--- draft-ietf-curdle-cms-chacha20-poly1305-01.txt
+++ draft-ietf-curdle-cms-chacha20-poly1305-02.txt

Internet-Draft                                               R. Housley
Intended status: Standards Track                         Vigil Security
-Expires: 7 March 2017                                  7 September 2016
+Expires: 22 March 2017                                22 September 2016

             Using ChaCha20-Poly1305 Authenticated Encryption
                 in the Cryptographic Message Syntax (CMS)
-           <draft-ietf-curdle-cms-chacha20-poly1305-01.txt>
+           <draft-ietf-curdle-cms-chacha20-poly1305-02.txt>

Abstract

   This document describes the conventions for using ChaCha20-Poly1305
   Authenticated Encryption in the Cryptographic Message Syntax (CMS).
-  ChaCha20-Poly1305 is a construction of the ChaCha stream cipher and
-  Poly1305 authenticator.
+  ChaCha20-Poly1305 is an authenticated encryption algorithm
+  constructed of the ChaCha stream cipher and Poly1305 authenticator.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on 4 November 2016.
+  This Internet-Draft will expire on 22 March 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
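Review bot: the reworded Abstract sentence still says "the ChaCha stream cipher" while the body uses the identifier AEAD_CHACHA20_POLY1305 and the [FORIETF] reference is RFC 7539, "ChaCha20 and Poly1305 for IETF Protocols", which name the 20-round variant specifically; suggest "constructed of the ChaCha20 stream cipher and the Poly1305 authenticator" so the Abstract matches the rest of the document. The -02 expiry date in the boilerplate (22 March 2017) is now consistent with the header, which the -01 text (4 November 2016 against a 7 March 2017 header) was not.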
skipping to change at page 5, line 35

      AEADChaCha20Poly1305Nonce ::= OCTET STRING (SIZE(12))

   The AEADChaCha20Poly1305Nonce contains a 12-octet nonce. With the
   CMS, the content-authenticated-encryption key is normally used for a
   single content. Within the scope of any content-authenticated-
   encryption key, the nonce value MUST be unique. That is, the set of
   nonce values used with any given key MUST NOT contain any duplicate
   values.

-4. IANA Considerations
+4. S/MIME Capabilities
+
+   {{{ This can be written once the Object Identifier is assigned. }}}
+
+5. IANA Considerations

   IANA is requested to add the following entry in the SMI Security for
   S/MIME Algorithms (1.2.840.113549.1.9.16.3) registry:

      TBD1  id-alg-AEADChaCha20Poly1305  [This Document]

   IANA is requested to add the following entry in the SMI Security for
   S/MIME Module Identifier (1.2.840.113549.1.9.16.0) registry:

      TBD2  id-mod-CMS-AEADChaCha20Poly1305  [This Document]
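Review bot: the new Section 4, "S/MIME Capabilities", contains only the editor's placeholder "{{{ This can be written once the Object Identifier is assigned. }}}", yet inserting it already renumbers every later section (IANA Considerations becomes 5, Security Considerations 6, and so on down to the references), so external cross-references will shift again if the section is dropped or moved. Since the IANA section already refers to the algorithm identifier symbolically as TBD1 id-alg-AEADChaCha20Poly1305, the capability text can be written now in terms of id-alg-AEADChaCha20Poly1305 and the "{{{ }}}" marker removed before the next revision rather than waiting on the OID assignment.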
-5. Security Considerations
+6. Security Considerations

   The CMS AuthEnvelopedData provides all of the tools needed to avoid
   reuse of the same nonce value under the same key. Automated key
   management is discussed in Section 2.

   When using AEAD_CHACHA20_POLY1305, the resulting ciphertext is always
   the same size as the original plaintext. Some other mechanism needs
   to be used in conjunction with AEAD_CHACHA20_POLY1305 if disclosure
   of the size of the plaintext is a concern.

   The amount of encrypted data possible in a single invocation of
   AEAD_CHACHA20_POLY1305 is 2^32-1 blocks of 64 octets each, because of
   the size of the block counter field in the ChaCha20 block function.
-  This gives a total of 247,877,906,880 octets, which likely ot be
+  This gives a total of 247,877,906,880 octets, which likely to be
   sufficient to handle the size of any CMS content type. Note that
   ciphertext length field in the authentication buffer will accomodate
   2^64 octets, which is much larger than necessary.

   The AEAD_CHACHA20_POLY1305 construction is a novel composition of
   ChaCha20 and Poly1305. A security analysis of this composition is
   given in [PROCTER].

   Implementations must randomly generate content-authenticated-
   encryption keys. The use of inadequate pseudo-random number
   generators (PRNGs) to generate cryptographic keys can result in
   little or no security. An attacker may find it much easier to
   reproduce the PRNG environment that produced the keys, searching the
   resulting small set of possibilities, rather than brute force
   searching the whole key space. The generation of quality random
   numbers is difficult. RFC 4086 [RANDOM] offers important guidance in
   this area.
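Review bot: the arithmetic in the third paragraph of the Security Considerations is wrong in both versions: 2^32-1 blocks of 64 octets is (4,294,967,296 - 1) * 64 = 274,877,906,880 octets, not 247,877,906,880 (the leading digits are transposed). The same sentence is still ungrammatical after the "ot" -> "to" fix ("which likely to be sufficient"; it should read "which is likely to be sufficient"), and the sentence after it needs "Note that the ciphertext length field" and "accommodate" with two m's. In the last paragraph, "Implementations must randomly generate" uses a lowercase "must" while the nonce-uniqueness text earlier in the document uses MUST and MUST NOT; if key generation is a normative requirement, capitalize it.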
-6. Acknowledgements
+7. Acknowledgements

   Thanks to Jim Schaad for his review and insightful comments.

-7. Normative References
+8. Normative References

   [AUTHENV]  Housley, R., "Cryptographic Message Syntax (CMS)
              Authenticated-Enveloped-Data Content Type", RFC 5083,
              November 2007.

   [CMS]      Housley, R., "Cryptographic Message Syntax (CMS)", RFC
              5652, September 2009.

   [FORIETF]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 7539, May 2015.

skipping to change at page 7, line 17

   [X680]     ITU-T, "Information technology -- Abstract Syntax Notation
              One (ASN.1): Specification of basic notation", ITU-T
              Recommendation X.680, 2015.

   [X690]     ITU-T, "Information technology -- ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ITU-T Recommendation X.690, 2015.

-8. Informative References
+9. Informative References

   [AEAD]     McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [CHACHA]   Bernstein, D., "ChaCha, a variant of Salsa20", January
              2008,
              <http://cr.yp.to/chacha/chacha-20080128.pdf>.

   [ESTREAM]  Babbage, S., DeCanniere, C., Cantenaut, A., Cid, C.,
              Gilbert, H., Johansson, T., Parker, M., Preneel, B.,
End of changes. 10 change blocks.
11 lines changed or deleted    15 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/