Internet Engineering Task Force (IETF) M. Salter
Request for Comments: 6460 National Security Agency
Obsoletes: 5430 R. Housley
Category: Informational Vigil Security
ISSN: 2070-1721 January 2012
Internet Engineering Task Force (IETF) M. Salter
Request for Comments: 6460 National Security Agency
Obsoletes: 5430 R. Housley
Category: Informational Vigil Security
ISSN: 2070-1721 January 2012
Suite B Profile for Transport Layer Security (TLS)
用于传输层安全(TLS)的套件B配置文件
Abstract
摘要
The United States government has published guidelines for "NSA Suite B Cryptography" that define cryptographic algorithm policy for national security applications. This document defines a profile of Transport Layer Security (TLS) version 1.2 that is fully compliant with Suite B.
美国政府已经发布了“NSA套件B加密”指南,该指南定义了国家安全应用的加密算法政策。本文档定义了传输层安全性(TLS)版本1.2的配置文件,该版本完全符合套件B。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6460.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6460.
Copyright Notice
版权公告
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................3
3. Suite B Requirements ............................................3
3.1. Minimum Levels of Security (minLOS) for Suite B TLS ........4
3.2. Suite B TLS Authentication .................................5
4. Suite B Compliance and Interoperability Requirements ............5
4.1. Acceptable Curves ..........................................6
4.2. Certificates ...............................................7
4.3. signature_algorithms Extension .............................7
4.4. CertificateRequest Message .................................8
4.5. CertificateVerify Message ..................................8
4.6. ServerKeyExchange Message Signature ........................8
5. Security Considerations .........................................8
6. Acknowledgments .................................................9
7. References ......................................................9
7.1. Normative References .......................................9
7.2. Informative References ....................................10
Annex A. A Transitional Suite B Profile for TLS 1.1 and 1.0 .......11
Annex B. Changes since RFC 5430 ...................................13
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................3
3. Suite B Requirements ............................................3
3.1. Minimum Levels of Security (minLOS) for Suite B TLS ........4
3.2. Suite B TLS Authentication .................................5
4. Suite B Compliance and Interoperability Requirements ............5
4.1. Acceptable Curves ..........................................6
4.2. Certificates ...............................................7
4.3. signature_algorithms Extension .............................7
4.4. CertificateRequest Message .................................8
4.5. CertificateVerify Message ..................................8
4.6. ServerKeyExchange Message Signature ........................8
5. Security Considerations .........................................8
6. Acknowledgments .................................................9
7. References ......................................................9
7.1. Normative References .......................................9
7.2. Informative References ....................................10
Annex A. A Transitional Suite B Profile for TLS 1.1 and 1.0 .......11
Annex B. Changes since RFC 5430 ...................................13
This document specifies the conventions for using National Security Agency (NSA) Suite B Cryptography [SuiteB] with the Transport Layer Security (TLS) protocol, and the Datagram Transport Layer Security (DTLS) protocol.
本文件规定了将国家安全局(NSA)套件B加密[SuiteB]与传输层安全(TLS)协议和数据报传输层安全(DTLS)协议结合使用的约定。
This document does not define any new cipher suites; instead, it defines a Suite B compliant profile for use with TLS version 1.2 [RFC5246], DTLS version 1.2 [RFC6347], and the cipher suites defined in [RFC5289]. This profile uses only Suite B algorithms.
本文件未定义任何新的密码套件;相反,它定义了一个与套件B兼容的配置文件,用于TLS版本1.2[RFC5246]、DTLS版本1.2[RFC6347]和[RFC5289]中定义的密码套件。此配置文件仅使用套件B算法。
RFC 5430 defined an additional transitional profile for use with TLS versions 1.0 [RFC2246] and 1.1 [RFC4346] or with DTLS version 1.0 [RFC4347] and the cipher suites defined in [RFC4492]. When either the client or the server does not support TLS version 1.2 and DTLS version 1.2, the transitional profile can be used to achieve interoperability that is not Suite B compliant. The description for the transitional profile appears in Annex A of this document.
RFC 5430定义了一个附加的过渡配置文件,用于TLS版本1.0[RFC2246]和1.1[RFC4346]或DTLS版本1.0[RFC4347]以及[RFC4492]中定义的密码套件。当客户机或服务器不支持TLS版本1.2和DTLS版本1.2时,可以使用过渡配置文件来实现与套件B不兼容的互操作性。过渡剖面的说明见本文件附件A。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
We will use the notation "ECDSA-256" to represent the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash function. Similarly, "ECDSA-384" will represent the use of the ECDSA with the P-384 curve and the SHA-384 hash function.
我们将使用符号“ECDSA-256”来表示椭圆曲线数字签名算法(ECDSA)与P-256曲线和SHA-256哈希函数的使用。类似地,“ECDSA-384”将表示ECDSA与P-384曲线和SHA-384哈希函数的使用。
The Fact Sheet on Suite B Cryptography requires key establishment and authentication algorithms based on Elliptic Curve Cryptography and encryption using AES [AES]. Suite B algorithms are defined to support two minimum levels of security: 128 and 192 bits.
关于Suite B加密的事实介绍要求基于椭圆曲线加密和使用AES[AES]加密的密钥建立和身份验证算法。套件B算法定义为支持两个最低安全级别:128位和192位。
In particular, Suite B includes the following:
特别是,套件B包括以下内容:
Encryption: Advanced Encryption Standard (AES) [AES] -- FIPS 197 (with key sizes of 128 and 256 bits)
加密:高级加密标准(AES)[AES]--FIPS 197(密钥大小为128和256位)
Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] - FIPS 186-3 (using the curves with 256- and 384-bit prime moduli)
数字签名:椭圆曲线数字签名算法(ECDSA)[DSS]-FIPS 186-3(使用256位和384位素数模的曲线)
Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) - NIST Special Publication 800-56A [PWKE] (using the curves with 256- and 384-bit prime moduli)
密钥交换:椭圆曲线Diffie-Hellman(ECDH)-NIST特别出版物800-56A[PWKE](使用带256位和384位素数模的曲线)
The two elliptic curves used in Suite B each appear in the literature under two different names. For sake of clarity, we list both names below:
套件B中使用的两条椭圆曲线分别以两个不同的名称出现在文献中。为清楚起见,我们在下面列出了这两个名称:
Curve NIST name [SECG] name
--------------------------------
P-256 nistp256 secp256r1
P-384 nistp384 secp384r1
Curve NIST name [SECG] name
--------------------------------
P-256 nistp256 secp256r1
P-384 nistp384 secp384r1
The purpose of this document is to specify the requirements for a Suite B compliant implementation of TLS (hereafter referred to as "Suite B TLS").
本文件的目的是规定符合B套的TLS实施要求(以下简称“B套TLS”)。
Suite B provides two levels of cryptographic security, namely a 128-bit minimum level of security (minLOS_128) and a 192-bit minimum level of security (minLOS_192). Each level defines a minimum strength that all cryptographic algorithms must provide.
套件B提供两种加密安全级别,即128位最低安全级别(minLOS_128)和192位最低安全级别(minLOS_192)。每个级别定义了所有加密算法必须提供的最小强度。
The following combination of algorithms and key sizes are used in Suite B TLS:
套件B TLS中使用了以下算法和密钥大小组合:
Suite B Combination 1 Suite B Combination 2
-------------------------------- --------------------------------
AES with 128-bit key in GCM mode AES with 256-bit key in GCM mode
ECDH using the 256-bit prime ECDH using the 384-bit prime
modulus curve P-256 [DSS] modulus curve P-384 [DSS]
TLS PRF with SHA-256 [SHS] TLS PRF with SHA-384 [SHS]
Suite B Combination 1 Suite B Combination 2
-------------------------------- --------------------------------
AES with 128-bit key in GCM mode AES with 256-bit key in GCM mode
ECDH using the 256-bit prime ECDH using the 384-bit prime
modulus curve P-256 [DSS] modulus curve P-384 [DSS]
TLS PRF with SHA-256 [SHS] TLS PRF with SHA-384 [SHS]
Suite B TLS configured at a minimum level of security of 128 bits MUST use a TLS cipher suite satisfying either SuiteB_Combination_1 in its entirety or SuiteB_Combination_2 in its entirety.
以128位的最低安全级别配置的套件B TLS必须使用满足整个SuiteB_组合_1或整个SuiteB_组合_2的TLS密码套件。
Suite B TLS configured at a minimum level of security of 192 bits MUST use a TLS cipher suite satisfying SuiteB_Combination_2 in its entirety.
以192位的最低安全级别配置的套件B TLS必须全部使用满足SuiteB_组合_2的TLS密码套件。
The specific Suite B compliant cipher suites for each combination are listed in Section 4.
第4节列出了每种组合的特定套件B兼容密码套件。
For Suite B TLS, ECDH uses the Ephemeral Unified Model Scheme with cofactor set to 1 (see Section 6.1.2.2 in [PWKE]).
对于套件B TLS,ECDH使用临时统一模型方案,辅因子设置为1(见[PWKE]第6.1.2.2节)。
To accommodate backward compatibility, a Suite B TLS client or server MAY be configured to accept a cipher suite that is not part of Suite B. However, whenever a Suite B TLS client and a Suite B TLS server establish a TLS version 1.2 session, Suite B algorithms MUST be employed.
为了适应向后兼容性,可以将套件B TLS客户端或服务器配置为接受不属于套件B的密码套件。但是,每当套件B TLS客户端和套件B TLS服务器建立TLS版本1.2会话时,必须使用套件B算法。
Suite B TLS MUST use ECDSA for digital signatures; authentication methods other than ECDSA-256 and ECDSA-384 MUST NOT be used for TLS authentication. If a relying party receives a signature based on any other authentication method, it MUST return a TLS error and stop the TLS handshake.
套件B TLS必须使用ECDSA进行数字签名;TLS身份验证不得使用ECDSA-256和ECDSA-384以外的身份验证方法。如果依赖方收到基于任何其他身份验证方法的签名,它必须返回TLS错误并停止TLS握手。
A system compliant with the Suite B TLS and configured at a minimum level of security of 128 bits MUST use either ECDSA-256 or ECDSA-384 for client or server authentication. One party can authenticate with ECDSA-256 when the other party authenticates with ECDSA-384. This flexibility allows interoperation between a client and a server that have ECDSA authentication keys of different sizes.
符合Suite B TLS并以128位最低安全级别配置的系统必须使用ECDSA-256或ECDSA-384进行客户端或服务器身份验证。当另一方使用ECDSA-384进行身份验证时,一方可以使用ECDSA-256进行身份验证。这种灵活性允许客户端和具有不同大小ECDSA身份验证密钥的服务器之间进行互操作。
Clients and servers in a system configured at a minimum level of security of 128 bits MUST be able to verify ECDSA-256 signatures and SHOULD be able to verify ECDSA-384 signatures unless it is absolutely certain that the implementation will never need to verify certificates originating from an authority that uses an ECDSA-384 signing key.
以128位的最低安全级别配置的系统中的客户端和服务器必须能够验证ECDSA-256签名,并且应该能够验证ECDSA-384签名,除非绝对确定实现永远不需要验证来自使用ECDSA-384签名密钥的机构的证书。
A system compliant with the Suite B TLS and configured at a minimum level of security of 192 bits MUST use ECDSA-384 for client and server authentication.
符合Suite B TLS并以192位最低安全级别配置的系统必须使用ECDSA-384进行客户端和服务器身份验证。
Clients and servers in a system configured at a minimum level of security of 192 bits MUST be able to verify ECDSA-384 signatures.
以192位最低安全级别配置的系统中的客户端和服务器必须能够验证ECDSA-384签名。
In all cases, the client MUST authenticate the server. The server MAY authenticate the client, as needed by the specific application.
在所有情况下,客户端都必须对服务器进行身份验证。服务器可以根据特定应用程序的需要对客户端进行身份验证。
TLS versions 1.1 [RFC4346] and earlier do not support Galois/ Counter Mode (GCM) cipher suites [RFC5289]. However, TLS version 1.2 [RFC5246] and later do support GCM. For Suite B TLS, GCM cipher suites MUST be used; therefore, a Suite B TLS client MUST implement TLS version 1.2 or later.
TLS版本1.1[RFC4346]和更早版本不支持Galois/计数器模式(GCM)密码套件[RFC5289]。但是,TLS版本1.2[RFC5246]和更高版本确实支持GCM。对于套件B TLS,必须使用GCM密码套件;因此,Suite B TLS客户端必须实现TLS版本1.2或更高版本。
A Suite B TLS client configured at a minimum level of security of 128 bits MUST offer the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite in the ClientHello message. The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite is preferred; if offered, it MUST appear before the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite.
以128位最低安全级别配置的套件B TLS客户端必须在ClientHello消息中提供TLS_ECDHE_ECDSA_和_AES_128_GCM_SHA256或TLS_ECDHE_ECDSA_和_AES_256_GCM_SHA384密码套件。首选TLS_ECDHE_ECDSA_和_AES_128_GCM_SHA256密码套件;如果提供,它必须出现在TLS_ECDHE_ECDSA_和_AES_256_GCM_SHA384密码套件之前。
If configured at a minimum level of security of 192 bits, the client MUST offer the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite and MUST NOT offer the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite.
如果以192位的最低安全级别配置,则客户端必须提供TLS_ECDHE_ECDSA_和_AES_256_GCM_SHA384密码套件,并且不得提供TLS_ECDHE_ECDSA_和_AES_128_GCM_SHA256密码套件。
One of these two cipher suites MUST be the first (most preferred) cipher suites in the ClientHello message. A Suite B TLS client that offers interoperability with servers that are not Suite B compliant MAY offer additional cipher suites, but any additional cipher suites MUST appear after the two Suite B compliant cipher suites in the ClientHello message.
这两个密码套件中的一个必须是ClientHello消息中的第一个(最首选)密码套件。提供与不符合套件B的服务器互操作性的套件B TLS客户端可以提供额外的密码套件,但任何额外的密码套件必须出现在ClientHello消息中两个符合套件B的密码套件之后。
A Suite B TLS server MUST implement TLS version 1.2 or later.
套件B TLS服务器必须实现TLS版本1.2或更高版本。
A Suite B TLS server configured at a minimum level of security of 128 bits MUST accept either the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite or the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite if it is offered in the ClientHello message, with the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite being preferred.
以128位最低安全级别配置的套件B TLS服务器必须接受TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256密码套件或TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384密码套件(如果在ClientHello消息中提供),首选TLS_ECDHE_ECDSA_ECDSA_WITH_AES_GCM_SHA256密码套件。
A Suite B TLS server configured at a minimum level of security of 192 bits MUST accept the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite if it is offered in the ClientHello message.
配置为192位最低安全级别的套件B TLS服务器必须接受TLS_ECDHE_ECDSA_和_AES_256_GCM_SHA384密码套件(如果在ClientHello消息中提供)。
If the server is not offered either of the Suite B cipher suites, and interoperability with clients that are not Suite B compliant is desired, then the Suite B TLS server MAY accept another offered cipher suite that is considered acceptable by the server administrator.
如果服务器未提供任何套件B密码套件,并且需要与不符合套件B的客户端进行互操作,则套件B TLS服务器可以接受服务器管理员认为可接受的另一个提供的密码套件。
RFC 4492 defines a variety of elliptic curves. Suite B TLS connections MUST use secp256r1(23) or secp384r1(24). These are the same curves that appear in FIPS 186-3 [DSS] as P-256 and P-384, respectively. Secp256r1 MUST be used for the key exchange in all cipher suites in this specification using AES-128; secp384r1 MUST be used for the key exchange in all cipher suites in this specification using AES-256. RFC 4492 requires that the uncompressed(0) form be supported. The ansiX962_compressed_prime(1) point format MAY also be supported.
RFC 4492定义了各种椭圆曲线。套件B TLS连接必须使用secp256r1(23)或secp384r1(24)。这些曲线与FIPS 186-3[DSS]中分别出现的P-256和P-384曲线相同。必须使用AES-128在本规范的所有密码套件中使用Secp256r1进行密钥交换;必须使用AES-256将secp384r1用于本规范中所有密码套件中的密钥交换。RFC 4492要求支持未压缩(0)表单。也可支持ansiX962_压缩_素数(1)点格式。
Clients desiring to negotiate only a Suite B TLS connection MUST generate a "Supported Elliptic Curves Extension" containing only the allowed curves. Clients operating at a minimum level of security of 128 bits MUST include secp256r1 and SHOULD include secp384r1 in the extension. Clients operating at a minimum level of security of 192 bits MUST include secp384r1 in the extension. In order to be able to
希望仅协商Suite B TLS连接的客户机必须生成仅包含允许曲线的“支持的椭圆曲线扩展”。以128位最低安全级别运行的客户端必须包括secp256r1,并且扩展中应包括secp384r1。以192位的最低安全级别运行的客户端必须在扩展中包含secp384r1。为了能够
verify ECDSA signatures, a client and server in a system configured at a minimum level of security of 128 bits MUST support secp256r1 and SHOULD support secp384r1 unless it is absolutely certain that the client and server will never need to use or verify certificates originating from an authority which uses an ECDSA-384 signing key. A client and server in a system configured at a minimum level of 192 bits MUST support secp384r1.
验证ECDSA签名,以128位最低安全级别配置的系统中的客户端和服务器必须支持secp256r1,并应支持secp384r1,除非绝对确定客户端和服务器永远不需要使用或验证来自使用ECDSA-384签名密钥的机构的证书。系统中配置为最低192位的客户端和服务器必须支持secp384r1。
TLS connections that offer options that are both compliant and non-compliant with Suite B MAY omit the extension, or they MAY send the extension but offer other curves as well as the appropriate Suite B ones.
提供与套件B兼容和不兼容选项的TLS连接可能会忽略扩展,或者可能会发送扩展,但提供其他曲线以及相应的套件B曲线。
Servers desiring to negotiate a Suite B TLS connection SHOULD check for the presence of the extension, but they MUST NOT select a curve that is not Suite B even if it is offered by the client. This allows a client that is willing to do either Suite B or non-Suite B TLS connections to interoperate with a server that will only do Suite B TLS. If the client does not advertise an acceptable curve, the server MUST generate a fatal "handshake_failure" alert and terminate the connection. Clients MUST check the chosen curve to make sure that it is one of the Suite B curves.
希望协商套件B TLS连接的服务器应检查是否存在扩展,但不得选择非套件B的曲线,即使该曲线由客户端提供。这允许愿意进行套件B或非套件B TLS连接的客户机与只进行套件B TLS的服务器进行互操作。如果客户端没有公布可接受的曲线,服务器必须生成致命的“握手失败”警报并终止连接。客户必须检查所选曲线,以确保它是套件B曲线之一。
Server and client certificates used to establish a Suite B TLS connection MUST be signed with ECDSA and MUST be compliant with the "Suite B Certificate and Certificate Revocation List (CRL) Profile", [RFC5759].
用于建立Suite B TLS连接的服务器和客户端证书必须使用ECDSA签名,并且必须符合“Suite B证书和证书吊销列表(CRL)配置文件”[RFC5759]。
The signature_algorithms extension is defined in Section 7.4.1.4.1 of TLS version 1.2 [RFC5246]. A Suite B TLS version 1.2 or later client MUST include the signature_algorithms extension. A Suite B TLS client configured at a minimum level of security of 128 bits MUST offer SHA-256 with ECDSA and SHOULD offer ECDSA with SHA-384 in the signature_algorithms extension unless it is absolutely certain that a client will never need to use or verify certificates originating from an authority that uses an ECDSA-384 signing key. A Suite B TLS client configured at a minimum level of 192 bits MUST offer ECDSA with SHA-384 in the signature_algorithms extension.
TLS 1.2版[RFC5246]第7.4.1.4.1节定义了签名算法扩展。Suite B TLS 1.2或更高版本的客户端必须包含签名算法扩展。以128位的最低安全级别配置的Suite B TLS客户端必须提供带有ECDSA的SHA-256,并应在signature_算法扩展中提供带有SHA-384的ECDSA,除非绝对确定客户端永远不需要使用或验证来自使用ECDSA-384签名密钥的机构的证书。以192位的最低级别配置的Suite B TLS客户端必须在签名算法扩展中提供带有SHA-384的ECDSA。
Following the guidance in [RFC5759], Suite B TLS connections MUST only accept signature algorithms ECDSA with either SHA-256 or SHA-384 for certification path validation. (Note that this is a change from [RFC5430].)
按照[RFC5759]中的指导,套件B TLS连接必须仅接受带有SHA-256或SHA-384的签名算法ECDSA进行认证路径验证。(请注意,这是对[RFC5430]的更改。)
Other offerings MAY be included to indicate the acceptable signature algorithms in cipher suites that are offered for interoperability with servers not compliant with Suite B and to indicate the signature algorithms that are acceptable for certification path validation in non-compliant Suite B TLS connections.
可以包括其他选项,以指示密码套件中可接受的签名算法,该密码套件用于与不符合套件B的服务器的互操作性,并指示不符合套件B TLS连接中可接受的认证路径验证的签名算法。
A Suite B TLS server configured at a minimum level of security of 128 bits MUST include ECDSA with SHA-256 and SHOULD include ECDSA with SHA-384 in the supported_signature_algorithms field of the CertificateRequest message unless it is absolutely certain that a server will never need to verify certificates originating from an authority that uses an ECDSA-384 signing key. A Suite B TLS server configured at a minimum level of security of 192 bits MUST include ECDSA with SHA-384 in the supported_signature_algorithms field.
以128位的最低安全级别配置的套件B TLS服务器必须包括带有SHA-256的ECDSA,并且应该在CertificateRequest消息的supported_signature_algorithms(支持的签名算法)字段中包括带有SHA-384的ECDSA,除非绝对确定服务器永远不需要验证来自使用ECDSA-384签名密钥。以192位的最低安全级别配置的Suite B TLS服务器必须在supported_signature_algorithms(支持的签名算法)字段中包含带有SHA-384的ECDSA。
Using the definitions found in Section 3.2, a Suite B TLS client MUST use ECDSA-256 or ECDSA-384 for the signature in the CertificateVerify message. A Suite B TLS client configured at a minimum security level of 128 bits MUST use ECDSA-256 or ECDSA-384. A Suite B TLS client configured at a minimum security level of 192 bits MUST use ECDSA-384.
使用第3.2节中的定义,Suite B TLS客户端必须使用ECDSA-256或ECDSA-384作为CertificateVerify消息中的签名。以128位的最低安全级别配置的Suite B TLS客户端必须使用ECDSA-256或ECDSA-384。以192位的最低安全级别配置的Suite B TLS客户端必须使用ECDSA-384。
In the TLS_ECDHE_ECDSA-collection of cipher suites, the server sends its ephemeral ECDH public key and a specification of the corresponding curve in the ServerKeyExchange message. These parameters MUST be signed with ECDSA using the server's private key, which corresponds to the public key in the server's certificate.
在密码套件的TLS_ECDHE_ECDSA集合中,服务器发送其临时ECDH公钥和ServerKeyExchange消息中相应曲线的说明。必须使用服务器的私钥(与服务器证书中的公钥相对应)与ECDSA对这些参数进行签名。
A Suite B TLS server MUST sign the ServerKeyExchange message using either ECDSA-256 or ECDSA-384. A system configured at a minimum level of security of 128 bits MUST use either ECDSA-256 or ECDSA-384. A system configured at a minimum level of security of 192-bits MUST use ECDSA-384.
套件B TLS服务器必须使用ECDSA-256或ECDSA-384对ServerKeyExchange消息进行签名。以128位最低安全级别配置的系统必须使用ECDSA-256或ECDSA-384。以192位的最低安全级别配置的系统必须使用ECDSA-384。
Most of the security considerations for this document are described in "The Transport Layer Security (TLS) Protocol Version 1.2" [RFC5246], "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)" [RFC4492], "AES Galois Counter Mode
“传输层安全(TLS)协议版本1.2”[RFC5246]、“传输层安全(TLS)椭圆曲线密码(ECC)套件”[RFC4492]、“AES Galois计数器模式”中描述了本文档的大多数安全注意事项
(GCM) Cipher Suites for TLS" [RFC5288], and "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)" [RFC5289]. Readers should consult those documents.
(GCM)TLS的密码套件“[RFC5288]和“具有SHA-256/384和AES伽罗瓦计数器模式(GCM)的TLS椭圆曲线密码套件”[RFC5289]。读者应查阅这些文档。
In order to meet the goal of a consistent security level for the entire cipher suite, Suite B TLS implementations MUST ONLY use the curves defined in Section 4.1. Otherwise, it is possible to have a set of symmetric algorithms with much weaker or stronger security properties than the asymmetric (ECC) algorithms.
为了实现整个密码套件的一致安全级别目标,套件B TLS实施必须仅使用第4.1节中定义的曲线。否则,可能会有一组对称算法,其安全性比非对称(ECC)算法弱或强得多。
The authors would like to thank Eric Rescorla for his work on the original RFC 5430.
作者要感谢Eric Rescorla在原始RFC 5430上的工作。
This work was supported by the US Department of Defense.
这项工作得到了美国国防部的支持。
[AES] National Institute of Standards and Technology, "Specification for the Advanced Encryption Standard (AES)", FIPS 197, November 2001.
[AES]国家标准与技术研究所,“高级加密标准(AES)规范”,FIPS 197,2001年11月。
[DSS] National Institute of Standards and Technology, "Digital Signature Standard", FIPS 186-3, June 2009.
[DSS]国家标准与技术研究所,“数字签名标准”,FIPS 186-3,2009年6月。
[PWKE] National Institute of Standards and Technology, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)", NIST Special Publication 800-56A, March 2007.
[PWKE]国家标准与技术研究所,“使用离散对数加密的成对密钥建立方案的建议(修订版)”,NIST特别出版物800-56A,2007年3月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security", RFC 4347, April 2006.
[RFC4347]Rescorla,E.和N.Modadugu,“数据报传输层安全”,RFC 4347,2006年4月。
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006.
[RFC4492]Blake Wilson,S.,Bolyard,N.,Gupta,V.,Hawk,C.,和B.Moeller,“用于传输层安全(TLS)的椭圆曲线密码(ECC)密码套件”,RFC 4492,2006年5月。
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289, August 2008.
[RFC5289]Rescorla,E.“具有SHA-256/384和AES伽罗瓦计数器模式(GCM)的TLS椭圆曲线密码套件”,RFC 5289,2008年8月。
[RFC5759] Solinas, J. and L. Zieglar, "Suite B Certificate and Certificate Revocation List (CRL) Profile", RFC 5759, January 2010.
[RFC5759]Solinas,J.和L.Zieglar,“套件B证书和证书撤销列表(CRL)配置文件”,RFC 5759,2010年1月。
[SHS] National Institute of Standards and Technology, "Secure Hash Standard", FIPS 180-3, October 2008.
[SHS]国家标准与技术研究所,“安全哈希标准”,FIPS 180-32008年10月。
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012.
[RFC6347]Rescorla,E.和N.Modadugu,“数据报传输层安全版本1.2”,RFC 6347,2012年1月。
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.
[RFC2246]Dierks,T.和C.Allen,“TLS协议版本1.0”,RFC2246,1999年1月。
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4346]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.1”,RFC 4346,2006年4月。
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, August 2008.
[RFC5288]Salowey,J.,Choudhury,A.,和D.McGrew,“用于TLS的AES伽罗瓦计数器模式(GCM)密码套件”,RFC 5288,2008年8月。
[RFC5430] Salter, M., Rescorla, E., and R. Housley, "Suite B Profile for Transport Layer Security (TLS)", RFC 5430, March 2009.
[RFC5430]Salter,M.,Rescorla,E.,和R.Housley,“传输层安全(TLS)的套件B配置文件”,RFC 5430,2009年3月。
[SECG] Brown, D., "SEC 2: Recommended Elliptic Curve Domain Parameters", http://www.secg.org/download/aid-784/sec2-v2.pdf, February 2010.
[SECG]Brown,D.,“第2节:建议的椭圆曲线域参数”,http://www.secg.org/download/aid-784/sec2-v2.pdf,2010年2月。
[SuiteB] National Security Agency, "Fact Sheet NSA Suite B Cryptography", November 2010, http://www.nsa.gov/ia/programs/suiteb_cryptography/.
[SuiteB]美国国家安全局,“NSA套件B加密概况”,2010年11月,http://www.nsa.gov/ia/programs/suiteb_cryptography/.
Annex A. A Transitional Suite B Profile for TLS 1.1 and 1.0
附件A.TLS 1.1和1.0的过渡套房B剖面图
A transitional profile is described for use with TLS version 1.0 [RFC2246], TLS version 1.1 [RFC4346], or DTLS version 1.0 [RFC4347] and the cipher suites defined in [RFC4492]. This profile uses the Suite B cryptographic algorithms to the greatest extent possible and provides backward compatibility. While the transitional profile is not a Suite B Compliant implementation of TLS, it provides a transitional path towards the Suite B compliant Profile.
描述了用于TLS 1.0版[RFC2246]、TLS 1.1版[RFC4346]或DTLS 1.0版[RFC4347]和[RFC4492]中定义的密码套件的过渡配置文件。此配置文件尽可能使用套件B加密算法,并提供向后兼容性。虽然过渡配置文件不是与套件B兼容的TLS实现,但它提供了通向与套件B兼容的配置文件的过渡路径。
The following combination of algorithms and key sizes are defined for use with the Suite B TLS transitional profile:
定义了以下算法和密钥大小组合,以用于套件B TLS过渡配置文件:
Transitional Suite B Combination 1 Transitional Suite B Combination 2
---------------------------------- ----------------------------------
AES with 128-bit key in CBC mode AES with 256-bit key in CBC mode
ECDH using the 256-bit prime ECDH using the 384-bit prime
modulus curve P-256 [DSS] modulus curve P-384 [DSS]
Standard TLS PRF Standard TLS PRF
(with SHA-1 and MD5) (with SHA-1 and MD5)
HMAC with SHA-1 for message HMAC with SHA-1 for message
authentication authentication
Transitional Suite B Combination 1 Transitional Suite B Combination 2
---------------------------------- ----------------------------------
AES with 128-bit key in CBC mode AES with 256-bit key in CBC mode
ECDH using the 256-bit prime ECDH using the 384-bit prime
modulus curve P-256 [DSS] modulus curve P-384 [DSS]
Standard TLS PRF Standard TLS PRF
(with SHA-1 and MD5) (with SHA-1 and MD5)
HMAC with SHA-1 for message HMAC with SHA-1 for message
authentication authentication
A Transitional Suite B TLS system configured at a minimum level of security of 128 bits MUST use a TLS cipher suite satisfying either Transitional Suite B Combination 1 in its entirety or Transitional Suite B Combination 2 in its entirety.
以128位的最低安全级别配置的过渡套件B TLS系统必须使用满足过渡套件B组合1整体或过渡套件B组合2整体的TLS密码套件。
A Transitional Suite B TLS system configured at a minimum level of security of 192 bits MUST use a TLS cipher suite satisfying Transitional Suite B Combination 2 in its entirety.
以192位的最低安全级别配置的过渡套件B TLS系统必须全部使用满足过渡套件B组合2的TLS密码套件。
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA satisfy the requirements of Transitional Suite B Combination 1 and Transitional Suite B Combination 2, respectively.
TLS_ECDHE_ECDSA_与_AES_128_CBC_SHA和TLS_ECDHE_ECDSA_与_AES_256_CBC_SHA分别满足过渡套房B组合1和过渡套房B组合2的要求。
A Transitional Suite B TLS client MUST implement TLS version 1.1 or earlier.
过渡套件B TLS客户端必须实现TLS 1.1版或更早版本。
A Transitional Suite B TLS system configured at a minimum level of security of 128 bits, MUST offer the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite and/or the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite in the
以128位最低安全级别配置的过渡套件B TLS系统必须提供TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA密码套件和/或TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA密码套件
ClientHello message. The TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite is preferred; if it is offered, it MUST appear before the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite (if present).
ClientHello留言。首选TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA密码套件;如果提供,它必须出现在TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA密码套件(如果存在)之前。
A Transitional Suite B TLS system configured at a minimum level of security of 192 bits MUST offer the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite in the ClientHello message.
以192位的最低安全级别配置的过渡套件B TLS系统必须在ClientHello消息中为TLS_ECDHE_ECDSA_提供带有_AES_256_CBC_SHA密码套件。
One of these Transitional Suite B cipher suites MUST be the first (most preferred) in the ClientHello message.
其中一个过渡套件B密码套件必须是ClientHello消息中的第一个(首选)。
A Transitional Suite B client that offers interoperability with servers that are not Suite B transitional MAY offer additional cipher suites. If any additional cipher suites are offered, they MUST appear after the Transitional Suite B cipher suites in the ClientHello message.
提供与非SuiteB Transitional的服务器互操作性的Transitional SuiteB客户端可能会提供额外的密码套件。如果提供了任何其他密码套件,它们必须出现在ClientHello消息中过渡套件B密码套件之后。
A Transitional Suite B TLS server MUST implement TLS version 1.1 or earlier.
过渡套件B TLS服务器必须实现TLS版本1.1或更低版本。
A Transitional Suite B TLS server configured at a minimum level of security of 128 bits MUST accept the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite (preferred) or the TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if offered in the ClientHello message.
以128位最低安全级别配置的过渡套件B TLS服务器必须接受TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA密码套件(首选)或TLS_ECHDE_ECDSA_和_AES_256_CBC_SHA密码套件(如果在ClientHello消息中提供)。
A Transitional Suite B TLS server configured at a minimum level of security of 192 bits MUST accept the TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if offered in the ClientHello message.
以192位最低安全级别配置的过渡套件B TLS服务器必须接受TLS_ECHDE_ECDSA_和_AES_256_CBC_SHA密码套件(如果在ClientHello消息中提供)。
If a Transitional Suite B TLS server is not offered the Transitional Suite B cipher suites and interoperability with non-Transitional Suite B clients is desired, then the server MAY accept another offered cipher suite that is considered acceptable by the server administrator.
如果过渡套件B TLS服务器未提供过渡套件B密码套件,并且需要与非过渡套件B客户端的互操作性,则服务器可以接受服务器管理员认为可接受的另一个提供的密码套件。
A Transitional Suite B TLS server MUST sign the ServerKeyExchange message using ECDSA with SHA-1. The Transitional Suite B profile does not impose any additional restrictions on the server certificate signature or the signature schemes used elsewhere in the certification path. Likewise, the Transitional Suite B Profile does not impose restrictions on signature schemes used in the certification path for the client's certificate when mutual authentication is employed.
过渡套件B TLS服务器必须使用ECDSA和SHA-1对ServerKeyExchange消息进行签名。过渡套件B配置文件不会对服务器证书签名或证书路径中其他位置使用的签名方案施加任何附加限制。同样,当采用相互认证时,过渡套件B配置文件不会对客户端证书的认证路径中使用的签名方案施加限制。
Annex B. Changes since RFC 5430
附件B.自RFC 5430以来的变化
The changes from RFC 5430 [RFC5430] are as follows:
RFC 5430[RFC5430]的变化如下:
- The transitional profile for use with TLS version 1.0, TLS version 1.1, and DTLS version 1.0 was moved to an annex.
- 与TLS 1.0版、TLS 1.1版和DTLS 1.0版一起使用的过渡配置文件已移至附录中。
- The requirement of Section 4 of RFC 5430 that a Suite B TLS 1.2 Client offer the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 cipher suites was removed.
- RFC 5430第4节要求套件B TLS 1.2客户提供TLS_ECDHE_ECDSA_和_AES_128_CBC_SHA256或TLS_ECDHE_ECDSA_和_AES_256_CBC_SHA384密码套件的要求被删除。
- A Suite B TLS system configured at a minimum level of security of 128 bits MUST use either TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, with the first being preferred.
- 以128位的最低安全级别配置的套件B TLS系统必须使用TLS_ECDHE_ECDSA_搭配_AES_128_GCM_SHA256或TLS_ECDHE_ECDSA_搭配_AES_256_GCM_SHA384,首选第一种。
- A Suite B TLS system configured at a minimum level of security of 128 bits MUST use either ECDSA on the secp256r1 curve with SHA-256 or ECDSA on the secp384r1 curve with SHA-384. One party can authenticate with ECDSA on the secp256r1 curve and SHA-256 when the other party authenticates with ECDSA on the secp384r1 curve and SHA-384.
- 以128位最低安全级别配置的套件B TLS系统必须在secp256r1曲线上使用ECDSA(含SHA-256)或在secp384r1曲线上使用ECDSA(含SHA-384)。当另一方在secp384r1曲线和SHA-384上使用ECDSA进行身份验证时,一方可以在secp256r1曲线和SHA-256上使用ECDSA进行身份验证。
- A system desiring to negotiate a Suite B TLS connection at a minimum level of security of 128 bits MUST generate a "Supported Elliptic Curves Extension", MUST include secp256r1 in the extension, and SHOULD include secp384r1 in the extension.
- 希望以128位的最低安全级别协商Suite B TLS连接的系统必须生成“支持的椭圆曲线扩展”,扩展中必须包含secp256r1,扩展中应该包含secp384r1。
- A client and server, in order to verify digital signatures in a Suite B TLS system configured at a minimum level of security of 128 bits, MUST support secp256r1 and SHOULD support secp384r1.
- 为了验证以128位最低安全级别配置的Suite B TLS系统中的数字签名,客户机和服务器必须支持secp256r1,并应支持secp384r1。
- A Suite B TLS client configured at a minimum level of security of 128 bits MUST offer SHA-256 with ECDSA and SHOULD offer SHA-384 with ECDSA in the signature_algorithms extension.
- 以128位的最低安全级别配置的套件B TLS客户端必须提供带有ECDSA的SHA-256,并应在签名算法扩展中提供带有ECDSA的SHA-384。
- Certification path validation MUST only include certificates containing an ECDSA public key on the secp256r1 curve or on the secp384r1 curve. The ECDSA public keys used in the certification path MUST be in non-descending order of size from the end entity public key to the root public key.
- 证书路径验证必须仅包括secp256r1曲线或secp384r1曲线上包含ECDSA公钥的证书。证书路径中使用的ECDSA公钥的大小必须按从最终实体公钥到根公钥的非降序排列。
- A Suite B TLS server configured at a minimum level of security of 128 bits MUST include ECDSA with SHA-256 and SHOULD include ECDSA with SHA-384 in the supported_signature_algorithms field of the CertificateRequest message.
- 以128位的最低安全级别配置的套件B TLS服务器必须包括带有SHA-256的ECDSA,并且应在CertificateRequest消息的supported_signature_algorithms字段中包括带有SHA-384的ECDSA。
- A Suite B TLS client configured at a minimum level of security of 128 bits MUST use ECDSA on the secp256r1 curve and SHA-256 or ECDSA on the secp384r1 curve and SHA-384.
- 以128位最低安全级别配置的套件B TLS客户端必须在secp256r1曲线和SHA-256上使用ECDSA,或在secp384r1曲线和SHA-384上使用ECDSA。
- A Suite B TLS server configured at a minimum level of security of 128 bits MUST use either ECDSA on the secp256r1 curve and SHA-256 or ECDSA on the secp384r1 curve and SHA-384 when signing the ServerKeyExchange message.
- 对ServerKeyExchange消息签名时,以128位最低安全级别配置的Suite B TLS服务器必须在secp256r1曲线和SHA-256上使用ECDSA,或在secp384r1曲线和SHA-384上使用ECDSA。
Authors' Addresses
作者地址
Margaret Salter National Security Agency 9800 Savage Rd. Fort Meade 20755-6709 USA EMail: misalte@nsa.gov
玛格丽特·索尔特国家安全局美国米德堡萨维奇路9800号20755-6709电子邮件:misalte@nsa.gov
Russ Housley Vigil Security 918 Spring Knoll Drive Herndon 21070 USA EMail: housley@vigilsec.com
Russ Housley Vigil Security 918 Spring Knoll Drive Herndon 21070美国电子邮件:housley@vigilsec.com