summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-hajjeh-tls-identity-protection-00.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/draft-hajjeh-tls-identity-protection-00.txt')
-rw-r--r--doc/protocol/draft-hajjeh-tls-identity-protection-00.txt505
1 files changed, 0 insertions, 505 deletions
diff --git a/doc/protocol/draft-hajjeh-tls-identity-protection-00.txt b/doc/protocol/draft-hajjeh-tls-identity-protection-00.txt
deleted file mode 100644
index a9b65adb2c..0000000000
--- a/doc/protocol/draft-hajjeh-tls-identity-protection-00.txt
+++ /dev/null
@@ -1,505 +0,0 @@
-
-
-
-Internet Engineering Task Force I. Hajjeh
- ESRGroups
- M. Badra
- ISIMA Laboratory
-
-Expires: April 2007 November, 2006
-
- Identity Protection Ciphersuites for Transport Layer Security
- <draft-hajjeh-tls-identity-protection-00.txt>
-
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other documents
- at any time. It is inappropriate to use Internet-Drafts as
- reference material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on April 2007.
-
- Copyright Notice
-
- Copyright (C) The Internet Society (2006). All Rights Reserved.
-
-Abstract
-
- TLS defines several ciphersuites providing authentication, data
- protection and session key exchange between two communicating
- entities. Some of these ciphersuites are used for completely
- anonymous key exchange, in which neither party is authenticated.
- However, they are vulnerable to man-in-the-middle attacks and are
- therefore deprecated.
-
- This document defines a set of ciphersuites to add client identity
- protection to the Transport Layer Security (TLS) protection.
-
-
-Hajjeh & Badra Expires April 2007 [Page 1]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
-1. Introduction
-
- TLS is the most deployed security protocol for securing exchanges.
- It provides end-to-end secure communications between two entities
- with authentication and data protection.
-
- TLS supports three authentication modes: authentication of both
- parties, only server-side authentication, and anonymous key
- exchange. For each mode, TLS specifies a set of ciphersuites.
- However, anonymous ciphersuites are strongly discouraged because
- they cannot prevent man-in-the-middle attacks.
-
- Client identity protection may be established by changing the order
- of the messages that the client sends after receiving
- ServerHelloDone [CORELLA]. This is done by sending the
- ChangeCipherSpec message before the Certificate and the
- CertificateVerify messages and after the ClientKeyExchange message.
- However, it requires a major change to TLS machine state as long as
- a new TLS version.
-
- Client identity protection may also be done through a EDH exchange
- before establishing an ordinary handshake with identity information
- [RESCORLA]. This wouldn't however be secure enough against active
- attackers and wouldn't be favorable for some environments (e.g.
- mobile), due to the additional cryptographic computations.
-
- Client identity protection may be also possible, assuming that the
- client permits renegotiation after the first server authentication.
- However, this requires more cryptographic computations and augments
- significantly the number of rounds trips.
-
- Finally, client identity protection may be realized by exchanging a
- TLS extension that negotiates the symmetric encryption algorithm to
- be used for client certificate encrypting/decrypting [EAPTLSIP].
- This solution may suffer from interoperability issues related to TLS
- Extensions, TLS 1.0 and TLS 1.1 implementations, as described in
- [INTEROP].
-
- This document defines a set of ciphersuites to add client identity
- protection to TLS protocol. Client identity protection is provided
- by symmetrically encrypting the client certificate with a key
- derived from the SecurityParameters.master_secret,
- SecurityParameters.server_random and
- SecurityParameters.client_random. The symmetric encryption algorithm
- is set to the cipher algorithm of the ServerHello.cipher_suite.
-
-1.2. Requirements language
-
- The key words "MUST", "MUST NOT" and "MAY" in this document are to
- be interpreted as described in RFC-2119.
-
-
-Hajjeh & Badra Expires April 2007 [Page 2]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
-2. TLS Identity Protection overview
-
- This document specifies a set of ciphersuites for TLS. These
- ciphersuites reuse existing key exchange algorithms that require
- based-certificates authentication, and reuse also existing MAC,
- stream and bloc ciphers algorithms from [TLS] and [TLSCTR],
- [TLSECC], [TLSAES] and [TLSCAM]. Their names include the text "IP"
- to refer to the client identity protection. An example is shown
- below.
-
- CipherSuite Key Exchange Cipher Hash
-
- TLS_IP_RSA_EXPORT_WITH_RC4_40_MD5 RSA RC4 40 MD5
- TLS_IP_DHE_DSS_WITH_AES_128_CBC_SHA DHE AES 128_CBC SHA
-
- If the client has not a certificate with a type appropriate for one
- of the supported cipher key exchange algorithms or if the client
- will not be able to send such a certificate, it MUST NOT include any
- ciphersuite with client identity protection in the
- ClientHello.cipher_suites.
-
- If the server selects a ciphersuite with client identity protection,
- the server MUST request a certificate from the client.
-
- If the server selects one of the ciphersuites defined in this
- document, the client MUST encrypt its certificate using the
- symmetric algorithm selected by the server from the list in
- ClientHello.cipher_suites and a key derived from the
- SecurityParameters.master_secret (see section 3 for the key
- computation).
-
- In the case of DH_DSS and DH_RSA ciphersuites with client
- authentication, the ClientKeyExchange message always contains
- explicit Diffie-Hellman public value and it is possible to correlate
- sessions by the same client. Consequently, DH_DSS and DH_RSA are not
- currently omitted from this document.
-
- For EDH, the client MUST explicitly send its EDH public value in the
- ClientKeyExchange message.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hajjeh & Badra Expires April 2007 [Page 3]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
- Client Server
-
- ClientHello -------->
- ServerHello
- Certificate
- ServerKeyExchange*
- CertificateRequest
- <-------- ServerHelloDone
- ClientKeyExchange
- {Certificate}
- CertificateVerify
- [ChangeCipherSpec]
- Finished -------->
- [ChangeCipherSpec]
- <-------- Finished
- Application Data <-------> Application Data
-
- * Indicates optional or situation-dependent messages that are not
- always sent.
- {} Indicates messages that are symmetrically encrypted.
-
- The ciphersuites in Section 4 (IP_RSA Key Exchange Algorithm) use
- RSA based certificates to mutually authenticate a RSA exchange with
- the client identity protection.
- The ciphersuites in Section 5 (IP_EDH Key Exchange Algorithm) use
- EDH_RSA or EDH_DSS to mutually authenticate a Diffie-Hellman
- exchange with the client identity protection.
-
- The ciphersuites in Section 6 (IP_ECC Key Exchange Algorithm) are
- TBC.
-
-3. Key computation to encrypt/decrypt client's certificate
-
- Before sending its certificate, the client is able to compute the
- master secret and then the key_block. Thus, the client and the
- server derive from the key_block a key called
- identity_protection_key. This key is deployed by the client
- (respectively the server) to encrypt (respectively decrypt) the
- client's certificate.
-
- The identity_protection_key is set to the low order bits of the
- key_block, and its length is set appropriately to
- ServerHello.cipher_suite. For example, if the client and the server
- have agreed on using a ciphersuite with RC4_128 as symmetric
- cryptography, they therefore set their key to the low order 128-bits
- of the key_block.
-
- Exportable encryption algorithms (for which CipherSpec.is_exportable
- is true) require additional processing as follows to derive their
- final identity_protection_key:
-
-
-Hajjeh & Badra Expires April 2007 [Page 4]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
-
- final_identity_protection_key =
- PRF(SecurityParameters.identity_protection_key,
- "identity_protection_key",
- SecurityParameters.client_random +
- SecurityParameters.server_random);
-
-4. IP_RSA Key Exchange Algorithm
-
- This section defines additional ciphersuites that use RSA based
- certificates to authenticate a RSA exchange. These ciphersuites give
- client identity protection.
-
- CipherSuite Key Exchange Cipher Hash
-
- TLS_IP_RSA_EXPORT_WITH_RC4_40_MD5 RSA RC4_40 MD5
- TLS_IP_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
- TLS_IP_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
- TLS_IP_RSA_EXPORT_WITH_RC2_CBC_40_MD5 RSA RC2_CBC_40 MD5
- TLS_IP_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA
- TLS_IP_RSA_EXPORT_WITH_DES40_CBC_SHA RSA DES40_CBC_ SHA
- TLS_IP_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA
- TLS_IP_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE SHA
- TLS_IP_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA
- TLS_IP_RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA
- TLS_IP_RSA_WITH_AES_128_CTR_SHA RSA AES_128_CTR SHA
- TLS_IP_RSA_WITH_CAMELLIA_128_CBC_SHA RSA CAMELLIA_128_CBC SHA
- TLS_IP_RSA_WITH_AES_256_CTR_SHA RSA AES_256_CTR SHA
- TLS_IP_RSA_WITH_CAMELLIA_256_CBC_SHA RSA CAMELLIA_256_CBC SHA
-
-5. IP_EDH Key Exchange Algorithm
-
- This section defines additional ciphersuites that use EDH with RSA
- or DSS based certificates to authenticate a Diffie-Hellman exchange.
- These ciphersuites give client identity protection.
-
- The client MUST explicitly send its EDH public value in the
- ClientKeyExchange message.
-
- Note that this document does not specify any CipherSpec that uses DH
- RSA or DSS based certificates.
-
- CipherSuite Key Exchange Cipher Hash
-
- TLS_IP_DHE_DSS_WITH_DES_CBC_SHA DHE DES_CBC SHA
- TLS_IP_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE 3DES_EDE_CBC SHA
- TLS_IP_DHE_RSA_WITH_DES_CBC_SHA DHE DES_CBC SHA
- TLS_IP_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE 3DES_EDE_CBC SHA
- TLS_IP_DHE_DSS_WITH_AES_128_CBC_SHA DHE AES_128_CBC SHA
- TLS_IP_DHE_RSA_WITH_AES_128_CBC_SHA DHE AES_128_CBC SHA
-
-
-Hajjeh & Badra Expires April 2007 [Page 5]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
- TLS_IP_DHE_DSS_WITH_AES_256_CBC_SHA DHE AES_256_CBC SHA
- TLS_IP_DHE_RSA_WITH_AES_256_CBC_SHA DHE AES_256_CBC SHA
- TLS_IP_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE CAMELLIA_128_CBC SHA
- TLS_IP_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE CAMELLIA_128_CBC SHA
- TLS_IP_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE CAMELLIA_256_CBC SHA
- TLS_IP_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE CAMELLIA_256_CBC SHA
- TLS_IP_DHE_DSS_WITH_AES_128_CTR_SHA DHE AES_128_CTR SHA
- TLS_IP_DHE_RSA_WITH_AES_128_CTR_SHA DHE AES_128_CTR SHA
- TLS_IP_DHE_DSS_WITH_AES_256_CTR_SHA DHE AES_256_CTR SHA
- TLS_IP_DHE_RSA_WITH_AES_256_CTR_SHA DHE AES_256_CTR SHA
-
-6. IP_ECC Key Exchange Algorithm
-
- TBC.
-
-7. Security Considerations
-
- The security considerations described throughout [TLS], [DTLS],
- [TLS1.1], [TLSAES] and [TLSAES] apply here as well.
-
-8. IANA Considerations
-
- This section provides guidance to the IANA regarding registration of
- values related to the identity protection ciphersuites.
-
- CipherSuite TLS_IP_RSA_EXPORT_WITH_RC4_40_MD5 = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_RC4_128_MD5 = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_RC4_128_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_IDEA_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_DES_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_3DES_EDE_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_AES_128_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_AES_256_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_AES_128_CTR_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_CAMELLIA_128_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_AES_256_CTR_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_RSA_WITH_CAMELLIA_256_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_DES_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_DES_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_AES_128_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_AES_128_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_AES_256_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_AES_256_CBC_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA= { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA= { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA= { 0xXX,0xXX };
-
-
-Hajjeh & Badra Expires April 2007 [Page 6]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
- CipherSuite TLS_IP_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA= { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_AES_128_CTR_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_AES_128_CTR_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_DSS_WITH_AES_256_CTR_SHA = { 0xXX,0xXX };
- CipherSuite TLS_IP_DHE_RSA_WITH_AES_256_CTR_SHA = { 0xXX,0xXX };
-
- Note: For implementation and deployment facilities, it is helpful to
- reserve a specific registry sub-range (minor, major) for identity
- protection ciphersuites.
-
-References
-
- [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
- RFC 2246, January 1999.
-
- [TLS1.1] Dierks, T. and E. Rescorla, "The TLS Protocol Version
- 1.1", RFC 4346, April 2005.
-
- [DTLS] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
- Security", RFC 4347, April 2006.
-
- [TLSCAM] Moriai, S., Kato, A., Kanda M., "Addition of Camellia
- Cipher Suites to Transport Layer Security (TLS)",
- RFC 4132, July 2005.
-
- [TLSAES] Chown, P., "Advanced Encryption Standard (AES)
- Ciphersuites for Transport Layer Security (TLS)",
- RFC 3268, June 2002.
-
- [TLSECC] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C.,
- Moeller, B., "Elliptic Curve Cryptography (ECC) Cipher
- Suites for Transport Layer Security (TLS)", RFC 4492, May
- 2006
-
- [TLSCTR] Modadugu, N. and E. Rescorla, "AES Counter Mode Cipher
- Suites for TLS and DTLS", draft-ietf-tls-ctr-01.txt (work
- in progress), June 2006.
-
- [EAPTLSIP] Urien, P. and M. Badra, "Identity Protection within EAP-
- TLS",
- draft-urien-badra-eap-tls-identity-protection-01.txt
- (work in progress), October 2006.
-
- [INTEROP] Pettersen, Y., "Clientside interoperability
- experiences for the SSL and TLS protocols", draft-ietf-
- tls-interoperability-00 (work in progress), October 2006.
-
- [CORELLA] Corella, F., "adding client identity protection to TLS",
- message on ietf-tls@lists.certicom.com mailing list,
- http://www.imc.org/ietf-tls/mail-archive/msg02004.html,
-
-
-Hajjeh & Badra Expires April 2007 [Page 7]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
- August 2000.
-
- [RESCORLA] Rescorla, E., "SSL and TLS: Designing and Building Secure
- Systems", Addison-Wesley, March 2001.
-
-Author's Addresses
-
- Ibrahim Hajjeh
- ESRGroups, Security WG
- France Email: Ibrahim.Hajjeh@esrgroups.org
-
- Mohamad Badra
- LIMOS Laboratory - UMR (6158), CNRS
- France Email: badra@isima.fr
-
- Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed
- to pertain to the implementation or use of the technology described
- in this document or the extent to which any license under such
- rights might or might not be available; nor does it represent that
- it has made any independent effort to identify any such rights.
- Information on the IETF's procedures with respect to rights in IETF
- Documents can be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use
- of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository
- at http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
- Disclaimer of Validity
-
- This document and the information contained herein are provided on
- an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
- INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
- Copyright Statement
-
-
-Hajjeh & Badra Expires April 2007 [Page 8]
-
-Internet-draft Identity Protection Ciphersuites for TLS November 2006
-
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
- Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hajjeh & Badra Expires April 2007 [Page 9] \ No newline at end of file
View Lorry Controller Status