idnits 2.17.1 draft-mcgrew-tls-aes-ccm-ecc-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 12, 2014) is 3719 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS Working Group D. McGrew 3 Internet-Draft Cisco Systems 4 Intended status: Informational D. Bailey 5 Expires: August 16, 2014 RSA/EMC 6 M. Campagna 7 R. Dugal 8 Certicom Corp. 9 February 12, 2014 11 AES-CCM ECC Cipher Suites for TLS 12 draft-mcgrew-tls-aes-ccm-ecc-08 14 Abstract 16 This memo describes the use of the Advanced Encryption Standard (AES) 17 in the Counter and CBC-MAC Mode (CCM) of operation within Transport 18 Layer Security (TLS) to provide confidentiality and data origin 19 authentication. The AES-CCM algorithm is amenable to compact 20 implementations, making it suitable for constrained environments, 21 while at the same time providing a high level of security. The 22 ciphersuites defined in this document use Elliptic Curve Cryptography 23 (ECC), and are advantageous in networks with limited bandwidth. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on August 16, 2014. 42 Copyright Notice 44 Copyright (c) 2014 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 62 2. ECC based AES-CCM Cipher Suites . . . . . . . . . . . . . . . 3 63 2.1. AEAD algorithms . . . . . . . . . . . . . . . . . . . . . 5 64 2.2. Requirements on Curves and Hashes . . . . . . . . . . . . 5 66 3. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 4. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 70 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 73 6.1. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . 7 74 6.2. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . 7 75 6.3. Hardware Security Modules . . . . . . . . . . . . . . . . 7 77 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 79 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 80 8.1. Normative References . . . . . . . . . . . . . . . . . . . 8 81 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 83 Appendix A. Recommended Curves and Algorithms . . . . . . . . . . 9 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 87 1. Introduction 89 This document describes the use of Advanced Encryption Standard (AES) 90 [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS 91 ciphersuites. AES-CCM provides both authentication and 92 confidentiality and uses as its only primitive the AES encrypt 93 operation (the AES decrypt operation is not needed). This makes it 94 amenable to compact implementations, which is advantageous in 95 constrained environments. Of course, adoption outside of constrained 96 environments is necessary to enable interoperability, such as that 97 between web clients and embedded servers, or between embedded clients 98 and web servers. The use of AES-CCM has been specified for IPsec ESP 99 [RFC4309] and 802.15.4 wireless networks [IEEE802154]. 101 Authenticated encryption, in addition to providing confidentiality 102 for the plaintext that is encrypted, provides a way to check its 103 integrity and authenticity. Authenticated Encryption with Associated 104 Data, or AEAD [RFC5116], adds the ability to check the integrity and 105 authenticity of some associated data that is not encrypted. This 106 memo utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES- 107 CCM-based AEAD algorithms defined in [RFC5116] and [RFC6655] . All 108 of these algorithms use AES-CCM; some have shorter authentication 109 tags, and are therefore more suitable for use across networks in 110 which bandwidth is constrained and message sizes may be small. 112 The ciphersuites defined in this document use Ephemeral Elliptic 113 Curve Diffie-Hellman (ECDHE) as their key establishment mechanism; 114 these ciphersuites can be used with DTLS [RFC6347]. 116 1.1. Conventions Used In This Document 118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 120 document are to be interpreted as described in [RFC2119]. 122 2. ECC based AES-CCM Cipher Suites 124 The ciphersuites defined in this document are based on the AES-CCM 125 authenticated encryption with associated data (AEAD) algorithms 126 AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The 127 following ciphersuites are defined: 129 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM = {TBD1,TBD1} 130 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM = {TBD2,TBD2} 131 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = {TBD3,TBD3} 132 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = {TBD4,TBD4} 134 These ciphersuites make use of the AEAD capability in TLS 1.2 135 [RFC5246]. Note that each of these AEAD algorithms uses AES-CCM. 136 Ciphersuites ending with "8" use eight-octet authentication tags; the 137 other ciphersuites have 16 octet authentication tags. 139 The HMAC truncation option described in Section 7 of [RFC6066] (which 140 negotiates the "truncated_hmac" TLS extension) does not have an 141 effect on the cipher suites defined in this note, because they do not 142 use HMAC to protect TLS records. 144 The "nonce" input to the AEAD algorithm is as defined in [RFC6655]. 146 In DTLS, the 64-bit seq_num field is the 16-bit DTLS epoch field 147 concatenated with the 48-bit sequence_number field. The epoch and 148 sequence_number appear in the DTLS record layer. 150 This construction allows the internal counter to be 32-bits long, 151 which is a convenient size for use with CCM. 153 These ciphersuites make use of the default TLS 1.2 Pseudorandom 154 Function (PRF), which uses HMAC with the SHA-256 hash function. 156 The ECDHE_ECDSA key exchange is performed as defined in [RFC4492], 157 with the following additional stipulations: 159 o Curves with a cofactor equal to one SHOULD be used; this 160 simplifies their use. 161 o The uncompressed point format MUST be supported. Other point 162 formats MAY be used. 163 o The client SHOULD offer the elliptic_curves extension and the 164 server SHOULD expect to receive it. 165 o The client MAY offer the ec_point_formats extension, but the 166 server need not expect to receive it. 167 o [RFC6090] MAY be used as an implementation method. 168 o Following [RFC4492], the server's certificate MUST contain a 169 suitable ECC public key, and MUST be signed with a suitable ECC 170 public key. The elliptic curve and hash function SHOULD be 171 selected to ensure a uniform security level; guidance on 172 acceptable choices of hashes and curves that can be used with each 173 ciphersuite is detailed in Section 2.2. The Signature Algorithms 174 extension (Section 7.4.1.4.1 of [RFC5246]) SHOULD be used to 175 indicate support of those signature and hash algorithms. If a 176 client certificate is used, the same criteria SHOULD apply to it. 178 Implementations of these ciphersuites will interoperate with 179 [RFC4492], but can be more compact than a full implementation of that 180 RFC. 182 2.1. AEAD algorithms 184 The following AEAD algorithms are used: 186 AEAD_AES_128_CCM is used in the TLS_ECDHE_ECDSA_WITH_AES_128_CCM 187 ciphersuite, 189 AEAD_AES_256_CCM is used in the TLS_ECDHE_ECDSA_WITH_AES_256_CCM 190 ciphersuite, 192 AEAD_AES_128_CCM_8 is used in the 193 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite, and 195 AEAD_AES_256_CCM_8 is used in the 196 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 ciphersuite. 198 2.2. Requirements on Curves and Hashes 200 Implementations SHOULD select elliptic curves and hash functions so 201 that AES-128 is used with a curve and a hash function supporting a 202 128-bit security level, and AES-256 is used with a curve and a hash 203 function supporting a 192-bit or 256-bit security level. More 204 detailed guidance on cryptographic parameter selection is given in 205 [SP800-57] (see especially Tables 2 and 3). 207 Appendix A describes suitable curves and hash functions that are 208 widely available. 210 3. TLS Versions 212 These ciphersuites make use of the authenticated encryption with 213 additional data defined in TLS 1.2 [RFC5288]. They MUST NOT be 214 negotiated in older versions of TLS. Clients MUST NOT offer these 215 cipher suites if they do not offer TLS 1.2 or later. Servers which 216 select an earlier version of TLS MUST NOT select one of these cipher 217 suites. Earlier versions do not have support for AEAD; for instance, 218 the TLSCiphertext structure does not have the "aead" option in TLS 219 1.1. Because TLS has no way for the client to indicate that it 220 supports TLS 1.2 but not earlier, a non-compliant server might 221 potentially negotiate TLS 1.1 or earlier and select one of the cipher 222 suites in this document. Clients MUST check the TLS version and 223 generate a fatal "illegal_parameter" alert if they detect an 224 incorrect version. 226 4. History 228 The 08 version changed a MUST to a SHOULD to align with [RFC4492] and 229 tweaked text identified during IESG review. It also adds text 230 describing the unfortunate interaction between PKCS 11 and the TLS 231 AEAD ciphersuites that Mike StJohns identified. 233 The 07 version removed the mandatory-to-implement elliptic curves and 234 hash functions, and replaced them with non-normative guidance, which 235 is in Appendix A. 237 The 06 version replaced obsoleted references with updated ones to 238 RFC6066, RFC6655, RFC5246, fixes a boilerplate error, and corrects 239 the section reference for the truncated HMAC RFC. It also changes 240 the mandatory-to-implement curves and hash algorithms to be less 241 restrictive, so that the specification can potentially be used with 242 curves other than secp256r1, secp384r1, and secp521r1. A reference 243 to SP 800-57 was added to provide guidance on parameter selection. 245 The 05 version updated the IANA considerations. 247 The 04 version changed the intended status to "Informational", and 248 removed the redundant definition of the AEAD nonce and replaced it 249 with a reference to draft-mcgrew-tls-aes-ccm, to avoid incompatible 250 descriptions. 252 The 03 version removed materials that are redundant with 253 draft-mcgrew-tls-aes-ccm, and replaced them with references to that 254 draft. That draft has been approved for RFC and will be a suitable 255 stable normative reference. 257 The 02 version removed the AEAD_AES_128_CCM_12 and 258 AEAD_AES_256_CCM_12 AEAD algorithms, because they were not needed in 259 any ciphersuites. The AES-256 ciphersuites were retained, however, 260 to provide a secure cipher for use with the higher security curves 261 secp384r1 and secp521r1. 263 This section is to be removed by the RFC editor upon publication. 265 5. IANA Considerations 267 IANA is requested to assign the values for the ciphersuites defined 268 in Section Section 2 from the TLS and DTLS CipherSuite registries. 269 IANA, please note that the DTLS-OK column should be marked as "Y" for 270 each of these algorithms. 272 6. Security Considerations 274 6.1. Perfect Forward Secrecy 276 The perfect forward secrecy properties of ephemeral Diffie-Hellman 277 ciphersuites are discussed in the security analysis of [RFC5246]. 278 This analysis applies to the ECDHE ciphersuites. 280 6.2. Counter Reuse 282 AES-CCM security requires that the counter is never reused. The 283 nonce construction in Section 2 is designed to prevent counter reuse. 285 6.3. Hardware Security Modules 287 A ciphersuite can be implemented in such a way that the secret keys 288 and private keys are stored inside a Hardware Security Module (HSM), 289 and the cryptographic operations involving those keys are performed 290 by the HSM on data provided by an application interacting with the 291 HSM through an interface such as that defined by the Cryptographic 292 Token Interface Standard [PKCS11]. When an AEAD ciphersuite, such as 293 those in this note, are implemented in this way, special handling of 294 the nonce is required. This is because the "salt" part of the nonce 295 is set to the client_write_IV or server_write_IV, which is a function 296 of the TLS master secret. 298 Another potential issue with the Cryptographic Token Interface 299 Standard is that the use of the DecryptUpdate function is not 300 possible with the CCM decrypt operation, or the decrypt operation any 301 other authenticated encryption method. This is because the 302 DecryptUpdate requires that post-decryption plaintext be returned 303 before the authentication check is completed. 305 7. Acknowledgements 307 This draft borrows heavily from [RFC5288]. Thanks are due to Robert 308 Cragie for his great help in making this work complete, correct, and 309 useful, and to Peter Dettman for his review. Thanks also to Mike 310 StJohns for pointing out the HSM issues. 312 This draft is motivated by the considerations raised in the Zigbee 313 Smart Energy 2.0 working group. 315 8. References 316 8.1. Normative References 318 [AES] National Institute of Standards and Technology, 319 "Specification for the Advanced Encryption Standard 320 (AES)", FIPS 197, November 2001. 322 [CCM] National Institute of Standards and Technology, 323 "Recommendation for Block Cipher Modes of Operation: The 324 CCM Mode for Authentication and Confidentiality", SP 800- 325 38C, May 2004. 327 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 328 Requirement Levels", BCP 14, RFC 2119, March 1997. 330 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 331 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 332 for Transport Layer Security (TLS)", RFC 4492, May 2006. 334 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 335 Encryption", RFC 5116, January 2008. 337 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 338 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 340 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 341 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 342 August 2008. 344 [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography 345 (ECC) Brainpool Standard Curves and Curve Generation", 346 RFC 5639, March 2010. 348 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 349 Extension Definitions", RFC 6066, January 2011. 351 [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic 352 Curve Cryptography Algorithms", RFC 6090, February 2011. 354 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 355 Security Version 1.2", RFC 6347, January 2012. 357 [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for 358 Transport Layer Security (TLS)", RFC 6655, July 2012. 360 [SP800-57] 361 National Institute of Standards and Technology, 362 "Recommendation for Key Management - Part 1: General 363 (Revision 3)", SP 800-57 Part 1, July 2012. 365 8.2. Informative References 367 [IEEE802154] 368 Institute of Electrical and Electronics Engineers, 369 "Wireless Personal Area Networks", IEEE Standard 802.15.4- 370 2006, 2006. 372 [PKCS11] RSA Laboratories, "PKCS #11: Cryptographic Token Interface 373 Standard version 2.20", Public Key Cryptography 374 Standards PKCS#11-v2.20, 2004. 376 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 377 Mode with IPsec Encapsulating Security Payload (ESP)", 378 RFC 4309, December 2005. 380 Appendix A. Recommended Curves and Algorithms 382 This memo does not mandate any particular elliptic curves or 383 cryptographic algorithms, for the sake of flexibility. However, 384 since the main motivation for the AES-CCM-ECC ciphersuites is their 385 suitability for constrained environments, it is valuable to identify 386 a particular suitable set of curves and algorithms. 388 This appendix identifies a set of elliptic curves and cryptographic 389 algorithms that meet the requirements of this note, which are widely 390 supported and believed to be secure. 392 The curves and hash algorithms recommended for each ciphersuite are: 394 An implementation that includes either 395 TLS_ECDHE_ECDSA_WITH_AES_128_CCM or 396 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 SHOULD support the secp256r1 397 curve and the SHA-256 hash function. 398 An implementation that includes either 399 TLS_ECDHE_ECDSA_WITH_AES_256_CCM or 400 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 SHOULD support the secp384r1 401 curve and the SHA-384 hash function, and MAY support the secp521r1 402 curve and the SHA-512 hash function. 404 More information about the secp256r1, secp384r1, and secp521r1 curves 405 is available in Appendix A of [RFC4492]. 407 It is not necessary to implement the above curves and hash functions 408 in order to conform to this specification. Other elliptic curves, 409 such as the Brainpool curves [RFC5639] for example, meet the criteria 410 laid out in this memo. 412 Authors' Addresses 414 David McGrew 415 Cisco Systems 416 13600 Dulles Technology Drive 417 Herndon, VA 20171 418 USA 420 Email: mcgrew@cisco.com 422 Daniel V. Bailey 423 RSA/EMC 424 174 Middlesex Tpke. 425 Bedford, MA 01463 426 USA 428 Email: dbailey@rsa.com 430 Matthew Campagna 431 Certicom Corp. 432 5520 Explorer Drive #400 433 Mississauga, Ontario L4W 5L1 434 Canada 436 Email: mcampagna@certicom.com 438 Robert Dugal 439 Certicom Corp. 440 5520 Explorer Drive #400 441 Mississauga, Ontario L4W 5L1 442 Canada 444 Email: rdugal@certicom.com