Internet Research Task Force                                     Y. Yang
Internet-Draft                                              BaishanCloud
Intended status: Informational                                    R. Tse
Expires: October 24, 2018                                         Ribose
                                                           M-J. Saarinen
                                                  Independent Consultant
                                                                 W. Wong
                                           Hang Seng Management College
                                                          April 22, 2018

                    SM3 and SM4 Cipher Suites for TLS
                      draft-sca-curdle-tls-sm34-00

Abstract

   This document describes TLS cipher suites that utilize the SM3
   cryptographic hash algorithm (GB/T 32905-2016) and the SM4 symmetric
   blockcipher algorithm (GB/T 32907-2016), both published by the State
   Cryptography Administration of China (SCA).

   This document is a product of the Crypto Forum Research Group (CFRG).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on October 24, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  Terms and Definitions
   3.  Cipher Suites
     3.1.  HMAC-Based
     3.2.  Galois Counter Mode-Based
     3.3.  Counter and CBC-MAC Mode-Based
     3.4.  OCB
   4.  TLS Versions
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Authors' Addresses

1.  Introduction

   The SM3 [I-D.sca-cfrg-sm3] [GBT.32905-2016] [ISO.IEC.10118-3] and SM4
   [I-D.ribose-cfrg-sm4] [GBT.32907-2016] [ISO.IEC.18033-3.AMD2]
   algorithms are published by the State Cryptography Administration
   (SCA) of China [SCA] for authorized use within China.
   Both algorithms are published openly and are now commonly available
   in cryptographic libraries.

   SM3 is a cryptographic hash algorithm that produces a 256-bit hash
   value from 512-bit input message blocks, for input lengths up to
   2^(m).

   SM4 is a symmetric encryption algorithm, a blockcipher to be exact,
   designed for data encryption; it acts on 128-bit blocks.

   TLS versions at and beyond 1.2 [RFC5246] contain support for
   authenticated encryption with additional data (AEAD) cipher modes
   [RFC5116].

   This document describes the use of SM4 [I-D.ribose-cfrg-sm4] in
   conjunction with various key exchange mechanisms as a cipher suite
   for TLS, in two ways:

   o  by using SM4 with authenticated encryption modes (CCM, GCM, OCB),
      in a manner similar to [RFC7251];

   o  by using SM4 together with SM3 [I-D.sca-cfrg-sm3] as the MAC, in
      a manner similar to [RFC5288], [RFC5289] and [RFC7539].

   TODO: describe SM4 AE modes...

2.  Terms and Definitions

   The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*",
   "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT
   RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
   when, they appear in all capitals, as shown here.

3.  Cipher Suites

   Cipher suites defined in this document are based on the SM4-CCM
   Authenticated Encryption with Associated Data (AEAD) algorithms
   AEAD_SM4_128_CCM and AEAD_SM4_256_CCM described in
   [I-D.ribose-cfrg-sm4ae].
3.1.  HMAC-Based

   These cipher suites use SM4 in Cipher Block Chaining (CBC) mode with
   an HMAC-based MAC:

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};

   These cipher suites are the same as the corresponding cipher suites
   in [RFC5289] (with names here ending in "_SM3" in place of
   "_SHA256"), except for the MAC and Pseudo Random Function (PRF)
   algorithms.

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.  The
   MAC is HMAC [RFC2104] with SM3 as the hash function.

3.2.  Galois Counter Mode-Based

   These cipher suites use the same asymmetric algorithms as those in
   the previous section, but use the authenticated encryption modes
   defined in TLS 1.3 [I-D.ietf-tls-tls13] with SM4 in Galois Counter
   Mode (GCM):

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
      CipherSuite TLS_RSA_WITH_SM4_GCM_SM3         = {0xYY,0xYY};
      CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3     = {0xYY,0xYY};

   These cipher suites use the authenticated encryption with additional
   data algorithm AEAD_SM4_GCM described in [I-D.ribose-cfrg-sm4ae].

   Each of these AEAD algorithms uses a 128-bit authentication tag with
   GCM (in particular, as described in Section 3.5 of [RFC4366] and
   Section 3 of [RFC5288]).

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.
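The PRF and key expansion that Sections 3.1 and 3.2 rely on, as an added Python example that is not code from this draft or from the SM3/SM4 drafts it cites: the RFC 5246 PRF written with the hash function as a parameter, so it can be instantiated with SM3 where the hashlib build behind Python offers "sm3" (it is self-checked against the GB/T 32905-2016 known answer for "abc") and exercised with SHA-256 where it does not. The function names, the key-block layout helper and the assumed key sizes are the example's own.

```python
import hashlib
import hmac


def hmac_hash(hash_name: str, key: bytes, msg: bytes) -> bytes:
    # hash_name is any name hashlib.new() accepts; "sm3" is present only
    # when the OpenSSL behind hashlib provides SM3 (see sm3_available()).
    return hmac.new(key, msg, hash_name).digest()


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246, Section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac_hash(hash_name, secret, a)          # A(i)
        out += hmac_hash(hash_name, secret, a + seed)
    return bytes(out[:length])


def tls12_prf(hash_name: str, secret: bytes, label: bytes,
              seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed).
    For the suites in this draft hash_name is "sm3"."""
    return p_hash(hash_name, secret, label + seed, length)


def sm3_available() -> bool:
    try:
        hashlib.new("sm3")
        return True
    except ValueError:
        return False


def sm3_selftest() -> bool:
    """Known answer SM3("abc") from GB/T 32905-2016; False if SM3 is absent."""
    if not sm3_available():
        return False
    return hashlib.new("sm3", b"abc").hexdigest() == (
        "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0")


def key_block(hash_name, master_secret, server_random, client_random,
              mac_len, key_len, iv_len):
    """RFC 5246, Section 6.3 key expansion, split in record-layer order.
    Assumed sizes: SM4_CBC_SM3 -> mac_len 32, key_len 16, iv_len 16;
    the GCM/CCM suites -> mac_len 0, key_len 16, iv_len 4 (nonce salt)."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = tls12_prf(hash_name, master_secret, b"key expansion",
                   server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    parts, pos = {}, 0
    for name, size in zip(names, sizes):
        parts[name] = kb[pos:pos + size]
        pos += size
    return parts
```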
3.3.  Counter and CBC-MAC Mode-Based

   These cipher suites use the same asymmetric algorithms as those in
   the previous section, but use the authenticated encryption modes
   defined in TLS 1.3 with SM4 in Counter with CBC-MAC Mode (CCM):

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CCM = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CCM  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_CCM   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_CCM    = {0xYY,0xYY};
      CipherSuite TLS_RSA_WITH_SM4_CCM         = {0xYY,0xYY};
      CipherSuite TLS_DHE_RSA_WITH_SM4_CCM     = {0xYY,0xYY};
      CipherSuite TLS_DH_RSA_WITH_SM4_CCM      = {0xYY,0xYY};
      CipherSuite TLS_DHE_DSS_WITH_SM4_CCM     = {0xYY,0xYY};
      CipherSuite TLS_DH_DSS_WITH_SM4_CCM      = {0xYY,0xYY};
      CipherSuite TLS_DH_anon_WITH_SM4_CCM     = {0xYY,0xYY};

   These cipher suites use the authenticated encryption with additional
   data algorithm AEAD_SM4_CCM described in [I-D.ribose-cfrg-sm4ae].

   Each of these AEAD algorithms uses a 128-bit authentication tag with
   CCM (in particular, as described in Section 3.5 of [RFC4366] and
   Section 3 of [RFC5288]).

   The "nonce" input to the AEAD algorithm is as defined in [RFC6655].

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

3.4.  OCB

   The following cipher suites are defined:

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_OCB = {0xYY,0xYY}
      ...

   The "nonce" input to the AEAD algorithm is as defined in [RFC6655].

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

   Further requirements provided in Section 2 of [RFC7251] apply.

4.  TLS Versions

   These cipher suites make use of the authenticated encryption with
   additional data defined in TLS 1.2 [RFC5288].

   o  They *MUST NOT* be negotiated in older versions of TLS.

   o  Clients *MUST NOT* offer these cipher suites if they do not offer
      TLS 1.2 or later.

   o  Servers that select an earlier version of TLS *MUST NOT* select
      one of these cipher suites.
      Earlier versions do not have support for AEAD; for instance, the
      TLSCiphertext structure does not have the "aead" option in TLS
      1.1.  Because TLS has no way for the client to indicate that it
      supports TLS 1.2 but not earlier versions, a non-compliant server
      might potentially negotiate TLS 1.1 or earlier and select one of
      the cipher suites in this document.

   o  Clients *MUST* check the TLS version and generate a fatal
      "illegal_parameter" alert if they detect an incorrect version.

5.  Security Considerations

   The security considerations in [RFC4346], [RFC4492],
   [I-D.ribose-cfrg-sm4], and [I-D.sca-cfrg-sm3] apply.

   o  Products and services that utilize cryptography are regulated by
      the SCA [SCA]; they must be explicitly approved or certified by
      the SCA before being allowed to be sold or used in China.

   o  The cipher suites described in this document *SHOULD* only be
      used with TLS 1.3 or greater [I-D.ietf-tls-tls13].

   o  CCM security requires that the counter never be reused.  The
      nonce/IV requirement in Section 3.3 is designed to prevent counter
      reuse.
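The nonce rule of Section 3.3 together with the counter-reuse point of Section 5 and the version check of Section 4, as an added Python example that is not code from this draft: a sender that forms the RFC 6655 nonce from the 4-byte salt (the write IV from the key block) and the 64-bit record sequence number and stops before the sequence space could wrap, a receiver that rejects a repeated nonce_explicit, and the client-side check that aborts with illegal_parameter when a server pairs one of these suites with a version below TLS 1.2. The class and function names and the constructed salt are the example's own.

```python
import struct

TLS_1_2 = (3, 3)  # ProtocolVersion {major, minor} of TLS 1.2


class NonceReuse(Exception):
    """Raised when a CCM/GCM nonce would be used twice under one key."""


class CcmSender:
    """Per-record nonces as RFC 6655 lays them out for TLS 1.2 AEAD suites:
    nonce = salt (4 bytes, the write IV from the key block) ||
            nonce_explicit (8 bytes; here the 64-bit record sequence number).
    The explicit part is sent in the record; the salt never is."""

    def __init__(self, salt: bytes):
        if len(salt) != 4:
            raise ValueError("write IV (salt) must be 4 bytes")
        self.salt = salt
        self.seq = 0  # next sequence number to use

    def next_nonce(self):
        # A wrapped sequence number would repeat an earlier nonce under
        # the same key, so refuse to continue; the connection must rekey.
        if self.seq >= 1 << 64:
            raise NonceReuse("64-bit sequence space exhausted")
        explicit = struct.pack(">Q", self.seq)
        self.seq += 1
        return self.salt + explicit, explicit


class CcmReceiver:
    """Rebuilds the nonce from the received explicit part and refuses any
    value already seen under the current key."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self.seen = set()

    def nonce_for(self, explicit: bytes) -> bytes:
        if len(explicit) != 8:
            raise ValueError("nonce_explicit must be 8 bytes")
        if explicit in self.seen:
            raise NonceReuse("repeated nonce_explicit %s" % explicit.hex())
        self.seen.add(explicit)
        return self.salt + explicit


def is_sm4_suite(name: str) -> bool:
    # Every suite in this draft is named TLS_<kx>_WITH_SM4_<mode>...
    return "_WITH_SM4_" in name


def client_version_check(version, suite: str):
    """Section 4: a server that selects one of these suites with a version
    below TLS 1.2 is non-compliant; the client must send a fatal
    illegal_parameter alert.  Returns the alert description or None."""
    if is_sm4_suite(suite) and tuple(version) < TLS_1_2:
        return "illegal_parameter"
    return None
```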
6.  IANA Considerations

   IANA has assigned the following values for these cipher suites:

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
      CipherSuite TLS_RSA_WITH_SM4_GCM_SM3         = {0xYY,0xYY};
      CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3     = {0xYY,0xYY};

7.  References

7.1.  Normative References

   [GBT.32905-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32905-2016: Information security techniques
              -- SM3 cryptographic hash algorithm", August 2016.

   [GBT.32907-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32907-2016: Information security technology
              -- SM4 block cipher algorithm", August 2016.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018.

   [I-D.ribose-cfrg-sm4]
              Tse, R., Wong, W., and M. Saarinen, "The SM4 Blockcipher
              Algorithm And Its Modes Of Operations", draft-ribose-cfrg-
              sm4-10 (work in progress), April 2018.

   [I-D.ribose-cfrg-sm4ae]
              Tse, R., Wong, W., and M. Saarinen, "Authenticated
              Encryption For The SM4 Blockcipher Algorithm", draft-
              ribose-cfrg-sm4ae-00 (work in progress), April 2018.
   [I-D.sca-cfrg-sm3]
              Shen, S., Lee, X., Tse, R., Wong, W., and P. Yang, "The
              SM3 Cryptographic Hash Function", draft-sca-cfrg-sm3-02
              (work in progress), January 2018.

   [ISO.IEC.10118-3]
              International Organization for Standardization, "ISO/IEC
              FDIS 10118-3 -- Information technology -- Security
              techniques -- Hash-functions -- Part 3: Dedicated hash-
              functions", September 2017.

   [ISO.IEC.18033-3.AMD2]
              International Organization for Standardization, "ISO/IEC
              WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block
              ciphers -- Amendment 2", June 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

7.2.  Informative References

   [BOTAN]    Lloyd, J., "Botan: Crypto and TLS for C++11", October
              2017.

   [GB.15629.11-2003]
              Standardization Administration of the People's Republic of
              China, "Information technology -- Telecommunications and
              information exchange between systems -- Local and
              metropolitan area networks -- Specific requirements --
              Part 11: Wireless LAN Medium Access Control (MAC) and
              Physical Layer (PHY) Specifications", May 2003.

   [GBT.33560-2017]
              Standardization Administration of the People's Republic of
              China, "GB/T 33560-2017: Information security technology
              -- Cryptographic application identifier criterion
              specification", May 2017.

   [GMT-0002-2012]
              Office of State Commercial Administration of China, "GM/T
              0002-2012: SM4 block cipher algorithm", March 2012.

   [GMT-0004-2012]
              Organization of State Commercial Administration of China,
              "GM/T 0004-2012: SM3 Cryptographic Hash Algorithm", March
              2012.
   [GMT-0006-2012]
              Office of State Commercial Administration of China, "GM/T
              0006-2012: Cryptographic Application Identifier Criterion
              Specification", March 2012.

   [ISO.IEC.18033-3]
              International Organization for Standardization, "ISO/IEC
              18033-3:2010 -- Encryption algorithms -- Part 3: Block
              ciphers", December 2017.

   [NIST.SP.800-38A]
              Dworkin, M., "NIST Special Publication 800-38A:
              Recommendation for Block Cipher Modes of Operation --
              Methods and Techniques", December 2001.

   [OPENSSL]  OpenSSL Software Foundation, "OpenSSL: Cryptography and
              SSL/TLS Toolkit", October 2017.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346,
              DOI 10.17487/RFC4346, April 2006.

   [RFC4366]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492,
              DOI 10.17487/RFC4492, May 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              DOI 10.17487/RFC5288, August 2008.
   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
              256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              DOI 10.17487/RFC5289, August 2008.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655,
              DOI 10.17487/RFC6655, July 2012.

   [RFC7251]  McGrew, D., Bailey, D., Campagna, M., and R. Dugal, "AES-
              CCM Elliptic Curve Cryptography (ECC) Cipher Suites for
              TLS", RFC 7251, DOI 10.17487/RFC7251, June 2014.

   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015.

   [SCA]      State Cryptography Administration of China, "State
              Cryptography Administration of China", December 2017.

Appendix A.  Acknowledgements

   This document borrows heavily from [RFC5288], [RFC5289], and
   [RFC7251].

Authors' Addresses

   Paul Y. Yang
   BaishanCloud
   Building 16-3, Baitasan Street
   Shenyang, Liaoning 110000
   People's Republic of China

   Email: yang.yang@baishancloud.com
   URI:   https://www.baishancloud.com

   Ronald Henry Tse
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   People's Republic of China

   Email: ronald.tse@ribose.com
   URI:   https://www.ribose.com

   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi
   URI:   https://mjos.fi/

   Wai Kit Wong
   Hang Seng Management College
   Hang Shin Link, Siu Lek Yuen
   Shatin, Hong Kong
   People's Republic of China

   Email: wongwk@hsmc.edu.hk
   URI:   https://www.hsmc.edu.hk