diff options
Diffstat (limited to 'doc/rfc/rfc6367.txt')
-rw-r--r-- | doc/rfc/rfc6367.txt | 451 |
1 files changed, 451 insertions, 0 deletions
diff --git a/doc/rfc/rfc6367.txt b/doc/rfc/rfc6367.txt new file mode 100644 index 0000000..2b1fff6 --- /dev/null +++ b/doc/rfc/rfc6367.txt @@ -0,0 +1,451 @@ + + + + + + +Internet Engineering Task Force (IETF) S. Kanno +Request for Comments: 6367 NTT Software Corporation +Category: Informational M. Kanda +ISSN: 2070-1721 NTT + September 2011 + + + Addition of the Camellia Cipher Suites to + Transport Layer Security (TLS) + +Abstract + + This document specifies forty-two cipher suites for the Transport + Security Layer (TLS) protocol to support the Camellia encryption + algorithm as a block cipher. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6367. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + +Kanno & Kanda Informational [Page 1] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Proposed Cipher Suites . . . . . . . . . . . . . . . . . . . . 3 + 2.1. HMAC-Based Cipher Suites . . . . . . . . . . . . . . . . . 3 + 2.2. GCM-Based Cipher Suites . . . . . . . . . . . . . . . . . . 3 + 2.3. PSK-Based Cipher Suites . . . . . . . . . . . . . . . . . . 4 + 3. Cipher Suite Definitions . . . . . . . . . . . . . . . . . . . 4 + 3.1. Key Exchange . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.2. Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.3. PRFs . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.4. PSK Cipher Suites . . . . . . . . . . . . . . . . . . . . . 5 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 + 6.2. Informative References . . . . . . . . . . . . . . . . . . 7 + +1. Introduction + + The Camellia cipher suites are already specified in RFC 5932 [15] + with SHA-256-based Hashed Message Authentication Code (HMAC) using + asymmetric key encryption. This document proposes the addition of + new cipher suites to the Transport Layer Security (TLS) [8] protocol + to support the Camellia [4] cipher algorithm as a block cipher + algorithm. The proposed cipher suites include variants using the + SHA-2 family of cryptographic hash functions [13] and Galois Counter + Mode (GCM) [14]. Elliptic curve cipher suites and pre-shared key + (PSK) [5] cipher suites are also included. + +1.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [3]. + + + + + + + + + + + + + + + +Kanno & Kanda Informational [Page 2] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + +2. Proposed Cipher Suites + +2.1. HMAC-Based Cipher Suites + + The eight cipher suites use Camellia [4] in Cipher Block Chaining + (CBC) [4] mode with a SHA-2 family HMAC using the elliptic curve + cryptosystem: + + CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x72}; + CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x73}; + CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x74}; + CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x75}; + CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x76}; + CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x77}; + CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x78}; + CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x79}; + +2.2. GCM-Based Cipher Suites + + The twenty cipher suites use the same asymmetric key algorithms as + those in the previous section but use the authenticated encryption + modes defined in TLS 1.2 [8] with Camellia in GCM [14]. + +CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x7A}; +CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x7B}; +CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x7C}; +CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x7D}; +CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x7E}; +CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x7F}; +CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x80}; +CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x81}; +CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x82}; +CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x83}; +CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x84}; +CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x85}; +CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x86}; +CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x87}; +CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x88}; +CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x89}; +CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x8A}; +CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x8B}; +CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x8C}; +CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x8D}; + + + + + + + + +Kanno & Kanda Informational [Page 3] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + +2.3. PSK-Based Cipher Suites + + The fourteen cipher suites describe PSK cipher suites. The first six + cipher suites use Camellia with GCM, and the next eight cipher suites + use Camellia with SHA-2 family HMAC using asymmetric key encryption + or the elliptic curve cryptosystem. + + CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x8D}; + CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x8F}; + CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x90}; + CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x91}; + CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x92}; + CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x93}; + CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x94}; + CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x95}; + CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x96}; + CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x97}; + CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x98}; + CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x99}; + CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x9A}; + CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x9B}; + +3. Cipher Suite Definitions + +3.1. Key Exchange + + The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, ECDH, DH_anon, and ECDHE + key exchanges are performed as defined in RFC 5246 [8]. + +3.2. Cipher + + This document describes cipher suites based on Camellia cipher using + CBC mode and GCM. The details are as follows. + + The CAMELLIA_128_CBC cipher suites use Camellia [4] in CBC mode with + a 128-bit key and 128-bit Initialization Vector (IV); the + CAMELLIA_256_CBC cipher suites use a 256-bit key and 128-bit IV. + + Advanced Encryption Standard (AES) [19] authenticated encryption with + additional data algorithms, AEAD_AES_128_GCM and AEAD_AES_256_GCM, + are described in RFC 5116 [7]. AES GCM cipher suites for TLS are + described in RFC 5288 [9]. AES and Camellia share common + characteristics including key sizes and block length. + CAMELLIA_128_GCM and CAMELLIA_256_GCM are defined according to those + of AES. + + + + + + +Kanno & Kanda Informational [Page 4] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + +3.3. PRFs + + The hash algorithms and pseudorandom function (PRF) algorithms for + TLS 1.2 [8] SHALL be as follows: + + a. The cipher suites ending with _SHA256 use HMAC-SHA-256 [1] as the + MAC algorithm. The PRF is the TLS PRF [8] with SHA-256 [13] as + the hash function. + + b. The cipher suites ending with _SHA384 use HMAC-SHA-384 [1] as the + MAC algorithm. The PRF is the TLS PRF [8] with SHA-384 [13] as + the hash function. + + When used with TLS versions prior to 1.2 (TLS 1.0 [2] and TLS 1.1 + [6]), the PRF is calculated as specified in the appropriate version + of the TLS specification. + +3.4. PSK Cipher Suites + + PSK cipher suites for TLS are described in RFC 5487 [11] as to SHA- + 256/384 and RFC 5489 [12] as to ECDHE_PSK. + +4. Security Considerations + + At the time of writing this document, there are no known weak keys + for Camellia. Additionally, no security problems with Camellia have + been found (see NESSIE [16], CRYPTREC [17], and LNCS 5867[18]). + + The security considerations in previous RFCs (RFC 5116 [7], RFC 5289 + [10], and RFC 5487 [11]) apply to this document as well. + +5. IANA Considerations + + IANA allocated the following numbers in the TLS Cipher Suite + Registry: + +CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x72}; +CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x73}; +CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x74}; +CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x75}; +CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x76}; +CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x77}; +CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x78}; +CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x79}; +CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x7A}; +CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x7B}; +CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x7C}; +CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x7D}; + + + +Kanno & Kanda Informational [Page 5] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + +CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x7E}; +CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x7F}; +CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x80}; +CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x81}; +CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x82}; +CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x83}; +CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x84}; +CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x85}; +CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x86}; +CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x87}; +CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x88}; +CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x89}; +CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x8A}; +CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x8B}; +CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x8C}; +CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x8D}; +CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x8E}; +CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x8F}; +CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x90}; +CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x91}; +CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {0xC0,0x92}; +CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {0xC0,0x93}; +CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x94}; +CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x95}; +CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x96}; +CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x97}; +CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x98}; +CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x99}; +CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {0xC0,0x9A}; +CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {0xC0,0x9B}; + +6. References + +6.1. Normative References + + [1] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing + for Message Authentication", RFC 2104, February 1997. + + [2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", + RFC 2246, January 1999. + + [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [4] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the + Camellia Encryption Algorithm", RFC 3713, April 2004. + + + + + +Kanno & Kanda Informational [Page 6] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + + [5] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites for + Transport Layer Security (TLS)", RFC 4279, December 2005. + + [6] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) + Protocol Version 1.1", RFC 4346, April 2006. + + [7] McGrew, D., "An Interface and Algorithms for Authenticated + Encryption", RFC 5116, January 2008. + + [8] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) + Protocol Version 1.2", RFC 5246, August 2008. + + [9] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter + Mode (GCM) Cipher Suites for TLS", RFC 5288, August 2008. + + [10] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/ + 384 and AES Galois Counter Mode (GCM)", RFC 5289, August 2008. + + [11] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-256/ + 384 and AES Galois Counter Mode", RFC 5487, March 2009. + + [12] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for Transport + Layer Security (TLS)", RFC 5489, March 2009. + + [13] National Institute of Standards and Technology, "Secure Hash + Standard (SHS)", FIPS PUB 180, October 2008, + <http://csrc.nist.gov/publications/fips/fips180-3/ + fips180-3_final.pdf>. + + [14] Dworkin, M., "Recommendation for Block Cipher Modes of + Operation: Galois/Counter Mode (GCM) for Confidentiality and + Authentication", Special Publication 800-38D, April 2006, + <http://csrc.nist.gov/publications/nistpubs/800-38D/ + SP-800-38D.pdf>. + +6.2. Informative References + + [15] Kato, A., Kanda, M., and S. Kanno, "Camellia Cipher Suites for + TLS", RFC 5932, June 2010. + + [16] "The NESSIE Project (New European Schemes for Signatures, + Integrity and Encryption)", + <http://www.cosic.esat.kuleuven.be/nessie/>. + + [17] "CRYPTREC (Cryptography Research and Evaluation Committees)", + <http://www.cryptrec.go.jp/english/estimation.html>. + + + + + +Kanno & Kanda Informational [Page 7] + +RFC 6367 Camellia Cipher Suites for TLS September 2011 + + + [18] Mala, H., Shakiba, M., Dakhilalian, M., and G. Bagherikaram, + "New Results on Impossible Differential Cryptanalysis of + Reduced Round Camellia-128", LNCS 5867, November 2009, + <http://www.springerlink.com/content/e55783u422436g77/>. + + [19] National Institute of Standards and Technology, "Advanced + Encryption Standard (AES)", FIPS PUB 197, November 2001, + <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>. + +Authors' Addresses + + Satoru Kanno + NTT Software Corporation + + Phone: +81-45-212-9803 + Fax: +81-45-212-9800 + EMail: kanno.satoru@po.ntts.co.jp + + + Masayuki Kanda + NTT + + Phone: +81-422-59-3456 + Fax: +81-422-59-4015 + EMail: kanda.masayuki@lab.ntt.co.jp + + + + + + + + + + + + + + + + + + + + + + + + + + +Kanno & Kanda Informational [Page 8] + |