draft-ietf-tls-ciphersuite-05.txt   draft-ietf-tls-ciphersuite-06.txt 
Network Working Group Pete Chown Network Working Group Pete Chown
INTERNET DRAFT Skygate Technology INTERNET DRAFT Skygate Technology
<draft-ietf-tls-ciphersuite-05.txt> 14 August 2001 <draft-ietf-tls-ciphersuite-06.txt> 09 January 2002
AES Ciphersuites for TLS AES Ciphersuites for TLS
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other docu¡ months and may be updated, replaced, or obsoleted by other
ments at any time. It is inappropriate to use Internet-Drafts as documents at any time. It is inappropriate to use Internet-Drafts
reference material or to cite them other than as ``work in as reference material or to cite them other than as ``work in
progress.'' progress.''
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt> <http://www.ietf.org/ietf/1id-abstracts.txt>
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html> <http://www.ietf.org/shadow.html>
Distribution of this document is unlimited. Please send comments to Distribution of this document is unlimited. Please send comments to
the author (pc@skygate.co.uk) or to the Transport Layer Security the author (pc@skygate.co.uk) or to the Transport Layer Security
skipping to change at page 1, line 48 skipping to change at page 1, line 48
IDEA, DES and triple DES. The protocol would be enhanced by the IDEA, DES and triple DES. The protocol would be enhanced by the
addition of AES [AES] ciphersuites, for the following reasons: addition of AES [AES] ciphersuites, for the following reasons:
1. RC2, RC4 and IDEA are all subject to intellectual property 1. RC2, RC4 and IDEA are all subject to intellectual property
claims. RSA Security Inc has trademark rights in the names RC2 claims. RSA Security Inc has trademark rights in the names RC2
and RC4, and claims that the RC4 algorithm itself is a trade and RC4, and claims that the RC4 algorithm itself is a trade
secret. Ascom Systec Ltd owns a patent on the IDEA algorithm. secret. Ascom Systec Ltd owns a patent on the IDEA algorithm.
2. Triple DES is much less efficient than more modern ciphers. 2. Triple DES is much less efficient than more modern ciphers.
3. Now the AES process is completed there will be commercial pres¡ 3. Now the AES process is completed there will be commercial
sure to use the selected cipher. The AES is efficient and has pressure to use the selected cipher. The AES is efficient and
withstood extensive cryptanalytic efforts. The AES is has withstood extensive cryptanalytic efforts. The AES is
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001 ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002
therefore a desirable choice. therefore a desirable choice.
4. Currently the DHE ciphersuites only allow triple DES (along 4. Currently the DHE ciphersuites only allow triple DES (along
with some ``export'' variants which do not use a satisfactory with some ``export'' variants which do not use a satisfactory
key length). At the same time the DHE ciphersuites are the key length). At the same time the DHE ciphersuites are the
only ones to offer forward secrecy. only ones to offer forward secrecy.
This document proposes several new ciphersuites, with the aim of This document proposes several new ciphersuites, with the aim of
overcoming these problems. overcoming these problems.
Cipher Usage Cipher Usage
The new ciphersuites proposed here are very similar to the follow¡ The new ciphersuites proposed here are very similar to the
ing, defined in [TLS]: following, defined in [TLS]:
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
All the ciphersuites described here use the AES in cipher block All the ciphersuites described here use the AES in cipher block
chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an
HMAC construction as described in section 5 of [TLS]. (Although HMAC construction as described in section 5 of [TLS]. (Although
the TLS ciphersuite names include the text ``SHA'', this actually the TLS ciphersuite names include the text ``SHA'', this actually
refers to the modified SHA-1 version of the algorithm.) refers to the modified SHA-1 version of the algorithm.)
The ciphersuites differ in the type of certificate and key exchange The ciphersuites differ in the type of certificate and key exchange
method. The ciphersuites defined here use the following options method. The ciphersuites defined here use the following options
for this part of the protocol: for this part of the protocol:
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001 ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002
CipherSuite Certificate type (if applicable) CipherSuite Certificate type (if applicable)
and key exchange algorithm and key exchange algorithm
TLS_RSA_WITH_AES_128_CBC_SHA RSA TLS_RSA_WITH_AES_128_CBC_SHA RSA
TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS
TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon
skipping to change at page 3, line 29 skipping to change at page 3, line 29
TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS]. and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS].
The AES supports key lengths of 128, 192 and 256 bits. However, The AES supports key lengths of 128, 192 and 256 bits. However,
this document only defines ciphersuites for 128- and 256-bit keys. this document only defines ciphersuites for 128- and 256-bit keys.
This is to avoid unnecessary proliferation of ciphersuites. Rijn¡ This is to avoid unnecessary proliferation of ciphersuites.
dael actually allows for 192- and 256-bit block sizes as well as Rijndael actually allows for 192- and 256-bit block sizes as well
the 128-bit blocks mandated by the AES process. The ciphersuites as the 128-bit blocks mandated by the AES process. The
defined here all use 128-bit blocks. ciphersuites defined here all use 128-bit blocks.
The new ciphersuites will have the following definitions: The new ciphersuites will have the following definitions:
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
skipping to change at page 4, line 5 skipping to change at page 4, line 5
CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };
CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };
CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };
CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
Security Considerations Security Considerations
It is not believed that the new ciphersuites are ever less secure It is not believed that the new ciphersuites are ever less secure
than the corresponding older ones. The AES is believed to be than the corresponding older ones. The AES is believed to be
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001 ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002
secure, and it has withstood extensive cryptanalytic attack. secure, and it has withstood extensive cryptanalytic attack.
The ephemeral Diffie-Hellman ciphersuites provide forward secrecy The ephemeral Diffie-Hellman ciphersuites provide forward secrecy
without any known reduction in security in other areas. To obtain without any known reduction in security in other areas. To obtain
the maximum benefit from these ciphersuites: the maximum benefit from these ciphersuites:
1. The ephemeral keys should only be used once. With the TLS pro¡ 1. The ephemeral keys should only be used once. With the TLS
tocol as currently defined there is no significant efficiency protocol as currently defined there is no significant
gain from reusing ephemeral keys. efficiency gain from reusing ephemeral keys.
2. Ephemeral keys should be destroyed securely when they are no 2. Ephemeral keys should be destroyed securely when they are no
longer required. longer required.
3. The random number generator used to create ephemeral keys must 3. The random number generator used to create ephemeral keys must
not reveal past output even when its internal state is compro¡ not reveal past output even when its internal state is
mised. compromised.
[TLS] describes the anonymous Diffie-Hellman (ADH) ciphersuites as [TLS] describes the anonymous Diffie-Hellman (ADH) ciphersuites as
deprecated. The ADH ciphersuites defined here are not deprecated. deprecated. The ADH ciphersuites defined here are not deprecated.
However, when they are used, particular care must be taken: However, when they are used, particular care must be taken:
1. ADH provides confidentiality but not authentication. This 1. ADH provides confidentiality but not authentication. This
means that (if authentication is required) the communicating means that (if authentication is required) the communicating
parties must authenticate to each other by some means other parties must authenticate to each other by some means other
than TLS. than TLS.
2. ADH is vulnerable to man-in-the-middle attacks, as a conse¡ 2. ADH is vulnerable to man-in-the-middle attacks, as a
quence of the lack of authentication. The parties must have a consequence of the lack of authentication. The parties must
way of determining whether they are participating in the same have a way of determining whether they are participating in the
TLS connection. If they are not, they can deduce that they are same TLS connection. If they are not, they can deduce that
under attack, and presumably abort the connection. they are under attack, and presumably abort the connection.
For example, if the parties share a secret, it is possible to For example, if the parties share a secret, it is possible to
compute a MAC of the TLS Finished message. An attacker would compute a MAC of the TLS Finished message. An attacker would
have to negotiate two different TLS connections; one with each have to negotiate two different TLS connections; one with each
communicating party. The Finished messages would be different communicating party. The Finished messages would be different
in each case, because they depend on the parties' public keys in each case, because they depend on the parties' public keys
(among other things). For this reason, the MACs computed by (among other things). For this reason, the MACs computed by
each party would be different. each party would be different.
It is important to note that authentication techniques which do It is important to note that authentication techniques which do
not use the Finished message do not usually provide protection not use the Finished message do not usually provide protection
from this attack. For example, the client could authenticate from this attack. For example, the client could authenticate
to the server with a password, but it would still be vulnerable to the server with a password, but it would still be vulnerable
to man-in-the-middle attacks. to man-in-the-middle attacks.
Copyright Copyright
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001 ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002
Copyright (C) The Internet Society 2001. All Rights Reserved. Copyright (C) The Internet Society 2001. All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain others, and derivative works that comment on or otherwise explain
it or assist in its implementation may be prepared, copied, pub¡ it or assist in its implementation may be prepared, copied,
lished and distributed, in whole or in part, without restriction of published and distributed, in whole or in part, without restriction
any kind, provided that the above copyright notice and this para¡ of any kind, provided that the above copyright notice and this
graph are included on all such copies and derivative works. How¡ paragraph are included on all such copies and derivative works.
ever, this document itself may not be modified in any way, such as However, this document itself may not be modified in any way, such
by removing the copyright notice or references to the Internet as by removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed for the Society or other Internet organizations, except as needed for the
purpose of developing Internet standards in which case the proce¡ purpose of developing Internet standards in which case the
dures for copyrights defined in the Internet Standards process must procedures for copyrights defined in the Internet Standards process
be followed, or as required to translate it into languages other must be followed, or as required to translate it into languages
than English. other than English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees. revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGI¡ an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
NEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WAR¡ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
RANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to per¡ intellectual property or other rights that might be claimed to
tain to the implementation or use other technology described in pertain to the implementation or use other technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such pro¡ to obtain a general license or permission for the use of such
prietary rights by implementors or users of this specification can proprietary rights by implementors or users of this specification
be obtained from the IETF Secretariat. can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF Executive
Director. Director.
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001 ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002
During the development of the AES, NIST published the following During the development of the AES, NIST published the following
statement on intellectual property: statement on intellectual property:
SPECIAL NOTE - Intellectual Property SPECIAL NOTE - Intellectual Property
NIST reminds all interested parties that the adoption of NIST reminds all interested parties that the adoption of
AES is being conducted as an open standards-setting AES is being conducted as an open standards-setting
activity. Specifically, NIST has requested that all activity. Specifically, NIST has requested that all
interested parties identify to NIST any patents or inven¡ interested parties identify to NIST any patents or
tions that may be required for the use of AES. NIST inventions that may be required for the use of AES. NIST
hereby gives public notice that it may seek redress under hereby gives public notice that it may seek redress under
the antitrust laws of the United States against any party the antitrust laws of the United States against any party
in the future who might seek to exercise patent rights in the future who might seek to exercise patent rights
against any user of AES that have not been disclosed to against any user of AES that have not been disclosed to
NIST in response to this request for information. NIST in response to this request for information.
One of the authors of Rijndael signed the following disclaimer when
submitting the algorithm to NIST for consideration in the AES pro¡
cess:
I, Joan Daemen, do hereby declare that to the best of my
knowledge the practice of the algorithm, reference imple¡
mentation, and mathematically optimized implementations,
I have submitted, known as Rijndael may be covered by the
following U.S. and/or foreign patents:
none
I do hereby declare that I am aware of no patent applica¡
tions which may cover the practice of my submitted algo¡
rithm, reference implementation or mathematically opti¡
mized implementations.
I do hereby understand that my submitted algorithm may
not be selected for inclusion in the Advanced Encryption
Standard. I also understand and agree that after the
close of the submission period, my submission may not be
withdrawn from public consideration for inclusion in the
Federal Information Processing Standard (FIPS) for
Advanced Encryption Standard (AES). I further understand
that I will not receive financial compensation from the
government for my submission. I certify that, to the
best of my knowledge, I have fully disclosed all patents
and patent applications relating to my algorithm. I also
understand that the U.S. Government may, during the
course of the lifetime of the AES or during the FIPS pub¡
lic review process, modify the algorithm's specifications
(e.g., to protect against a newly discovered
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001
vulnerability). Should my submission be selected for
inclusion in the AES, I hereby agree not to place any
restrictions on the use of the algorithm intending it to
be available on a worldwide, non-exclusive, royalty-free
basis.
I do hereby agree to provide the statements for any
patent or patent application identified to cover practice
of my algorithm, reference implementation or mathemati¡
cally optimized implementations and the right to use such
implementations for the purposes of the AES evaluation
process.
I understand that NIST will announce the selected algo¡
rithm(s) and proceed to publish the draft FIPS for public
comment. If my algorithm (or the derived algorithm) is
not selected for inclusion in the FIPS (including those
not selected for second round of public evaluation), I
understand that all rights, including use rights of the
reference and mathematically optimized implementations,
revert back to the submitter (and other owner[s] as
appropriate). Additionally, should the U.S. Government
not select my algorithm for inclusion in the AES after a
period of four years from the close of the submission
date for candidate algorithms, all rights revert to the
submitter (and other owner[s] as appropriate).
[signed]
Title: Cryptographer
Dated: 10-6-98
Place: Brussels
The following disclaimer was signed at the start of the second
"round" of the AES process:
Dear Mr Foti [of NIST],
Hereby we confirm that the original patent and patent
application information, as provided to NIST with our
original submission in June 1998, has not changed. To
the best of our knowledge, there are no patents or patent
applications covering the practice of the algorithm, ref¡
erence implementation or the mathematically optimized
implementations.
ietf-tls-ciphersuite-05 AES Ciphersuites for TLS 14 August 2001
[signed]
Joan Daemen, Vincent Rijmen
Acknowledgements Acknowledgements
I would like to thank the ietf-tls mailing list contributors who I would like to thank the ietf-tls mailing list contributors who
have made helpful suggestions for this document. have made helpful suggestions for this document.
References References
[TLS] T. Dierks, C. Allen, "The TLS Protocol Version 1.0" RFC-2246. [TLS] T. Dierks, C. Allen, "The TLS Protocol Version 1.0" RFC-2246.
January, 1999. January, 1999.
[AES] J. Daemen, V. Rijmen, "The Rijndael Block Cipher" [AES] National Institute of Standards and Technology,
http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 3rd "Specification for the Advanced Encryption Standard (AES)" FIPS
September 1999. 197. November 26, 2001.
[SHA-1] FIPS PUB 180-1, "Secure Hash Standard," National Institute [SHA-1] FIPS PUB 180-1, "Secure Hash Standard," National Institute
of Standards and Technology, U.S. Department of Commerce, April 17, of Standards and Technology, U.S. Department of Commerce, April 17,
1995. 1995.
Author's Address Author's Address
Pete Chown Pete Chown
Skygate Technology Ltd Skygate Technology Ltd
8 Lombard Road 8 Lombard Road
 End of changes. 

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/