Internet Engineering Task Force (IETF)                          A. Popov
Request for Comments: 7465                               Microsoft Corp.
Updates: 5246, 4346, 2246                                  February 2015
Category: Standards Track
ISSN: 2070-1721
        
Internet Engineering Task Force (IETF)                          A. Popov
Request for Comments: 7465                               Microsoft Corp.
Updates: 5246, 4346, 2246                                  February 2015
Category: Standards Track
ISSN: 2070-1721
        

Prohibiting RC4 Cipher Suites

禁止RC4密码套件

Abstract

摘要

This document requires that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections. This applies to all TLS versions. This document updates RFCs 5246, 4346, and 2246.

本文档要求传输层安全性(TLS)客户端和服务器在建立连接时从不协商RC4密码套件的使用。这适用于所有TLS版本。本文档更新了RFCs 5246、4346和2246。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7465.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7465.

Copyright Notice

版权公告

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2015 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  Changes to TLS  . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   4.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     4.2.  Informative References  . . . . . . . . . . . . . . . . .   3
   Appendix A.  RC4 Cipher Suites  . . . . . . . . . . . . . . . . .   5
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  Changes to TLS  . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   4.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     4.2.  Informative References  . . . . . . . . . . . . . . . . .   3
   Appendix A.  RC4 Cipher Suites  . . . . . . . . . . . . . . . . .   5
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6
        
1. Introduction
1. 介绍

RC4 is a stream cipher that is described in [SCH]; it is widely supported, and often preferred by TLS servers. However, RC4 has long been known to have a variety of cryptographic weaknesses, e.g., see [PAU], [MAN], and [FLU]. Recent cryptanalysis results [ALF] exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts.

RC4是[SCH]中描述的流密码;它得到广泛支持,并且通常是TLS服务器的首选。然而,人们早就知道RC4具有各种密码弱点,例如,see[PAU]、[MAN]和[FLU]。最近的密码分析结果[ALF]利用RC4密钥流中的偏差来恢复重复加密的明文。

These recent results are on the verge of becoming practically exploitable; currently, they require 2^26 sessions or 13x2^30 encryptions. As a result, RC4 can no longer be seen as providing a sufficient level of security for TLS sessions.

这些最新成果即将成为可实际利用的成果;目前,它们需要2^26个会话或13x2^30个加密。因此,RC4不再被视为为为TLS会话提供了足够的安全级别。

This document requires that TLS ([RFC5246] [RFC4346] [RFC2246]) clients and servers never negotiate the use of RC4 cipher suites.

本文档要求TLS([RFC5246][RFC4346][RFC2246])客户端和服务器不得协商RC4密码套件的使用。

1.1. Requirements Language
1.1. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

2. Changes to TLS
2. TLS的更改

Because of the RC4 deficiencies noted in Section 1, the following apply:

由于第1节中指出的RC4缺陷,以下内容适用:

o TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.

o TLS客户端不得在ClientHello消息中包含RC4密码套件。

o TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message.

o 当TLS客户端在ClientHello消息中发送此类密码套件时,TLS服务器不得选择RC4密码套件。

o If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. The TLS server MAY send the insufficient_security fatal alert in this case.

o 如果TLS客户端仅提供RC4密码套件,则TLS服务器必须终止握手。在这种情况下,TLS服务器可能会发送不充分的\u安全致命警报。

Appendix A lists the RC4 cipher suites defined for TLS.

附录A列出了为TLS定义的RC4密码套件。

3. Security Considerations
3. 安全考虑

This document helps maintain the security guarantees of the TLS protocol by prohibiting the use of the RC4-based cipher suites (listed in Appendix A), which do not provide a sufficiently high level of security.

本文件通过禁止使用基于RC4的密码套件(列于附录A中)来帮助维护TLS协议的安全保证,这些密码套件不能提供足够高的安全级别。

4. References
4. 工具书类
4.1. Normative References
4.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.

[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999, <http://www.rfc-editor.org/info/rfc2246>.

[RFC2246]Dierks,T.和C.Allen,“TLS协议版本1.0”,RFC2246,1999年1月<http://www.rfc-editor.org/info/rfc2246>.

[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006, <http://www.rfc-editor.org/info/rfc4346>.

[RFC4346]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.1”,RFC 4346,2006年4月<http://www.rfc-editor.org/info/rfc4346>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月<http://www.rfc-editor.org/info/rfc5246>.

4.2. Informative References
4.2. 资料性引用

[ALF] AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., and J. Schuldt, "On the Security of RC4 in TLS and WPA", USENIX Security Symposium, July 2013, <https://www.usenix.org/conference/usenixsecurity13/ security-rc4-tls>.

[ALF]AlFardan,N.,Bernstein,D.,Paterson,K.,Poettering,B.,和J.Schuldt,“关于TLS和WPA中RC4的安全”,USENIX安全研讨会,2013年7月<https://www.usenix.org/conference/usenixsecurity13/ security-rc4-tls>。

[FLU] Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4", Selected Areas of Cryptography: SAC 2001, Lecture Notes in Computer Science Vol. 2259, pp 1-24, 2001.

[FLU]Fluhrer,S.,Mantin,I.,和A.Shamir,“RC4密钥调度算法的弱点”,密码学的选定领域:SAC 2001,计算机科学第2259卷讲稿,第1-24页,2001年。

[MAN] Mantin, I. and A. Shamir, "A Practical Attack on Broadcast RC4", Fast Software Encryption: FSE 2001, Lecture Notes in Computer Science Vol. 2355, pp 152-164, 2002.

[Mantin,I.和A.Shamir,“对广播RC4的实际攻击”,快速软件加密:FSE 2001,《计算机科学》第2355卷讲稿,第152-164页,2002年。

[PAU] Paul, G. and S. Maitra, "Permutation after RC4 Key Scheduling Reveals the Secret Key", Selected Areas of Cryptography: SAC 2007, Lecture Notes on Computer Science, Vol. 4876, pp 360-337, 2007.

[PAU]Paul,G.和S.Maitra,“RC4密钥调度后的排列揭示了秘密密钥”,密码学的选定领域:SAC 2007,计算机科学讲义,第4876卷,第360-337页,2007年。

[SCH] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and Source Code in C", 2nd Edition, 1996.

[SCH]Schneier,B.“应用密码学:C语言中的协议、算法和源代码”,第二版,1996年。

Appendix A. RC4 Cipher Suites
附录A.RC4密码套件

The following cipher suites defined for TLS use RC4:

为TLS定义的以下密码套件使用RC4:

o TLS_RSA_EXPORT_WITH_RC4_40_MD5

o TLS_RSA_导出_与_RC4_40_MD5

o TLS_RSA_WITH_RC4_128_MD5

o TLS_RSA_和RC4_128_MD5

o TLS_RSA_WITH_RC4_128_SHA

o TLS_RSA_与_RC4_128_SHA

o TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

o TLS_DH_anon_导出_RC4_40_MD5

o TLS_DH_anon_WITH_RC4_128_MD5

o TLS_DH_anon_与RC4_128_MD5

o TLS_KRB5_WITH_RC4_128_SHA

o TLS_KRB5_与_RC4_128_SHA

o TLS_KRB5_WITH_RC4_128_MD5

o TLS_KRB5_带RC4_128_MD5

o TLS_KRB5_EXPORT_WITH_RC4_40_SHA

o TLS_KRB5_出口_RC4_40_SHA

o TLS_KRB5_EXPORT_WITH_RC4_40_MD5

o TLS_KRB5_导出_RC4_40_MD5

o TLS_PSK_WITH_RC4_128_SHA

o TLS_PSK_与_RC4_128_SHA

o TLS_DHE_PSK_WITH_RC4_128_SHA

o TLS_DHE_PSK_与_RC4_128_SHA

o TLS_RSA_PSK_WITH_RC4_128_SHA

o TLS_RSA_PSK_与_RC4_128_SHA

o TLS_ECDH_ECDSA_WITH_RC4_128_SHA

o TLS_ECDH_ECDSA_与_RC4_128_SHA

o TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

o 带RC4的TLS_ECDHE_ECDSA_

o TLS_ECDH_RSA_WITH_RC4_128_SHA

o TLS_ECDH_RSA_与_RC4_128_SHA

o TLS_ECDHE_RSA_WITH_RC4_128_SHA

o TLS_ECDHE_RSA_与_RC4_128_SHA

o TLS_ECDH_anon_WITH_RC4_128_SHA

o TLS_ECDH_anon_与_RC4_128_SHA

o TLS_ECDHE_PSK_WITH_RC4_128_SHA

o 带RC4和128个SHA的TLS_ECDHE_PSK_

Acknowledgements

致谢

This document was inspired by discussions with Magnus Nystrom, Eric Rescorla, Joseph Salowey, Yaron Sheffer, Nagendra Modadugu, and others on the TLS mailing list.

本文件的灵感来源于与Magnus Nystrom、Eric Rescorla、Joseph Salowey、Yaron Sheffer、Nagendra Modadugu以及TLS邮件列表上其他人的讨论。

Author's Address

作者地址

Andrei Popov Microsoft Corp. One Microsoft Way Redmond, WA 98052 USA

安德烈·波波夫微软公司美国华盛顿州雷德蒙微软大道一号,邮编:98052

   EMail: andreipo@microsoft.com
        
   EMail: andreipo@microsoft.com