Proposal of New Cipher Suites for TLS (Transport Layer Security)
Shiho Moriai
[email protected]
NTT Information Sharing Platform Laboratories
2000.9.7. 48th IETF Report Meeting
Copyright (C) NTT 2000

Outline
Activities of the TLS WG
Overview of the TLS WG at the 48th IETF meeting
Cryptographic algorithms specified in TLS ver.1.0 and new proposals
Introduction of the proposal I made

TLS (Transport Layer Security) WG
’96: Established
- Began with SSL ver.3.0
’99: RFC2246 (TLS Protocol ver.1.0) published as a Proposed Standard
RFC2712 (Addition of Kerberos Cipher Suites to TLS) also published as a Proposed Standard

Purpose of TLS WG
To advance the TLS Protocol to Internet Standard
To publish documents defining new cipher suites for use with TLS as needed

TLS: Goals and Milestones
Nov 2000
- First revised draft of TLS specification
Apr 2001
- Submit specification to IESG for consideration as Draft Standard

Agenda of TLS WG at the 48th IETF Meeting in Pittsburgh
Update TLS charter
Getting to Draft Standard
Presentation and discussion on WTLS (Wireless Transport Layer Security)
Proposed cipher suites specifications
Presentation: TLS on mobile devices (by Vipul Gupta)

Cipher Suites in TLS ver.1.0
Key Exchange Algorithms
- Diffie-Hellman, RSA, DSS
Bulk Cipher Algorithms
- RC2, RC4, DES, 3DES, DES40, IDEA
MAC Algorithms
- MD5, SHA-1
A cipher suite is specified as a combination of the above, e.g.
- TLS_RSA_WITH_3DES_EDE_CBC_SHA: key exchange with RSA, encryption with Triple DES (CBC mode), message authentication (MAC) with SHA-1
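The decomposition of a suite name shown above can be done mechanically. The following Python is an added example, not code from the slides or from NTT: it parses TLS 1.0 cipher-suite names into the key-exchange, bulk-cipher and MAC slots using the algorithm names of RFC 2246, and a weaknesses() check lists the properties a defender would reject (NULL or export-grade ciphers, keys shorter than 128 bits, anonymous key exchange). The CAMELLIA_128_CBC table entry is an assumed name used only to show how a newly proposed bulk cipher slots into the same naming scheme.

```python
"""Decompose TLS 1.0 cipher-suite names into key exchange, bulk cipher and MAC.

Added example; not code from the slides or from NTT. The algorithm tables
follow the naming in RFC 2246 (TLS 1.0). The CAMELLIA_128_CBC entry is an
assumed name showing how a newly proposed bulk cipher slots into the scheme.
"""
from dataclasses import dataclass
from typing import List, Optional

# Key exchange / authentication slot: the text between "TLS_" and "_WITH_".
KEY_EXCHANGE = {
    "RSA": "RSA key transport, RSA-signed certificate",
    "DH_DSS": "fixed Diffie-Hellman, DSS-signed certificate",
    "DH_RSA": "fixed Diffie-Hellman, RSA-signed certificate",
    "DHE_DSS": "ephemeral Diffie-Hellman, DSS signature",
    "DHE_RSA": "ephemeral Diffie-Hellman, RSA signature",
    "DH_anon": "anonymous Diffie-Hellman, no authentication",
}

# Bulk cipher slot -> (effective key bits, mode). Mode None = stream or NULL.
BULK_CIPHER = {
    "NULL": (0, None),
    "RC4_40": (40, None),
    "RC4_128": (128, None),
    "RC2_CBC_40": (40, "CBC"),
    "IDEA_CBC": (128, "CBC"),
    "DES40_CBC": (40, "CBC"),
    "DES_CBC": (56, "CBC"),
    "3DES_EDE_CBC": (168, "CBC"),
    "CAMELLIA_128_CBC": (128, "CBC"),  # assumed name for the proposed suites
}

# MAC slot -> digest length in bits.
MAC = {"MD5": 128, "SHA": 160}


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str     # e.g. "RSA", "DHE_DSS"
    export: bool          # "_EXPORT" tag present in the key-exchange slot
    bulk_cipher: str      # e.g. "3DES_EDE_CBC"
    key_bits: int
    mode: Optional[str]
    mac: str


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA into its three slots.

    Raises ValueError for names outside the TLS 1.0 grammar or using an
    algorithm that is not in the tables above.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS cipher-suite name: {name}")
    kx, _, rest = name[len("TLS_"):].partition("_WITH_")
    export = kx.endswith("_EXPORT")
    if export:
        kx = kx[: -len("_EXPORT")]
    bulk, _, mac = rest.rpartition("_")   # the MAC is always the last token
    if kx not in KEY_EXCHANGE:
        raise ValueError(f"unknown key exchange: {kx}")
    if bulk not in BULK_CIPHER:
        raise ValueError(f"unknown bulk cipher: {bulk}")
    if mac not in MAC:
        raise ValueError(f"unknown MAC: {mac}")
    key_bits, mode = BULK_CIPHER[bulk]
    return CipherSuite(name, kx, export, bulk, key_bits, mode, mac)


def weaknesses(suite: CipherSuite) -> List[str]:
    """Reasons a defender would not accept this suite for bulk encryption."""
    reasons = []
    if suite.key_bits == 0:
        reasons.append("no confidentiality (NULL cipher)")
    elif suite.export or suite.key_bits <= 40:
        reasons.append(f"export-grade cipher ({suite.key_bits}-bit key)")
    elif suite.key_bits < 128:
        reasons.append(f"short key ({suite.key_bits} bits)")
    if suite.key_exchange == "DH_anon":
        reasons.append("unauthenticated key exchange")
    return reasons


if __name__ == "__main__":
    for n in ("TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
              "TLS_DH_anon_WITH_RC4_128_MD5",
              "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"):
        s = parse_cipher_suite(n)
        print(n, "->", s.key_exchange, "/", s.bulk_cipher, "/", s.mac,
              "| weaknesses:", weaknesses(s) or "none")
```

The parser keeps the grammar strict on purpose: a name whose slots are not in the tables is rejected rather than guessed, so that a configuration review flags unfamiliar suites instead of silently accepting them.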

Proposed New Cipher Suites
MISTY-1
Camellia, EPOC, PSEC
SEED/HAS-160

From the slides presented at the 48th IETF Meeting in Pittsburgh:
Proposal of addition of new cipher suites to TLS to support Camellia, EPOC, and PSEC
Shiho Moriai
[email protected]
NTT Laboratories

128-bit Block Cipher Camellia
Kazumaro Aoki*, Tetsuya Ichikawa†, Masayuki Kanda*, Mitsuru Matsui†, Shiho Moriai*, Junko Nakajima†, Toshio Tokita†
* NTT
† Mitsubishi Electric Corporation

What’s Camellia?
128-bit Block Cipher
- Jointly developed by NTT and Mitsubishi
- Designed by experienced cryptanalysts and programmers
Supports 128-, 192-, 256-bit keys
- Same interface as Advanced Encryption Standard (AES)
- Offers more security against exhaustive key search

Design Goals
High level of security
- State-of-the-art cipher analysis technology
Efficiency on multiple platforms
- Software: 8-bit, 32-bit, 64-bit processors
- Hardware: compact and high-performance

Software Performance (128-bit keys)
On a Pentium III
- 309 cycles/block (Assembly) = 469 Mbps (1.13 GHz)
Much faster than DES
Comparable speed to the AES finalists

Encryption speed on P6 [cycles/block]*
  RC6        229
  Rijndael   238
  Twofish    288
  Camellia   309
  Mars       312
  Serpent    759
*The programs are written in assembly language by Aoki, Lipmaa, and Osvik. Each figure is the fastest as far as we know.

Hardware (128-bit keys)
ASIC (0.35 µm CMOS)
- Small Size Hardware: 11 Kgates
  • Smallest among existing 128-bit block ciphers
- High Performance Hardware:

  Cipher     Area [Kgates]   Throughput [Mbit/s]
  MARS       2,936           226
  RC6        1,643           204
  Rijndael   613             1,950
  Serpent    504             932
  Twofish    432             394
  Camellia   273             1,171
  DES*       54              1,161
*DES is a 64-bit block cipher.
The above data (except Camellia) are presented by Ichikawa et al. at the 3rd AES conference.

Security Consideration
Camellia provides strong security against differential and linear cryptanalysis.
- Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks:
  • truncated differential attacks,
  • higher order differential attacks,
  • interpolation attacks,
  • related-key attacks, ...

For more information…
Camellia Home Page
http://info.isl.ntt.co.jp/camellia/
- Specification & sample code
- Technical papers on design rationale, performance, software implementation techniques, and security evaluation
- Internet-Draft on description of Camellia is available now: <draft-nakajima-camellia-00.txt>

Public Key Algorithms EPOC and PSEC
Tatsuaki Okamoto, Shigenori Uchiyama, Eiichiro Fujisaki
NTT

Provable Security of Public Key Algorithms
Flaw in RSA with PKCS #1 Ver.1
- Importance of security against adaptively chosen-ciphertext attacks
EPOC & PSEC
- Developed by Okamoto et al. (NTT)
- Provably secure under the random oracle model in the strongest sense (i.e., non-malleable against adaptively chosen-ciphertext attacks)

EPOC (Efficient Probabilistic Public-Key Encryption Scheme)
Novelty
- Essentially different from any other previous schemes including RSA-Rabin and Diffie-Hellman
Security
- Provably as secure as factoring in the strongest sense
Efficiency
- Compared with RSA (PKCS#1 Ver.2) with small e (2^16+1), encryption speed is slower, but decryption speed is faster.

PSEC (Provably Secure Elliptic Curve Encryption Scheme)
Security
- Provably as secure as the elliptic-curve Diffie-Hellman problem in the strongest sense
Efficiency
- Almost as efficient as the most common ECC scheme, elliptic-curve ElGamal (Diffie-Hellman)

Toward International Standards
EPOC
- IEEE P1363a (royalty free if selected)
Camellia
- ISO/IEC JTC 1/SC27
- NESSIE (New European Schemes for Signature, Integrity, and Encryption)

Sample Code
Camellia
- http://info.isl.ntt.co.jp/camellia/
EPOC & PSEC
- http://www.nttmcl.com/sec/

Conclusion
Camellia is a 128-bit block cipher with high security and performance
- suitable for bulk encryption
PSEC and EPOC are public-key algorithms with provable security and efficiency
- suitable for key exchange and authentication

Conclusion (Cont.)
Add them to Transport Layer Security!!
enum { null, rc4, rc2, des, 3des, des40, idea, …, camellia } BulkCipherAlgorithm
enum { rsa, diffie-hellman, epoc, psec } KeyExchangeAlgorithm
enum { anonymous, rsa, dsa, epoc, psec } SignatureAlgorithm