ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
RFC 7905

Document Type RFC - Proposed Standard (June 2016; No errata)
Last updated 2016-06-22
Replaces draft-mavrogiannopoulos-chacha-tls
Stream IETF
Formats plain text pdf html bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Sean Turner
Shepherd write-up Show (last changed 2016-03-10)
IESG IESG state RFC 7905 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Stephen Farrell
Send notices to "Sean Turner" <sean@sn3rd.com>
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                        A. Langley
Request for Comments: 7905                                      W. Chang
Updates: 5246, 6347                                         Google, Inc.
Category: Standards Track                           N. Mavrogiannopoulos
ISSN: 2070-1721                                                  Red Hat
                                                         J. Strombergson
                                                      Secworks Sweden AB
                                                            S. Josefsson
                                                                  SJD AB
                                                               June 2016

   ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)

Abstract

   This document describes the use of the ChaCha stream cipher and
   Poly1305 authenticator in the Transport Layer Security (TLS) and
   Datagram Transport Layer Security (DTLS) protocols.

   This document updates RFCs 5246 and 6347.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7905.

Langley, et al.              Standards Track                    [Page 1]
RFC 7905                 ChaCha-Poly1305 for TLS               June 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  ChaCha20 Cipher Suites  . . . . . . . . . . . . . . . . . . .   4
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

Langley, et al.              Standards Track                    [Page 2]
RFC 7905                 ChaCha-Poly1305 for TLS               June 2016

1.  Introduction

   This document describes the use of the ChaCha stream cipher and
   Poly1305 authenticator in version 1.2 or later of the Transport Layer
   Security (TLS) protocol [RFC5246] as well as version 1.2 or later of
   the Datagram Transport Layer Security (DTLS) protocol [RFC6347].

   ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in
   2008.  It is a refinement of Salsa20, which is one of the selected
   ciphers in the eSTREAM portfolio [ESTREAM], and it was used as the
   core of the SHA-3 finalist, BLAKE.

   The variant of ChaCha used in this document has 20 rounds, a 96-bit
   nonce, and a 256-bit key; it is referred to as "ChaCha20".  This is
   the conservative variant (with respect to security) of the ChaCha
   family and is described in [RFC7539].

   Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator
   designed by D. J. Bernstein.  Poly1305 takes a 256-bit, one-time key
   and a message, and it produces a 16-byte tag that authenticates the
   message such that an attacker has a negligible chance of producing a
   valid tag for an inauthentic message.  It is described in [RFC7539].

   ChaCha and Poly1305 have both been designed for high performance in
   software implementations.  They typically admit a compact
   implementation that uses few resources and inexpensive operations,
   which makes them suitable on a wide range of architectures.  They
   have also been designed to minimize leakage of information through
Show full document text