AES Galois Counter Mode (GCM) Cipher Suites for TLS
RFC 5288
Document Type RFC - Proposed Standard (August 2008; Errata)
Last updated 2020-01-21
Replaces draft-salowey-tls-rsa-aes-gcm
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5288 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Pasi Eronen
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                         J. Salowey
Request for Comments: 5288                                  A. Choudhury
Category: Standards Track                                      D. McGrew
                                                     Cisco Systems, Inc.
                                                             August 2008

          AES Galois Counter Mode (GCM) Cipher Suites for TLS

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This memo describes the use of the Advanced Encryption Standard (AES)
   in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS)
   authenticated encryption operation.  GCM provides both
   confidentiality and data origin authentication, can be efficiently
   implemented in hardware for speeds of 10 gigabits per second and
   above, and is also well-suited to software implementations.  This
   memo defines TLS cipher suites that use AES-GCM with RSA, DSA, and
   Diffie-Hellman-based key exchange mechanisms.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Conventions Used in This Document . . . . . . . . . . . . . . . 2
   3.  AES-GCM Cipher Suites . . . . . . . . . . . . . . . . . . . . . 2
   4.  TLS Versions  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
     6.1.  Counter Reuse . . . . . . . . . . . . . . . . . . . . . . . 4
     6.2.  Recommendations for Multiple Encryption Processors  . . . . 4
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 6

Salowey, et al.             Standards Track                     [Page 1]
RFC 5288                 AES-GCM Cipher suites               August 2008

1.  Introduction

   This document describes the use of AES [AES] in Galois Counter Mode
   (GCM) [GCM] (AES-GCM) with various key exchange mechanisms as a
   cipher suite for TLS.  AES-GCM is an authenticated encryption with
   associated data (AEAD) cipher (as defined in TLS 1.2 [RFC5246])
   providing both confidentiality and data origin authentication.  The
   following sections define cipher suites based on RSA, DSA, and
   Diffie-Hellman key exchanges; ECC-based (Elliptic Curve Cryptography)
   cipher suites are defined in a separate document [RFC5289].

   AES-GCM is not only efficient and secure, but hardware
   implementations can achieve high speeds with low cost and low
   latency, because the mode can be pipelined.  Applications that
   require high data throughput can benefit from these high-speed
   implementations.  AES-GCM has been specified as a mode that can be
   used with IPsec ESP [RFC4106] and 802.1AE Media Access Control (MAC)
   Security [IEEE8021AE].

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  AES-GCM Cipher Suites

   The following cipher suites use the new authenticated encryption
   modes defined in TLS 1.2 with AES in Galois Counter Mode (GCM) [GCM]:

      CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C}
      CipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0x9D}
      CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9E}
      CipherSuite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0x9F}
      CipherSuite TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0xA0}
      CipherSuite TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = {0x00,0xA1}
      CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = {0x00,0xA2}
      CipherSuite TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = {0x00,0xA3}
      CipherSuite TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = {0x00,0xA4}
      CipherSuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = {0x00,0xA5}
      CipherSuite TLS_DH_anon_WITH_AES_128_GCM_SHA256 = {0x00,0xA6}
      CipherSuite TLS_DH_anon_WITH_AES_256_GCM_SHA384 = {0x00,0xA7}

   These cipher suites use the AES-GCM authenticated encryption with
   associated data (AEAD) algorithms AEAD_AES_128_GCM and
   AEAD_AES_256_GCM described in [RFC5116].  Note that each of these
   AEAD algorithms uses a 128-bit authentication tag with GCM (in
   particular, as described in Section 3.5 of [RFC4366], the

Salowey, et al.             Standards Track                     [Page 2]
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools