One document matched: draft-ietf-tls-rsa-aes-gcm-03.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2246.xml">
<!ENTITY rfc4346 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY rfc4347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4347.xml">
<!ENTITY rfc4106 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4106.xml">
<!ENTITY ietf-tls-rfc4346-bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-rfc4346-bis.xml">
<!ENTITY ietf-tls-ecc-new-mac SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-ecc-new-mac.xml">
<!ENTITY rescorla-tls-suiteb SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.rescorla-tls-suiteb.xml">
<!ENTITY rfc5116 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
]>
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<rfc ipr="full3978" category="std" docName="draft-ietf-tls-rsa-aes-gcm-03">
<front>
<title abbrev="AES-GCM Cipher suites">AES-GCM Cipher Suites for TLS</title>
<author fullname="Joseph Salowey" initials="J" surname="Salowey">
<organization> Cisco Systems, Inc. </organization>
<address>
<postal>
<street>2901 3rd. Ave</street>
<city>Seattle</city>
<code>98121</code>
<region>WA</region>
<country>USA</country>
</postal>
<email> jsalowey@cisco.com </email>
</address>
</author>
<author fullname="Abhijit Choudhury" initials="A" surname="Choudhury">
<organization> Cisco Systems, Inc. </organization>
<address>
<postal>
<street>3625 Cisco Way</street>
<city>San Jose </city>
<code>95134</code>
<region>CA</region>
<country>USA</country>
</postal>
<email> abhijitc@cisco.com </email>
</address>
</author>
<author fullname="David McGrew" initials="D" surname="McGrew">
<organization>Cisco Systems, Inc.</organization>
<address><postal>
<street>170 W Tasman Drive</street>
<city>San Jose </city>
<code>95134</code>
<region>CA</region>
<country>USA</country>
</postal><email> mcgrew@cisco.com </email></address>
</author>
<date month="April" year="2008"/>
<area> Security Area </area>
<workgroup> TLS Working Group </workgroup>
<abstract>
<t> This memo describes the use of the Advanced Encryption Standard
(AES)
in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS)
authenticated encryption operation. GCM provides both confidentiality
and data origin authentication, can be efficiently implemented in
hardware for speeds of 10 gigabits per second and above, and is also
well-suited to software implementations. This memo defines TLS
cipher suites that use AES-GCM with RSA, DSS and Diffie-Hellman based key exchange mechanisms.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This document describes the use of AES <xref target="AES" ></xref> in Galois Counter Mode (GCM) <xref target="GCM"></xref> (AES-GCM) with various key exchange mechanisms as a cipher suite for TLS. AES-GCM is an authenticated encryption with associated data (AEAD) cipher (as defined in TLS 1.2 <xref target="I-D.ietf-tls-rfc4346-bis"></xref>) providing both confidentiality and data origin authentication. The following sections define cipher suites based on RSA, DSS and Diffie-Hellman key exchanges; ECC based cipher suites are defined in a separate document <xref target="I-D.ietf-tls-ecc-new-mac"></xref>. </t>
<t>AES-GCM is not only efficient and secure, but hardware implementations can achieve high speeds with low cost and low latency, because the mode can be pipelined. Applications that require high data throughput can benefit from these high-speed implementations. AES-GCM has been specified as a mode that can be used with IPsec ESP <xref target="RFC4106"></xref> and 802.1AE MAC Security <xref target="IEEE8021AE"></xref>. </t>
</section>
<section title="Conventions Used In This Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"></xref>.</t>
</section>
<section title="AES-GCM Cipher Suites" anchor="rsasuite">
<t> The following cipher suites use the new authenticated encryption
modes defined in TLS 1.2 with AES in Galois Counter Mode (GCM) <xref target="GCM"/>:</t>
<t><list style="hanging" >
<t>CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_256_GCM_SHA384 = {TBD,TBD}
</t></list></t>
<t>These cipher suites use the AES-GCM authenticated encryption with associated data (AEAD) algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM described in <xref target="RFC5116"></xref>. Note that each of these AEAD algorithms uses a 128-bit authentication tag with GCM.
The "nonce" SHALL be 12 bytes long consisting of two parts as follows: (this is an example of a "partially explicit" nonce; see section 3.2.1 in <xref target="RFC5116"></xref>).
</t>
<figure >
<artwork >
struct{
opaque salt[4];
opaque nonce_explicit[8];
} GCMNonce;</artwork>
</figure>
<t> The salt is the "implicit" part of the nonce and is not sent in the packet. Instead the salt is generated as part of the handshake process: it is either the client_write_IV (when the client is sending) or the server_write_IV (when the server is sending). The salt length (SecurityParameters.fixed_iv_length) is 4 octets.
</t>
<t> The nonce_explicit is the "explicit" part of the nonce. It is chosen by the sender and is carried in each TLS record in the GenericAEADCipher.nonce_explicit field. The nonce_explicit length (SecurityParameters.record_iv_length) is 8 octets. </t>
<t>Each value of the nonce_explicit MUST be distinct for each distinct invocation of GCM encrypt function for any fixed key. Failure to meet this uniqueness
requirement can significantly degrade security. The nonce_explicit MAY be the 64-bit sequence number.</t>
<t>The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, and DH_anon key exchanges are performed as defined in <xref target="I-D.ietf-tls-rfc4346-bis"></xref>.</t>
<t>The PRF algorithms SHALL be as follows:</t>
<list>
<t><vspace>1</vspace>For cipher suites ending with _SHA256, the PRF is the TLS PRF <xref target="I-D.ietf-tls-rfc4346-bis"></xref> with SHA-256 as the hash function.</t>
<t><vspace>1</vspace>For cipher suites ending with _SHA384, the PRF is the TLS PRF <xref target="I-D.ietf-tls-rfc4346-bis"></xref> with SHA-384 as the hash function.</t></list>
<t>Implementations MUST send TLS Alert bad_record_mac for all types of failures encountered in processing the AES-GCM algorithm. </t>
</section>
<section title="TLS Versions">
<t>These cipher suites make use of the authenticated encryption with additional data defined in TLS 1.2 <xref target="I-D.ietf-tls-rfc4346-bis"></xref>. They MUST NOT be negotiated in older versions of TLS.
Clients MUST NOT offer these cipher suites if they do not offer TLS
1.2 or later. Servers which select an earlier version of TLS MUST
NOT select one of these cipher suites. Because TLS has no way for
the client to indicate that it supports TLS 1.2 but not earlier, a
non-compliant server might potentially negotiate TLS 1.1 or earlier
and select one of the cipher suites in this document. Clients MUST
check the TLS version and generate a fatal "illegal_parameter" alert
if they detect an incorrect version.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>IANA has assigned the following values for the cipher suites defined in this draft:</t><t><list style="hanging" >
<t>CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_128_GCM_SHA256 = {TBD,TBD}<vspace></vspace>
CipherSuite TLS_DH_anon_WITH_AES_256_GCM_SHA384 = {TBD,TBD}
</t></list></t>
</section>
<section anchor="Security" title="Security Considerations">
<t> The security considerations in <xref target="I-D.ietf-tls-rfc4346-bis"></xref> apply to this
document as well. The remainder of this section describes security
considerations specific to the cipher suites described in this
document.</t>
<section title="Counter Reuse">
<t>AES-GCM security requires that the counter is never reused. The IV construction in <xref target="rsasuite"></xref> is designed to prevent counter reuse. </t>
</section>
<section title="Recommendations for Multiple Encryption Processors">
<t>If multiple cryptographic processors are in use by the sender, then
the sender MUST ensure that, for a particular key, each value of the nonce_explicit used with that key is distinct. In this case each
encryption processor SHOULD include in the nonce_explicit
a fixed value that is distinct for each processor. The recommended
format is</t>
<figure >
<artwork >
nonce_explicit = FixedDistinct || Variable
</artwork>
</figure>
<t> where the FixedDistinct field is distinct for each encryption
processor, but is fixed for a given processor, and the Variable
field is distinct for each distinct nonce used by a particular
encryption processor. When this method is used, the FixedDistinct
fields used by the different processors MUST have the same length.</t>
<t> In the terms of Figure 2 in <xref target="RFC5116"></xref>, the Salt is the Fixed-Common
part of the nonce (it is fixed, and it is common across all
encryption processors), the FixedDistinct field exactly corresponds
to the Fixed-Distinct field, and the Variable field corresponds to the Counter field, and the explicit part exactly corresponds to the nonce_explicit.</t>
<t> For clarity, we provide an example for TLS in which there are two distinct
encryption processors, each of which uses a one-byte FixedDistinct
field:</t>
<figure >
<artwork >
Salt = eedc68dc
FixedDistinct = 01 (for the first encryption processor)
FixedDistinct = 02 (for the second encryption processor)
</artwork>
</figure>
<t> The GCMnonces generated by the first encryption processor, and their
corresponding nonce_explicit, are:</t>
<figure >
<artwork >
GCMNonce nonce_explicit
------------------------ ----------------------------
eedc68dc0100000000000000 0100000000000000
eedc68dc0100000000000001 0100000000000001
eedc68dc0100000000000002 0100000000000002
...
</artwork>
</figure>
<t> The GCMnonces generated by the second encryption processor, and their
corresponding nonce_explicit, are</t>
<figure >
<artwork >
GCMNonce nonce_explicit
------------------------ ----------------------------
eedc68dc0200000000000000 0200000000000000
eedc68dc0200000000000001 0200000000000001
eedc68dc0200000000000002 0200000000000002
...
</artwork>
</figure>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>This draft borrows heavily from <xref target="I-D.ietf-tls-ecc-new-mac"></xref>. The authors would like to thank Alex Lam, Simon Josefsson and Pasi Eronen for providing useful comments during the review of this draft.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&ietf-tls-rfc4346-bis;
&mcgrew-auth-enc;
&rfc5116;
<reference anchor="GCM">
<front>
<title>Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC</title>
<author fullname="Morris Dworkin" initials="M" surname="Dworkin" >
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2007"></date>
</front>
<seriesInfo name="National Institute of Standards and Technology SP" value="800-38D"></seriesInfo>
</reference>
<reference anchor="AES">
<front>
<title>Advanced Encryption Standard (AES)</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001"></date>
</front>
<seriesInfo name="FIPS" value="197"></seriesInfo>
</reference>
</references>
<references title="Informative References">
&rfc4106;
&ietf-tls-ecc-new-mac;
<reference anchor="IEEE8021AE">
<front>
<title>Media Access Control Security</title>
<author>
<organization>Institute of Electrical and Electronics Engineers</organization>
</author>
<date month="August" year="2006"></date>
</front>
<seriesInfo name="IEEE Standard" value="802.1AE"></seriesInfo>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:06:22 |