Internet DRAFT - draft-katagi-tls-clefia

draft-katagi-tls-clefia






Network Working Group                                          M. Katagi
Internet-Draft                                          Sony Corporation
Intended status: Informational                               May 2, 2012
Expires: November 3, 2012


        CLEFIA Cipher Suites for Transport Layer Security (TLS)
                       draft-katagi-tls-clefia-02

Abstract

   This document specifies a set of cipher suites for the Transport
   Security Layer (TLS) protocol to support the CLEFIA encryption
   algorithm as a block cipher.  CLEFIA is a lightweight block cipher
   and suitable for constrained devices.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 3, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Katagi                  Expires November 3, 2012                [Page 1]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  CLEFIA . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Proposed Cipher Suites . . . . . . . . . . . . . . . . . . . .  4
     2.1.  SHA-1 based Cipher Suites  . . . . . . . . . . . . . . . .  4
     2.2.  CBC + HMAC based Cipher Suites . . . . . . . . . . . . . .  4
     2.3.  GCM based Cipher Suites  . . . . . . . . . . . . . . . . .  5
     2.4.  PSK based Cipher Suites  . . . . . . . . . . . . . . . . .  5
   3.  Cipher Suite Definitions . . . . . . . . . . . . . . . . . . .  7
     3.1.  Key Exchange . . . . . . . . . . . . . . . . . . . . . . .  7
     3.2.  Cipher . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.3.  Hash and PRFs  . . . . . . . . . . . . . . . . . . . . . .  7
       3.3.1.  Hash and PRFs prior to TLS 1.2 . . . . . . . . . . . .  7
       3.3.2.  Hash and PRFs for TLS 1.2  . . . . . . . . . . . . . .  7
     3.4.  PSK cipher suites  . . . . . . . . . . . . . . . . . . . .  7
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 12
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 13
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15



























Katagi                  Expires November 3, 2012                [Page 2]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


1.  Introduction

   This document specifies cipher suites for the Transport Layer
   Security (TLS) [RFC5246] protocol to support the CLEFIA [RFC6114]
   encryption algorithm as a block cipher algorithm.  The proposed
   ciphersuites include variants using the SHA-2 family of cryptographic
   hash functions [FIPS180-3] and Galois/Counter Mode (GCM) [GCM].
   Elliptic Curve Cryptography (ECC) cipher suites and Pre-Shared Key
   (PSK) [RFC4279] cipher suites are also included.

1.1.  CLEFIA

   CLEFIA is a 128-bit blockcipher algorithm, with key lengths of 128,
   192, and 256 bits, which is compatible with the interface of the
   Advanced Encryption Standard (AES) [FIPS-197].  The algorithm of
   CLEFIA was published in 2007 [FSE07].  Since AES was designed,
   cryptographic technologies have been advancing: new techniques on
   attack, design and implementation are extensively studied.  CLEFIA is
   designed based on the state-of-the-art techniques on design and
   analysis of block ciphers.  The security of CLEFIA has been
   scrutinized in the public community, and no security weaknesses have
   been reported so far.

   CLEFIA is a general purpose blockcipher, and offers high performance
   in software and hardware.  Especially, CLEFIA has an advantage in
   efficient hardware implementation over AES, Camellia, and SEED, which
   can be used in TLS.  Its gate efficiency, which is defined as the
   ratio of speed to gate size, is superior to these ciphers [ISCAS08].

   CLEFIA is standardized in ISO/IEC 29192-2 [ISO29192-2].  ISO/IEC
   29192 is a standardization project of "LightWeight Cryptography
   (LWC)", which is a cryptographic algorithm or protocol tailored for
   implementation in constrained environments including RFID tags,
   sensors, contactless smart cards and so on.  LWC contributes to the
   security of the constrained devices connecting with IP.  CLEFIA is
   also proposed in the CRYPTREC project for the revision of the
   e-Government recommended ciphers list in Japan [CRYPTREC].

   The algorithm specification is described in RFC6114 [RFC6114].
   Further information about CLEFIA, which includes design rationale,
   security evaluations, implementation results, and a reference code,
   is available from [CLEFIAWEB].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [RFC2119].



Katagi                  Expires November 3, 2012                [Page 3]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


2.  Proposed Cipher Suites

2.1.  SHA-1 based Cipher Suites

   The eight cipher suites use CLEFIA [RFC6114] in Cipher Block Chaining
   (CBC) mode with SHA-1 [FIPS180-3].

     CipherSuite TLS_RSA_WITH_CLEFIA_128_CBC_SHA            = {TBD,TBD};
     CipherSuite TLS_DHE_DSS_WITH_CLEFIA_128_CBC_SHA        = {TBD,TBD};
     CipherSuite TLS_DHE_RSA_WITH_CLEFIA_128_CBC_SHA        = {TBD,TBD};
     CipherSuite TLS_DH_anon_WITH_CLEFIA_128_CBC_SHA        = {TBD,TBD};
     CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_128_CBC_SHA    = {TBD,TBD};
     CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_128_CBC_SHA      = {TBD,TBD};
     CipherSuite TLS_PSK_WITH_CLEFIA_128_CBC_SHA            = {TBD,TBD};
     CipherSuite TLS_DHE_PSK_WITH_CLEFIA_128_CBC_SHA        = {TBD,TBD};

2.2.  CBC + HMAC based Cipher Suites

   The twenty cipher suites use CLEFIA in Cipher Block Chaining (CBC)
   mode with Hash-based Message Authentication Code (HMAC) with the
   SHA-2 family.  Eight out of twenty use elliptic curves cryptography.

     CipherSuite TLS_RSA_WITH_CLEFIA_128_CBC_SHA256         = {TBD,TBD};
     CipherSuite TLS_DH_DSS_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
     CipherSuite TLS_DH_RSA_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
     CipherSuite TLS_DHE_DSS_WITH_CLEFIA_128_CBC_SHA256     = {TBD,TBD};
     CipherSuite TLS_DHE_RSA_WITH_CLEFIA_128_CBC_SHA256     = {TBD,TBD};
     CipherSuite TLS_DH_anon_WITH_CLEFIA_128_CBC_SHA256     = {TBD,TBD};
     CipherSuite TLS_RSA_WITH_CLEFIA_256_CBC_SHA384         = {TBD,TBD};
     CipherSuite TLS_DH_DSS_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};
     CipherSuite TLS_DH_RSA_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};
     CipherSuite TLS_DHE_DSS_WITH_CLEFIA_256_CBC_SHA384     = {TBD,TBD};
     CipherSuite TLS_DHE_RSA_WITH_CLEFIA_256_CBC_SHA384     = {TBD,TBD};
     CipherSuite TLS_DH_anon_WITH_CLEFIA_256_CBC_SHA384     = {TBD,TBD};

     CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_128_CBC_SHA256 = {TBD,TBD};
     CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_128_CBC_SHA256  = {TBD,TBD};
     CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_128_CBC_SHA256   = {TBD,TBD};
     CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_128_CBC_SHA256    = {TBD,TBD};
     CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_256_CBC_SHA384 = {TBD,TBD};
     CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_256_CBC_SHA384  = {TBD,TBD};
     CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_256_CBC_SHA384   = {TBD,TBD};
     CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_256_CBC_SHA384    = {TBD,TBD};








Katagi                  Expires November 3, 2012                [Page 4]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


2.3.  GCM based Cipher Suites

   The twenty cipher suites use the same asymmetric key algorithms as
   those in the previous section but use the authenticated encryption
   modes defined in TLS 1.2 [RFC5246] with CLEFIA in GCM [GCM].

    CipherSuite TLS_RSA_WITH_CLEFIA_128_GCM_SHA256          = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_DH_RSA_WITH_CLEFIA_128_GCM_SHA256       = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_DH_DSS_WITH_CLEFIA_128_GCM_SHA256       = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_RSA_WITH_CLEFIA_256_GCM_SHA384          = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};
    CipherSuite TLS_DH_RSA_WITH_CLEFIA_256_GCM_SHA384       = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};
    CipherSuite TLS_DH_DSS_WITH_CLEFIA_256_GCM_SHA384       = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};

    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_128_GCM_SHA256  = {TBD,TBD};
    CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_128_GCM_SHA256   = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_128_GCM_SHA256    = {TBD,TBD};
    CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_128_GCM_SHA256     = {TBD,TBD};
    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_256_GCM_SHA384  = {TBD,TBD};
    CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_256_GCM_SHA384   = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_256_GCM_SHA384    = {TBD,TBD};
    CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_256_GCM_SHA384     = {TBD,TBD};

2.4.  PSK based Cipher Suites

   The fourteen cipher suites describe PSK cipher suites.  The first
   eight cipher suites use the CLEFIA in CBC mode with HMAC with the
   SHA-2 family and the next six cipher suites use CLEFIA in GCM.

     CipherSuite TLS_PSK_WITH_CLEFIA_128_CBC_SHA256        = {TBD,TBD};
     CipherSuite TLS_DHE_PSK_WITH_CLEFIA_128_CBC_SHA256    = {TBD,TBD};
     CipherSuite TLS_RSA_PSK_WITH_CLEFIA_128_CBC_SHA256    = {TBD,TBD};
     CipherSuite TLS_ECDHE_PSK_WITH_CLEFIA_128_CBC_SHA256  = {TBD,TBD};
     CipherSuite TLS_PSK_WITH_CLEFIA_256_CBC_SHA384        = {TBD,TBD};
     CipherSuite TLS_DHE_PSK_WITH_CLEFIA_256_CBC_SHA384    = {TBD,TBD};
     CipherSuite TLS_RSA_PSK_WITH_CLEFIA_256_CBC_SHA384    = {TBD,TBD};
     CipherSuite TLS_ECDHE_PSK_WITH_CLEFIA_256_CBC_SHA384  = {TBD,TBD};

     CipherSuite TLS_PSK_WITH_CLEFIA_128_GCM_SHA256        = {TBD,TBD};
     CipherSuite TLS_DHE_PSK_WITH_CLEFIA_128_GCM_SHA256    = {TBD,TBD};
     CipherSuite TLS_RSA_PSK_WITH_CLEFIA_128_GCM_SHA256    = {TBD,TBD};
     CipherSuite TLS_PSK_WITH_CLEFIA_256_GCM_SHA384        = {TBD,TBD};
     CipherSuite TLS_DHE_PSK_WITH_CLEFIA_256_GCM_SHA384    = {TBD,TBD};



Katagi                  Expires November 3, 2012                [Page 5]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


     CipherSuite TLS_RSA_PSK_WITH_CLEFIA_256_GCM_SHA384    = {TBD,TBD};


















































Katagi                  Expires November 3, 2012                [Page 6]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


3.  Cipher Suite Definitions

3.1.  Key Exchange

   The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, ECDH, DH_anon, and ECDHE
   key exchanges are performed as defined in RFC5246 [RFC5246].

3.2.  Cipher

   The CLEFIA_128_CBC cipher suites use CLEFIA [RFC6114] in CBC mode
   with a 128-bit key and 128-bit Initialization Vector (IV); the
   CLEFIA_256_CBC cipher suites use a 256-bit key and 128-bit IV.

   AES-authenticated encryption with associated data algorithms,
   AEAD_AES_128_GCM and AEAD_AES_256_GCM are described in RFC5116
   [RFC5116].  AES GCM cipher suites for TLS are described in RFC5288
   [RFC5288].  AES and CLEFIA share common characteristics, including
   key sizes and block length.  CLEFIA_128_GCM and CLEFIA_256_GCM are
   defined according to those characteristics of AES.

3.3.  Hash and PRFs

3.3.1.  Hash and PRFs prior to TLS 1.2

   The cipher suites ending with _SHA use HMAC-SHA1 as the MAC
   algorithm.

   When used with TLS versions prior to TLS 1.2 ( TLS 1.0 [RFC2246] and
   TLS 1.1 [RFC4346]), the PRF is calculated as specified in the
   appropriate version of the TLS specification.

3.3.2.  Hash and PRFs for TLS 1.2

   The hash algorithms and pseudorandom function (PRF) algorithms for
   TLS 1.2 [RFC5246] SHALL be as follows:

   a) The cipher suites ending with _SHA256 use HMAC-SHA-256 [RFC2104]
   as the MAC algorithm, The PRF is the TLS PRF [RFC5246] with SHA-256
   [FIPS180-3] as the hash function,
   b) The cipher suites ending with _SHA384 use HMAC-SHA-384 [RFC2104]
   as the MAC algorithm, The PRF is the TLS PRF [RFC5246] with SHA-384
   [FIPS180-3] as the hash function.

3.4.  PSK cipher suites

   PSK cipher suites for TLS are described in RFC4279 [RFC4279], RFC4785
   [RFC4785], RFC5487 [RFC5487], and RFC5489 [RFC5489].




Katagi                  Expires November 3, 2012                [Page 7]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


4.  Security Considerations

   The security of CLEFIA algorithm has been scrutinized in the public
   community since the algorithm was proposed, but no security
   weaknesses have been reported so far.

   The cipher suites with SHA-1 are included in this document for
   interoperability with TLS prior to 1.2.  NIST SP 800-131A describes
   that SHA-1 for non-digital signature applications (including HMAC-
   SHA-1) is acceptable; no security risk is currently known.  The use
   of SHA-1 for digital signature generation by US Federal government
   agencies is allowed through 2013, but the user must accept some risk
   [SP800-131A].  SHA-1 may be used for digital signature verification
   in legacy-use, but there may be risk in doing so.  Methods for
   mitigating this risk should be considered [SP800-131A].

   For other security considerations, please refer to the security
   considerations in previous RFCs ([RFC4279], [RFC4785], [RFC5116],
   [RFC5288], [RFC5289], [RFC5487], and [GCM]).  These apply to this
   document as well.































Katagi                  Expires November 3, 2012                [Page 8]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


5.  IANA Considerations

   IANA is requested to allocate (has allocated) the following numbers
   in the TLS Cipher Suite Registry:

    CipherSuite TLS_RSA_WITH_CLEFIA_128_CBC_SHA             = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_128_CBC_SHA         = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_128_CBC_SHA         = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_128_CBC_SHA         = {TBD,TBD};
    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_128_CBC_SHA     = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_128_CBC_SHA       = {TBD,TBD};
    CipherSuite TLS_PSK_WITH_CLEFIA_128_CBC_SHA             = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CLEFIA_128_CBC_SHA         = {TBD,TBD};

    CipherSuite TLS_RSA_WITH_CLEFIA_128_CBC_SHA256          = {TBD,TBD};
    CipherSuite TLS_DH_DSS_WITH_CLEFIA_128_CBC_SHA256       = {TBD,TBD};
    CipherSuite TLS_DH_RSA_WITH_CLEFIA_128_CBC_SHA256       = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
    CipherSuite TLS_RSA_WITH_CLEFIA_256_CBC_SHA384          = {TBD,TBD};
    CipherSuite TLS_DH_DSS_WITH_CLEFIA_256_CBC_SHA384       = {TBD,TBD};
    CipherSuite TLS_DH_RSA_WITH_CLEFIA_256_CBC_SHA384       = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};

    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_128_CBC_SHA256  = {TBD,TBD};
    CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_128_CBC_SHA256   = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_128_CBC_SHA256    = {TBD,TBD};
    CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_128_CBC_SHA256     = {TBD,TBD};
    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_256_CBC_SHA384  = {TBD,TBD};
    CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_256_CBC_SHA384   = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_256_CBC_SHA384    = {TBD,TBD};
    CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_256_CBC_SHA384     = {TBD,TBD};

    CipherSuite TLS_RSA_WITH_CLEFIA_128_GCM_SHA256          = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_DH_RSA_WITH_CLEFIA_128_GCM_SHA256       = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_DH_DSS_WITH_CLEFIA_128_GCM_SHA256       = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_RSA_WITH_CLEFIA_256_GCM_SHA384          = {TBD,TBD};
    CipherSuite TLS_DHE_RSA_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};
    CipherSuite TLS_DH_RSA_WITH_CLEFIA_256_GCM_SHA384       = {TBD,TBD};
    CipherSuite TLS_DHE_DSS_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};
    CipherSuite TLS_DH_DSS_WITH_CLEFIA_256_GCM_SHA384       = {TBD,TBD};
    CipherSuite TLS_DH_anon_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};



Katagi                  Expires November 3, 2012                [Page 9]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_128_GCM_SHA256  = {TBD,TBD};
    CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_128_GCM_SHA256   = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_128_GCM_SHA256    = {TBD,TBD};
    CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_128_GCM_SHA256     = {TBD,TBD};
    CipherSuite TLS_ECDHE_ECDSA_WITH_CLEFIA_256_GCM_SHA384  = {TBD,TBD};
    CipherSuite TLS_ECDH_ECDSA_WITH_CLEFIA_256_GCM_SHA384   = {TBD,TBD};
    CipherSuite TLS_ECDHE_RSA_WITH_CLEFIA_256_GCM_SHA384    = {TBD,TBD};
    CipherSuite TLS_ECDH_RSA_WITH_CLEFIA_256_GCM_SHA384     = {TBD,TBD};

    CipherSuite TLS_PSK_WITH_CLEFIA_128_CBC_SHA256          = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CLEFIA_128_CBC_SHA256      = {TBD,TBD};
    CipherSuite TLS_ECDHE_PSK_WITH_CLEFIA_128_CBC_SHA256    = {TBD,TBD};
    CipherSuite TLS_PSK_WITH_CLEFIA_256_CBC_SHA384          = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CLEFIA_256_CBC_SHA384      = {TBD,TBD};
    CipherSuite TLS_ECDHE_PSK_WITH_CLEFIA_256_CBC_SHA384    = {TBD,TBD};

    CipherSuite TLS_PSK_WITH_CLEFIA_128_GCM_SHA256          = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CLEFIA_128_GCM_SHA256      = {TBD,TBD};
    CipherSuite TLS_PSK_WITH_CLEFIA_256_GCM_SHA384          = {TBD,TBD};
    CipherSuite TLS_DHE_PSK_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};
    CipherSuite TLS_RSA_PSK_WITH_CLEFIA_256_GCM_SHA384      = {TBD,TBD};



























Katagi                  Expires November 3, 2012               [Page 10]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


6.  Acknowledgements

   We would like to thank Shoichi Sakane for providing valuable
   comments.















































Katagi                  Expires November 3, 2012               [Page 11]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


7.  References

7.1.  Normative References

   [FIPS180-3]
              National Institute of Standards and Technology, "Secure
              Hash Standard (SHS)", FIPS PUB 180-3, October 2008, <http:
              //csrc.nist.gov/publications/fips/fips180-3/
              fips180-3_final.pdf>.

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) for Confidentiality
              and Authentication", April 2006, <http://csrc.nist.gov/
              publications/drafts/
              Draft-NIST_SP800-38D_Public_Comment.pdf>.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4279]  Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
              for Transport Layer Security (TLS)", RFC 4279,
              December 2005.

   [RFC4785]  Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK)
              Ciphersuites with NULL Encryption for Transport Layer
              Security (TLS)", RFC 4785, January 2007.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
              256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              August 2008.

   [RFC5487]  Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-
              256/384 and AES Galois Counter Mode", RFC 5487,
              March 2009.



Katagi                  Expires November 3, 2012               [Page 12]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC6114]  Katagi, M. and S. Moriai, "The 128-Bit Blockcipher
              CLEFIA", RFC 6114, March 2011.

7.2.  Informative References

   [CLEFIAWEB]
              Sony Corporation, "The 128-bit blockcipher CLEFIA",
              <http://www.sony.net/clefia>.

   [CRYPTREC]
              Cryptography Research and Evaluation Committees, "the
              revision of the e-Government Recommended Ciphers List",
              <http://www.cryptrec.go.jp/>.

   [FIPS-197]
              National Institute of Standards and Technology, "Advanced
              Encryption Standard (AES)", FIPS PUB 197, November 2001, <
              http://csrc.nist.gov/publications/fips/fips197/
              fips-197.pdf>.

   [FSE07]    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., and
              T. Iwata, "The 128-bit Blockcipher CLEFIA", proceedings of
              Fast Software Encryption 2007 - FSE 2007,
              LNCS4593, pp.181-195, Springer-Verlag, 2007.

   [ISCAS08]  Sugawara, T., Homma, N., Aoki, T., and A. Satoh, "High-
              performance ASIC implementations of the 128-bit block
              cipher CLEFIA", ISCAS 2008, pp.2925-2928, IEEE, 2008.

   [ISO29192-2]
              ISO/IEC 29192-2, "Information technology - Security
              techniques - Lightweight cryptography - Part 2: Block
              ciphers", <http://www.iso.org/iso/iso_catalogue/
              catalogue_tc/catalogue_detail.htm?csnumber=56552>.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [SP800-131A]
              National Institute of Standards and Technology,
              "Transitions: Recommendation for Transitioning the Use of
              Cryptographic Algorithms and Key Lengths", SP 800-131A,



Katagi                  Expires November 3, 2012               [Page 13]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


              January 2011, <http://csrc.nist.gov/publications/nistpubs/
              800-131A/sp800-131A.pdf>.

















































Katagi                  Expires November 3, 2012               [Page 14]

Internet-Draft        CLEFIA Cipher Suites for TLS              May 2012


Author's Address

   Masanobu Katagi
   Sony Corporation

   Phone: +81-3-5448-3701
   Fax:   +81-3-5448-6438
   Email: Masanobu.Katagi@jp.sony.com











































Katagi                  Expires November 3, 2012               [Page 15]