| blob | 3660aaf764fed5ed27120e146551eafc0aa6dea2 |
3 Network Working Group N. Modadugu
4 Internet-Draft Stanford University
5 Expires: April 19, 2006 E. Rescorla
6 Network Resonance
7 October 16, 2005
10 AES Counter Mode Cipher Suites for TLS and DTLS
11 draft-modadugu-tls-ctr-00
13 Status of this Memo
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
23 Drafts.
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on April 19, 2006.
38 Copyright Notice
40 Copyright (C) The Internet Society (2005).
42 Abstract
44 This document describes the use of the Advanced Encryption Standard
45 (AES) Counter Mode for use as a Transport Layer Security (TLS) and
46 Datagram Transport Layer Security (DTLS) confidentiality mechanism.
54 Modadugu & Rescorla Expires April 19, 2006 [Page 1]
55 \f
56 Internet-Draft TLS/DTLS AES-CTR October 2005
59 Table of Contents
61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
62 1.1. Conventions Used In This Document . . . . . . . . . . . . . 3
63 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
64 3. Encrypting Records with AES Counter Mode . . . . . . . . . . . 4
65 3.1. TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
66 3.1.1. AES Counter Mode . . . . . . . . . . . . . . . . . . . 4
67 3.2. DTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
68 3.3. Padding . . . . . . . . . . . . . . . . . . . . . . . . . . 6
69 3.4. Session Resumption . . . . . . . . . . . . . . . . . . . . 6
70 4. Design Rationale . . . . . . . . . . . . . . . . . . . . . . . 6
71 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
72 5.1. Maximum Key Lifetime . . . . . . . . . . . . . . . . . . . 7
73 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
74 7. Normative References . . . . . . . . . . . . . . . . . . . . . 7
75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
76 Intellectual Property and Copyright Statements . . . . . . . . . . 9
110 Modadugu & Rescorla Expires April 19, 2006 [Page 2]
111 \f
112 Internet-Draft TLS/DTLS AES-CTR October 2005
115 1. Introduction
117 Transport Layer Security [3] provides channel-oriented security for
118 application layer protocols. In TLS, cryptographic algorithms are
119 specified in "Cipher Suites, which consist of a group of algorithms
120 to be used together."
122 Cipher suites supported by TLS are divided into stream and block
123 ciphers. Counter mode ciphers behave like stream ciphers, but are
124 constructed based on a block cipher primitive (that is, counter mode
125 operation of a block cipher results in a stream cipher.) This
126 specification is limited to discussion of the operation of AES in
127 counter mode (AES-CTR.)
129 Counter mode ciphers (CTR) offer a number of attractive features over
130 other block cipher modes and stream ciphers such as RC4:
132 Low Bandwidth: AES-CTR provides a saving of 17-32 bytes per record
133 compared to AES-CBC as used in TLS 1.1 and DTLS. 16 bytes are
134 saved from not having to transmit an explicit IV, and another 1-16
135 bytes are saved from the absence of the padding block.
137 Random Access: AES-CTR is capable of random access within the key
138 stream. For DTLS, this implies that records can be processed out
139 of order without dependency on packet arrival order, and also
140 without keystream buffering.
142 Parallelizable: As a consequence of AES-CTR supporting random access
143 within the key stream, the cipher can be easily parallelized.
145 Multiple mode support: AES-CTR support in TLS/DTLS allows for
146 implementator to support both a stream (CTR) and block (CBC)
147 cipher through the implemention of a single symmetric algorithm.
149 1.1. Conventions Used In This Document
151 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
152 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
153 document are to be interpreted as described in [1].
156 2. Terminology
158 This document reuses some terminology introduced in [2] and [3]. The
159 term 'counter block' has the same meaning as used in RFC3686,
160 however, the term 'IV', in this document, holds the meaning defined
161 in [3].
166 Modadugu & Rescorla Expires April 19, 2006 [Page 3]
167 \f
168 Internet-Draft TLS/DTLS AES-CTR October 2005
171 3. Encrypting Records with AES Counter Mode
173 The use of AES-CTR in TLS/DTLS turns out to be fairly
174 straightforward, with the additional benefit that the method of
175 operation in TLS/DTLS mimics, to a large extent, that in IPsec. The
176 primary constraint on the use of counter mode ciphers is that for a
177 given key, a counter block value MUST never be used more than once
178 (see Section 7. of [2] for a detailed explanation.) In TLS/DTLS
179 ensuring that counter block values never repeat during a given
180 session is straightforward as explained in the following sections.
182 SSL/TLS records encrypted with AES CTR mode use a
183 CipherSpec.cipher_type of GenericStreamCipher (Section 6.2.3 of [3].)
185 3.1. TLS
187 The cipher stream generated by AES-CTR is much like the cipher stream
188 generated by stream ciphers like RC4. For reasons described in
189 Section 7. of [2], a counter block value MUST never be used more than
190 once with a given key. This is achieved by having part of the per-
191 record IV determined by the record sequence number. Although the
192 client and server use the same sequence number space, they use
193 different keys and IVs.
195 3.1.1. AES Counter Mode
197 AES counter mode requires the encryptor and decryptor to share a per-
198 record unique counter block. A given counter block MUST never be
199 used more than once with the same key. For a more in-depth
200 discussion of AES-CTR operation, refer to Section 2.1 of [2]. The
201 following description of AES-CTR mode has been adapted from [2].
203 To encrypt a payload with AES-CTR, the encryptor partitions the
204 plaintext, PT, into 128-bit blocks. The final block MAY be less than
205 128 bits.
207 PT = PT[1] PT[2] ... PT[n]
209 Each PT block is XORed with a block of the key stream to generate the
210 ciphertext, CT. The AES encryption of each counter block results in
211 128 bits of key stream.
213 To construct the counter block, the most significant 48 bits of the
214 counter block are set to the 48 low order bits of the client_write_IV
215 (for the half-duplex stream originated by the client) or the 48 low
216 order bits of the server_write_IV (for the half-duplex stream
217 originated by the server.) The following 64 bits of the counter
218 block are set to record sequence number, and the remaining 16 bits
222 Modadugu & Rescorla Expires April 19, 2006 [Page 4]
223 \f
224 Internet-Draft TLS/DTLS AES-CTR October 2005
227 function as the block counter. The least significant bit of the
228 counter block is initially set to one. This counter value is
229 incremented by one to generate subsequent counter blocks, each
230 resulting in another 128 bits of key stream.
232 struct {
233 case client:
234 uint48 client_write_IV; // low order 48-bits
235 case server:
236 uint48 server_write_IV; // low order 48-bits
237 uint64 seq_num;
238 uint16 blk_ctr;
239 } CtrBlk;
241 The seq_num and blk_ctr fields of the counter block are initialized
242 for each record processed, while the IV is initialized immediately
243 after a key calculation is made (key calculations are made whenver a
244 TLS/DTLS handshake, either full or abbreviated, is executed.) seq_num
245 is set to the sequence number of the record, and blk_ctr is
246 initialized to 1.
248 Note that the block counter does not overflow since the maximum TLS/
249 DTLS record size is 14 KB and 16 bits of blk_ctr allow the generation
250 of 1MB of keying material per record.
252 The encryption of n plaintext blocks can be summarized as:
254 FOR i := 1 to n-1 DO
255 CT[i] := PT[i] XOR AES(CtrBlk)
256 CtrBlk := CtrBlk + 1
257 END
258 CT[n] := PT[n] XOR TRUNC(AES(CtrBlk))
260 The AES() function performs AES encryption with the fresh key.
262 The TRUNC() function truncates the output of the AES encrypt
263 operation to the same length as the final plaintext block, returning
264 the most significant bits.
266 Decryption is similar. The decryption of n ciphertext blocks can be
267 summarized as:
269 FOR i := 1 to n-1 DO
270 PT[i] := CT[i] XOR AES(CtrBlk)
271 CtrBlk := CtrBlk + 1
272 END
273 PT[n] := CT[n] XOR TRUNC(AES(CtrBlk))
278 Modadugu & Rescorla Expires April 19, 2006 [Page 5]
279 \f
280 Internet-Draft TLS/DTLS AES-CTR October 2005
283 For TLS, no part of the counter block need be transmitted, since the
284 client_write_IV and server_write_IV are derived during the key
285 calculation phase, and the record sequence number is implicit.
287 3.2. DTLS
289 The operation of AES-CTR in DTLS is the same as in TLS, with the only
290 difference being the inclusion of the epoch in the counter block.
291 The counter block is constructed as follows for DTLS:
293 struct {
294 case client:
295 uint48 client_write_IV; // low order 48-bits
296 case server:
297 uint48 server_write_IV; // low order 48-bits
298 uint16 epoch;
299 uint48 seq_num;
300 uint16 blk_ctr;
301 } CtrBlk;
303 The epoch and record sequence number used for generating the counter
304 block are extracted from the received record.
306 3.3. Padding
308 Stream ciphers in TLS and DTLS do not require plaintext padding.
310 3.4. Session Resumption
312 TLS supports session resumption via caching of session ID's and
313 connection parameters on both client and server. While resumed
314 sessions use the same master secret that was originally negotiated, a
315 resumed session uses new keys that are derived, in part, using fresh
316 client_random and server_random parameters. As a result resumed
317 sessions do not use the same encryption keys or IVs as the original
318 session.
321 4. Design Rationale
323 An alternate design for the construction of the counter block would
324 be the use of an explicit 'record tag' (as a substitute for the
325 implicit record sequence number) that could potentially be generated
326 via an LFSR. Such a design, however, suffers two major drawbacks
327 when used in the TLS or DTLS protocol, without offering any
328 significant benefit: (1) in both TLS and DTLS inclusion of such a tag
329 would incur a bandwidth cost, (2) all TLS and DTLS associations have
330 per-record sequence numbers which can be used to ensure counter
334 Modadugu & Rescorla Expires April 19, 2006 [Page 6]
335 \f
336 Internet-Draft TLS/DTLS AES-CTR October 2005
339 uniqueness.
342 5. Security Considerations
344 See Section 7. of [2].
346 5.1. Maximum Key Lifetime
348 TLS/DTLS sessions employing AES-CTR MUST be renegotiated before
349 sequence numbers repeat. In the case of TLS, this implies a maximum
350 of 2^64 records per session, while for DTLS the maximum is 2^48 (with
351 the remaining bits reserved for epoch.)
354 6. IANA Considerations
356 IANA has assigned the following values for AES-CTR mode ciphers:
358 CipherSuite TLS_RSA_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
359 CipherSuite TLS_DH_DSS_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
360 CipherSuite TLS_DH_RSA_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
361 CipherSuite TLS_DHE_DSS_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
362 CipherSuite TLS_DHE_RSA_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
363 CipherSuite TLS_DH_anon_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
365 CipherSuite TLS_RSA_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
366 CipherSuite TLS_DH_DSS_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
367 CipherSuite TLS_DH_RSA_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
368 CipherSuite TLS_DHE_DSS_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
369 CipherSuite TLS_DHE_RSA_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
370 CipherSuite TLS_DH_anon_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
372 7. Normative References
374 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
375 Levels", BCP 14, RFC 2119, March 1997.
377 [2] Housley, R., "Using Advanced Encryption Standard (AES) Counter
378 Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686,
379 January 2004.
381 [3] Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1",
382 draft-ietf-tls-rfc2246-bis-13 (work in progress), June 2005.
390 Modadugu & Rescorla Expires April 19, 2006 [Page 7]
391 \f
392 Internet-Draft TLS/DTLS AES-CTR October 2005
395 Authors' Addresses
397 Nagendra Modadugu
398 Stanford University
399 353 Serra Mall
400 Stanford, CA 94305
401 USA
403 Email: nagendra@cs.stanford.edu
406 Eric Rescorla
407 Network Resonance
408 2483 E. Bayshore Rd., #212
409 Palo Alto, CA 94303
410 USA
412 Email: ekr@networkresonance.com
446 Modadugu & Rescorla Expires April 19, 2006 [Page 8]
447 \f
448 Internet-Draft TLS/DTLS AES-CTR October 2005
451 Intellectual Property Statement
453 The IETF takes no position regarding the validity or scope of any
454 Intellectual Property Rights or other rights that might be claimed to
455 pertain to the implementation or use of the technology described in
456 this document or the extent to which any license under such rights
457 might or might not be available; nor does it represent that it has
458 made any independent effort to identify any such rights. Information
459 on the procedures with respect to rights in RFC documents can be
460 found in BCP 78 and BCP 79.
462 Copies of IPR disclosures made to the IETF Secretariat and any
463 assurances of licenses to be made available, or the result of an
464 attempt made to obtain a general license or permission for the use of
465 such proprietary rights by implementers or users of this
466 specification can be obtained from the IETF on-line IPR repository at
467 http://www.ietf.org/ipr.
469 The IETF invites any interested party to bring to its attention any
470 copyrights, patents or patent applications, or other proprietary
471 rights that may cover technology that may be required to implement
472 this standard. Please address the information to the IETF at
473 ietf-ipr@ietf.org.
476 Disclaimer of Validity
478 This document and the information contained herein are provided on an
479 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
480 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
481 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
482 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
483 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
484 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
487 Copyright Statement
489 Copyright (C) The Internet Society (2005). This document is subject
490 to the rights, licenses and restrictions contained in BCP 78, and
491 except as set forth therein, the authors retain all their rights.
494 Acknowledgment
496 Funding for the RFC Editor function is currently provided by the
497 Internet Society.
502 Modadugu & Rescorla Expires April 19, 2006 [Page 9]
503 \f