draft-ietf-tls-ciphersuite-06.txt   rfc3268.txt 
Network Working Group Pete Chown Network Working Group P. Chown
INTERNET DRAFT Skygate Technology Request for Comments: 3268 Skygate Technology
<draft-ietf-tls-ciphersuite-06.txt> 09 January 2002 Category: Standards Track June 2002
AES Ciphersuites for TLS Advanced Encryption Standard (AES) Ciphersuites for Transport Layer
Security (TLS)
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document specifies an Internet standards track protocol for the
all provisions of Section 10 of RFC2026. Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Internet-Drafts are working documents of the Internet Engineering Official Protocol Standards" (STD 1) for the standardization state
Task Force (IETF), its areas, and its working groups. Note that and status of this protocol. Distribution of this memo is unlimited.
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six Copyright Notice
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as ``work in
progress.''
The list of current Internet-Drafts can be accessed at Copyright (C) The Internet Society (2002). All Rights Reserved.
<http://www.ietf.org/ietf/1id-abstracts.txt>
The list of Internet-Draft Shadow Directories can be accessed at Abstract
<http://www.ietf.org/shadow.html>
Distribution of this document is unlimited. Please send comments to This document proposes several new ciphersuites. At present, the
the author (pc@skygate.co.uk) or to the Transport Layer Security symmetric ciphers supported by Transport Layer Security (TLS) are
Working Group's discussion list (ietf-tls@lists.certicom.com). RC2, RC4, International Data Encryption Algorithm (IDEA), Data
Encryption Standard (DES), and triple DES. The protocol would be
enhanced by the addition of Advanced Encryption Standard (AES)
ciphersuites.
Overview Overview
At present, the symmetric ciphers supported by TLS are RC2, RC4, At present, the symmetric ciphers supported by TLS are RC2, RC4,
IDEA, DES and triple DES. The protocol would be enhanced by the IDEA, DES, and triple DES. The protocol would be enhanced by the
addition of AES [AES] ciphersuites, for the following reasons: addition of AES [AES] ciphersuites, for the following reasons:
1. RC2, RC4 and IDEA are all subject to intellectual property
claims. RSA Security Inc has trademark rights in the names RC2
and RC4, and claims that the RC4 algorithm itself is a trade
secret. Ascom Systec Ltd owns a patent on the IDEA algorithm.
2. Triple DES is much less efficient than more modern ciphers.
3. Now the AES process is completed there will be commercial 1. RC2, RC4, and IDEA are all subject to intellectual property
pressure to use the selected cipher. The AES is efficient and claims. RSA Security Inc. has trademark rights in the names RC2
has withstood extensive cryptanalytic efforts. The AES is and RC4, and claims that the RC4 algorithm itself is a trade
secret. Ascom Systec Ltd. owns a patent on the IDEA algorithm.
ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002 2. Triple DES is much less efficient than more modern ciphers.
therefore a desirable choice. 3. Now that the AES process is completed there will be commercial
pressure to use the selected cipher. The AES is efficient and has
withstood extensive cryptanalytic efforts. The AES is therefore a
desirable choice.
4. Currently the DHE ciphersuites only allow triple DES (along 4. Currently the DHE ciphersuites only allow triple DES (along with
with some ``export'' variants which do not use a satisfactory some "export" variants which do not use a satisfactory key
key length). At the same time the DHE ciphersuites are the length). At the same time the DHE ciphersuites are the only ones
only ones to offer forward secrecy. to offer forward secrecy.
This document proposes several new ciphersuites, with the aim of This document proposes several new ciphersuites, with the aim of
overcoming these problems. overcoming these problems.
Cipher Usage Cipher Usage
The new ciphersuites proposed here are very similar to the The new ciphersuites proposed here are very similar to the following,
following, defined in [TLS]: defined in [TLS]:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
All the ciphersuites described here use the AES in cipher block
chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an
HMAC construction as described in section 5 of [TLS]. (Although
the TLS ciphersuite names include the text ``SHA'', this actually
refers to the modified SHA-1 version of the algorithm.)
The ciphersuites differ in the type of certificate and key exchange TLS_RSA_WITH_3DES_EDE_CBC_SHA
method. The ciphersuites defined here use the following options TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
for this part of the protocol: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002 All the ciphersuites described here use the AES in cipher block
chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an HMAC
construction as described in section 5 of [TLS]. (Although the TLS
ciphersuite names include the text "SHA", this actually refers to the
modified SHA-1 version of the algorithm.)
CipherSuite Certificate type (if applicable) The ciphersuites differ in the type of certificate and key exchange
and key exchange algorithm method. The ciphersuites defined here use the following options for
this part of the protocol:
TLS_RSA_WITH_AES_128_CBC_SHA RSA CipherSuite Certificate type (if applicable)
TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS and key exchange algorithm
TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon
TLS_RSA_WITH_AES_256_CBC_SHA RSA TLS_RSA_WITH_AES_128_CBC_SHA RSA
TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS
TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA TLS_RSA_WITH_AES_256_CBC_SHA RSA
and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS]. TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS
TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS].
The AES supports key lengths of 128, 192 and 256 bits. However, The AES supports key lengths of 128, 192 and 256 bits. However, this
this document only defines ciphersuites for 128- and 256-bit keys. document only defines ciphersuites for 128- and 256-bit keys. This
This is to avoid unnecessary proliferation of ciphersuites. is to avoid unnecessary proliferation of ciphersuites. Rijndael
Rijndael actually allows for 192- and 256-bit block sizes as well actually allows for 192- and 256-bit block sizes as well as the 128-
as the 128-bit blocks mandated by the AES process. The bit blocks mandated by the AES process. The ciphersuites defined
ciphersuites defined here all use 128-bit blocks. here all use 128-bit blocks.
The new ciphersuites will have the following definitions: The new ciphersuites will have the following definitions:
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };
CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 }; CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };
CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };
CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };
CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };
CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
Security Considerations Security Considerations
It is not believed that the new ciphersuites are ever less secure It is not believed that the new ciphersuites are ever less secure
than the corresponding older ones. The AES is believed to be than the corresponding older ones. The AES is believed to be secure,
and it has withstood extensive cryptanalytic attack.
ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002 The ephemeral Diffie-Hellman ciphersuites provide forward secrecy
without any known reduction in security in other areas. To obtain
the maximum benefit from these ciphersuites:
secure, and it has withstood extensive cryptanalytic attack. 1. The ephemeral keys should only be used once. With the TLS
protocol as currently defined there is no significant efficiency
gain from reusing ephemeral keys.
The ephemeral Diffie-Hellman ciphersuites provide forward secrecy 2. Ephemeral keys should be destroyed securely when they are no
without any known reduction in security in other areas. To obtain longer required.
the maximum benefit from these ciphersuites:
1. The ephemeral keys should only be used once. With the TLS 3. The random number generator used to create ephemeral keys must not
protocol as currently defined there is no significant reveal past output even when its internal state is compromised.
efficiency gain from reusing ephemeral keys.
2. Ephemeral keys should be destroyed securely when they are no [TLS] describes the anonymous Diffie-Hellman (ADH) ciphersuites as
longer required. deprecated. The ADH ciphersuites defined here are not deprecated.
However, when they are used, particular care must be taken:
3. The random number generator used to create ephemeral keys must 1. ADH provides confidentiality but not authentication. This means
not reveal past output even when its internal state is that (if authentication is required) the communicating parties
compromised. must authenticate to each other by some means other than TLS.
[TLS] describes the anonymous Diffie-Hellman (ADH) ciphersuites as 2. ADH is vulnerable to man-in-the-middle attacks, as a consequence
deprecated. The ADH ciphersuites defined here are not deprecated. of the lack of authentication. The parties must have a way of
However, when they are used, particular care must be taken: determining whether they are participating in the same TLS
connection. If they are not, they can deduce that they are under
attack, and presumably abort the connection.
1. ADH provides confidentiality but not authentication. This For example, if the parties share a secret, it is possible to
means that (if authentication is required) the communicating compute a MAC of the TLS Finished message. An attacker would have
parties must authenticate to each other by some means other to negotiate two different TLS connections; one with each
than TLS. communicating party. The Finished messages would be different in
each case, because they depend on the parties' public keys (among
other things). For this reason, the MACs computed by each party
would be different.
2. ADH is vulnerable to man-in-the-middle attacks, as a It is important to note that authentication techniques which do
consequence of the lack of authentication. The parties must not use the Finished message do not usually provide protection
have a way of determining whether they are participating in the from this attack. For example, the client could authenticate to
same TLS connection. If they are not, they can deduce that the server with a password, but it would still be vulnerable to
they are under attack, and presumably abort the connection. man-in-the-middle attacks.
For example, if the parties share a secret, it is possible to Recent research has identified a chosen plaintext attack which
compute a MAC of the TLS Finished message. An attacker would applies to all ciphersuites defined in [TLS] which use CBC mode.
have to negotiate two different TLS connections; one with each This weakness does not affect the common use of TLS on the World
communicating party. The Finished messages would be different Wide Web, but may affect the use of TLS in other applications.
in each case, because they depend on the parties' public keys When TLS is used in an application where this attack is possible,
(among other things). For this reason, the MACs computed by attackers can determine the truth or otherwise of a hypothesis
each party would be different. that particular plaintext data was sent earlier in the session.
No key material is compromised.
It is important to note that authentication techniques which do It is likely that the CBC construction will be changed in a future
not use the Finished message do not usually provide protection revision of the TLS protocol.
from this attack. For example, the client could authenticate
to the server with a password, but it would still be vulnerable
to man-in-the-middle attacks.
Copyright Intellectual Property
ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002
Copyright (C) The Internet Society 2001. All Rights Reserved. The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use other technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
This document and translations of it may be copied and furnished to The IETF invites any interested party to bring to its attention any
others, and derivative works that comment on or otherwise explain copyrights, patents or patent applications, or other proprietary
it or assist in its implementation may be prepared, copied, rights which may cover technology that may be required to practice
published and distributed, in whole or in part, without restriction this standard. Please address the information to the IETF Executive
of any kind, provided that the above copyright notice and this Director.
paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such
as by removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed for the
purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards process
must be followed, or as required to translate it into languages
other than English.
The limited permissions granted above are perpetual and will not be During the development of the AES, NIST published the following
revoked by the Internet Society or its successors or assignees. statement on intellectual property:
This document and the information contained herein is provided on SPECIAL NOTE - Intellectual Property
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property NIST reminds all interested parties that the adoption of AES is
being conducted as an open standards-setting activity.
Specifically, NIST has requested that all interested parties
identify to NIST any patents or inventions that may be required
for the use of AES. NIST hereby gives public notice that it may
seek redress under the antitrust laws of the United States against
any party in the future who might seek to exercise patent rights
against any user of AES that have not been disclosed to NIST in
response to this request for information.
The IETF takes no position regarding the validity or scope of any Acknowledgements
intellectual property or other rights that might be claimed to
pertain to the implementation or use other technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any I would like to thank the ietf-tls mailing list contributors who have
copyrights, patents or patent applications, or other proprietary made helpful suggestions for this document.
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
ietf-tls-ciphersuite-06 AES Ciphersuites for TLS 09 January 2002 References
During the development of the AES, NIST published the following [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
statement on intellectual property: 2246, January 1999.
SPECIAL NOTE - Intellectual Property [AES] National Institute of Standards and Technology,
"Specification for the Advanced Encryption Standard (AES)"
FIPS 197. November 26, 2001.
NIST reminds all interested parties that the adoption of [SHA-1] FIPS PUB 180-1, "Secure Hash Standard," National Institute
AES is being conducted as an open standards-setting of Standards and Technology, U.S. Department of Commerce,
activity. Specifically, NIST has requested that all April 17, 1995.
interested parties identify to NIST any patents or
inventions that may be required for the use of AES. NIST
hereby gives public notice that it may seek redress under
the antitrust laws of the United States against any party
in the future who might seek to exercise patent rights
against any user of AES that have not been disclosed to
NIST in response to this request for information.
Acknowledgements Author's Address
I would like to thank the ietf-tls mailing list contributors who Pete Chown
have made helpful suggestions for this document. Skygate Technology Ltd
8 Lombard Road
London
SW19 3TZ
United Kingdom
References Phone: +44 20 8542 7856
EMail: pc@skygate.co.uk
[TLS] T. Dierks, C. Allen, "The TLS Protocol Version 1.0" RFC-2246. Full Copyright Statement
January, 1999.
[AES] National Institute of Standards and Technology, Copyright (C) The Internet Society (2002). All Rights Reserved.
"Specification for the Advanced Encryption Standard (AES)" FIPS
197. November 26, 2001.
[SHA-1] FIPS PUB 180-1, "Secure Hash Standard," National Institute This document and translations of it may be copied and furnished to
of Standards and Technology, U.S. Department of Commerce, April 17, others, and derivative works that comment on or otherwise explain it
1995. or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
Author's Address The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
Pete Chown This document and the information contained herein is provided on an
Skygate Technology Ltd "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
8 Lombard Road TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
London BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
SW19 3TZ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
United Kingdom MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Phone: +44 20 8542 7856 Acknowledgement
Email: pc@skygate.co.uk
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 57 change blocks. 
213 lines changed or deleted 209 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/