--- 1/draft-ietf-tls-camellia-00.txt 2006-02-05 02:00:05.000000000 +0100 +++ 2/draft-ietf-tls-camellia-01.txt 2006-02-05 02:00:05.000000000 +0100 @@ -1,23 +1,23 @@ + INTERNET-DRAFT S. Moriai TLS Working Group Nippon Telegraph and Telephone Corporation -Expires April 2001 October 2000 +Expires November 2001 May 2001 Addition of the Camellia Encryption Algorithm to TLS - + Status of this Memo - This document is an Internet-Draft and is NOT offered in accordance - with Section 10 of RFC2026, and the author does not provide the IETF - with any rights other than to publish as an Internet-Draft. + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." @@ -25,159 +25,138 @@ The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document proposes the addition of new cipher suites to the TLS protocol 1.0 to support the Camellia encryption algorithm as a bulk - cipher algorithm. + cipher algorithm. Please send comments on this document to the TLS + mailing list. 1. Introduction - The demands placed on cryptographic primitives are changing: the - required level of security is increasing to match the progress made - in computational power and cryptanalytic techniques, and more - efficiency on a wide variety of platforms is required as they are - being implemented in a wide variety of applications. However, the - TLS Protocol Version 1.0 [4] currently does not support cipher - suites including 128-bit block ciphers that offer a high level of - security and performance. + This document proposes the addition of new cipher suites to the TLS + protocol 1.0 [4] to support the Camellia encryption algorithm as a + bulk cipher algorithm. This proposal provides a new option for bulk + cipher algorithms. Camellia is a block cipher with 128-bit block size and 128-, 192-, and 256-bit key sizes, i.e. the same interface specifications as the Advanced Encryption Standard (AES). The algorithm description is in - [1] or [3]. Efficiency on both software and hardware platforms is a + [1][3]. Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. An optimized implementation of Camellia in assembly language can encrypt on a - Pentium III (800MHz) at the rate of more than 276 Mbits per second, - which is much faster than the speed of an optimized DES - implementation. In addition, a distinguishing feature is its small - hardware design. The hardware design, which includes the parts for - key scheduling, encryption and decryption, occupies approximately - 11K gates, which is the smallest among all existing 128-bit block - ciphers as far as we know [2]. - - This document proposes the addition of new cipher suites to the TLS - protocol 1.0 [4] to support Camellia as a bulk cipher algorithm. - The proposed change is minimal, just the addition of a new option - for bulk cipher algorithms. - -2. The CipherSuites + Pentium III (1.13GHz) at the rate of 471 Mbits per second. In + addition, a distinguishing feature is its small hardware design. + The hardware design, which includes the parts for key schedule, + encryption and decryption, occupies only 9.66K gates using a 0.35um + CMOS ASIC library, which is in the smallest class among all existing + 128-bit block ciphers as far as we know [2]. - We propose the following new cipher suites. +2. Cipher Suites - CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x2F }; - CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x30 }; - CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x31 }; - CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x32 }; - CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x33 }; - CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x34 }; + We propose the new cipher suites below following the AES + ciphersuites. - CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x35 }; - CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x36 }; - CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x37 }; - CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x38 }; - CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x39 }; - CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x3A }; + CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 }; + CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 }; + CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 }; + CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 }; + CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 }; + CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x46 }; - CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3B }; - CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3C }; - CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3D }; - CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3E }; - CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3F }; - CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x40 }; + CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x47 }; + CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x48 }; + CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x49 }; + CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4A }; + CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4B }; + CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4C }; Note: The above numeric definitions for CipherSuites have not yet been registered. The numeric definitions follow the numbers given - in the CipherSuite of TLS standard [4]. + in the CipherSuite of the TLS standard. 3. CipherSuite Definitions CipherSuite Is Key Cipher Hash Exportable Exchange -TLS_RSA_WITH_CAMELLIA_CBC_128_SHA RSA CAMELLIA_CBC_128 SHA -TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA DH_DSS CAMELLIA_CBC_128 SHA -TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA DH_RSA CAMELLIA_CBC_128 SHA -TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA DHE_DSS CAMELLIA_CBC_128 SHA -TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA DHE_RSA CAMELLIA_CBC_128 SHA -TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA DH_anon CAMELLIA_CBC_128 SHA - -TLS_RSA_WITH_CAMELLIA_CBC_192_SHA RSA CAMELLIA_CBC_192 SHA -TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA DH_DSS CAMELLIA_CBC_192 SHA -TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA DH_RSA CAMELLIA_CBC_192 SHA -TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA DHE_DSS CAMELLIA_CBC_192 SHA -TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA DHE_RSA CAMELLIA_CBC_192 SHA -TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA DH_anon CAMELLIA_CBC_192 SHA - -TLS_RSA_WITH_CAMELLIA_CBC_256_SHA RSA CAMELLIA_CBC_256 SHA -TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA DH_DSS CAMELLIA_CBC_256 SHA -TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA DH_RSA CAMELLIA_CBC_256 SHA -TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA DHE_DSS CAMELLIA_CBC_256 SHA -TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA DHE_RSA CAMELLIA_CBC_256 SHA -TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA DH_anon CAMELLIA_CBC_256 SHA +TLS_RSA_WITH_CAMELLIA_128_CBC_SHA RSA CAMELLIA_128_CBC SHA +TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH_DSS CAMELLIA_128_CBC SHA +TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH_RSA CAMELLIA_128_CBC SHA +TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE_DSS CAMELLIA_128_CBC SHA +TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA CAMELLIA_128_CBC SHA +TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH_anon CAMELLIA_128_CBC SHA +TLS_RSA_WITH_CAMELLIA_256_CBC_SHA RSA CAMELLIA_256_CBC SHA +TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH_DSS CAMELLIA_256_CBC SHA +TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH_RSA CAMELLIA_256_CBC SHA +TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE_DSS CAMELLIA_256_CBC SHA +TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA CAMELLIA_256_CBC SHA +TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH_anon CAMELLIA_256_CBC SHA Key Expanded Effective IV Block Cipher Type Material Key Material Key Bits Size Size - CAMELLIA_CBC_128 Block 16 16 128 16 16 - CAMELLIA_CBC_192 Block 24 24 192 16 16 - CAMELLIA_CBC_256 Block 32 32 256 16 16 + CAMELLIA_128_CBC Block 16 16 128 16 16 + CAMELLIA_256_CBC Block 32 32 256 16 16 Note: Key Exchange Algorithms and Hash Functions are defined in TLS. 4. Security Considerations - The security of Camellia was evaluated by utilizing state-of-the-art + Security considerations except Camellia are discussed in [4]. The + security of Camellia is evaluated by utilizing state-of-the-art cryptanalytic techniques. We confirmed that Camellia has no differential and linear characteristics that hold with probability more than 2^(-128), which means that it is extremely unlikely that differential and linear attacks will succeed against Camellia. Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks including higher order differential attacks, interpolation attacks, related-key attacks, truncated differential attacks, and so on [3]. 5. Intellectual Property Statement Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon - Telegraph and Telephone Corporation (NTT) have filed patent - applications on the techniques used in the block cipher Camellia. - For more information, please contact MISTY@isl.melco.co.jp and/or - camellia@isl.ntt.co.jp. + Telegraph and Telephone Corporation (NTT) have pending applications + or filed patents which are essential to Camellia. License policy + for these essential patents declared formally by NTT and Mitsubishi + Electric will be available on the IETF page of Intellectual Property + Rights Notices. References [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Specification of Camellia --- a 128-bit Block Cipher'', 2000. http://info.isl.ntt.co.jp/camellia/ [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms'', 2000. http://info.isl.ntt.co.jp/camellia/ [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher Suitable for Multiple - Platforms --- Design and Analysis ---'', in Workshop Record - of SAC 2000, Seventh Annual Workshop on Selected Areas in - Cryptography, pp.41--54, 14-15 August 2000. (to appear in - Lecture Notes in Computer Science of Spring-Verlag) + Platforms --- Design and Analysis ---'', In Selected Areas in + Cryptography, 7th Annual International Workshop, SAC 2000, + Waterloo, Ontario, Canada, August 2000, Proceedings, + Lecture Notes in Computer Science 2012, pp.39--56, + Springer-Verlag, 2001. - [4] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC + [4] T. Dierks, and C. Allen, ``The TLS Protocol Version 1.0'', RFC 2246, January 1999. Author's Addresses Shiho Moriai Nippon Telegraph and Telephone Corporation 1-1 Hikarinooka, Yokosuka, 239-0847, Japan Phone: +81-468-59-2007 FAX: +81-468-59-3858 Email: shiho@isl.ntt.co.jp