Internet Research Task Force                                     Y. Yang
Internet-Draft                                              BaishanCloud
Intended status: Informational                                    R. Tse
Expires: October 24, 2018                                         Ribose
                                                           M-J. Saarinen
                                                  Independent Consultant
                                                                 W. Wong
                                            Hang Seng Management College
                                                          April 22, 2018

                    SM3 and SM4 Cipher Suites for TLS
                       draft-sca-curdle-tls-sm34-00

Abstract

   This document describes TLS cipher suites that utilize the SM3
   cryptographic hash algorithm (GB/T 32905-2016) and the SM4 symmetric
   blockcipher algorithm (GB/T 32907-2016), both published by the State
   Cryptography Administration of China (SCA).

   This document is a product of the Crypto Forum Research Group (CFRG).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 24, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Yang, et al.            Expires October 24, 2018                [Page 1]

Internet-Draft            SM3/SM4 TLS Cipher Suites           April 2018

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terms and Definitions . . . . . . . . . . . . . . . . . . . .   3
   3.  Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  HMAC-Based  . . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Galois Counter Mode-Based . . . . . . . . . . . . . . . .   3
     3.3.  Counter and CBC-MAC Mode-Based  . . . . . . . . . . . . .   4
     3.4.  OCB . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  TLS Versions  . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   The SM3 [I-D.sca-cfrg-sm3] [GBT.32905-2016] [ISO.IEC.10118-3] and
   SM4 [I-D.ribose-cfrg-sm4] [GBT.32907-2016] [ISO.IEC.18033-3.AMD2]
   algorithms are published by the State Cryptography Administration
   (SCA) of China [SCA] for authorized use within China.  Both
   algorithms are publicly published and are now commonly available in
   cryptographic libraries.

   SM3 is a cryptographic hash algorithm that produces a 256-bit hash
   value, operating on 512-bit input message blocks, for input lengths
   up to 2^(m).

   SM4 is a symmetric encryption algorithm, a blockcipher to be exact,
   designed for data encryption, that acts on 128-bit blocks.

   TLS versions at and beyond 1.2 [RFC5246] contain support for
   authenticated encryption with additional data (AEAD) cipher modes
   [RFC5116].

   This document describes the use of SM4 [I-D.ribose-cfrg-sm4] in
   conjunction with various key exchange mechanisms as a cipher suite
   for TLS, in two ways:

   o  by using SM4 with authenticated encryption modes (CCM, GCM, OCB),
      in a manner similar to [RFC7251];
   o  by using SM4 together with SM3 [I-D.sca-cfrg-sm3] as MAC, in a
      manner similar to [RFC5288], [RFC5289] and [RFC7539].

   TODO: describe SM4 AE modes...

2.  Terms and Definitions

   The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*",
   "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT
   RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and
   only when, they appear in all capitals, as shown here.

3.  Cipher Suites

   Cipher suites defined in this document are based on the SM4-CCM
   Authenticated Encryption with Associated Data (AEAD) algorithms
   AEAD_SM4_128_CCM and AEAD_SM4_256_CCM described in
   [I-D.ribose-cfrg-sm4ae].

3.1.  HMAC-Based

   These cipher suites use SM4 in Cipher Block Chaining (CBC) mode with
   an HMAC-based MAC:

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};

   These cipher suites are the same as the corresponding cipher suites
   in [RFC5289] (with names here ending in "_SM3" in place of
   "_SHA256"), except for the MAC and Pseudo Random Function (PRF)
   algorithms.  The PRF is the TLS PRF [RFC5246] with SM3 as the hash
   function.  The MAC is HMAC [RFC2104] with SM3 as the hash function.

3.2.  Galois Counter Mode-Based

   These cipher suites use the same asymmetric algorithms as those in
   the previous section, but use the authenticated encryption modes
   defined in TLS 1.3 [I-D.ietf-tls-tls13] with SM4 in Galois Counter
   Mode (GCM):

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
      CipherSuite TLS_RSA_WITH_SM4_GCM_SM3         = {0xYY,0xYY};
      CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3     = {0xYY,0xYY};

   These cipher suites use the authenticated encryption with additional
   data algorithm AEAD_SM4_GCM described in [I-D.ribose-cfrg-sm4ae].
   Each of these AEAD algorithms uses a 128-bit authentication tag with
   GCM (in particular, as described in Section 3.5 of [RFC4366] and
   Section 3 of [RFC5288]).  The PRF is the TLS PRF [RFC5246] with SM3
   as the hash function.

3.3.  Counter and CBC-MAC Mode-Based

   These cipher suites use the same asymmetric algorithms as those in
   the previous section, but use the authenticated encryption modes
   defined in TLS 1.3 with SM4 in Counter and CBC-MAC Mode (CCM):

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CCM = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CCM  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_CCM   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_CCM    = {0xYY,0xYY};
      CipherSuite TLS_RSA_WITH_SM4_CCM         = {0xYY,0xYY};
      CipherSuite TLS_DHE_RSA_WITH_SM4_CCM     = {0xYY,0xYY};
      CipherSuite TLS_DH_RSA_WITH_SM4_CCM      = {0xYY,0xYY};
      CipherSuite TLS_DHE_DSS_WITH_SM4_CCM     = {0xYY,0xYY};
      CipherSuite TLS_DH_DSS_WITH_SM4_CCM      = {0xYY,0xYY};
      CipherSuite TLS_DH_anon_WITH_SM4_CCM     = {0xYY,0xYY};

   These cipher suites use the authenticated encryption with additional
   data algorithm AEAD_SM4_CCM described in [I-D.ribose-cfrg-sm4ae].
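   For the GCM and CCM suites the AEAD nonce is "as defined in
   [RFC6655]" (and, for GCM, [RFC5288]): a 4-byte implicit salt taken
   from the key block followed by an 8-byte explicit part carried in
   each record, and the Security Considerations tie this layout to the
   requirement that the CCM counter is never reused.  The Python below
   is an added example for this page, not code from the draft; it
   leaves the SM4-CCM/SM4-GCM encryption itself out and shows only how
   a record layer forms the nonce and additional_data for successive
   records and why it must refuse to wrap the sequence number.  The
   class and function names are this example's own, and the 128-bit
   tag length follows Sections 3.2 and 3.3 of the draft.

```python
import struct

TLS12_VERSION = b"\x03\x03"
CONTENT_TYPE_APPLICATION_DATA = 23
TAG_LEN = 16                 # 128-bit authentication tag (Sections 3.2 / 3.3)
EXPLICIT_NONCE_LEN = 8       # record sequence number, sent in the record
SALT_LEN = 4                 # implicit part: client_write_IV / server_write_IV


class Tls12AeadRecordWriter:
    """Nonce and additional_data for one direction of a TLS 1.2 AEAD
    connection (RFC 5288 Section 3 / RFC 6655 Section 3):

        nonce           = salt(4, implicit) || seq_num(8, explicit)
        additional_data = seq_num || type || version || length

    The salt is fixed for the life of the key, so nonce uniqueness rests
    entirely on the 64-bit sequence number never repeating under one key.
    """

    MAX_SEQ = 2 ** 64 - 1

    def __init__(self, salt: bytes):
        if len(salt) != SALT_LEN:
            raise ValueError("implicit nonce (salt) must be %d bytes" % SALT_LEN)
        self.salt = salt
        self.seq = 0

    def next_record(self, content_type: int, plaintext_len: int):
        """Return (nonce, explicit_nonce, additional_data) for the next
        record and advance the counter.  Wrapping the counter would repeat a
        nonce under the same key, which is exactly the counter reuse the
        CCM/GCM security consideration forbids, so rekeying is the only
        way forward once the space is exhausted."""
        if self.seq > self.MAX_SEQ:
            raise RuntimeError("sequence number exhausted: rekey, never wrap")
        explicit = struct.pack(">Q", self.seq)
        nonce = self.salt + explicit
        additional_data = (explicit + bytes([content_type]) + TLS12_VERSION
                           + struct.pack(">H", plaintext_len))
        self.seq += 1
        return nonce, explicit, additional_data


def split_aead_fragment(salt: bytes, fragment: bytes):
    """Receiver side: split a GenericAEADCipher fragment into the nonce to
    decrypt with and the ciphertext||tag, rejecting fragments too short to
    hold both the explicit nonce and a full tag."""
    if len(salt) != SALT_LEN:
        raise ValueError("implicit nonce (salt) must be %d bytes" % SALT_LEN)
    if len(fragment) < EXPLICIT_NONCE_LEN + TAG_LEN:
        raise ValueError("AEAD fragment too short")
    explicit = fragment[:EXPLICIT_NONCE_LEN]
    return salt + explicit, fragment[EXPLICIT_NONCE_LEN:]


if __name__ == "__main__":
    # Constructed salt for demonstration; in practice it comes from the key block.
    writer = Tls12AeadRecordWriter(b"\xaa\xbb\xcc\xdd")
    for length in (5, 17):
        nonce, explicit, ad = writer.next_record(CONTENT_TYPE_APPLICATION_DATA, length)
        print("nonce", nonce.hex(), "explicit", explicit.hex(), "AD", ad.hex())
```

   The receiver uses the explicit part from the wire together with its
   own copy of the peer's salt, so both ends compute the same nonce
   without ever transmitting the salt; the additional_data is
   reconstructed from the record header and the expected sequence
   number, which is what binds the record's type, version and length
   into the tag.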
   Each of these AEAD algorithms uses a 128-bit authentication tag with
   CCM (in particular, as described in Section 3.5 of [RFC4366] and
   Section 3 of [RFC5288]).  The "nonce" input to the AEAD algorithm is
   as defined in [RFC6655].  The PRF is the TLS PRF [RFC5246] with SM3
   as the hash function.

3.4.  OCB

   The following cipher suites are defined:

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_OCB = {0xYY,0xYY}
      ...

   The "nonce" input to the AEAD algorithm is as defined in [RFC6655].
   The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.
   Further requirements provided in Section 2 of [RFC7251] apply.

4.  TLS Versions

   These cipher suites make use of the authenticated encryption with
   additional data defined in TLS 1.2 [RFC5288].

   o  They *MUST NOT* be negotiated in older versions of TLS.

   o  Clients *MUST NOT* offer these cipher suites if they do not offer
      TLS 1.2 or later.

   o  Servers that select an earlier version of TLS *MUST NOT* select
      one of these cipher suites.

      Earlier versions do not have support for AEAD; for instance, the
      TLSCiphertext structure does not have the "aead" option in TLS
      1.1.  Because TLS has no way for the client to indicate that it
      supports TLS 1.2 but not earlier versions, a non-compliant server
      might potentially negotiate TLS 1.1 or earlier and select one of
      the cipher suites in this document.

   o  Clients *MUST* check the TLS version and generate a fatal
      "illegal_parameter" alert if they detect an incorrect version.

5.  Security Considerations

   The security considerations in [RFC4346], [RFC4492],
   [I-D.ribose-cfrg-sm4], and [I-D.sca-cfrg-sm3] apply.

   o  Products and services that utilize cryptography are regulated by
      the SCA [SCA]; they must be explicitly approved or certified by
      the SCA before being allowed to be sold or used in China.

   o  The cipher suites described in this document *SHOULD* only be
      used with TLS 1.3 or greater [I-D.ietf-tls-tls13].

   o  CCM security requires that the counter never be reused.  The
      nonce/IV requirement in Section 3.3 is designed to prevent counter
      reuse.

6.  IANA Considerations

   IANA has assigned the following values for these cipher suites:

      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
      CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
      CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
      CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
      CipherSuite TLS_RSA_WITH_SM4_GCM_SM3         = {0xYY,0xYY};
      CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
      CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
      CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3     = {0xYY,0xYY};

7.  References

7.1.  Normative References

   [GBT.32905-2016]
              Standardization Administration of the People's Republic
              of China, "GB/T 32905-2016: Information security
              techniques -- SM3 cryptographic hash algorithm", August
              2016.

   [GBT.32907-2016]
              Standardization Administration of the People's Republic
              of China, "GB/T 32907-2016: Information security
              technology -- SM4 block cipher algorithm", August 2016.

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018.

   [I-D.ribose-cfrg-sm4]
              Tse, R., Wong, W., and M. Saarinen, "The SM4 Blockcipher
              Algorithm And Its Modes Of Operations",
              draft-ribose-cfrg-sm4-10 (work in progress), April 2018.

   [I-D.ribose-cfrg-sm4ae]
              Tse, R., Wong, W., and M.
              Saarinen, "Authenticated Encryption For The SM4
              Blockcipher Algorithm", draft-ribose-cfrg-sm4ae-00 (work
              in progress), April 2018.

   [I-D.sca-cfrg-sm3]
              Shen, S., Lee, X., Tse, R., Wong, W., and P. Yang, "The
              SM3 Cryptographic Hash Function", draft-sca-cfrg-sm3-02
              (work in progress), January 2018.

   [ISO.IEC.10118-3]
              International Organization for Standardization, "ISO/IEC
              FDIS 10118-3 -- Information technology -- Security
              techniques -- Hash-functions -- Part 3: Dedicated
              hash-functions", September 2017.

   [ISO.IEC.18033-3.AMD2]
              International Organization for Standardization, "ISO/IEC
              WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block
              ciphers -- Amendment 2", June 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

7.2.  Informative References

   [BOTAN]    Lloyd, J., "Botan: Crypto and TLS for C++11", October
              2017.

   [GB.15629.11-2003]
              Standardization Administration of the People's Republic
              of China, "Information technology -- Telecommunications
              and information exchange between systems -- Local and
              metropolitan area networks -- Specific requirements --
              Part 11: Wireless LAN Medium Access Control (MAC) and
              Physical Layer (PHY) Specifications", May 2003.

   [GBT.33560-2017]
              Standardization Administration of the People's Republic
              of China, "GB/T 33560-2017: Information security
              technology -- Cryptographic application identifier
              criterion specification", May 2017.

   [GMT-0002-2012]
              Office of State Commercial Administration of China, "GM/T
              0002-2012: SM4 block cipher algorithm", March 2012.

   [GMT-0004-2012]
              Organization of State Commercial Administration of China,
              "GM/T 0004-2012: SM3 Cryptographic Hash Algorithm", March
              2012.

   [GMT-0006-2012]
              Office of State Commercial Administration of China, "GM/T
              0006-2012: Cryptographic Application Identifier Criterion
              Specification", March 2012.

   [ISO.IEC.18033-3]
              International Organization for Standardization, "ISO/IEC
              18033-3:2010 -- Encryption algorithms -- Part 3: Block
              ciphers", December 2017.

   [NIST.SP.800-38A]
              Dworkin, M., "NIST Special Publication 800-38A:
              Recommendation for Block Cipher Modes of Operation --
              Methods and Techniques", December 2001.

   [OPENSSL]  OpenSSL Software Foundation, "OpenSSL: Cryptography and
              SSL/TLS Toolkit", October 2017.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
              Keyed-Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346,
              DOI 10.17487/RFC4346, April 2006.

   [RFC4366]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492,
              DOI 10.17487/RFC4492, May 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January
              2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              DOI 10.17487/RFC5288, August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with
              SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              DOI 10.17487/RFC5289, August 2008.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655,
              DOI 10.17487/RFC6655, July 2012.

   [RFC7251]  McGrew, D., Bailey, D., Campagna, M., and R. Dugal,
              "AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites
              for TLS", RFC 7251, DOI 10.17487/RFC7251, June 2014.

   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015.

   [SCA]      State Cryptography Administration of China, "State
              Cryptography Administration of China", Dec 2017.

Appendix A.  Acknowledgements

   This document borrows heavily from [RFC5288], [RFC5289], and
   [RFC7251].

Authors' Addresses

   Paul Y. Yang
   BaishanCloud
   Building 16-3, Baitasan Street
   Shenyang, Liaoning  110000
   People's Republic of China

   Email: yang.yang@baishancloud.com
   URI:   https://www.baishancloud.com


   Ronald Henry Tse
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   People's Republic of China

   Email: ronald.tse@ribose.com
   URI:   https://www.ribose.com


   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi
   URI:   https://mjos.fi/


   Wai Kit Wong
   Hang Seng Management College
   Hang Shin Link, Siu Lek Yuen
   Shatin, Hong Kong
   People's Republic of China

   Email: wongwk@hsmc.edu.hk
   URI:   https://www.hsmc.edu.hk