| RFC 8998 | SM Cipher Suites for TLS 1.3 | March 2021 |
| Yang | Informational | [Page] |
This document specifies how to use the ShangMi (SM) cryptographicalgorithms with Transport Layer Security (TLS) protocol version 1.3.¶
The use of these algorithms with TLS 1.3 is not endorsed by theIETF. The SM algorithms are becoming mandatory in China, sothis document provides a description of how to use the SM algorithmswith TLS 1.3 and specifies a profile of TLS 1.3 so thatimplementers can produce interworkingimplementations.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8998.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This document describes two new cipher suites, a signature algorithm and akey exchange mechanism for the Transport LayerSecurity (TLS) protocol version 1.3 (TLS 1.3) ([RFC8446]).These all utilize several ShangMi (SM) cryptographic algorithmsto fulfill the authentication and confidentiality requirements of TLS 1.3. The new cipher suites are as follows (see alsoSection 2):¶
CipherSuite TLS_SM4_GCM_SM3 = { 0x00, 0xC6 }; CipherSuite TLS_SM4_CCM_SM3 = { 0x00, 0xC7 };¶For a more detailedintroduction to SM cryptographic algorithms, please seeSection 1.1.These cipher suites follow the TLS 1.3 requirements. Specifically,all the cipher suites use SM4 in either Galois/Counter (GCM) modeor Counter with CBC-MAC (CCM) mode to meet the needs of TLS 1.3 to have an encryption algorithm that is Authenticated Encryption with Associated Data (AEAD) capable.The key exchange mechanism utilizes Elliptic Curve Diffie-HellmanEphemeral (ECDHE) over the SM2 elliptic curve, and the signature algorithm combinesthe SM3 hash function and the SM2 elliptic curve signature scheme.¶
For details about how these mechanisms negotiate shared encryptionkeys, authenticate the peer(s), and protect the record structure, please seeSection 3.¶
The cipher suites, signature algorithm, and key exchange mechanismdefined in this document are not recommended by the IETF. The SMalgorithms are becoming mandatory in China, so this documentprovides a description of how to use them with TLS 1.3 and specifiesa profile of TLS 1.3 so that implementers can produce interworkingimplementations.¶
Several different SMcryptographic algorithms are used to integrate with TLS 1.3,including SM2 for authentication, SM4 forencryption, and SM3 as the hash function.¶
SM2 is a set of cryptographic algorithms based on elliptic curve cryptography, including a digital signature, public key encryption and key exchange scheme. In this document, onlythe SM2 digital signature algorithm and basic key exchange scheme are involved, which have already been addedto ISO/IEC 14888-3:2018[ISO-SM2] (as well as to[GBT.32918.2-2016]).SM4 is a block cipher defined in[GBT.32907-2016] and now is being standardizedby ISO to ISO/IEC 18033-3:2010[ISO-SM4]. SM3 is a hash function that produces an output of 256 bits. SM3 has already been accepted by ISO inISO/IEC 10118-3:2018[ISO-SM3] and has also been described by[GBT.32905-2016].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Although this document is not an IETF Standards Track publication, itadopts the conventions for normative language to provide clarity ofinstruction to the implementer and to indicate requirement levelsfor compliant TLS 1.3 implementations.¶
The cipher suites defined here have the following identifiers:¶
CipherSuite TLS_SM4_GCM_SM3 = { 0x00, 0xC6 }; CipherSuite TLS_SM4_CCM_SM3 = { 0x00, 0xC7 };¶To accomplish a TLS 1.3 handshake, additional objects have been introduced along withthe cipher suites as follows:¶
SignatureScheme sm2sig_sm3 = { 0x0708 };¶ NamedGroup curveSM2 = { 41 };¶The new cipher suites defined in this document are only applicable to TLS 1.3.Implementations of this documentMUST NOT apply these cipher suites to any olderversions of TLS.¶
The Chinese government requires the use of the SM2 signature algorithm.This section specifies the use of the SM2 signature algorithm as the authentication method for a TLS 1.3 handshake.¶
The SM2 signature algorithm is defined in[ISO-SM2]. The SM2 signature algorithm isbased on elliptic curves. The SM2 signature algorithm uses a fixed elliptic curveparameter set defined in[GBT.32918.5-2017]. This curve is named "curveSM2" and has been assigned the value 41, as shown inSection 2. Unlike other public key algorithms based on elliptic curve cryptography like the Elliptic Curve Digital Signature Algorithm (ECDSA), SM2MUST NOT select other elliptic curves.But it is acceptable to write test cases that use other elliptic curve parametersets for SM2; see Annex F.14 of[ISO-SM2] as a reference.¶
Implementations of the signature scheme and key exchange mechanism defined in this documentMUST conform towhat[GBT.32918.5-2017] requires; that is to say, the only valid elliptic curveparameter set for the SM2 signature algorithm (a.k.a. curveSM2) is defined as follows:¶
y2 = x3 + ax + b¶
p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93 n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123 Gx = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 Gy = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0¶
The SM2 signature algorithm requests an identifier value when generating or verifyinga signature. In all uses except when a client of a server needs to verify a peer'sSM2 certificate in the Certificate message, an implementation of this documentMUST use the following ASCII string value as the SM2 identifier when doing aTLS 1.3 key exchange:¶
TLSv1.3+GM+Cipher+Suite¶
If either a client or a server needs to verify the peer's SM2 certificatecontained in the Certificate message, then the following ASCII string valueMUST beused as the SM2 identifier according to[GMT.0009-2012]:¶
1234567812345678¶
Expressed as octets, this is:¶
0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38¶
In practice, the SM2 identifier used in a certificate signature depends on thecertificate authority (CA) who signs that certificate. CAs may choose values other than the ones mentionedabove. Implementations of this documentSHOULD confirm this information by themselves.¶
The use of the algorithms defined by this document is negotiated duringthe TLS handshake with information exchanged in the Hello messages.¶
To use the cipher suites defined by this document, a TLS 1.3 client includesthe new cipher suites in the "cipher_suites"array of the ClientHello structure defined inSection 4.1.2 of [RFC8446].¶
Other requirements of this TLS 1.3 profile on the extensions ofClientHello message are as follows:¶
If a TLS 1.3 server receives a ClientHello message containing the algorithmsdefined in this document, itMAY choose to use them. Ifso, then the serverMUST put one of the new cipher suites defined in thisdocument into its ServerHello's "cipher_suites" array and eventually send itto the client side.¶
A TLS 1.3 server's choice of what cipher suite to use depends on the configurationof the server. For instance, a TLS 1.3 server may or not be configured to include thenew cipher suites defined in this document. Typical TLS 1.3server applications also provide a mechanism that configures the cipher suitepreference on the server side. If a server is not configured to use the cipher suitesdefined in this document, itSHOULD choose another cipher suite in the list thatthe TLS 1.3 client provides; otherwise, the serverMUST abort the handshake withan "illegal_parameter" alert.¶
The following extensionMUST conform to the new requirements:¶
If a CertificateRequest message is sent by the server to require the clientto send its certificate for authentication purposes, for conformance to thisprofile, the following isREQUIRED:¶
When a server sends the Certificate message containing the server certificateto the client side, several new rules are added that will affect the certificateselection:¶
In the CertificateVerify message, the signature algorithmMUST be "sm2sig_sm3",indicating that the hash functionMUST be SM3 and the signature algorithmMUST beSM2.¶
As described inSection 1.1, SM2 is actually a set of cryptographicalgorithms, including one key exchange protocol that defines methods such askey derivation function, etc. This document does not define an SM2 key exchangeprotocol, and an SM2 key exchange protocolSHALL NOT be used in the key exchangesteps defined inSection 3.3. Implementations of this documentMUST always conform towhat TLS 1.3[RFC8446] and its successors require regarding the key derivation andrelated methods.¶
The new cipher suites introduced in this document add two new AEAD encryptionalgorithms, AEAD_SM4_GCM and AEAD_SM4_CCM, which stand for SM4 cipher in Galois/Countermode and SM4 cipher[GBT.32907-2016] in Counter with CBC-MAC mode, respectively.The hash function for both cipher suites is SM3 ([ISO-SM3]).¶
This section defines the AEAD_SM4_GCM and AEAD_SM4_CCM AEAD algorithms in astyle similar to what[RFC5116] used to define AEAD ciphers based on the AES cipher.¶
The AEAD_SM4_GCM authenticated encryption algorithm works as specified in[GCM],using SM4 as the block cipher, by providing the key, nonce, plaintext, andassociated data to that mode of operation. An authentication tag conforming tothe requirements of TLS 1.3 as specified inSection 5.2 of [RFC8446]MUST be constructed usingthe details in the TLS record header. The additional data input that forms theauthentication tagMUST be the TLS record header. The AEAD_SM4_GCM ciphertext is formed byappending the authentication tag provided as an output to the GCM encryptionoperation to the ciphertext that is output by that operation. AEAD_SM4_GCM has four inputs: an SM4 key, an initialization vector (IV), a plaintext content, and optional additional authenticated data (AAD). AEAD_SM4_GCM generates two outputs: a ciphertext and message authentication code (also called an authentication tag). To have a common set of terms for AEAD_SM4_GCM and AEAD_SM4_CCM, the AEAD_SM4_GCM IV is referred to as a nonce in the remainder of this document. A simple test vector of AEAD_SM4_GCM and AEAD_SM4_CCM is given inAppendix A of this document.¶
The nonce is generated by the party performing the authenticated encryption operation.Within the scope of any authenticated encryption key, the nonce valueMUST be unique.That is, the set of nonce values used with any given keyMUST NOT contain any duplicates.Using the same nonce for two different messages encrypted with the same keydestroys the security properties of GCM mode. To generate the nonce, implementations of this documentMUST conform to TLS 1.3 (see[RFC8446],Section 5.3).¶
The input and output lengths are as follows:¶
The AEAD_SM4_CCM authenticated encryption algorithm works as specified in[CCM]using SM4 as the block cipher. AEAD_SM4_CCM has four inputs: an SM4 key, a nonce,a plaintext, and optional additional authenticated data (AAD). AEAD_SM4_CCMgenerates two outputs: a ciphertext and a message authentication code (also calledan authentication tag). The formatting and counter generation functions are asspecified in Appendix A of[CCM], and the values of the parametersidentified in that appendix are as follows:¶
An authentication tag is also used in AEAD_SM4_CCM. The generation of the authenticationtagMUST conform to TLS 1.3 (See[RFC8446],Section 5.2).The AEAD_SM4_CCM ciphertext is formed by appending the authentication tag providedas an output to the CCM encryption operation to the ciphertext that is outputby that operation. The input and output lengths are as follows:¶
To generate the nonce, implementations of this documentMUST conform toTLS 1.3 (see[RFC8446],Section 5.3).¶
IANA has assigned the values {0x00,0xC6} and {0x00,0xC7} with the names"TLS_SM4_GCM_SM3" and "TLS_SM4_CCM_SM3"to the "TLS Cipher Suites" registry with this document as reference:¶
| Value | Description | DTLS-OK | Recommended | Reference |
|---|---|---|---|---|
| 0x00,0xC6 | TLS_SM4_GCM_SM3 | No | No | RFC 8998 |
| 0x00,0xC7 | TLS_SM4_CCM_SM3 | No | No | RFC 8998 |
IANA has assigned the value 0x0708 with the name "sm2sig_sm3" to the"TLS SignatureScheme" registry:¶
| Value | Description | Recommended | Reference |
|---|---|---|---|
| 0x0708 | sm2sig_sm3 | No | RFC 8998 |
IANA has assigned the value 41 with the name "curveSM2" to the"TLS Supported Groups" registry:¶
| Value | Description | DTLS-OK | Recommended | Reference |
|---|---|---|---|---|
| 41 | curveSM2 | No | No | RFC 8998 |
At the time of writing, there are no known weak keys for SMcryptographic algorithms SM2, SM3 and SM4, and no security issueshave been found for these algorithms.¶
All values are in hexadecimal and are in network byte order (big endian).¶
Initialization Vector: 00001234567800000000ABCDKey: 0123456789ABCDEFFEDCBA9876543210Plaintext: AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD EEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFF EEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAAAssociated Data: FEEDFACEDEADBEEFFEEDFACEDEADBEEFABADDAD2CipherText: 17F399F08C67D5EE19D0DC9969C4BB7D 5FD46FD3756489069157B282BB200735 D82710CA5C22F0CCFA7CBF93D496AC15 A56834CBCF98C397B4024A2691233B8DAuthentication Tag: 83DE3541E4C2B58177E065A9BF7B62EC¶
Initialization Vector: 00001234567800000000ABCDKey: 0123456789ABCDEFFEDCBA9876543210Plaintext: AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD EEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFF EEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAAAssociated Data: FEEDFACEDEADBEEFFEEDFACEDEADBEEFABADDAD2CipherText: 48AF93501FA62ADBCD414CCE6034D895 DDA1BF8F132F042098661572E7483094 FD12E518CE062C98ACEE28D95DF4416B ED31A2F04476C18BB40C84A74B97DC5BAuthentication Tag: 16842D4FA186F56AB33256971FA110F4¶