draft-ietf-tls-camellia-00.txt   draft-ietf-tls-camellia-01.txt 
INTERNET-DRAFT S. Moriai INTERNET-DRAFT S. Moriai
TLS Working Group Nippon Telegraph and Telephone Corporation TLS Working Group Nippon Telegraph and Telephone Corporation
Expires April 2001 October 2000 Expires November 2001 May 2001
Addition of the Camellia Encryption Algorithm to TLS Addition of the Camellia Encryption Algorithm to TLS
<draft-ietf-tls-camellia-00.txt> <draft-ietf-tls-camellia-01.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is NOT offered in accordance This document is an Internet-Draft and is in full conformance with
with Section 10 of RFC2026, and the author does not provide the IETF all provisions of Section 10 of RFC2026.
with any rights other than to publish as an Internet-Draft.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
skipping to change at page 1, line 36 skipping to change at page 1, line 36
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Abstract Abstract
This document proposes the addition of new cipher suites to the TLS This document proposes the addition of new cipher suites to the TLS
protocol 1.0 to support the Camellia encryption algorithm as a bulk protocol 1.0 to support the Camellia encryption algorithm as a bulk
cipher algorithm. cipher algorithm. Please send comments on this document to the TLS
mailing list.
1. Introduction 1. Introduction
The demands placed on cryptographic primitives are changing: the This document proposes the addition of new cipher suites to the TLS
required level of security is increasing to match the progress made protocol 1.0 [4] to support the Camellia encryption algorithm as a
in computational power and cryptanalytic techniques, and more bulk cipher algorithm. This proposal provides a new option for bulk
efficiency on a wide variety of platforms is required as they are cipher algorithms.
being implemented in a wide variety of applications. However, the
TLS Protocol Version 1.0 [4] currently does not support cipher
suites including 128-bit block ciphers that offer a high level of
security and performance.
Camellia is a block cipher with 128-bit block size and 128-, 192-, Camellia is a block cipher with 128-bit block size and 128-, 192-,
and 256-bit key sizes, i.e. the same interface specifications as the and 256-bit key sizes, i.e. the same interface specifications as the
Advanced Encryption Standard (AES). The algorithm description is in Advanced Encryption Standard (AES). The algorithm description is in
[1] or [3]. Efficiency on both software and hardware platforms is a [1][3]. Efficiency on both software and hardware platforms is a
remarkable characteristic of Camellia in addition to its high level remarkable characteristic of Camellia in addition to its high level
of security. It is confirmed that Camellia provides strong security of security. It is confirmed that Camellia provides strong security
against differential and linear cryptanalysis. An optimized against differential and linear cryptanalysis. An optimized
implementation of Camellia in assembly language can encrypt on a implementation of Camellia in assembly language can encrypt on a
Pentium III (800MHz) at the rate of more than 276 Mbits per second, Pentium III (1.13GHz) at the rate of 471 Mbits per second. In
which is much faster than the speed of an optimized DES addition, a distinguishing feature is its small hardware design.
implementation. In addition, a distinguishing feature is its small The hardware design, which includes the parts for key schedule,
hardware design. The hardware design, which includes the parts for encryption and decryption, occupies only 9.66K gates using a 0.35um
key scheduling, encryption and decryption, occupies approximately CMOS ASIC library, which is in the smallest class among all existing
11K gates, which is the smallest among all existing 128-bit block 128-bit block ciphers as far as we know [2].
ciphers as far as we know [2].
This document proposes the addition of new cipher suites to the TLS
protocol 1.0 [4] to support Camellia as a bulk cipher algorithm.
The proposed change is minimal, just the addition of a new option
for bulk cipher algorithms.
2. The CipherSuites
We propose the following new cipher suites. 2. Cipher Suites
CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x2F }; We propose the new cipher suites below following the AES
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x30 }; ciphersuites.
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x31 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x32 };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x33 };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x34 };
CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x35 }; CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x36 }; CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x37 }; CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x38 }; CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x39 }; CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x3A }; CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x46 };
CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3B }; CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x47 };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3C }; CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x48 };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3D }; CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x49 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3E }; CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4A };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3F }; CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4B };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x40 }; CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4C };
Note: The above numeric definitions for CipherSuites have not yet Note: The above numeric definitions for CipherSuites have not yet
been registered. The numeric definitions follow the numbers given been registered. The numeric definitions follow the numbers given
in the CipherSuite of TLS standard [4]. in the CipherSuite of the TLS standard.
3. CipherSuite Definitions 3. CipherSuite Definitions
CipherSuite Is Key Cipher Hash CipherSuite Is Key Cipher Hash
Exportable Exchange Exportable Exchange
TLS_RSA_WITH_CAMELLIA_CBC_128_SHA RSA CAMELLIA_CBC_128 SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA RSA CAMELLIA_128_CBC SHA
TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA DH_DSS CAMELLIA_CBC_128 SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH_DSS CAMELLIA_128_CBC SHA
TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA DH_RSA CAMELLIA_CBC_128 SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH_RSA CAMELLIA_128_CBC SHA
TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA DHE_DSS CAMELLIA_CBC_128 SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE_DSS CAMELLIA_128_CBC SHA
TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA DHE_RSA CAMELLIA_CBC_128 SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA CAMELLIA_128_CBC SHA
TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA DH_anon CAMELLIA_CBC_128 SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH_anon CAMELLIA_128_CBC SHA
TLS_RSA_WITH_CAMELLIA_CBC_192_SHA RSA CAMELLIA_CBC_192 SHA
TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA DH_DSS CAMELLIA_CBC_192 SHA
TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA DH_RSA CAMELLIA_CBC_192 SHA
TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA DHE_DSS CAMELLIA_CBC_192 SHA
TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA DHE_RSA CAMELLIA_CBC_192 SHA
TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA DH_anon CAMELLIA_CBC_192 SHA
TLS_RSA_WITH_CAMELLIA_CBC_256_SHA RSA CAMELLIA_CBC_256 SHA
TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA DH_DSS CAMELLIA_CBC_256 SHA
TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA DH_RSA CAMELLIA_CBC_256 SHA
TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA DHE_DSS CAMELLIA_CBC_256 SHA
TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA DHE_RSA CAMELLIA_CBC_256 SHA
TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA DH_anon CAMELLIA_CBC_256 SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA RSA CAMELLIA_256_CBC SHA
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH_DSS CAMELLIA_256_CBC SHA
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH_RSA CAMELLIA_256_CBC SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE_DSS CAMELLIA_256_CBC SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA CAMELLIA_256_CBC SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH_anon CAMELLIA_256_CBC SHA
Key Expanded Effective IV Block Key Expanded Effective IV Block
Cipher Type Material Key Material Key Bits Size Size Cipher Type Material Key Material Key Bits Size Size
CAMELLIA_CBC_128 Block 16 16 128 16 16 CAMELLIA_128_CBC Block 16 16 128 16 16
CAMELLIA_CBC_192 Block 24 24 192 16 16 CAMELLIA_256_CBC Block 32 32 256 16 16
CAMELLIA_CBC_256 Block 32 32 256 16 16
Note: Key Exchange Algorithms and Hash Functions are defined in TLS. Note: Key Exchange Algorithms and Hash Functions are defined in TLS.
4. Security Considerations 4. Security Considerations
The security of Camellia was evaluated by utilizing state-of-the-art Security considerations except Camellia are discussed in [4]. The
security of Camellia is evaluated by utilizing state-of-the-art
cryptanalytic techniques. We confirmed that Camellia has no cryptanalytic techniques. We confirmed that Camellia has no
differential and linear characteristics that hold with probability differential and linear characteristics that hold with probability
more than 2^(-128), which means that it is extremely unlikely that more than 2^(-128), which means that it is extremely unlikely that
differential and linear attacks will succeed against Camellia. differential and linear attacks will succeed against Camellia.
Moreover, Camellia was designed to offer security against other Moreover, Camellia was designed to offer security against other
advanced cryptanalytic attacks including higher order differential advanced cryptanalytic attacks including higher order differential
attacks, interpolation attacks, related-key attacks, truncated attacks, interpolation attacks, related-key attacks, truncated
differential attacks, and so on [3]. differential attacks, and so on [3].
5. Intellectual Property Statement 5. Intellectual Property Statement
Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon
Telegraph and Telephone Corporation (NTT) have filed patent Telegraph and Telephone Corporation (NTT) have pending applications
applications on the techniques used in the block cipher Camellia. or filed patents which are essential to Camellia. License policy
For more information, please contact MISTY@isl.melco.co.jp and/or for these essential patents declared formally by NTT and Mitsubishi
camellia@isl.ntt.co.jp. Electric will be available on the IETF page of Intellectual Property
Rights Notices.
References References
[1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita J. Nakajima, and T. Tokita
``Specification of Camellia --- a 128-bit Block Cipher'', ``Specification of Camellia --- a 128-bit Block Cipher'',
2000. http://info.isl.ntt.co.jp/camellia/ 2000. http://info.isl.ntt.co.jp/camellia/
[2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita J. Nakajima, and T. Tokita
``Camellia: A 128-Bit Block Cipher Suitable for Multiple ``Camellia: A 128-Bit Block Cipher Suitable for Multiple
Platforms'', 2000. http://info.isl.ntt.co.jp/camellia/ Platforms'', 2000. http://info.isl.ntt.co.jp/camellia/
[3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita J. Nakajima, and T. Tokita
``Camellia: A 128-Bit Block Cipher Suitable for Multiple ``Camellia: A 128-Bit Block Cipher Suitable for Multiple
Platforms --- Design and Analysis ---'', in Workshop Record Platforms --- Design and Analysis ---'', In Selected Areas in
of SAC 2000, Seventh Annual Workshop on Selected Areas in Cryptography, 7th Annual International Workshop, SAC 2000,
Cryptography, pp.41--54, 14-15 August 2000. (to appear in Waterloo, Ontario, Canada, August 2000, Proceedings,
Lecture Notes in Computer Science of Spring-Verlag) Lecture Notes in Computer Science 2012, pp.39--56,
Springer-Verlag, 2001.
[4] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC [4] T. Dierks, and C. Allen, ``The TLS Protocol Version 1.0'', RFC
2246, January 1999. 2246, January 1999.
Author's Addresses Author's Addresses
Shiho Moriai Shiho Moriai
Nippon Telegraph and Telephone Corporation Nippon Telegraph and Telephone Corporation
1-1 Hikarinooka, Yokosuka, 239-0847, Japan 1-1 Hikarinooka, Yokosuka, 239-0847, Japan
Phone: +81-468-59-2007 Phone: +81-468-59-2007
FAX: +81-468-59-3858 FAX: +81-468-59-3858
Email: shiho@isl.ntt.co.jp Email: shiho@isl.ntt.co.jp
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/