One document matched: draft-josefsson-salsa20-tls-02.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2246 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2246.xml'>
<!ENTITY RFC4346 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml'>
<!ENTITY RFC5246 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml'>
<!ENTITY RFC4347 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4347.xml'>
<!ENTITY RFC6347 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml'>
<!ENTITY RFC4418 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4418.xml'>
<!ENTITY RFC4492 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml'>
<!ENTITY RFC5489 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5489.xml'>
<!ENTITY RFC6101 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6101.xml'>
<!ENTITY RFC6234 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml'>
]>
<?rfc compact="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<rfc category="info" ipr="trust200902"
docName="draft-josefsson-salsa20-tls-02">
<front>
<title abbrev="salsa20tls">
The Salsa20 Stream Cipher for Transport Layer Security
</title>
<author initials="S." surname="Josefsson"
fullname="Simon Josefsson">
<organization>SJD AB</organization>
<address>
<email>simon@josefsson.org</email>
<uri>http://josefsson.org/</uri>
</address>
</author>
<author initials="J." surname="Strombergson"
fullname="Joachim Strombergson">
<organization>Secworks Sweden AB</organization>
<address>
<email>joachim@secworks.se</email>
<uri>http://secworks.se/</uri>
</address>
</author>
<author initials="N." surname="Mavrogiannopoulos"
fullname="Nikos Mavrogiannopoulos">
<organization>KU Leuven</organization>
<address>
<email>nikos.mavrogiannopoulos@esat.kuleuven.be</email>
</address>
</author>
<date month="April" year="2013"/>
<abstract>
<t>This document describe how the Salsa20 stream cipher can be
used in the Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) protocols.</t>
</abstract>
</front>
<middle>
<section anchor="intro"
title="Introduction">
<t>This document describe how the Salsa20 stream cipher can be
used in the Transport Layer Security (TLS) version 1.0 <xref
target="RFC2246"/>, TLS version 1.1 <xref target="RFC4346"/>,
and TLS version 1.2 <xref target="RFC5246"/> protocols, as well
as in the Datagram Transport Layer Security (DTLS) versions 1.0
<xref target="RFC4347"/> and 1.2 <xref target="RFC6347"/>. It
can also be used with Secure Sockets Layer (SSL) version 3.0
<xref target="RFC6101"/>.</t>
<t><xref target="SALSA20SPEC">Salsa20</xref> is a stream cipher
that has been designed for high performance in software
implementations. The cipher has compact implementation and uses
few resources and inexpensive operations that makes it suitable
for implementation on a wide range of architectures. It
has been designed to prevent leakage of information through side
channel analysis, has a simple initialization sequence and provides good
key agility and performance.
Salsa20 is one of the ciphers selected as part of the eSTREAM
portfolio of stream ciphers <xref target="ESTREAM"/>.</t>
<t>Recent attacks <xref target="CBC-ATTACK"/> have indicated
problems with CBC-mode cipher suites in TLS and DTLS as well as
issues with the only supported stream cipher (RC4) <xref
target="RC4-ATTACK"/>. While the existing AEAD ciphersuites address these
issues, concerns about their performance, on general purpose
CPUs, are sometimes raised <xref target="AEAD-PERFORMANCE"/>.</t>
<t>Moreover, the RC4 cipher cannot be used in DTLS because it
does not provide random access in the key stream. That allowed no
choice of a fast stream cipher in the context of DTLS.</t>
<t>The purpose of this document is to provide an alternative
stream cipher for both TLS and DTLS that is comparable to RC4 in
speed on a wide range of platforms.</t>
</section>
<section anchor="salsa20suites"
title="Salsa20 Cipher Suites">
<t>The following variants of Salsa20 are specified. The variants
provide a range of performance and security that can be selected
as appropriate.
<list style='hanging'>
<t hangText="ESTREAM_SALSA20:">
Salsa20 with 12 rounds and a 256 bit key. This
cipher is the high performant eSTREAM Salsa20 with 256 bit key.
</t>
<t hangText="SALSA20:">
Salsa20 with 20 rounds and a 256 bit key. This
is the original (conservative with respect to security) variant of Salsa20.</t>
</list>
</t>
<t>In the next sections different ciphersuites are defined that utilize the Salsa20
cipher combined with various MAC methods</t>
<t>In all cases, the pseudorandom function (PRF) for TLS 1.2 is the TLS PRF
with SHA-256 as the hash function. When used with TLS versions
prior to 1.2, the PRF is calculated as specified in the
appropriate version of the TLS specification.</t>
<section anchor="salsa20suites-sha1"
title="Salsa20 Cipher Suites with HMAC-SHA1">
<t>The following CipherSuites are defined:</t>
<figure>
<artwork><![CDATA[
TLS_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
]]></artwork>
</figure>
<t>Note that Salsa20 requires a 64-bit nonce. That nonce is
updated on the encryption of every TLS record, and is set to be
the 64-bit TLS record sequence number. In case of DTLS the
64-bit nonce is formed as the concatenation of the 16-bit epoch
with the 48-bit sequence number.</t>
<t>The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK,
RSA_PSK, ECDHE_PSK key exchanges are performed as defined in
<xref target="RFC5246"/>, <xref target="RFC4492"/>, and <xref
target="RFC5489"/>.</t>
<t>The MAC algorithm used in the ciphersuites above is HMAC-SHA1 <xref
target="RFC6234"/>.</t>
</section>
<section anchor="salsa20suites-umac"
title="Salsa20 Cipher Suites with UMAC-96">
<t>The following CipherSuites utilize Salsa20 in combination with
UMAC-96 <xref target="RFC4418"/>, a very fast MAC algorithm based on
Universal Hashing.</t>
<figure>
<artwork><![CDATA[
TLS_RSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_RSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
]]></artwork>
</figure>
<t>Note that both Salsa20 and UMAC-96 are used with a 64-bit nonce.
That nonce is set to be the 64-bit TLS record sequence number.
In case of DTLS the 64-bit nonce is formed as the concatenation of
the 16-bit epoch with the 48-bit sequence number.</t>
<t>The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK,
RSA_PSK, ECDHE_PSK key exchanges are performed as defined in
<xref target="RFC5246"/>, <xref target="RFC4492"/>, and <xref
target="RFC5489"/>.</t>
</section>
</section>
<section anchor="streamcipher"
title="The TLS GenericStreamCipher">
<t>The ciphersuites defined in this document differ from the TLS RC4 ciphersuites
that have been the basis for the definition of GenericStreamCipher.
Unlike RC4, Salsa20 requires a nonce per record. This however, does not affect
the description of the GenericStreamCipher if one assumes that a nonce is
optional and depends on the cipher's characteristics (in that case RC4 uses a
0 byte nonce, and Salsa20 an 8-byte nonce).
</t>
<t>
Moreover, in order to accommodate MAC algorithms like UMAC that require
a nonce as part of their operation, the document extends the MAC algorithm as
specified in the TLS protocol. The extended MAC includes a nonce as a second
parameter. MAC algorithms that do not require a nonce, such as HMAC, are assumed
to ignore the nonce input value. The MAC in a GenericStreamCipher is then calculated
as follows.
</t>
<t>
<figure>
<artwork><![CDATA[
MAC(MAC_write_key, nonce,
seq_num +
TLSCompressed.type +
TLSCompressed.version +
TLSCompressed.length +
TLSCompressed.fragment);
]]></artwork>
</figure>
</t>
<t>where "+" denotes concatenation.</t>
<t>
<list style='hanging'>
<t hangText="nonce">The nonce for this record. If the size of the nonce
accepted by the MAC is 64-bits then nonce equals the sequence number
(or the concatenation of the 16-bit epoch with the 48-bit sequence number in
DTLS). Otherwise the MAC algorithm must specify how the nonce is formed.
</t>
<t hangText="seq_num">The sequence number for this record.</t>
<t hangText="MAC">The MAC algorithm specified by
SecurityParameters.mac_algorithm.</t>
</list>
</t>
<t>As specified in TLS <xref target="RFC5246"/> the MAC is computed before encryption and the stream
cipher encrypts the entire block, including the MAC.</t>
</section>
<section anchor="ack"
title="Acknowledgements">
<t>The authors would like to thank D. J. Bernstein, David
McGrew, Wan-Teh Chang, and Adam Langley for discussion and
suggestions.</t>
</section>
<section anchor="iana"
title="IANA Considerations">
<t>IANA is requested to allocate the following numbers in the
TLS Cipher Suite Registry:</t>
<figure>
<artwork><![CDATA[
TLS_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD}
TLS_RSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_RSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_RSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_RSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_ECDSA_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_DHE_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_RSA_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_UMAC96 = {0xTBD, 0xTBD}
TLS_ECDHE_PSK_WITH_SALSA20_UMAC96 = {0xTBD, 0xTBD}
]]></artwork>
</figure>
</section>
<section anchor="security"
title="Security Considerations">
<t>The security of Salsa20 is discussed in the <xref
target="SALSA20-SECURITY">Salsa20 security</xref> paper.
At the time of writing this document, there are no known significant
security problems with the eSTREAM variant of Salsa20, nor with the
original 20 round variant. As of early 2013, the best
cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit
secret key in 2^251 operations, using 2^31 keystream pairs (see
<xref target="SALSA20-ATTACK"/>). For more background, see the
eSTREAM report <xref target="ESTREAM"/>.</t>
<t>There are no ciphersuites defined in this document that utilize
the variant of Salsa20 with 128-bit key material, because (due to the
design of Salsa20) they provide no performance advantage over the
256-bit variant.</t>
<t>The ciphersuites that utilize UMAC-96 use a short MAC (96-bits),
to be consistent with the MAC size used in the TLS Finished messages,
which is also 96-bits, and thus allow room for more data in TLS
records. The security considerations of <xref target="RFC4418"/>
also apply.</t>
<t>This document should not introduce any other security
considerations than those that directly follow from any use of
the stream cipher Salsa20 and those that directly follow from
introducing any set of stream cipher suites into TLS and
DTLS.</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2246;
&RFC4346;
&RFC5246;
&RFC4347;
&RFC4418;
&RFC4492;
&RFC5489;
&RFC6347;
&RFC6234;
<reference anchor="SALSA20SPEC">
<front>
<title>Salsa20 specification</title>
<author initials="D.J." surname="Bernstein"
fullname="D.J. Bernstein"/>
<date month="April" year="2005" />
</front>
<seriesInfo name="WWW" value="http://cr.yp.to/snuffle/spec.pdf" />
</reference>
</references>
<references title="Informative References">
&RFC6101;
<reference anchor="SALSA20-SECURITY">
<front>
<title>Salsa20 security</title>
<author initials="D.J." surname="Bernstein"
fullname="D.J. Bernstein"/>
<date month="April" year="2005" />
</front>
<seriesInfo name="WWW" value="http://cr.yp.to/snuffle/security.pdf" />
</reference>
<reference anchor="ESTREAM">
<front>
<title>The eSTREAM Portfolio (rev. 1)</title>
<author initials="S." surname="Babbage"
fullname="Steve Babbage"/>
<author initials="C." surname="DeCanniere"
fullname="Christophe De Canniere"/>
<author initials="A." surname="Cantenaut"
fullname="Anne Cantenaut"/>
<author initials="C." surname="Cid"
fullname="Carlos Cid"/>
<author initials="H." surname="Gilbert"
fullname="Henri Gilbert"/>
<author initials="T." surname="Johansson"
fullname="Thomas Johansson"/>
<author initials="M." surname="Parker"
fullname="Matthew Parker"/>
<author initials="B." surname="Preneel"
fullname="Bart Preneel"/>
<author initials="V." surname="Rijmen"
fullname="Vincent Rijmen"/>
<author initials="M." surname="Robshaw"
fullname="Matthew Robshaw"/>
<date month="September" year="2008" />
</front>
<seriesInfo name="WWW" value="http://www.ecrypt.eu.org/stream/finallist.html" />
</reference>
<reference anchor="CBC-ATTACK">
<front>
<title>Lucky Thirteen: Breaking the
TLS and DTLS Record Protocols</title>
<author initials="N.J." surname="AlFardan"
fullname="Nadhem J. AlFardan"/>
<author initials="K." surname="Paterson"
fullname="K. Paterson"/>
<date year="2013" />
</front>
<seriesInfo name="IEEE Symposium on Security and Privacy" value=""/>
</reference>
<reference anchor="RC4-ATTACK">
<front>
<title>Full Plaintext Recovery Attack on Broadcast RC4</title>
<author initials="T." surname="ISOBE"
fullname="Takanori ISOBE"/>
<author initials="T." surname="OHIGASHI"
fullname="Toshihiro OHIGASHI"/>
<author initials="Y." surname="WATANABE"
fullname="Yuhei WATANABE"/>
<author initials="M." surname="MORII"
fullname="Masakatu MORII"/>
<date year="2013" />
</front>
<seriesInfo name="International Workshop on Fast Software Encryption" value=""/>
</reference>
<reference anchor="AEAD-PERFORMANCE">
<front>
<title>The Software Performance of Authenticated-Encryption Modes</title>
<author initials="T." surname="Krovetz"
fullname="Ted Krovetz"/>
<author initials="P." surname="Rogaway"
fullname="Phillip Rogaway"/>
<date year="2011" />
</front>
<seriesInfo name="International Workshop on Fast Software Encryption" value=""/>
</reference>
<reference anchor="SALSA20-ATTACK">
<front>
<title>New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba</title>
<author initials="J-P." surname="Aumasson"
fullname="Jean-Philippe Aumasson"/>
<author initials="S." surname="Fischer"
fullname="Simon Fischer"/>
<author initials="S." surname="Khazaei"
fullname="Shahram Khazaei"/>
<author initials="W." surname="Meier"
fullname="Willi Meier"/>
<author initials="C." surname="Rechberger"
fullname="Christian Rechberger"/>
<date year="2007" />
</front>
<seriesInfo name="WWW" value="http://eprint.iacr.org/2007/472.pdf"/>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-21 18:06:10 |