datatracker.ietf.org
Sign In
Version 4.50, 2013-05-15
Report a bug

Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
RFC 3268

Document type:RFC - Proposed Standard (IETF Stream)
Obsoleted by RFC 5246
Was draft-ietf-tls-ciphersuite
Published: 2002-07
Other versions: plain text, pdf, html 
Network Working Group                                           P. Chown
Request for Comments: 3268                            Skygate Technology
Category: Standards Track                                      June 2002

  Advanced Encryption Standard (AES) Ciphersuites for Transport Layer
                             Security (TLS)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This document proposes several new ciphersuites.  At present, the
   symmetric ciphers supported by Transport Layer Security (TLS) are
   RC2, RC4, International Data Encryption Algorithm (IDEA), Data
   Encryption Standard (DES), and triple DES.  The protocol would be
   enhanced by the addition of Advanced Encryption Standard (AES)
   ciphersuites.

Overview

   At present, the symmetric ciphers supported by TLS are RC2, RC4,
   IDEA, DES, and triple DES.  The protocol would be enhanced by the
   addition of AES [AES] ciphersuites, for the following reasons:

   1. RC2, RC4, and IDEA are all subject to intellectual property
      claims.  RSA Security Inc. has trademark rights in the names RC2
      and RC4, and claims that the RC4 algorithm itself is a trade
      secret.  Ascom Systec Ltd. owns a patent on the IDEA algorithm.

   2. Triple DES is much less efficient than more modern ciphers.

   3. Now that the AES process is completed there will be commercial
      pressure to use the selected cipher.  The AES is efficient and has
      withstood extensive cryptanalytic efforts.  The AES is therefore a
      desirable choice.

Chown                       Standards Track                     [Page 1]
RFC 3268                AES Ciphersuites for TLS               June 2002

   4. Currently the DHE ciphersuites only allow triple DES (along with
      some "export" variants which do not use a satisfactory key
      length).  At the same time the DHE ciphersuites are the only ones
      to offer forward secrecy.

   This document proposes several new ciphersuites, with the aim of
   overcoming these problems.

Cipher Usage

   The new ciphersuites proposed here are very similar to the following,
   defined in [TLS]:

   TLS_RSA_WITH_3DES_EDE_CBC_SHA
   TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
   TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

   All the ciphersuites described here use the AES in cipher block
   chaining (CBC) mode.  Furthermore, they use SHA-1 [SHA-1] in an HMAC
   construction as described in section 5 of [TLS].  (Although the TLS
   ciphersuite names include the text "SHA", this actually refers to the
   modified SHA-1 version of the algorithm.)

   The ciphersuites differ in the type of certificate and key exchange
   method.  The ciphersuites defined here use the following options for
   this part of the protocol:

   CipherSuite                        Certificate type (if applicable)
                                      and key exchange algorithm

   TLS_RSA_WITH_AES_128_CBC_SHA       RSA
   TLS_DH_DSS_WITH_AES_128_CBC_SHA    DH_DSS
   TLS_DH_RSA_WITH_AES_128_CBC_SHA    DH_RSA
   TLS_DHE_DSS_WITH_AES_128_CBC_SHA   DHE_DSS
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA   DHE_RSA
   TLS_DH_anon_WITH_AES_128_CBC_SHA   DH_anon

   TLS_RSA_WITH_AES_256_CBC_SHA       RSA
   TLS_DH_DSS_WITH_AES_256_CBC_SHA    DH_DSS
   TLS_DH_RSA_WITH_AES_256_CBC_SHA    DH_RSA
   TLS_DHE_DSS_WITH_AES_256_CBC_SHA   DHE_DSS
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA   DHE_RSA
   TLS_DH_anon_WITH_AES_256_CBC_SHA   DH_anon

Chown                       Standards Track                     [Page 2]
RFC 3268                AES Ciphersuites for TLS               June 2002

   For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
   and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS].

   The AES supports key lengths of 128, 192 and 256 bits.  However, this
   document only defines ciphersuites for 128- and 256-bit keys.  This
   is to avoid unnecessary proliferation of ciphersuites.  Rijndael
   actually allows for 192- and 256-bit block sizes as well as the 128-
   bit blocks mandated by the AES process.  The ciphersuites defined
   here all use 128-bit blocks.

   The new ciphersuites will have the following definitions:

   CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA      = { 0x00, 0x2F };
   CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA   = { 0x00, 0x30 };