Network Working Group A. Kato
Internet-Draft NTT Software Corporation
Updates: 4132 (if approved) M. Kanda
Intended status: Standards Track Nippon Telegraph and Telephone
Expires: January 8, 2009 Corporation
S. Kanno
NTT Software Corporation
July 7, 2008
Camellia Cipher Suites for TLS
draft-kato-tls-rfc4132bis-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 8, 2009.
Abstract
This document specifies set of cipher suites to the Transport Layer
Security (TLS) protocol to support the Camellia encryption algorithm
as a block cipher algorithm. This proposal provides options for fast
and efficient block cipher algorithms.
Kato, et al. Expires January 8, 2009 [Page 1]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
1. Introduction
This document proposes the addition of new cipher suites to the
Transport Layer Security (TLS) [RFC4346] protocol to support the
Camellia encryption algorithm as a block cipher algorithm.
Camellia is a symmetric cipher with a Feistel structure. Camellia
was developed jointly by NTT and Mitsubishi Electric Corporation in
2000. It was designed to withstand all known cryptanalytic attacks,
and it has been scrutinized by worldwide cryptographic experts.
Camellia is suitable for implementation in software and hardware,
offering encryption speed in software and hardware implementations
that is comparable to Advanced Encryption Standard (AES)
[FIPS.197.2001].
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
lengths, i.e., the same interface specifications as the AES.
Therefore, it is easy to implement Camellia based algorithms by
replacing the AES block of AES based algorithms with a Camellia
block.
Camellia already has been adopted by the IETF and other international
standardization organizations; in particular, the IETF has published
specifications for the use of Camellia with IPsec [RFC4312], TLS
[RFC4132], S/MIME [RFC3657] and XML [RFC4051]. Camellia is one of
the three ISO/IEC international standard [ISO/IEC 18033-3] 128-bit
block ciphers (Camellia, AES, and SEED). Camellia was selected as a
recommended cryptographic primitive by the EU NESSIE (New European
Schemes for Signatures, Integrity and Encryption) project [NESSIE]
and was included in the list of cryptographic techniques for Japanese
e-Government systems that was selected by the Japanese CRYPTREC
(Cryptography Research and Evaluation Committees) [CRYPTREC].
Since optimized source code is provided under several open source
licenses [open source license], Camellia is also adopted by several
open source projects (OpenSSL, FreeBSD, and Linux). Camellia is also
adopted by Mozilla and Camellia is ready for use with Firefox 3.0
released in June 2008.
The algorithm specification and object identifiers are described in
[RFC3713]
The Camellia web site [Camellia web site] contains a wealth of
information about Camellia, including detailed specification,
security analysis, performance figures, reference implementation,
optimized implementation, test vectors(TV), and intellectual property
information.
Kato, et al. Expires January 8, 2009 [Page 2]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
1.1. Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
appear in this document are to be interpreted as described in
[RFC2119].
2. Proposed Cipher Suites
The cipher suites proposed here have the following definitions:
CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x46 };
CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x84 };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x85 };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x86 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x87 };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x88 };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x89 };
CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_anon_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_anon_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
3. Cipher Suite Definitions
3.1. Key Exchange
The cipher suites defined here differ in the type of certificate and
key exchange method. They use the following options:
Kato, et al. Expires January 8, 2009 [Page 3]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
Indicator of
Cipher Suite Key Exchange Algorithm
RSA RSA
DH_DSS DH_DSS
DH_RSA DH_RSA
DHE_DSS DHE_DSS
DHE_RSA DHE_RSA
DH_anon DH_anon
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA,
and DH_anon, please refer to section 7.4.2. of [RFC4346].
3.2. Cipher
The cipher suites defined here and key sizes. They use the following
options:
Indicator of Key Expanded Effective IV Block
Cipher Suite Type Material Key Material Key Bits Size Size
CAMELLIA_128_CBC Block 16 16 128 16 16
CAMELLIA_256_CBC Block 32 32 256 16 16
3.3. MAC
The cipher suites defined here uses different type of hash functions
for calucuret MAC. They use the following options:
Indicator of
Cipher Suite MAC PRF
SHA HMAC-SHA-1 P_SHA-256
SHA256 HMAC-SHA-256 P_SHA-256
TLS1.1 or earlier versions uses SHA-1/MD5 combination for PRF. When
server and client select cipher suites indicated by SHA in TLS1.1 or
earlier versions, PRF MUST be calclated by TLS1.1 or earlier versions
manner.
Ciphersuite indicated by SHA256, SHA384 and SHA512 MUST NOT be
negotiated by TLS1.1 or earlier versions. Clients MUST NOT offer
cipher suites indicated by SHA256, SHA384 and SHA512 if they do not
offer TLS 1.2 or later. Servers which select an earlier version of
TLS MUST NOT select one of cipher suites indicated by SHA256, SHA384
and SHA512.
Because TLS has no way for the client to indicate that it supports
Kato, et al. Expires January 8, 2009 [Page 4]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
TLS 1.2 but not earlier, a non-compliant server might potentially
negotiate TLS 1.1 or earlier and select one of the cipher suites in
this document. Clients MUST check the TLS version and generate a
fatal "illegal_parameter" alert if they detect an incorrect version.
4. IANA Considerations
IANA has assigned the following values for these cipher suites:
CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x41 };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x42 };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x43 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x44 };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x45 };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = { 0x00,0x46 };
CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x84 };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x85 };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x86 };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x87 };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x88 };
CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = { 0x00,0x89 };
CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_anon_WITH_CAMELLIA_128_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
CipherSuite TLS_DHE_anon_WITH_CAMELLIA_256_CBC_SHA256 = { TBD,TBD };
5. Security Considerations
At the time of writing this document, there are no known weak keys
for Camellia.
5.1. Downgrade Attack
TLS negotiation is only as secure as the weakest cipher suite that is
supported. For instance, an implementation which supports both 160-
Kato, et al. Expires January 8, 2009 [Page 5]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
bit and 256-bit elliptic curves can be subject to an active downgrade
attack to the 160-bit security level. An attacker who can attack
that can then forge the Finished handshake check and successfully
mount a man-in-the-middle attack.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4132] Moriai, S., Kato, A., and M. Kanda, "Addition of Camellia
Cipher Suites to Transport Layer Security (TLS)",
RFC 4132, July 2005.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
6.2. Informative References
[CRYPTREC]
Information-technology Promotion Agency (IPA),
"Cryptography Research and Evaluation Committees",
<http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.
[Camellia web site]
"Camellia web site",
<http://info.isl.ntt.co.jp/camellia/>.
[FIPS.197.2001]
National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001, <
http://csrc.nist.gov/publications/fips/fips197/
fips-197.pdf>.
[ISO/IEC 18033-3]
International Organization for Standardization,
"Information technology - Security techniques - Encryption
algorithms - Part 3: Block ciphers", ISO/IEC 18033-3,
July 2005.
[NESSIE] "The NESSIE project (New European Schemes for Signatures,
Integrity and Encryption)",
<http://www.cosic.esat.kuleuven.ac.be/nessie/>.
[RFC3657] Moriai, S. and A. Kato, "Use of the Camellia Encryption
Kato, et al. Expires January 8, 2009 [Page 6]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
Algorithm in Cryptographic Message Syntax (CMS)",
RFC 3657, January 2004.
[RFC3713] Matsui, M., Nakajima, J., and S. Moriai, "A Description of
the Camellia Encryption Algorithm", RFC 3713, April 2004.
[RFC4051] Eastlake, D., "Additional XML Security Uniform Resource
Identifiers (URIs)", RFC 4051, April 2005.
[RFC4312] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
Algorithm and Its Use With IPsec", RFC 4312,
December 2005.
[open source license]
"Camellia open source software",
<http://info.isl.ntt.co.jp/crypt/eng/camellia/
source.html>.
Authors' Addresses
Akihiro Kato
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
Email: akato@po.ntts.co.jp
Masayuki Kanda
Nippon Telegraph and Telephone Corporation
Phone: +81-422-59-3456
Fax: +81-422-59-4015
Email: kanda.masayuki@lab.ntt.co.jp
Satoru Kanno
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
Email: kanno-s@po.ntts.co.jp
Kato, et al. Expires January 8, 2009 [Page 7]
�
Internet-Draft Camellia Cipher Suites for TLS July 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Kato, et al. Expires January 8, 2009 [Page 8]
�