Network Working Group S. Kanno
Internet-Draft NTT Software Corporation
Intended status: Informational M. Kanda
Expires: August 1, 2011 NTT
January 28, 2011
Camellia cipher for the Secure Shell Transport Layer Protocol
draft-kanno-secsh-camellia-02
Abstract
Secure shell (SSH) is a secure remote-login protocol. SSH provides
for algorithms that provide authentication, key agreement,
confidentiality, and data-integrity services. The purpose of this
document is to specify the Camellia cipher as symmetric encryption
algorithm for the SSH Transport Layer Protocol.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 1, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Kanno & Kanda Expires August 1, 2011 [Page 1]
Internet-Draft Camellia for Secure Shell January 2011
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 9
7.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Kanno & Kanda Expires August 1, 2011 [Page 2]
Internet-Draft Camellia for Secure Shell January 2011
1. Introduction
The SSH protocol [3] can support many different symmetric ciphers as
encryption methods.
This document describes the necessary information to use the Camellia
[1] symmetric cipher in the SSH protocol.
This document specifies three modes (Cipher Block Chaining (CBC)
mode, Counter (CTR) mode, and Galois Counter Mode (GCM)) as
encryption method.
Kanno & Kanda Expires August 1, 2011 [Page 3]
Internet-Draft Camellia for Secure Shell January 2011
2. Encryption
This document describes the Camellia cipher for use with the SSH
Transport Protocol. For the Camellia modes, these specifications
comply with AES:
Modes Specifications
---------------------------------------
Camellia in CBC mode RFC4253
Camellia in CTR mode RFC4344
Camellia in GCM mode RFC5647
This document describes the following new methods:
camellia256-cbc OPTIONAL Camellia in CBC mode,
with a 256-bit key
camellia192-cbc OPTIONAL Camellia with a 192-bit key
camellia128-cbc OPTIONAL Camellia with a 128-bit key
camellia256-ctr OPTIONAL Camellia in CTR mode,
with 256-bit key
camellia192-ctr OPTIONAL Camellia with a 192-bit key
camellia128-ctr OPTIONAL Camellia with a 128-bit key
AEAD_CAMELLIA_256_GCM OPTIONAL Camellia in GCM mode,
with a 256-bit key
AEAD_CAMELLIA_128_GCM OPTIONAL Camellia with a 128-bit key
The "camellia256-cbc" cipher is Camellia in CBC mode. This version
uses a 256-bit key. The "camellia192-cbc" cipher is the same as
above, but with a 192-bit key. The "camellia128-cbc" cipher is the
same as above, but with a 128-bit key.
The "camellia256-ctr" cipher is Camellia in CTR mode. This version
uses a 256-bit key. The "camellia192-ctr" cipher is the same as
above, but with a 192-bit key. The "camellia256-ctr" cipher is the
same as above, but with a 256-bit key.
The "AEAD_CAMELLIA_256_GCM" is Camellia in GCM mode. This version
uses a 256-bit key. The "AEAD_CAMELLIA_128_GCM" is the same as
above, but with a 128-bit key.
Kanno & Kanda Expires August 1, 2011 [Page 4]
Internet-Draft Camellia for Secure Shell January 2011
3. MAC
This document describes the Camellia-GCM for use with the SSH
Transport Protocol as a MAC. For the MAC of Camellia-GCM, the
specification comply with AES for GCM mode:
Modes Specification
--------------------------------------
Camellia in GCM mode RFC5647
This document describes the addition of the following two entities to
the SSH MAC algorithm names registry described in [2]:
AEAD_CAMELLIA_256_GCM OPTIONAL Camellia in GCM mode,
with a 256-bit key
AEAD_CAMELLIA_128_GCM OPTIONAL Camellia with a 128-bit key
The "AEAD_CAMELLIA_256_GCM" is Camellia in GCM mode. This version
uses a 256-bit key. The "AEAD_CAMELLIA_128_GCM" is the same as
above, but with a 128-bit key.
Kanno & Kanda Expires August 1, 2011 [Page 5]
Internet-Draft Camellia for Secure Shell January 2011
4. Key Exchange
The Camellia cipher uses these key exchange protocols as well as AES.
These key exchange protocols are described in Section 7 of [3],
Section 5.1 of [6], and Section 4 and 5 of [5].
Kanno & Kanda Expires August 1, 2011 [Page 6]
Internet-Draft Camellia for Secure Shell January 2011
5. Security Considerations
At the time of writing this document there are no known weak keys for
Camellia. And no security problem has been found on Camellia (see
[7], [8], and [9]).
For the SSH security considerations, this document refers to Section
14 of [3], Section 6 of [4], Section 8 of [6], and Section 9 of [5].
Kanno & Kanda Expires August 1, 2011 [Page 7]
Internet-Draft Camellia for Secure Shell January 2011
6. IANA Considerations
The eight encryption algorithm names are defined in Section 2, and
the two MAC algorithm names are defined in Section 3. These names
request to add to the Secure Shell Encryption Algorithm Name
registry.
Kanno & Kanda Expires August 1, 2011 [Page 8]
Internet-Draft Camellia for Secure Shell January 2011
7. References
7.1. Normative
[1] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.
[2] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) Protocol
Assigned Numbers", RFC 4250, January 2006.
[3] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Transport
Layer Protocol", RFC 4253, January 2006.
[4] Bellare, M., Kohno, T., and C. Namprempre, "The Secure Shell
(SSH) Transport Layer Encryption Modes", RFC 4344, January 2006.
[5] Stebila, D. and J. Green, "Elliptic Curve Algorithm Integration
in the Secure Shell Transport Layer", RFC 5656, December 2009.
[6] Igoe, K. and J. Solinas, "AES Galois Counter Mode for the Secure
Shell Transport Layer Protocol", RFC 5647, August 2009.
[7] Mala, H., Shakiba, M., and M. Dakhil-alian, "New Results on
Impossible Differential Cryptanalysis of Reduced Round Camellia-
128", November 2009,
.
7.2. Informative
[8] "The NESSIE project (New European Schemes for Signatures,
Integrity and Encryption)",
.
[9] Information-technology Promotion Agency (IPA), "Cryptography
Research and Evaluation Committees",
.
Kanno & Kanda Expires August 1, 2011 [Page 9]
Internet-Draft Camellia for Secure Shell January 2011
Authors' Addresses
Satoru Kanno
NTT Software Corporation
Phone: +81-45-212-9803
Fax: +81-45-212-9800
Email: kanno.satoru@po.ntts.co.jp
Masayuki Kanda
NTT
Phone: +81-422-59-3456
Fax: +81-422-59-4015
Email: kanda.masayuki@lab.ntt.co.jp
Kanno & Kanda Expires August 1, 2011 [Page 10]