Network Working Group S. Smyshlyaev, Ed.
Internet-Draft E. Alekseev
Intended status: Informational E. Smyshlyaeva
Expires: May 1, 2020 A. Babueva
CryptoPro
October 29, 2019
GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version
1.3
draft-smyshlyaev-tls13-gost-suites-00
Abstract
This document specifies a set of cipher suites for the Transport
Layer Security (TLS) protocol Version 1.3 to support the Russian
cryptographic standard algorithms.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 1, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Smyshlyaev, et al. Expires May 1, 2020 [Page 1]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 3
4. Cipher Suite Definition . . . . . . . . . . . . . . . . . . . 5
4.1. Payload Protection . . . . . . . . . . . . . . . . . . . 5
4.1.1. AEAD Algorithm . . . . . . . . . . . . . . . . . . . 6
4.1.1.1. Block Cipher . . . . . . . . . . . . . . . . . . 7
4.1.1.2. TLSTREE . . . . . . . . . . . . . . . . . . . . . 8
4.1.1.3. SNMAX parameter . . . . . . . . . . . . . . . . . 9
4.2. HASH algorithm . . . . . . . . . . . . . . . . . . . . . 9
5. Signature Scheme Definition . . . . . . . . . . . . . . . . . 10
6. Key Exchange and Authentication . . . . . . . . . . . . . . . 12
6.1. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 13
6.1.1. ECDHE Shared Secret Calculation . . . . . . . . . . . 13
6.1.1.1. ECDHE Parameters . . . . . . . . . . . . . . . . 13
6.1.1.2. ECDHE Shared Secret Calculation on Client Side . 14
6.1.1.3. ECDHE Shared Secret Calculation on Server Side . 15
6.1.2. Values for the Supported Groups Registry . . . . . . 16
6.2. Authentication . . . . . . . . . . . . . . . . . . . . . 17
6.3. Handshake Messages . . . . . . . . . . . . . . . . . . . 17
6.3.1. Hello Messages . . . . . . . . . . . . . . . . . . . 18
6.3.2. CertificateRequest . . . . . . . . . . . . . . . . . 18
6.3.3. CertificateVerify . . . . . . . . . . . . . . . . . . 19
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. Historical considerations . . . . . . . . . . . . . . . . . . 21
9. Security Considerations . . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . 22
10.2. Informative References . . . . . . . . . . . . . . . . . 23
Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 23
Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 23
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction
This document specifies four new cipher suites for the Transport
Layer Security (TLS) Protocol Version 1.3 [RFC8446] to support the
set of Russian cryptographic standard algorithms called GOST
algorithms (see Section 4). These cipher suites use the hash
algorithm GOST R 34.11-2012 [GOST3411-2012] (the English version can
be found in [RFC6986]), the AEAD algorithm MGM [DraftMGM] and the
block ciphers GOST R 34.12-2015 [GOST3412-2015] (the English version
Smyshlyaev, et al. Expires May 1, 2020 [Page 2]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
can be found in [RFC7801]). The GOST cipher suites have the
following values:
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L = {TBD1};
TLS_GOSTR341112_256_WITH_MAGMA_MGM_L = {TBD2};
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S = {TBD3};
TLS_GOSTR341112_256_WITH_MAGMA_MGM_S = {TBD4}.
These cipher suites have different key lifetime value (see
[RFC8645]), so they are divided into two types: the _S (strong)
cipher suites and the _L (light) cipher suites (see Section 4.1.1.3,
Section 4.1.1.2).
This document specifies seven new signature schemes (see Section 5)
to be used with GOST cipher suites. These signature schemes use the
signature algorithm GOST R 34.10-2012 [GOST3410-2012] (the English
version can be found in [RFC7091]) and have the following values:
gostr34102012_256a = {TBD5};
gostr34102012_256b = {TBD6};
gostr34102012_256c = {TBD7};
gostr34102012_256d = {TBD8};
gostr34102012_512a = {TBD9};
gostr34102012_512b = {TBD10};
gostr34102012_512c = {TBD11}.
Additionally this document specifies the key exchange and
authentication process in case of negotiating GOST cipher suites (see
Section 6).
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Basic Terms and Definitions
This document uses the following terms and definitions for the sets
and operations on the elements of these sets:
Smyshlyaev, et al. Expires May 1, 2020 [Page 3]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
B_t the set of byte strings of length t, t >= 0, for t = 0 the
B_t set consists of a single empty string of zero length. If
A is an element of B_t, then A = (a_1, a_2, ... , a_t), where
a_1, a_2, ... , a_t are in {0, ... , 255};
B* the set of all byte strings of a finite length (hereinafter
referred to as strings), including the empty string;
A[i..j] the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1}
where A = (a_1, ... , a_t) in B_t and 1<=i<=j<=t;
|A| the byte length of the byte string A;
A | C concatenation of strings A and C both belonging to B*, i.e.,
a string in B_{|A|+|C|}, where the left substring in B_|A| is
equal to A, and the right substring in B_|C| is equal to C;
i & j bitwise AND of integers i and j;
STR_t the transformation that maps an integer i = 256^{t-1} * i_1 +
... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
(i_1, ... , i_t) in B_t (the interpretation of the integer as
a byte string in big-endian format);
str_t the transformation that maps an integer i = 256^{t-1} * i_t +
... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1,
... , i_t) in B_t (the interpretation of the integer as a
byte string in little-endian format);
k the byte-length of the block cipher key;
n the byte-length of the block cipher block;
E_i elliptic curve indicated by client in "supported_group"
extension;
Q_c the public key stored in the client's certificate;
d_c the private key that corresponds to the Q_c key;
Q_s the public key stored in the server's certificate;
d_s the private key that corresponds to the Q_s key;
q_s subgroup order of group of points of the elliptic curve that
corresponds to Q_s;
P_s the point of order q_s that belongs to the same curve as Q_s;
Smyshlyaev, et al. Expires May 1, 2020 [Page 4]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
4. Cipher Suite Definition
This document defines the following new values for the "Cipher
Suites" registry, that can be used in the ClientHello.cipher_suites
and ServerHello.cipher_suites fields for the particular cipher suite:
CipherSuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L = TBD1;
CipherSuite TLS_GOSTR341112_256_WITH_MAGMA_MGM_L = TBD2;
CipherSuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S = TBD3;
CipherSuite TLS_GOSTR341112_256_WITH_MAGMA_MGM_S = TBD4;
Each cipher suite defines the pair of the AEAD algorithm and the hash
algorithm. AEAD algorithm is used for the payload protection (see
Section 4.1 for more details) and hash algorithm is used for key
derivation and handshake message authentication.
4.1. Payload Protection
All of the cipher suites described in this document use the block
cipher in Authenticated Encryption with Associated Data (AEAD) mode
(see Section 4.1.1) to protect records. The TLSCiphertext structure
is specified in accordance with [RFC8446] as follows.
struct {
ContentType opaque_type = application_data; /* 23 */
ProtocolVersion legacy_record_version = 0x0303; /*TLSv1.2*/
uint16 length;
opaque encrypted_record[TLSCiphertext.length];
} TLSCiphertext;
The encrypted_record field of TLSCiphertext is set to AEADEncrypted,
where AEADEncrypted is computed as follows:
AEADEncrypted = AEAD-Encrypt(sender_write_key, nonce,
additional_data, plaintext),
where
o AEAD-Encrypt function is defined in Section 4.1.1;
o the traffic key material that consists of the sender_write_key
(either the client_write_key or the server_write_key) and the
sender_write_IV (either the client_write_IV or the
Smyshlyaev, et al. Expires May 1, 2020 [Page 5]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
server_write_IV) parameters is generated in accordance with
Section 7.3 of [RFC8446];
o the nonce is derived from the sequence number and the
sender_write_iv (see Section 5.3 of [RFC8446]);
o the plaintext input to the AEAD algorithm is the encoded
TLSInnerPlaintext structure;
o the additional data input is the record header:
additional_data = TLSCiphertext.opaque_type ||
TLSCiphertext.legacy_record_version ||
TLSCiphertext.length;
In order to decrypt and verify, the cipher takes as input the key,
nonce, additional data and the AEADEncrypted value. The output is
either the plaintext or an error indicating that the decryption
failed.
plaintext of encrypted_record = AEAD-Decrypt(sender_write_key,
nonce, additional_data, AEADEncrypted)
where AEAD-Decrypt function is defined in Section 4.1.1.
4.1.1. AEAD Algorithm
The GOST cipher suites use the block cipher in MGM authenticated
encryption with associated data mode defined in [DraftMGM]. The base
block cipher is defined in Section 4.1.1.1. The size S of the
authentication field is n bytes. The IVlen parameter is n bytes.
The record key material is a key material that is generated from the
traffic key material and is used to protect a record with the certain
sequence number. All of the cipher suites described in this document
use TLSTREE algorithm to derive record key material
(Section 4.1.1.2).
For each record with sequence number seqnum AEAD-Encrypt and AEAD-
Decrypt functions are defined as follows.
Smyshlyaev, et al. Expires May 1, 2020 [Page 6]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
+-------------------------------------------------------------------+
| AEAD-Encrypt(K, nonce, A, P) |
|-------------------------------------------------------------------|
| Input: |
| - encryption key K in B_k, |
| - unique vector nonce in B_IVlen, |
| - additional authenticated data A in B_s, s >= 0, |
| - plaintext P in B_s, s >= 0. |
| Output: |
| - ciphertext C in B_{|P|}, |
| - authentication tag T T in B_S. |
|-------------------------------------------------------------------|
| 1. K^seqnum = TLSTREE(K, seqnum) |
| 2. MGMnonce = nonce[1..1] & 0x7f | nonce[2..IVlen] |
| 3. (MGMnonce, A, C, T) = MGM-Encrypt(K^seqnum, MGMnonce, A, P) |
| 4. Return C | T. |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| AEAD-Decrypt(K, nonce, A, C | T) |
|-------------------------------------------------------------------|
| Input: |
| - encryption key K in B_k, |
| - unique vector nonce in B_IVlen, |
| - additional authenticated data A in B_s, s >= 0, |
| - ciphertext C in B_s, s >= 0 |
| - authentication tag T in B_S. |
| Output: |
| - plaintext P in B_{|C|} or FAIL. |
|-------------------------------------------------------------------|
| 1. K^seqnum = TLSTREE(K, seqnum) |
| 2. MGMnonce = nonce[1..1] & 0x7f | nonce[2..IVlen] |
| 3. res' = MGM-Decrypt(K^seqnum, MGMnonce, A, C, T) |
| 4. IF res' = FAIL then return FAIL; else return P. |
+-------------------------------------------------------------------+
MGM-Encrypt and MGM-Decrypt functions are defined in [DraftMGM],
TLSTREE function is defined in Section 4.1.1.2. The maximum value of
the sequence number seqnum during one TLS 1.3 connection is defined
in Section 4.1.1.3.
4.1.1.1. Block Cipher
The cipher suites TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L and
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S MUST use Kuznyechik
[RFC7801] as a base block cipher for the AEAD algorithm. The block
length n is 16 bytes and the key length k is 32 bytes.
Smyshlyaev, et al. Expires May 1, 2020 [Page 7]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
The cipher suites TLS_GOSTR341112_256_WITH_MAGMA_MGM_L and
TLS_GOSTR341112_256_WITH_MAGMA_MGM_S MUST uses Magma [GOST3412-2015]
as a base block cipher for the AEAD algorithm. The block length n is
8 bytes and the key length k is 32 bytes.
4.1.1.2. TLSTREE
The GOST cipher suites use the TLSTREE function for the external re-
keying approach (see [RFC8645]). The TLSTREE function is defined as
follows:
TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
STR_8(i & C_2)), STR_8(i & C_3)),
where
o K_root in B_32;
o i in {0, 1, ... , 2^64 - 1};
o KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
derivation function based on the KDF_GOSTR3411_2012_256 function
defined in [RFC7836]:
KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);
KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);
KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).
o C_1, C_2, C_3 are constants defined by the particular cipher
suite:
Smyshlyaev, et al. Expires May 1, 2020 [Page 8]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
+------------------------------------------+----------------------+
| CipherSuites | C_1, C_2, C_3 |
+------------------------------------------+----------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L |C_1=0xf800000000000000|
| |C_2=0xfffffff000000000|
| |C_3=0xffffffffffffe000|
+------------------------------------------+----------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_MGM_L |C_1=0xffe0000000000000|
| |C_2=0xffffffffc0000000|
| |C_3=0xffffffffffffff80|
+------------------------------------------+----------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S |C_1=0xffffffffe0000000|
| |C_2=0xffffffffffff0000|
| |C_3=0xfffffffffffffff8|
+------------------------------------------+----------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_MGM_S |C_1=0xfffffffffc000000|
| |C_2=0xffffffffffffe000|
| |C_3=0xffffffffffffffff|
+------------------------------------------+----------------------+
Table 1
4.1.1.3. SNMAX parameter
The SNMAX parameter defines the maximal value of the sequence number
seqnum during one TLS 1.3 connection and is defined as follows:
+------------------------------------------+--------------------+
| CipherSuites | SNMAX |
+------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L | SNMAX = 2^64 - 1 |
+------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_MGM_L | SNMAX = 2^64 - 1 |
+------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S | SNMAX = 2^42 - 1 |
+------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_MGM_S | SNMAX = 2^39 - 1 |
+------------------------------------------+--------------------+
Table 2
4.2. HASH algorithm
The function HASH for all the cipher suites defined in this document
is the GOST R 34.11-2012 [RFC6986] hash algorithm with 32-byte
(256-bit) hash code.
Smyshlyaev, et al. Expires May 1, 2020 [Page 9]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
The function HASH is used for key derivation process (see Section 7.1
of [RFC8446]), Finished message calculation, Transcript-Hash
function, PSK binder value calculation, derivation of record key
material (see Section 4.1.1.2) and other purposes during key exchange
process.
5. Signature Scheme Definition
The signature scheme values are used to indicate to the server/client
which signature algorithms and curves can be used in digital
signatures and are defined by the SignatureSchemeList structure (see
Section 4.2.3 of [RFC8446]) as follows:
struct {
SignatureScheme supported_signature_algorithms<2..2^16-2>;
} SignatureSchemeList;
This document defines new values for the "SignatureAlgorithm"
registry that can be used in the
SignatureSchemeList.supported_signature_algorithms field for the
particular signature scheme:
enum {
gostr34102012_256a(TBD5),
gostr34102012_256b(TBD6),
gostr34102012_256c(TBD7),
gostr34102012_256d(TBD8),
gostr34102012_512a(TBD9),
gostr34102012_512b(TBD10),
gostr34102012_512c(TBD11)
} SignatureScheme;
where the values correspond to the following signature algorithms and
curves:
Smyshlyaev, et al. Expires May 1, 2020 [Page 10]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
+------------------+--------------------------------------+--------+
| SignatureScheme | Signature Algorithm | Refe- |
| Value | | rences |
+------------------+--------------------------------------+--------+
|gostr34102012_256a|GOST R 34.10-2012 + 32-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
|gostr34102012_256b|GOST R 34.10-2012 + 32-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
|gostr34102012_256c|GOST R 34.10-2012 + 32-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
|gostr34102012_256d|GOST R 34.10-2012 + 32-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
|gostr34102012_512a|GOST R 34.10-2012 + 64-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
|gostr34102012_512b|GOST R 34.10-2012 + 64-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
|gostr34102012_512c|GOST R 34.10-2012 + 64-byte key length|RFC 7091|
+------------------+--------------------------------------+--------+
Table 3
+------------------+--------------------------------------+--------+
| SignatureScheme | Curve Identifier Value | Refe- |
| Value | | rences |
+------------------+--------------------------------------+--------+
|gostr34102012_256a| id-tc26-gost-3410-2012-256-paramSetA |RFC 7836|
+------------------+--------------------------------------+--------+
|gostr34102012_256b|id-GostR3410-2001-CryptoPro-A-ParamSet|RFC 4357|
+------------------+--------------------------------------+--------+
|gostr34102012_256c|id-GostR3410-2001-CryptoPro-B-ParamSet|RFC 4357|
+------------------+--------------------------------------+--------+
|gostr34102012_256d|id-GostR3410-2001-CryptoPro-C-ParamSet|RFC 4357|
+------------------+--------------------------------------+--------+
|gostr34102012_512a| id-tc26-gost-3410-12-512-paramSetA |RFC 7836|
+------------------+--------------------------------------+--------+
|gostr34102012_512b| id-tc26-gost-3410-12-512-paramSetB |RFC 7836|
+------------------+--------------------------------------+--------+
|gostr34102012_512c| id-tc26-gost-3410-2012-512-paramSetC |RFC 7836|
+------------------+--------------------------------------+--------+
Table 4
This document defines the SIGN function which is used for computing
signature value in CertificateVerify message (see Section 6.3.3) as
follows.
Smyshlyaev, et al. Expires May 1, 2020 [Page 11]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
+-----------------------------------------------------+
| SIGN(M, d_sign) |
|-----------------------------------------------------|
| Input: |
| - the byte string M in B*; |
| - the sign key d_sign: 0 <= d_sign <= q. |
| Output: |
| - signature value sgn in B_{2*l}. |
|-----------------------------------------------------|
| 1. (r, s) = SIGNGOST(M, d_sign) |
| 2. Return str_l(r) | str_l(s) |
|-----------------------------------------------------+
where
o q is the subgroup order of group of points of the elliptic curve;
o l is defined as follows:
* l = 32 for gostr34102012_256a, gostr34102012_256b,
gostr34102012_256c and gostr34102012_256d values of the
SignatureScheme field;
* l = 64 for gostr34102012_512a, gostr34102012_512b and
gostr34102012_512c values of the SignatureScheme field;
o SIGNGOST(M, d_sign) is the GOST R 34.10-2012 [RFC7091] signature
algorithm.
The signature value sgn is the concatenation of two strings that are
byte representations of r and s values in the little-endian format.
According to [RFC7091] the GOST R 34.10-2012 signature algorithm with
32-byte (256-bit) or 64-byte (512-bit) key length use the GOST R
34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or 64-byte
(512-bit) hash code respectively (the hash algorithm is intrinsic to
the signature algorithm).
6. Key Exchange and Authentication
Key exchange and authentication process in case of using GOST cipher
suites is defined in [RFC8446] and Section 6.1, Section 6.2.
Additionally the proposed cipher suites specify some Handshake
messages (see Section 6.3).
Smyshlyaev, et al. Expires May 1, 2020 [Page 12]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
6.1. Key Exchange
TLS 1.3 supports three basic key exchange modes in accordance with
[RFC8446]:
1. (EC)DHE
2. PSK-only
3. PSK with (EC)DHE
All of the cipher suites described in this document use Diffie-
Hellman over elliptic curves in (EC)DHE and PSK with (EC)DHE key
exchange modes. Diffie-Hellman over finite fields SHOULD NOT be
used. This document defines the process of ECDHE shared secret
calculation (see Section 6.1.1) and specifies the elliptic curves
that can be used during this process (see Section 6.1.2).
In accordance with [RFC8446] PSKs can be divided into two types:
o internal PSKs which can be established during the previous
connection;
o external PSKs which can be established out of band.
This document defines that PSK-only key exchange mode SHOULD be used
only with the internal PSKs. External PSKs SHOULD be used together
with certificates in PSK with (EC)DHE mode only.
6.1.1. ECDHE Shared Secret Calculation
6.1.1.1. ECDHE Parameters
ECDHE parameters for both clients and servers are encoded in the
opaque key_exchange field of a KeyShareEntry in a KeyShare structure.
For GOST cipher suites the contents are the serialized value of the
following struct:
struct {
opaque X[coordinate_length];
opaque Y[coordinate_length];
} PlainPointRepresentation;
Smyshlyaev, et al. Expires May 1, 2020 [Page 13]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
X and Y, respectively, contain the binary representations of the x
and y values of point Q (Q = (x, y)) in the little-endian format and
are specified as follows:
X = str_{coordinate_length}(x);
Y = str_{coordinate_length}(y).
The coordinate_length value is defined in Table 5.
6.1.1.2. ECDHE Shared Secret Calculation on Client Side
The client calculates ECDHE shared secret value in accordance with
the following steps:
1. Chooses from all supported curves E_1, ..., E_R the set of curves
E_{i_1}, ..., E_{i_r}, 1 <= i_1 <= i_r <= R, where
o r >= 1 in the case of first message;
o r = 1 in the case of responding to HelloRetryRequest message,
E_{i_1} SHOULD correspond to the curve indicated in the key_share
extension in the HelloRetryRequest message.
2. Generates ephemeral key pairs (d_C^{i_1}, Q_C^{i_1}), ...,
(d_C^{i_r}, Q_C^{i_r}) corresponding to E_{i_1}, ..., E_{i_r} curves,
where for each i in {i_1, ..., i_r}:
o d_C^i is chosen from {1, ..., q_i - 1} at random;
o Q_C^i = d_C^i * P_i.
3. Sends ClientHello message specified in accordance with
Section 4.1.2 of [RFC8446] and Section 6.3.1, which contains:
o key_share extension with public ephemeral keys Q_C^{i_1}, ...,
Q_C^{i_r} specified in accordance with Section 4.2.8 of [RFC8446];
o supported_group extension with supported curves E_1, ..., E_R
specified in accordance with Section 4.2.7 of [RFC8446].
4. In case of receiving HelloRetryRequest message client should
return to step 1 and correct parameters according to Section 4.1.2 of
[RFC8446]. In case of receiving ServerHello message client proceeds
to the next step. In other cases client MUST terminate the
connection with "unexpected_message" alert.
Smyshlyaev, et al. Expires May 1, 2020 [Page 14]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
5. Extracts curve E_res and ephemeral key Q_S^res, res in {1, ...,
R}, from ServerHello message and checks whether the Q_res belongs to
E_res. If this check fails, the client MUST abort the handshake with
"handshake_failure" alert.
6. Generates Q^ECDHE:
Q^ECDHE = (X^ECDHE, Y^ECDHE) = (h_res * d_C^res) * Q_S^res.
7. Client MUST check whether the computed shared secret Q^ECDHE is
not equal to zero point. If this check fails, the client MUST abort
the handshake with "handshake_failure" alert.
8. Shared secret value ECDHE is the byte representation of the
coordinate X^ECDHE of point Q^ECDHE in the little-endian format:
ECDHE = str_{coordinate_length}(X^ECDHE),
where coordinate_length is defined in Table 5.
6.1.1.3. ECDHE Shared Secret Calculation on Server Side
Upon receiving the ClientHello message, the server calculates ECDHE
shared secret value in accordance with the following steps:
1. Chooses the curve E_res, res in {1, ..., R} from the list of
curves E_1, ..., E_R indicated in supported_group extension in
ClientHello message and the corresponding public ephemeral key value
Q_C^res from the list Q_C^{i_1}, ..., Q_C^{i_r}, 1 <= i_1 <= i_r <=
R, indicated in key_share extension. If no corresponding public
ephemeral key value is found (res in {1, ..., R}\{i_1, ..., i_r}),
server MAY send HelloRetryRequest message with key_share extension
indicated E_res and wait for the next ClientHello message.
2. Checks whether Q_res belongs to E_res. If this check fails, the
server MUST abort the handshake with "handshake_failure" alert.
3. Generates ephemeral key pair (d_S^res, Q_S^res) corresponding to
E_res:
o d_S^res is chosen from {1, ..., q_res - 1} at random;
o Q_S^res = d_S^res * P_res.
4. Sends ServerHello message specified in accordance with
Section 4.1.3 of [RFC8446] and Section 6.3.1 with key_share extension
indicated public ephemeral key value Q_S^res corresponding to E_res.
Smyshlyaev, et al. Expires May 1, 2020 [Page 15]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
5. Generates Q^ECDHE:
Q^ECDHE = (X^ECDHE, Y^ECDHE) = (h_res * d_S^res) * Q_C^res.
6. Server MUST check whether the computed shared secret Q^ECDHE is
not equal to zero point. If this check fails, the server MUST abort
the handshake with "handshake_failure" alert.
7. Shared secret value ECDHE is the byte representation of the
coordinate X^ECDHE of point Q^ECDHE in the little-endian format:
ECDHE = str_{coordinate_length}(X^ECDHE),
where coordinate_length is defined in Table 5.
6.1.2. Values for the Supported Groups Registry
The supported_groups extension indicates the set of elliptic curves
supported by the client and is defined in [RFC8446].
This document defines the following values for the "Supported Groups"
registry:
enum {
GC256A(0x22), GC256B(0x23), GC256C(0x24), GC256D(0x25),
GC512A(0x26), GC512B(0x27), GC512C(0x28)
} NamedGroup;
Where the values correspond to the following curves and the following
values of coordinate_length parameter ("cl" column).
Smyshlyaev, et al. Expires May 1, 2020 [Page 16]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
+-----------+--------------------------------------+----+---------+
|Description| Curve Identifier Value | cl |Reference|
+-----------+--------------------------------------+----+---------+
| GC256A | id-tc26-gost-3410-2012-256-paramSetA | 32 | RFC 7836|
+-----------+--------------------------------------+----+---------+
| GC256B |id-GostR3410-2001-CryptoPro-A-ParamSet| 32 | RFC 4357|
+-----------+--------------------------------------+----+---------+
| GC256C |id-GostR3410-2001-CryptoPro-B-ParamSet| 32 | RFC 4357|
+-----------+--------------------------------------+----+---------+
| GC256D |id-GostR3410-2001-CryptoPro-C-ParamSet| 32 | RFC 4357|
+-----------+--------------------------------------+----+---------+
| GC512A | id-tc26-gost-3410-12-512-paramSetA | 64 | RFC 7836|
+-----------+--------------------------------------+----+---------+
| GC512B | id-tc26-gost-3410-12-512-paramSetB | 64 | RFC 7836|
+-----------+--------------------------------------+----+---------+
| GC512C | id-tc26-gost-3410-2012-512-paramSetC | 64 | RFC 7836|
+-----------+--------------------------------------+----+---------+
Table 5
These values are the same as in [DraftGostTLS12].
6.2. Authentication
In accordance with [RFC8446] authentication can happen via signature
with certificate or via symmetric pre-shared key (PSK). The server
side of the channel is always authenticated; the client side is
optionally authenticated.
PSK-based authentication happens as a side effect of key exchange.
This document defines that external PSKs SHOULD be combined only with
the mutual autentication.
Certificate-based authentication happens via authentication messages.
This document defines the signature schemes that are used for
certificate-based authentication (see Section 5) and specifies some
autehtication messages (see Section 6.3.2, Section 6.3.3).
6.3. Handshake Messages
The proposed cipher suites specify the ClientHello, ServerHello,
CertificateRequest and CertificateVerify handshake messages, that are
described in further detail below.
Smyshlyaev, et al. Expires May 1, 2020 [Page 17]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
6.3.1. Hello Messages
The ClientHello message is generated in accordance with the following
requirements.
o The ClientHello.cipher_suites field SHOULD contain cipher suites
with the values defined in Section 4.
o The ClientHello.extensions field MAY contain the
signature_algorithms and signature_algorithms_cert extensions.
The extension_data field of these extensions contains a
SignatureSchemeList value, where
SignatureSchemeList.supported_signature_algorithms field SHOULD
contain only the values defined in Section 5.
o The ClientHello.extensions field MAY contain the supported_group
extension. The extension_data field of this extension contains a
NamedGroupList value, where NamedGroupList.named_group_list field
SHOULD contain only the values defined in Section 6.1.2.
o The ClientHello.extensions field SHOULD NOT contain early_data
extension.
The ServerHello message is generated in accordance with the following
requirements.
o The ServerHello.cipher_suites field SHOULD contain cipher suites
with the values defined in Section 4.
6.3.2. CertificateRequest
This message is sent when requesting client authentication and is
specified in accordance with [RFC8446] as follows.
struct {
opaque certificate_request_context<0..2^8-1>;
Extension extensions<2..2^16-1>;
} CertificateRequest;
If the GOST cipher suite is negotiated, the CertificateRequest
message MUST meet the following requirements.
o The CertificateRequest.extensions field MUST contain the
signature_algorithms extension. The "extension_data" field of
this extension contains a SignatureSchemeList value, where
Smyshlyaev, et al. Expires May 1, 2020 [Page 18]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
SignatureSchemeList.supported_signature_algorithms field SHOULD
contain only the values defined in Section 5.
o The CertificateRequest.extensions field MAY contain the
signature_algorithms_cert extension. The "extension_data" field
of this extension contains a SignatureSchemeList value, where
SignatureSchemeList.supported_signature_algorithms field SHOULD
contain only the values defined in Section 5.
6.3.3. CertificateVerify
This CertificateVerify message is used to provide explicit proof that
an endpoint possesses the private key corresponding to its
certificate and is specified in accordance with [RFC8446] as follows.
struct {
SignatureScheme algorithm;
opaque signature<0..2^16-1>;
} CertificateVerify;
If the GOST cipher suite is negotiated, the CertificateVerify message
MUST meet the following requirements.
o The CertificateVerify.algorithm field SHOULD contain only the
signature schemes with the values defined in Section 5.
o The CertificateVerify.signature field contains sgn value, which is
computed as follows:
sgn = SIGN(M, d_sign),
o where
* function SIGN is defined in Section 5,
* structure of M is defined in Section 4.4.3 of [RFC8446],
* d_sign is the sender long-term private key that corresponds to
the sender long-term public key Q_sign from the sender's
certificate.
7. IANA Considerations
IANA is asked to assign numbers TBD1, TBD2, TBD3 and TBD4 with the
names TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L,
TLS_GOSTR341112_256_WITH_MAGMA_MGM_L,
Smyshlyaev, et al. Expires May 1, 2020 [Page 19]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S,
TLS_GOSTR341112_256_WITH_MAGMA_MGM_S to the "TLS Cipher Suites"
registry with this document as reference, as shown below.
+-----+-----------------------------------------+-------+----------+
|Value| Description |DTLS-OK| Reference|
+-----+-----------------------------------------+-------+----------+
|TBD1 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L| ? | this RFC |
+-----+-----------------------------------------+-------+----------+
|TBD2 |TLS_GOSTR341112_256_WITH_MAGMA_MGM_L | ? | this RFC |
+-----+-----------------------------------------+-------+----------+
|TBD3 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S| ? | this RFC |
+-----+-----------------------------------------+-------+----------+
|TBD4 |TLS_GOSTR341112_256_WITH_MAGMA_MGM_S | ? | this RFC |
+-----+-----------------------------------------+-------+----------+
Table 6
IANA is asked to assign numbers TBD5, TBD6, TBD7, TBD8, TBD9, TBD10
and TBD11 with the names gostr34102012_256a, gostr34102012_256b,
gostr34102012_256c, gostr34102012_256d, gostr34102012_512a,
gostr34102012_512b, gostr34102012_512c to the "TLS
SignatureAlgorithm" registry, as shown below.
+-----------+----------------------+---------+----------+
| Value | Description | DTLS-OK | Reference|
+-----------+----------------------+---------+----------+
| TBD5 | gostr34102012_256a | ? | this RFC |
+-----------+----------------------+---------+----------+
| TBD6 | gostr34102012_256b | ? | this RFC |
+-----------+----------------------+---------+----------+
| TBD7 | gostr34102012_256c | ? | this RFC |
+-----------+----------------------+---------+----------+
| TBD8 | gostr34102012_256d | ? | this RFC |
+-----------+----------------------+---------+----------+
| TBD9 | gostr34102012_512a | ? | this RFC |
+-----------+----------------------+---------+----------+
| TBD10 | gostr34102012_512b | ? | this RFC |
+-----------+----------------------+---------+----------+
| TBD11 | gostr34102012_512c | ? | this RFC |
+-----------+----------------------+---------+----------+
Table 7
Smyshlyaev, et al. Expires May 1, 2020 [Page 20]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
8. Historical considerations
Due to historical reasons in addition to the curve identifier values
listed in Table 5 there exist some extra identifier values that
correspond to the signature schemes as follows.
+--------------------+-------------------------------------------+
| Description | Curve Identifier Value |
+--------------------+-------------------------------------------+
| gostr34102012_256b | id-GostR3410_2001-CryptoPro-XchA-ParamSet |
| | id-tc26-gost-3410-2012-256-paramSetB |
+--------------------+-------------------------------------------+
| gostr34102012_256c | id-tc26-gost-3410-2012-256-paramSetC |
+--------------------+-------------------------------------------+
| gostr34102012_256d | id-GostR3410-2001-CryptoPro-XchB-ParamSet |
| | id-tc26-gost-3410-2012-256-paramSetD |
+--------------------+-------------------------------------------+
Table 8
Client should be prepared to handle any of them correctly if
corresponding signature scheme is included in the
signature_algorithms or signature_algorithms_cert extensions.
9. Security Considerations
In order to create an effective implementation and to resist attacks
client and server SHOULD stick to the following rules.
1. While using TLSTREE algorithm function KDF_j, j = 1, 2, 3, SHOULD
be invoked only if sequence number seqnum reaches such value that
seqnum & C_j != (seqnum - 1) & C_j.
Otherwise the previous value should be used.
2. For each pre-shared key value PSK the binder_key value should be
computed only once within all connections where ClientHello message
contains a pre_shared_key extension indicating this PSK value.
3. Server SHOULD NOT send Application Data prior to receiving first
client's Finished message in a mutually authenticated connection.
Smyshlyaev, et al. Expires May 1, 2020 [Page 21]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
10. References
10.1. Normative References
[DraftGostTLS12]
Smyshlyaev, S., Belyavsky, D., and M. Saarinen, "GOST
Cipher Suites for Transport Layer Security (TLS) Protocol
Version 1.2", 2019, <https://tools.ietf.org/html/draft-
smyshlyaev-tls12-gost-suites-05>.
[DraftMGM]
Smyshlyaev, S., Nozdrunov, V., Shishkin, V., and E.
Smyshlyaeva, "Multilinear Galois Mode (MGM)", 2018,
<https://tools.ietf.org/html/draft-smyshlyaev-mgm-09>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
2013, <https://www.rfc-editor.org/info/rfc6986>.
[RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
Digital Signature Algorithm", RFC 7091,
DOI 10.17487/RFC7091, December 2013,
<https://www.rfc-editor.org/info/rfc7091>.
[RFC7801] Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
"Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016,
<https://www.rfc-editor.org/info/rfc7801>.
[RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
on the Cryptographic Algorithms to Accompany the Usage of
Standards GOST R 34.10-2012 and GOST R 34.11-2012",
RFC 7836, DOI 10.17487/RFC7836, March 2016,
<https://www.rfc-editor.org/info/rfc7836>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8645] Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019,
<https://www.rfc-editor.org/info/rfc8645>.
Smyshlyaev, et al. Expires May 1, 2020 [Page 22]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
10.2. Informative References
[GOST3410-2012]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic data security.
Signature and verification processes of [electronic]
digital signature", GOST R 34.10-2012, 2012.
[GOST3411-2012]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic Data Security.
Hashing function", GOST R 34.11-2012, 2012.
[GOST3412-2015]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic data security.
Block ciphers", GOST R 34.12-2015, 2015.
Appendix A. Test Examples
TODO
Appendix B. Contributors
o Lilia Akhmetzyanova
CryptoPro
lah@cryptopro.ru
o Alexandr Sokolov
CryptoPro
sokolov@cryptopro.ru
o Vasily Nikolaev
CryptoPro
nikolaev@cryptopro.ru
Appendix C. Acknowledgments
Authors' Addresses
Stanislav Smyshlyaev (editor)
CryptoPro
18, Suschevsky val
Moscow 127018
Russian Federation
Phone: +7 (495) 995-48-20
Email: svs@cryptopro.ru
Smyshlyaev, et al. Expires May 1, 2020 [Page 23]
Internet-Draft GOST Cipher Suites for TLS 1.3 October 2019
Evgeny Alekseev
CryptoPro
18, Suschevsky val
Moscow 127018
Russian Federation
Email: alekseev@cryptopro.ru
Ekaterina Smyshlyaeva
CryptoPro
18, Suschevsky val
Moscow 127018
Russian Federation
Email: ess@cryptopro.ru
Alexandra Babueva
CryptoPro
18, Suschevsky val
Moscow 127018
Russian Federation
Email: babueva@cryptopro.ru
Smyshlyaev, et al. Expires May 1, 2020 [Page 24]