idnits 2.17.1 draft-mcgrew-tls-aes-ccm-ecc-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (May 31, 2012) is 4348 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'CCM' == Outdated reference: A later version (-04) exists of draft-mcgrew-tls-aes-ccm-03 ** Obsolete normative reference: RFC 4366 (Obsoleted by RFC 5246, RFC 6066) ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Downref: Normative reference to an Informational RFC: RFC 6090 ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 4346 (Obsoleted by RFC 5246) Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS Working Group D. McGrew 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track D. Bailey 5 Expires: December 2, 2012 RSA/EMC 6 M. Campagna 7 R. Dugal 8 Certicom Corp. 9 May 31, 2012 11 AES-CCM ECC Cipher Suites for TLS 12 draft-mcgrew-tls-aes-ccm-ecc-03 14 Abstract 16 This memo describes the use of the Advanced Encryption Standard (AES) 17 in the Counter and CBC-MAC Mode (CCM) of operation within Transport 18 Layer Security (TLS) to provide confidentiality and data origin 19 authentication. The AES-CCM algorithm is amenable to compact 20 implementations, making it suitable for constrained environments. 21 The ciphersuites defined in this document use Elliptic Curve 22 Cryptography (ECC), and are advantageous in networks with limited 23 bandwidth. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on December 2, 2012. 42 Copyright Notice 44 Copyright (c) 2012 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Conventions Used In This Document . . . . . . . . . . . . . 3 62 2. ECC based AES-CCM Cipher Suites . . . . . . . . . . . . . . . . 3 63 2.1. AEAD algorithms . . . . . . . . . . . . . . . . . . . . . . 5 64 2.2. Required algorithms for each CipherSuite . . . . . . . . . 5 66 3. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 6 68 4. History . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 70 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 73 6.1. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . 7 74 6.2. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . . 7 76 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 78 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 79 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 80 8.2. Informative References . . . . . . . . . . . . . . . . . . 8 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 84 1. Introduction 86 This document describes the use of Advanced Encryption Standard (AES) 87 [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS 88 ciphersuites. AES-CCM provides both authentication and 89 confidentiality and uses as its only primitive the AES encrypt 90 operation (the AES decrypt operation is not needed). This makes it 91 amenable to compact implementations, which is advantageous in 92 constrained environments. Of course, adoption outside of constrained 93 environments is necessary to enable interoperability, such as that 94 between web clients and embedded servers, or between embedded clients 95 and web servers. The use of AES-CCM has been specified for IPsec ESP 96 [RFC4309] and 802.15.4 wireless networks [IEEE802154]. 98 Authenticated encryption, in addition to providing confidentiality 99 for the plaintext that is encrypted, provides a way to check its 100 integrity and authenticity. Authenticated Encryption with Associated 101 Data, or AEAD [RFC5116], adds the ability to check the integrity and 102 authenticity of some associated data that is not encrypted. This 103 note utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES- 104 CCM-based AEAD algorithms defined in [RFC5116] and 105 [I-D.mcgrew-tls-aes-ccm] . All of these algorithms use AES-CCM; some 106 have shorter authentication tags, and are therefore more suitable for 107 use across networks in which bandwidth is constrained and message 108 sizes may be small. 110 The ciphersuites defined in this document use Ephemeral Elliptic 111 Curve Diffie-Hellman (ECDHE) as their key establishment mechanism; 112 these ciphersuites can be used with DTLS [RFC6347]. 114 1.1. Conventions Used In This Document 116 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119] 120 2. ECC based AES-CCM Cipher Suites 122 The ciphersuites defined in this document are based on the AES-CCM 123 authenticated encryption with associated data (AEAD) algorithms 124 AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The 125 following ciphersuites are defined: 127 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {TBD1,TBD1} 128 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {TBD2,TBD2} 129 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {TBD3,TBD3} 130 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {TBD4,TBD4} 132 These ciphersuites make use of the AEAD capability in TLS 1.2 133 [RFC5246]. Note that each of these AEAD algorithms uses AES-CCM. 134 Ciphersuites ending with "8" use eight-octet authentication tags; the 135 other ciphersuites have 16 octet authentication tags. 137 The HMAC truncation option described in Section 3.5 of [RFC4366] 138 (which negotiates the "truncated_hmac" TLS extension) does not have 139 an effect on the cipher suites defined in this note, because they do 140 not use HMAC to protect TLS records. 142 The "nonce" input to the AEAD algorithm is as in [RFC5288]; for the 143 convenience of the reader, we summarize the details in this note. 144 The "nonce" SHALL be 12 bytes long and constructed as follows: 146 struct { 147 case client: 148 uint32 client_write_IV; // low order 32-bits 149 case server: 150 uint32 server_write_IV; // low order 32-bits 151 uint64 seq_num; 152 } CCMNonce. 154 In DTLS, the 64-bit seq_num field is the 16-bit DTLS epoch field 155 concatenated with the 48-bit sequence_number field. The epoch and 156 sequence_number appear in the DTLS record layer. 158 This construction allows the internal counter to be 32-bits long, 159 which is a convenient size for use with CCM. 161 These ciphersuites make use of the default TLS 1.2 Pseudorandom 162 Function (PRF), which uses HMAC with the SHA-256 hash function. 164 The ECDHE_ECDSA key exchange is performed as defined in [RFC4492], 165 with the following additional stipulations: 167 o The curve secp256r1 MUST be supported, and the curves secp384r1 168 and secp521r1 MAY be supported; these curves are equivalent to the 169 NIST P-256, P-384, and P-521 curves. Note that all of these 170 curves have cofactor equal to one, which simplifies their use. 171 o The server's certificate MUST contain an ECDSA-capable public key, 172 it MUST be signed with ECDSA, and it MUST use SHA-256, SHA-384, or 173 SHA-512. The Signature Algorithms extension (Section 7.4.1.4.1 of 174 [RFC5246]) MUST be used to indicate support of those signature and 175 hash algorithms. If a client certificate is used, the same 176 conditions apply to it. The acceptable choices of hashes and 177 curves that can be used with each ciphersuite are detailed in 178 Section 2.2. 179 o The uncompressed point format MUST be supported. Other point 180 formats MAY be used. 181 o The client SHOULD offer the elliptic_curves extension and the 182 server SHOULD expect to receive it. 183 o The client MAY offer the ec_point_formats extension, but the 184 server need not expect to receive it. 185 o [RFC6090] MAY be used as an implementation method. 187 Implementations of these ciphersuites will interoperate with 188 [RFC4492], but can be more compact than a full implementation of that 189 RFC. 191 2.1. AEAD algorithms 193 The following AEAD algorithms are used: 195 AEAD_AES_128_CCM is used in the TLS_ECDHE_ECDSA_WITH_AES_128_CCM 196 ciphersuite, 198 AEAD_AES_256_CCM is used in the TLS_ECDHE_ECDSA_WITH_AES_256_CCM 199 ciphersuite, 201 AEAD_AES_128_CCM_8 is used in the 202 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite, and 204 AEAD_AES_256_CCM_8 is used in the 205 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 ciphersuite. 207 2.2. Required algorithms for each CipherSuite 209 The curves and hash algorithms that can be used with each ciphersuite 210 are as follows. The ciphersuites TLS_ECDHE_ECDSA_WITH_AES_128_CCM 211 and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MUST be used with one of the 212 following combinations: 214 secp256r1 and SHA-256, or 215 secp384r1 and SHA-384, or 216 secp521r1 and SHA-512. 218 The ciphersuites TLS_ECDHE_ECDSA_WITH_AES_256_CCM and 219 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MUST be used with one of the 220 following combinations: 222 secp384r1 and SHA-384, or 223 secp521r1 and SHA-512. 225 3. TLS Versions 227 These ciphersuites make use of the authenticated encryption with 228 additional data defined in TLS 1.2 [RFC5288]. They MUST NOT be 229 negotiated in older versions of TLS. Clients MUST NOT offer these 230 cipher suites if they do not offer TLS 1.2 or later. Servers which 231 select an earlier version of TLS MUST NOT select one of these cipher 232 suites. Earlier versions do not have support for AEAD; for instance, 233 the TLSCiphertext structure does not have the "aead" option in TLS 234 1.1. Because TLS has no way for the client to indicate that it 235 supports TLS 1.2 but not earlier, a non-compliant server might 236 potentially negotiate TLS 1.1 or earlier and select one of the cipher 237 suites in this document. Clients MUST check the TLS version and 238 generate a fatal "illegal_parameter" alert if they detect an 239 incorrect version. 241 4. History 243 The 03 version removed materials that are redundant with 244 draft-mcgrew-tls-aes-ccm, and replaced them with references to that 245 draft. That draft has been approved for RFC and will be a suitable 246 stable normative reference. 248 The 02 version removed the AEAD_AES_128_CCM_12 and 249 AEAD_AES_256_CCM_12 AEAD algorithms, because they were not needed in 250 any ciphersuites. The AES-256 ciphersuites were retained, however, 251 to provide a secure cipher for use with the higher security curves 252 secp384r1 and secp521r1. 254 This section is to be removed by the RFC editor upon publication. 256 5. IANA Considerations 258 IANA has assigned values for the Ciphersuites defined in Section 2 259 and the AEAD algorithms defined in Section 2.1 of this note. 261 6. Security Considerations 262 6.1. Perfect Forward Secrecy 264 The perfect forward secrecy properties of ephemeral Diffie-Hellman 265 ciphersuites are discussed in the security analysis of [RFC4346]. 266 This analysis applies to the ECDHE ciphersuites. 268 6.2. Counter Reuse 270 AES-CCM security requires that the counter is never reused. The IV 271 construction in Section 2 is designed to prevent counter reuse. 273 7. Acknowledgements 275 This draft borrows heavily from [RFC5288]. Thanks are due to Robert 276 Cragie. 278 This draft is motivated by the considerations raised in the Zigbee 279 Smart Energy 2.0 working group. 281 8. References 283 8.1. Normative References 285 [AES] National Institute of Standards and Technology, 286 "Specification for the Advanced Encryption Standard 287 (AES)", FIPS 197, November 2001. 289 [CCM] National Institute of Standards and Technology, 290 "Recommendation for Block Cipher Modes of Operation: The 291 CCM Mode for Authentication and Confidentiality", SP 800- 292 38C, May 2004. 294 [I-D.mcgrew-tls-aes-ccm] 295 McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for TLS", 296 draft-mcgrew-tls-aes-ccm-03 (work in progress), 297 February 2012. 299 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 300 Requirement Levels", BCP 14, RFC 2119, March 1997. 302 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., 303 and T. Wright, "Transport Layer Security (TLS) 304 Extensions", RFC 4366, April 2006. 306 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 307 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 308 for Transport Layer Security (TLS)", RFC 4492, May 2006. 310 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 311 Encryption", RFC 5116, January 2008. 313 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 314 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 316 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 317 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 318 August 2008. 320 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 321 Curve Cryptography Algorithms", RFC 6090, February 2011. 323 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 324 Security Version 1.2", RFC 6347, January 2012. 326 8.2. Informative References 328 [IEEE802154] 329 Institute of Electrical and Electronics Engineers, 330 "Wireless Personal Area Networks", IEEE Standard 802.15.4- 331 2006, 2006. 333 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 334 Mode with IPsec Encapsulating Security Payload (ESP)", 335 RFC 4309, December 2005. 337 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 338 (TLS) Protocol Version 1.1", RFC 4346, April 2006. 340 Authors' Addresses 342 David McGrew 343 Cisco Systems 344 13600 Dulles Technology Drive 345 Herndon, VA 20171 346 USA 348 Email: mcgrew@cisco.com 349 Daniel V. Bailey 350 RSA/EMC 351 174 Middlesex Tpke. 352 Bedford, MA 01463 353 USA 355 Email: dbailey@rsa.com 357 Matthew Campagna 358 Certicom Corp. 359 5520 Explorer Drive #400 360 Mississauga, Ontario L4W 5L1 361 Canada 363 Email: mcampagna@certicom.com 365 Robert Dugal 366 Certicom Corp. 367 5520 Explorer Drive #400 368 Mississauga, Ontario L4W 5L1 369 Canada 371 Email: rdugal@certicom.com