draft-ietf-tls-psk-new-mac-aes-gcm-02.txt   draft-ietf-tls-psk-new-mac-aes-gcm-03.txt 
TLS Working Group Mohamad Badra TLS Working Group Mohamad Badra
Internet Draft LIMOS Laboratory Internet Draft LIMOS Laboratory
Intended status: Standards Track September 23, 2008 Intended status: Standards Track September 25, 2008
Expires: February 2009
Pre-Shared Key Cipher Suites for Transport Layer Security (TLS) with Pre-Shared Key Cipher Suites for Transport Layer Security (TLS) with
SHA-256/384 and AES Galois Counter Mode SHA-256/384 and AES Galois Counter Mode
draft-ietf-tls-psk-new-mac-aes-gcm-02.txt draft-ietf-tls-psk-new-mac-aes-gcm-03.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 32
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on February 23, 2009. This Internet-Draft will expire on March 25, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
RFC 4279 and RFC 4785 describe pre-shared key cipher suites for RFC 4279 and RFC 4785 describe pre-shared key cipher suites for
Transport Layer Security (TLS). However, all those cipher suites Transport Layer Security (TLS). However, all those cipher suites
use SHA-1 as their MAC algorithm. This document describes a set of use SHA-1 as their MAC algorithm. This document describes a set of
cipher suites for TLS/DTLS which uses stronger digest algorithms pre-shared key cipher suites for TLS which uses stronger digest
(i.e., SHA-256 or SHA-384) and another which uses the Advanced algorithms (i.e., SHA-256 or SHA-384) and another set which uses the
Encryption Standard (AES) in Galois Counter Mode (GCM). Advanced Encryption Standard (AES) in Galois Counter Mode (GCM).
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
1.1. Conventions used in this document.........................3 1.1. Conventions used in this document.........................3
2. PSK, DHE_PSK and RSA_PSK Key Exchange Algorithms with AES-GCM..3 2. PSK, DHE_PSK and RSA_PSK Key Exchange Algorithms with AES-GCM..3
3. PSK, DHE_PSK and RSA_PSK Key Exchange with SHA-256/384.........4 3. PSK, DHE_PSK and RSA_PSK Key Exchange with SHA-256/384.........4
3.1. PSK Key Exchange Algorithm with SHA-256/384...............4 3.1. PSK Key Exchange Algorithm with SHA-256/384...............4
3.2. DHE_PSK Key Exchange Algorithm with SHA-256/384...........4 3.2. DHE_PSK Key Exchange Algorithm with SHA-256/384...........5
3.3. RSA_PSK Key Exchange Algorithm with SHA-256/384...........5 3.3. RSA_PSK Key Exchange Algorithm with SHA-256/384...........5
4. Security Considerations........................................5 4. Security Considerations........................................5
5. IANA Considerations............................................5 5. IANA Considerations............................................5
6. Acknowledgments................................................5 6. Acknowledgments................................................6
7. References.....................................................6 7. References.....................................................6
7.1. Normative References......................................6 7.1. Normative References......................................6
7.2. Informative References....................................7 7.2. Informative References....................................7
Author's Addresses................................................7 Author's Addresses................................................7
Intellectual Property and Copyright Statements....................7 Intellectual Property and Copyright Statements....................8
1. Introduction 1. Introduction
The benefits of pre-shared symmetric-key vs. public-/private-key
pair based authentication for the key exchange in TLS have been
explained in the Introduction of [RFC4279]. This document leverages
the already defined algorithms for the application of newer,
generally regarded stronger, cryptographic primitives and building
blocks.
TLS 1.2 [RFC5246] adds support for authenticated encryption with TLS 1.2 [RFC5246] adds support for authenticated encryption with
additional data (AEAD) cipher modes [RFC5116]. This document additional data (AEAD) cipher modes [RFC5116]. This document
describes the use of Advanced Encryption Standard (AES) [AES] in describes the use of Advanced Encryption Standard (AES) [AES] in
Galois Counter Mode (GCM) [GCM] (AES-GCM) with various pre-shared Galois Counter Mode (GCM) [GCM] (AES-GCM) with various pre-shared
key (PSK) key exchange mechanisms ([RFC4279] and [RFC4785]) as a key (PSK) authenticated key exchange mechanisms ([RFC4279] and
cipher suite for Transport Layer Security (TLS). [RFC4785]) in cipher suites for Transport Layer Security (TLS).
This document also specifies PSK cipher suites for TLS which replace This document also specifies PSK cipher suites for TLS which replace
SHA-1 by SHA-256 or SHA-384 [SHS]. RFC 4279 [RFC4279] and RFC 4785 SHA-1 by SHA-256 or SHA-384 [SHS]. RFC 4279 [RFC4279] and RFC 4785
[RFC4785] describe PSK cipher suites for TLS. However, all of the [RFC4785] describe PSK cipher suites for TLS. However, all of the
RFC 4279 and the RFC 4785 cipher suites use HMAC-SHA1 as their MAC RFC 4279 and the RFC 4785 cipher suites use HMAC-SHA1 as their MAC
algorithm. Due to recent analytic work on SHA-1 [Wang05], the IETF algorithm. Due to recent analytic work on SHA-1 [Wang05], the IETF
is gradually moving away from SHA-1 and towards stronger hash is gradually moving away from SHA-1 and towards stronger hash
algorithms. algorithms.
ECC based cipher suites with SHA-256/384 and AES-GCM are defined in Related TLS cipher suites with key exchange algorithms that are
[RFC5289]; RSA, DSS and Diffie-Hellman based cipher suites are authenticated using public/private key pairs have recently been
specified in [RFC5288]. The reader is expected to become familiar specified:
with these two memos prior to studying this document.
- RSA, DSS, and Diffie-Hellman based cipher suites in [RFC5288],
and
-ECC based cipher suites with SHA-256/384 and AES-GCM in
[RFC5289].
The reader is expected to become familiar with these two memos prior
to studying this document.
1.1. Conventions used in this document 1.1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. PSK, DHE_PSK and RSA_PSK Key Exchange Algorithms with AES-GCM 2. PSK, DHE_PSK and RSA_PSK Key Exchange Algorithms with AES-GCM
The following six cipher suites use the new authenticated encryption The following six cipher suites use the new authenticated encryption
skipping to change at page 3, line 50 skipping to change at page 4, line 17
(PFS). (PFS).
CipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX};
CipherSuite TLS_PSK_WITH_AES_256_GCM_SHA384 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_256_GCM_SHA384 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX}; CipherSuite TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = {0xXX,0xXX}; CipherSuite TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = {0xXX,0xXX};
These cipher suites use authenticated encryption with additional These cipher suites use authenticated encryption with additional
data (AEAD) algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM data (AEAD) algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM as
described in RFC 5116. GCM is used as described in [RFC5288]. described in RFC 5116. GCM is used as described in [RFC5288].
The PSK, DHE_PSK and RSA_PSK key exchanges are performed as defined The PSK, DHE_PSK and RSA_PSK key exchanges are performed as defined
in [RFC4279]. in [RFC4279].
The PRFs SHALL be as follows: The PRFs SHALL be as follows:
For cipher suites ending with _SHA256, the PRF is the TLS PRF For cipher suites ending with _SHA256, the PRF is the TLS PRF
[RFC5246] with SHA-256 as the hash function. [RFC5246] with SHA-256 as the hash function.
For cipher suites ending with _SHA384, the PRF is the TLS PRF For cipher suites ending with _SHA384, the PRF is the TLS PRF
[RFC5246] with SHA-384 as the hash function. [RFC5246] with SHA-384 as the hash function.
Implementations MUST send TLS Alert bad_record_mac for all types of Implementations MUST send a TLS Alert 'bad_record_mac' for all types
failures encountered in processing the AES-GCM algorithm. of failures encountered in processing the AES-GCM algorithm.
3. PSK, DHE_PSK and RSA_PSK Key Exchange with SHA-256/384 3. PSK, DHE_PSK and RSA_PSK Key Exchange with SHA-256/384
The cipher suites described in this section use AES [AES] in CBC The cipher suites described in this section use AES [AES] in CBC
[CBC] mode with an HMAC-based MAC. [CBC] mode with an HMAC-based MAC.
3.1. PSK Key Exchange Algorithm with SHA-256/384 3.1. PSK Key Exchange Algorithm with SHA-256/384
CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX};
CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX};
skipping to change at page 5, line 4 skipping to change at page 5, line 21
For cipher suites ending with _SHA384, the PRF is the TLS PRF For cipher suites ending with _SHA384, the PRF is the TLS PRF
[RFC5246] with SHA-384 as the hash function. [RFC5246] with SHA-384 as the hash function.
The MAC is HMAC [RFC2104] with SHA-384 as the hash function. The MAC is HMAC [RFC2104] with SHA-384 as the hash function.
3.2. DHE_PSK Key Exchange Algorithm with SHA-256/384 3.2. DHE_PSK Key Exchange Algorithm with SHA-256/384
CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA256 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_NULL_SHA256 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA384 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_NULL_SHA384 = {0xXX,0xXX};
The above four cipher suites are the same as the corresponding The above four cipher suites are the same as the corresponding
cipher suites in RFC 4279 and RFC 4785 (with names ending in "_SHA" cipher suites in RFC 4279 and RFC 4785 (with names ending in "_SHA"
in place of "_SHA256" or "_SHA384"), except for the hash and PRF in place of "_SHA256" or "_SHA384"), except for the hash and PRF
algorithms, as explained in section 3.1. algorithms, as explained in section 3.1.
3.3. RSA_PSK Key Exchange Algorithm with SHA-256/384 3.3. RSA_PSK Key Exchange Algorithm with SHA-256/384
CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA256 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA384 = {0xXX,0xXX};
The above two cipher suites are the same as the corresponding cipher The above four cipher suites are the same as the corresponding
suites in RFC 4279 and RFC 4785 (with names ending in "_SHA" in cipher suites in RFC 4279 and RFC 4785 (with names ending in "_SHA"
place of "_SHA256" or "_SHA384"), except for the hash and PRF in place of "_SHA256" or "_SHA384"), except for the hash and PRF
algorithms, as explained in section 3.1. algorithms, as explained in section 3.1.
4. Security Considerations 4. Security Considerations
The security considerations in RFC 4279, RFC 4758, and [RFC5288] The security considerations in [RFC4279], [RFC4758] and [RFC5288]
apply to this document as well. In addition, as described in apply to this document as well. In addition, as described in
[RFC5288], these cipher suites may only be used with TLS 1.2 or [RFC5288], these cipher suites may only be used with TLS 1.2 or
greater. greater.
5. IANA Considerations 5. IANA Considerations
IANA has assigned the following values for the cipher suites defined IANA has assigned the following values for the cipher suites defined
in this document: in this document:
CipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256 = {0xXX,0xXX};
skipping to change at page 5, line 47 skipping to change at page 6, line 21
CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX};
CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX};
CipherSuite TLS_PSK_WITH_NULL_SHA256 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_NULL_SHA256 = {0xXX,0xXX};
CipherSuite TLS_PSK_WITH_NULL_SHA384 = {0xXX,0xXX}; CipherSuite TLS_PSK_WITH_NULL_SHA384 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA256 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_NULL_SHA256 = {0xXX,0xXX};
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA384 = {0xXX,0xXX}; CipherSuite TLS_DHE_PSK_WITH_NULL_SHA384 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA256 = {0xXX,0xXX};
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA384 = {0xXX,0xXX};
6. Acknowledgments 6. Acknowledgments
This draft borrows heavily from [RFC5289] and [RFC5288]. This draft borrows heavily from [RFC5289] and [RFC5288].
The author appreciates Alfred Hoenes for his detailed review and The author appreciates Alfred Hoenes for his detailed review and
effort on issues resolving discussion. The author would like also effort on issues resolving discussion. The author would like also
to acknowledge Ibrahim Hajjeh, Simon Josefsson, Hassnaa Moustafa, to acknowledge Ibrahim Hajjeh, Simon Josefsson, Hassnaa Moustafa,
Joseph Salowey and Pascal Urien for their reviews of the content of Joseph Salowey and Pascal Urien for their reviews of the content of
the document. the document.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [AES] National Institute of Standards and Technology,
Requirement Levels", BCP 14, RFC 2119, March 1997. "Specification for the Advanced Encryption Standard
(AES)", FIPS 197, November 2001.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [CBC] National Institute of Standards and Technology,
(TLS) Protocol Version 1.2", RFC 5246, August 2008. "Recommendation for Block Cipher Modes of Operation -
Methods and Techniques", SP 800-38A, December 2001.
[GCM] National Institute of Standards and Technology,
"Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) for Confidentiality and
Authentication", SP 800-38D, November 2007.
[SHS] National Institute of Standards and Technology, "Secure
Hash Standard", FIPS 180-2, August 2002.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, February Hashing for Message Authentication", RFC 2104, February
1997. 1997.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Encryption", RFC 5116, January 2008. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
for Transport Layer Security (TLS)", RFC 4279, December for Transport Layer Security (TLS)", RFC 4279, December
2005. 2005.
[RFC4785] Blumenthal, U., Goel, P., "Pre-Shared Key (PSK) [RFC4785] Blumenthal, U., Goel, P., "Pre-Shared Key (PSK)
Ciphersuites with NULL Encryption for Transport Layer Ciphersuites with NULL Encryption for Transport Layer
Security (TLS)", RFC 4785, January 2007. Security (TLS)", RFC 4785, January 2007.
[AES] National Institute of Standards and Technology, [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
"Specification for the Advanced Encryption Standard Encryption", RFC 5116, January 2008.
(AES)", FIPS 197, November 2001.
[SHS] National Institute of Standards and Technology, "Secure
Hash Standard", FIPS 180-2, August 2002.
[CBC] National Institute of Standards and Technology,
"Recommendation for Block Cipher Modes of Operation -
Methods and Techniques", SP 800-38A, December 2001.
[GCM] National Institute of Standards and Technology, [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
"Recommendation for Block Cipher Modes of Operation: (TLS) Protocol Version 1.2", RFC 5246, August 2008.
Galois/Counter Mode (GCM) for Confidentiality and
Authentication", SP 800-38D, November 2007.
[RFC5288] Salowey, J., A. Choudhury, and C. McGrew, "RSA based AES- [RFC5288] Salowey, J., A. Choudhury, and C. McGrew, "RSA based AES-
GCM Cipher Suites for TLS", RFC 5288, August 2008. GCM Cipher Suites for TLS", RFC 5288, August 2008.
7.2. Informative References 7.2. Informative References
[Wang05] Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the
Full SHA-1", CRYPTO 2005, August 2005.
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
256/384 and AES Galois Counter Mode", RFC 5289, August 256/384 and AES Galois Counter Mode", RFC 5289, August
2008. 2008.
[Wang05] Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the
Full SHA-1", CRYPTO 2005, August 2005.
Author's Addresses Author's Addresses
Mohamad Badra Mohamad Badra
LIMOS Laboratory - UMR6158, CNRS LIMOS Laboratory - UMR6158, CNRS
France France
Email: badra@isima.fr Email: badra@isima.fr
Intellectual Property Statement Intellectual Property Statement
 End of changes. 24 change blocks. 
47 lines changed or deleted 65 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/