draft-ietf-tls-chacha20-poly1305-03.txt | draft-ietf-tls-chacha20-poly1305-04.txt | |||
---|---|---|---|---|
Network Working Group A. Langley | Network Working Group A. Langley | |||
Internet-Draft W. Chang | Internet-Draft W. Chang | |||
Updates: 5246, 6347 (if approved) Google Inc | Updates: 5246, 6347 (if approved) Google Inc | |||
Intended status: Standards Track N. Mavrogiannopoulos | Intended status: Standards Track N. Mavrogiannopoulos | |||
Expires: June 2, 2016 Red Hat | Expires: June 18, 2016 Red Hat | |||
J. Strombergson | J. Strombergson | |||
Secworks Sweden AB | Secworks Sweden AB | |||
S. Josefsson | S. Josefsson | |||
SJD AB | SJD AB | |||
November 30, 2015 | December 16, 2015 | |||
ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) | ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) | |||
draft-ietf-tls-chacha20-poly1305-03 | draft-ietf-tls-chacha20-poly1305-04 | |||
Abstract | Abstract | |||
This document describes the use of the ChaCha stream cipher and | This document describes the use of the ChaCha stream cipher and | |||
Poly1305 authenticator in the Transport Layer Security (TLS) and | Poly1305 authenticator in the Transport Layer Security (TLS) and | |||
Datagram Transport Layer Security (DTLS) protocols. | Datagram Transport Layer Security (DTLS) protocols. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on June 2, 2016. | This Internet-Draft will expire on June 18, 2016. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
The nonce is constructed from the record sequence number and shared | The nonce is constructed from the record sequence number and shared | |||
secret, both of which are known to the recipient. The advantage is | secret, both of which are known to the recipient. The advantage is | |||
that no per-record, explicit nonce need be transmitted, which saves | that no per-record, explicit nonce need be transmitted, which saves | |||
eight bytes per record and prevents implementations from mistakenly | eight bytes per record and prevents implementations from mistakenly | |||
using a random nonce. Thus, in the terms of [RFC5246], | using a random nonce. Thus, in the terms of [RFC5246], | |||
SecurityParameters.fixed_iv_length is twelve bytes and | SecurityParameters.fixed_iv_length is twelve bytes and | |||
SecurityParameters.record_iv_length is zero bytes. | SecurityParameters.record_iv_length is zero bytes. | |||
The following cipher suites are defined. | The following cipher suites are defined. | |||
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
The DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, ECDHE_PSK, DHE_PSK and | The DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, ECDHE_PSK, DHE_PSK and | |||
RSA_PSK key exchanges for these cipher suites are unaltered and thus | RSA_PSK key exchanges for these cipher suites are unaltered and thus | |||
are performed as defined in [RFC5246], [RFC4492], and [RFC5489]. | are performed as defined in [RFC5246], [RFC4492], and [RFC5489]. | |||
The pseudorandom function (PRF) for all the cipher suites defined in | The pseudorandom function (PRF) for all the cipher suites defined in | |||
this document is the TLS PRF with SHA-256 as the hash function. | this document is the TLS PRF with SHA-256 as the hash function. | |||
3. IANA Considerations | 3. IANA Considerations | |||
IANA is requested to add the following entries in the TLS Cipher | IANA is requested to add the following entries in the TLS Cipher | |||
Suite Registry: | Suite Registry: | |||
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xA8} | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xA8} | |||
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xA9} | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xA9} | |||
TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAA} | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAA} | |||
TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAB} | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAB} | |||
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAC} | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAC} | |||
TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAD} | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAD} | |||
TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAE} | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAE} | |||
The cipher suite numbers listed in the second column are numbers used | The cipher suite numbers listed in the second column are numbers used | |||
for cipher suite interoperability testing and it's suggested that | for cipher suite interoperability testing and it's suggested that | |||
IANA use these values for assignment. | IANA use these values for assignment. | |||
4. Security Considerations | 4. Security Considerations | |||
ChaCha20 follows the same basic principle as Salsa20[SALSA20SPEC], a | ChaCha20 follows the same basic principle as Salsa20[SALSA20SPEC], a | |||
cipher with significant security review [SALSA20-SECURITY][ESTREAM]. | cipher with significant security review [SALSA20-SECURITY][ESTREAM]. | |||
At the time of writing this document, there are no known significant | At the time of writing this document, there are no known significant | |||
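Review bot: In the cipher suite list before Section 3 and again in the Section 3 IANA list, all seven names gain a _SHA256 suffix, but the text never says what the suffix denotes or that the suggested code points are unaffected by the rename. The suggested values {0xCC, 0xA8} through {0xCC, 0xAE} are identical on both sides of the diff, so a sentence in Section 3 stating that only the names changed relative to -03 would tell implementers who interop-tested under the old names that nothing changes on the wire. The PRF paragraph ("the TLS PRF with SHA-256 as the hash function") is the natural place to state that the suffix names this PRF hash. Minor style point in unchanged context: "Salsa20[SALSA20SPEC]" in Section 4 is missing a space before the citation.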
End of changes. 8 change blocks. | ||||
18 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |