draft-ietf-tls-ciphersuite-01.txt   draft-ietf-tls-ciphersuite-02.txt 
Network Working Group Pete Chown Network Working Group Pete Chown
INTERNET DRAFT Skygate Technology INTERNET DRAFT Skygate Technology
<draft-ietf-tls-ciphersuite-01.txt> 27 October 2000 <draft-ietf-tls-ciphersuite-02.txt> 15 November 2000
AES Ciphersuites for TLS AES Ciphersuites for TLS
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 2, line 5 skipping to change at page 2, line 5
claims. RSA Security Inc has trademark rights in the names RC2 claims. RSA Security Inc has trademark rights in the names RC2
and RC4, and claims that the RC4 algorithm itself is a trade and RC4, and claims that the RC4 algorithm itself is a trade
secret. Ascom Systec Ltd owns a patent on the IDEA algorithm. secret. Ascom Systec Ltd owns a patent on the IDEA algorithm.
2. Triple DES is much less efficient than more modern ciphers. 2. Triple DES is much less efficient than more modern ciphers.
3. Now the AES process is completed there will be commercial pres¡ 3. Now the AES process is completed there will be commercial pres¡
sure to use the selected cipher. The AES is efficient and has sure to use the selected cipher. The AES is efficient and has
withstood extensive cryptanalytic efforts. The AES is withstood extensive cryptanalytic efforts. The AES is
ietf-tls-ciphersuite-01 AES Ciphersuites for TLS 27 October 2000 ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
therefore a desirable choice. therefore a desirable choice.
4. Currently the DHE ciphersuites only allow triple DES (along 4. Currently the DHE ciphersuites only allow triple DES (along
with some ``export'' variants which offer reduced key lengths). with some ``export'' variants which offer reduced key lengths).
At the same time the DHE ciphersuites are the only ones to At the same time the DHE ciphersuites are the only ones to
offer forward secrecy. offer forward secrecy.
This document proposes several new ciphersuites, with the aim of This document proposes several new ciphersuites, with the aim of
overcoming these problems. overcoming these problems.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119.
Cipher Usage Cipher Usage
The new ciphersuites proposed here are very similar to the follow¡ The new ciphersuites proposed here are very similar to the follow¡
ing, defined in [TLS]: ing, defined in [TLS]:
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
All the ciphersuites described here use the AES in cipher block All the ciphersuites described here use the AES in cipher block
chaining (CBC) mode. Furthermore, they use SHA-1 in an HMAC con¡ chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an
struction as described in section 5 of [TLS]. (Although the TLS HMAC construction as described in section 5 of [TLS]. (Although
ciphersuite names include the text ``SHA'', this actually refers to the TLS ciphersuite names include the text ``SHA'', this actually
the modified SHA-1 version of the algorithm.) refers to the modified SHA-1 version of the algorithm.)
The ciphersuites differ in the type of certificate and key exchange The ciphersuites differ in the type of certificate and key exchange
method. The ciphersuites defined here use the following options method. The ciphersuites defined here use the following options
for this part of the protocol: for this part of the protocol:
CipherSuite Certificate type and key CipherSuite Certificate type (if applicable)
exchange algorithm and key exchange algorithm
TLS_RSA_WITH_AES_128_CBC_SHA RSA TLS_RSA_WITH_AES_128_CBC_SHA RSA
TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS
TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS and For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
DHE_RSA, please refer to section 7.4.2 of [TLS]. and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS].
ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
The AES supports key lengths of 128, 192 and 256 bits. At the pre¡ The AES supports key lengths of 128, 192 and 256 bits. At the pre¡
sent time, all of these are believed to be secure against even the sent time, all of these are believed to be secure against even the
best equipped attackers. The overall strength of TLS is such that best equipped attackers. The overall strength of TLS is such that
there is no gain from using a key length longer than 128 bits. there is no gain from using a key length longer than 128 bits.
Accordingly the AES will use 128 bit keys. Accordingly the AES will use 128 bit keys.
ietf-tls-ciphersuite-01 AES Ciphersuites for TLS 27 October 2000
The new ciphersuites will have the following definitions: The new ciphersuites will have the following definitions:
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
Implementations SHOULD provide TLS_RSA_WITH_AES_128_CBC_SHA and In the absence of an application profile standard specifying other¡
TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Implementations MAY provide any wise:
of the other ciphersuites described above.
1. Servers MUST provide at least one of
TLS_RSA_WITH_AES_128_CBC_SHA and
TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
2. Clients MUST provide both TLS_RSA_WITH_AES_128_CBC_SHA and
TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
(A TLS implementation which does not follow this requirement is
non-compliant with this RFC. However, it will still be a valid TLS
implementation if it complies with [TLS].)
Implementations MAY provide any of the other ciphersuites described
above.
Security Considerations Security Considerations
It is not believed that the new ciphersuites are ever less secure It is not believed that the new ciphersuites are ever less secure
than the corresponding older ones. The AES is believed to be than the corresponding older ones. The AES is believed to be
secure, and it has withstood extensive cryptanalytic attack. secure, and it has withstood extensive cryptanalytic attack.
The ephemeral Diffie-Hellman ciphersuites provide forward secrecy The ephemeral Diffie-Hellman ciphersuites provide forward secrecy
without any known reduction in security in other areas. To obtain without any known reduction in security in other areas. To obtain
the maximum benefit from these ciphersuites: the maximum benefit from these ciphersuites:
1. The ephemeral keys should only be used once. With the TLS pro¡ 1. The ephemeral keys should only be used once. With the TLS pro¡
tocol as currently defined there is no efficiency gain from tocol as currently defined there is no efficiency gain from
reusing ephemeral keys. reusing ephemeral keys.
2. Ephemeral keys should be destroyed securely when they are no 2. Ephemeral keys should be destroyed securely when they are no
longer required. longer required.
ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
3. The random number generator used to create ephemeral keys must 3. The random number generator used to create ephemeral keys must
not reveal past output even when its internal state is compro¡ not reveal past output even when its internal state is compro¡
mised. mised.
[TLS] describes the anonymous Diffie-Hellman (ADH) ciphersuites as
deprecated. The ADH ciphersuite defined here is not deprecated.
However, when it is used, particular care must be taken:
1. ADH provides confidentiality but not authentication. This
means that (if authentication is required) the communicating
parties must authenticate to each other by some means other
than TLS.
2. ADH is vulnerable to man-in-the-middle attacks, as a conse¡
quence of the lack of authentication. The parties must have a
way of determining whether they are participating in the same
TLS connection. If they are not, they can deduce that they are
under attack, and presumably abort the connection.
For example, if the parties share a secret, it is possible to
compute a MAC of the TLS Finished message. An attacker would
have to negotiate two different TLS connections; one with each
communicating party. The Finished messages would be different
in each case, because they depend on the master secret. For
this reason, the MACs computed by each party would be differ¡
ent.
It is important to note that authentication techniques which do
not use the Finished message do not usually provide protection
from this attack. For example, the client could authenticate
to the server with a password, but it would still be vulnerable
to man-in-the-middle attacks.
Copyright Copyright
Copyright (C) The Internet Society 2000. All Rights Reserved. Copyright (C) The Internet Society 2000. All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain others, and derivative works that comment on or otherwise explain
it or assist in its implementation may be prepared, copied, pub¡ it or assist in its implementation may be prepared, copied, pub¡
lished and distributed, in whole or in part, without restriction of lished and distributed, in whole or in part, without restriction of
any kind, provided that the above copyright notice and this para¡ any kind, provided that the above copyright notice and this para¡
graph are included on all such copies and derivative works. How¡ graph are included on all such copies and derivative works. How¡
ever, this document itself may not be modified in any way, such as ever, this document itself may not be modified in any way, such as
by removing the copyright notice or references to the Internet by removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed for the Society or other Internet organizations, except as needed for the
purpose of developing Internet standards in which case the proce¡ purpose of developing Internet standards in which case the proce¡
dures for copyrights defined in the Internet Standards process must dures for copyrights defined in the Internet Standards process must
ietf-tls-ciphersuite-01 AES Ciphersuites for TLS 27 October 2000 ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
be followed, or as required to translate it into languages other be followed, or as required to translate it into languages other
than English. than English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees. revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGI¡ an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGI¡
NEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, NEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
skipping to change at page 5, line 5 skipping to change at page 6, line 5
NIST reminds all interested parties that the adoption of NIST reminds all interested parties that the adoption of
AES is being conducted as an open standards-setting AES is being conducted as an open standards-setting
activity. Specifically, NIST has requested that all activity. Specifically, NIST has requested that all
interested parties identify to NIST any patents or inven¡ interested parties identify to NIST any patents or inven¡
tions that may be required for the use of AES. NIST tions that may be required for the use of AES. NIST
hereby gives public notice that it may seek redress under hereby gives public notice that it may seek redress under
the antitrust laws of the United States against any party the antitrust laws of the United States against any party
in the future who might seek to exercise patent rights in the future who might seek to exercise patent rights
ietf-tls-ciphersuite-01 AES Ciphersuites for TLS 27 October 2000 ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
against any user of AES that have not been disclosed to against any user of AES that have not been disclosed to
NIST in response to this request for information. NIST in response to this request for information.
One of the authors of Rijndael signed the following disclaimer when One of the authors of Rijndael signed the following disclaimer when
submitting the algorithm to NIST for consideration in the AES pro¡ submitting the algorithm to NIST for consideration in the AES pro¡
cess: cess:
I, Joan Daemen, do hereby declare that to the best of my I, Joan Daemen, do hereby declare that to the best of my
knowledge the practice of the algorithm, reference imple¡ knowledge the practice of the algorithm, reference imple¡
skipping to change at page 6, line 5 skipping to change at page 7, line 5
the use of the algorithm intending it to be available on the use of the algorithm intending it to be available on
a worldwide, non-exclusive, royalty-free basis. a worldwide, non-exclusive, royalty-free basis.
I do hereby agree to provide the statements for any I do hereby agree to provide the statements for any
patent or patent application identified to cover practice patent or patent application identified to cover practice
of my algorithm, reference implementation or mathemati¡ of my algorithm, reference implementation or mathemati¡
cally optimized implementations and the right to use such cally optimized implementations and the right to use such
implementations for the purposes of the AES evaluation implementations for the purposes of the AES evaluation
process. process.
ietf-tls-ciphersuite-01 AES Ciphersuites for TLS 27 October 2000 ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
I understand that NIST will announce the selected algo¡ I understand that NIST will announce the selected algo¡
rithm(s) and proceed to publish the draft FIPS for public rithm(s) and proceed to publish the draft FIPS for public
comment. If my algorithm (or the derived algorithm) is comment. If my algorithm (or the derived algorithm) is
not selected for inclusion in the FIPS (including those not selected for inclusion in the FIPS (including those
not selected for second round of public evaluation), I not selected for second round of public evaluation), I
understand that all rights, including use rights of the understand that all rights, including use rights of the
reference and mathematically optimized implementations, reference and mathematically optimized implementations,
revert back to the submitter (and other owner[s] as revert back to the submitter (and other owner[s] as
appropriate). Additionally, should the U.S. Government appropriate). Additionally, should the U.S. Government
skipping to change at page 7, line 5 skipping to change at page 8, line 5
Acknowledgements Acknowledgements
I would like to thank the ietf-tls mailing list contributors who I would like to thank the ietf-tls mailing list contributors who
have made helpful suggestions for this document. have made helpful suggestions for this document.
References References
[TLS] T. Dierks, C. Allen, "The TLS Protocol Version 1.0" RFC-2246. [TLS] T. Dierks, C. Allen, "The TLS Protocol Version 1.0" RFC-2246.
January, 1999. January, 1999.
ietf-tls-ciphersuite-01 AES Ciphersuites for TLS 27 October 2000 ietf-tls-ciphersuite-02 AES Ciphersuites for TLS 15 November 2000
[AES] J. Daemen, V. Rijmen, "The Rijndael Block Cipher" [AES] J. Daemen, V. Rijmen, "The Rijndael Block Cipher"
http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 3rd http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 3rd
September 1999. September 1999.
[SHA-1] FIPS PUB 180-1, "Secure Hash Standard," National Institute
of Standards and Technology, U.S. Department of Commerce, April 17,
1995.
Author's Address Author's Address
Pete Chown Pete Chown
Skygate Technology Ltd Skygate Technology Ltd
8 Lombard Road 8 Lombard Road
London London
SW19 3TZ SW19 3TZ
United Kingdom United Kingdom
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/