idnits 2.17.1 draft-mcgrew-tls-aes-ccm-ecc-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 208 has weird spacing: '...ameters cur...' == Line 212 has weird spacing: '...HParams par...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (July 5, 2010) is 5036 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'CCM' == Outdated reference: A later version (-06) exists of draft-ietf-tls-rfc4347-bis-03 == Outdated reference: A later version (-04) exists of draft-mcgrew-fundamental-ecc-03 ** Downref: Normative reference to an Informational draft: draft-mcgrew-fundamental-ecc (ref. 'I-D.mcgrew-fundamental-ecc') ** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246) ** Obsolete normative reference: RFC 4366 (Obsoleted by RFC 5246, RFC 6066) ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) Summary: 5 errors (**), 0 flaws (~~), 6 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS Working Group D. McGrew 3 Internet-Draft Cisco Systems, Inc. 4 Intended status: Standards Track D. Bailey 5 Expires: January 6, 2011 RSA/EMC 6 M. Campagna 7 R. Dugal 8 Certicom Corp. 9 July 5, 2010 11 AES-CCM ECC Cipher Suites for TLS 12 draft-mcgrew-tls-aes-ccm-ecc-00 14 Abstract 16 This memo describes the use of the Advanced Encryption Standard (AES) 17 in the Counter and CBC-MAC Mode (CCM) of operation within Transport 18 Layer Security (TLS) to provide confidentiality and data origin 19 authentication. The AES-CCM algorithm is amenable to compact 20 implementations, making it suitable for constrained environments. 21 The ciphersuites defined in this document use Elliptic Curve 22 Cryptography (ECC), and are intended for use in networks with limited 23 bandwidth. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on January 6, 2011. 42 Copyright Notice 44 Copyright (c) 2010 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 62 2. ECC based AES-CCM Cipher Suites . . . . . . . . . . . . . . . 4 63 2.1. Data Structures and Encoding . . . . . . . . . . . . . . . 5 65 3. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 7 67 4. New AEAD algorithms . . . . . . . . . . . . . . . . . . . . . 8 68 4.1. AES-128-CCM with an 8-octet ICV . . . . . . . . . . . . . 8 69 4.2. AES-256-CCM with an 8-octet ICV . . . . . . . . . . . . . 8 71 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 73 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 74 6.1. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . 10 75 6.2. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . 10 77 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 79 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 80 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 81 8.2. Informative References . . . . . . . . . . . . . . . . . . 13 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 85 1. Introduction 87 This document describes the use of Advanced Encryption Standard (AES) 88 [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS 89 ciphersuites. AES-CCM provides both authentication and 90 confidentiality and uses as its only primitive the AES encrypt 91 operation (the AES decrypt operation is not needed). This makes it 92 amenable to compact implementations, which makes it useful in 93 constrained environments. The use of AES-CCM has been specified for 94 use with IPsec ESP [RFC4309] and 802.15.4 wireless networks 95 [IEEE802154]. 97 Authenticated encryption, in addition to providing confidentiality 98 for the plaintext that is encrypted, provides a way to check its 99 integrity and authenticity. Authenticated Encryption with Associated 100 Data, or AEAD [RFC5116], adds the ability to check the integrity and 101 authenticity of some associated data that is not encrypted. This 102 note utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES- 103 CCM-based AEAD algorithms defined in [RFC5116]. Additional AEAD 104 algorithms are also defined, which use AES-CCM but which have shorter 105 authentication tags, and therefore are more suitable for use across 106 networks in which bandwidth is constrained and message sizes may be 107 small. 109 The ciphersuites defined in this document use Ephemeral Elliptic 110 Curve Diffie-Hellman (ECDHE) as their key establishment mechanism; 111 these ciphersuites can be used with DTLS [I-D.ietf-tls-rfc4347-bis]. 113 1.1. Conventions Used In This Document 115 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 116 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 117 document are to be interpreted as described in [RFC2119] 119 2. ECC based AES-CCM Cipher Suites 121 The ciphersuites defined in this document are based on the the AES- 122 CCM authenticated encryption with associated data (AEAD) algorithms 123 AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The 124 following ciphersuites are defined: 126 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {TBD1,TBD1} 127 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {TBD2,TBD2) 128 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {TBD3,TBD3} 129 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {TBD4,TBD4} 130 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {TBD5,TBD5} 131 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {TBD6,TBD6) 132 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {TBD7,TBD7} 133 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {TBD8,TBD8} 135 These ciphersuites make use of the AEAD capability in TLS 1.2 136 [RFC5246]. Note that each of these AEAD algorithms uses AES-CCM. 137 Ciphersuites ending with "8" use eight-octet authentication tags; the 138 other ciphersuites have 16 octet authentication tags. 140 The HMAC truncation option described in Section 3.5 of [RFC4366] 141 (which negotiates the "truncated_hmac" TLS extension) does not have 142 an effect on cipher suites that do not use HMAC. 144 The "nonce" input to the AEAD algorithm is defined as in [RFC5288]. 145 The "nonce" SHALL be 12 bytes long and constructed as follows: 147 struct { 148 case client: 149 uint32 client_write_IV; // low order 32-bits 150 case server: 151 uint32 server_write_IV; // low order 32-bits 152 uint64 seq_num; 153 } CCMNonce. 155 In DTLS, the 64-bit seq_num field is the 16-bit DTLS epoch field 156 concatenated with the 48-bit sequence_number field. The epoch and 157 sequence_number appear in the DTLS record layer. 159 This construction allows the internal counter to be 32-bits long, 160 which is a convenient size for use with CCM. 162 These ciphersuites make use of the default TLS 1.2 Pseudorandom 163 Function (PRF), which uses HMAC with the SHA-256 hash function. The 164 ECDHE_ECDSA key exchange is performed as defined in [RFC4492], with 165 the following additional stipulations: 167 The curves secp256r1, secp384r1, and secp521r1 MUST be supported; 168 these curves are equivalent to the NIST P-256, P-384, and P-521 169 curves. Note that all of these curves have cofactor equal to one, 170 which simplifies their use. 172 The uncompressed point format MUST be supported, and other point 173 formats MUST NOT be used. The use of other point formats will be 174 considered in later versions of this draft. 176 The client MUST NOT offer the elliptic_curves extension nor the 177 ec_point_formats extension. The server MUST NOT expect to receive 178 those extensions. 180 [I-D.mcgrew-fundamental-ecc] MAY be used as an implementation 181 method. 183 The server's certificate MUST contain an ECDSA-capable public key, 184 and it MUST be signed with ECDSA. If a client certificate is 185 used, the same conditions apply to it. 187 2.1. Data Structures and Encoding 189 The key exchange method uses the data structures and encodings 190 defined in this section; these are a subset of [RFC4492]. Unused 191 enumerated values and branches of "select" operations are not shown. 193 enum { 194 secp256r1 (23), secp384r1 (24), secp521r1 (25), 195 (0xFFFF) 196 } NamedCurve; 198 struct { 199 ECCurveType curve_type = named_curve; 200 NamedCurve namedcurve; 201 } ECParameters; 203 struct { 204 opaque point <1..2^8-1>; 205 } ECPoint; 207 struct { 208 ECParameters curve_params; 209 ECPoint public; 210 } ServerECDHParams; 211 { 212 ServerECDHParams params; 213 Signature signed_params; 214 } ServerKeyExchange; 216 enum { ecdsa } SignatureAlgorithm; 218 { 219 digitally-signed struct { 220 opaque sha_hash[sha_size]; 221 }; 222 } Signature; 224 Ecdsa-Sig-Value ::= SEQUENCE { 225 r INTEGER, 226 s INTEGER 227 } 229 enum { 230 ecdsa_sign(64), (255) 231 } ClientCertificateType; 233 The TLS CertificateRequest message is extended as follows. Because 234 only ephemeral Diffie-Hellman is used, the PublicValueEncoding is 235 always "explicit". 237 struct { 238 ECPoint ecdh_Yc; 239 } ecdh_public; 240 } ClientECDiffieHellmanPublic; 242 struct { 243 { 244 ClientECDiffieHellmanPublic; 245 } exchange_keys; 246 } ClientKeyExchange; 248 3. TLS Versions 250 These ciphersuites make use of the authenticated encryption with 251 additional data defined in TLS 1.2 [RFC5288]. They MUST NOT be 252 negotiated in older versions of TLS. Clients MUST NOT offer these 253 cipher suites if they do not offer TLS 1.2 or later. Servers which 254 select an earlier version of TLS MUST NOT select one of these cipher 255 suites. Because TLS has no way for the client to indicate that it 256 supports TLS 1.2 but not earlier, a non-compliant server might 257 potentially negotiate TLS 1.1 or earlier and select one of the cipher 258 suites in this document. Clients MUST check the TLS version and 259 generate a fatal "illegal_parameter" alert if they detect an 260 incorrect version. 262 4. New AEAD algorithms 264 The following AEAD algorithms are defined: 266 AEAD_AES_128_CCM_8 = TBD9 267 AEAD_AES_256_CCM_8 = TBD10 268 AEAD_AES_128_CCM_12 = TBD11 269 AEAD_AES_256_CCM_12 = TBD12 271 4.1. AES-128-CCM with an 8-octet ICV 273 The AEAD_AES_128_CCM_8 authenticated encryption algorithm is 274 identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of 275 [RFC5116]), except that it uses eight octets for authentication, 276 instead of the full sixteen octets used by AEAD_AES_128_CCM. The 277 AEAD_AES_128_CCM_8 ciphertext consists of the ciphertext output of 278 the CCM encryption operation concatenated with the 8-octet 279 authentication tag output of the CCM encryption operation. Test 280 cases are provided in [CCM]. The input and output lengths are as as 281 for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 282 octets longer than its corresponding plaintext. 284 4.2. AES-256-CCM with an 8-octet ICV 286 The AEAD_AES_256_CCM_8 authenticated encryption algorithm is 287 identical to the AEAD_AES_256_CCM algorithm (see Section 5.4 of 288 [RFC5116]), except that it uses eight octets for authentication, 289 instead of the full sixteen octets used by AEAD_AES_256_CCM. The 290 AEAD_AES_256_CCM_8 ciphertext consists of the ciphertext output of 291 the CCM encryption operation concatenated with the 8-octet 292 authentication tag output of the CCM encryption operation. Test 293 cases are provided in [CCM]. The input and output lengths are as as 294 for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 295 octets longer than its corresponding plaintext. 297 5. IANA Considerations 299 IANA has assigned values for the Ciphersuites defined in Section 2 300 and the AEAD algorithms defined in Section 4 of this note. 302 6. Security Considerations 304 6.1. Perfect Forward Secrecy 306 The perfect forward secrecy properties of ephemeral Diffie-Hellman 307 ciphersuites are discussed in the security analysis of [RFC4346]. 308 This analysis applies to the ECDHE ciphersuites. 310 6.2. Counter Reuse 312 AES-CCM security requires that the counter is never reused. The IV 313 construction in Section 2 is designed to prevent counter reuse. 315 7. Acknowledgements 317 This draft borrows heavily from [RFC5288]. 319 This draft is motivated by the considerations raised in the Zigbee 320 Smart Energy 2.0 working group. 322 8. References 324 8.1. Normative References 326 [AES] National Institute of Standards and Technology, 327 "Specification for the Advanced Encryption Standard 328 (AES)", FIPS 197, November 2001. 330 [CCM] National Institute of Standards and Technology, 331 "Recommendation for Block Cipher Modes of Operation: The 332 CCM Mode for Authentication and Confidentiality", SP 800- 333 38C, May 2004. 335 [I-D.ietf-tls-rfc4347-bis] 336 Rescorla, E. and N. Modadugu, "Datagram Transport Layer 337 Security version 1.2", draft-ietf-tls-rfc4347-bis-03 (work 338 in progress), October 2009. 340 [I-D.mcgrew-fundamental-ecc] 341 McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 342 Curve Cryptography Algorithms", 343 draft-mcgrew-fundamental-ecc-03 (work in progress), 344 May 2010. 346 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 347 Requirement Levels", BCP 14, RFC 2119, March 1997. 349 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 350 (TLS) Protocol Version 1.1", RFC 4346, April 2006. 352 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., 353 and T. Wright, "Transport Layer Security (TLS) 354 Extensions", RFC 4366, April 2006. 356 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 357 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 358 for Transport Layer Security (TLS)", RFC 4492, May 2006. 360 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 361 Encryption", RFC 5116, January 2008. 363 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 364 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 366 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 367 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 368 August 2008. 370 8.2. Informative References 372 [IEEE802154] 373 Institute of Electrical and Electronics Engineers, 374 "Wireless Personal Area Networks", IEEE Standard 802.15.4- 375 2006, 2006. 377 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 378 Mode with IPsec Encapsulating Security Payload (ESP)", 379 RFC 4309, December 2005. 381 Authors' Addresses 383 David McGrew 384 Cisco Systems, Inc. 385 170 W Tasman Drive 386 San Jose, CA 95134 387 USA 389 Email: mcgrew@cisco.com 391 Daniel V. Bailey 392 RSA/EMC 393 174 Middlesex Tpke. 394 Bedford, MA 01463 395 USA 397 Email: dbailey@rsa.com 399 Matthew Campagna 400 Certicom Corp. 401 5520 Explorer Drive #400 402 Mississauga, Ontario L4W 5L1 403 Canada 405 Email: mcampagna@certicom.com 407 Robert Dugal 408 Certicom Corp. 409 5520 Explorer Drive #400 410 Mississauga, Ontario L4W 5L1 411 Canada 413 Email: rdugal@certicom.com