Network Working Group P. Chown Request for Comments: 3268 Skygate Technology Category: Standards Track June 2002
Network Working Group P. Chown Request for Comments: 3268 Skygate Technology Category: Standards Track June 2002
Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
用于传输层安全(TLS)的高级加密标准(AES)密码套件
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
Abstract
摘要
This document proposes several new ciphersuites. At present, the symmetric ciphers supported by Transport Layer Security (TLS) are RC2, RC4, International Data Encryption Algorithm (IDEA), Data Encryption Standard (DES), and triple DES. The protocol would be enhanced by the addition of Advanced Encryption Standard (AES) ciphersuites.
本文档提出了几种新的密码套件。目前,传输层安全(TLS)支持的对称密码有RC2、RC4、国际数据加密算法(IDEA)、数据加密标准(DES)和三重DES。通过添加高级加密标准(AES)密码套件,该协议将得到增强。
Overview
概述
At present, the symmetric ciphers supported by TLS are RC2, RC4, IDEA, DES, and triple DES. The protocol would be enhanced by the addition of AES [AES] ciphersuites, for the following reasons:
目前,TLS支持的对称密码有RC2、RC4、IDEA、DES和三重DES。该协议将通过添加AES[AES]密码套件来增强,原因如下:
1. RC2, RC4, and IDEA are all subject to intellectual property claims. RSA Security Inc. has trademark rights in the names RC2 and RC4, and claims that the RC4 algorithm itself is a trade secret. Ascom Systec Ltd. owns a patent on the IDEA algorithm.
1. RC2、RC4和IDEA均受知识产权要求的约束。RSA Security Inc.拥有名称为RC2和RC4的商标权,并声称RC4算法本身是商业秘密。Ascom Systec Ltd.拥有IDEA算法的专利。
2. Triple DES is much less efficient than more modern ciphers.
2. 三重DES的效率远远低于更现代的密码。
3. Now that the AES process is completed there will be commercial pressure to use the selected cipher. The AES is efficient and has withstood extensive cryptanalytic efforts. The AES is therefore a desirable choice.
3. 现在AES过程已经完成,使用所选密码将面临商业压力。AES是高效的,并且经受了广泛的密码分析工作。因此,AES是理想的选择。
4. Currently the DHE ciphersuites only allow triple DES (along with some "export" variants which do not use a satisfactory key length). At the same time the DHE ciphersuites are the only ones to offer forward secrecy.
4. 目前,DHE密码套件只允许三重DES(以及一些“导出”变体,它们没有使用令人满意的密钥长度)。同时,DHE密码套件是唯一提供前向保密的。
This document proposes several new ciphersuites, with the aim of overcoming these problems.
本文提出了几种新的密码套件,旨在克服这些问题。
Cipher Usage
密码用法
The new ciphersuites proposed here are very similar to the following, defined in [TLS]:
此处提出的新密码套件与[TLS]中定义的以下密码套件非常相似:
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
该系统由RSA和RSA组成,其中RSA和EDE和CBC和DSS组成,DSS和RSA和EDE和CBC和DSS组成,RSA和CBC和DSS组成,DSS和CBC和DSS组成
All the ciphersuites described here use the AES in cipher block chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an HMAC construction as described in section 5 of [TLS]. (Although the TLS ciphersuite names include the text "SHA", this actually refers to the modified SHA-1 version of the algorithm.)
这里描述的所有密码套件都在密码块链接(CBC)模式下使用AES。此外,他们在HMAC施工中使用SHA-1[SHA-1],如[TLS]第5节所述。(尽管TLS密码套件名称包含文本“SHA”,但这实际上是指该算法的修改版SHA-1。)
The ciphersuites differ in the type of certificate and key exchange method. The ciphersuites defined here use the following options for this part of the protocol:
密码套件在证书类型和密钥交换方法上有所不同。此处定义的密码套件对协议的这一部分使用以下选项:
CipherSuite Certificate type (if applicable) and key exchange algorithm
CipherSuite证书类型(如果适用)和密钥交换算法
TLS_RSA_WITH_AES_128_CBC_SHA RSA TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon
带AES的TLS\U RSA\U 128\U CBC\U SHA RSA TLS\U DH DSS\U带AES\U 128\U CBC\U SHA DH DSS\U带AES\U 128\U CBC\U SHA DH RSA TLS\U CBC\U DSS\U 128\U CBC\U SHA DHE\U DSS\U带AES\U AES\U 128\U CBC\U SHA DHE\U RSA\U SHA DH SHA DH SHA\U 128\U AES
TLS_RSA_WITH_AES_256_CBC_SHA RSA TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon
带AES的TLS\U RSA\U 256\U CBC\U SHA RSA\U DH DSS\U带AES\U 256\U CBC\U SHA DH\U DSS\U带AES\U 256\U CBC\U SHA DH RSA\U RSA TLS\U AES\U 256\U CBC\U SHA DHE\U DSS\U带AES\U AES\U CBC\U DHE\U RSA\U 256\U CBC\U SHA DH SHA DHA\U THA DHU带AES
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS].
关于术语RSA、DH_DSS、DH_RSA、DHE_DSS、DHE_RSA和DH_anon的含义,请参考[TLS]第7.4.2节和第7.4.3节。
The AES supports key lengths of 128, 192 and 256 bits. However, this document only defines ciphersuites for 128- and 256-bit keys. This is to avoid unnecessary proliferation of ciphersuites. Rijndael actually allows for 192- and 256-bit block sizes as well as the 128- bit blocks mandated by the AES process. The ciphersuites defined here all use 128-bit blocks.
AES支持128、192和256位的密钥长度。但是,本文档仅定义128位和256位密钥的密码套件。这是为了避免密码套件不必要的扩散。Rijndael实际上允许192位和256位的块大小,以及AES进程强制要求的128位块。这里定义的密码套件都使用128位块。
The new ciphersuites will have the following definitions:
新密码套件将具有以下定义:
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
Security Considerations
安全考虑
It is not believed that the new ciphersuites are ever less secure than the corresponding older ones. The AES is believed to be secure, and it has withstood extensive cryptanalytic attack.
人们并不认为新的密码套件比相应的旧密码套件更不安全。AES被认为是安全的,并且经受了广泛的密码分析攻击。
The ephemeral Diffie-Hellman ciphersuites provide forward secrecy without any known reduction in security in other areas. To obtain the maximum benefit from these ciphersuites:
短暂的Diffie-Hellman密码套件提供了前向保密性,而不会降低其他领域的安全性。要从这些密码套件中获得最大的好处:
1. The ephemeral keys should only be used once. With the TLS protocol as currently defined there is no significant efficiency gain from reusing ephemeral keys.
1. 临时键只能使用一次。对于目前定义的TLS协议,重用临时密钥不会带来显著的效率提高。
2. Ephemeral keys should be destroyed securely when they are no longer required.
2. 临时钥匙不再需要时,应安全销毁。
3. The random number generator used to create ephemeral keys must not reveal past output even when its internal state is compromised.
3. 用于创建临时密钥的随机数生成器不得显示过去的输出,即使其内部状态受损。
[TLS] describes the anonymous Diffie-Hellman (ADH) ciphersuites as deprecated. The ADH ciphersuites defined here are not deprecated. However, when they are used, particular care must be taken:
[TLS]将匿名Diffie-Hellman(ADH)密码套件描述为已弃用。此处定义的ADH密码套件未被弃用。但是,在使用时,必须特别小心:
1. ADH provides confidentiality but not authentication. This means that (if authentication is required) the communicating parties must authenticate to each other by some means other than TLS.
1. ADH提供机密性,但不提供身份验证。这意味着(如果需要身份验证),通信双方必须通过TLS以外的其他方式相互进行身份验证。
2. ADH is vulnerable to man-in-the-middle attacks, as a consequence of the lack of authentication. The parties must have a way of determining whether they are participating in the same TLS connection. If they are not, they can deduce that they are under attack, and presumably abort the connection.
2. 由于缺乏身份验证,ADH容易受到中间人攻击。双方必须有办法确定是否参与相同的TLS连接。如果他们没有,他们可以推断他们正在受到攻击,并可能中止连接。
For example, if the parties share a secret, it is possible to compute a MAC of the TLS Finished message. An attacker would have to negotiate two different TLS connections; one with each communicating party. The Finished messages would be different in each case, because they depend on the parties' public keys (among other things). For this reason, the MACs computed by each party would be different.
例如,如果双方共享一个秘密,则可以计算TLS完成消息的MAC。攻击者必须协商两个不同的TLS连接;每个通信方一个。完成的消息在每种情况下都会有所不同,因为它们取决于各方的公钥(除其他外)。因此,各方计算的MAC将不同。
It is important to note that authentication techniques which do not use the Finished message do not usually provide protection from this attack. For example, the client could authenticate to the server with a password, but it would still be vulnerable to man-in-the-middle attacks.
需要注意的是,不使用完成消息的身份验证技术通常不会提供此攻击的保护。例如,客户端可以使用密码对服务器进行身份验证,但它仍然容易受到中间人攻击。
Recent research has identified a chosen plaintext attack which applies to all ciphersuites defined in [TLS] which use CBC mode. This weakness does not affect the common use of TLS on the World Wide Web, but may affect the use of TLS in other applications. When TLS is used in an application where this attack is possible, attackers can determine the truth or otherwise of a hypothesis that particular plaintext data was sent earlier in the session. No key material is compromised.
最近的研究发现了一种选择明文攻击,它适用于[TLS]中定义的所有使用CBC模式的密码套件。这一弱点不会影响TLS在万维网上的普遍使用,但可能会影响TLS在其他应用中的使用。当TLS用于可能发生此攻击的应用程序时,攻击者可以确定特定明文数据在会话早期发送的假设是否属实。没有关键材料被泄露。
It is likely that the CBC construction will be changed in a future revision of the TLS protocol.
CBC结构很可能在TLS协议的未来版本中发生变化。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use other technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the
IETF对可能声称与本文件中描述的实施或使用其他技术有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。关于
IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.
IETF关于标准跟踪和标准相关文件中权利的程序可在BCP-11中找到。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。
During the development of the AES, NIST published the following statement on intellectual property:
在AES的开发过程中,NIST发布了以下关于知识产权的声明:
SPECIAL NOTE - Intellectual Property
特别说明-知识产权
NIST reminds all interested parties that the adoption of AES is being conducted as an open standards-setting activity. Specifically, NIST has requested that all interested parties identify to NIST any patents or inventions that may be required for the use of AES. NIST hereby gives public notice that it may seek redress under the antitrust laws of the United States against any party in the future who might seek to exercise patent rights against any user of AES that have not been disclosed to NIST in response to this request for information.
NIST提醒所有相关方,AES的采用是一项开放的标准制定活动。具体而言,NIST已要求所有相关方向NIST确认AES使用可能需要的任何专利或发明。NIST特此发布公告,表示其可根据美国反托拉斯法对未来可能寻求对AES的任何用户行使专利权的任何一方寻求补救,但该用户尚未根据本信息请求向NIST披露。
Acknowledgements
致谢
I would like to thank the ietf-tls mailing list contributors who have made helpful suggestions for this document.
我要感谢ietf tls邮件列表投稿人,他们为本文档提供了有用的建议。
References
工具书类
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.
[TLS]Dierks,T.和C.Allen,“TLS协议版本1.0”,RFC 2246,1999年1月。
[AES] National Institute of Standards and Technology, "Specification for the Advanced Encryption Standard (AES)" FIPS 197. November 26, 2001.
[AES]国家标准与技术研究所,“高级加密标准(AES)规范”FIPS 197。2001年11月26日。
[SHA-1] FIPS PUB 180-1, "Secure Hash Standard," National Institute of Standards and Technology, U.S. Department of Commerce, April 17, 1995.
[SHA-1]FIPS PUB 180-1,“安全哈希标准”,美国商务部国家标准与技术研究所,1995年4月17日。
Author's Address
作者地址
Pete Chown Skygate Technology Ltd 8 Lombard Road London SW19 3TZ United Kingdom
英国伦敦伦巴第路8号Pete Chown Skygate Technology Ltd SW19 3TZ
Phone: +44 20 8542 7856 EMail: pc@skygate.co.uk
Phone: +44 20 8542 7856 EMail: pc@skygate.co.uk
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2002). All Rights Reserved.
版权所有(C)互联网协会(2002年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。