--- 1/draft-ietf-tls-camellia-02.txt 2006-02-05 02:00:08.000000000 +0100 +++ 2/draft-ietf-tls-camellia-03.txt 2006-02-05 02:00:08.000000000 +0100 @@ -1,112 +1,152 @@ INTERNET-DRAFT S. Moriai -TLS Working Group Nippon Telegraph and Telephone Corporation -Expires February 6 2003 August 6 2002 +TLS Working Group Sony Computer Entertainment Inc. +Expiration Date: August 2004 A. Kato + NTT Software Corporation + M. Kanda + Nippon Telegraph and Telephone Corporation + February 2004 Addition of Camellia Ciphersuites to Transport Layer Security (TLS) - + Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as - reference material or to cite them other than as "work in progress." + reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt + http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document proposes the addition of new cipher suites to the Transport Layer Security (TLS) protocol to support the Camellia encryption algorithm as a bulk cipher algorithm. 1. Introduction This document proposes the addition of new cipher suites to the TLS - protocol [TLS] to support the Camellia encryption algorithm as a bulk - cipher algorithm. This proposal provides a new option for fast, - efficient, and royalty-free bulk cipher algorithms. + protocol [TLS] to support the Camellia encryption algorithm as a + bulk cipher algorithm. This proposal provides a new option for + fast, efficient, and royalty-free bulk cipher algorithms. - Camellia is a 128-bit block cipher with 128-, 192-, and 256-bit key - sizes, i.e. it supports the same block and key sizes as the Advanced - Encryption Standard (AES). A description of the Camellia cipher - algorithm is in [CamelliaSpec][CamelliaTech]. + Note: This work was done when the first author worked for NTT. - Efficiency on both software and hardware platforms is a remarkable - characteristic of Camellia. In particular, Camellia's small - hardware design is suitable for mobile, portable and low power - applications. Furthermore, Camellia has withstood extensive - cryptanalytic efforts in several open, worldwide cryptographic - evaluation projects. +1.1. Camellia + + Camellia was selected as a recommended cryptographic primitive by + the EU NESSIE (New European Schemes for Signatures, Integrity and + Encryption) project [NESSIE] and included in the list of + cryptographic techniques for Japanese e-Government systems, which + were selected by the Japan CRYPTREC (Cryptography Research and + Evaluation Committees) [CRYPTREC]. Camellia is also included in + specification of the TV-Anytime Forum [TV-ANYTIME]. The TV-Anytime + Forum is an association of organizations that seeks to develop + specifications to enable audio-visual and other services based on + mass-market high volume digital storage in consumer + platforms. Camellia is specified as Ciphersuite in TLS used by Phase + 1 S-7 (Bi-directional Metadata Delivery Protection) + specification. Camellia has been submitted to other several + standardization bodies such as ISO (ISO/IEC 18033) and IETF S/MIME + Mail Security Working Group [Camellia-CMS]. + + Camellia supports 128-bit block size and 128-, 192-, and 256-bit key + sizes, i.e. the same interface specifications as the Advanced + Encryption Standard (AES) [AES]. + + Camellia was jointly developed by NTT and Mitsubishi Electric + Corporation in 2000. It was carefully designed to withstand all + known cryptanalytic attacks and even to have a sufficiently large + security leeway. It has been scrutinized by worldwide + cryptographic experts. + + Camellia was also designed to have suitability for both software + and hardware implementations and to cover all possible encryption + applications that range from low-cost smart cards to high-speed + network systems. Compared to the AES, Camellia offers at least + comparable encryption speed in software and hardware. In + addition, a distinguishing feature is its small hardware design. + Camellia perfectly meets one of the current TLS market + requirements, where low power consumption is a mandatory + condition. + + The Camellia homepage, http://info.isl.ntt.co.jp/camellia/, + contains a wealth of information about camellia, including + detailed specification, security analysis, performance figures, + reference implementation, test vectors, and intellectual property + information. + +1.2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", + "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, + as shown) are to be interpreted as described in [RFC2119]. 2. Proposed Cipher Suites The new ciphersuites proposed here have the following definitions: CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 }; CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 }; CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 }; CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 }; CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 }; CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x46 }; - CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x47 }; - CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x48 }; - CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x49 }; - CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4A }; - CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4B }; - CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x4C }; - - Note: The above numeric definitions for Cipher Suites have not yet - been registered. + CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x84 }; + CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x85 }; + CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x86 }; + CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x87 }; + CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x88 }; + CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x89 }; 3. CipherSuite Definitions -3.1 Cipher +3.1. Cipher All the ciphersuites described here use Camellia in cipher block chaining (CBC) mode as a bulk cipher algorithm. Camellia is a 128-bit block cipher with 128-, 192-, and 256-bit key sizes, i.e. it supports the same block and key sizes as the Advanced Encryption Standard (AES). However, this document only defines ciphersuites - for 128- and 256-bit keys as well as AES ciphersuites for TLS [AES]. - They are enough for use in efficient and practical cases as well as - high-security applications. + for 128- and 256-bit keys as well as AES ciphersuites for TLS + [AES-TLS]. They are enough for use in efficient and practical cases + as well as high-security applications. Key Expanded Effective IV Block Cipher Type Material Key Material Key Bits Size Size CAMELLIA_128_CBC Block 16 16 128 16 16 CAMELLIA_256_CBC Block 32 32 256 16 16 -3.2 Hash +3.2. Hash - All the ciphersuites described here use SHA-1 in an HMAC - construction as described in section 5 of [TLS], a modified SHA-1 - version of the algorithm. + All the ciphersuites described here use SHA-1 [SHA-1] in an HMAC + construction as described in section 5 of [TLS]. -3.3 Key exchange +3.3. Key exchange The ciphersuites defined here differ in the type of certificate and key exchange method. They use the following options: CipherSuite Key Exchange Algorithm TLS_RSA_WITH_CAMELLIA_128_CBC_SHA RSA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH_DSS TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH_RSA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE_DSS @@ -119,53 +159,119 @@ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE_DSS TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH_anon For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS]. 4. Security Considerations It is not believed that the new ciphersuites are ever less secure - than the corresponding older ones. Camellia is believed to be + than the corresponding older ones. Camellia is considered to be secure, and it has withstood extensive cryptanalytic efforts in - several open, worldwide cryptographic evaluation projects. + several open, worldwide cryptographic evaluation projects + [CRYPTREC][NESSIE]. + + At the time of writing this document there are no known weak keys + for Camellia. For other security considerations, please refer to the security considerations of the corresponding older ciphersuites described - in [TLS] and [AES]. + in [TLS] and [AES-TLS]. -5. Intellectual Property +5. Intellectual Property Rights - Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon - Telegraph and Telephone Corporation (NTT) have pending applications - or filed patents which are essential to Camellia. License policy - for these essential patents declared formally by NTT and Mitsubishi - Electric is available on the IETF page of Intellectual Property - Rights Notices. + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described + in this document or the extent to which any license under such + rights might or might not be available; neither does it represent + that it has made any effort to identify any such rights. + Information on the IETF's procedures with respect to rights in + standards-track and standards-related documentation can be found + in BCP-11. Copies of claims of rights made available for + publication and any assurances of licenses to be made available, + or the result of an attempt made to obtain a general license or + permission for the use of such proprietary rights by implementors + or users of this specification can be obtained from the IETF + Secretariat. -References + The IETF invites any interested party to bring to its attention + any copyrights, patents or patent applications, or other + proprietary rights which may cover technology that may be required + to practice this standard. Please address the information to the + IETF Executive Director. + + The IETF has been notified of intellectual property rights + claimed in regard to some or all of the specification contained in + this document. For more information consult the online list of + claimed rights. + +6. References + +6.1. Normative References [CamelliaSpec] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, - J. Nakajima, and T. Tokita ``Specification of Camellia - a 128-bit - Block Cipher''. http://info.isl.ntt.co.jp/camellia/ + J. Nakajima, and T. Tokita, "Specification of Camellia - a 128-bit + Block Cipher". + http://info.isl.ntt.co.jp/camellia/CRYPTREC/2001/01espec.pdf. + + [TLS] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC + 2246, January 1999. + + [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + +6.2. Informative References + [CamelliaTech] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, - J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher - Suitable for Multiple Platforms - Design and Analysis -'', In - Selected Areas in Cryptography, 7th Annual International Workshop, - SAC 2000, August 2000, Proceedings, Lecture Notes in Computer - Science 2012, pp.39--56, Springer-Verlag, 2001. + J. Nakajima, and T. Tokita, "Camellia: A 128-Bit Block Cipher + Suitable for Multiple Platforms - Design and Analysis -", In + Selected Areas in Cryptography, 7th Annual International + Workshop, SAC 2000, August 2000, Proceedings, Lecture Notes in + Computer Science 2012, pp.39-56, Springer-Verlag, 2001. - [AES] P. Chown, ``Advanced Encryption Standard (AES) Ciphersuites - for Transport Layer Security (TLS)'', RFC 3268, June 2002. + [Camellia-CMS] S. Moriai and A. Kato, "Use of the Camellia + Encryption Algorithm in Cryptographic Message Syntax (CMS)", + RFC 3657, January 2004. - [TLS] T. Dierks, and C. Allen, ``The TLS Protocol Version 1.0'', RFC - 2246, January 1999. + [AES] NIST, FIPS PUB 197, "Advanced Encryption Standard (AES)", + November 2001. http://csrc.nist.gov/publications/fips/fips197/ + fips-197.{ps,pdf}. -Author's Address + [AES-TLS] P. Chown, "Advanced Encryption Standard (AES) + Ciphersuites for Transport Layer Security (TLS)", RFC 3268, + June 2002. + + [SHA-1] FIPS PUB 180-1, "Secure Hash Standard", National Institute + of Standards and Technology, U.S. Department of Commerce,April 17, + 1995. + + [CRYPTREC] Information-technology Promotion Agency (IPA), Japan, + CRYPTREC. http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html. + + [NESSIE] The NESSIE project (New European Schemes for Signatures, + Integrity and Encryption), + http://www.cosic.esat.kuleuven.ac.be/nessie/. + + [TV-ANYTIME] TV-Anytime Forum, http://www.tv-anytime.org/. + +Authors' Addresses Shiho Moriai + Sony Computer Entertainment Inc. + Phone: +81-3-6438-7523 + Fax: +81-3-6438-8629 + Email: camellia@isl.ntt.co.jp (Camellia team) + shiho@rd.scei.sony.co.jp (Shiho Moriai) + + Akihiro Kato + NTT Software Corporation + Phone: +81-45-212-7934 + Fax: +81-45-212-9800 + Email: akato@po.ntts.co.jp + + Masayuki Kanda Nippon Telegraph and Telephone Corporation - 1-1 Hikarinooka, Yokosuka, 239-0847, Japan - Phone: +81-468-59-2007 - FAX: +81-468-59-3858 - Email: shiho@isl.ntt.co.jp + Phone: +81-46-859-2437 + FAX: +81-46-859-3365 + Email: kanda@isl.ntt.co.jp