One document matched: draft-ietf-tls-rsa-aes-gcm-02.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2246.xml">
<!ENTITY rfc4346 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY rfc4347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4347.xml">
<!ENTITY rfc4106 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4106.xml">
<!ENTITY ietf-tls-rfc4346-bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-rfc4346-bis.xml">
<!ENTITY ietf-tls-ecc-new-mac SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-ecc-new-mac.xml">
<!ENTITY rescorla-tls-suiteb SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.rescorla-tls-suiteb.xml">
<!ENTITY rfc5116 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
]>
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<rfc ipr="full3978" category="std" docName="draft-ietf-tls-rsa-aes-gcm-02">
<front>
<title abbrev="AES-GCM Ciphersuites">AES-GCM Cipher Suites for TLS</title>
<author fullname="Joseph Salowey" initials="J" surname="Salowey">
<organization> Cisco Systems, Inc. </organization>
<address>
<postal>
<street>2901 3rd. Ave</street>
<city>Seattle</city>
<code>98121</code>
<region>WA</region>
<country>USA</country>
</postal>
<email> jsalowey@cisco.com </email>
</address>
</author>
<author fullname="Abhijit Choudhury" initials="A" surname="Choudhury">
<organization> Cisco Systems, Inc. </organization>
<address>
<postal>
<street>3625 Cisco Way</street>
<city>San Jose </city>
<code>95134</code>
<region>CA</region>
<country>USA</country>
</postal>
<email> abhijitc@cisco.com </email>
</address>
</author>
<author fullname="David McGrew" initials="D" surname="McGrew">
<organization>Cisco Systems, Inc.</organization>
<address><postal>
<street>170 W Tasman Drive</street>
<city>San Jose </city>
<code>95134</code>
<region>CA</region>
<country>USA</country>
</postal><email> mcgrew@cisco.com </email></address>
</author>
<date month="February" year="2008"/>
<area> Security Area </area>
<workgroup> TLS Working Group </workgroup>
<abstract>
<t> This memo describes the use of the Advanced Encryption Standard
(AES)
in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS)
authenticated encryption operation. GCM provides both confidentiality
and data origin authentication, can be efficiently implemented in
hardware for speeds of 10 gigabits per second and above, and is also
well-suited to software implementations. This memo defines TLS
ciphersuites that use AES-GCM with RSA, DSS and Diffie-Hellman based key exchange mechanisms.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This document describes the use of AES <xref target="AES" ></xref>in Galois Counter Mode (GCM) <xref target="GCM"></xref> (AES-GCM) with various key exchange mechanisms as a ciphersuite for TLS. AES-GCM is not only efficient and secure, but hardware implementations can achieve high speeds with low cost and low latency, because the mode can be pipelined. Applications
like CAPWAP, which uses DTLS, can benefit from the high-speed
implementations when wireless termination points (WTPs) and
controllers (ACs) have to meet requirements to support higher throughputs in the future. AES-GCM has been specified as a mode that can be used with IPsec ESP <xref target="RFC4106"></xref> and 802.1AE MAC Security <xref target="IEEE8021AE"></xref>. This document defines ciphersutes based on RSA, DSS and Diffie-Hellman key exchanges; ECC based ciphersuites are defined in a separate document <xref target="I-D.ietf-tls-ecc-new-mac"></xref>. AES-GCM is an authenticated encryption with associated data (AEAD) cipher, as defined in TLS 1.2 <xref target="I-D.ietf-tls-rfc4346-bis"></xref>. The ciphersuites defined in this draft may be used with Datagram TLS defined in <xref target="RFC4347"></xref>. This memo uses GCM in a way similar to <xref target="I-D.ietf-tls-ecc-new-mac"></xref>.</t>
</section>
<section title="Conventions Used In This Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"></xref></t>
</section>
<section title="AES-GCM Cipher Suites" anchor="rsasuite">
<t> The following ciphersuites use the new authenticated encryption
modes defined in TLS 1.2 with AES in Galois Counter Mode (GCM) <xref target="GCM"/>:</t>
<t><list style="hanging" >
<t>CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_256_GCM_SHA384 = {TBD,TBD}
</t></list></t>
<t>These ciphersuites use the AES-GCM authenticated encryption with associated data (AEAD) algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM described in <xref target="RFC5116"></xref>. Note that each of these AEAD algorithms uses a 128-bit authentication tag with GCM. The "nonce" SHALL be 12 bytes long and it is "partially
implicit" (see section 3.2.1 in <xref target="RFC5116"></xref>). Part of the nonce is generated as part of
the handshake process and is static for the entire session and the other part
is carried in each packet.
</t>
<figure >
<artwork >
Struct{
opaque salt[4];
opaque explicit_nonce_part[8];
} GCMNonce</artwork>
</figure>
<t> The salt is the "implicit" part of the nonce and is not sent in the packet. It is either the client_write_IV if the client is sending or the server_write_IV if the server is sending. These IVs SHALL be 4 bytes long, therefore, for all the algorithms
defined in this section, SecurityParameters.fixed_iv_length=4.
</t>
<t> The explicit_nonce_part is chosen by the sender and included in the
packet. Each value of the explicit_nonce_part MUST be distinct for each distinct invocation of GCM encrypt function for any fixed key. Failure to meet this uniqueness
requirement can significantly degrade security. The explicit_nonce_part is carried in the IV field of the GenericAEADCipher structure. For all the algorithms defined in this section, SecurityParameters.record_iv_length=8. </t>
<t>In the case of TLS the explicit_nonce_part MAY be the 64-bit sequence number. In the case of Datagram TLS <xref target="RFC4347" /> the explicit_nonce_part MAY be formed from the concatenation of the 16-bit epoch with the 48-bit DTLS seq_num.</t>
<t>The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, and DH_anon key exchanges are performed as defined in <xref target="I-D.ietf-tls-rfc4346-bis"></xref>.</t>
<t>The PRF algorithms SHALL be as follows:</t><t>For ciphersuites ending in _SHA256 the hash function is SHA256.</t> <t>For ciphersuites ending in _SHA384 the hash function is SHA384.</t>
</section>
<section title="TLS Versions">
<t>These ciphersuites make use of the authenticated encryption with additional data defined in TLS 1.2 <xref target="I-D.ietf-tls-rfc4346-bis"></xref>. They MUST NOT be negotiated in older versions of TLS.
Clients MUST NOT offer these cipher suites if they do not offer TLS
1.2 or later. Servers which select an earlier version of TLS MUST
NOT select one of these cipher suites. Because TLS has no way for
the client to indicate that it supports TLS 1.2 but not earlier, a
non-compliant server might potentially negotiate TLS 1.1 or earlier
and select one of the cipher suites in this document. Clients MUST
check the TLS version and generate a fatal "illegal_parameter" alert
if they detect an incorrect version.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>IANA has assigned the following values for the ciphersuites defined in this draft:</t><t><list style="hanging" >
<t>CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_256_GCM_SHA384 = {TBD,TBD}
</t></list></t>
</section>
<section anchor="Security" title="Security Considerations">
<t> The security considerations in <xref target="I-D.ietf-tls-rfc4346-bis"></xref> apply to this
document as well. The remainder of this section describes security
considerations specific to the cipher suites described in this
document.</t>
<section title="Counter Reuse">
<t>AES-GCM security requires that the counter is never reused. The IV construction in <xref target="rsasuite"></xref> is designed to prevent counter reuse. </t>
</section>
<section title="Recommendations for Multiple Encryption Processors">
<t>If multiple cryptographic processors are in use by the sender, then
the sender MUST ensure that, for a particular key, each value of the explicit_nonce_part used with that key is distinct. In this case each
encryption processor SHOULD include in the explicit_nonce_part
a fixed value that is distinct for each processor. The recommended
format is</t>
<figure >
<artwork >
explicit_nonce_part = FixedDistinct || Variable
</artwork>
</figure>
<t> where the FixedDistinct field is distinct for each encryption
processor, but is fixed for a given processor, and the Variable
field is distinct for each distinct nonce used by a particular
encryption processor. When this method is used, the FixedDistinct
fields used by the different processors MUST have the same length.</t>
<t> In the terms of Figure 2 in <xref target="RFC5116"></xref>, the Salt is the Fixed-Common
part of the nonce (it is fixed, and it is common across all
encryption processors), the FixedDistinct field exactly corresponds
to the Fixed-Distinct field, and the Variable field corresponds to the Counter field, and the explicit part exactly corresponds to the explicit_nonce_part.</t>
<t> For clarity, we provide an example for TLS in which there are two distinct
encryption processors, each of which uses a one-byte FixedDistinct
field:</t>
<figure >
<artwork >
Salt = eedc68dc
FixedDistinct = 01 (for the first encryption processor)
FixedDistinct = 02 (for the second encryption processor)
</artwork>
</figure>
<t> The GCMnonces generated by the first encryption processor, and their
corresponding explicit_nonce_parts, are:</t>
<figure >
<artwork >
GCMNonce explicit_nonce_part
------------------------ ----------------------------
eedc68dc0100000000000000 0100000000000000
eedc68dc0100000000000001 0100000000000001
eedc68dc0100000000000002 0100000000000002
...
</artwork>
</figure>
<t> The GCMnonces generated by the second encryption processor, and their
corresponding explicit_nonce_parts, are</t>
<figure >
<artwork >
GCMNonce explicit_nonce_part
------------------------ ----------------------------
eedc68dc0200000000000000 0200000000000000
eedc68dc0200000000000001 0200000000000001
eedc68dc0200000000000002 0200000000000002
...
</artwork>
</figure>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>This draft borrows heavily from <xref target="I-D.ietf-tls-ecc-new-mac"></xref>. The authors would like to thank Alex Lam and Pasi Eronen for providing useful comments during the review of this draft.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4347;
&ietf-tls-rfc4346-bis;
&mcgrew-auth-enc;
&rfc5116;
<reference anchor="GCM">
<front>
<title>Recommendation for Block Cipher Modes of Operation:
Galois Counter Mode (GCM) for Confidentiality and
Authentication</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="April" year="2006"></date>
</front>
<seriesInfo name="SP" value="800-38D"></seriesInfo>
</reference>
<reference anchor="AES">
<front>
<title>Specification for the Advanced Encryption Standard (AES)</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001"></date>
</front>
<seriesInfo name="FIPS" value="197"></seriesInfo>
</reference>
</references>
<references title="Informative References">
&rfc4106;
&ietf-tls-ecc-new-mac;
<reference anchor="IEEE8021AE">
<front>
<title>Media Access Control Security</title>
<author>
<organization>Institute of Electrical and Electronics Engineers</organization>
</author>
<date month="August" year="2006"></date>
</front>
<seriesInfo name="IEEE Standard" value="802.1AE"></seriesInfo>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 07:48:50 |