The ChaCha Stream Cipher for Transport Layer Security
draft-mavrogiannopoulos-chacha-tls-03
The information below is for an old version of the document.

Document
  Type:                   Older version of an Internet-Draft whose latest revision state is "Replaced"
  Authors:                Adam Langley, Wan-Teh Chang, Nikos Mavrogiannopoulos, Joachim Strombergson, Simon Josefsson
  Last updated:           2014-09-22
  Replaced by:            draft-ietf-tls-chacha20-poly1305, RFC 7905
  RFC stream:             (None)

Stream
  Stream state:           (No stream defined)
  Consensus boilerplate:  Unknown
  RFC Editor Note:        (None)

IESG
  IESG state:             I-D Exists
  Telechat date:          (None)
  Responsible AD:         (None)
  Send notices to:        (None)
draft-mavrogiannopoulos-chacha-tls-03
   TLS_RSA_WITH_CHACHA20_POLY1305          = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_CHACHA20_POLY1305      = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_CHACHA20_POLY1305      = {0xTBD, 0xTBD}
   TLS_PSK_WITH_CHACHA20_POLY1305          = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305    = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_CHACHA20_POLY1305      = {0xTBD, 0xTBD}

5.  Updates to the TLS Standard Stream Cipher

   The ChaCha20 ciphersuites with HMAC-SHA1 defined in this document
   differ from the TLS RC4 ciphersuites that have been the basis for the
   definition of the Standard Stream Cipher.  Unlike RC4, ChaCha20
   requires a nonce per record.  This, however, does not affect the
   description of the Standard Stream Cipher if one assumes that a nonce
   is optional and depends on the cipher's characteristics.  Hence, this
   document modifies the Standard Stream Cipher by adding an implicit
   nonce.  The implicit nonce may consist of

   o  an optional fixed component ("salt"), generated from the
      key_block;

   o  a variable component, based on the 64-bit TLS record sequence
      number or, in the case of DTLS, the concatenation of the 16-bit
      epoch with the 48-bit sequence number.

   Stream ciphers that do not require a nonce, such as RC4, shall ignore
   it.  Other stream ciphers that require a nonce, such as ChaCha20 with
   HMAC-SHA1, will use the nonce and reset their state on each record.

6.  Updates to DTLS

   The DTLS protocol requires the cipher in use to introduce no
   dependencies between TLS records, so that lost or rearranged records
   can be tolerated.  For that reason it explicitly bans stream ciphers
   (see Section 3.1 of [RFC6347]).  Since the stream cipher described in
   this document, unlike RC4, does not require dependencies between
   records, this ban on stream ciphers is lifted by this document.
   Stream ciphers can be used with DTLS if they introduce no
   dependencies between records.

Langley, et al.          Expires March 26, 2015                 [Page 5]
Internet-Draft                 chacha-tls                 September 2014

7.  Acknowledgements

   The authors would like to thank Zooko Wilcox-O'Hearn and Samuel
   Neves.

8.  IANA Considerations

   IANA is requested to assign the following cipher suites in the TLS
   Cipher Suite Registry:

   TLS_RSA_WITH_CHACHA20_POLY1305          = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_CHACHA20_POLY1305      = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_CHACHA20_POLY1305      = {0xTBD, 0xTBD}
   TLS_PSK_WITH_CHACHA20_POLY1305          = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305    = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_CHACHA20_POLY1305      = {0xTBD, 0xTBD}
   TLS_RSA_WITH_CHACHA20_SHA               = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_CHACHA20_SHA         = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA       = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_CHACHA20_SHA           = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_CHACHA20_SHA           = {0xTBD, 0xTBD}
   TLS_PSK_WITH_CHACHA20_SHA               = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_CHACHA20_SHA         = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_CHACHA20_SHA           = {0xTBD, 0xTBD}

9.  Security Considerations

   ChaCha20 follows the same basic principle as Salsa20, a cipher with
   significant security review [SALSA20-SECURITY][ESTREAM].  At the time
   of writing this document, there are no known significant security
   problems with either cipher, and ChaCha20 has been shown to be more
   resistant to certain attacks than Salsa20 [SALSA20-ATTACK].
   Furthermore, ChaCha20 was used as the core of the BLAKE hash
   function, a SHA-3 finalist, which received considerable
   cryptanalytic attention [NIST-SHA3].

   Poly1305 is designed to ensure that forged messages are rejected with
   a probability of 1-(n/2^102) for a 16*n byte message, even after
   sending 2^64 legitimate messages.

   The cipher suites described in this document require that a nonce is
   never repeated under the same key.  The design presented ensures this
   by using the TLS sequence number, which is unique and does not wrap
   [RFC5246].
   This document should not introduce any other security considerations
   than those that directly follow from the use of the stream cipher
   ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that
   directly follow from introducing any set of stream cipher suites into
   TLS and DTLS (see also the Security Considerations section of
   [I-D.nir-cfrg-chacha20-poly1305]).

10.  References

10.1.  Normative References

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and
              B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher
              Suites for Transport Layer Security (TLS)", RFC 4492,
              May 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [I-D.nir-cfrg-chacha20-poly1305]
              Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in
              progress), January 2014.

10.2.  Informative References

   [CHACHA]   Bernstein, D., "ChaCha, a variant of Salsa20",
              January 2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>.

   [POLY1305] Bernstein, D., "The Poly1305-AES message-authentication
              code", March 2005,
              <http://cr.yp.to/mac/poly1305-20050329.pdf>.
   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [SALSA20SPEC]
              Bernstein, D., "Salsa20 specification", April 2005,
              <http://cr.yp.to/snuffle/spec.pdf>.

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.

   [SALSA20-SECURITY]
              Bernstein, D., "Salsa20 security", April 2005,
              <http://cr.yp.to/snuffle/security.pdf>.

   [ESTREAM]  Babbage, S., DeCanniere, C., Canteaut, A., Cid, C.,
              Gilbert, H., Johansson, T., Parker, M., Preneel, B.,
              Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio
              (rev. 1)", September 2008,
              <http://www.ecrypt.eu.org/stream/finallist.html>.

   [CBC-ATTACK]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [RC4-ATTACK]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii,
              "Full Plaintext Recovery Attack on Broadcast RC4",
              International Workshop on Fast Software Encryption, 2013.

   [SALSA20-ATTACK]
              Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and
              C. Rechberger, "New Features of Latin Dances: Analysis of
              Salsa, ChaCha, and Rumba", 2007,
              <http://eprint.iacr.org/2007/472.pdf>.

   [NIST-SHA3]
              Chang, S., Burr, W., Kelsey, J., Paul, S., and
              L. Bassham, "Third-Round Report of the SHA-3
              Cryptographic Hash Algorithm Competition", 2012,
              <http://dx.doi.org/10.6028/NIST.IR.7896>.

Authors' Addresses

   Adam Langley
   Google Inc

   Email: agl@google.com


   Wan-Teh Chang
   Google Inc

   Email: wtc@google.com


   Nikos Mavrogiannopoulos
   Red Hat

   Email: nmav@redhat.com


   Joachim Strombergson
   Secworks Sweden AB

   Email: joachim@secworks.se
   URI:   http://secworks.se/


   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/