draft-ietf-curdle-cms-chacha20-poly1305-00.txt   draft-ietf-curdle-cms-chacha20-poly1305-01.txt 
Internet-Draft R. Housley Internet-Draft R. Housley
Intended status: Standards Track Vigil Security Intended status: Standards Track Vigil Security
Expires: 4 November 2016 4 May 2016 Expires: 7 March 2017 7 September 2016
Using ChaCha20-Poly1305 Authenticated Encryption Using ChaCha20-Poly1305 Authenticated Encryption
in the Cryptographic Message Syntax (CMS) in the Cryptographic Message Syntax (CMS)
<draft-ietf-curdle-cms-chacha20-poly1305-00.txt> <draft-ietf-curdle-cms-chacha20-poly1305-01.txt>
Abstract Abstract
This document describes the conventions for using ChaCha20-Poly1305 This document describes the conventions for using ChaCha20-Poly1305
Authenticated Encryption in the Cryptographic Message Syntax (CMS). Authenticated Encryption in the Cryptographic Message Syntax (CMS).
ChaCha20-Poly1305 is a construction of the ChaCha stream cipher and ChaCha20-Poly1305 is a construction of the ChaCha stream cipher and
Poly1305 authenticator. Poly1305 authenticator.
Status of This Memo Status of This Memo
skipping to change at page 2, line 22 skipping to change at page 2, line 22
ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in
2008. It is a refinement of Salsa20, which is one of the ciphers in 2008. It is a refinement of Salsa20, which is one of the ciphers in
the eSTREAM portfolio [ESTREAM]. the eSTREAM portfolio [ESTREAM].
ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key
and a 96-bit nonce. ChaCha20 is described in [FORIETF]. and a 96-bit nonce. ChaCha20 is described in [FORIETF].
Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator
designed by D. J. Bernstein. Poly1305 produces a 16-byte designed by D. J. Bernstein. Poly1305 produces a 16-byte
authentication tag; it requires a a 256-bit, single-use key. authentication tag; it requires a 256-bit, single-use key. Poly1305
Poly1305 is also described in [FORIETF]. is also described in [FORIETF].
ChaCha20 and Poly1305 have been designed for high performance in ChaCha20 and Poly1305 have been designed for high performance
software implementations. They can typically be implemented with few software implementations. They can typically be implemented with few
resources and inexpensive operations, making them suitable on a wide resources and inexpensive operations, making them suitable on a wide
range of systems. They have also been designed to minimize leakage range of systems. They have also been designed to minimize leakage
of information through side channels. of information through side channels.
1.1. The ChaCha20 and Poly1305 AEAD Construction 1.1. The ChaCha20 and Poly1305 AEAD Construction
ChaCha20 and Poly1305 have been combined to create an Authenticated ChaCha20 and Poly1305 have been combined to create an Authenticated
Encryption with Associated Data (AEAD) algorithm [AEAD]. This AEAD Encryption with Associated Data (AEAD) algorithm [AEAD]. This AEAD
algorithm is often referred to as AEAD_CHACHA20_POLY1305, and it is algorithm is often referred to as AEAD_CHACHA20_POLY1305, and it is
described in [FORIETF]. described in [FORIETF].
AEAD_CHACHA20_POLY1305 accepts four inputs: a 256-bit key, a 96-bit AEAD_CHACHA20_POLY1305 accepts four inputs: a 256-bit key, a 96-bit
nonce, an arbitrary length plaintext, and an arbitrary length nonce, an arbitrary length plaintext, and an arbitrary length
additional authenticated data (AAD). A nonce value cannot be used additional authenticated data (AAD). As the name implies, a nonce
securely more than once with the same key. value cannot be used securely more than once with the same key.
A high-level summary of AEAD_CHACHA20_POLY1305 authenticated A high-level summary of AEAD_CHACHA20_POLY1305 authenticated
encryption processing is: encryption processing is:
1) A Poly1305 one-time key is generated from the 256-bit key and 1) A Poly1305 one-time key is generated from the 256-bit key and
and nonce using the procedure described in Section 2.6 of and nonce using the procedure described in Section 2.6 of
[FORIETF]. [FORIETF].
2) The ChaCha20 encryption function is used to encrypt the 2) The ChaCha20 encryption function is used to encrypt the
plaintext, using the same key and nonce, and with the initial plaintext, using the same key and nonce, and with the initial
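Review bot: Step 1 of the processing summary still reads "from the 256-bit key and and nonce" across the line break in -01; the duplicated "and" should be dropped, as was done for the "a a 256-bit" typo fixed in the Poly1305 paragraph of this same revision. Separately, the performance paragraph in -01 loses the word "in" and now reads "designed for high performance software implementations". Either restore "in" or hyphenate "high-performance" so the sentence is unambiguous about whether performance or the implementations are being described.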
skipping to change at page 3, line 42 skipping to change at page 3, line 42
document are to be interpreted as described in RFC 2119 [STDWORDS]. document are to be interpreted as described in RFC 2119 [STDWORDS].
1.3. ASN.1 1.3. ASN.1
CMS values are generated using ASN.1 [X680], which uses the Basic CMS values are generated using ASN.1 [X680], which uses the Basic
Encoding Rules (BER) and the Distinguished Encoding Rules (DER) Encoding Rules (BER) and the Distinguished Encoding Rules (DER)
[X690]. [X690].
2. Automated Key Management 2. Automated Key Management
The reuse of an ChaCha20 and Poly1305 AEAD nonce/key combination The reuse of an AEAD_CHACHA20_POLY1305 nonce value with the same key
destroys the security guarantees. As a result, it can be extremely destroys the security guarantees. As a result, it can be extremely
difficult to use the ChaCha20 and Poly1305 AEAD securely when using difficult to use AEAD_CHACHA20_POLY1305 securely when using
statically configured keys. For safety's sake, implementations MUST statically configured keys. For safety's sake, implementations MUST
use an automated key management system [KEYMGMT]. use an automated key management system [KEYMGMT].
The CMS authenticated-enveloped-data content type supports four The CMS authenticated-enveloped-data content type supports four
general key management techniques: general key management techniques:
Key Transport: the content-authenticated-encryption key is Key Transport: the content-authenticated-encryption key is
encrypted in the recipient's public key; encrypted in the recipient's public key;
Key Agreement: the recipient's public key and the sender's Key Agreement: the recipient's public key and the sender's
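Review bot: The first paragraph of Section 2 names reuse of a nonce value with the same key as the failure, but the only requirement it then states is the MUST on automated key management, which speaks to the key and not to how the nonce is chosen. Consider adding a sentence that states the nonce requirement under a given content-authenticated-encryption key, or a pointer to the section that carries it, so the MUST and the stated risk line up. The rewording to "an AEAD_CHACHA20_POLY1305 nonce value with the same key" is otherwise consistent with the wording used in Section 1.1.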
skipping to change at page 7, line 10 skipping to change at page 7, line 10
5652, September 2009. 5652, September 2009.
[FORIETF] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [FORIETF] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, May 2015. Protocols", RFC 7539, May 2015.
[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[X680] ITU-T, "Information technology -- Abstract Syntax Notation [X680] ITU-T, "Information technology -- Abstract Syntax Notation
One (ASN.1): Specification of basic notation", ITU-T One (ASN.1): Specification of basic notation", ITU-T
Recommendation X.680, 2002. Recommendation X.680, 2015.
[X690] ITU-T, "Information technology -- ASN.1 encoding rules: [X690] ITU-T, "Information technology -- ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ITU-T Recommendation X.690, 2002. (DER)", ITU-T Recommendation X.690, 2015.
8. Informative References 8. Informative References
[AEAD] McGrew, D., "An Interface and Algorithms for Authenticated [AEAD] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008. Encryption", RFC 5116, January 2008.
[CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January
2008, 2008,
<http://cr.yp.to/chacha/chacha-20080128.pdf>. <http://cr.yp.to/chacha/chacha-20080128.pdf>.
 End of changes. 9 change blocks. 
11 lines changed or deleted 11 lines changed or added
