One document matched: draft-ietf-tls-ecc-new-mac-05.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4346 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY rfc4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">
<!ENTITY rfc3686 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3686.xml">
<!ENTITY rfc5116 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
<!ENTITY I-D.ietf-tls-rfc4346-bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-rfc4346-bis.xml">
<!ENTITY I-D.ietf-tls-ctr SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-ctr.xml">
<!ENTITY I-D.ietf-tls-rsa-aes-gcm SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-rsa-aes-gcm.xml">
]>
<!-- $Id -->
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc inline="yes"?>
<?rfc toc="yes" ?>
<?rfc iprnotified="no" ?>
<?rfc compact="yes" ?>
<?rfc sortrefs="no" ?>
<?rfc colonspace='yes' ?>
<rfc category="info" ipr="full3978" docName="draft-ietf-tls-ecc-new-mac-05.txt">
<front>
<title abbrev="TLS ECC New MAC">TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode</title>
<author initials="E.K." surname="Rescorla"
fullname="Eric Rescorla">
<organization>RTFM, Inc.</organization>
<address>
<postal>
<street>2064 Edgewood Drive</street>
<city>Palo Alto</city>
<code>94303</code>
<state>CA</state>
<country>USA</country>
</postal>
<email>ekr@rtfm.com</email>
</address>
</author>
<date month="April" year="2008" />
<abstract>
<t>RFC 4492 describes elliptic curve cipher suites for
Transport Layer Security (TLS). However, all those
cipher suites use SHA-1 as their MAC algorithm. This
document describes sixteen new CipherSuites for TLS/DTLS
which specify stronger digest algorithms. Eight
use HMAC with SHA-256 or SHA-384 and eight use
AES in Galois Counter Mode (GCM).
</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="intro">
<t>
RFC 4492 <xref target="RFC4492"/> describes Elliptic Curve Cryptography
(ECC) cipher suites for Transport Layer Security (TLS). However, all of the RFC
4492 suites use HMAC-SHA1 as their MAC algorithm. Due to recent
analytic work on SHA-1 <xref target="Wang05"/>, the IETF is gradually moving away
from SHA-1 and towards stronger hash algorithms. This document
specifies TLS ECC cipher suites which use SHA-256 and SHA-384
rather than SHA-1.
</t>
<t>
TLS 1.2 <xref target="I-D.ietf-tls-rfc4346-bis"/>, adds support for authenticated encryption with additional data (AEAD)
cipher modes <xref target="RFC5116"/>. This document
also specifies a set of ECC cipher suites using one such mode,
Galois Counter Mode (GCM) <xref target="GCM"/>. Another document
<xref target="I-D.ietf-tls-rsa-aes-gcm"/>, provides support for
GCM with other key establishment methods.
</t>
<section title="Conventions Used In This Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
</section>
</section>
<section title="Cipher Suites">
<t>
This document defines 8 new cipher suites to be added to TLS. All use
Elliptic Curve Cryptography for key exchange and digital signature, as
defined in RFC 4492.
</t>
<section title="HMAC-based Cipher Suites">
<t>
The first eight cipher suites use AES <xref target="AES"/> in CBC
<xref target="CBC"/> mode with an
HMAC-based MAC:
</t>
<artwork>
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
</artwork>
<t>
These eight cipher suites are the same as the corresponding cipher
suites in RFC 4492 (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
and TLS_ECDH_RSA_WITH_AES_256_CBC_SHA) except for the hash and PRF
algorithms, which are SHA-256 and SHA-384 <xref target="SHS"/> as follows.
</t>
<artwork>
Cipher Suite MAC PRF
------------ --- ---
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 HMAC-SHA-256 P_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 HMAC-SHA-384 P_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 HMAC-SHA-256 P_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 HMAC-SHA-384 P_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 HMAC-SHA-256 P_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 HMAC-SHA-384 P_SHA384
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 HMAC-SHA-256 P_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 HMAC-SHA-384 P_SHA384
</artwork>
</section>
<section title="Galois Counter Mode-based Cipher Suites">
<t>
The second eight cipher suites use the same asymmetric algorithms
as those in the previous section but use the
new authenticated encryption
modes defined in TLS 1.2 with AES in Galois Counter Mode (GCM)
<xref target="GCM"/>:
</t>
<artwork>
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
</artwork>
<t>
These cipher suites use authenticated encryption with additional
data algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM described in
<xref target="RFC5116"/>. GCM is used
as described in <xref target="I-D.ietf-tls-rsa-aes-gcm"/>.
</t>
<t>
<artwork>
Cipher Suite PRF
------------ ---
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 P_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 P_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 P_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 P_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 P_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 P_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 P_SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 P_SHA384
</artwork>
</t>
</section>
</section>
<section title="Security Considerations">
<t>The security considerations in RFC 4346, RFC 4492, and
<xref target="I-D.ietf-tls-rsa-aes-gcm"/> apply to
this document as well. In addition, as described in
<xref target="I-D.ietf-tls-rsa-aes-gcm"/>, these cipher
suites may only be used with TLS 1.2 or greater.
</t>
</section>
<section title="IANA Considerations">
<t>
IANA has assigned the following values for these cipher suites:
<artwork>
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX};
CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX};
</artwork>
</t>
</section>
<section title="Acknowledgements">
<t>
This work was supported by the US Department of Defense.
</t>
<t>
David McGrew contributed substantual sections of the GCM nonce
text as well as providing a review of this document.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4492;
&rfc5116;
&I-D.ietf-tls-rfc4346-bis;
<reference anchor="AES">
<front>
<title abbrev="AES">Specification for the Advanced Encryption Standard (AES)</title>
<author initials="" surname="National Institute of Standards and Technology" fullname="National Institute of Standards and Technology"><organization></organization>
</author>
<date month="November" year="2001" />
</front>
<seriesInfo name="FIPS"
value="197" />
</reference>
<reference anchor="SHS">
<front>
<title abbrev="SHS">Secure Hash Standard</title>
<author initials="" surname="National Institute of Standards and Technology" fullname="National Institute of Standards and Technology">
</author>
<date month="August" year="2002" />
</front>
<seriesInfo name="FIPS"
value="180-2" />
</reference>
<reference anchor="CBC">
<front>
<title abbrev="GCM">Recommendation for Block Cipher Modes of Operation - Methods and Techniques</title>
<author initials="" surname="National Institute of Standards and Technology" fullname="National Institute of Standards and Technology">
</author>
<date month="December" year="2001" />
</front>
<seriesInfo name="SP"
value="800-38A" />
</reference>
<reference anchor="GCM">
<front>
<title abbrev="GCM">Recommendation for Block Cipher Modes of Operation: Galois;/Counter Mode (GCM) for Confidentiality and Authentication</title>
<author initials="" surname="National Institute of Standards and Technology" fullname="National Institute of Standards and Technology">
</author>
<date month="November" year="2007" />
</front>
<seriesInfo name="SP"
value="800-38D" />
</reference>
</references>
<references title="Informative References">
<reference anchor="Wang05">
<front>
<title abbrev="Wang05">Finding Collisions in the Full SHA-1</title>
<author initials="X" surname="Wang" fullname="Xiaoyun Wang"/>
<author initials="Y.L." surname="Yin" fullname="Yiqun Lisa Yin"/>
<author initials="H." surname="Yu" fullname="Hongbo Yu"/>
<date month="August" year="2005"/>
</front>
<seriesInfo name="CRYPTO" value="2005"/>
</reference>
&I-D.ietf-tls-rsa-aes-gcm;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 04:51:19 |