Internet Research Task Force Y. Yang
Internet-Draft BaishanCloud
Intended status: Informational R. Tse
Expires: October 24, 2018 Ribose
M-J. Saarinen
Independent Consultant
W. Wong
Hang Seng Management College
April 22, 2018
SM3 and SM4 Cipher Suites for TLS
draft-sca-curdle-tls-sm34-00
Abstract
This document describes TLS cipher suites that utilize the SM3
cryptographic hash algorithm (GB/T 32905-2016) and SM4 symmetric
blockcipher algorithm (GB/T 32907-2016), both published by the State
Cryptography Administration of China (SCA).
This document is a product of the Crypto Forum Research Group (CFRG).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 24, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
Yang, et al. Expires October 24, 2018 [Page 1]
Internet-Draft SM3/SM4 TLS Cipher Suites April 2018
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 3
3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. HMAC-Based . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Galois Counter Mode-Based . . . . . . . . . . . . . . . . 3
3.3. Counter and CBC-MAC Mode-Based . . . . . . . . . . . . . 4
3.4. OCB . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Normative References . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
The SM3 [I-D.sca-cfrg-sm3] [GBT.32905-2016] [ISO.IEC.10118-3] and SM4
[I-D.ribose-cfrg-sm4] [GBT.32907-2016] [ISO.IEC.18033-3.AMD2]
algorithms are published by the State Cryptography Administration
(SCA) of China [SCA] for authorized use within China. Both
algorithms are openly published and are now commonly available in
cryptographic libraries.
SM3 is a cryptographic hash algorithm that produces a 256-bit output
hash value, processes its input in 512-bit message blocks, and accepts
input lengths up to 2^(m).
SM4 is a symmetric encryption algorithm, specifically a blockcipher,
designed for data encryption; it acts on 128-bit blocks.
TLS versions at and beyond 1.2 [RFC5246] contain support for
authenticated encryption with additional data (AEAD) cipher modes
[RFC5116].
This document describes the use of SM4 [I-D.ribose-cfrg-sm4] in
conjunction with various key exchange mechanisms as a cipher suite
for TLS, in two ways:
o by using SM4 with authenticated encryption modes (CCM, GCM, OCB),
in a manner similar to [RFC7251];
o by using SM4 together with SM3 [I-D.sca-cfrg-sm3] as MAC, in a
manner similar to [RFC5288], [RFC5289] and [RFC7539].
TODO: describe SM4 AE modes...
2. Terms and Definitions
The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*",
"*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT
RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be
interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
when, they appear in all capitals, as shown here.
3. Cipher Suites
Cipher suites defined in this document are based on the SM4-CCM
Authenticated Encryption with Associated Data (AEAD) algorithms
AEAD_SM4_128_CCM and AEAD_SM4_256_CCM described in
[I-D.ribose-cfrg-sm4ae].
3.1. HMAC-Based
These cipher suites use SM4 in Cipher Block Chaining (CBC) mode with
an HMAC-based MAC:
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
These cipher suites are the same as the corresponding cipher suites
in [RFC5289] (with names here ending in "_SM3" in place of "_SHA256"),
except for the MAC and Pseudo Random Function (PRF) algorithms.
The PRF is the TLS PRF [RFC5246] with SM3 as the hash function. The
MAC is HMAC [RFC2104] with SM3 as the hash function.
3.2. Galois Counter Mode-Based
These cipher suites use the same asymmetric algorithms as those in
the previous section, but use the authenticated encryption modes
defined in TLS 1.3 [I-D.ietf-tls-tls13] with SM4 in Galois Counter
Mode (GCM):
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
These cipher suites use the authenticated encryption with additional
data algorithm AEAD_SM4_GCM described in [I-D.ribose-cfrg-sm4ae].
Each of these AEAD algorithms uses a 128-bit authentication tag with
GCM (in particular, as described in Section 3.5 of [RFC4366] and
Section 3 of [RFC5288]).
The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.
3.3. Counter and CBC-MAC Mode-Based
These cipher suites use the same asymmetric algorithms as those in
the previous section, but use the authenticated encryption modes
defined in TLS 1.3 with SM4 in Counter and CBC-MAC Mode (CCM):
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_RSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_DHE_RSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_DH_RSA_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_DHE_DSS_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_DH_DSS_WITH_SM4_CCM = {0xYY,0xYY};
CipherSuite TLS_DH_anon_WITH_SM4_CCM = {0xYY,0xYY};
These cipher suites use the authenticated encryption with additional
data algorithm AEAD_SM4_CCM described in [I-D.ribose-cfrg-sm4ae].
Each of these AEAD algorithms uses a 128-bit authentication tag with
CCM (in particular, as described in Section 3.5 of [RFC4366] and
Section 3 of [RFC5288]).
The "nonce" input to the AEAD algorithm is as defined in [RFC6655].
The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.
3.4. OCB
The following cipher suites are defined:
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_OCB = {0xYY,0xYY}
...
The "nonce" input to the AEAD algorithm is as defined in [RFC6655].
The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.
Further requirements provided in Section 2 of [RFC7251] apply.
4. TLS Versions
These cipher suites make use of the authenticated encryption with
additional data defined in TLS 1.2 [RFC5288].
o They *MUST NOT* be negotiated in older versions of TLS.
o Clients *MUST NOT* offer these cipher suites if they do not offer
TLS 1.2 or later.
o Servers that select an earlier version of TLS *MUST NOT* select
one of these cipher suites. Earlier versions do not have support
for AEAD; for instance, the TLSCiphertext structure does not have
the "aead" option in TLS 1.1. Because TLS has no way for the
client to indicate that it supports TLS 1.2 but not earlier
versions, a non-compliant server might potentially negotiate TLS
1.1 or earlier and select one of the cipher suites in this
document.
o Clients *MUST* check the TLS version and generate a fatal
"illegal_parameter" alert if they detect an incorrect version.
5. Security Considerations
The security considerations in [RFC4346], [RFC4492],
[I-D.ribose-cfrg-sm4], [I-D.sca-cfrg-sm3] apply.
o Products and services that utilize cryptography are regulated by
the SCA [SCA]; they must be explicitly approved or certified by
the SCA before being allowed to be sold or used in China.
o The cipher suites described in this document *SHOULD* only be
used with TLS 1.3 or greater [I-D.ietf-tls-tls13].
o CCM security requires that the counter never be reused. The
nonce/IV requirement in Section 3.3 is designed to prevent counter
reuse.
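The nonce construction that Section 3.3 inherits from [RFC6655], and
that the counter-reuse consideration above relies on, written out as
an added example (not code from this draft or its authors): a 4-byte
salt taken from the key block (the write_IV) concatenated with an
8-byte explicit part carried in each record, with the record sequence
number used as the explicit part so that no counter value repeats
under one key. The class and function names, the exhaustion check and
the uniqueness check are this example's own constructions.

```python
import struct

SALT_LEN = 4        # client/server_write_IV from the key block (RFC 6655 Section 3)
EXPLICIT_LEN = 8    # nonce_explicit sent in the record; here the 64-bit sequence number
MAX_SEQ = 2 ** 64 - 1


class CcmWriteState:
    """Nonce bookkeeping for one direction of a TLS 1.2 *_SM4_CCM connection.

    nonce = salt || nonce_explicit. The salt is fixed for the connection; the
    explicit part must never repeat under the same key. Using the record
    sequence number, which TLS already requires to be monotonic and never to
    wrap, makes the "never reuse the counter" rule a structural property
    rather than something each caller has to remember.
    """

    def __init__(self, write_iv: bytes):
        if len(write_iv) != SALT_LEN:
            raise ValueError("write_IV must be %d bytes" % SALT_LEN)
        self.salt = write_iv
        self.seq = 0

    def next_nonce(self):
        """Return (nonce for the AEAD, explicit part to put on the wire)."""
        if self.seq > MAX_SEQ:
            # Continuing here would wrap the counter and reuse a nonce;
            # TLS requires rekeying (renegotiation) before this point.
            raise RuntimeError("sequence number exhausted: rekey before sending")
        explicit = struct.pack(">Q", self.seq)
        self.seq += 1
        return self.salt + explicit, explicit


def reader_nonce(read_iv: bytes, nonce_explicit: bytes) -> bytes:
    """Receiver side: rebuild the nonce from its read_IV and the record's explicit part."""
    if len(read_iv) != SALT_LEN or len(nonce_explicit) != EXPLICIT_LEN:
        raise ValueError("bad nonce component length")
    return read_iv + nonce_explicit


def nonces_are_unique(state: CcmWriteState, count: int) -> bool:
    """Constructed check: draw `count` nonces from one state and confirm none repeats."""
    seen = set()
    for _ in range(count):
        nonce, _ = state.next_nonce()
        if nonce in seen:
            return False
        seen.add(nonce)
    return True
```

Each direction gets its own state with its own salt from the key
block, so client-to-server and server-to-client records never share a
nonce even though both sequence numbers start at zero.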
6. IANA Considerations
IANA has assigned the following values for these cipher suites:
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3 = {0xYY,0xYY};
7. References
7.1. Normative References
[GBT.32905-2016]
Standardization Administration of the People's Republic of
China, "GB/T 32905-2016: Information security techniques
-- SM3 cryptographic hash algorithm", August 2016,
<http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=45B1A67F20F3BF339211C391E9278F5E>.
[GBT.32907-2016]
Standardization Administration of the People's Republic of
China, "GB/T 32907-2016: Information security technology
-- SM4 block cipher algorithm", August 2016,
<http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=7803DE42D3BC5E80B0C3E5D8E873D56A>.
[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
March 2018.
[I-D.ribose-cfrg-sm4]
Tse, R., Wong, W., and M. Saarinen, "The SM4 Blockcipher
Algorithm And Its Modes Of Operations", draft-ribose-cfrg-sm4-10
(work in progress), April 2018.
[I-D.ribose-cfrg-sm4ae]
Tse, R., Wong, W., and M. Saarinen, "Authenticated
Encryption For The SM4 Blockcipher Algorithm",
draft-ribose-cfrg-sm4ae-00 (work in progress), April 2018.
[I-D.sca-cfrg-sm3]
Shen, S., Lee, X., Tse, R., Wong, W., and P. Yang, "The
SM3 Cryptographic Hash Function", draft-sca-cfrg-sm3-02
(work in progress), January 2018.
[ISO.IEC.10118-3]
International Organization for Standardization, "ISO/IEC
FDIS 10118-3 -- Information technology -- Security
techniques -- Hash-functions -- Part 3: Dedicated hash-functions",
September 2017,
<https://www.iso.org/standard/67116.html>.
[ISO.IEC.18033-3.AMD2]
International Organization for Standardization, "ISO/IEC
WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block
ciphers -- Amendment 2", June 2017,
<https://www.iso.org/standard/54531.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
[BOTAN] Lloyd, J., "Botan: Crypto and TLS for C++11", October
2017, <https://botan.randombit.net>.
[GB.15629.11-2003]
Standardization Administration of the People's Republic of
China, "Information technology -- Telecommunications and
information exchange between systems -- Local and
metropolitan area networks -- Specific requirements --
Part 11: Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specifications", May 2003,
<http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=74B9DD11287E72408C19C4D3A360D1BD>.
[GBT.33560-2017]
Standardization Administration of the People's Republic of
China, "GB/T 33560-2017: Information security technology
-- Cryptographic application identifier criterion
specification", May 2017,
<http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=252CF0F72A7BE339A56DEA7D774E8994>.
[GMT-0002-2012]
Office of State Commercial Administration of China, "GM/T
0002-2012: SM4 block cipher algorithm", March 2012,
<http://www.oscca.gov.cn/Column/Column_32.htm>.
[GMT-0004-2012]
Organization of State Commercial Administration of China,
"GM/T 0004-2012: SM3 Cryptographic Hash Algorithm", March
2012, <http://www.oscca.gov.cn/Column/Column_32.htm>.
[GMT-0006-2012]
Office of State Commercial Administration of China, "GM/T
0006-2012: Cryptographic Application Identifier Criterion
Specification", March 2012,
<http://www.oscca.gov.cn/Column/Column_32.htm>.
[ISO.IEC.18033-3]
International Organization for Standardization, "ISO/IEC
18033-3:2010 -- Encryption algorithms -- Part 3: Block
ciphers", December 2017,
<https://www.iso.org/standard/54531.html>.
[NIST.SP.800-38A]
Dworkin, M., "NIST Special Publication 800-38A:
Recommendation for Block Cipher Modes of Operation --
Methods and Techniques", December 2001,
<http://dx.doi.org/10.6028/NIST.SP.800-38A>.
[OPENSSL] OpenSSL Software Foundation, "OpenSSL: Cryptography and
SSL/TLS Toolkit", October 2017, <https://www.openssl.org>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346,
DOI 10.17487/RFC4346, April 2006,
<https://www.rfc-editor.org/info/rfc4346>.
[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006,
<https://www.rfc-editor.org/info/rfc4366>.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492,
DOI 10.17487/RFC4492, May 2006,
<https://www.rfc-editor.org/info/rfc4492>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<https://www.rfc-editor.org/info/rfc5116>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
DOI 10.17487/RFC5288, August 2008,
<https://www.rfc-editor.org/info/rfc5288>.
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
DOI 10.17487/RFC5289, August 2008,
<https://www.rfc-editor.org/info/rfc5289>.
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
Transport Layer Security (TLS)", RFC 6655,
DOI 10.17487/RFC6655, July 2012,
<https://www.rfc-editor.org/info/rfc6655>.
[RFC7251] McGrew, D., Bailey, D., Campagna, M., and R. Dugal,
"AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for
TLS", RFC 7251, DOI 10.17487/RFC7251, June 2014,
<https://www.rfc-editor.org/info/rfc7251>.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
<https://www.rfc-editor.org/info/rfc7539>.
[SCA] State Cryptography Administration of China, "State
Cryptography Administration of China", Dec 2017,
<http://www.sca.gov.cn>.
Appendix A. Acknowledgements
This document borrows heavily from [RFC5288], [RFC5289], [RFC7251].
Authors' Addresses
Paul Y. Yang
BaishanCloud
Building 16-3, Baitasan Street
Shenyang, Liaoning 110000
People's Republic of China
Email: yang.yang@baishancloud.com
URI: https://www.baishancloud.com
Ronald Henry Tse
Ribose
Suite 1111, 1 Pedder Street
Central, Hong Kong
People's Republic of China
Email: ronald.tse@ribose.com
URI: https://www.ribose.com
Markku-Juhani O. Saarinen
Independent Consultant
Email: mjos@iki.fi
URI: https://mjos.fi/
Wai Kit Wong
Hang Seng Management College
Hang Shin Link, Siu Lek Yuen
Shatin, Hong Kong
People's Republic of China
Email: wongwk@hsmc.edu.hk
URI: https://www.hsmc.edu.hk