draft-ietf-tls-camellia-05.txt | draft-ietf-tls-camellia-06.txt | |||
---|---|---|---|---|
skipping to change at page 1, line 13 | skipping to change at page 1, line 13 | |||
INTERNET-DRAFT S. Moriai | INTERNET-DRAFT S. Moriai | |||
TLS Working Group Sony Computer Entertainment Inc. | TLS Working Group Sony Computer Entertainment Inc. | |||
Expiration Date: March 2005 A. Kato | Expiration Date: March 2005 A. Kato | |||
NTT Software Corporation | NTT Software Corporation | |||
M. Kanda | M. Kanda | |||
Nippon Telegraph and Telephone Corporation | Nippon Telegraph and Telephone Corporation | |||
October 2004 | October 2004 | |||
Addition of Camellia Ciphersuites to Transport Layer Security (TLS) | Addition of Camellia Ciphersuites to Transport Layer Security (TLS) | |||
<draft-ietf-tls-camellia-05.txt> | <draft-ietf-tls-camellia-06.txt> | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, I certify that any applicable | By submitting this Internet-Draft, we certify that any applicable | |||
patent or other IPR claims of which I am aware have been | patent or other IPR claims of which we am aware have been | |||
disclosed, and any of which I become aware will be disclosed, in | disclosed, and any of which we become aware will be disclosed, in | |||
accordance with RFC 3668. | accordance with RFC 3668. | |||
This document is an Internet-Draft and is in full conformance with | ||||
all provisions of Section 10 of RFC2026. | ||||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
Drafts. | Drafts. | |||
Internet-Drafts are draft documents valid for a maximum of six | Internet-Drafts are draft documents valid for a maximum of six | |||
months and may be updated, replaced, or obsoleted by other documents | months and may be updated, replaced, or obsoleted by other | |||
at any time. It is inappropriate to use Internet-Drafts as | documents at any time. It is inappropriate to use Internet-Drafts | |||
reference material or to cite them other than as "work in progress". | as reference material or to cite them other than as "work in | |||
progress". | ||||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
Abstract | Abstract | |||
This document proposes the addition of new cipher suites to the | This document proposes the addition of new cipher suites to the | |||
Transport Layer Security (TLS) protocol to support the Camellia | Transport Layer Security (TLS) protocol to support the Camellia | |||
encryption algorithm as a bulk cipher algorithm. | encryption algorithm as a bulk cipher algorithm. | |||
1. Introduction | 1. Introduction | |||
This document proposes the addition of new cipher suites to the TLS | This document proposes the addition of new cipher suites to the | |||
protocol [TLS] to support the Camellia encryption algorithm as a | TLS protocol [TLS] to support the Camellia encryption algorithm as | |||
bulk cipher algorithm. This proposal provides a new option for | a bulk cipher algorithm. This proposal provides a new option for | |||
fast, efficient, and royalty-free bulk cipher algorithms. | fast and efficient bulk cipher algorithms. | |||
Note: This work was done when the first author worked for NTT. | Note: This work was done when the first author worked for NTT. | |||
1.1. Camellia | 1.1. Camellia | |||
Camellia was selected as a recommended cryptographic primitive by | Camellia was selected as a recommended cryptographic primitive by | |||
the EU NESSIE (New European Schemes for Signatures, Integrity and | the EU NESSIE (New European Schemes for Signatures, Integrity and | |||
Encryption) project [NESSIE] and included in the list of | Encryption) project [NESSIE] and included in the list of | |||
cryptographic techniques for Japanese e-Government systems, which | cryptographic techniques for Japanese e-Government systems, which | |||
were selected by the Japan CRYPTREC (Cryptography Research and | were selected by the Japan CRYPTREC (Cryptography Research and | |||
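Review bot: In the -06 "Status of this Memo" paragraph the pronoun was changed from "I" to "we" but the verb was not, leaving "of which we am aware"; it should read "of which we are aware". The same hunk drops the RFC2026 conformance sentence and removes "royalty-free" from the Introduction ("fast and efficient bulk cipher algorithms"), so a one-line change note saying why the licensing claim was withdrawn would help readers comparing the two versions.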
skipping to change at page 2, line 27 | skipping to change at page 2, line 25 | |||
specifications to enable audio-visual and other services based on | specifications to enable audio-visual and other services based on | |||
mass-market high volume digital storage in consumer | mass-market high volume digital storage in consumer | |||
platforms. Camellia is specified as Ciphersuite in TLS used by | platforms. Camellia is specified as Ciphersuite in TLS used by | |||
Phase 1 S-7 (Bi-directional Metadata Delivery Protection) | Phase 1 S-7 (Bi-directional Metadata Delivery Protection) | |||
specification and S-5 (TV-Anytime Rights Management and Protection | specification and S-5 (TV-Anytime Rights Management and Protection | |||
Information for Broadcast Applications) specification. Camellia | Information for Broadcast Applications) specification. Camellia | |||
has been submitted to other several standardization bodies such as | has been submitted to other several standardization bodies such as | |||
ISO (ISO/IEC 18033) and IETF S/MIME Mail Security Working Group | ISO (ISO/IEC 18033) and IETF S/MIME Mail Security Working Group | |||
[Camellia-CMS]. | [Camellia-CMS]. | |||
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key | Camellia supports 128-bit block size and 128-, 192-, and 256-bit | |||
sizes, i.e. the same interface specifications as the Advanced | key sizes, i.e. the same interface specifications as the Advanced | |||
Encryption Standard (AES) [AES]. | Encryption Standard (AES) [AES]. | |||
Camellia was jointly developed by NTT and Mitsubishi Electric | Camellia was jointly developed by NTT and Mitsubishi Electric | |||
Corporation in 2000. It was carefully designed to withstand all | Corporation in 2000. It was carefully designed to withstand all | |||
known cryptanalytic attacks and even to have a sufficiently large | known cryptanalytic attacks and even to have a sufficiently large | |||
security leeway. It has been scrutinized by worldwide | security leeway. It has been scrutinized by worldwide | |||
cryptographic experts. | cryptographic experts. | |||
Camellia was also designed to have suitability for both software | Camellia was also designed to have suitability for both software | |||
and hardware implementations and to cover all possible encryption | and hardware implementations and to cover all possible encryption | |||
skipping to change at page 2, line 51 | skipping to change at page 2, line 49 | |||
comparable encryption speed in software and hardware. In | comparable encryption speed in software and hardware. In | |||
addition, a distinguishing feature is its small hardware design. | addition, a distinguishing feature is its small hardware design. | |||
Camellia perfectly meets one of the current TLS market | Camellia perfectly meets one of the current TLS market | |||
requirements, where low power consumption is a mandatory | requirements, where low power consumption is a mandatory | |||
condition. | condition. | |||
The algorithm specification and object identifiers are described | The algorithm specification and object identifiers are described | |||
in [Camellia-Desc]. The Camellia homepage, | in [Camellia-Desc]. The Camellia homepage, | |||
http://info.isl.ntt.co.jp/camellia/, contains a wealth of | http://info.isl.ntt.co.jp/camellia/, contains a wealth of | |||
information about camellia, including detailed specification, | information about camellia, including detailed specification, | |||
security analysis, performance figures, reference implementation, | security analysis, performance figures, reference implementation | |||
test vectors, and intellectual property information. | and test vectors. | |||
1.2. Terminology | 1.2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD | |||
"RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, | NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in | |||
as shown) are to be interpreted as described in [RFC2119]. | uppercase, as shown) are to be interpreted as described in | |||
[RFC2119]. | ||||
2. Proposed Cipher Suites | 2. Proposed Cipher Suites | |||
The new ciphersuites proposed here have the following definitions: | The new ciphersuites proposed here have the following definitions: | |||
CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 }; | CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 }; | |||
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 }; | CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 }; | |||
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 }; | CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 }; | |||
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 }; | CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 }; | |||
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 }; | CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 }; | |||
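Review bot: In section 1.1, -06 deletes "intellectual property information" from the list of what the Camellia homepage contains, which, together with the earlier removal of "royalty-free", leaves the body text with no pointer to licensing terms; confirm the IPR section carries that pointer on its own. While this sentence is being edited, "information about camellia" should be capitalised as "Camellia" to match the rest of the document.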
skipping to change at page 3, line 30 | skipping to change at page 3, line 29 | |||
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x87 }; | CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x87 }; | |||
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x88 }; | CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x88 }; | |||
CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x89 }; | CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x89 }; | |||
3. CipherSuite Definitions | 3. CipherSuite Definitions | |||
3.1. Cipher | 3.1. Cipher | |||
All the ciphersuites described here use Camellia in cipher block | All the ciphersuites described here use Camellia in cipher block | |||
chaining (CBC) mode as a bulk cipher algorithm. Camellia is a | chaining (CBC) mode as a bulk cipher algorithm. Camellia is a | |||
128-bit block cipher with 128-, 192-, and 256-bit key sizes, i.e. it | 128-bit block cipher with 128-, 192-, and 256-bit key sizes, | |||
supports the same block and key sizes as the Advanced Encryption | i.e. it supports the same block and key sizes as the Advanced | |||
Standard (AES). However, this document only defines ciphersuites | Encryption Standard (AES). However, this document only defines | |||
for 128- and 256-bit keys as well as AES ciphersuites for TLS | ciphersuites for 128- and 256-bit keys as well as AES ciphersuites | |||
[AES-TLS]. They are enough for use in efficient and practical cases | for TLS [AES-TLS]. They are enough for use in efficient and | |||
as well as high-security applications. | practical cases as well as high-security applications. | |||
Key Expanded Effective IV Block | Key Expanded Effective IV Block | |||
Cipher Type Material Key Material Key Bits Size Size | Cipher Type Material Key Material Key Bits Size Size | |||
CAMELLIA_128_CBC Block 16 16 128 16 16 | CAMELLIA_128_CBC Block 16 16 128 16 16 | |||
CAMELLIA_256_CBC Block 32 32 256 16 16 | CAMELLIA_256_CBC Block 32 32 256 16 16 | |||
3.2. Hash | 3.2. Hash | |||
All the ciphersuites described here use SHA-1 [SHA-1] in an HMAC | All the ciphersuites described here use SHA-1 [SHA-1] in an HMAC | |||
construction as described in section 5 of [TLS]. | construction as described in section 5 of [TLS]. | |||
3.3. Key exchange | 3.3. Key exchange | |||
The ciphersuites defined here differ in the type of certificate and | The ciphersuites defined here differ in the type of certificate | |||
key exchange method. They use the following options: | and key exchange method. They use the following options: | |||
CipherSuite Key Exchange Algorithm | CipherSuite Key Exchange Algorithm | |||
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA RSA | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA RSA | |||
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH_DSS | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH_DSS | |||
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH_RSA | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH_RSA | |||
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE_DSS | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE_DSS | |||
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE_RSA | |||
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH_anon | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH_anon | |||
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA RSA | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA RSA | |||
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH_DSS | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH_DSS | |||
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH_RSA | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH_RSA | |||
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE_DSS | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE_DSS | |||
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE_RSA | |||
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH_anon | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH_anon | |||
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA | For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, | |||
and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS]. | DHE_RSA and DH_anon, please refer to sections 7.4.2 and 7.4.3 of | |||
[TLS]. | ||||
4. Security Considerations | 4. Security Considerations | |||
It is not believed that the new ciphersuites are ever less secure | It is not believed that the new ciphersuites are ever less secure | |||
than the corresponding older ones. Camellia is considered to be | than the corresponding older ones. Camellia is considered to be | |||
secure, and it has withstood extensive cryptanalytic efforts in | secure, and it has withstood extensive cryptanalytic efforts in | |||
several open, worldwide cryptographic evaluation projects | several open, worldwide cryptographic evaluation projects | |||
[CRYPTREC][NESSIE]. | [CRYPTREC][NESSIE]. | |||
At the time of writing this document there are no known weak keys | At the time of writing this document there are no known weak keys | |||
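Review bot: Section 3.1 is only re-wrapped here, so the ambiguous sentence "this document only defines ciphersuites for 128- and 256-bit keys as well as AES ciphersuites for TLS [AES-TLS]" survives into -06; it reads as if this document also defines AES ciphersuites. Suggest "only defines ciphersuites for 128- and 256-bit keys, as do the AES ciphersuites for TLS [AES-TLS]". The following sentence ("They are enough for use in efficient and practical cases") would also be clearer if it named the key sizes it refers to.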
skipping to change at page 5, line 17 | skipping to change at page 5, line 13 | |||
IETF at ietf-ipr@ietf.org. | IETF at ietf-ipr@ietf.org. | |||
6. References | 6. References | |||
6.1. Normative References | 6.1. Normative References | |||
[Camellia-Desc] Matsui, M., Nakajima, J., Moriai, S., "A | [Camellia-Desc] Matsui, M., Nakajima, J., Moriai, S., "A | |||
Description of the Camellia Encryption Algorithm", RFC3713, | Description of the Camellia Encryption Algorithm", RFC3713, | |||
April 2004. | April 2004. | |||
[TLS] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC | [TLS] Dierks, T. and Allen, C. "The TLS Protocol Version 1.0", | |||
2246, January 1999. | RFC 2246, January 1999. | |||
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
6.2. Informative References | 6.2. Informative References | |||
[CamelliaTech] Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., | [CamelliaTech] Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., | |||
Moriai, S., Nakajima, J., and Tokita, T., "Camellia: A 128-Bit | Moriai, S., Nakajima, J., and Tokita, T., "Camellia: A 128-Bit | |||
Block Cipher Suitable for Multiple Platforms - Design and | Block Cipher Suitable for Multiple Platforms - Design and | |||
Analysis -", In Selected Areas in Cryptography, 7th Annual | Analysis -", In Selected Areas in Cryptography, 7th Annual | |||
International Workshop, SAC 2000, August 2000, Proceedings, | International Workshop, SAC 2000, August 2000, Proceedings, | |||
Lecture Notes in Computer Science 2012, pp.39-56, | Lecture Notes in Computer Science 2012, pp.39-56, | |||
Springer-Verlag, 2001. | Springer-Verlag, 2001. | |||
[Camellia-CMS] Moriai, S. and Kato, A., "Use of the Camellia | [Camellia-CMS] Moriai, S. and Kato, A., "Use of the Camellia | |||
Encryption Algorithm in CMS", January 2004, RFC3657. | Encryption Algorithm in CMS", January 2004, RFC3657. | |||
[AES] NIST, FIPS PUB 197, "Advanced Encryption Standard (AES)", | [AES] NIST, FIPS PUB 197, "Advanced Encryption Standard (AES)", | |||
November 2001. http://csrc.nist.gov/publications/fips/fips197/ | November 2001. http://csrc.nist.gov/publications/fips/fips197/ | |||
fips-197.{ps,pdf}. | fips-197.{ps,pdf}. | |||
[AES-TLS] P. Chown, "Advanced Encryption Standard (AES) | [AES-TLS] Chown, P., "Advanced Encryption Standard (AES) | |||
Ciphersuites for Transport Layer Security (TLS)", RFC 3268, | Ciphersuites for Transport Layer Security (TLS)", RFC 3268, | |||
June 2002. | June 2002. | |||
[SHA-1] FIPS PUB 180-1, "Secure Hash Standard", National Institute | [SHA-1] FIPS PUB 180-1, "Secure Hash Standard", National Institute | |||
of Standards and Technology, U.S. Department of Commerce,April 17, | of Standards and Technology, U.S. Department of Commerce,April | |||
1995. | 17, 1995. | |||
[CRYPTREC] Information-technology Promotion Agency (IPA), Japan, | [CRYPTREC] Information-technology Promotion Agency (IPA), Japan, | |||
CRYPTREC. http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html. | CRYPTREC. | |||
http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html. | ||||
[NESSIE] The NESSIE project (New European Schemes for Signatures, | [NESSIE] The NESSIE project (New European Schemes for Signatures, | |||
Integrity and Encryption), | Integrity and Encryption), | |||
http://www.cosic.esat.kuleuven.ac.be/nessie/. | http://www.cosic.esat.kuleuven.ac.be/nessie/. | |||
[TV-ANYTIME] TV-Anytime Forum, http://www.tv-anytime.org/. | [TV-ANYTIME] TV-Anytime Forum, http://www.tv-anytime.org/. | |||
7. Full Copyright Statement | 7. Full Copyright Statement | |||
Copyright (C) The Internet Society (2004). This document is | Copyright (C) The Internet Society (2004). This document is | |||
subject to the rights, licenses and restrictions contained in BCP | subject to the rights, licenses and restrictions contained in BCP | |||
78 and except as set forth therein, the authors retain all their | 78 and except as set forth therein, the authors retain all their | |||
rights. | rights. | |||
This document and the information contained herein are provided on | This document and the information contained herein are provided on | |||
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | |||
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND | REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND | |||
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, | |||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT | |||
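Review bot: The reference entries are being normalised to "Surname, Initial.," form, but the new [TLS] entry reads 'Dierks, T. and Allen, C. "The TLS Protocol Version 1.0"' with no comma after "C.", unlike "Bradner, S.," and "Chown, P.," in the same hunk. The [SHA-1] entry is re-wrapped but still has "Commerce,April" with no space after the comma; fix both while the reference list is open.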
End of changes. | ||||
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |