Transport Layer Security Working Group John Banes INTERNET-DRAFT Microsoft Corporation Expires January, 2002 Richard Harrington Qpass Incorporated July 19, 2001 56-bit Export Cipher Suites For TLS draft-ietf-tls-56-bit-ciphersuites-01.txt 1. Status of this Memo This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html 2. Introduction This document describes several cipher suites to be used with the Transport Layer Security (TLS) protocol. Changes in US export regulations in 1999 permitted the export of software programs using 56-bit data encryption and 1024-bit key exchange. The cipher suites described in this document were designed to take advantage of this change in the regulations. 3. The CipherSuites The following values define the CipherSuite codes used in the client hello and server hello messages. The following CipherSuite definitions require that the server provide an RSA certificate that can be used for key exchange. The server may request either an RSA or a DSS signature-capable certificate in the certificate request message. CipherSuite TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = { 0x00,0x62 }; CipherSuite TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = { 0x00,0x64 }; Banes Expires January, 2002 [Page 1] INTERNET-DRAFT 56-bit Export TLS January 15, 1999 The following CipherSuite definitions are used for server-authenticated (and optionally client-authenticated) Diffie-Hellman. DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman parameters are signed by a DSS certificate, which has been signed by the CA. CipherSuite TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = { 0x00,0x63 }; CipherSuite TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = { 0x00,0x65 }; CipherSuite TLS_DHE_DSS_WITH_RC4_128_SHA = { 0x00,0x66 }; 4. CipherSuite definitions CipherSuite Is Key Cipher Hash Exportable Exchange TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA * RSA_EXPORT1024 DES_CBC SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA * RSA_EXPORT1024 RC4_56 SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA * RSA_EXPORT1024 DES_CBC SHA TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA * DHE_DSS_EXPORT1024 RC4_56 SHA TLS_DHE_DSS_WITH_RC4_128_SHA DHE_DSS RC4_128 SHA * Indicates IsExportable is True Key Exchange Algorithm Description Key size limit RSA_EXPORT1024 RSA key exchange RSA = 1024 bits DHE_DSS_EXPORT1024 Ephemeral DH with DSS signatures DH = 1024 bits Key size limit The key size limit gives the size of the largest public key that can be legally used for encryption in cipher suites that are exportable. Key Expanded Effective IV Block Cipher Type Material Key Material Key Bits Size Size RC4_56 Stream 7 16 56 0 N/A DES_CBC Block 8 8 56 8 8 5. Implementation Notes When an RSA_EXPORT1024 cipher suite is used, and the server's RSA Key is larger than 1024 bits in length, then the server must send a server key exchange message to the client. This message is to contain a temporary RSA key, signed by the server. This temporary RSA key should be the maximum allowable length (i.e., 1024 bits). Banes Expires January, 2002 [Page 2] INTERNET-DRAFT 56-bit Export TLS January 15, 1999 Servers with a large RSA key will often maintain two temporary RSA keys: a 512-bit key used to support the RSA_EXPORT cipher suites, and a 1024-bit key used to support the RSA_EXPORT1024 cipher suites. When 56-bit DES keys are derived for an export cipher suite, the additional export key derivation step must be performed. That is, the final read and write DES keys (and the IV) are not taken directly from the key_block. 6. References [TLS] T. Dierks, C. Allen, The TLS Protocol, , November 1998. 7. Authors John Banes Richard Harrington Microsoft Corp. Qpass Inc. jbanes@microsoft.com rharrington@qpass.com Banes Expires January, 2002 [Page 3]