[Docs] [txt|pdf] [Tracker] [Email] [Nits] [IPR]

Versions: 00 01 02 03 RFC 6367

Network Working Group                                           S. Kanno
Internet-Draft                                  NTT Software Corporation
Intended status: Informational                                  M. Kanda
Expires: August 8, 2011                                              NTT
                                                        February 4, 2011


Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
                      draft-kanno-tls-camellia-00

Abstract

   This document specifies forty-two cipher suites for the Transport
   Security Layer (TLS) protocol to additional support the Camellia
   encryption algorithm as a block cipher.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 8, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Kanno & Kanda            Expires August 8, 2011                 [Page 1]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Proposed Cipher Suites . . . . . . . . . . . . . . . . . . . .  4
     2.1.  HMAC based Cipher Suites . . . . . . . . . . . . . . . . .  4
     2.2.  Galois Counter Mode(GCM) based Cipher Suites . . . . . . .  4
     2.3.  Pre-Shared Key (PSK) based Cipher Suites . . . . . . . . .  5
   3.  Cipher Suite Definitions . . . . . . . . . . . . . . . . . . .  6
     3.1.  Key Exchange . . . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Cipher . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.3.  PRFs . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.4.  PSK cipher suites  . . . . . . . . . . . . . . . . . . . .  6
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     6.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
     6.2.  Informative References . . . . . . . . . . . . . . . . . .  9
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
































Kanno & Kanda            Expires August 8, 2011                 [Page 2]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


1.  Introduction

   This document proposes the addition of new cipher suites to the
   Transport Layer Security (TLS) [6] protocol to support the Camellia
   [2] encryption algorithm as a block cipher algorithm.  The proposed
   cipher suites include variants using SHA-2 family of cryptographic
   hash functions and Galois counter mode (GCM) [11].  Elliptic curve
   cipher suites and pre-shared key (PSK) cipher suites are also
   included.

   The Camellia algorithm and its properties are described in [2].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [1].


































Kanno & Kanda            Expires August 8, 2011                 [Page 3]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


2.  Proposed Cipher Suites

2.1.  HMAC based Cipher Suites

   The eight cipher suites use Camellia [2] in Cipher Block Chaining
   (CBC) [2] mode with a SHA-2 family HMAC using elliptic curves
   encryption:

   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    = {TBD,TBD};

2.2.  Galois Counter Mode(GCM) based Cipher Suites

   The twenty cipher suites use the same asymmetric key algorithms as
   those in the previous section but use the authenticated encryption
   modes defined in TLS 1.2 [6] with the Camellia in GCM [11].

  CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256          = {TBD,TBD};
  CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384          = {TBD,TBD};
  CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256       = {TBD,TBD};
  CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384       = {TBD,TBD};
  CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256       = {TBD,TBD};
  CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384       = {TBD,TBD};
  CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  = {TBD,TBD};
  CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  = {TBD,TBD};
  CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256   = {TBD,TBD};
  CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384   = {TBD,TBD};
  CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256    = {TBD,TBD};
  CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384    = {TBD,TBD};
  CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256     = {TBD,TBD};
  CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384     = {TBD,TBD};








Kanno & Kanda            Expires August 8, 2011                 [Page 4]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


2.3.  Pre-Shared Key (PSK) based Cipher Suites

   The fourteen cipher suites describe pre-shared key cipher suites.
   The first six cipher suites use Camellia with GCM and the next eight
   cipher suites use the Camellia with SHA-2 family HMAC using
   asymmetric key encryption or elliptic curves encryption.

    CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256        = {TBD,TBD};
    CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384        = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256    = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384    = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256    = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384    = {TBD,TBD};
    CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256        = {TBD,TBD};
    CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384        = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256    = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384    = {TBD,TBD};
    CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256  = {TBD,TBD};
    CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384  = {TBD,TBD};






























Kanno & Kanda            Expires August 8, 2011                 [Page 5]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


3.  Cipher Suite Definitions

3.1.  Key Exchange

   The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, ECDH, DH_anon, and ECDHE
   key exchanges are performed as defined in RFC5246 [6].

3.2.  Cipher

   The CAMELLIA_128_CBC cipher suites use Camellia [2] in CBC mode with
   a 128-bit key and 128-bit IV; the CAMELLIA_256_CBC cipher suites use
   a 256-bit key and 128-bit IV.

   AES authenticated encryption with additional data algorithms,
   AEAD_AES_128_GCM and AEAD_AES_256_GCM are described in RFC5116 [5].
   And AES GCM cipher suites for TLS are described in RFC5288 [7].  AES
   and Camellia share common characteristics including key sizes and
   block length.  CAMELLIA_128_GCM and CAMELLIA_256_GCM are defined
   according as those of AES.

3.3.  PRFs

   The hash algorithms and PRF algorithms for TLS 1.2 SHALL be as
   follows:

   a) The cipher suites ending with _SHA256 use HMAC-SHA-256 as the MAC
   algorithm, The PRF is the TLS PRF [6] with SHA-256 as the hash
   function,
   b) The cipher suites ending with _SHA384 use HMAC-SHA-384 as the MAC
   algorithm, The PRF is the TLS PRF [6] with SHA-384 as the hash
   function.

   When used with TLS versions prior to 1.2, the PRF is calculated as
   specified in the appropriate version of the TLS specification.

3.4.  PSK cipher suites

   Pre-shared key cipher suites for TLS are described in RFC4279 [3],
   RFC4785 [4], RFC5487 [9], and RFC5489 [10].












Kanno & Kanda            Expires August 8, 2011                 [Page 6]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


4.  Security Considerations

   At the time of writing this document there are no known weak keys for
   Camellia.  And no security problem has been found on Camellia (see
   NESSIE [12], CRYPTREC [13], and LNCS 5867[14]).

   The security considerations in previous RFCs (RFC4279 [3], RFC4785
   [4], RFC5116 [5], RFC5288 [7], RFC5289 [8], RFC5487 [9]), and GCM
   [11] apply to this document as well.










































Kanno & Kanda            Expires August 8, 2011                 [Page 7]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


5.  IANA Considerations

   IANA is requested to allocate (has allocated) the following numbers
   in the TLS Cipher Suite Registry:

  CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  = {TBD,TBD};
  CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  = {TBD,TBD};
  CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256   = {TBD,TBD};
  CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384   = {TBD,TBD};
  CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256    = {TBD,TBD};
  CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384    = {TBD,TBD};
  CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256     = {TBD,TBD};
  CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384     = {TBD,TBD};
  CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256          = {TBD,TBD};
  CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384          = {TBD,TBD};
  CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256       = {TBD,TBD};
  CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384       = {TBD,TBD};
  CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256       = {TBD,TBD};
  CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384       = {TBD,TBD};
  CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  = {TBD,TBD};
  CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  = {TBD,TBD};
  CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256   = {TBD,TBD};
  CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384   = {TBD,TBD};
  CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256    = {TBD,TBD};
  CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384    = {TBD,TBD};
  CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256     = {TBD,TBD};
  CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384     = {TBD,TBD};
  CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256          = {TBD,TBD};
  CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384          = {TBD,TBD};
  CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256      = {TBD,TBD};
  CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384      = {TBD,TBD};
  CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256          = {TBD,TBD};
  CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384          = {TBD,TBD};
  CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256      = {TBD,TBD};
  CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384      = {TBD,TBD};
  CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256      = {TBD,TBD};
  CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384      = {TBD,TBD};
  CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    = {TBD,TBD};
  CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    = {TBD,TBD};




Kanno & Kanda            Expires August 8, 2011                 [Page 8]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


6.  References

6.1.  Normative References

   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [2]   Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
         Camellia Encryption Algorithm", RFC 3713, April 2004.

   [3]   Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites for
         Transport Layer Security (TLS)", RFC 4279, December 2005.

   [4]   Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK) Ciphersuites
         with NULL Encryption for Transport Layer Security (TLS)",
         RFC 4785, January 2007.

   [5]   McGrew, D., "An Interface and Algorithms for Authenticated
         Encryption", RFC 5116, January 2008.

   [6]   Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
         Protocol Version 1.2", RFC 5246, August 2008.

   [7]   Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter
         Mode (GCM) Cipher Suites for TLS", RFC 5288, August 2008.

   [8]   Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/
         384 and AES Galois Counter Mode (GCM)", RFC 5289, August 2008.

   [9]   Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-256/
         384 and AES Galois Counter Mode", RFC 5487, March 2009.

   [10]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for Transport
         Layer Security (TLS)", RFC 5489, March 2009.

   [11]  Dworkin, M., "Recommendation for Block Cipher Modes of
         Operation: Galois/Counter Mode (GCM) for Confidentiality and
         Authentication", April 2006, <http://csrc.nist.gov/
         publications/drafts/Draft-NIST_SP800-38D_Public_Comment.pdf>.

6.2.  Informative References

   [12]  "The NESSIE project (New European Schemes for Signatures,
         Integrity and Encryption)",
         <http://www.cosic.esat.kuleuven.ac.be/nessie/>.

   [13]  Information-technology Promotion Agency (IPA), "Cryptography
         Research and Evaluation Committees",



Kanno & Kanda            Expires August 8, 2011                 [Page 9]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


         <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.

   [14]  Mala, H., Shakiba, M., and M. Dakhil-alian, "New Results on
         Impossible Differential Cryptanalysis of Reduced Round
         Camellia-128", November 2009,
         <http://www.springerlink.com/content/e55783u422436g77/>.













































Kanno & Kanda            Expires August 8, 2011                [Page 10]

Internet-Draft     Addition of Camellia cipher for TLS     February 2011


Authors' Addresses

   Satoru Kanno
   NTT Software Corporation

   Phone: +81-45-212-9803
   Fax:   +81-45-212-9800
   Email: kanno.satoru@po.ntts.co.jp


   Masayuki Kanda
   NTT

   Phone: +81-422-59-3456
   Fax:   +81-422-59-4015
   Email: kanda.masayuki@lab.ntt.co.jp



































Kanno & Kanda            Expires August 8, 2011                [Page 11]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/