idnits 2.17.1 draft-mcgrew-tls-aes-ccm-ecc-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (January 19, 2011) is 4839 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'CCM' == Outdated reference: A later version (-06) exists of draft-ietf-tls-rfc4347-bis-03 ** Downref: Normative reference to an Informational draft: draft-mcgrew-fundamental-ecc (ref. 'I-D.mcgrew-fundamental-ecc') ** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246) ** Obsolete normative reference: RFC 4366 (Obsoleted by RFC 5246, RFC 6066) ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS Working Group D. McGrew 3 Internet-Draft Cisco Systems, Inc. 4 Intended status: Standards Track D. Bailey 5 Expires: July 23, 2011 RSA/EMC 6 M. Campagna 7 R. Dugal 8 Certicom Corp. 9 January 19, 2011 11 AES-CCM ECC Cipher Suites for TLS 12 draft-mcgrew-tls-aes-ccm-ecc-01 14 Abstract 16 This memo describes the use of the Advanced Encryption Standard (AES) 17 in the Counter and CBC-MAC Mode (CCM) of operation within Transport 18 Layer Security (TLS) to provide confidentiality and data origin 19 authentication. The AES-CCM algorithm is amenable to compact 20 implementations, making it suitable for constrained environments. 21 The ciphersuites defined in this document use Elliptic Curve 22 Cryptography (ECC), and are intended for use in networks with limited 23 bandwidth. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on July 23, 2011. 42 Copyright Notice 44 Copyright (c) 2011 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 62 2. ECC based AES-CCM Cipher Suites . . . . . . . . . . . . . . . 4 63 2.1. Required Algorithms for each CipherSuite . . . . . . . . . 5 65 3. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 7 67 4. New AEAD algorithms . . . . . . . . . . . . . . . . . . . . . 8 68 4.1. AES-128-CCM with an 8-octet ICV . . . . . . . . . . . . . 8 69 4.2. AES-256-CCM with an 8-octet ICV . . . . . . . . . . . . . 8 71 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 73 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 74 6.1. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . 10 75 6.2. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . 10 77 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 79 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 80 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 81 8.2. Informative References . . . . . . . . . . . . . . . . . . 13 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 85 1. Introduction 87 This document describes the use of Advanced Encryption Standard (AES) 88 [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS 89 ciphersuites. AES-CCM provides both authentication and 90 confidentiality and uses as its only primitive the AES encrypt 91 operation (the AES decrypt operation is not needed). This makes it 92 amenable to compact implementations, which is advantageous in 93 constrained environments. The use of AES-CCM has been specified for 94 IPsec ESP [RFC4309] and 802.15.4 wireless networks [IEEE802154]. 96 Authenticated encryption, in addition to providing confidentiality 97 for the plaintext that is encrypted, provides a way to check its 98 integrity and authenticity. Authenticated Encryption with Associated 99 Data, or AEAD [RFC5116], adds the ability to check the integrity and 100 authenticity of some associated data that is not encrypted. This 101 note utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES- 102 CCM-based AEAD algorithms defined in [RFC5116]. Additional AEAD 103 algorithms are defined in this note; these use AES-CCM but have 104 shorter authentication tags, and therefore are more suitable for use 105 across networks in which bandwidth is constrained and message sizes 106 may be small. 108 The ciphersuites defined in this document use Ephemeral Elliptic 109 Curve Diffie-Hellman (ECDHE) as their key establishment mechanism; 110 these ciphersuites can be used with DTLS [I-D.ietf-tls-rfc4347-bis]. 112 1.1. Conventions Used In This Document 114 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 115 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 116 document are to be interpreted as described in [RFC2119] 118 2. ECC based AES-CCM Cipher Suites 120 The ciphersuites defined in this document are based on the AES-CCM 121 authenticated encryption with associated data (AEAD) algorithms 122 AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The 123 following ciphersuites are defined: 125 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {TBD1,TBD1} 126 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {TBD2,TBD2) 127 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {TBD3,TBD3} 128 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {TBD4,TBD4) 130 These ciphersuites make use of the AEAD capability in TLS 1.2 131 [RFC5246]. Note that each of these AEAD algorithms uses AES-CCM. 132 Ciphersuites ending with "8" use eight-octet authentication tags; the 133 other ciphersuites have 16 octet authentication tags. 135 The HMAC truncation option described in Section 3.5 of [RFC4366] 136 (which negotiates the "truncated_hmac" TLS extension) does not have 137 an effect on the cipher suites defined in this note, because they do 138 not use HMAC to protect TLS records. 140 The "nonce" input to the AEAD algorithm is defined as in [RFC5288]. 141 The "nonce" SHALL be 12 bytes long and constructed as follows: 143 struct { 144 case client: 145 uint32 client_write_IV; // low order 32-bits 146 case server: 147 uint32 server_write_IV; // low order 32-bits 148 uint64 seq_num; 149 } CCMNonce. 151 In DTLS, the 64-bit seq_num field is the 16-bit DTLS epoch field 152 concatenated with the 48-bit sequence_number field. The epoch and 153 sequence_number appear in the DTLS record layer. 155 This construction allows the internal counter to be 32-bits long, 156 which is a convenient size for use with CCM. 158 These ciphersuites make use of the default TLS 1.2 Pseudorandom 159 Function (PRF), which uses HMAC with the SHA-256 hash function. 161 The ECDHE_ECDSA key exchange is performed as defined in [RFC4492], 162 with the following additional stipulations: 164 The curves secp256r1 and secp384r1 MUST be supported, and the 165 curve secp521r1 MAY be supported; these curves are equivalent to 166 the NIST P-256, P-384, and P-521 curves. Note that all of these 167 curves have cofactor equal to one, which simplifies their use. 169 The server's certificate MUST contain an ECDSA-capable public key, 170 it MUST be signed with ECDSA, and it MUST use SHA-256, SHA-384, or 171 SHA-512. The Signature Algorithms extension (Section 7.4.1.4.1 of 172 [RFC5246]) MUST be used to indicate support of those signature and 173 hash algorithms. If a client certificate is used, the same 174 conditions apply to it. The acceptable choices of hashes and 175 curves that can be used with each ciphersuite are detailed in 176 Section 2.1. 178 The uncompressed point format MUST be supported. Other point 179 formats MAY be used. 181 The client MUST offer the elliptic_curves extension and the server 182 MUST expect to receive it. 184 The client MAY offer the ec_point_formats extension, but the 185 server need not expect to receive it. 187 [I-D.mcgrew-fundamental-ecc] MAY be used as an implementation 188 method. 190 Implementations of these ciphersuites will interoperate with 191 [RFC4492], but can be more compact than a full implementation of that 192 RFC. 194 2.1. Required Algorithms for each CipherSuite 196 The curves and hash algorithms that can be used with each ciphersuite 197 are described in the following table. 199 +--------------------------------------------+----------------------+ 200 | CipherSuite | Algorithms | 201 +--------------------------------------------+----------------------+ 202 | TLS_ECDHE_ECDSA_WITH_AES_128_CCM | MUST support | 203 | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | secp256r1, SHA-256 | 204 | | | 205 | | MAY support | 206 | | secp384r1, SHA-384 | 207 | | | 208 | | MAY support | 209 | | secp521r1, SHA-512 | 210 | | | 211 | TLS_ECDHE_ECDSA_WITH_AES_256_CCM | MUST support | 212 | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 | secp384r1, SHA-384 | 213 | | | 214 | | MAY support | 215 | | secp521r1, SHA-512 | 216 +--------------------------------------------+----------------------+ 218 3. TLS Versions 220 These ciphersuites make use of the authenticated encryption with 221 additional data defined in TLS 1.2 [RFC5288]. They MUST NOT be 222 negotiated in older versions of TLS. Clients MUST NOT offer these 223 cipher suites if they do not offer TLS 1.2 or later. Servers which 224 select an earlier version of TLS MUST NOT select one of these cipher 225 suites. Because TLS has no way for the client to indicate that it 226 supports TLS 1.2 but not earlier, a non-compliant server might 227 potentially negotiate TLS 1.1 or earlier and select one of the cipher 228 suites in this document. Clients MUST check the TLS version and 229 generate a fatal "illegal_parameter" alert if they detect an 230 incorrect version. 232 4. New AEAD algorithms 234 The following AEAD algorithms are defined: 236 AEAD_AES_128_CCM_8 = TBD9 237 AEAD_AES_256_CCM_8 = TBD10 238 AEAD_AES_128_CCM_12 = TBD11 239 AEAD_AES_256_CCM_12 = TBD12 241 4.1. AES-128-CCM with an 8-octet ICV 243 The AEAD_AES_128_CCM_8 authenticated encryption algorithm is 244 identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of 245 [RFC5116]), except that it uses eight octets for authentication, 246 instead of the full sixteen octets used by AEAD_AES_128_CCM. The 247 AEAD_AES_128_CCM_8 ciphertext consists of the ciphertext output of 248 the CCM encryption operation concatenated with the 8-octet 249 authentication tag output of the CCM encryption operation. Test 250 cases are provided in [CCM]. The input and output lengths are as for 251 AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 252 octets longer than its corresponding plaintext. 254 4.2. AES-256-CCM with an 8-octet ICV 256 The AEAD_AES_256_CCM_8 authenticated encryption algorithm is 257 identical to the AEAD_AES_256_CCM algorithm (see Section 5.4 of 258 [RFC5116]), except that it uses eight octets for authentication, 259 instead of the full sixteen octets used by AEAD_AES_256_CCM. The 260 AEAD_AES_256_CCM_8 ciphertext consists of the ciphertext output of 261 the CCM encryption operation concatenated with the 8-octet 262 authentication tag output of the CCM encryption operation. Test 263 cases are provided in [CCM]. The input and output lengths are as for 264 AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 265 octets longer than its corresponding plaintext. 267 5. IANA Considerations 269 IANA has assigned values for the Ciphersuites defined in Section 2 270 and the AEAD algorithms defined in Section 4 of this note. 272 6. Security Considerations 274 6.1. Perfect Forward Secrecy 276 The perfect forward secrecy properties of ephemeral Diffie-Hellman 277 ciphersuites are discussed in the security analysis of [RFC4346]. 278 This analysis applies to the ECDHE ciphersuites. 280 6.2. Counter Reuse 282 AES-CCM security requires that the counter is never reused. The IV 283 construction in Section 2 is designed to prevent counter reuse. 285 7. Acknowledgements 287 This draft borrows heavily from [RFC5288]. 289 This draft is motivated by the considerations raised in the Zigbee 290 Smart Energy 2.0 working group. 292 8. References 294 8.1. Normative References 296 [AES] National Institute of Standards and Technology, 297 "Specification for the Advanced Encryption Standard 298 (AES)", FIPS 197, November 2001. 300 [CCM] National Institute of Standards and Technology, 301 "Recommendation for Block Cipher Modes of Operation: The 302 CCM Mode for Authentication and Confidentiality", SP 800- 303 38C, May 2004. 305 [I-D.ietf-tls-rfc4347-bis] 306 Rescorla, E. and N. Modadugu, "Datagram Transport Layer 307 Security version 1.2", draft-ietf-tls-rfc4347-bis-03 (work 308 in progress), October 2009. 310 [I-D.mcgrew-fundamental-ecc] 311 McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 312 Curve Cryptography Algorithms", 313 draft-mcgrew-fundamental-ecc-04 (work in progress), 314 December 2010. 316 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 317 Requirement Levels", BCP 14, RFC 2119, March 1997. 319 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 320 (TLS) Protocol Version 1.1", RFC 4346, April 2006. 322 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., 323 and T. Wright, "Transport Layer Security (TLS) 324 Extensions", RFC 4366, April 2006. 326 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 327 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 328 for Transport Layer Security (TLS)", RFC 4492, May 2006. 330 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 331 Encryption", RFC 5116, January 2008. 333 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 334 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 336 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 337 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 338 August 2008. 340 8.2. Informative References 342 [IEEE802154] 343 Institute of Electrical and Electronics Engineers, 344 "Wireless Personal Area Networks", IEEE Standard 802.15.4- 345 2006, 2006. 347 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 348 Mode with IPsec Encapsulating Security Payload (ESP)", 349 RFC 4309, December 2005. 351 Authors' Addresses 353 David McGrew 354 Cisco Systems, Inc. 355 170 W Tasman Drive 356 San Jose, CA 95134 357 USA 359 Email: mcgrew@cisco.com 361 Daniel V. Bailey 362 RSA/EMC 363 174 Middlesex Tpke. 364 Bedford, MA 01463 365 USA 367 Email: dbailey@rsa.com 369 Matthew Campagna 370 Certicom Corp. 371 5520 Explorer Drive #400 372 Mississauga, Ontario L4W 5L1 373 Canada 375 Email: mcampagna@certicom.com 377 Robert Dugal 378 Certicom Corp. 379 5520 Explorer Drive #400 380 Mississauga, Ontario L4W 5L1 381 Canada 383 Email: rdugal@certicom.com