One document matched: draft-mcgrew-tls-aes-ccm-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2246.xml">
<!ENTITY rfc4346 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml">
<!ENTITY rfc4347 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4347.xml">
<!ENTITY rfc4309 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4309.xml">
<!ENTITY rfc4366 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4366.xml">
<!ENTITY rfc5288 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5288.xml">
<!ENTITY ietf-tls-rfc4346-bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-rfc4346-bis.xml">
<!ENTITY ietf-tls-ctr SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-tls-ctr.xml">
<!ENTITY mcgrew-auth-enc SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.mcgrew-auth-enc.xml">
<!ENTITY rescorla-tls-suiteb SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.rescorla-tls-suiteb.xml">
<!ENTITY rfc4309 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4309.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc5116 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
<!ENTITY rfc5430 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5430.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc5487 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5487.xml">
]>
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<rfc ipr="trust200902" category="std" docName="draft-mcgrew-tls-aes-ccm-01">
<front>
<title abbrev="AES-CCM Ciphersuites">AES-CCM Cipher Suites for TLS</title>
<author fullname="David McGrew" initials="D" surname="McGrew">
<organization>Cisco Systems, Inc.</organization>
<address><postal>
<street>170 W Tasman Drive</street>
<city>San Jose </city>
<code>95134</code>
<region>CA</region>
<country>USA</country>
</postal><email> mcgrew@cisco.com </email></address>
</author>
<author fullname="Daniel V. Bailey" initials="D"surname="Bailey">
<organization>RSA, the Security Division of EMC</organization>
<address><postal>
<street>174 Middlesex
Tpke.</street>
<city>Bedford</city>
<code>01463</code>
<region>MA</region>
<country>USA</country>
</postal><email> dbailey@rsa.com
</email></address>
</author>
<date month="March" year="2011"/>
<area> Security Area </area>
<workgroup> TLS Working Group </workgroup>
<abstract>
<t>This memo describes the use of the Advanced
Encryption Standard (AES) in the Counter and
CBC-MAC Mode (CCM) of operation within Transport
Layer Security (TLS) to provide confidentiality
and data origin authentication. The AES-CCM
algorithm is amenable to compact implementations,
making it suitable for constrained
environments.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This document describes the use of Advanced Encryption Standard
(AES) <xref target="AES"></xref> in Counter with CBC-MAC Mode
(CCM) <xref target="CCM"></xref> in several TLS ciphersuites.
AES-CCM provides both authentication and confidentiality and uses
as its only primitive the AES encrypt operation (the AES decrypt
operation is not needed). This makes it amenable to compact
implementations, which is advantageous in constrained
environments. The use of AES-CCM has been specified for
IPsec ESP <xref target="RFC4309"></xref> and 802.15.4 wireless
networks <xref target="IEEE802154"></xref>.
</t>
<t>
Authenticated encryption, in addition to providing confidentiality
for the plaintext that is encrypted, provides a way to check its
integrity and authenticity. Authenticated Encryption with
Associated Data, or AEAD <xref target="RFC5116"/>, adds the ability
to check the integrity and authenticity of some associated data that
is not encrypted. This note utilizes the AEAD facility within TLS
1.2 <xref target="RFC5246"></xref> and the AES-CCM-based AEAD
algorithms defined in <xref target="RFC5116"/>. Additional AEAD
algorithms are defined, which use AES-CCM but which have shorter
authentication tags, and therefore are more suitable for use across
networks in which bandwidth is constrained and message sizes may be
small.
</t>
<t>
The ciphersuites defined in this document use RSA or Pre-Shared Key
(PSK) as their key establishment mechanism; these ciphersuites can be
used with DTLS <xref target="RFC4347"></xref>.
</t>
</section>
<section title="Conventions Used In This Document">
<t>he key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119"></xref></t>
</section>
<section title="RSA Based AES-CCM Cipher Suites" anchor="rsasuite">
<t>The ciphersuites defined in this document
are based on the the AES-CCM authenticated
encryption with associated data (AEAD)
algorithms AEAD_AES_128_CCM and
AEAD_AES_256_CCM described
in <xref target="RFC5116"></xref>.
The following RSA-based ciphersuites are defined:</t>
<t><list style="hanging" >
<t>
CipherSuite TLS_RSA_WITH_AES_128_CCM = {TBD1,TBD1}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_256_CCM = {TBD2,TBD2)<vspace></vspace>
CipherSuite TLS_RSA_DHE_WITH_AES_128_CCM = {TBD3,TBD3}<vspace></vspace>
CipherSuite TLS_RSA_DHE_WITH_AES_256_CCM = {TBD4,TBD4}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_128_CCM_8 = {TBD5,TBD5}<vspace></vspace>
CipherSuite TLS_RSA_WITH_AES_256_CCM_8 = {TBD6,TBD6)<vspace></vspace>
CipherSuite TLS_RSA_DHE_WITH_AES_128_CCM_8 = {TBD7,TBD7}<vspace></vspace>
CipherSuite TLS_RSA_DHE_WITH_AES_256_CCM_8 = {TBD8,TBD8}
</t>
</list></t>
<t>These ciphersuites make use of the AEAD capability in TLS
1.2 <xref target="RFC5246"></xref>.
Note that each of these
AEAD algorithms uses a 128-bit authentication tag with CCM.
</t>
<t>
The HMAC truncation option described in Section 3.5 of
<xref target="RFC4366"/> (which negotiates the "truncated_hmac" TLS
extension) does not have an effect on cipher suites that do not use
HMAC.
</t>
<t>
The "nonce" input to the AEAD algorithm is exactly that of
<xref target="RFC5288"/>: the "nonce" SHALL be 12 bytes long and
is constructed as follows:
</t>
<figure >
<artwork align="center">
struct {
case client:
uint32 client_write_IV; // low order 32-bits
case server:
uint32 server_write_IV; // low order 32-bits
uint64 seq_num;
} CCMNonce.</artwork>
</figure>
<t>In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
48-bit seq_num.</t>
<t>These ciphersuites make use of the default TLS 1.2 Pseudorandom
Function (PRF), which uses HMAC with the SHA-256 hash
function. The RSA and RSA-DHE key exchange is performed as defined
in <xref target="RFC5288"></xref>.
</t>
</section>
<section title="PSK Based AES-CCM Cipher Suites" anchor="psksuite">
<t>As in Section <xref target="rsasuite"></xref>,
these ciphersuites follow <xref target="RFC5116"></xref>.
The following ciphersuites are defined:</t>
<t><list style="hanging" >
<t>
CipherSuite TLS_PSK_WITH_AES_128_CCM = {TBD9,TBD9}<vspace></vspace>
CipherSuite TLS_PSK_WITH_AES_256_CCM = {TBD10,TBD10)<vspace></vspace>
CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM = {TBD11,TBD11}<vspace></vspace>
CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM = {TBD12,TBD12}<vspace></vspace>
CipherSuite TLS_PSK_WITH_AES_128_CCM_8 = {TBD13,TBD13}<vspace></vspace>
CipherSuite TLS_PSK_WITH_AES_256_CCM_8 = {TBD14,TBD14)<vspace></vspace>
CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM_8 = {TBD15,TBD15}<vspace></vspace>
CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM_8 = {TBD16,TBD16}
</t>
</list></t>
<t>
The "nonce" input to the AEAD
algorithm is defined as in Section <xref target="rsasuite"></xref>.
</t>
<t>These ciphersuites make use of the default TLS 1.2 Pseudorandom
Function (PRF), which uses HMAC with the SHA-256 hash
function. The PSK and PSK-DHE key exchange is performed as defined
in <xref target="RFC5487"></xref>.
</t>
</section>
<section title="TLS Versions">
<t>These ciphersuites make use of the
authenticated encryption with additional data defined in TLS
1.2 <xref target="RFC5288"></xref>. They MUST NOT
be negotiated in older versions of TLS. Clients MUST NOT offer
these cipher suites if they do not offer TLS 1.2 or later. Servers
which select an earlier version of TLS MUST NOT select one of these
cipher suites. Because TLS has no way for the client to indicate
that it supports TLS 1.2 but not earlier, a non-compliant server
might potentially negotiate TLS 1.1 or earlier and select one of
the cipher suites in this document. Clients MUST check the TLS
version and generate a fatal "illegal_parameter" alert if they
detect an incorrect version.</t>
</section>
<section anchor="newaead" title="New AEAD algorithms">
<t>
The following AEAD algorithms are defined:
<list style="hanging" >
<t>
AEAD_AES_128_CCM_8 = TBD17 <vspace></vspace>
AEAD_AES_256_CCM_8 = TBD18<vspace></vspace>
AEAD_AES_128_CCM_12 = TBD19 <vspace></vspace>
AEAD_AES_256_CCM_12 = TBD20
</t>
</list>
</t>
<section title="AES-128-CCM with an 8-octet Integrity Check Value (ICV)">
<t>
The AEAD_AES_128_CCM_8 authenticated encryption algorithm is
identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of
<xref target="RFC5116"/>), except that it uses eight octets for
authentication, instead of the full sixteen octets used by
AEAD_AES_128_CCM. The AEAD_AES_128_CCM_8 ciphertext consists of
the ciphertext output of the CCM encryption operation concatenated
with the 8-octet authentication tag output of the CCM encryption
operation. Test cases are provided in [CCM]. The input and output
lengths are as for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8
ciphertext is exactly 8 octets longer than its corresponding
plaintext.
</t>
</section>
<section title="AES-256-CCM with a 8-octet Integrity Check Value (ICV)">
<t>
The AEAD_AES_256_CCM_8 authenticated encryption algorithm is
identical to the AEAD_AES_256_CCM algorithm (see Section 5.4 of
<xref target="RFC5116"/>), except that it uses eight octets for
authentication, instead of the full sixteen octets used by
AEAD_AES_256_CCM. The AEAD_AES_256_CCM_8 ciphertext consists of
the ciphertext output of the CCM encryption operation concatenated
with the 8-octet authentication tag output of the CCM encryption
operation. Test cases are provided in [CCM]. The input and output
lengths are as as for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8
ciphertext is exactly 8 octets longer than its corresponding
plaintext.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
IANA has assigned the values for the ciphersuites defined in
<xref target="rsasuite"/> and <xref target="psksuite"/> and
the values of the AEAD algorithms defined in <xref target="newaead"/>.
</t>
</section>
<section anchor="Security" title="Security Considerations">
<section title="Perfect Forward Secrecy">
<t>The perfect forward secrecy
properties of RSA based TLS
ciphersuites are discussed in the
security analysis
of <xref target="RFC4346"></xref>. It
should be noted that only the
ephemeral Diffie-Hellman based
ciphersuites are capable of providing
perfect forward secrecy. </t>
</section>
<section title="Counter Reuse">
<t>AES-CCM security requires that the
counter is never reused. The IV
construction
in <xref target="rsasuite"></xref> is
designed to prevent counter
reuse. </t>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>This draft borrows heavily from <xref target="RFC5288"></xref>.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc4346;
&rfc2119;
&rfc4347;
&rfc4366;
&rfc5288;
&rfc5116;
&rfc5246;
&rfc5487;
<reference anchor="CCM">
<front>
<title>Recommendation for
Block Cipher Modes of
Operation: The CCM Mode for
Authentication and
Confidentiality
</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="May" year="2004"></date>
</front>
<seriesInfo name="SP" value="800-38C"></seriesInfo>
</reference>
<reference anchor="AES">
<front>
<title>Specification for the Advanced Encryption Standard (AES)</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001"></date>
</front>
<seriesInfo name="FIPS" value="197"></seriesInfo>
</reference>
</references>
<references title="Informative References">
&rfc4309;
<reference anchor="IEEE802154">
<front>
<title>Wireless Personal Area Networks</title>
<author>
<organization>Institute of Electrical and Electronics Engineers</organization>
</author>
<date year="2006"></date>
</front>
<seriesInfo name="IEEE Standard" value="802.15.4-2006"></seriesInfo>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 03:11:40 |