INTERNET-DRAFT S. Moriai TLS Working Group Nippon Telegraph and Telephone Corporation Expires April 2001 October 2000 Addition of the Camellia Encryption Algorithm to TLS Status of this Memo This document is an Internet-Draft and is NOT offered in accordance with Section 10 of RFC2026, and the author does not provide the IETF with any rights other than to publish as an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document proposes the addition of new cipher suites to the TLS protocol 1.0 to support the Camellia encryption algorithm as a bulk cipher algorithm. 1. Introduction The demands placed on cryptographic primitives are changing: the required level of security is increasing to match the progress made in computational power and cryptanalytic techniques, and more efficiency on a wide variety of platforms is required as they are being implemented in a wide variety of applications. However, the TLS Protocol Version 1.0 [4] currently does not support cipher suites including 128-bit block ciphers that offer a high level of security and performance. MORIAI [Page 1] INTERNET-DRAFT Addition of Camellia to TLS October 2000 Camellia is a block cipher with 128-bit block size and 128-, 192-, and 256-bit key sizes, i.e. the same interface specifications as the Advanced Encryption Standard (AES). The algorithm description is in [1] or [3]. Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes the parts for key scheduling, encryption and decryption, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know [2]. This document proposes the addition of new cipher suites to the TLS protocol 1.0 [4] to support Camellia as a bulk cipher algorithm. The proposed change is minimal, just the addition of a new option for bulk cipher algorithms. 2. The CipherSuites We propose the following new cipher suites. CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x2F }; CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x30 }; CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x31 }; CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x32 }; CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x33 }; CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x34 }; CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x35 }; CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x36 }; CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x37 }; CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x38 }; CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x39 }; CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x3A }; CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3B }; CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3C }; CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3D }; CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3E }; CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3F }; CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x40 }; Note: The above numeric definitions for CipherSuites have not yet been registered. The numeric definitions follow the numbers given in the CipherSuite of TLS standard [4]. 3. CipherSuite Definitions MORIAI [Page 2] INTERNET-DRAFT Addition of Camellia to TLS October 2000 CipherSuite Is Key Cipher Hash Exportable Exchange TLS_RSA_WITH_CAMELLIA_CBC_128_SHA RSA CAMELLIA_CBC_128 SHA TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA DH_DSS CAMELLIA_CBC_128 SHA TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA DH_RSA CAMELLIA_CBC_128 SHA TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA DHE_DSS CAMELLIA_CBC_128 SHA TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA DHE_RSA CAMELLIA_CBC_128 SHA TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA DH_anon CAMELLIA_CBC_128 SHA TLS_RSA_WITH_CAMELLIA_CBC_192_SHA RSA CAMELLIA_CBC_192 SHA TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA DH_DSS CAMELLIA_CBC_192 SHA TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA DH_RSA CAMELLIA_CBC_192 SHA TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA DHE_DSS CAMELLIA_CBC_192 SHA TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA DHE_RSA CAMELLIA_CBC_192 SHA TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA DH_anon CAMELLIA_CBC_192 SHA TLS_RSA_WITH_CAMELLIA_CBC_256_SHA RSA CAMELLIA_CBC_256 SHA TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA DH_DSS CAMELLIA_CBC_256 SHA TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA DH_RSA CAMELLIA_CBC_256 SHA TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA DHE_DSS CAMELLIA_CBC_256 SHA TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA DHE_RSA CAMELLIA_CBC_256 SHA TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA DH_anon CAMELLIA_CBC_256 SHA Key Expanded Effective IV Block Cipher Type Material Key Material Key Bits Size Size CAMELLIA_CBC_128 Block 16 16 128 16 16 CAMELLIA_CBC_192 Block 24 24 192 16 16 CAMELLIA_CBC_256 Block 32 32 256 16 16 Note: Key Exchange Algorithms and Hash Functions are defined in TLS. 4. Security Considerations The security of Camellia was evaluated by utilizing state-of-the-art cryptanalytic techniques. We confirmed that Camellia has no differential and linear characteristics that hold with probability more than 2^(-128), which means that it is extremely unlikely that differential and linear attacks will succeed against Camellia. Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks including higher order differential attacks, interpolation attacks, related-key attacks, truncated differential attacks, and so on [3]. 5. Intellectual Property Statement Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon Telegraph and Telephone Corporation (NTT) have filed patent applications on the techniques used in the block cipher Camellia. For more information, please contact MISTY@isl.melco.co.jp and/or MORIAI [Page 3] INTERNET-DRAFT Addition of Camellia to TLS October 2000 camellia@isl.ntt.co.jp. References [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Specification of Camellia --- a 128-bit Block Cipher'', 2000. http://info.isl.ntt.co.jp/camellia/ [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms'', 2000. http://info.isl.ntt.co.jp/camellia/ [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms --- Design and Analysis ---'', in Workshop Record of SAC 2000, Seventh Annual Workshop on Selected Areas in Cryptography, pp.41--54, 14-15 August 2000. (to appear in Lecture Notes in Computer Science of Spring-Verlag) [4] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. Author's Addresses Shiho Moriai Nippon Telegraph and Telephone Corporation 1-1 Hikarinooka, Yokosuka, 239-0847, Japan Phone: +81-468-59-2007 FAX: +81-468-59-3858 Email: shiho@isl.ntt.co.jp MORIAI [Page 4]