idnits 2.17.1 draft-mcgrew-tls-aes-ccm-ecc-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 1, 2013) is 4095 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS Working Group D. McGrew 3 Internet-Draft Cisco Systems 4 Intended status: Informational D. Bailey 5 Expires: August 5, 2013 RSA/EMC 6 M. Campagna 7 R. Dugal 8 Certicom Corp. 9 February 1, 2013 11 AES-CCM ECC Cipher Suites for TLS 12 draft-mcgrew-tls-aes-ccm-ecc-06 14 Abstract 16 This memo describes the use of the Advanced Encryption Standard (AES) 17 in the Counter and CBC-MAC Mode (CCM) of operation within Transport 18 Layer Security (TLS) to provide confidentiality and data origin 19 authentication. The AES-CCM algorithm is amenable to compact 20 implementations, making it suitable for constrained environments. 21 The ciphersuites defined in this document use Elliptic Curve 22 Cryptography (ECC), and are advantageous in networks with limited 23 bandwidth. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on August 5, 2013. 42 Copyright Notice 44 Copyright (c) 2013 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Conventions Used In This Document . . . . . . . . . . . . . 3 62 2. ECC based AES-CCM Cipher Suites . . . . . . . . . . . . . . . . 3 63 2.1. AEAD algorithms . . . . . . . . . . . . . . . . . . . . . . 5 64 2.2. Required algorithms for each CipherSuite . . . . . . . . . 5 66 3. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 4. History . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 70 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 73 6.1. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . 7 74 6.2. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . . 7 76 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 78 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 79 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 80 8.2. Informative References . . . . . . . . . . . . . . . . . . 8 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 84 1. Introduction 86 This document describes the use of Advanced Encryption Standard (AES) 87 [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS 88 ciphersuites. AES-CCM provides both authentication and 89 confidentiality and uses as its only primitive the AES encrypt 90 operation (the AES decrypt operation is not needed). This makes it 91 amenable to compact implementations, which is advantageous in 92 constrained environments. Of course, adoption outside of constrained 93 environments is necessary to enable interoperability, such as that 94 between web clients and embedded servers, or between embedded clients 95 and web servers. The use of AES-CCM has been specified for IPsec ESP 96 [RFC4309] and 802.15.4 wireless networks [IEEE802154]. 98 Authenticated encryption, in addition to providing confidentiality 99 for the plaintext that is encrypted, provides a way to check its 100 integrity and authenticity. Authenticated Encryption with Associated 101 Data, or AEAD [RFC5116], adds the ability to check the integrity and 102 authenticity of some associated data that is not encrypted. This 103 note utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES- 104 CCM-based AEAD algorithms defined in [RFC5116] and [RFC6655] . All 105 of these algorithms use AES-CCM; some have shorter authentication 106 tags, and are therefore more suitable for use across networks in 107 which bandwidth is constrained and message sizes may be small. 109 The ciphersuites defined in this document use Ephemeral Elliptic 110 Curve Diffie-Hellman (ECDHE) as their key establishment mechanism; 111 these ciphersuites can be used with DTLS [RFC6347]. 113 1.1. Conventions Used In This Document 115 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 116 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 117 document are to be interpreted as described in [RFC2119]. 119 2. ECC based AES-CCM Cipher Suites 121 The ciphersuites defined in this document are based on the AES-CCM 122 authenticated encryption with associated data (AEAD) algorithms 123 AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The 124 following ciphersuites are defined: 126 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {TBD1,TBD1} 127 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {TBD2,TBD2} 128 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {TBD3,TBD3} 129 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {TBD4,TBD4} 131 These ciphersuites make use of the AEAD capability in TLS 1.2 132 [RFC5246]. Note that each of these AEAD algorithms uses AES-CCM. 133 Ciphersuites ending with "8" use eight-octet authentication tags; the 134 other ciphersuites have 16 octet authentication tags. 136 The HMAC truncation option described in Section 7 of [RFC6066] (which 137 negotiates the "truncated_hmac" TLS extension) does not have an 138 effect on the cipher suites defined in this note, because they do not 139 use HMAC to protect TLS records. 141 The "nonce" input to the AEAD algorithm is as defined in [RFC6655]. 143 In DTLS, the 64-bit seq_num field is the 16-bit DTLS epoch field 144 concatenated with the 48-bit sequence_number field. The epoch and 145 sequence_number appear in the DTLS record layer. 147 This construction allows the internal counter to be 32-bits long, 148 which is a convenient size for use with CCM. 150 These ciphersuites make use of the default TLS 1.2 Pseudorandom 151 Function (PRF), which uses HMAC with the SHA-256 hash function. 153 The ECDHE_ECDSA key exchange is performed as defined in [RFC4492], 154 with the following additional stipulations: 156 o The curve secp256r1 MUST be supported, and the curves secp384r1 157 and secp521r1 MAY be supported; these curves are equivalent to the 158 NIST P-256, P-384, and P-521 curves. Note that all of these 159 curves have cofactor equal to one, which simplifies their use. 160 o The server's certificate MUST contain an ECDSA-capable public key, 161 it MUST be signed with ECDSA, and it MUST use SHA-256, SHA-384, or 162 SHA-512. The Signature Algorithms extension (Section 7.4.1.4.1 of 163 [RFC5246]) MUST be used to indicate support of those signature and 164 hash algorithms. If a client certificate is used, the same 165 conditions apply to it. The acceptable choices of hashes and 166 curves that can be used with each ciphersuite are detailed in 167 Section 2.2. 168 o The uncompressed point format MUST be supported. Other point 169 formats MAY be used. 170 o The client SHOULD offer the elliptic_curves extension and the 171 server SHOULD expect to receive it. 172 o The client MAY offer the ec_point_formats extension, but the 173 server need not expect to receive it. 174 o [RFC6090] MAY be used as an implementation method. 176 Implementations of these ciphersuites will interoperate with 177 [RFC4492], but can be more compact than a full implementation of that 178 RFC. 180 Implementations that use other curves SHOULD use curves that have 181 cofactor equal to 1, for simplicity of implementation. Many curves, 182 such as the Brainpool curves [RFC5639] for example, meet this 183 criteria. 185 2.1. AEAD algorithms 187 The following AEAD algorithms are used: 189 AEAD_AES_128_CCM is used in the TLS_ECDHE_ECDSA_WITH_AES_128_CCM 190 ciphersuite, 192 AEAD_AES_256_CCM is used in the TLS_ECDHE_ECDSA_WITH_AES_256_CCM 193 ciphersuite, 195 AEAD_AES_128_CCM_8 is used in the 196 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite, and 198 AEAD_AES_256_CCM_8 is used in the 199 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 ciphersuite. 201 2.2. Required algorithms for each CipherSuite 203 The curves and hash algorithms that must be supported are as follows: 205 An implementation that includes either 206 TLS_ECDHE_ECDSA_WITH_AES_128_CCM or 207 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MUST support secp256r1 and SHA- 208 256. 209 An implementation that includes either 210 TLS_ECDHE_ECDSA_WITH_AES_256_CCM or 211 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MUST support secp384r1 and SHA- 212 384, and MAY support secp521r1 and SHA-512. 214 Implementations that use other curves and hash functions SHOULD 215 select them so that AES-128 is used with a curve and a hash function 216 supporting a 128-bit security level, and AES-256 is used with a curve 217 and a hash function supporting a 192-bit or 256-bit security level. 218 More detailed guidance on cryptographic parameter selection is given 219 in [SP800-57] (see especially Tables 2 and 3). 221 3. TLS Versions 223 These ciphersuites make use of the authenticated encryption with 224 additional data defined in TLS 1.2 [RFC5288]. They MUST NOT be 225 negotiated in older versions of TLS. Clients MUST NOT offer these 226 cipher suites if they do not offer TLS 1.2 or later. Servers which 227 select an earlier version of TLS MUST NOT select one of these cipher 228 suites. Earlier versions do not have support for AEAD; for instance, 229 the TLSCiphertext structure does not have the "aead" option in TLS 230 1.1. Because TLS has no way for the client to indicate that it 231 supports TLS 1.2 but not earlier, a non-compliant server might 232 potentially negotiate TLS 1.1 or earlier and select one of the cipher 233 suites in this document. Clients MUST check the TLS version and 234 generate a fatal "illegal_parameter" alert if they detect an 235 incorrect version. 237 4. History 239 The 06 version replaces obsoleted references with updated ones to 240 RFC6606, RFC6655, RFC5246, fixes a boilerplate error, and corrects 241 the section reference for the truncated HMAC RFC. It also changes 242 the mandatory-to-implement curves and hash algorithms to be less 243 restrictive, so that the specification can potentially be used with 244 curves other than secp256r1, secp384r1, and secp521r1. A reference 245 to SP 800-57 was added to provide guidance on parameter selection. 247 The 05 version updated the IANA considerations. 249 The 04 version changed the intended status to "Informational", and 250 removed the redundant definition of the AEAD nonce and replaced it 251 with a reference to draft-mcgrew-tls-aes-ccm, to avoid incompatible 252 descriptions. 254 The 03 version removed materials that are redundant with 255 draft-mcgrew-tls-aes-ccm, and replaced them with references to that 256 draft. That draft has been approved for RFC and will be a suitable 257 stable normative reference. 259 The 02 version removed the AEAD_AES_128_CCM_12 and 260 AEAD_AES_256_CCM_12 AEAD algorithms, because they were not needed in 261 any ciphersuites. The AES-256 ciphersuites were retained, however, 262 to provide a secure cipher for use with the higher security curves 263 secp384r1 and secp521r1. 265 This section is to be removed by the RFC editor upon publication. 267 5. IANA Considerations 269 IANA is requested to assign the values for the ciphersuites defined 270 in Section Section 2 from the TLS and DTLS CipherSuite registries. 271 IANA, please note that the DTLS-OK column should be marked as "Y" for 272 each of these algorithms. 274 6. Security Considerations 276 6.1. Perfect Forward Secrecy 278 The perfect forward secrecy properties of ephemeral Diffie-Hellman 279 ciphersuites are discussed in the security analysis of [RFC5246]. 280 This analysis applies to the ECDHE ciphersuites. 282 6.2. Counter Reuse 284 AES-CCM security requires that the counter is never reused. The IV 285 construction in Section 2 is designed to prevent counter reuse. 287 7. Acknowledgements 289 This draft borrows heavily from [RFC5288]. Thanks are due to Robert 290 Cragie for his great help in making this work complete, correct, and 291 useful. 293 This draft is motivated by the considerations raised in the Zigbee 294 Smart Energy 2.0 working group. 296 8. References 298 8.1. Normative References 300 [AES] National Institute of Standards and Technology, 301 "Specification for the Advanced Encryption Standard 302 (AES)", FIPS 197, November 2001. 304 [CCM] National Institute of Standards and Technology, 305 "Recommendation for Block Cipher Modes of Operation: The 306 CCM Mode for Authentication and Confidentiality", SP 800- 307 38C, May 2004. 309 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 310 Requirement Levels", BCP 14, RFC 2119, March 1997. 312 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 313 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 314 for Transport Layer Security (TLS)", RFC 4492, May 2006. 316 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 317 Encryption", RFC 5116, January 2008. 319 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 320 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 322 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 323 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 324 August 2008. 326 [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography 327 (ECC) Brainpool Standard Curves and Curve Generation", 328 RFC 5639, March 2010. 330 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 331 Extension Definitions", RFC 6066, January 2011. 333 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 334 Curve Cryptography Algorithms", RFC 6090, February 2011. 336 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 337 Security Version 1.2", RFC 6347, January 2012. 339 [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for 340 Transport Layer Security (TLS)", RFC 6655, July 2012. 342 [SP800-57] 343 National Institute of Standards and Technology, 344 "Recommendation for Key Management - Part 1: General 345 (Revision 3)", SP 800-57 Part 1, July 2012. 347 8.2. Informative References 349 [IEEE802154] 350 Institute of Electrical and Electronics Engineers, 351 "Wireless Personal Area Networks", IEEE Standard 802.15.4- 352 2006, 2006. 354 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 355 Mode with IPsec Encapsulating Security Payload (ESP)", 356 RFC 4309, December 2005. 358 Authors' Addresses 360 David McGrew 361 Cisco Systems 362 13600 Dulles Technology Drive 363 Herndon, VA 20171 364 USA 366 Email: mcgrew@cisco.com 368 Daniel V. Bailey 369 RSA/EMC 370 174 Middlesex Tpke. 371 Bedford, MA 01463 372 USA 374 Email: dbailey@rsa.com 376 Matthew Campagna 377 Certicom Corp. 378 5520 Explorer Drive #400 379 Mississauga, Ontario L4W 5L1 380 Canada 382 Email: mcampagna@certicom.com 384 Robert Dugal 385 Certicom Corp. 386 5520 Explorer Drive #400 387 Mississauga, Ontario L4W 5L1 388 Canada 390 Email: rdugal@certicom.com