Network Working Group                                        E. Rescorla
Request for Comments:  5289                                   RTFM, Inc.
Category:  Informational                                     August 2008
        
Network Working Group                                        E. Rescorla
Request for Comments:  5289                                   RTFM, Inc.
Category:  Informational                                     August 2008
        

TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)

具有SHA-256/384和AES伽罗瓦计数器模式(GCM)的TLS椭圆曲线密码套件

Status of This Memo

关于下段备忘

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Abstract

摘要

RFC 4492 describes elliptic curve cipher suites for Transport Layer Security (TLS). However, all those cipher suites use HMAC-SHA-1 as their Message Authentication Code (MAC) algorithm. This document describes sixteen new cipher suites for TLS that specify stronger MAC algorithms. Eight use Hashed Message Authentication Code (HMAC) with SHA-256 or SHA-384, and eight use AES in Galois Counter Mode (GCM).

RFC4492描述了用于传输层安全(TLS)的椭圆曲线密码套件。然而,所有这些密码套件都使用HMAC-SHA-1作为其消息认证码(MAC)算法。本文档描述了16个新的TLS密码套件,它们指定了更强的MAC算法。八个在SHA-256或SHA-384中使用哈希消息身份验证码(HMAC),八个在伽罗瓦计数器模式(GCM)中使用AES。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Conventions Used in This Document . . . . . . . . . . . . . . . 2
   3.  Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . . 2
     3.1.  HMAC-Based Cipher Suites  . . . . . . . . . . . . . . . . . 2
     3.2.  Galois Counter Mode-Based Cipher Suites . . . . . . . . . . 3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 3
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 3
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 4
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 4
     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 5
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Conventions Used in This Document . . . . . . . . . . . . . . . 2
   3.  Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . . 2
     3.1.  HMAC-Based Cipher Suites  . . . . . . . . . . . . . . . . . 2
     3.2.  Galois Counter Mode-Based Cipher Suites . . . . . . . . . . 3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 3
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 3
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 4
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 4
     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 5
        
1. Introduction
1. 介绍

RFC 4492 [RFC4492] describes Elliptic Curve Cryptography (ECC) cipher suites for Transport Layer Security (TLS). However, all of the RFC 4492 suites use HMAC-SHA1 as their MAC algorithm. Due to recent analytic work on SHA-1 [Wang05], the IETF is gradually moving away from SHA-1 and towards stronger hash algorithms. This document specifies TLS ECC cipher suites that use SHA-256 and SHA-384 [SHS] rather than SHA-1.

RFC 4492[RFC4492]描述了用于传输层安全(TLS)的椭圆曲线密码(ECC)密码套件。然而,所有RFC4492套件都使用HMAC-SHA1作为其MAC算法。由于最近对SHA-1的分析工作[Wang05],IETF正逐渐从SHA-1转向更强的散列算法。本文件规定了使用SHA-256和SHA-384[SHS]而非SHA-1的TLS ECC密码套件。

TLS 1.2 [RFC5246], adds support for authenticated encryption with additional data (AEAD) cipher modes [RFC5116]. This document also specifies a set of ECC cipher suites using one such mode, Galois Counter Mode (GCM) [GCM]. Another document [RFC5288] provides support for GCM with other key establishment methods.

TLS 1.2[RFC5246],增加了对使用附加数据(AEAD)密码模式进行身份验证加密的支持[RFC5116]。本文件还规定了一组ECC密码套件,使用一种模式,即伽罗瓦计数器模式(GCM)[GCM]。另一份文件[RFC5288]提供了对GCM和其他关键建立方法的支持。

2. Conventions Used in This Document
2. 本文件中使用的公约

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

3. Cipher Suites
3. 密码套件

This document defines 16 new cipher suites to be added to TLS. All use Elliptic Curve Cryptography for key exchange and digital signature, as defined in RFC 4492.

本文档定义了要添加到TLS的16个新密码套件。根据RFC 4492中的定义,所有这些都使用椭圆曲线密码进行密钥交换和数字签名。

3.1. HMAC-Based Cipher Suites
3.1. 基于HMAC的密码套件

The first eight cipher suites use AES [AES] in Cipher Block Chaining (CBC) [CBC] mode with an HMAC-based MAC:

前八个密码套件在基于HMAC的MAC的密码块链接(CBC)[CBC]模式中使用AES[AES]:

     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  = {0xC0,0x23};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  = {0xC0,0x24};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   = {0xC0,0x25};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   = {0xC0,0x26};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    = {0xC0,0x27};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    = {0xC0,0x28};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     = {0xC0,0x29};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     = {0xC0,0x2A};
        
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  = {0xC0,0x23};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  = {0xC0,0x24};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   = {0xC0,0x25};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   = {0xC0,0x26};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    = {0xC0,0x27};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    = {0xC0,0x28};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     = {0xC0,0x29};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     = {0xC0,0x2A};
        

These eight cipher suites are the same as the corresponding cipher suites in RFC 4492 (with names ending in "_SHA" in place of "_SHA256" or "_SHA384"), except for the MAC and Pseudo Random Function (PRF) algorithms.

除了MAC和伪随机函数(PRF)算法外,这八个密码套件与RFC 4492中相应的密码套件相同(名称以“_SHA”结尾,而不是“_SHA256”或“_SHA384”)。

These SHALL be as follows:

具体如下:

o For cipher suites ending with _SHA256, the PRF is the TLS PRF [RFC5246] with SHA-256 as the hash function. The MAC is HMAC [RFC2104] with SHA-256 as the hash function.

o 对于以_SHA256结尾的密码套件,PRF是TLS PRF[RFC5246],SHA-256作为哈希函数。MAC为HMAC[RFC2104],SHA-256为哈希函数。

o For cipher suites ending with _SHA384, the PRF is the TLS PRF [RFC5246] with SHA-384 as the hash function. The MAC is HMAC [RFC2104] with SHA-384 as the hash function.

o 对于以_SHA384结尾的密码套件,PRF是TLS PRF[RFC5246],SHA-384作为哈希函数。MAC是HMAC[RFC2104],SHA-384作为哈希函数。

3.2. Galois Counter Mode-Based Cipher Suites
3.2. 基于伽罗瓦计数器模式的密码套件

The second eight cipher suites use the same asymmetric algorithms as those in the previous section but use the new authenticated encryption modes defined in TLS 1.2 with AES in Galois Counter Mode (GCM) [GCM]:

第二个八个密码套件使用与前一节相同的非对称算法,但使用TLS 1.2中定义的新认证加密模式,AES采用伽罗瓦计数器模式(GCM)[GCM]:

     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = {0xC0,0x2B};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = {0xC0,0x2C};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   = {0xC0,0x2D};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   = {0xC0,0x2E};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = {0xC0,0x2F};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = {0xC0,0x30};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     = {0xC0,0x31};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     = {0xC0,0x32};
        
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = {0xC0,0x2B};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = {0xC0,0x2C};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   = {0xC0,0x2D};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   = {0xC0,0x2E};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = {0xC0,0x2F};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = {0xC0,0x30};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     = {0xC0,0x31};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     = {0xC0,0x32};
        

These cipher suites use authenticated encryption with additional data algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM described in [RFC5116]. GCM is used as described in [RFC5288].

这些密码套件使用经过身份验证的加密以及[RFC5116]中所述的附加数据算法AEAD_AES_128_GCM和AEAD_AES_256_GCM。GCM的使用如[RFC5288]所述。

The PRFs SHALL be as follows:

PRF应如下所示:

o For cipher suites ending with _SHA256, the PRF is the TLS PRF [RFC5246] with SHA-256 as the hash function.

o 对于以_SHA256结尾的密码套件,PRF是TLS PRF[RFC5246],SHA-256作为哈希函数。

o For cipher suites ending with _SHA384, the PRF is the TLS PRF [RFC5246] with SHA-384 as the hash function.

o 对于以_SHA384结尾的密码套件,PRF是TLS PRF[RFC5246],SHA-384作为哈希函数。

4. Security Considerations
4. 安全考虑

The security considerations in RFC 4346, RFC 4492, and [RFC5288] apply to this document as well. In addition, as described in [RFC5288], these cipher suites may only be used with TLS 1.2 or greater.

RFC 4346、RFC 4492和[RFC5288]中的安全注意事项也适用于本文档。此外,如[RFC5288]所述,这些密码套件只能用于TLS 1.2或更高版本。

5. IANA Considerations
5. IANA考虑

IANA has assigned the following values for these cipher suites:

IANA为这些密码套件分配了以下值:

     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  = {0xC0,0x23};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  = {0xC0,0x24};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   = {0xC0,0x25};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   = {0xC0,0x26};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    = {0xC0,0x27};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    = {0xC0,0x28};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     = {0xC0,0x29};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     = {0xC0,0x2A};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = {0xC0,0x2B};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = {0xC0,0x2C};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   = {0xC0,0x2D};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   = {0xC0,0x2E};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = {0xC0,0x2F};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = {0xC0,0x30};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     = {0xC0,0x31};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     = {0xC0,0x32};
        
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  = {0xC0,0x23};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  = {0xC0,0x24};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   = {0xC0,0x25};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   = {0xC0,0x26};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    = {0xC0,0x27};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    = {0xC0,0x28};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     = {0xC0,0x29};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     = {0xC0,0x2A};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = {0xC0,0x2B};
     CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = {0xC0,0x2C};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   = {0xC0,0x2D};
     CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   = {0xC0,0x2E};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = {0xC0,0x2F};
     CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = {0xC0,0x30};
     CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     = {0xC0,0x31};
     CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     = {0xC0,0x32};
        
6. Acknowledgements
6. 致谢

This work was supported by the US Department of Defense.

这项工作得到了美国国防部的支持。

David McGrew, Pasi Eronen, and Alfred Hoenes provided reviews of this document.

David McGrew、Pasi Eronen和Alfred Hoenes对本文件进行了审查。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006.

[RFC4492]Blake Wilson,S.,Bolyard,N.,Gupta,V.,Hawk,C.,和B.Moeller,“用于传输层安全(TLS)的椭圆曲线密码(ECC)密码套件”,RFC 4492,2006年5月。

[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008.

[RFC5116]McGrew,D.“认证加密的接口和算法”,RFC 5116,2008年1月。

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。

[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES-GCM Cipher Suites for TLS", RFC 5288, August 2008.

[RFC5288]Salowey,J.,Choudhury,A.,和D.McGrew,“用于TLS的AES-GCM密码套件”,RFC 5288,2008年8月。

[AES] National Institute of Standards and Technology, "Specification for the Advanced Encryption Standard (AES)", FIPS 197, November 2001.

[AES]国家标准与技术研究所,“高级加密标准(AES)规范”,FIPS 197,2001年11月。

[SHS] National Institute of Standards and Technology, "Secure Hash Standard", FIPS 180-2, August 2002.

[SHS]国家标准与技术研究所,“安全哈希标准”,FIPS 180-22002年8月。

[CBC] National Institute of Standards and Technology, "Recommendation for Block Cipher Modes of Operation - Methods and Techniques", SP 800-38A, December 2001.

[CBC]国家标准与技术研究所,“分组密码操作模式建议-方法和技术”,SP 800-38A,2001年12月。

[GCM] National Institute of Standards and Technology, "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication", SP 800-38D, November 2007.

[GCM]国家标准与技术研究所,“分组密码操作模式建议:用于保密和认证的Galois/计数器模式(GCM)”,SP 800-38D,2007年11月。

7.2. Informative References
7.2. 资料性引用

[Wang05] Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the Full SHA-1", CRYPTO 2005, August 2005.

[Wang05]Wang,X.,Yin,Y.,和H.Yu,“在完整的SHA-1中发现碰撞”,CRYPTO 2005,2005年8月。

Author's Address

作者地址

Eric Rescorla RTFM, Inc. 2064 Edgewood Drive Palo Alto 94303 USA

Eric Rescorla RTFM,Inc.美国帕洛阿尔托埃奇伍德大道2064号94303

   EMail:  ekr@rtfm.com
        
   EMail:  ekr@rtfm.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The IETF Trust (2008).

版权所有(C)IETF信托基金(2008年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.