AES-CCM Cipher Suites for TLS
draft-mcgrew-tls-aes-ccm-00

Abstract

This memo describes the use of the Advanced Encryption Standard (AES) in the Counter and CBC-MAC Mode (CCM) of operation within Transport Layer Security (TLS) to provide confidentiality and data origin authentication. The AES-CCM algorithm is amenable to compact implementations, making it suitable for constrained environments.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

This Internet-Draft will expire on December 12, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1.  Introduction

2.  Conventions Used In This Document

3.  RSA Based AES-CCM Cipher Suites

4.  PSK Based AES-CCM Cipher Suites

5.  TLS Versions

6.  New AEAD algorithms
    6.1.  AES-128-CCM with an 8-octet ICV
    6.2.  AES-256-CCM with a 8-octet ICV

7.  IANA Considerations

8.  Security Considerations
    8.1.  Perfect Forward Secrecy
    8.2.  Counter Reuse

9.  Acknowledgements

10.  References
    10.1.  Normative References
    10.2.  Informative References

§  Authors' Addresses

1.  Introduction

This document describes the use of Advanced Encryption Standard (AES) [AES] (National Institute of Standards and Technology, “Specification for the Advanced Encryption Standard (AES),” November 2001.) in Counter with CBC-MAC Mode (CCM) [CCM] (National Institute of Standards and Technology, “Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality,” May 2004.) in several TLS ciphersuites. AES-CCM provides both authentication and confidentiality and uses as its only primitive the AES encrypt operation (the AES decrypt operation is not needed). This makes it amenable to compact implementations, which makes it useful in constrained environments. The use of AES-CCM has been specified for use with IPsec ESP [RFC4309] (Housley, R., “Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP),” December 2005.) and 802.15.4 wireless networks [IEEE802154] (Institute of Electrical and Electronics Engineers, “Wireless Personal Area Networks,” 2006.).

Authenticated encryption, in addition to providing confidentiality for the plaintext that is encrypted, provides a way to check its integrity and authenticity. Authenticated Encryption with Associated Data, or AEAD [RFC5116] (McGrew, D., “An Interface and Algorithms for Authenticated Encryption,” January 2008.), adds the ability to check the integrity and authenticity of some associated data that is not encrypted. This note utilizes the AEAD facility within TLS 1.2 [RFC5246] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.) and the AES-CCM-based AEAD algorithms defined in [RFC5116] (McGrew, D., “An Interface and Algorithms for Authenticated Encryption,” January 2008.). Additional AEAD algorithms are defined, which use AES-CCM but which have shorter authentication tags, and therefore are more suitable for use across networks in which bandwidth is constrained and message sizes may be small.

The ciphersuites defined in this document use RSA or Pre-Shared Key (PSK) as their key establishment mechanism; these ciphersuites can be used with DTLS [RFC4347] (Rescorla, E. and N. Modadugu, “Datagram Transport Layer Security,” April 2006.).

2.  Conventions Used In This Document

he key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.)

3.  RSA Based AES-CCM Cipher Suites

The ciphersuites defined in this document are based on the the AES-CCM authenticated encryption with associated data (AEAD) algorithms AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116] (McGrew, D., “An Interface and Algorithms for Authenticated Encryption,” January 2008.). The following RSA-based ciphersuites are defined:

CipherSuite TLS_RSA_WITH_AES_128_CCM = {TBD1,TBD1} CipherSuite TLS_RSA_WITH_AES_256_CCM = {TBD2,TBD2)
CipherSuite TLS_RSA_DHE_WITH_AES_128_CCM = {TBD3,TBD3}
CipherSuite TLS_RSA_DHE_WITH_AES_256_CCM = {TBD4,TBD4}
CipherSuite TLS_RSA_WITH_AES_128_CCM_8 = {TBD5,TBD5}
CipherSuite TLS_RSA_WITH_AES_256_CCM_8 = {TBD6,TBD6)
CipherSuite TLS_RSA_DHE_WITH_AES_128_CCM_8 = {TBD7,TBD7}
CipherSuite TLS_RSA_DHE_WITH_AES_256_CCM_8 = {TBD8,TBD8}

These ciphersuites make use of the AEAD capability in TLS 1.2 [RFC5246] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.). Note that each of these AEAD algorithms uses a 128-bit authentication tag with CCM.

The HMAC truncation option described in Section 3.5 of [RFC4366] (Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, “Transport Layer Security (TLS) Extensions,” April 2006.) (which negotiates the "truncated_hmac" TLS extension) does not have an effect on cipher suites that do not use HMAC.

The "nonce" input to the AEAD algorithm is exactly that of [RFC5288] (Salowey, J., Choudhury, A., and D. McGrew, “AES Galois Counter Mode (GCM) Cipher Suites for TLS,” August 2008.): the "nonce" SHALL be 12 bytes long and is constructed as follows:

struct {
   case client:
      uint32 client_write_IV;  // low order 32-bits
   case server:
      uint32 server_write_IV;  // low order 32-bits
   uint64 seq_num;
} CCMNonce.

In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the 48-bit seq_num.

These ciphersuites make use of the default TLS 1.2 Pseudorandom Function (PRF), which uses HMAC with the SHA-256 hash function. The RSA and RSA-DHE key exchange is performed as defined in [RFC5288] (Salowey, J., Choudhury, A., and D. McGrew, “AES Galois Counter Mode (GCM) Cipher Suites for TLS,” August 2008.).

4.  PSK Based AES-CCM Cipher Suites

As in Section Section 3 (RSA Based AES-CCM Cipher Suites), these ciphersuites follow [RFC5116] (McGrew, D., “An Interface and Algorithms for Authenticated Encryption,” January 2008.). The following ciphersuites are defined:

CipherSuite TLS_PSK_WITH_AES_128_CCM = {TBD9,TBD9} CipherSuite TLS_PSK_WITH_AES_256_CCM = {TBD10,TBD10)
CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM = {TBD11,TBD11}
CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM = {TBD12,TBD12}
CipherSuite TLS_PSK_WITH_AES_128_CCM_8 = {TBD13,TBD13}
CipherSuite TLS_PSK_WITH_AES_256_CCM_8 = {TBD14,TBD14)
CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM_8 = {TBD15,TBD15}
CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM_8 = {TBD16,TBD16}

The "nonce" input to the AEAD algorithm is defined as in Section Section 3 (RSA Based AES-CCM Cipher Suites).

These ciphersuites make use of the default TLS 1.2 Pseudorandom Function (PRF), which uses HMAC with the SHA-256 hash function. The PSK and PSK-DHE key exchange is performed as defined in [RFC5487] (Badra, M., “Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode,” March 2009.).

5.  TLS Versions

These ciphersuites make use of the authenticated encryption with additional data defined in TLS 1.2 [RFC5288] (Salowey, J., Choudhury, A., and D. McGrew, “AES Galois Counter Mode (GCM) Cipher Suites for TLS,” August 2008.). They MUST NOT be negotiated in older versions of TLS. Clients MUST NOT offer these cipher suites if they do not offer TLS 1.2 or later. Servers which select an earlier version of TLS MUST NOT select one of these cipher suites. Because TLS has no way for the client to indicate that it supports TLS 1.2 but not earlier, a non-compliant server might potentially negotiate TLS 1.1 or earlier and select one of the cipher suites in this document. Clients MUST check the TLS version and generate a fatal "illegal_parameter" alert if they detect an incorrect version.

6.  New AEAD algorithms

The following AEAD algorithms are defined:

AEAD_AES_128_CCM_8 = TBD17 AEAD_AES_256_CCM_8 = TBD18
AEAD_AES_128_CCM_12 = TBD19
AEAD_AES_256_CCM_12 = TBD20

6.1.  AES-128-CCM with an 8-octet ICV

The AEAD_AES_128_CCM_8 authenticated encryption algorithm is identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of [RFC5116] (McGrew, D., “An Interface and Algorithms for Authenticated Encryption,” January 2008.)), except that it uses eight octets for authentication, instead of the full sixteen octets used by AEAD_AES_128_CCM. The AEAD_AES_128_CCM_8 ciphertext consists of the ciphertext output of the CCM encryption operation concatenated with the 8-octet authentication tag output of the CCM encryption operation. Test cases are provided in [CCM]. The input and output lengths are as for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 octets longer than its corresponding plaintext.

6.2.  AES-256-CCM with a 8-octet ICV

The AEAD_AES_256_CCM_8 authenticated encryption algorithm is identical to the AEAD_AES_256_CCM algorithm (see Section 5.4 of [RFC5116] (McGrew, D., “An Interface and Algorithms for Authenticated Encryption,” January 2008.)), except that it uses eight octets for authentication, instead of the full sixteen octets used by AEAD_AES_256_CCM. The AEAD_AES_256_CCM_8 ciphertext consists of the ciphertext output of the CCM encryption operation concatenated with the 8-octet authentication tag output of the CCM encryption operation. Test cases are provided in [CCM]. The input and output lengths are as as for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 octets longer than its corresponding plaintext.

7.  IANA Considerations

IANA has assigned the values for the ciphersuites defined in Section 3 (RSA Based AES-CCM Cipher Suites) and Section 4 (PSK Based AES-CCM Cipher Suites) and the values of the AEAD algorithms defined in Section 6 (New AEAD algorithms).

8.  Security Considerations

8.1.  Perfect Forward Secrecy

The perfect forward secrecy properties of RSA based TLS ciphersuites are discussed in the security analysis of [RFC4346] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.1,” April 2006.). It should be noted that only the ephemeral Diffie-Hellman based ciphersuites are capable of providing perfect forward secrecy.

8.2.  Counter Reuse

AES-CCM security requires that the counter is never reused. The IV construction in Section 3 (RSA Based AES-CCM Cipher Suites) is designed to prevent counter reuse.

9.  Acknowledgements

This draft borrows heavily from [RFC5288] (Salowey, J., Choudhury, A., and D. McGrew, “AES Galois Counter Mode (GCM) Cipher Suites for TLS,” August 2008.).

10.  References

10.1. Normative References

10.2. Informative References

Authors' Addresses