1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
|
Network Working Group N. Modadugu
Internet-Draft Stanford University
Expires: April 19, 2006 E. Rescorla
Network Resonance
October 16, 2005
AES Counter Mode Cipher Suites for TLS and DTLS
draft-modadugu-tls-ctr-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 19, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes the use of the Advanced Encryption Standard
(AES) Counter Mode for use as a Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS) confidentiality mechanism.
Modadugu & Rescorla Expires April 19, 2006 [Page 1]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions Used In This Document . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Encrypting Records with AES Counter Mode . . . . . . . . . . . 4
3.1. TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1.1. AES Counter Mode . . . . . . . . . . . . . . . . . . . 4
3.2. DTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.3. Padding . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.4. Session Resumption . . . . . . . . . . . . . . . . . . . . 6
4. Design Rationale . . . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
5.1. Maximum Key Lifetime . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
7. Normative References . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Modadugu & Rescorla Expires April 19, 2006 [Page 2]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
1. Introduction
Transport Layer Security [3] provides channel-oriented security for
application layer protocols. In TLS, cryptographic algorithms are
specified in "Cipher Suites, which consist of a group of algorithms
to be used together."
Cipher suites supported by TLS are divided into stream and block
ciphers. Counter mode ciphers behave like stream ciphers, but are
constructed based on a block cipher primitive (that is, counter mode
operation of a block cipher results in a stream cipher.) This
specification is limited to discussion of the operation of AES in
counter mode (AES-CTR.)
Counter mode ciphers (CTR) offer a number of attractive features over
other block cipher modes and stream ciphers such as RC4:
Low Bandwidth: AES-CTR provides a saving of 17-32 bytes per record
compared to AES-CBC as used in TLS 1.1 and DTLS. 16 bytes are
saved from not having to transmit an explicit IV, and another 1-16
bytes are saved from the absence of the padding block.
Random Access: AES-CTR is capable of random access within the key
stream. For DTLS, this implies that records can be processed out
of order without dependency on packet arrival order, and also
without keystream buffering.
Parallelizable: As a consequence of AES-CTR supporting random access
within the key stream, the cipher can be easily parallelized.
Multiple mode support: AES-CTR support in TLS/DTLS allows for
implementator to support both a stream (CTR) and block (CBC)
cipher through the implemention of a single symmetric algorithm.
1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
2. Terminology
This document reuses some terminology introduced in [2] and [3]. The
term 'counter block' has the same meaning as used in RFC3686,
however, the term 'IV', in this document, holds the meaning defined
in [3].
Modadugu & Rescorla Expires April 19, 2006 [Page 3]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
3. Encrypting Records with AES Counter Mode
The use of AES-CTR in TLS/DTLS turns out to be fairly
straightforward, with the additional benefit that the method of
operation in TLS/DTLS mimics, to a large extent, that in IPsec. The
primary constraint on the use of counter mode ciphers is that for a
given key, a counter block value MUST never be used more than once
(see Section 7. of [2] for a detailed explanation.) In TLS/DTLS
ensuring that counter block values never repeat during a given
session is straightforward as explained in the following sections.
SSL/TLS records encrypted with AES CTR mode use a
CipherSpec.cipher_type of GenericStreamCipher (Section 6.2.3 of [3].)
3.1. TLS
The cipher stream generated by AES-CTR is much like the cipher stream
generated by stream ciphers like RC4. For reasons described in
Section 7. of [2], a counter block value MUST never be used more than
once with a given key. This is achieved by having part of the per-
record IV determined by the record sequence number. Although the
client and server use the same sequence number space, they use
different keys and IVs.
3.1.1. AES Counter Mode
AES counter mode requires the encryptor and decryptor to share a per-
record unique counter block. A given counter block MUST never be
used more than once with the same key. For a more in-depth
discussion of AES-CTR operation, refer to Section 2.1 of [2]. The
following description of AES-CTR mode has been adapted from [2].
To encrypt a payload with AES-CTR, the encryptor partitions the
plaintext, PT, into 128-bit blocks. The final block MAY be less than
128 bits.
PT = PT[1] PT[2] ... PT[n]
Each PT block is XORed with a block of the key stream to generate the
ciphertext, CT. The AES encryption of each counter block results in
128 bits of key stream.
To construct the counter block, the most significant 48 bits of the
counter block are set to the 48 low order bits of the client_write_IV
(for the half-duplex stream originated by the client) or the 48 low
order bits of the server_write_IV (for the half-duplex stream
originated by the server.) The following 64 bits of the counter
block are set to record sequence number, and the remaining 16 bits
Modadugu & Rescorla Expires April 19, 2006 [Page 4]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
function as the block counter. The least significant bit of the
counter block is initially set to one. This counter value is
incremented by one to generate subsequent counter blocks, each
resulting in another 128 bits of key stream.
struct {
case client:
uint48 client_write_IV; // low order 48-bits
case server:
uint48 server_write_IV; // low order 48-bits
uint64 seq_num;
uint16 blk_ctr;
} CtrBlk;
The seq_num and blk_ctr fields of the counter block are initialized
for each record processed, while the IV is initialized immediately
after a key calculation is made (key calculations are made whenver a
TLS/DTLS handshake, either full or abbreviated, is executed.) seq_num
is set to the sequence number of the record, and blk_ctr is
initialized to 1.
Note that the block counter does not overflow since the maximum TLS/
DTLS record size is 14 KB and 16 bits of blk_ctr allow the generation
of 1MB of keying material per record.
The encryption of n plaintext blocks can be summarized as:
FOR i := 1 to n-1 DO
CT[i] := PT[i] XOR AES(CtrBlk)
CtrBlk := CtrBlk + 1
END
CT[n] := PT[n] XOR TRUNC(AES(CtrBlk))
The AES() function performs AES encryption with the fresh key.
The TRUNC() function truncates the output of the AES encrypt
operation to the same length as the final plaintext block, returning
the most significant bits.
Decryption is similar. The decryption of n ciphertext blocks can be
summarized as:
FOR i := 1 to n-1 DO
PT[i] := CT[i] XOR AES(CtrBlk)
CtrBlk := CtrBlk + 1
END
PT[n] := CT[n] XOR TRUNC(AES(CtrBlk))
Modadugu & Rescorla Expires April 19, 2006 [Page 5]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
For TLS, no part of the counter block need be transmitted, since the
client_write_IV and server_write_IV are derived during the key
calculation phase, and the record sequence number is implicit.
3.2. DTLS
The operation of AES-CTR in DTLS is the same as in TLS, with the only
difference being the inclusion of the epoch in the counter block.
The counter block is constructed as follows for DTLS:
struct {
case client:
uint48 client_write_IV; // low order 48-bits
case server:
uint48 server_write_IV; // low order 48-bits
uint16 epoch;
uint48 seq_num;
uint16 blk_ctr;
} CtrBlk;
The epoch and record sequence number used for generating the counter
block are extracted from the received record.
3.3. Padding
Stream ciphers in TLS and DTLS do not require plaintext padding.
3.4. Session Resumption
TLS supports session resumption via caching of session ID's and
connection parameters on both client and server. While resumed
sessions use the same master secret that was originally negotiated, a
resumed session uses new keys that are derived, in part, using fresh
client_random and server_random parameters. As a result resumed
sessions do not use the same encryption keys or IVs as the original
session.
4. Design Rationale
An alternate design for the construction of the counter block would
be the use of an explicit 'record tag' (as a substitute for the
implicit record sequence number) that could potentially be generated
via an LFSR. Such a design, however, suffers two major drawbacks
when used in the TLS or DTLS protocol, without offering any
significant benefit: (1) in both TLS and DTLS inclusion of such a tag
would incur a bandwidth cost, (2) all TLS and DTLS associations have
per-record sequence numbers which can be used to ensure counter
Modadugu & Rescorla Expires April 19, 2006 [Page 6]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
uniqueness.
5. Security Considerations
See Section 7. of [2].
5.1. Maximum Key Lifetime
TLS/DTLS sessions employing AES-CTR MUST be renegotiated before
sequence numbers repeat. In the case of TLS, this implies a maximum
of 2^64 records per session, while for DTLS the maximum is 2^48 (with
the remaining bits reserved for epoch.)
6. IANA Considerations
IANA has assigned the following values for AES-CTR mode ciphers:
CipherSuite TLS_RSA_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DH_DSS_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DH_RSA_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DHE_DSS_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DHE_RSA_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DH_anon_WITH_AES_128_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_RSA_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DH_DSS_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DH_RSA_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DHE_DSS_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DHE_RSA_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
CipherSuite TLS_DH_anon_WITH_AES_256_CTR_SHA = { 0xXX, 0xXX };
7. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Housley, R., "Using Advanced Encryption Standard (AES) Counter
Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686,
January 2004.
[3] Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.1",
draft-ietf-tls-rfc2246-bis-13 (work in progress), June 2005.
Modadugu & Rescorla Expires April 19, 2006 [Page 7]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
Authors' Addresses
Nagendra Modadugu
Stanford University
353 Serra Mall
Stanford, CA 94305
USA
Email: nagendra@cs.stanford.edu
Eric Rescorla
Network Resonance
2483 E. Bayshore Rd., #212
Palo Alto, CA 94303
USA
Email: ekr@networkresonance.com
Modadugu & Rescorla Expires April 19, 2006 [Page 8]
�
Internet-Draft TLS/DTLS AES-CTR October 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Modadugu & Rescorla Expires April 19, 2006 [Page 9]
�
|
