| TLS Working Group | D. McGrew |
| Internet-Draft | Cisco Systems |
| Intended status: Informational | D. Bailey |
| Expires: January 02, 2014 | RSA/EMC |
| M. Campagna | |
| R. Dugal | |
| Certicom Corp. | |
| July 2013 |
AES-CCM ECC Cipher Suites for TLS
draft-mcgrew-tls-aes-ccm-ecc-07
This memo describes the use of the Advanced Encryption Standard (AES) in the Counter and CBC-MAC Mode (CCM) of operation within Transport Layer Security (TLS) to provide confidentiality and data origin authentication. The AES-CCM algorithm is amenable to compact implementations, making it suitable for constrained environments. The ciphersuites defined in this document use Elliptic Curve Cryptography (ECC), and are advantageous in networks with limited bandwidth.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 02, 2014.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document describes the use of Advanced Encryption Standard (AES) [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS ciphersuites. AES-CCM provides both authentication and confidentiality and uses as its only primitive the AES encrypt operation (the AES decrypt operation is not needed). This makes it amenable to compact implementations, which is advantageous in constrained environments. Of course, adoption outside of constrained environments is necessary to enable interoperability, such as that between web clients and embedded servers, or between embedded clients and web servers. The use of AES-CCM has been specified for IPsec ESP [RFC4309] and 802.15.4 wireless networks [IEEE802154].
Authenticated encryption, in addition to providing confidentiality for the plaintext that is encrypted, provides a way to check its integrity and authenticity. Authenticated Encryption with Associated Data, or AEAD [RFC5116], adds the ability to check the integrity and authenticity of some associated data that is not encrypted. This memo utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES-CCM-based AEAD algorithms defined in [RFC5116] and [RFC6655] . All of these algorithms use AES-CCM; some have shorter authentication tags, and are therefore more suitable for use across networks in which bandwidth is constrained and message sizes may be small.
The ciphersuites defined in this document use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) as their key establishment mechanism; these ciphersuites can be used with DTLS [RFC6347].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The ciphersuites defined in this document are based on the AES-CCM authenticated encryption with associated data (AEAD) algorithms AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The following ciphersuites are defined:
These ciphersuites make use of the AEAD capability in TLS 1.2 [RFC5246]. Note that each of these AEAD algorithms uses AES-CCM. Ciphersuites ending with "8" use eight-octet authentication tags; the other ciphersuites have 16 octet authentication tags.
The HMAC truncation option described in Section 7 of [RFC6066] (which negotiates the "truncated_hmac" TLS extension) does not have an effect on the cipher suites defined in this note, because they do not use HMAC to protect TLS records.
The "nonce" input to the AEAD algorithm is as defined in [RFC6655].
In DTLS, the 64-bit seq_num field is the 16-bit DTLS epoch field concatenated with the 48-bit sequence_number field. The epoch and sequence_number appear in the DTLS record layer.
This construction allows the internal counter to be 32-bits long, which is a convenient size for use with CCM.
These ciphersuites make use of the default TLS 1.2 Pseudorandom Function (PRF), which uses HMAC with the SHA-256 hash function.
The ECDHE_ECDSA key exchange is performed as defined in [RFC4492], with the following additional stipulations:
Implementations of these ciphersuites will interoperate with [RFC4492], but can be more compact than a full implementation of that RFC.
The following AEAD algorithms are used:
Implementations SHOULD select elliptic curves and hash functions so that AES-128 is used with a curve and a hash function supporting a 128-bit security level, and AES-256 is used with a curve and a hash function supporting a 192-bit or 256-bit security level. More detailed guidance on cryptographic parameter selection is given in [SP800-57] (see especially Tables 2 and 3).
Appendix A describes suitable curves and hash functions that are widely available.
These ciphersuites make use of the authenticated encryption with additional data defined in TLS 1.2 [RFC5288]. They MUST NOT be negotiated in older versions of TLS. Clients MUST NOT offer these cipher suites if they do not offer TLS 1.2 or later. Servers which select an earlier version of TLS MUST NOT select one of these cipher suites. Earlier versions do not have support for AEAD; for instance, the TLSCiphertext structure does not have the "aead" option in TLS 1.1. Because TLS has no way for the client to indicate that it supports TLS 1.2 but not earlier, a non-compliant server might potentially negotiate TLS 1.1 or earlier and select one of the cipher suites in this document. Clients MUST check the TLS version and generate a fatal "illegal_parameter" alert if they detect an incorrect version.
The 07 version removed the mandatory-to-implement elliptic curves and hash functions, and replaced them with non-normative guidance, which is in Appendix A.
The 06 version replaced obsoleted references with updated ones to RFC6066, RFC6655, RFC5246, fixes a boilerplate error, and corrects the section reference for the truncated HMAC RFC. It also changes the mandatory-to-implement curves and hash algorithms to be less restrictive, so that the specification can potentially be used with curves other than secp256r1, secp384r1, and secp521r1. A reference to SP 800-57 was added to provide guidance on parameter selection.
The 05 version updated the IANA considerations.
The 04 version changed the intended status to "Informational", and removed the redundant definition of the AEAD nonce and replaced it with a reference to draft-mcgrew-tls-aes-ccm, to avoid incompatible descriptions.
The 03 version removed materials that are redundant with draft-mcgrew-tls-aes-ccm, and replaced them with references to that draft. That draft has been approved for RFC and will be a suitable stable normative reference.
The 02 version removed the AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12 AEAD algorithms, because they were not needed in any ciphersuites. The AES-256 ciphersuites were retained, however, to provide a secure cipher for use with the higher security curves secp384r1 and secp521r1.
This section is to be removed by the RFC editor upon publication.
IANA is requested to assign the values for the ciphersuites defined in Section Section 2 from the TLS and DTLS CipherSuite registries. IANA, please note that the DTLS-OK column should be marked as "Y" for each of these algorithms.
The perfect forward secrecy properties of ephemeral Diffie-Hellman ciphersuites are discussed in the security analysis of [RFC5246]. This analysis applies to the ECDHE ciphersuites.
AES-CCM security requires that the counter is never reused. The IV construction in Section 2 is designed to prevent counter reuse.
This draft borrows heavily from [RFC5288]. Thanks are due to Robert Cragie for his great help in making this work complete, correct, and useful, and to Peter Dettman for his review.
This draft is motivated by the considerations raised in the Zigbee Smart Energy 2.0 working group.
| [RFC4309] | Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. |
| [IEEE802154] | Institute of Electrical and Electronics Engineers, "Wireless Personal Area Networks", IEEE Standard 802.15.4-2006, 2006. |
This memo does not mandate any particular elliptic curves or cryptographic algorithms, for the sake of flexibility. However, since the main motivation for the AES-CCM-ECC ciphersuites is their suitability for constrained environments, it is valuable to identify a particular suitable set of curves and algorithms.
This appendix identifies a set of elliptic curves and cryptographic algorithms that meet the requirements of this note, which are widely supported and believed to be secure.
The curves and hash algorithms recommended for each ciphersuite are:
More information about the secp256r1, secp384r1, and secp521r1 curves is available in Appendix A of [RFC4492].
It is not necessary to implement the above curves and hash functions in order to conform to this specification. Other elliptic curves, such as the Brainpool curves [RFC5639] for example, meet the criteria laid out in this memo.