Internet DRAFT - draft-mcgrew-tls-aes-ccm

draft-mcgrew-tls-aes-ccm






TLS Working Group                                              D. McGrew
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                               D. Bailey
Expires: November 9, 2012              RSA, the Security Division of EMC
                                                             May 8, 2012


                     AES-CCM Cipher Suites for TLS
                      draft-mcgrew-tls-aes-ccm-04

Abstract

   This memo describes the use of the Advanced Encryption Standard (AES)
   in the Counter and CBC-MAC Mode (CCM) of operation within Transport
   Layer Security (TLS) and Datagram TLS (DTLS) to provide
   confidentiality and data origin authentication.  The AES-CCM
   algorithm is amenable to compact implementations, making it suitable
   for constrained environments.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 9, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



McGrew & Bailey         Expires November 9, 2012                [Page 1]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3

   2.  Conventions Used In This Document . . . . . . . . . . . . . . . 3

   3.  RSA Based AES-CCM Cipher Suites . . . . . . . . . . . . . . . . 3

   4.  PSK Based AES-CCM Cipher Suites . . . . . . . . . . . . . . . . 4

   5.  TLS Versions  . . . . . . . . . . . . . . . . . . . . . . . . . 5

   6.  New AEAD algorithms . . . . . . . . . . . . . . . . . . . . . . 5
     6.1.  AES-128-CCM with an 8-octet Integrity Check Value (ICV) . . 5
     6.2.  AES-256-CCM with a 8-octet Integrity Check Value (ICV)  . . 6

   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6

   8.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
     8.1.  Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . 6
     8.2.  Counter Reuse . . . . . . . . . . . . . . . . . . . . . . . 6

   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6

   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     10.1. Normative References  . . . . . . . . . . . . . . . . . . . 7
     10.2. Informative References  . . . . . . . . . . . . . . . . . . 7

   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 8


















McGrew & Bailey         Expires November 9, 2012                [Page 2]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


1.  Introduction

   This document describes the use of Advanced Encryption Standard (AES)
   [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS
   ciphersuites.  AES-CCM provides both authentication and
   confidentiality and uses as its only primitive the AES encrypt
   operation (the AES decrypt operation is not needed).  This makes it
   amenable to compact implementations, which is advantageous in
   constrained environments.  Of course, adoption outside of constrained
   environments is necessary to enable interoperability, such as that
   between web clients and embedded servers, or between embedded clients
   and web servers.  The use of AES-CCM has been specified for IPsec ESP
   [RFC4309] and 802.15.4 wireless networks [IEEE802154].

   Authenticated encryption, in addition to providing confidentiality
   for the plaintext that is encrypted, provides a way to check its
   integrity and authenticity.  Authenticated Encryption with Associated
   Data, or AEAD [RFC5116], adds the ability to check the integrity and
   authenticity of some associated data that is not encrypted.  This
   note utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES-
   CCM-based AEAD algorithms defined in [RFC5116].  Additional AEAD
   algorithms are defined, which use AES-CCM but which have shorter
   authentication tags, and therefore are more suitable for use across
   networks in which bandwidth is constrained and message sizes may be
   small.

   The ciphersuites defined in this document use RSA or Pre-Shared Key
   (PSK) as their key establishment mechanism; these ciphersuites can be
   used with DTLS [RFC6347].  Since the abiltiy to use AEAD ciphers was
   introduced in DTLS version 1.2, the ciphersuites defined in this note
   cannot be used with earlier versions of that protocol.


2.  Conventions Used In This Document

   he key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119]


3.  RSA Based AES-CCM Cipher Suites

   The ciphersuites defined in this document are based on the the AES-
   CCM authenticated encryption with associated data (AEAD) algorithms
   AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116].  The
   following RSA-based ciphersuites are defined:





McGrew & Bailey         Expires November 9, 2012                [Page 3]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


      CipherSuite TLS_RSA_WITH_AES_128_CCM = {TBD1,TBD1}
      CipherSuite TLS_RSA_WITH_AES_256_CCM = {TBD2,TBD2)
      CipherSuite TLS_DHE_RSA_WITH_AES_128_CCM = {TBD3,TBD3}
      CipherSuite TLS_DHE_RSA_WITH_AES_256_CCM = {TBD4,TBD4}
      CipherSuite TLS_RSA_WITH_AES_128_CCM_8 = {TBD5,TBD5}
      CipherSuite TLS_RSA_WITH_AES_256_CCM_8 = {TBD6,TBD6)
      CipherSuite TLS_DHE_RSA_WITH_AES_128_CCM_8 = {TBD7,TBD7}
      CipherSuite TLS_DHE_RSA_WITH_AES_256_CCM_8 = {TBD8,TBD8}

   These ciphersuites make use of the AEAD capability in TLS 1.2
   [RFC5246].  Each uses AES-CCM; those that end in "_8" have an 8-octet
   authentication tag, while the other ciphersuites have 16-octet
   authentication tags.

   The HMAC truncation option described in Section 7 of [RFC6066] (which
   negotiates the "truncated_hmac" TLS extension) does not have an
   effect on cipher suites that do not use HMAC.

   The "nonce" input to the AEAD algorithm is exactly that of [RFC5288]:
   the "nonce" SHALL be 12 bytes long and is constructed as follows:

            struct {
               case client:
                  uint32 client_write_IV;  // low order 32-bits
               case server:
                  uint32 server_write_IV;  // low order 32-bits
               uint64 seq_num;
            } CCMNonce.

   In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the
   48-bit seq_num.

   These ciphersuites make use of the default TLS 1.2 Pseudorandom
   Function (PRF), which uses HMAC with the SHA-256 hash function.  The
   RSA and RSA-DHE key exchange is performed as defined in [RFC5246].


4.  PSK Based AES-CCM Cipher Suites

   As in Section Section 3, these ciphersuites follow [RFC5116].  The
   PSK and DHE_PSK key exchange is performed as in [RFC4279].  The
   following ciphersuites are defined:

      CipherSuite TLS_PSK_WITH_AES_128_CCM = {TBD9,TBD9}
      CipherSuite TLS_PSK_WITH_AES_256_CCM = {TBD10,TBD10)
      CipherSuite TLS_DHE_PSK_WITH_AES_128_CCM = {TBD11,TBD11}
      CipherSuite TLS_DHE_PSK_WITH_AES_256_CCM = {TBD12,TBD12}
      CipherSuite TLS_PSK_WITH_AES_128_CCM_8 = {TBD13,TBD13}



McGrew & Bailey         Expires November 9, 2012                [Page 4]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


      CipherSuite TLS_PSK_WITH_AES_256_CCM_8 = {TBD14,TBD14)
      CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM_8 = {TBD15,TBD15}
      CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM_8 = {TBD16,TBD16}

   The "nonce" input to the AEAD algorithm is defined as in Section
   Section 3.

   These ciphersuites make use of the default TLS 1.2 Pseudorandom
   Function (PRF), which uses HMAC with the SHA-256 hash function.  The
   PSK and PSK-DHE key exchange is performed as defined in [RFC5487].


5.  TLS Versions

   These ciphersuites make use of the authenticated encryption with
   additional data (AEAD) defined in TLS 1.2 [RFC5288].  Earlier
   versions of TLS do not have support for AEAD; for instance, the
   TLSCiphertext structure does not have the "aead" option in TLS 1.1.
   Consequently, these ciphersuites MUST NOT be negotiated in older
   versions of TLS.  Clients MUST NOT offer these cipher suites if they
   do not offer TLS 1.2 or later.  Servers which select an earlier
   version of TLS MUST NOT select one of these cipher suites.  Because
   TLS has no way for the client to indicate that it supports TLS 1.2
   but not earlier, a non-compliant server might potentially negotiate
   TLS 1.1 or earlier and select one of the cipher suites in this
   document.  Clients MUST check the TLS version and generate a fatal
   "illegal_parameter" alert if they detect an incorrect version.


6.  New AEAD algorithms

   The following AEAD algorithms are defined:
      AEAD_AES_128_CCM_8 = TBD17
      AEAD_AES_256_CCM_8 = TBD18

6.1.  AES-128-CCM with an 8-octet Integrity Check Value (ICV)

   The AEAD_AES_128_CCM_8 authenticated encryption algorithm is
   identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of
   [RFC5116]), except that it uses eight octets for authentication,
   instead of the full sixteen octets used by AEAD_AES_128_CCM.  The
   AEAD_AES_128_CCM_8 ciphertext consists of the ciphertext output of
   the CCM encryption operation concatenated with the 8-octet
   authentication tag output of the CCM encryption operation.  Test
   cases are provided in [CCM].  The input and output lengths are as for
   AEAD_AES_128_CCM.  An AEAD_AES_128_CCM_8 ciphertext is exactly 8
   octets longer than its corresponding plaintext.




McGrew & Bailey         Expires November 9, 2012                [Page 5]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


6.2.  AES-256-CCM with a 8-octet Integrity Check Value (ICV)

   The AEAD_AES_256_CCM_8 authenticated encryption algorithm is
   identical to the AEAD_AES_256_CCM algorithm (see Section 5.4 of
   [RFC5116]), except that it uses eight octets for authentication,
   instead of the full sixteen octets used by AEAD_AES_256_CCM.  The
   AEAD_AES_256_CCM_8 ciphertext consists of the ciphertext output of
   the CCM encryption operation concatenated with the 8-octet
   authentication tag output of the CCM encryption operation.  Test
   cases are provided in [CCM].  The input and output lengths are as as
   for AEAD_AES_128_CCM.  An AEAD_AES_128_CCM_8 ciphertext is exactly 8
   octets longer than its corresponding plaintext.


7.  IANA Considerations

   IANA is requested to assign the values for the ciphersuites defined
   in Section 3 and Section 4 from the TLS and DTLS CipherSuite
   registries, and the values of the AEAD algorithms defined in
   Section 6 from the AEAD algorithm registry.  IANA, please note that
   the DTLS-OK column should be marked as "Y" for each of these
   algorithms.


8.  Security Considerations

8.1.  Perfect Forward Secrecy

   The perfect forward secrecy properties of RSA based TLS ciphersuites
   are discussed in the security analysis of [RFC5246].  It should be
   noted that only the ephemeral Diffie-Hellman based ciphersuites are
   capable of providing perfect forward secrecy.

8.2.  Counter Reuse

   AES-CCM security requires that the counter is never reused.  The IV
   construction in Section 3 is designed to prevent counter reuse.


9.  Acknowledgements

   This draft borrows heavily from [RFC5288].  Thanks are due to Stephen
   Farrell and Robert Cragie for their input.


10.  References





McGrew & Bailey         Expires November 9, 2012                [Page 6]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


10.1.  Normative References

   [AES]      National Institute of Standards and Technology,
              "Specification for the Advanced Encryption Standard
              (AES)", FIPS 197, November 2001.

   [CCM]      National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation: The
              CCM Mode for Authentication and Confidentiality", SP 800-
              38C, May 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4279]  Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
              for Transport Layer Security (TLS)", RFC 4279,
              December 2005.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              August 2008.

   [RFC5487]  Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-
              256/384 and AES Galois Counter Mode", RFC 5487,
              March 2009.

   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
              Extension Definitions", RFC 6066, January 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

10.2.  Informative References

   [IEEE802154]
              Institute of Electrical and Electronics Engineers,
              "Wireless Personal Area Networks", IEEE Standard 802.15.4-
              2006, 2006.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.



McGrew & Bailey         Expires November 9, 2012                [Page 7]

Internet-Draft            AES-CCM Ciphersuites                  May 2012


Authors' Addresses

   David McGrew
   Cisco Systems
   13600 Dulles Technology Drive
   Herndon, VA  20171
   USA

   Email: mcgrew@cisco.com


   Daniel V. Bailey
   RSA, the Security Division of EMC
   174 Middlesex Tpke.
   Bedford, MA  01463
   USA

   Email: dbailey@rsa.com

































McGrew & Bailey         Expires November 9, 2012                [Page 8]