Network Working Group J. Salowey
Request for Comments: 5288 A. Choudhury
Category: Standards Track D. McGrew
Cisco Systems, Inc.
August 2008
AES Galois Counter Mode (GCM) Cipher Suites for TLS
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This memo describes the use of the Advanced Encryption Standard (AES)
in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS)
authenticated encryption operation. GCM provides both
confidentiality and data origin authentication, can be efficiently
implemented in hardware for speeds of 10 gigabits per second and
above, and is also well-suited to software implementations. This
memo defines TLS cipher suites that use AES-GCM with RSA, DSA, and
Diffie-Hellman-based key exchange mechanisms.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . . 2
3. AES-GCM Cipher Suites . . . . . . . . . . . . . . . . . . . . . 2
4. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
6.1. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . . 4
6.2. Recommendations for Multiple Encryption Processors . . . . 4
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . . 6
Salowey, et al. Standards Track [Page 1]
RFC 5288 AES-GCM Cipher suites August 2008
1. Introduction
This document describes the use of AES [AES] in Galois Counter Mode
(GCM) [GCM] (AES-GCM) with various key exchange mechanisms as a
cipher suite for TLS. AES-GCM is an authenticated encryption with
associated data (AEAD) cipher (as defined in TLS 1.2 [RFC5246])
providing both confidentiality and data origin authentication. The
following sections define cipher suites based on RSA, DSA, and
Diffie-Hellman key exchanges; ECC-based (Elliptic Curve Cryptography)
cipher suites are defined in a separate document [RFC5289].
AES-GCM is not only efficient and secure, but hardware
implementations can achieve high speeds with low cost and low
latency, because the mode can be pipelined. Applications that
require high data throughput can benefit from these high-speed
implementations. AES-GCM has been specified as a mode that can be
used with IPsec ESP [RFC4106] and 802.1AE Media Access Control (MAC)
Security [IEEE8021AE].
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. AES-GCM Cipher Suites
The following cipher suites use the new authenticated encryption
modes defined in TLS 1.2 with AES in Galois Counter Mode (GCM) [GCM]:
CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C}
CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0x9D}
CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9E}
CipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0x9F}
CipherSuite TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0xA0}
CipherSuite TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0xA1}
CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = {0x00,0xA2}
CipherSuite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = {0x00,0xA3}
CipherSuite TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = {0x00,0xA4}
CipherSuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = {0x00,0xA5}
CipherSuite TLS_DH_anon_WITH_AES_128_GCM_SHA256 = {0x00,0xA6}
CipherSuite TLS_DH_anon_WITH_AES_256_GCM_SHA384 = {0x00,0xA7}
These cipher suites use the AES-GCM authenticated encryption with
associated data (AEAD) algorithms AEAD_AES_128_GCM and
AEAD_AES_256_GCM described in [RFC5116]. Note that each of these
AEAD algorithms uses a 128-bit authentication tag with GCM (in
particular, as described in Section 3.5 of [RFC4366], the
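The program below is an added example written for this page; it is not part of RFC 5288 and not code from any implementation the RFC cites. It instantiates AEAD_AES_128_GCM or AEAD_AES_256_GCM for one of the suites listed above (the two families differ only in AES key length; both use the 128-bit tag) and applies it to a TLS 1.2 record. The nonce layout (4-byte implicit salt from the key block followed by an 8-byte explicit nonce carried in the record) and the additional data (sequence number, content type, version, length) are taken from the remainder of Section 3 of this RFC, which this excerpt does not show. The key, salt, sequence numbers and plaintexts are constructed sample values, and every function name is the example's own. The last function demonstrates the counter-reuse hazard that Section 6.1 of the RFC warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen     = 4  // implicit nonce part: the client/server write IV
	explicitLen = 8  // nonce_explicit, sent in the clear with every record
	tagLen      = 16 // 128-bit tag of AEAD_AES_128_GCM and AEAD_AES_256_GCM
	tlsAppData  = 23 // ContentType application_data
	tls12       = 0x0303
)

// keyBytesForSuite: RFC 5288 code points 0x009C..0x00A7; even ones are AES_128, odd ones AES_256.
func keyBytesForSuite(cs uint16) (int, bool) {
	if cs < 0x009C || cs > 0x00A7 {
		return 0, false
	}
	return 16 + 16*int(cs%2), true
}

type recordKeys struct{ aead cipher.AEAD; salt []byte }

// newRecordKeys instantiates the suite's AEAD for one direction of a connection.
func newRecordKeys(cs uint16, key, salt []byte) (*recordKeys, error) {
	if want, ok := keyBytesForSuite(cs); !ok || len(key) != want || len(salt) != saltLen {
		return nil, fmt.Errorf("suite 0x%04X: not an RFC 5288 suite or wrong key/salt length", cs)
	}
	block, _ := aes.NewCipher(key)    // key length validated above
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag, as in RFC 5116
	if err != nil {
		return nil, err
	}
	return &recordKeys{aead: aead, salt: append([]byte{}, salt...)}, nil
}

// additionalData is seq_num(8) || type(1) || version(2) || length(2).
func additionalData(seq uint64, ctype byte, version uint16, length int) []byte {
	ad := make([]byte, 13)
	binary.BigEndian.PutUint64(ad[0:8], seq)
	ad[8] = ctype
	binary.BigEndian.PutUint16(ad[9:11], version)
	binary.BigEndian.PutUint16(ad[11:13], uint16(length))
	return ad
}

// nonce is the 12-byte GCM nonce: implicit salt || nonce_explicit.
func (rk *recordKeys) nonce(explicit []byte) []byte {
	return append(append([]byte{}, rk.salt...), explicit...)
}

// Seal returns the record body nonce_explicit || ciphertext || tag. The 64-bit
// sequence number serves as nonce_explicit, so it cannot repeat under one key.
func (rk *recordKeys) Seal(seq uint64, ctype byte, version uint16, pt []byte) []byte {
	explicit := make([]byte, explicitLen)
	binary.BigEndian.PutUint64(explicit, seq)
	return rk.aead.Seal(explicit, rk.nonce(explicit), pt, additionalData(seq, ctype, version, len(pt)))
}

// Open rejects any change to ciphertext, tag or additional data (seq included).
func (rk *recordKeys) Open(seq uint64, ctype byte, version uint16, body []byte) ([]byte, error) {
	if len(body) < explicitLen+tagLen {
		return nil, errors.New("record too short")
	}
	explicit, ct := body[:explicitLen], body[explicitLen:]
	return rk.aead.Open(nil, rk.nonce(explicit), ct, additionalData(seq, ctype, version, len(ct)-tagLen))
}

// NonceReuseLeak shows the Section 6.1 hazard: two equal-length plaintexts sealed
// under one key and one nonce expose p1 XOR p2, since the keystream is the same.
func (rk *recordKeys) NonceReuseLeak(p1, p2 []byte) []byte {
	explicit := []byte{0, 0, 0, 0, 0, 0, 0, 1}
	ad := additionalData(1, tlsAppData, tls12, len(p1))
	c1 := rk.aead.Seal(nil, rk.nonce(explicit), p1, ad)
	c2 := rk.aead.Seal(nil, rk.nonce(explicit), p2, ad)
	x := make([]byte, len(p1))
	for i := range x {
		x[i] = c1[i] ^ c2[i]
	}
	return x
}

func main() {
	// Constructed sample key and salt, not output of a real TLS key schedule.
	rk, _ := newRecordKeys(0x009E, []byte("0123456789abcdef"), []byte{1, 2, 3, 4})
	body := rk.Seal(7, tlsAppData, tls12, []byte("GET / HTTP/1.1\r\n"))
	body[explicitLen] ^= 1 // flip one ciphertext bit: the tag no longer verifies
	_, err := rk.Open(7, tlsAppData, tls12, body)
	fmt.Println("tampered record rejected:", err != nil)
	fmt.Printf("nonce reuse leaks p1^p2: %x\n", rk.NonceReuseLeak([]byte("attack at dawn"), []byte("retreat at 9pm")))
}
```

Two points the code makes concrete: the receiver rebuilds the additional data from its own record-layer state, so a record replayed under a different sequence number fails the tag check even though its bytes are untouched; and the only protection against the keystream-reuse leak in the last function is never issuing the same explicit nonce twice under one key, which is why a strictly increasing counter such as the sequence number is the safe choice.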