[Search] [txt|pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
Network Working Group                                     L. Schmertmann
Internet-Draft                                           C. Bormann, Ed.
Intended status: Informational                   Universitaet Bremen TZI
Expires: February 16, 2015                               August 15, 2014

          ECDHE-PSK AES-CCM Cipher Suites with Forward Secrecy
                   for Transport Layer Security (TLS)


   RFC 6655 describes the use of the Advanced Encryption Standard (AES)
   in the Counter with Cipher Block Chaining - Message Authentication
   Code (CBC-MAC) Mode (CCM) of operation within Transport Layer
   Security (TLS) and Datagram TLS (DTLS) to provide confidentiality and
   data origin authentication.  The AES-CCM algorithm is amenable to
   compact implementations, making it suitable for constrained
   environments.  It has been chosen as one of the preferred cipher
   suites for use with DTLS in the Constrained Application Protocol,

   The present document defines additional cipher suites that provide
   forward secrecy.  It also discusses an option to replace the Hash-
   based PRF in RFC 6655 by CMAC, reducing the number of cryptographic
   primitives required for implementation.  (The intention is that the
   option is either chosen or not chosen before this document is agreed,
   not that both options are defined.)

   This document is initially addressed at the DICE working group in
   order to build consensus that there is an actual gap to be filled and
   about the technical parameters of a solution for that gap.  Once this
   is agreed, the usual path for agreeing a cipher suite will need to be

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any

Schmertmann & Bormann   Expires February 16, 2015               [Page 1]

Internet-Draft         TLS_ECDHE_PSK_WITH_AES_CCM            August 2014

   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 16, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  AES-CCM Cipher Suites with Forward Secrecy  . . . . . . . . .   3
   3.  Option: Replacing the SHA-256 PRF with a CMAC-based PRF . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Appendix A.  Recommended Curves and Algorithms  . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   [RFC6655] describes the use of Advanced Encryption Standard (AES)
   [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS cipher
   suites.  AES-CCM provides both authentication and confidentiality and
   uses as its only primitive the AES encrypt operation (the AES decrypt
   operation is not needed).  This makes it amenable to compact
   implementations, which is advantageous in constrained environments.
   For instance, the use of AES-CCM has been specified for IPsec
   Encapsulating Security Payload (ESP) [RFC4309] and 802.15.4 wireless
   networks [IEEE802154].

Schmertmann & Bormann   Expires February 16, 2015               [Page 2]

Internet-Draft         TLS_ECDHE_PSK_WITH_AES_CCM            August 2014

   One of the cipher suites defined in RFC 6655,
   TLS_PSK_WITH_AES_128_CCM_8, has been made one of the preferred cipher
   suites for use with DTLS in CoAP, [RFC7252].

   The cipher suites defined in RFC 6655 do not provide forward secrecy
   (see [RFC4949] for a definition).

   The cipher suites defined in this document use Ephemeral Elliptic
   Curve Diffie-Hellman (ECDHE) as their key establishment mechanism;
   these cipher suites can be used with DTLS [RFC6347].

   Similar to the way [RFC5489] defines ECDHE_PSK cipher suites for RC4,
   3DES, and AES, the present document defines equivalents of the cipher
   suites defined in RFC 6655 (Table 1).

     | RFC 6655                   | Forward Secrecy (new)            |
     |                            |                                  |

             Table 1: new ECDHE_PSK ciphersuites using AES-CCM

   These cipher suites are only defined for use with TLS version 1.2 and
   above.  They are DTLS-OK.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  AES-CCM Cipher Suites with Forward Secrecy

   The cipher suites defined in this document operate exactly like the
   equivalent cipher suites defined in [RFC6655], except that the
   ECDHE_PSK Key Exchange Algorithm from [RFC5489] is used for forming
   the premaster secret.

3.  Option: Replacing the SHA-256 PRF with a CMAC-based PRF

   For both the cipher suites defined in RFC 6655 and the ones defined
   in the previous section, the PRF is the TLS PRF [RFC5246] with
   SHA-256 as the hash function.

Schmertmann & Bormann   Expires February 16, 2015               [Page 3]

Internet-Draft         TLS_ECDHE_PSK_WITH_AES_CCM            August 2014

   This means that, besides AES encryption and ECDHE, implementations
   have to provide SHA-256.  The option discussed in this section would,
   if taken, replace the SHA-256-based hash function with an AES-based

   In this section, we propose examining the use of AES-CMAC [RFC4493]
   as the function underlying the TLS PRF, based on the recommendations
   in [NISTKDF].  One way to do this (patterned somewhat after
   [RFC4615], but with a counter that attempts to preserve more of the
   entropy) is shown in Figure 1.

     PRF(secret, label, seed) = P_CMAC(secret, label || seed)

     P_CMAC(secret, seed) = STEP(0, 0, secret, A(1) || seed) ||
                            STEP(0, 1, secret, A(2) || seed) ||
                            STEP(0, 2, secret, A(3) || seed) || ...
     A(0) = seed
     A(i) = STEP(1, i, secret, A(i-1))

     STEP(v, i, secret, seed) = AES-CMAC(K(v, i, secret), seed)

     K(v, i, secret) = AES-CMAC((v || 0^127) + i, secret)
     (note that the + is addition)

                     Figure 1: CMAC-based PRF for TLS

   P_CMAC can be iterated as many times as necessary to produce the
   required quantity of data.

   Defining such an alternative PRF requires security analysis that is
   not provided in the present version of this document.

4.  IANA Considerations

   IANA is requested to assign values for the new ciphersuites defined
   in Table 1 from the "TLS Cipher Suite" registry.

5.  Security Considerations

   The security considerations of [RFC5489] and [RFC6655] apply.

   If the option to define a CMAC-based PRF is chosen, this section will
   need to discuss its security considerations.

Schmertmann & Bormann   Expires February 16, 2015               [Page 4]

Internet-Draft         TLS_ECDHE_PSK_WITH_AES_CCM            August 2014

6.  Acknowledgements

   This document borrows heavily from RFC 6655.

7.  References

7.1.  Normative References

   [AES]      National Institute of Standards and Technology,
              "Specification for the Advanced Encryption Standard
              (AES)", FIPS 197, November 2001.

   [CCM]      National Institute of Standards and Technology,
              "Recommendation for Block Cipher Modes of Operation: The
              CCM Mode for Authentication and Confidentiality", SP
              800-38C, May 2004.

   [NISTKDF]  Chen, L., "Recommendation for Key Derivation Using
              Pseudorandom Functions", NIST Special Publication 800-108,

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC4493]  Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
              AES-CMAC Algorithm", RFC 4493, June 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC5639]  Lochter, M. and J. Merkle, "Elliptic Curve Cryptography
              (ECC) Brainpool Standard Curves and Curve Generation", RFC
              5639, March 2010.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655, July 2012.

Schmertmann & Bormann   Expires February 16, 2015               [Page 5]

Internet-Draft         TLS_ECDHE_PSK_WITH_AES_CCM            August 2014

7.2.  Informative References

              Institute of Electrical and Electronics Engineers,
              "Wireless Personal Area Networks", IEEE Standard
              802.15.4-2006, 2006.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)", RFC
              4309, December 2005.

   [RFC4615]  Song, J., Poovendran, R., Lee, J., and T. Iwata, "The
              Advanced Encryption Standard-Cipher-based Message
              Authentication Code-Pseudo-Random Function-128 (AES-CMAC-
              PRF-128) Algorithm for the Internet Key Exchange Protocol
              (IKE)", RFC 4615, August 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", RFC
              4949, August 2007.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252, June 2014.

Appendix A.  Recommended Curves and Algorithms

   This memo does not mandate any particular elliptic curves or
   cryptographic algorithms, for the sake of flexibility.  However,
   since the main motivation for the AES-CCM-ECC cipher suites is their
   suitability for constrained environments, it is valuable to identify
   a particular suitable set of curves and algorithms.

   This appendix identifies a set of elliptic curves and cryptographic
   algorithms that meet the requirements of this note, which are widely
   supported and believed to be secure.

   Where the following recommendations mention a hash function, the hash
   function does not apply if the option to use CMAC as a PRF is chosen.

   The curves and hash algorithms recommended for each cipher suite are:

     An implementation that includes either
     TLS_ECDHE_PSK_WITH_AES_128_CCM_8 SHOULD support the secp256r1
     curve and the SHA-256 hash function.

   More information about the secp256r1, secp384r1, and secp521r1 curves
   is available in Appendix A of [RFC4492].

Schmertmann & Bormann   Expires February 16, 2015               [Page 6]

Internet-Draft         TLS_ECDHE_PSK_WITH_AES_CCM            August 2014

   It is not necessary to implement the above curves and hash functions
   in order to conform to this specification.  Other elliptic curves,
   such as the Brainpool curves [RFC5639] for example, meet the criteria
   laid out in this memo.

Authors' Addresses

   Lars Schmertmann
   Universitaet Bremen TZI
   Postfach 330440
   Bremen  D-28359

   Email: lars@tzi.de

   Carsten Bormann (editor)
   Universitaet Bremen TZI
   Postfach 330440
   Bremen  D-28359

   Phone: +49-421-218-63921
   Email: cabo@tzi.org

Schmertmann & Bormann   Expires February 16, 2015               [Page 7]