
The ChaCha Stream Cipher for Transport Layer Security
draft-mavrogiannopoulos-chacha-tls-03

The information below is for an old version of the document.
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
Authors: Adam Langley, Wan-Teh Chang, Nikos Mavrogiannopoulos, Joachim Strombergson, Simon Josefsson
Last updated: 2014-09-22
Replaced by: draft-ietf-tls-chacha20-poly1305, RFC 7905
     TLS_RSA_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD}
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD}
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD}

     TLS_DHE_RSA_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD}
     TLS_DHE_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD}

     TLS_PSK_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD}
     TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD}
     TLS_RSA_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD}

5.  Updates to the TLS Standard Stream Cipher

   The ChaCha20 ciphersuites with HMAC-SHA1 defined in this document
   differ from the TLS RC4 ciphersuites that have been the basis for the
   definition of the Standard Stream Cipher.  Unlike RC4, ChaCha20
   requires a nonce per record.  This, however, does not affect the
   description of the Standard Stream Cipher if one assumes that a nonce
   is optional and depends on the cipher's characteristics.

   Hence, this document modifies the Standard Stream Cipher by adding an
   implicit nonce.  The implicit nonce may consist of

   o  an optional fixed component ("salt"), generated from the
      key_block;

   o  a variable component, based on the 64-bit TLS record sequence
      number or the concatenation of the 16-bit epoch with the 48-bit
      sequence number in case of DTLS.

   Stream ciphers that don't require a nonce such as RC4 shall ignore
   it.  Other stream ciphers that require a nonce, such as ChaCha20 with
   HMAC-SHA1, will use the nonce and reset their state on each record.

6.  Updates to DTLS

   The DTLS protocol requires the cipher in use to introduce no
   dependencies between TLS Records to allow lost or rearranged records.
   For that it explicitly bans stream ciphers (see Section 3.1 of
   [RFC6347]).

   As the stream cipher described in this document, unlike RC4, does not
   introduce dependencies between records, this ban on stream ciphers is
   lifted by this document.  Stream ciphers can be used with DTLS if
   they introduce no dependencies between records.
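   The following is an added illustration, not code from the draft or
   from any TLS implementation, of the implicit nonce of Section 5 and
   of the record independence that Section 6 relies on.  It assumes a
   4-byte salt taken from the key_block and the 32-bit counter / 96-bit
   nonce ChaCha20 state layout of RFC 7539 (neither is fixed by the text
   above); Poly1305 authentication is left out.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    # ChaCha quarter round on four words of the 16-word state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # One 64-byte keystream block.  State: 4 constant words, 8 key words,
    # a 32-bit block counter and a 96-bit nonce (RFC 7539 layout, assumed here).
    init = list(struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key))
    init += [counter] + list(struct.unpack("<3I", nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (4 column + 4 diagonal)
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(init, s)))

def record_nonce(salt, seq, epoch=None):
    # Section 5 implicit nonce: fixed salt from key_block || variable part.
    # TLS: the 64-bit record sequence number.  DTLS: 16-bit epoch || 48-bit seq.
    # The salt length (4 bytes, giving a 12-byte nonce) is an assumption.
    if epoch is None:
        if not 0 <= seq < 1 << 64:
            raise ValueError("sequence number exhausted: must never wrap")
        variable = seq.to_bytes(8, "big")
    else:
        if not (0 <= epoch < 1 << 16 and 0 <= seq < 1 << 48):
            raise ValueError("DTLS epoch or sequence number out of range")
        variable = ((epoch << 48) | seq).to_bytes(8, "big")
    return salt + variable

def chacha20_record(key, nonce, data, initial_counter=1):
    # Fresh cipher state per record: the keystream depends only on
    # (key, nonce, counter), never on the previous record, so a lost or
    # reordered DTLS record does not prevent decrypting the next one.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, initial_counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)
```

   Because each record's nonce is computable from its own header (and
   the salt), records can be decrypted in any order and a sequence
   number is never reused under one key unless the caller wraps it.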

Langley, et al.          Expires March 26, 2015                 [Page 5]
Internet-Draft                 chacha-tls                 September 2014

7.  Acknowledgements

   The authors would like to thank Zooko Wilcox-O'Hearn and Samuel Neves.

8.  IANA Considerations

   IANA is requested to assign the following Cipher Suites in the TLS
   Cipher Suite Registry:

     TLS_RSA_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD}
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD}
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD}

     TLS_DHE_RSA_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD}
     TLS_DHE_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD}

     TLS_PSK_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD}
     TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD}
     TLS_RSA_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD}

     TLS_RSA_WITH_CHACHA20_SHA              = {0xTBD, 0xTBD}
     TLS_ECDHE_RSA_WITH_CHACHA20_SHA        = {0xTBD, 0xTBD}
     TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA      = {0xTBD, 0xTBD}

     TLS_DHE_RSA_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD}
     TLS_DHE_PSK_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD}

     TLS_PSK_WITH_CHACHA20_SHA              = {0xTBD, 0xTBD}
     TLS_ECDHE_PSK_WITH_CHACHA20_SHA        = {0xTBD, 0xTBD}
     TLS_RSA_PSK_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD}

9.  Security Considerations

   ChaCha20 follows the same basic principle as Salsa20, a cipher with
   significant security review [SALSA20-SECURITY][ESTREAM].  At the time
   of writing this document, there are no known significant security
   problems with either cipher, and ChaCha20 has been shown to be more
   resistant to certain attacks than Salsa20 [SALSA20-ATTACK].
   Furthermore, ChaCha20 was used as the core of the BLAKE hash
   function, a SHA-3 finalist that received considerable cryptanalytic
   attention [NIST-SHA3].

   Poly1305 is designed to ensure that forged messages are rejected with
   a probability of 1-(n/2^102) for a 16*n byte message, even after
   sending 2^64 legitimate messages.

   The cipher suites described in this document require that a nonce is
   never repeated under the same key.  The design presented ensures that
   by using the TLS sequence number, which is unique and does not wrap
   [RFC5246].

   This document should not introduce any other security considerations
   than those that directly follow from the use of the stream cipher
   ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that
   directly follow from introducing any set of stream cipher suites into
   TLS and DTLS (see also the Security Considerations section of
   [I-D.nir-cfrg-chacha20-poly1305]).

10.  References

10.1.  Normative References

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [I-D.nir-cfrg-chacha20-poly1305]
              Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in
              progress), January 2014.


10.2.  Informative References

   [CHACHA]   Bernstein, D., "ChaCha, a variant of Salsa20", January
              2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>.

   [POLY1305]
              Bernstein, D., "The Poly1305-AES message-authentication
              code.", March 2005,
              <http://cr.yp.to/mac/poly1305-20050329.pdf>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [SALSA20SPEC]
              Bernstein, D., "Salsa20 specification", April 2005,
              <http://cr.yp.to/snuffle/spec.pdf>.

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.

   [SALSA20-SECURITY]
              Bernstein, D., "Salsa20 security", April 2005,
              <http://cr.yp.to/snuffle/security.pdf>.

   [ESTREAM]  Babbage, S., De Canniere, C., Canteaut, A., Cid, C.,
              Gilbert, H., Johansson, T., Parker, M., Preneel, B.,
              Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev.
              1)", September 2008,
              <http://www.ecrypt.eu.org/stream/finallist.html>.

   [CBC-ATTACK]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [RC4-ATTACK]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full
              Plaintext Recovery Attack on Broadcast RC4", International
              Workshop on Fast Software Encryption, 2013.

   [SALSA20-ATTACK]
              Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and
              C. Rechberger, "New Features of Latin Dances: Analysis of
              Salsa, ChaCha, and Rumba", 2007,
              <http://eprint.iacr.org/2007/472.pdf>.


   [NIST-SHA3]
              Chang, S., Burr, W., Kelsey, J., Paul, S., and L. Bassham,
              "Third-Round Report of the SHA-3 Cryptographic Hash
              Algorithm Competition", 2012,
              <http://dx.doi.org/10.6028/NIST.IR.7896>.

Authors' Addresses

   Adam Langley
   Google Inc

   Email: agl@google.com

   Wan-Teh Chang
   Google Inc

   Email: wtc@google.com

   Nikos Mavrogiannopoulos
   Red Hat

   Email: nmav@redhat.com

   Joachim Strombergson
   Secworks Sweden AB

   Email: joachim@secworks.se
   URI:   http://secworks.se/

   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/
