Internet Research Task Force Y. Yang
Internet-Draft BaishanCloud
Intended status: Informational R. Tse
Expires: October 24, 2018 Ribose
M-J. Saarinen
Independent Consultant
W. Wong
Hang Seng Management College
April 22, 2018

SM3 and SM4 Cipher Suites for TLS
draft-sca-curdle-tls-sm34-00

Abstract

This document describes TLS cipher suites that utilize the SM3 cryptographic hash algorithm (GB/T 32905-2016) and SM4 symmetric blockcipher algorithm (GB/T 32907-2016), both published by the State Cryptography Administration of China (SCA).

This document is a product of the Crypto Forum Research Group (CFRG).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on October 24, 2018.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.


1. Introduction

The SM3 [I-D.sca-cfrg-sm3] [GBT.32905-2016] [ISO.IEC.10118-3] and SM4 [I-D.ribose-cfrg-sm4] [GBT.32907-2016] [ISO.IEC.18033-3.AMD2] algorithms are published by the State Cryptography Administration (SCA) of China [SCA] for authorized use within China. Both algorithms are publicly published and are now commonly available in cryptographic libraries.

SM3 is a cryptographic hash algorithm that produces a 256-bit hash value from 512-bit input message blocks, for input lengths up to 2^(m).

SM4 is a symmetric encryption algorithm, specifically a blockcipher, that operates on 128-bit blocks.

TLS versions at and beyond 1.2 [RFC5246] contain support for authenticated encryption with additional data (AEAD) cipher modes [RFC5116].

This document describes the use of SM4 [I-D.ribose-cfrg-sm4] in conjunction with various key exchange mechanisms as a cipher suite for TLS, in two ways:

TODO: describe SM4 AE modes...

2. Terms and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Cipher Suites

Cipher suites defined in this document are based on the SM4-CCM Authenticated Encryption with Associated Data (AEAD) algorithms AEAD_SM4_128_CCM and AEAD_SM4_256_CCM described in [I-D.ribose-cfrg-sm4ae].

3.1. HMAC-Based

These cipher suites use SM4 in Cipher Block Chaining (CBC) mode with an HMAC-based MAC:

CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3     = {0xYY,0xYY};

These cipher suites are the same as the corresponding cipher suites in [RFC5289] (with names here ending in "_SM3" in place of "_SHA256"), except for the MAC and Pseudo Random Function (PRF) algorithms.

The PRF is the TLS PRF [RFC5246] with SM3 as the hash function. The MAC is HMAC [RFC2104] with SM3 as the hash function.

3.2. Galois Counter Mode-Based

These cipher suites use the same asymmetric algorithms as those in the previous section, but use the authenticated encryption modes defined in TLS 1.3 [I-D.ietf-tls-tls13] with SM4 in Galois Counter Mode (GCM):

CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
CipherSuite TLS_RSA_WITH_SM4_GCM_SM3          = {0xYY,0xYY};
CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3      = {0xYY,0xYY};

These cipher suites use the authenticated encryption with additional data algorithm AEAD_SM4_GCM described in [I-D.ribose-cfrg-sm4ae].

Each of these AEAD algorithms uses a 128-bit authentication tag with GCM (in particular, as described in 3.5 and 3.

The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

3.3. Counter and CBC-MAC Mode-Based

These cipher suites use the same asymmetric algorithms as those in the previous section, but use the authenticated encryption modes defined in TLS 1.3 with SM4 in Counter and CBC-MAC Mode (CCM):

CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CCM   = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CCM    = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_CCM     = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_CCM      = {0xYY,0xYY};
CipherSuite TLS_RSA_WITH_SM4_CCM           = {0xYY,0xYY};
CipherSuite TLS_DHE_RSA_WITH_SM4_CCM       = {0xYY,0xYY};
CipherSuite TLS_DH_RSA_WITH_SM4_CCM        = {0xYY,0xYY};
CipherSuite TLS_DHE_DSS_WITH_SM4_CCM       = {0xYY,0xYY};
CipherSuite TLS_DH_DSS_WITH_SM4_CCM        = {0xYY,0xYY};
CipherSuite TLS_DH_anon_WITH_SM4_CCM       = {0xYY,0xYY};

These cipher suites use the authenticated encryption with additional data algorithm AEAD_SM4_CCM described in [I-D.ribose-cfrg-sm4ae].

Each of these AEAD algorithms uses a 128-bit authentication tag with CCM (in particular, as described in 3.5 and 3.

The "nonce" input to the AEAD algorithm is as defined in [RFC6655].

The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

3.4. OCB

The following cipher suites are defined:

CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_OCB = {0xYY,0xYY}
...

The "nonce" input to the AEAD algorithm is as defined in [RFC6655].

The PRF is the TLS PRF [RFC5246] with SM3 as the hash function.

Further requirements provided in 2 apply.
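The PRF named in sections 3.1 through 3.4 (the TLS 1.2 PRF of [RFC5246] with SM3 as the hash function) and the HMAC-SM3 MAC of section 3.1, as an added worked example that is not part of this draft or its reference implementations: SM3 is implemented directly from GB/T 32905-2016 so the code runs without an SM3-capable library, and the function names sm3, hmac_sm3 and tls12_prf_sm3 are this example's own.

```python
import struct
# SM3 (GB/T 32905-2016) from the spec; HMAC-SM3 and the TLS 1.2 PRF sit on top.
_IV = (0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600,
       0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e)
_M = 0xffffffff

def _rotl(x, n):  # 32-bit rotate left; n is taken mod 32 as the spec requires
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M

def _compress(v, block):  # CF(V_i, B_i) -> V_i+1 for one 64-byte block
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):  # message expansion W[16..67]; W'[j] = W[j] ^ W[j+4]
        t = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        w.append(t ^ _rotl(t, 15) ^ _rotl(t, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        tj = 0x79cc4519 if j < 16 else 0x7a879d8a
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(tj, j)) & _M, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        ff = a ^ b ^ c if j < 16 else (a & b) | (a & c) | (b & c)
        gg = e ^ f ^ g if j < 16 else (e & f) | (~e & g)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _M
        tt2 = (gg + h + ss1 + w[j]) & _M
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]

def sm3(msg: bytes) -> bytes:
    # pad: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)

def hmac_sm3(key: bytes, msg: bytes) -> bytes:
    # RFC 2104 HMAC over SM3 (64-byte block, 32-byte output)
    key = (sm3(key) if len(key) > 64 else key).ljust(64, b"\x00")
    inner = sm3(bytes(k ^ 0x36 for k in key) + msg)
    return sm3(bytes(k ^ 0x5c for k in key) + inner)

def tls12_prf_sm3(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # RFC 5246 sec. 5: PRF = P_hash(secret, label + seed), P_hash built on HMAC-SM3
    a, out = label + seed, b""  # A(0) = label + seed
    while len(out) < length:
        a = hmac_sm3(secret, a)  # A(i) = HMAC(secret, A(i-1))
        out += hmac_sm3(secret, a + label + seed)
    return out[:length]
```

For the CBC suites of section 3.1 the key block is tls12_prf_sm3(master_secret, b"key expansion", server_random + client_random, n), split as in [RFC5246] section 6.3 with 32-byte HMAC-SM3 MAC keys and 16-byte SM4 keys; sm3 can be checked against the GB/T 32905-2016 vector for "abc".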

4. TLS Versions

These cipher suites make use of the authenticated encryption with additional data defined in TLS 1.2 [RFC5288].

5. Security Considerations

The security considerations in [RFC4346], [RFC4492], [I-D.ribose-cfrg-sm4], [I-D.sca-cfrg-sm3] apply.

6. IANA Considerations

IANA has assigned the following values for these cipher suites:

CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3  = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_CBC_SM3   = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_CBC_SM3    = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_CBC_SM3     = {0xYY,0xYY};
CipherSuite TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3  = {0xYY,0xYY};
CipherSuite TLS_ECDH_ECDSA_WITH_SM4_GCM_SM3   = {0xYY,0xYY};
CipherSuite TLS_ECDHE_RSA_WITH_SM4_GCM_SM3    = {0xYY,0xYY};
CipherSuite TLS_ECDH_RSA_WITH_SM4_GCM_SM3     = {0xYY,0xYY};
CipherSuite TLS_RSA_WITH_SM4_GCM_SM3          = {0xYY,0xYY};
CipherSuite TLS_DHE_RSA_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
CipherSuite TLS_DH_RSA_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
CipherSuite TLS_DHE_DSS_WITH_SM4_GCM_SM3      = {0xYY,0xYY};
CipherSuite TLS_DH_DSS_WITH_SM4_GCM_SM3       = {0xYY,0xYY};
CipherSuite TLS_DH_anon_WITH_SM4_GCM_SM3      = {0xYY,0xYY};

7. References

7.1. Normative References

[GBT.32905-2016] Standardization Administration of the People's Republic of China, "GB/T 32905-2016: Information security techniques -- SM3 cryptographic hash algorithm", August 2016.
[GBT.32907-2016] Standardization Administration of the People's Republic of China, "GB/T 32907-2016: Information security technology -- SM4 block cipher algorithm", August 2016.
[I-D.ietf-tls-tls13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-tls13-28, March 2018.
[I-D.ribose-cfrg-sm4] Tse, R., Wong, W. and M. Saarinen, "The SM4 Blockcipher Algorithm And Its Modes Of Operations", Internet-Draft draft-ribose-cfrg-sm4-10, April 2018.
[I-D.ribose-cfrg-sm4ae] Tse, R., Wong, W. and M. Saarinen, "Authenticated Encryption For The SM4 Blockcipher Algorithm", Internet-Draft draft-ribose-cfrg-sm4ae-00, April 2018.
[I-D.sca-cfrg-sm3] Shen, S., Lee, X., Tse, R., Wong, W. and P. Yang, "The SM3 Cryptographic Hash Function", Internet-Draft draft-sca-cfrg-sm3-02, January 2018.
[ISO.IEC.10118-3] International Organization for Standardization, "ISO/IEC FDIS 10118-3 -- Information technology -- Security techniques -- Hash-functions -- Part 3: Dedicated hash-functions", September 2017.
[ISO.IEC.18033-3.AMD2] International Organization for Standardization, "ISO/IEC WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block ciphers -- Amendment 2", June 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

7.2. Informative References

[BOTAN] Lloyd, J., "Botan: Crypto and TLS for C++11", October 2017.
[GB.15629.11-2003] Standardization Administration of the People's Republic of China, "Information technology -- Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Specific requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", May 2003.
[GBT.33560-2017] Standardization Administration of the People's Republic of China, "GB/T 33560-2017: Information security technology -- Cryptographic application identifier criterion specification", May 2017.
[GMT-0002-2012] Office of State Commercial Administration of China, "GM/T 0002-2012: SM4 block cipher algorithm", March 2012.
[GMT-0004-2012] Organization of State Commercial Administration of China, "GM/T 0004-2012: SM3 Cryptographic Hash Algorithm", March 2012.
[GMT-0006-2012] Office of State Commercial Administration of China, "GM/T 0006-2012: Cryptographic Application Identifier Criterion Specification", March 2012.
[ISO.IEC.18033-3] International Organization for Standardization, "ISO/IEC 18033-3:2010 -- Encryption algorithms -- Part 3: Block ciphers", December 2017.
[NIST.SP.800-38A] Dworkin, M., "NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation -- Methods and Techniques", December 2001.
[OPENSSL] OpenSSL Software Foundation, "OpenSSL: Cryptography and SSL/TLS Toolkit", October 2017.
[RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, DOI 10.17487/RFC4346, April 2006.
[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J. and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C. and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, DOI 10.17487/RFC4492, May 2006.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.
[RFC5288] Salowey, J., Choudhury, A. and D. McGrew, "AES Galois Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, DOI 10.17487/RFC5288, August 2008.
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289, DOI 10.17487/RFC5289, August 2008.
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for Transport Layer Security (TLS)", RFC 6655, DOI 10.17487/RFC6655, July 2012.
[RFC7251] McGrew, D., Bailey, D., Campagna, M. and R. Dugal, "AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS", RFC 7251, DOI 10.17487/RFC7251, June 2014.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015.
[SCA] State Cryptography Administration of China, "State Cryptography Administration of China", December 2017.

Appendix A. Acknowledgements

This document borrows heavily from [RFC5288], [RFC5289], [RFC7251].

Authors' Addresses

Paul Y. Yang
BaishanCloud
Building 16-3, Baitasan Street
Shenyang, Liaoning 110000
People's Republic of China

EMail: yang.yang@baishancloud.com
URI: https://www.baishancloud.com

Ronald Henry Tse
Ribose
Suite 1111, 1 Pedder Street
Central, Hong Kong
People's Republic of China

EMail: ronald.tse@ribose.com
URI: https://www.ribose.com

Markku-Juhani O. Saarinen
Independent Consultant

EMail: mjos@iki.fi
URI: https://mjos.fi/

Wai Kit Wong
Hang Seng Management College
Hang Shin Link, Siu Lek Yuen
Shatin, Hong Kong
People's Republic of China

EMail: wongwk@hsmc.edu.hk
URI: https://www.hsmc.edu.hk