Network Working Group                                          M. Salter
Request for Comments: 5430                      National Security Agency
Category: Informational                                      E. Rescorla
                                                       Network Resonance
                                                              R. Housley
                                                          Vigil Security
                                                              March 2009
        
Network Working Group                                          M. Salter
Request for Comments: 5430                      National Security Agency
Category: Informational                                      E. Rescorla
                                                       Network Resonance
                                                              R. Housley
                                                          Vigil Security
                                                              March 2009
        

Suite B Profile for Transport Layer Security (TLS)

用于传输层安全(TLS)的套件B配置文件

Status of This Memo

关于下段备忘

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2009 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托在本文件出版之日生效的与IETF文件有关的法律规定的约束(http://trustee.ietf.org/license-info). 请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。

Abstract

摘要

The United States government has published guidelines for "NSA Suite B Cryptography", which defines cryptographic algorithm policy for national security applications. This document defines a profile of Transport Layer Security (TLS) version 1.2 that is fully conformant with Suite B. This document also defines a transitional profile for use with TLS version 1.0 and TLS version 1.1 which employs Suite B algorithms to the greatest extent possible.

美国政府发布了“NSA套件B加密”指南,该指南定义了国家安全应用的加密算法政策。本文档定义了完全符合套件B的传输层安全性(TLS)版本1.2的配置文件。本文档还定义了一个过渡配置文件,用于TLS版本1.0和TLS版本1.1,该版本尽可能使用套件B算法。

Table of Contents

目录

   1. Introduction ....................................................2
   2. Conventions Used in This Document ...............................3
   3. Suite B Requirements ............................................3
   4. Suite B Compliance and Interoperability Requirements ............4
      4.1. Security Levels ............................................7
      4.2. Acceptable Curves ..........................................8
      4.3. Certificates ...............................................8
      4.4. signature_algorithms Extension .............................9
      4.5. CertificateRequest Message .................................9
      4.6. CertificateVerify Message .................................10
      4.7. ServerKeyExchange Message Signature .......................10
   5. Security Considerations ........................................10
   6. Acknowledgements ...............................................10
   7. References .....................................................11
      7.1. Normative References ......................................11
      7.2. Informative References ....................................11
        
   1. Introduction ....................................................2
   2. Conventions Used in This Document ...............................3
   3. Suite B Requirements ............................................3
   4. Suite B Compliance and Interoperability Requirements ............4
      4.1. Security Levels ............................................7
      4.2. Acceptable Curves ..........................................8
      4.3. Certificates ...............................................8
      4.4. signature_algorithms Extension .............................9
      4.5. CertificateRequest Message .................................9
      4.6. CertificateVerify Message .................................10
      4.7. ServerKeyExchange Message Signature .......................10
   5. Security Considerations ........................................10
   6. Acknowledgements ...............................................10
   7. References .....................................................11
      7.1. Normative References ......................................11
      7.2. Informative References ....................................11
        
1. Introduction
1. 介绍

The United States government has posted the Fact Sheet on National Security Agency (NSA) Suite B Cryptography [NSA], and at the time of writing, it states:

美国政府已在国家安全局(NSA)Suite B Cryptography[NSA]上发布了概况介绍,在撰写本文时,它指出:

To complement the existing policy for the use of the Advanced Encryption Standard (AES) to protect national security systems and information as specified in The National Policy on the use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (CNSSP-15), the National Security Agency (NSA) announced Suite B Cryptography at the 2005 RSA Conference. In addition to the AES, Suite B includes cryptographic algorithms for hashing, digital signatures, and key exchange.

国家安全局(NSA)为补充《使用高级加密标准(AES)保护国家安全系统和信息的国家政策》(CNSSP-15)中规定的使用高级加密标准(AES)保护国家安全系统和信息的现行政策在2005年RSA大会上宣布了Suite B加密技术。除了AES,套件B还包括用于散列、数字签名和密钥交换的加密算法。

Suite B only specifies the cryptographic algorithms to be used. Many other factors need to be addressed in determining whether a particular device implementing a particular set of

套件B仅指定要使用的加密算法。在确定一个特定设备是否实现了一组特定的功能时,还需要考虑许多其他因素

cryptographic algorithms should be used to satisfy a particular requirement.

应使用加密算法来满足特定要求。

Among those factors are "requirements for interoperability both domestically and internationally".

这些因素包括“对国内和国际互操作性的要求”。

This document does not define any new cipher suites; instead, it defines two profiles:

本文件未定义任何新的密码套件;相反,它定义了两个配置文件:

o A Suite B compliant profile for use with TLS version 1.2 [RFC5246] and the cipher suites defined in [RFC5289]. This profile uses only Suite B algorithms.

o 与TLS 1.2版[RFC5246]和[RFC5289]中定义的密码套件一起使用的符合套件B的配置文件。此配置文件仅使用套件B算法。

o A transitional profile for use with TLS version 1.0 [RFC2246] or TLS version 1.1 [RFC4346] and the cipher suites defined in [RFC4492]. This profile uses the Suite B cryptographic algorithms to the greatest extent possible and provides backward compatibility. While the transitional profile is not Suite B compliant, it provides a transition path towards the Suite B compliant profile.

o 用于TLS 1.0版[RFC2246]或TLS 1.1版[RFC4346]以及[RFC4492]中定义的密码套件的过渡配置文件。此配置文件尽可能使用套件B加密算法,并提供向后兼容性。虽然过渡配置文件不符合Suite B,但它提供了通向Suite B兼容配置文件的过渡路径。

2. Conventions Used in This Document
2. 本文件中使用的公约

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

3. Suite B Requirements
3. B组要求

The Fact Sheet on Suite B Cryptography requires that key establishment and authentication algorithms be based on Elliptic Curve Cryptography, and that the encryption algorithm be AES [AES]. Suite B defines two security levels, of 128 and 192 bits.

关于Suite B加密的事实介绍要求密钥建立和身份验证算法基于椭圆曲线加密,并且加密算法为AES[AES]。套件B定义了两个安全级别,128位和192位。

In particular, Suite B includes:

特别是,套件B包括:

Encryption: Advanced Encryption Standard (AES) [AES] -- FIPS 197 (with key sizes of 128 and 256 bits)

加密:高级加密标准(AES)[AES]--FIPS 197(密钥大小为128和256位)

Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] - FIPS 186-2 (using the curves with 256- and 384-bit prime moduli)

数字签名:椭圆曲线数字签名算法(ECDSA)[DSS]-FIPS 186-2(使用256位和384位素数模的曲线)

Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) - NIST Special Publication 800-56A [PWKE] (using the curves with 256- and 384-bit prime moduli)

密钥交换:椭圆曲线Diffie-Hellman(ECDH)-NIST特别出版物800-56A[PWKE](使用带256位和384位素数模的曲线)

The 128-bit security level corresponds to an elliptic curve size of 256 bits and AES-128; it also makes use of SHA-256 [SHS]. The 192- bit security level corresponds to an elliptic curve size of 384 bits and AES-256; it also makes use of SHA-384 [SHS].

128位安全级别对应于256位的椭圆曲线大小和AES-128;它还利用SHA-256[SHS]。192位安全级别对应于384位的椭圆曲线大小和AES-256;它还利用SHA-384[SHS]。

Note: Some people refer to the two security levels based on the AES key size that is employed instead of the overall security provided by the combination of Suite B algorithms. At the 128-bit security level, an AES key size of 128 bits is used, which does not lead to any confusion. However, at the 192-bit security level, an AES key size of 256 bits is used, which sometimes leads to an expectation of more security than is offered by the combination of Suite B algorithms.

注意:有些人指的是基于AES密钥大小的两个安全级别,而不是由套件B算法组合提供的总体安全性。在128位安全级别,使用128位的AES密钥大小,这不会导致任何混淆。然而,在192位安全级别上,使用256位的AES密钥大小,这有时会导致比套件B算法组合提供的安全性更高的期望。

To accommodate backward compatibility, a Suite B compliant client or server can be configured to accept a cipher suite that is not part of Suite B. However, whenever a Suite B compliant client and a Suite B compliant server establish a TLS version 1.2 session, only Suite B algorithms are employed.

为了适应向后兼容性,可以将符合套件B的客户端或服务器配置为接受不属于套件B的密码套件。但是,每当符合套件B的客户端和符合套件B的服务器建立TLS版本1.2会话时,仅使用套件B算法。

4. Suite B Compliance and Interoperability Requirements
4. 套件B法规遵从性和互操作性要求

TLS version 1.1 [RFC4346] and earlier do not support Galois Counter Mode (GCM) cipher suites [RFC5289]. However, TLS version 1.2 [RFC5246] and later do support GCM. For Suite B TLS compliance, GCM cipher suites are REQUIRED to be used whenever both the client and the server support the necessary cipher suites. Also, for Suite B TLS compliance, Cipher Block Chaining (CBC) cipher suites are employed when GCM cipher suites cannot be employed.

TLS版本1.1[RFC4346]和更早版本不支持Galois计数器模式(GCM)密码套件[RFC5289]。但是,TLS版本1.2[RFC5246]和更高版本确实支持GCM。对于套件B TLS合规性,只要客户端和服务器都支持必要的密码套件,就需要使用GCM密码套件。此外,对于套件B TLS合规性,当无法使用GCM密码套件时,将使用密码块链接(CBC)密码套件。

For a client to implement the Suite B compliant profile, it MUST implement TLS version 1.2 or later, and the following cipher suite rules apply:

对于要实现与套件B兼容的配置文件的客户端,它必须实现TLS 1.2版或更高版本,并且以下密码套件规则适用:

o A Suite B compliant TLS version 1.2 or later client MUST offer at least two cipher suites for each supported security level. For the 128-bit security level, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MUST be offered in this order in the ClientHello message. For the 192-bit security level, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MUST be offered in this order in the ClientHello message. One of these cipher suites MUST be the first (most preferred) cipher suite in the ClientHello message.

o 与套件B兼容的TLS 1.2版或更高版本客户端必须为每个支持的安全级别提供至少两个密码套件。对于128位安全级别,必须在ClientHello消息中按此顺序提供TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256和TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256。对于192位安全级别,必须在ClientHello消息中按此顺序提供TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384和TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384。其中一个密码套件必须是ClientHello消息中的第一个(最首选)密码套件。

o A Suite B compliant TLS version 1.2 or later client that offers backward compatibility with TLS version 1.1 or earlier servers MAY offer an additional cipher suite for each supported security level. If these cipher suites are offered, they MUST appear after the ones discussed above. For the 128-bit security level, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MAY be offered in the ClientHello message. For the 192-bit security level, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MAY be offered in the ClientHello message.

o 与套件B兼容的TLS版本1.2或更高版本的客户端(提供与TLS版本1.1或更早版本服务器的向后兼容性)可能会为每个受支持的安全级别提供额外的密码套件。如果提供了这些密码套件,它们必须出现在上面讨论的密码套件之后。对于128位安全级别,可以在ClientHello消息中提供TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA。对于192位安全级别,可以在ClientHello消息中提供TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA。

o A Suite B compliant TLS version 1.2 or later client that offers interoperability with non-Suite B compliant servers MAY offer additional cipher suites. If any additional cipher suites are offered, they MUST appear after the ones discussed above in the ClientHello message.

o 与套件B兼容的TLS版本1.2或更高版本的客户端提供与非套件B兼容服务器的互操作性,可能会提供额外的密码套件。如果提供了任何其他密码套件,它们必须出现在ClientHello消息中上述密码套件之后。

For a client to implement the Suite B transitional profile, it MUST implement TLS version 1.1 or earlier and the following cipher suite rules apply:

对于要实现套件B过渡配置文件的客户端,它必须实现TLS 1.1版或更早版本,并且以下密码套件规则适用:

o A Suite B transitional TLS version 1.1 or earlier client MUST offer the cipher suite for the 128-bit security level, the cipher suite for the 192-bit security level, or both. For the 128-bit security level, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MUST be offered in the ClientHello message. For the 192-bit security level, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MUST be offered in the ClientHello message. One of these cipher suites MUST be the first (most preferred) cipher suite in the ClientHello message.

o 套件B transitional TLS 1.1版或更早版本的客户端必须提供128位安全级别的密码套件,192位安全级别的密码套件,或两者都提供。对于128位安全级别,必须在ClientHello消息中提供TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA。对于192位安全级别,必须在ClientHello消息中提供TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA。其中一个密码套件必须是ClientHello消息中的第一个(最首选)密码套件。

o A Suite B transitional TLS version 1.1 or earlier client that offers interoperability with non-Suite B compliant servers MAY offer additional cipher suites. If any additional cipher suites are offered, they MUST appear after the ones discussed above in the ClientHello message.

o 提供与不符合Suite B的服务器互操作性的Suite B transitional TLS 1.1版或更早版本的客户端可能会提供额外的密码套件。如果提供了任何其他密码套件,它们必须出现在ClientHello消息中上述密码套件之后。

A Suite B compliant TLS server MUST be configured to support the 128- bit security level, the 192-bit security level, or both security levels. The cipher suite rules for each of these security levels is described below. If a Suite B compliant TLS server is configured to support both security levels, then the configuration MUST prefer one security level over the other. In practice, this means that the cipher suite rules associated with the cipher suites listed in Section 4.1 for the preferred security level are processed before the cipher suite rules for the less preferred security level.

与Suite B兼容的TLS服务器必须配置为支持128位安全级别、192位安全级别或两种安全级别。下面描述了每个安全级别的密码套件规则。如果将符合Suite B的TLS服务器配置为支持两个安全级别,则该配置必须优先选择一个安全级别而不是另一个。在实践中,这意味着与第4.1节中列出的首选安全级别的密码套件相关联的密码套件规则在处理首选安全级别较低的密码套件规则之前进行处理。

For a server to implement the Suite B conformant profile at the 128- bit security level, the following cipher suite rules apply:

对于在128位安全级别实现与套件B一致的配置文件的服务器,以下密码套件规则适用:

o A Suite B compliant TLS version 1.2 or later server MUST accept the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite if it is offered.

o 与套件B兼容的TLS 1.2版或更高版本服务器必须接受TLS_ECDHE_ECDSA_和_AES_128_GCM_SHA256密码套件(如果提供)。

o If the preceding cipher suite is not offered, then a Suite B compliant TLS version 1.2 or later server MUST accept the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite if it is offered.

o 如果未提供上述密码套件,则符合套件B的TLS 1.2版或更高版本服务器必须接受TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA256密码套件(如果提供)。

o If neither of the preceding two cipher suites is offered, then a Suite B compliant TLS version 1.2 or later server that offers backward compatibility with TLS version 1.1 or earlier clients MAY accept the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite if it is offered.

o 如果前两个密码套件均未提供,则与套件B兼容的TLS 1.2版或更高版本服务器(提供与TLS 1.1版或更早版本客户端的向后兼容性)可以接受TLS_ECDHE_ECDSA_with_AES_128_CBC_SHA密码套件(如果提供)。

o If the server is not offered any of the preceding three cipher suites and interoperability with clients that are not compliant or interoperable with Suite B is desired, then the server MAY accept another offered cipher suite that is considered acceptable by the server administrator.

o 如果服务器未提供上述三个密码套件中的任何一个,并且需要与不兼容或不可与套件B互操作的客户端进行互操作,则服务器可以接受服务器管理员认为可接受的另一个提供的密码套件。

For a server to implement the Suite B transitional profile at the 128-bit security level, the following cipher suite rules apply:

对于以128位安全级别实现套件B过渡配置文件的服务器,以下密码套件规则适用:

o A Suite B transitional TLS version 1.1 or earlier server MUST accept the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite if it is offered.

o 套件B过渡TLS 1.1版或更早版本的服务器必须接受TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA密码套件(如果提供)。

o If the server is not offered the preceding cipher suite and interoperability with clients that are not Suite B transitional is desired, then the server MAY accept another offered cipher suite that is considered acceptable by the server administrator.

o 如果服务器未提供上述密码套件,并且需要与非套件B的客户端进行互操作,则服务器可以接受服务器管理员认为可接受的另一个提供的密码套件。

For a server to implement the Suite B conformant profile at the 192- bit security level, the following cipher suite rules apply:

对于在192位安全级别实现符合套件B的配置文件的服务器,以下密码套件规则适用:

o A Suite B compliant TLS version 1.2 or later server MUST accept the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite if it is offered.

o 符合套件B的TLS 1.2版或更高版本服务器必须接受TLS_ECDHE_ECDSA_和_AES_256_GCM_SHA384密码套件(如果提供)。

o If the preceding cipher suite is not offered, then a Suite B compliant TLS version 1.2 or later server MUST accept the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 cipher suite if it is offered.

o 如果未提供上述密码套件,则与套件B兼容的TLS 1.2版或更高版本服务器必须接受TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA384密码套件(如果提供)。

o If neither of the preceding two cipher suites is offered, then a Suite B compliant TLS version 1.2 or later server that offers backward compatibility with TLS version 1.1 or earlier clients MAY accept the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if it is offered.

o 如果前两个密码套件均未提供,则与套件B兼容的TLS 1.2版或更高版本服务器(提供与TLS 1.1版或更早版本客户端的向后兼容性)可以接受TLS_ECDHE_ECDSA_with_AES_256_CBC_SHA密码套件(如果提供)。

o If the server is not offered any of the preceding three cipher suites and interoperability with clients that are not compliant or interoperable with Suite B is desired, then the server MAY accept another offered cipher suite that is considered acceptable by the server administrator.

o 如果服务器未提供上述三个密码套件中的任何一个,并且需要与不兼容或不可与套件B互操作的客户端进行互操作,则服务器可以接受服务器管理员认为可接受的另一个提供的密码套件。

For a server to implement the Suite B transitional profile at the 192-bit security level, the following cipher suite rules apply:

对于以192位安全级别实现套件B过渡配置文件的服务器,以下密码套件规则适用:

o A Suite B transitional TLS version 1.1 or earlier server MUST accept the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if it is offered.

o 套件B过渡TLS 1.1版或更早版本的服务器必须接受TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA密码套件(如果提供)。

o If the server is not offered the preceding cipher suite and interoperability with clients that are not Suite B transitional is desired, then the server MAY accept another offered cipher suite that is considered acceptable by the server administrator.

o 如果服务器未提供上述密码套件,并且需要与非套件B的客户端进行互操作,则服务器可以接受服务器管理员认为可接受的另一个提供的密码套件。

Note that these rules explicitly permit the use of CBC cipher suites in TLS version 1.2 connections in order to permit operation between Suite B compliant and non-Suite B compliant implementations. For instance, a Suite B compliant TLS version 1.2 client might offer TLS version 1.2 with both GCM and CBC cipher suites when communicating with a non-Suite B TLS version 1.2 server, which then selected the CBC cipher suites. This connection would nevertheless meet the requirements of this specification. However, any two Suite B compliant implementations will negotiate a GCM cipher suite when doing TLS version 1.2.

请注意,这些规则明确允许在TLS 1.2版连接中使用CBC密码套件,以便允许在兼容套件B和不兼容套件B的实现之间进行操作。例如,符合套件B的TLS 1.2版客户端在与非套件B TLS 1.2版服务器通信时,可能会提供同时具有GCM和CBC密码套件的TLS 1.2版,而后者选择CBC密码套件。尽管如此,该连接仍将满足本规范的要求。但是,在执行TLS版本1.2时,任何两个与套件B兼容的实现都将协商GCM密码套件。

4.1. Security Levels
4.1. 安全级别

As described in Section 1, Suite B specifies two security levels: 128-bit and 192-bit. The following table lists the cipher suites for each security level. Within each security level, the cipher suites are listed in their preferred order for selection by a TLS version 1.2 implementation.

如第1节所述,套件B指定了两个安全级别:128位和192位。下表列出了每个安全级别的密码套件。在每个安全级别中,密码套件按其首选顺序列出,供TLS版本1.2实现选择。

       +-----------------------------------------+----------------+
       | Cipher Suite                            | Security Level |
       +-----------------------------------------+----------------+
       | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128            |
       | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128            |
       | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    | 128            |
       | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 192            |
       | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 192            |
       | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    | 192            |
       +-----------------------------------------+----------------+
        
       +-----------------------------------------+----------------+
       | Cipher Suite                            | Security Level |
       +-----------------------------------------+----------------+
       | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128            |
       | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128            |
       | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    | 128            |
       | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 192            |
       | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 192            |
       | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    | 192            |
       +-----------------------------------------+----------------+
        
4.2. Acceptable Curves
4.2. 可接受曲线

RFC 4492 defines a variety of elliptic curves. For cipher suites defined in this specification, only secp256r1(23) or secp384r1(24) may be used. These are the same curves that appear in FIPS 186-2 [DSS] as P-256 and P-384, respectively. For cipher suites at the 128-bit security level, secp256r1 MUST be used. For cipher suites at the 192-bit security level, secp384r1 MUST be used. RFC 4492 requires that the uncompressed(0) form be supported. The ansiX962_compressed_prime(1) point formats MAY also be supported.

RFC 4492定义了各种椭圆曲线。对于本规范中定义的密码套件,只能使用secp256r1(23)或secp384r1(24)。这些曲线与FIPS 186-2[DSS]中分别出现的P-256和P-384曲线相同。对于128位安全级别的密码套件,必须使用secp256r1。对于192位安全级别的密码套件,必须使用secp384r1。RFC 4492要求支持未压缩(0)表单。也可支持ansiX962_压缩_素数(1)点格式。

Clients desiring to negotiate only a Suite B compliant connection MUST generate a "Supported Elliptic Curves Extension" containing only the allowed curves. These curves MUST match the cipher suite security levels being offered. Clients that are willing to do both Suite B compliant and non-Suite B compliant connections MAY omit the extension or send the extension but offer other curves as well as the appropriate Suite B ones.

希望仅协商符合Suite B的连接的客户端必须生成一个“支持的椭圆曲线扩展”,该扩展只包含允许的曲线。这些曲线必须与提供的密码套件安全级别相匹配。愿意同时进行符合套件B和不符合套件B的连接的客户端可能会忽略扩展或发送扩展,但会提供其他曲线以及相应的套件B曲线。

Servers desiring to negotiate a Suite B compliant connection SHOULD check for the presence of the extension, but MUST NOT negotiate inappropriate curves even if they are offered by the client. This allows a client that is willing to do either Suite B compliant or non-Suite B compliant modes to interoperate with a server that will only do Suite B compliant modes. If the client does not advertise an acceptable curve, the server MUST generate a fatal "handshake_failure" alert and terminate the connection. Clients MUST check the chosen curve to make sure it is acceptable.

希望协商与Suite B兼容的连接的服务器应检查是否存在扩展,但不得协商不适当的曲线,即使这些曲线是由客户端提供的。这允许愿意执行与套件B兼容或与套件B不兼容模式的客户端与只执行与套件B兼容模式的服务器进行互操作。如果客户端没有公布可接受的曲线,服务器必须生成致命的“握手失败”警报并终止连接。客户必须检查所选曲线,以确保其可接受。

4.3. Certificates
4.3. 证书

Server and client certificates used to establish a Suite B compliant connection MUST be signed with ECDSA. Digital signatures MUST be calculated using either the P-256 curve along with the SHA-256 hash algorithm or calculated using the P-384 curve along with the SHA-384 hash algorithm. For certificates used at the 128-bit security level, the subject public key MUST use the P-256 curve and be signed with

用于建立与Suite B兼容的连接的服务器和客户端证书必须使用ECDSA签名。必须使用P-256曲线和SHA-256哈希算法计算数字签名,或者使用P-384曲线和SHA-384哈希算法计算数字签名。对于在128位安全级别上使用的证书,主题公钥必须使用P-256曲线并使用签名

either the P-384 curve or the P-256 curve. For certificates used at the 192-bit security level, the subject public key MUST use the P-384 curve and be signed with the P-384 curve.

P-384曲线或P-256曲线。对于在192位安全级别使用的证书,主题公钥必须使用P-384曲线,并使用P-384曲线签名。

In TLS version 1.0 and TLS version 1.1, the key exchange algorithm used in the TLS_ECDHE_ECDSA-collection of cipher suites requires the server's certificate to be signed with a particular signature scheme. TLS version 1.2 offers more flexibility. This specification does not impose any additional restrictions on the server certificate signature or the signature schemes used elsewhere in the certification path. (Often such restrictions will be useful, and it is expected that this will be taken into account in practices of certification authorities. However, such restrictions are not strictly required, even if it is beyond the capabilities of a client to completely validate a given certification path, the client may be able to validate the server's certificate by relying on a trusted certification authority whose certificate appears as one of the intermediate certificates in the certification path.)

在TLS版本1.0和TLS版本1.1中,密码套件的TLS_ECDHE_ECDSA-collection中使用的密钥交换算法要求使用特定的签名方案对服务器的证书进行签名。TLS版本1.2提供了更大的灵活性。本规范不对服务器证书签名或证书路径中其他地方使用的签名方案施加任何附加限制。(此类限制通常是有用的,预计在认证机构的实践中会考虑到这一点。但是,此类限制不是严格要求的,即使客户端无法完全验证给定的认证路径,客户端也可能能够验证服务器的证书。)通过依赖其证书作为证书路径中的中间证书之一显示的受信任证书颁发机构进行认证。)

Likewise, this specification does not impose restrictions on signature schemes used in the certification path for the client's certificate when mutual authentication is employed.

同样,当采用相互认证时,本规范不对客户端证书的认证路径中使用的签名方案施加限制。

4.4. signature_algorithms Extension
4.4. 签名算法扩展

The signature_algorithms extension is defined in Section 7.4.1.4.1 of TLS version 1.2 [RFC5246]. A Suite B compliant TLS version 1.2 or later client MUST include the signature_algorithms extension. For the 128-bit security level, SHA-256 with ECDSA MUST be offered in the signature_algorithms extension. For the 192-bit security level, SHA-384 with ECDSA MUST be offered in the signature_algorithms extension. Other offerings MAY be included to indicate the signature algorithms that are acceptable in cipher suites that are offered for interoperability with servers that are not compliant with Suite B and to indicate the signature algorithms that are acceptable for certification path validation.

TLS 1.2版[RFC5246]第7.4.1.4.1节定义了签名算法扩展。与套件B兼容的TLS 1.2版或更高版本客户端必须包含签名算法扩展。对于128位安全级别,签名算法扩展中必须提供带有ECDSA的SHA-256。对于192位安全级别,必须在签名算法扩展中提供带有ECDSA的SHA-384。可包括其他产品,以指示密码套件中可接受的签名算法,该密码套件用于与不符合套件B的服务器的互操作性,并指示可用于认证路径验证的签名算法。

4.5. CertificateRequest Message
4.5. 证书请求消息

A Suite B compliant TLS version 1.2 or later server MUST include SHA-256 with ECDSA and/or SHA-384 with ECDSA in the supported_signature_algorithms field of the CertificateRequest message. For the 128-bit security level, SHA-256 with ECDSA MUST appear in the supported_signature_algorithms field. For the 192-bit security level, SHA-384 with ECDSA MUST appear in the supported_signature_algorithms field.

与套件B兼容的TLS 1.2版或更高版本服务器必须在CertificateRequest消息的supported_signature_algorithms字段中包含带有ECDSA的SHA-256和/或带有ECDSA的SHA-384。对于128位安全级别,带有ECDSA的SHA-256必须出现在支持的\u签名\u算法字段中。对于192位安全级别,带有ECDSA的SHA-384必须出现在支持的\u签名\u算法字段中。

4.6. CertificateVerify Message
4.6. 认证消息

A Suite B compliant TLS version 1.2 or later client MUST use SHA-256 with ECDSA or SHA-384 with ECDSA for the signature in the CertificateVerify message. For the 128-bit security level, SHA-256 with ECDSA MUST be used. For the 192-bit security level, SHA-384 with ECDSA MUST be used.

与套件B兼容的TLS 1.2版或更高版本客户端必须将SHA-256与ECDSA或SHA-384与ECDSA一起用于CertificateVerify消息中的签名。对于128位安全级别,必须使用带ECDSA的SHA-256。对于192位安全级别,必须使用带有ECDSA的SHA-384。

4.7. ServerKeyExchange Message Signature
4.7. ServerKeyExchange消息签名

In the TLS_ECDHE_ECDSA-collection of cipher suites, the server sends its ephemeral ECDH public key and a specification of the corresponding curve in the ServerKeyExchange message. These parameters MUST be signed with ECDSA using the private key corresponding to the public key in the server's certificate.

在密码套件的TLS_ECDHE_ECDSA集合中,服务器发送其临时ECDH公钥和ServerKeyExchange消息中相应曲线的说明。必须使用与服务器证书中的公钥对应的私钥,使用ECDSA对这些参数进行签名。

A TLS version 1.1 or earlier server MUST sign the ServerKeyExchange message using SHA-1 with ECDSA.

TLS 1.1版或更早版本的服务器必须使用SHA-1和ECDSA对ServerKeyExchange消息进行签名。

A Suite B compliant TLS version 1.2 or later server MUST sign the ServerKeyExchange message using either SHA-256 with ECDSA or SHA-384 with ECDSA. For the 128-bit security level, SHA-256 with ECDSA MUST be used. For the 192-bit security level, SHA-384 with ECDSA MUST be used.

与套件B兼容的TLS 1.2版或更高版本服务器必须使用SHA-256和ECDSA或SHA-384和ECDSA对ServerKeyExchange消息进行签名。对于128位安全级别,必须使用带ECDSA的SHA-256。对于192位安全级别,必须使用带有ECDSA的SHA-384。

5. Security Considerations
5. 安全考虑

Most of the security considerations for this document are described in "The Transport Layer Security (TLS) Protocol Version 1.2" [RFC5246], "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)" [RFC4492], "AES Galois Counter Mode (GCM) Cipher Suites for TLS" [RFC5288], and "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)" [RFC5289]. Readers should consult those documents.

“传输层安全(TLS)协议版本1.2”[RFC5246]、“传输层安全(TLS)的椭圆曲线加密(ECC)密码套件”[RFC4492]、“用于TLS的AES伽罗瓦计数器模式(GCM)密码套件”[RFC5288]以及“具有SHA-256/384和AES伽罗瓦计数器模式(GCM)的TLS椭圆曲线密码套件”[RFC5289]。读者应查阅这些文档。

In order to meet the goal of a consistent security level for the entire cipher suite, in Suite B mode TLS implementations MUST ONLY use the curves defined in Section 4.2. Otherwise, it is possible to have a set of symmetric algorithms with much weaker or stronger security properties than the asymmetric (ECC) algorithms.

为了实现整个密码套件的一致安全级别目标,在套件B模式下,TLS实现必须仅使用第4.2节中定义的曲线。否则,可能会有一组对称算法,其安全性比非对称(ECC)算法弱或强得多。

6. Acknowledgements
6. 致谢

Thanks to Pasi Eronen, Steve Hanna, and Paul Hoffman for their review, comments, and insightful suggestions.

感谢Pasi Eronen、Steve Hanna和Paul Hoffman的评论、评论和富有洞察力的建议。

This work was supported by the US Department of Defense.

这项工作得到了美国国防部的支持。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006.

[RFC4492]Blake Wilson,S.,Bolyard,N.,Gupta,V.,Hawk,C.,和B.Moeller,“用于传输层安全(TLS)的椭圆曲线密码(ECC)密码套件”,RFC 4492,2006年5月。

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。

[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289, August 2008.

[RFC5289]Rescorla,E.“具有SHA-256/384和AES伽罗瓦计数器模式(GCM)的TLS椭圆曲线密码套件”,RFC 5289,2008年8月。

[AES] National Institute of Standards and Technology, "Specification for the Advanced Encryption Standard (AES)", FIPS 197, November 2001.

[AES]国家标准与技术研究所,“高级加密标准(AES)规范”,FIPS 197,2001年11月。

[DSS] National Institute of Standards and Technology, "Digital Signature Standard", FIPS 186-2, January 2000.

[DSS]国家标准与技术研究所,“数字签名标准”,FIPS 186-22000年1月。

[PWKE] National Institute of Standards and Technology, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)", NIST Special Publication 800-56A, March 2007.

[PWKE]国家标准与技术研究所,“使用离散对数加密的成对密钥建立方案的建议(修订版)”,NIST特别出版物800-56A,2007年3月。

[SHS] National Institute of Standards and Technology, "Secure Hash Standard", FIPS 180-2, August 2002.

[SHS]国家标准与技术研究所,“安全哈希标准”,FIPS 180-22002年8月。

7.2. Informative References
7.2. 资料性引用

[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.

[RFC2246]Dierks,T.和C.Allen,“TLS协议版本1.0”,RFC2246,1999年1月。

[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.

[RFC4346]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.1”,RFC 4346,2006年4月。

[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, August 2008.

[RFC5288]Salowey,J.,Choudhury,A.,和D.McGrew,“用于TLS的AES伽罗瓦计数器模式(GCM)密码套件”,RFC 5288,2008年8月。

[NSA] National Security Agency, "Fact Sheet NSA Suite B Cryptography", <http://www.nsa.gov/ia/Industry/crypto_suite_b.cfm>.

[NSA]国家安全局,“NSA套件B加密概况”<http://www.nsa.gov/ia/Industry/crypto_suite_b.cfm>.

Authors' Addresses

作者地址

Margaret Salter National Security Agency 9800 Savage Rd. Fort Meade 20755-6709 USA

美国米德堡萨维奇路9800号玛格丽特·索尔特国家安全局20755-6709

   EMail: msalter@restarea.ncsc.mil
        
   EMail: msalter@restarea.ncsc.mil
        

Eric Rescorla Network Resonance 2064 Edgewood Drive Palo Alto 94303 USA

Eric Rescorla网络共振2064 Edgewood Drive美国帕洛阿尔托94303

   EMail: ekr@rtfm.com
        
   EMail: ekr@rtfm.com
        

Russ Housley Vigil Security 918 Spring Knoll Drive Herndon 21070 USA

Russ Housley Vigil Security 918 Spring Knoll Drive Herndon 21070美国

   EMail: housley@vigilsec.com
        
   EMail: housley@vigilsec.com