[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Internet Research Task Force                                     Y. Yang
Internet-Draft                                              BaishanCloud
Intended status: Informational                                    R. Tse
Expires: October 24, 2018                                         Ribose
                                                           M-J. Saarinen
                                                  Independent Consultant
                                                                 W. Wong
                                            Hang Seng Management College
                                                          April 22, 2018


                   SM3 and SM4 Cipher Suites for TLS
                      draft-sca-curdle-tls-sm34-00

Abstract

   This document describes TLS cipher suites that utilize the SM3
   cryptographic hash algorithm (GB/T 32905-2016) and SM4 symmetric
   blockcipher algorithm (GB/T 32907-2016), both published by the State
   Cryptography Administration of China (SCA).

   This document is a product of the Crypto Forum Research Group (CFRG).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 24, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of



Yang, et al.            Expires October 24, 2018                [Page 1]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terms and Definitions . . . . . . . . . . . . . . . . . . . .   3
   3.  Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  HMAC-Based  . . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Galois Counter Mode-Based . . . . . . . . . . . . . . . .   3
     3.3.  Counter and CBC-MAC Mode-Based  . . . . . . . . . . . . .   4
     3.4.  OCB . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  TLS Versions  . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   The SM3 [I-D.sca-cfrg-sm3] [GBT.32905-2016] [ISO.IEC.10118-3] and SM4
   [I-D.ribose-cfrg-sm4] [GBT.32907-2016] [ISO.IEC.18033-3.AMD2]
   algorithms are published by the State Cryptography Administration
   (SCA) of China [SCA] for authorized use within China.  Both
   algorithms are published in public, and now commonly available in
   cryptographic libraries.

   SM3 is as a cryptographic hash algorithm that produces an output hash
   value of 256 bits long, based on 512-bit input message blocks, on
   input lengths up to 2^(m).

   SM4 is a symmetric encryption algorithm, a blockcipher to be exact,
   designed for data encryption that acts on 128-bit blocks.

   TLS versions at and beyond 1.2 [RFC5246] contain support for
   authenticated encryption with additional data (AEAD) cipher modes
   [RFC5116].

   This document describes the use of SM4 [I-D.ribose-cfrg-sm4] in
   conjunction with various key exchange mechanisms as a cipher suite
   for TLS, in two ways:

   o  by using SM4 with authentication encryption modes (CCM, GCM, OCB),
      in a manner similar to [RFC7251];



Yang, et al.            Expires October 24, 2018                [Page 2]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   o  by using SM4 together with SM3 [I-D.sca-cfrg-sm3] as MAC, in a
      manner similar to [RFC5288], [RFC5289] and [RFC7539].

   TODO: describe SM4 AE modes...

2.  Terms and Definitions

   The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*",
   "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT
   RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
   when, they appear in all capitals, as shown here.

3.  Cipher Suites

   Cipher suites defined in this document are based on the SM4-CCM
   Authenticated Encryption with Associated Data (AEAD) algorithms
   AEAD_SM4_128_CCM and AEAD_SM4_256_CCM described in
   [[I-D.ribose-cfrg-sm4ae]].

3.1.  HMAC-Based

   These cipher suites use SM4 in Cipher Block Chaining (CBC) mode with
   an HMAC-based MAC:

   CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
   CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
   CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};
   CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3     = {0xYY,0xYY};

   These cipher suites are the same as the corresponding cipher suites
   in [RFC5289] (with names here ending in "_SM3" inplace of "_SHA256"),
   except for the MAC and Pseudo Random Function (PRF) algorithms.

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.  The
   MAC is HMAC [RFC2104] with SM3 as the hash function.

3.2.  Galois Counter Mode-Based

   These cipher suites use the same asymmetric algorithms as those in
   the previous section, but use the authenticated encryption modes
   defined in TLS 1.3 [I-D.ietf-tls-tls13] with SM4 in Galois Counter
   Mode (GCM):








Yang, et al.            Expires October 24, 2018                [Page 3]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
   CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
   CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
   CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
   CipherSuite TLS_RSA_WITH_SM4_GCM_SM3          = {0xYY,0xYY};
   CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
   CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
   CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
   CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
   CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3      = {0xYY,0xYY};

   These cipher suites use the authenticated encryption with additional
   data algorithm AEAD_SM4_GCM described in [[I-D.ribose-cfrg-sm4ae]].

   Each of these AEAD algorithms uses a 128-bit authentication tag with
   GCM (in particular, as described in 3.5 [RFC4366] and 3 [RFC5288].

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

3.3.  Counter and CBC-MAC Mode-Based

   These cipher suites use the same asymmetric algorithms as those in
   the previous section, but use the authenticated encryption modes
   defined in TLS 1.3 with SM4 in Counter and CBC-MAC Mode (CCM):

   CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CCM   = {0xYY,0xYY};
   CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CCM    = {0xYY,0xYY};
   CipherSuite TLS_ECDHE_RSA_WITH_SM4_CCM     = {0xYY,0xYY};
   CipherSuite TLS_ECDH_RSA_WITH_SM4_CCM      = {0xYY,0xYY};
   CipherSuite TLS_RSA_WITH_SM4_CCM           = {0xYY,0xYY};
   CipherSuite TLS_DHE_RSA_WITH_SM4_CCM       = {0xYY,0xYY};
   CipherSuite TLS_DH_RSA_WITH_SM4_CCM        = {0xYY,0xYY};
   CipherSuite TLS_DHE_DSS_WITH_SM4_CCM       = {0xYY,0xYY};
   CipherSuite TLS_DH_DSS_WITH_SM4_CCM        = {0xYY,0xYY};
   CipherSuite TLS_DH_anon_WITH_SM4_CCM       = {0xYY,0xYY};

   These cipher suites use the authenticated encryption with additional
   data algorithm AEAD_SM4_CCM described in [[I-D.ribose-cfrg-sm4ae]].

   Each of these AEAD algorithms uses a 128-bit authentication tag with
   CCM (in particular, as described in 3.5 [RFC4366] and 3 [RFC5288].

   The "nonce" input to the AEAD algorithm is as defined in [RFC6655].

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.






Yang, et al.            Expires October 24, 2018                [Page 4]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


3.4.  OCB

   The following cipher suites are defined:

   CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_OCB = {0xYY,0xYY}
   ...

   The "nonce" input to the AEAD algorithm is as defined in [RFC6655].

   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

   Further requirements provided in 2 [RFC7251] apply.

4.  TLS Versions

   These cipher suites make use of the authenticated encryption with
   additional data defined in TLS 1.2 [RFC5288].

   o  They *MUST NOT* be negotiated in older versions of TLS.

   o  Clients *MUST NOT* offer these cipher suites if they do not offer
      TLS 1.2 or later.

   o  Servers that select an earlier version of TLS *MUST NOT* select
      one of these ciphersuites.  Earlier versions do not have support
      for AEAD; for instance, the TLSCiphertext structure does not have
      the "aead" option in TLS 1.1.  Because TLS has no way for the
      client to indicate that it supports TLS 1.2 but not earlier
      versions, a non-compliant server might potentially negotiate TLS
      1.1 or earlier and select one of the cipher suites in this
      document.

   o  Clients *MUST* check the TLS version and generate a fatal
      "illegal_parameter" alert if they detect an incorrect version.

5.  Security Considerations

   The security considerations in [RFC4346], [RFC4492],
   [I-D.ribose-cfrg-sm4], [I-D.sca-cfrg-sm3] apply.

   o  Products and services that utilize cryptography are regulated by
      the SCA [SCA]; they must be explicitly approved or certified by
      the SCA before being allowed to be sold or used in China.

   o  The cipher suites described in this document *SHOULD** only be
      used with TLS 1.3 or greater [I-D.ietf-tls-tls13].





Yang, et al.            Expires October 24, 2018                [Page 5]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   o  CCM security requires that the counter never be reused.  The
      nonce/IV requirement in Section 3.3 is designed to prevent counter
      reuse.

6.  IANA Considerations

   IANA has assigned the following values for these cipher suites:

   CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
   CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
   CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};
   CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3     = {0xYY,0xYY};
   CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM4  = {0xYY,0xYY};
   CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM4   = {0xYY,0xYY};
   CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM4    = {0xYY,0xYY};
   CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM4     = {0xYY,0xYY};
   CipherSuite TLS_RSA_WITH_SM4_GCM_SM3          = {0xYY,0xYY};
   CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
   CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
   CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
   CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
   CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3      = {0xYY,0xYY};


7.  References

7.1.  Normative References

   [GBT.32905-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32905-2016: Information security techniques
              -- SM3 cryptographic hash algorithm", August 2016,
              <http://www.gb688.cn/bzgk/gb/
              newGbInfo?hcno=45B1A67F20F3BF339211C391E9278F5E>.

   [GBT.32907-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32907-2016: Information security technology
              -- SM4 block cipher algorithm", August 2016,
              <http://www.gb688.cn/bzgk/gb/
              newGbInfo?hcno=7803DE42D3BC5E80B0C3E5D8E873D56A>.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018.





Yang, et al.            Expires October 24, 2018                [Page 6]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   [I-D.ribose-cfrg-sm4]
              Tse, R., Wong, W., and M. Saarinen, "The SM4 Blockcipher
              Algorithm And Its Modes Of Operations", draft-ribose-cfrg-
              sm4-10 (work in progress), April 2018.

   [I-D.ribose-cfrg-sm4ae]
              Tse, R., Wong, W., and M. Saarinen, "Authenticated
              Encryption For The SM4 Blockcipher Algorithm", draft-
              ribose-cfrg-sm4ae-00 (work in progress), April 2018.

   [I-D.sca-cfrg-sm3]
              Shen, S., Lee, X., Tse, R., Wong, W., and P. Yang, "The
              SM3 Cryptographic Hash Function", draft-sca-cfrg-sm3-02
              (work in progress), January 2018.

   [ISO.IEC.10118-3]
              International Organization for Standardization, "ISO/IEC
              FDIS 10118-3 -- Information technology -- Security
              techniques -- Hash-functions -- Part 3: Dedicated hash-
              functions", September 2017,
              <https://www.iso.org/standard/67116.html>.

   [ISO.IEC.18033-3.AMD2]
              International Organization for Standardization, "ISO/IEC
              WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block
              ciphers -- Amendment 2", June 2017,
              <https://www.iso.org/standard/54531.html>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

7.2.  Informative References

   [BOTAN]    Lloyd, J., "Botan: Crypto and TLS for C++11", October
              2017, <https://botan.randombit.net>.










Yang, et al.            Expires October 24, 2018                [Page 7]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   [GB.15629.11-2003]
              Standardization Administration of the People's Republic of
              China, "Information technology -- Telecommunications and
              information exchange between systems -- Local and
              metropolitan area networks -- Specific requirements --
              Part 11: Wireless LAN Medium Access Control (MAC) and
              Physical Layer (PHY) Specifications", May 2003,
              <http://www.gb688.cn/bzgk/gb/
              newGbInfo?hcno=74B9DD11287E72408C19C4D3A360D1BD>.

   [GBT.33560-2017]
              Standardization Administration of the People's Republic of
              China, "GB/T 33560-2017: Information security technology
              -- Cryptographic application identifier criterion
              specification", May 2017, <http://www.gb688.cn/bzgk/gb/
              newGbInfo?hcno=252CF0F72A7BE339A56DEA7D774E8994>.

   [GMT-0002-2012]
              Office of State Commercial Administration of China, "GM/T
              0002-2012: SM4 block cipher algorithm", March 2012,
              <http://www.oscca.gov.cn/Column/Column_32.htm>.

   [GMT-0004-2012]
              Organization of State Commercial Administration of China,
              "GM/T 0004-2012: SM3 Cryptographic Hash Algorithm", March
              2012, <http://www.oscca.gov.cn/Column/Column_32.htm>.

   [GMT-0006-2012]
              Office of State Commercial Administration of China, "GM/T
              0006-2012: Cryptographic Application Identifier Criterion
              Specification", March 2012,
              <http://www.oscca.gov.cn/Column/Column_32.htm>.

   [ISO.IEC.18033-3]
              International Organization for Standardization, "ISO/IEC
              18033-3:2010 -- Encryption algorithms -- Part 3: Block
              ciphers", December 2017,
              <https://www.iso.org/standard/54531.html>.

   [NIST.SP.800-38A]
              Dworkin, M., "NIST Special Publication 800-38A:
              Recommendation for Block Cipher Modes of Operation --
              Methods and Techniques", December 2001,
              <http://dx.doi.org/10.6028/NIST.SP.800-38A>.

   [OPENSSL]  OpenSSL Software Foundation, "OpenSSL: Cryptography and
              SSL/TLS Toolkit", October 2017, <https://www.openssl.org>.




Yang, et al.            Expires October 24, 2018                [Page 8]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346,
              DOI 10.17487/RFC4346, April 2006,
              <https://www.rfc-editor.org/info/rfc4346>.

   [RFC4366]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006,
              <https://www.rfc-editor.org/info/rfc4366>.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492,
              DOI 10.17487/RFC4492, May 2006,
              <https://www.rfc-editor.org/info/rfc4492>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
              <https://www.rfc-editor.org/info/rfc5116>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              DOI 10.17487/RFC5288, August 2008,
              <https://www.rfc-editor.org/info/rfc5288>.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
              256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              DOI 10.17487/RFC5289, August 2008,
              <https://www.rfc-editor.org/info/rfc5289>.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655,
              DOI 10.17487/RFC6655, July 2012,
              <https://www.rfc-editor.org/info/rfc6655>.







Yang, et al.            Expires October 24, 2018                [Page 9]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   [RFC7251]  McGrew, D., Bailey, D., Campagna, M., and R. Dugal, "AES-
              CCM Elliptic Curve Cryptography (ECC) Cipher Suites for
              TLS", RFC 7251, DOI 10.17487/RFC7251, June 2014,
              <https://www.rfc-editor.org/info/rfc7251>.

   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
              <https://www.rfc-editor.org/info/rfc7539>.

   [SCA]      State Cryptography Administration of China, "State
              Cryptography Administration of China", Dec 2017,
              <http://www.sca.gov.cn>.

Appendix A.  Acknowledgements

   This document borrows heavily from [RFC5288], [RFC5289], [RFC7251].

Authors' Addresses

   Paul Y. Yang
   BaishanCloud
   Building 16-3, Baitasan Street
   Shenyang, Liaoning  110000
   People's Republic of China

   Email: yang.yang@baishancloud.com
   URI:   https://www.baishancloud.com


   Ronald Henry Tse
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   People's Republic of China

   Email: ronald.tse@ribose.com
   URI:   https://www.ribose.com


   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi
   URI:   https://mjos.fi/







Yang, et al.            Expires October 24, 2018               [Page 10]


Internet-Draft          SM3/SM4 TLS Cipher Suites             April 2018


   Wai Kit Wong
   Hang Seng Management College
   Hang Shin Link, Siu Lek Yuen
   Shatin, Hong Kong
   People's Republic of China

   Email: wongwk@hsmc.edu.hk
   URI:   https://www.hsmc.edu.hk











































Yang, et al.            Expires October 24, 2018               [Page 11]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/