Internet Engineering Task Force Y. Hori Internet-Draft Saga University Intended status: Informational T. Uehara Expires: May 4, 2016 Ritsumeikan University November 1, 2015 Use of KCipher-2 with Poly1305 in Transport Layer Security draft-kiyomoto-kcipher2-tls-02 Abstract This document describes the use of the KCipher-2 stream cipher with Poly1305 in Transport Layer Security (TLS) protocols version 1.2 and Datagram Transport Layer Security (DTLS) protocols. KCipher-2 is a stream cipher with a 128-bit key and a 128-bit initialization vector, which provides fast, efficient encryption and decryption. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 4, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Hori & Uehara Expires May 4, 2016 [Page 1] Internet-Draft KCipher-2 with Poly1305 for TLS November 2015 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. KCipher2 . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2. Poly1305 Authenticator . . . . . . . . . . . . . . . . . 3 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Cipher Suites Values . . . . . . . . . . . . . . . . . . . . 3 3. Cipher Suite Definitions . . . . . . . . . . . . . . . . . . 3 3.1. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 3 3.2. Cipher . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.3. Pseudorandom Function . . . . . . . . . . . . . . . . . . 3 3.4. AEAD Construction . . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 7.1. Normative References . . . . . . . . . . . . . . . . . . 4 7.2. Informative References . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction This document describes the use of the KCipher-2 [RFC7008] in the Transport Layer Security (TLS) version 1.2 [RFC5246] protocol, as well as in the Datagram Transport Layer Security (DTLS) version 1.2 [RFC6347], or any later versions. Cryptographic operations used in TLS can be categorized in five ways: digital signing, stream cipher encryption, block cipher encryption, authenticated encryption with additional data encryption, and public key encryption [RFC5246]. This document defines the cipher suites to use KCipher-2 for stream cipher encryption in TLS. KCipher-2 is a fast, secure stream cipher algorithm as well as ChaCha20 [ChaCha20]. 1.1. KCipher2 KCipher-2 is a stream cipher algorithm with a 128-bit key and a 128-bit initialization vector (IV). The algorithm and other properties are described in [SECRYPT]. KCipher-2 has been evaluated by the cryptographic technique evaluation project for the Japanese e-Government [CRYPTREC]. KCipher-2 also has been submitted to another international standardization body [ISO18033]. Hori & Uehara Expires May 4, 2016 [Page 2] Internet-Draft KCipher-2 with Poly1305 for TLS November 2015 1.2. Poly1305 Authenticator Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator designed by D. J. Bernstein. In details, Poly1305 is described in Section 2.5 and 2.6 of [RFC7539] . 1.3. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Cipher Suites Values The following are proposed identifiers and values for the cipher suites of TLS. CipherSuite TLS_ECDHE_RSA_WITH_KCIPHER2_128_POLY1305 = { TBD, TBD }; CipherSuite TLS_ECDHE_ECDSA_WITH_KCIPHER2_128_POLY1305 = { TBD, TBD }; CipherSuite TLS_DHE_RSA_WITH_KCIPHER2_128_POLY1305 = { TBD, TBD }; 3. Cipher Suite Definitions 3.1. Key Exchange The DHE_RSA, ECDHE_RSA, and ECDHE_ECDSA key exchanges are performed as defined in [RFC5246] and [RFC4496]. 3.2. Cipher The KCIPHER2_128 cipher suites use KCipher-2 with a 128-bit key and a 128-bit initialization vector. 3.3. Pseudorandom Function For the cipher suites in this document, [RFC2104] based on SHA-256 is used for TLS PseudoRandom Function (PRF) [RFC5246] with SHA-256 is used as the PRF. 3.4. AEAD Construction KCIPHER2_128_POLY1305 is an authenticated encryption with additional data algorithm. The KCipher-2 and Poly1305 [POLY1305]primitives are combined into an AEAD. Hori & Uehara Expires May 4, 2016 [Page 3] Internet-Draft KCipher-2 with Poly1305 for TLS November 2015 4. Security Considerations As of the time this document was written, we are not aware of any attack on KCipher-2. No security vulnerabilities have been identified in the security evaluations by the KCipher-2 developers and other independent institutions [SECRYPT], [CRYPTREC10], and [KDDI]. Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^102) for a 16*n byte message, even after sending 2^64 legitimate messages. 5. IANA Considerations IANA is requested to allocate the following numbers in the TLS Cipher Suite Registry: CipherSuite TLS_ECDHE_RSA_WITH_KCIPHER2_128_POLY1305 = { TBD, TBD }; CipherSuite TLS_ECDHE_ECDSA_WITH_KCIPHER2_128_POLY1305 = { TBD, TBD }; CipherSuite TLS_DHE_RSA_WITH_KCIPHER2_128_POLY1305 = { TBD, TBD }; 6. Acknowledgements Thanks to Marshall Rose for developing the XML2RFC format. Thanks to Shinsaku Kiyomoto who is an author of draft-kiyomoto- kcipher2-tls-01.txt. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ RFC2119, March 1997, . [RFC4496] Stecher, M. and A. Barbir, "Open Pluggable Edge Services (OPES) SMTP Use Cases", RFC 4496, DOI 10.17487/RFC4496, May 2006, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ RFC5246, August 2008, . Hori & Uehara Expires May 4, 2016 [Page 4] Internet-Draft KCipher-2 with Poly1305 for TLS November 2015 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, . [RFC7008] Kiyomoto, S. and W. Shin, "A Description of the KCipher-2 Encryption Algorithm", RFC 7008, DOI 10.17487/RFC7008, August 2013, . [RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, . 7.2. Informative References [ChaCha20] Bernstein, D., "ChaCha, a variant of Salsa20", January 2008, . [CRYPTREC] CRYPTREC (Cryptography Research and Evaluation Committees), , . [CRYPTREC10] Bogdanov, A., Preneel, B., and V. Rijmen, "Security Evaluation of the K2 Stream Cipher", 2010, . [ISO18033] International Organization for Standardization, "Information technology - Security techniques - Encryption algorithms - Part 4: Stream ciphers", ISO/IEC 18033-4, December 2011. [KDDI] Roy, B., "Evaluation of the Word-Oriented Stream Cipher: K2", 2009, . [POLY1305] Bernstein, D., "The Poly1305-AES message-authentication code.", March 2005, . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [SECRYPT] Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2: A Stream Cipher Algorithm Using Dynamic Feedback Control", 2007. Hori & Uehara Expires May 4, 2016 [Page 5] Internet-Draft KCipher-2 with Poly1305 for TLS November 2015 Authors' Addresses Yoshiaki Hori Saga University 1 Honjo Saga-shi, Saga 840-8502 JP Phone: +81-952-28-8982 Email: horiyo@cc.saga-u.ac.jp Tetsutaro Uehara Ritsumeikan University 1-1-1 Noji-higashi Kusatsu-shi, Shiga 525-8577 JP Phone: +81-77-599-4357 Email: uehara@cs.ritsumei.ac.jp Hori & Uehara Expires May 4, 2016 [Page 6]