One document matched: draft-josefsson-salsa20-tls-04.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2246 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2246.xml'>
<!ENTITY RFC4346 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml'>
<!ENTITY RFC5246 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml'>
<!ENTITY RFC4347 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4347.xml'>
<!ENTITY RFC6347 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml'>
<!ENTITY RFC4492 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml'>
<!ENTITY RFC5489 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5489.xml'>
<!ENTITY RFC6101 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6101.xml'>
<!ENTITY RFC6234 SYSTEM 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml'>
]>
<?rfc compact="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<rfc category="info" ipr="trust200902"
docName="draft-josefsson-salsa20-tls-04">
<front>
<title abbrev="salsa20tls">
The Salsa20 Stream Cipher for Transport Layer Security
</title>
<author initials="S." surname="Josefsson"
fullname="Simon Josefsson">
<organization>SJD AB</organization>
<address>
<email>simon@josefsson.org</email>
<uri>http://josefsson.org/</uri>
</address>
</author>
<author initials="J." surname="Strombergson"
fullname="Joachim Strombergson">
<organization>Secworks Sweden AB</organization>
<address>
<email>joachim@secworks.se</email>
<uri>http://secworks.se/</uri>
</address>
</author>
<author initials="N." surname="Mavrogiannopoulos"
fullname="Nikos Mavrogiannopoulos">
<organization>Red Hat</organization>
<address>
<email>nmav@redhat.com</email>
</address>
</author>
<date month="November" year="2013"/>
<abstract>
<t>This document describe how the Salsa20 stream cipher can be
used in the Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) protocols.</t>
</abstract>
</front>
<middle>
<section anchor="intro"
title="Introduction">
<t>This document describe how the Salsa20 stream cipher can be
used in the Transport Layer Security (TLS) version 1.0 <xref
target="RFC2246"/>, TLS version 1.1 <xref target="RFC4346"/>,
and TLS version 1.2 <xref target="RFC5246"/> protocols, as well
as in the Datagram Transport Layer Security (DTLS) versions 1.0
<xref target="RFC4347"/> and 1.2 <xref target="RFC6347"/>. It
can also be used with Secure Sockets Layer (SSL) version 3.0
<xref target="RFC6101"/>.</t>
<t><xref target="SALSA20SPEC">Salsa20</xref> is a stream cipher
that has been designed for high performance in software
implementations. The cipher has compact implementation and uses
few resources and inexpensive operations that makes it suitable
for implementation on a wide range of architectures. It
has been designed to prevent leakage of information through side
channel analysis, has a simple and fast key setup and provides
good overall performance.
Salsa20 is one of the ciphers selected as part of the eSTREAM
portfolio of stream ciphers <xref target="ESTREAM"/>.</t>
<t>Recent attacks <xref target="CBC-ATTACK"/> have indicated
problems with CBC-mode cipher suites in TLS and DTLS as well as
issues with the only supported stream cipher (RC4) <xref
target="RC4-ATTACK"/>. While the existing AEAD ciphersuites address these
issues, concerns about their performance, on general purpose
CPUs, are sometimes raised <xref target="AEAD-PERFORMANCE"/>.
Moreover, the DTLS protocol cannot take advantage of the fast RC4 stream
cipher because it does not provide random access in the key stream.
</t>
<t>Therefore, a new stream cipher to replace RC4 and address all the
previous issues is needed. It is the purpose of this document to describe
a secure stream cipher for both TLS and DTLS that is comparable to RC4 in
speed on a wide range of platforms.</t>
</section>
<section anchor="salsa20suites"
title="Salsa20 Cipher Suites">
<t>The following variants of Salsa20 are specified. The variants
provide a range of performance and security that can be selected
as appropriate.
<list style='hanging'>
<t hangText="ESTREAM_SALSA20:">
Salsa20 with 12 rounds and a 256 bit key. This
cipher is the high performant eSTREAM Salsa20 with 256 bit key.
</t>
<t hangText="SALSA20:">
Salsa20 with 20 rounds and a 256 bit key. This
is the original (conservative with respect to security) variant of Salsa20.</t>
</list>
</t>
<t>In the next sections different ciphersuites are defined that utilize the Salsa20
cipher combined with various MAC methods</t>
<t>In all cases, the pseudorandom function (PRF) for TLS 1.2 is the TLS PRF
with SHA-256 as the hash function. When used with TLS versions
prior to 1.2, the PRF is calculated as specified in the
appropriate version of the TLS specification.</t>
<section anchor="salsa20suites-sha1"
title="Salsa20 Cipher Suites with HMAC-SHA1">
<t>The following CipherSuites are defined: (note that the third column
contains the suggested to IANA ciphersuite numbers)</t>
<figure>
<artwork><![CDATA[
TLS_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x10}
TLS_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x11}
TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x12}
TLS_ECDHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x13}
TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x14}
TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x15}
TLS_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x16}
TLS_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x17}
TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x18}
TLS_ECDHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x19}
TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1A}
TLS_RSA_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1B}
TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1C}
TLS_DHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1D}
TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1E}
TLS_DHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1F}
]]></artwork>
</figure>
<t>Note that Salsa20 requires a 64-bit nonce. That nonce is
updated on the encryption of every TLS record, and is set to be
the 64-bit TLS record sequence number. In case of DTLS the
64-bit nonce is formed as the concatenation of the 16-bit epoch
with the 48-bit sequence number.</t>
<t>The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK,
RSA_PSK, ECDHE_PSK key exchanges are performed as defined in
<xref target="RFC5246"/>, <xref target="RFC4492"/>, and <xref
target="RFC5489"/>.</t>
<t>The MAC algorithm used in the ciphersuites above is HMAC-SHA1 <xref
target="RFC6234"/>.</t>
</section>
</section>
<section anchor="streamcipher"
title="The TLS GenericStreamCipher">
<t>The ciphersuites defined in this document differ from the TLS RC4 ciphersuites
that have been the basis for the definition of GenericStreamCipher.
Unlike RC4, Salsa20 requires a nonce per record. This however, does not affect
the description of the GenericStreamCipher if one assumes that a nonce is
optional and depends on the cipher's characteristics (in that case RC4 uses a
0 byte nonce, and Salsa20 an 8-byte nonce).
</t>
<t>As specified in TLS <xref target="RFC5246"/> the MAC is computed before encryption and the stream
cipher encrypts the entire block, including the MAC.</t>
</section>
<section anchor="ack"
title="Acknowledgements">
<t>The authors would like to thank D. J. Bernstein, David
McGrew, Wan-Teh Chang, and Adam Langley for discussion and
suggestions.</t>
</section>
<section anchor="iana"
title="IANA Considerations">
<t>IANA is requested to allocate the following numbers in the
TLS Cipher Suite Registry (note that the third column
contains the suggested ciphersuite numbers):</t>
<figure>
<artwork><![CDATA[
TLS_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x10}
TLS_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x11}
TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x12}
TLS_ECDHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x13}
TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x14}
TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x15}
TLS_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x16}
TLS_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x17}
TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x18}
TLS_ECDHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x19}
TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1A}
TLS_RSA_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1B}
TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1C}
TLS_DHE_PSK_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1D}
TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1E}
TLS_DHE_RSA_WITH_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x1F}
]]></artwork>
</figure>
</section>
<section anchor="security"
title="Security Considerations">
<t>The security of Salsa20 is discussed in the <xref
target="SALSA20-SECURITY">Salsa20 security</xref> paper.
At the time of writing this document, there are no known significant
security problems with the eSTREAM variant of Salsa20, nor with the
original 20 round variant. As of early 2013, the best
cryptanalysis breaks 8 out of 20 rounds to recover the 256-bit
secret key in 2^251 operations, using 2^31 keystream pairs (see
<xref target="SALSA20-ATTACK"/>). For more background, see the
eSTREAM report <xref target="ESTREAM"/>.</t>
<t>There are no ciphersuites defined in this document that utilize
the variant of Salsa20 with 128-bit key material, because (due to the
design of Salsa20) they provide no performance advantage over the
256-bit variant.</t>
<t>This document should not introduce any other security
considerations than those that directly follow from any use of
the stream cipher Salsa20 and those that directly follow from
introducing any set of stream cipher suites into TLS and
DTLS.</t>
</section>
<section anchor="selection"
title="Algorithm Selection Background">
<t>This draft uses Salsa20, a winner of an international competion
of stream ciphers (eStream), which is easily implementable without
leaking information through side-channels, i.e. timing and power
attacks.</t>
<t>Suggestions has been made to instead use Chacha <xref
target="CHACHASPEC"/>, a derivative of Salsa20 that has been shown
to be 7% faster in hardware and occupy 10% less space <xref
target="VLSI-IMPL"/>. In our opinion the performance benefits
don't justify switching from a winner of an international
competition to another algorithm (even if it is a derivative of
it).</t>
<t>This draft adds a new cipher to existing TLS and DTLS implementations
which is combined with the existing MAC algorithms in TLS (i.e.,
HMAC-SHA1). That allows the new cipher to replace the, currently known
to be broken, RC4 ciphersuites, in all TLS versions.</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2246;
&RFC4346;
&RFC5246;
&RFC4347;
&RFC4492;
&RFC5489;
&RFC6347;
&RFC6234;
<reference anchor="SALSA20SPEC">
<front>
<title>Salsa20 specification</title>
<author initials="D.J." surname="Bernstein"
fullname="D.J. Bernstein"/>
<date month="April" year="2005" />
</front>
<seriesInfo name="WWW" value="http://cr.yp.to/snuffle/spec.pdf" />
</reference>
</references>
<references title="Informative References">
&RFC6101;
<reference anchor="SALSA20-SECURITY">
<front>
<title>Salsa20 security</title>
<author initials="D.J." surname="Bernstein"
fullname="D.J. Bernstein"/>
<date month="April" year="2005" />
</front>
<seriesInfo name="WWW" value="http://cr.yp.to/snuffle/security.pdf" />
</reference>
<reference anchor="ESTREAM">
<front>
<title>The eSTREAM Portfolio (rev. 1)</title>
<author initials="S." surname="Babbage"
fullname="Steve Babbage"/>
<author initials="C." surname="DeCanniere"
fullname="Christophe De Canniere"/>
<author initials="A." surname="Cantenaut"
fullname="Anne Cantenaut"/>
<author initials="C." surname="Cid"
fullname="Carlos Cid"/>
<author initials="H." surname="Gilbert"
fullname="Henri Gilbert"/>
<author initials="T." surname="Johansson"
fullname="Thomas Johansson"/>
<author initials="M." surname="Parker"
fullname="Matthew Parker"/>
<author initials="B." surname="Preneel"
fullname="Bart Preneel"/>
<author initials="V." surname="Rijmen"
fullname="Vincent Rijmen"/>
<author initials="M." surname="Robshaw"
fullname="Matthew Robshaw"/>
<date month="September" year="2008" />
</front>
<seriesInfo name="WWW" value="http://www.ecrypt.eu.org/stream/finallist.html" />
</reference>
<reference anchor="CBC-ATTACK">
<front>
<title>Lucky Thirteen: Breaking the
TLS and DTLS Record Protocols</title>
<author initials="N.J." surname="AlFardan"
fullname="Nadhem J. AlFardan"/>
<author initials="K." surname="Paterson"
fullname="K. Paterson"/>
<date year="2013" />
</front>
<seriesInfo name="IEEE Symposium on Security and Privacy" value=""/>
</reference>
<reference anchor="RC4-ATTACK">
<front>
<title>Full Plaintext Recovery Attack on Broadcast RC4</title>
<author initials="T." surname="Isobe"
fullname="Takanori Isobe"/>
<author initials="T." surname="Ohigashi"
fullname="Toshihiro Ohigashi"/>
<author initials="Y." surname="Watanabe"
fullname="Yuhei Watanabe"/>
<author initials="M." surname="Morii"
fullname="Masakatu Morii"/>
<date year="2013" />
</front>
<seriesInfo name="International Workshop on Fast Software Encryption" value=""/>
</reference>
<reference anchor="AEAD-PERFORMANCE">
<front>
<title>The Software Performance of Authenticated-Encryption Modes</title>
<author initials="T." surname="Krovetz"
fullname="Ted Krovetz"/>
<author initials="P." surname="Rogaway"
fullname="Phillip Rogaway"/>
<date year="2011" />
</front>
<seriesInfo name="International Workshop on Fast Software Encryption" value=""/>
</reference>
<reference anchor="SALSA20-ATTACK">
<front>
<title>New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba</title>
<author initials="J-P." surname="Aumasson"
fullname="Jean-Philippe Aumasson"/>
<author initials="S." surname="Fischer"
fullname="Simon Fischer"/>
<author initials="S." surname="Khazaei"
fullname="Shahram Khazaei"/>
<author initials="W." surname="Meier"
fullname="Willi Meier"/>
<author initials="C." surname="Rechberger"
fullname="Christian Rechberger"/>
<date year="2007" />
</front>
<seriesInfo name="WWW" value="http://eprint.iacr.org/2007/472.pdf"/>
</reference>
<reference anchor="CHACHASPEC">
<front>
<title>ChaCha, a variant of Salsa20</title>
<author initials="D.J." surname="Bernstein"
fullname="D.J. Bernstein"/>
<date month="January" year="2008" />
</front>
<seriesInfo name="WWW" value="http://cr.yp.to/chacha/chacha-20080128.pdf"/>
</reference>
<reference anchor="VLSI-IMPL">
<front>
<title>VLSI hardware evaluation of the stream
ciphers Salsa20 and ChaCha, and the compression function Rumba.</title>
<author initials="L." surname="Henzen"
fullname="Henzen"/>
<author initials="F." surname="Carbognani"
fullname="Carbognani"/>
<author initials="W." surname="Fichtner"
fullname="Fichtner"/>
<date year="2008" />
</front>
</reference>
<!-- <reference anchor="KEY-RECOVERY-MAC">
<front>
<title>Key-recovery attacks on universal hash function based
MAC algorithms.</title>
<author initials="H." surname="Handschuh"
fullname="Helena Handschuh"/>
<author initials="B." surname="Preneel"
fullname="Bart Preneel"/>
<date year="2008" />
</front>
</reference>-->
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-21 18:02:57 |