Network Working Group                                          C. Bartle
Internet-Draft                                               Apple, Inc.
Intended status: Standards Track                               N. Aviram
Expires: 16 December 2022                                   14 June 2022

Deprecating Obsolete Key Exchange Methods in TLS
draft-ietf-tls-deprecate-obsolete-kex-00
Abstract
This document makes several prescriptions regarding the following key exchange methods in TLS, most of which have been superseded by better options:
1. This document deprecates the use of RSA key exchange in TLS.

2. It limits the use of Diffie Hellman key exchange over a finite field to avoid known vulnerabilities and improper security properties.

3. It discourages the use of static elliptic curve Diffie Hellman cipher suites.
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 December 2022.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
   1.  Introduction
     1.1.  Requirements
   2.  Non-Ephemeral Diffie Hellman
   3.  Ephemeral Finite Field Diffie Hellman
   4.  RSA
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  DH Cipher Suites Deprecated by This Document
   Appendix B.  ECDH Cipher Suites Whose Use Is Discouraged by This Document
   Appendix C.  DHE Cipher Suites Referred to by This Document
   Appendix D.  RSA Cipher Suites Deprecated by This Document
   Authors' Addresses
1.  Introduction

TLS supports a variety of key exchange algorithms, including RSA, Diffie Hellman over a finite field, and elliptic curve Diffie Hellman (ECDH).
Diffie Hellman key exchange, over any group, comes in ephemeral and non-ephemeral varieties. Non-ephemeral DH algorithms use static DH public keys included in the authenticating peer's certificate; see [RFC4492] for discussion. In contrast, ephemeral DH algorithms use ephemeral DH public keys sent in the handshake and authenticated by the peer's certificate. Ephemeral and non-ephemeral finite field DH algorithms are called DHE and DH (or FFDHE and FFDH), respectively, and ephemeral and non-ephemeral elliptic curve DH algorithms are called ECDHE and ECDH, respectively [RFC4492].
In general, non-ephemeral cipher suites are not recommended due to their lack of forward secrecy. However, as demonstrated by the [Raccoon] attack on finite-field DH, public key reuse, either via non-ephemeral cipher suites or reused keys with ephemeral cipher suites, can lead to timing side channels that may leak connection secrets. For elliptic curve DH, invalid curve attacks similarly exploit secret reuse in order to break security [ICA], further demonstrating the risk of reusing public keys. While both side channels can be avoided in implementations, experience shows that in practice, implementations may fail to thwart such attacks due to the complexity and number of the required mitigations.
Additionally, RSA key exchange suffers from security problems that are independent of implementation choices as well as problems that stem purely from the difficulty of implementing security countermeasures correctly.
At a rough glance, the problems affecting FFDHE are as follows:
1. FFDHE suffers from interoperability problems because there is no mechanism for negotiating the group size, and some implementations only support small group sizes (see [RFC7919], Section 1).

2. In practice, some operators use 1024-bit FFDHE groups since this is the maximum size that ensures wide support (see [RFC7919], Section 1). This size leaves only a small security margin vs. the current discrete log record, which stands at 795 bits [DLOG795].

3. Expanding on the previous point, just a handful of very large computations allow an attacker to cheaply decrypt a relatively large fraction of FFDHE traffic (namely, traffic encrypted using particular standardized groups) [weak-dh].

4. When secrets are not fully ephemeral, FFDHE suffers from the [Raccoon] side channel attack. (Note that FFDH is inherently vulnerable to the Raccoon attack unless constant-time mitigations are employed.)

5. FFDHE groups may have small subgroups, which enables several attacks [subgroups].
The problems affecting RSA key exchange are as follows:

1. RSA key exchange offers no forward secrecy, by construction.

2. RSA key exchange may be vulnerable to Bleichenbacher's attack [BLEI]. Experience shows that variants of this attack arise every few years because implementing the relevant countermeasure correctly is difficult (see [ROBOT], [NEW-BLEI], [DROWN]).

3. In addition to the above point, there is no convenient mechanism in TLS for the domain separation of keys. Therefore, a single endpoint that is vulnerable to Bleichenbacher's attack would affect all endpoints sharing the same RSA key (see [XPROT], [DROWN]).
To remediate these problems, this document updates [RFC4346], [RFC5246], [RFC4162], [RFC6347], [RFC5932], [RFC5288], [RFC6209], [RFC6367], [RFC8422], [RFC5289], and [RFC5469].
1.1.  Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
2.  Non-Ephemeral Diffie Hellman

Clients MUST NOT offer non-ephemeral FFDH cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996] and TLS 1.3 does not support FFDH [RFC8446].) This includes all cipher suites listed in the table in Appendix A.

Clients SHOULD NOT offer non-ephemeral ECDH cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996] and TLS 1.3 does not support ECDH [RFC8446].) This includes all cipher suites listed in the table in Appendix B.
3.  Ephemeral Finite Field Diffie Hellman

Clients and servers MAY offer fully ephemeral FFDHE cipher suites in TLS 1.2 connections under the following conditions:

1. Clients and servers MUST NOT reuse ephemeral DHE public keys across TLS connections, for all existing (and future) TLS versions. Doing so invalidates the forward secrecy properties of these connections. For DHE, such reuse may also lead to vulnerabilities such as those used in the [Raccoon] attack. See Section 6 for related discussion.

2. The group is one of the following well-known groups described in [RFC7919]: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192.

(Note that TLS 1.0 and 1.1 are deprecated by [RFC8996]. TLS 1.3 satisfies the second point above [RFC8446] and is not vulnerable to the [Raccoon] attack.)
We note that, previously, supporting the broadest range of clients would have required supporting either RSA key exchange or 1024-bit FFDHE. This is no longer the case, and it is possible to support most clients released since circa 2015 using 2048-bit FFDHE or more modern key exchange methods, and without RSA key exchange [server_side_tls].

All the cipher suites that do not meet the above requirements are listed in the table in Appendix C.
4.  RSA

Clients and servers MUST NOT offer RSA cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and TLS 1.3 does not support static RSA [RFC8446].) This includes all cipher suites listed in the table in Appendix D. Note that these cipher suites are already marked as not recommended in the "TLS Cipher Suites" registry.
5.  IANA Considerations

This document makes no requests to IANA. Note that all cipher suites listed in Section 4 and in Section 2 are already marked as not recommended in the "TLS Cipher Suites" registry.
6.  Security Considerations

Non-ephemeral finite field DH cipher suites (TLS_DH_*), as well as ephemeral key reuse for finite field DH cipher suites, are prohibited due to the [Raccoon] attack. Both are already considered bad practice since they do not provide forward secrecy. However, Raccoon revealed that timing side channels in processing TLS premaster secrets may be exploited to reveal the encrypted premaster secret.
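Two of the checks above are concrete enough to show in code: the Section 3 condition that a DHE server's prime is one of the [RFC7919] groups (with the small-subgroup check from the Introduction), and the premaster-length behaviour of TLS 1.2 that the Raccoon oracle is built on. The following is an added example, not code from the draft or from any TLS implementation. It derives the ffdhe2048 prime from the formula in RFC 7919 Appendix A (the constant X = 560316 is taken from that appendix, not derived here; the other four groups use the same formula with their own (b, X) pairs), validates a peer share against it, and then contrasts the RFC 5246 premaster encoding, which strips leading zero bytes, with the fixed-length RFC 8446 encoding. The Raccoon "server" is a simulation that hands the attacker the premaster length directly; a real server leaks it only through timing. The victim and server exponents are constructed.

```python
"""Added example for Sections 3 and 6 (and the small-subgroup item in the
Introduction); not code from the draft or from any TLS stack.  Part 1 derives
the ffdhe2048 prime from RFC 7919 Appendix A and validates DH parameters
against it.  Part 2 shows the TLS 1.2 / TLS 1.3 premaster length difference
that Raccoon turns into an MSB oracle, against a simulated key-reusing server."""
from decimal import Decimal, ROUND_FLOOR, getcontext
import random


def rfc7919_prime(b: int, x: int) -> int:
    """p = 2^b - 2^(b-64) + (floor(2^(b-130) * e) + X) * 2^64 - 1 (RFC 7919, App. A)."""
    digits = b // 3 + 30                       # decimal digits needed for b bits of e
    getcontext().prec = digits
    eps = Decimal(10) ** -digits
    e, term = Decimal(0), Decimal(1)
    for k in range(1, 10_000):                 # e = sum 1/k!, stop once terms vanish
        e += term
        term /= k
        if term < eps:
            break
    scaled = int((Decimal(2) ** (b - 130) * e).to_integral_value(ROUND_FLOOR))
    return (1 << b) - (1 << (b - 64)) + (scaled + x) * (1 << 64) - 1


def is_probable_prime(n: int, rounds: int = 6) -> bool:
    """Miller-Rabin, seeded from n so the result is reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n & 0xFFFF)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# X = 560316 is the ffdhe2048 value from RFC 7919 Appendix A (copied from the
# RFC, not derived here).  The other four groups use their own (b, X) pairs.
FFDHE2048 = rfc7919_prime(2048, 560316)
KNOWN_GROUPS = {"ffdhe2048": FFDHE2048}


def rfc7919_group_name(p: int):
    """Name of the RFC 7919 group with prime p, or None (Section 3, condition 2)."""
    return next((name for name, known in KNOWN_GROUPS.items() if known == p), None)


def valid_peer_share(y: int, p: int) -> bool:
    """Reject shares outside (1, p-1) or outside the order-q subgroup.  For the
    RFC 7919 safe primes q = (p-1)/2, so this is the small-subgroup check."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1


def tls12_premaster(z: int) -> bytes:
    """RFC 5246 section 8.1.2: leading all-zero bytes of Z are stripped, so the
    premaster length depends on the top bits of the shared secret."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def tls13_shared_secret(z: int, p: int) -> bytes:
    """RFC 8446 section 7.4.1: fixed length, left-padded with zeros."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def raccoon_oracle_queries(p: int, g: int, b: int, victim_share: int, n: int = 8, seed: int = 1):
    """Simulated Raccoon MSB oracle against a server that reuses exponent b.

    The attacker recorded the victim's g^a and the server's long-lived g^b and
    sends probes g^a * g^r for chosen r.  The server computes
    (g^a * g^r)^b = g^ab * (g^b)^r, and the TLS 1.2 premaster length tells
    whether that product has a leading zero byte: one inequality on the same
    unknown g^ab per query, which Raccoon solves as a hidden number problem.
    With a fresh b per connection each answer would concern an unrelated
    secret.  Here the length is read directly; a real server leaks it only
    through the timing of the master secret derivation."""
    rng = random.Random(seed)
    full = (p.bit_length() + 7) // 8
    answers = []
    for _ in range(n):
        r = rng.randrange(1, p - 1)
        probe = victim_share * pow(g, r, p) % p
        z = pow(probe, b, p)                   # what the key-reusing server computes
        answers.append((r, len(tls12_premaster(z)) < full))
    return answers


if __name__ == "__main__":
    p = FFDHE2048
    print("safe prime:", is_probable_prime(p) and is_probable_prime((p - 1) // 2))
    share = pow(2, 0xA11CE, p)                 # constructed victim share g^a
    print("group:", rfc7919_group_name(p), "share ok:", valid_peer_share(share, p))
    print("leaked bits:", [short for _, short in raccoon_oracle_queries(p, 2, 0xB0B, share)])
```

With the ffdhe primes, whose top 64 bits are all ones, a leading zero byte occurs for roughly one shared secret in 256, so most probes answer "no"; Raccoon's contribution was showing that those rare "yes" answers, collected against a reused server key, are enough to recover the victim's premaster. TLS 1.3 removes the signal at the source by never varying the encoded length.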
As for non-ephemeral elliptic curve DH cipher suites, forgoing forward secrecy not only allows retroactive decryption in the event of key compromise but may also enable a broad category of attacks where the attacker exploits key reuse to repeatedly query a cryptographic secret.

This category includes, but is not necessarily limited to, the following examples:

1. Invalid curve attacks, where the attacker exploits key reuse to repeatedly query and eventually learn the key itself. These attacks have been shown to be practical against real-world TLS implementations [ICA].

2. Side channel attacks, where the attacker exploits key reuse and an additional side channel to learn a cryptographic secret. As one example of such attacks, refer to [MAY4].

3. Fault attacks, where the attacker exploits key reuse and incorrect calculations to learn a cryptographic secret. As one example of such attacks, see [PARIS256].

Such attacks are often implementation-dependent, including the above examples. However, these examples demonstrate that building a system that reuses keys and avoids this category of attacks is difficult in practice. In contrast, avoiding key reuse not only prevents decryption in the event of key compromise, but also precludes this category of attacks altogether. Therefore, this document discourages the reuse of elliptic curve DH public keys.
7.  Acknowledgments

This document was inspired by discussions on the TLS WG mailing list and a suggestion by Filippo Valsorda following the release of the [Raccoon] attack. Thanks to Christopher A. Wood for writing up the initial draft of this document.
8.  References

8.1.  Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC4162] Lee, H.J., Yoon, J.H., and J.I. Lee, "Addition of SEED Cipher Suites to Transport Layer Security (TLS)", RFC 4162, DOI 10.17487/RFC4162, August 2005, <https://www.rfc-editor.org/info/rfc4162>.
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", RFC 4279, DOI 10.17487/RFC4279, December 2005, <https://www.rfc-editor.org/info/rfc4279>.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, DOI 10.17487/RFC4346, April 2006, <https://www.rfc-editor.org/info/rfc4346>.
[RFC4785] Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)", RFC 4785, DOI 10.17487/RFC4785, January 2007, <https://www.rfc-editor.org/info/rfc4785>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <https://www.rfc-editor.org/info/rfc5246>.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, DOI 10.17487/RFC5288, August 2008, <https://www.rfc-editor.org/info/rfc5288>.
[RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289, DOI 10.17487/RFC5289, August 2008, <https://www.rfc-editor.org/info/rfc5289>.
[RFC5469] Eronen, P., Ed., "DES and IDEA Cipher Suites for Transport Layer Security (TLS)", RFC 5469, DOI 10.17487/RFC5469, February 2009, <https://www.rfc-editor.org/info/rfc5469>.
[RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode", RFC 5487, DOI 10.17487/RFC5487, March 2009, <https://www.rfc-editor.org/info/rfc5487>.
[RFC5932] Kato, A., Kanda, M., and S. Kanno, "Camellia Cipher Suites for TLS", RFC 5932, DOI 10.17487/RFC5932, June 2010, <https://www.rfc-editor.org/info/rfc5932>.
[RFC6209] Kim, W., Lee, J., Park, J., and D. Kwon, "Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)", RFC 6209, DOI 10.17487/RFC6209, April 2011, <https://www.rfc-editor.org/info/rfc6209>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC6367] Kanno, S. and M. Kanda, "Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)", RFC 6367, DOI 10.17487/RFC6367, September 2011, <https://www.rfc-editor.org/info/rfc6367>.
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for Transport Layer Security (TLS)", RFC 6655, DOI 10.17487/RFC6655, July 2012, <https://www.rfc-editor.org/info/rfc6655>.
[RFC7905] Langley, A., Chang, W., Mavrogiannopoulos, N., Strombergson, J., and S. Josefsson, "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)", RFC 7905, DOI 10.17487/RFC7905, June 2016, <https://www.rfc-editor.org/info/rfc7905>.
[RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)", RFC 7919, DOI 10.17487/RFC7919, August 2016, <https://www.rfc-editor.org/info/rfc7919>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier", RFC 8422, DOI 10.17487/RFC8422, August 2018, <https://www.rfc-editor.org/info/rfc8422>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>.
[RFC8996] Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, <https://www.rfc-editor.org/info/rfc8996>.
8.2.  Informative References

[BLEI] Bleichenbacher, D., "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1", Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pp. 1-12, 1998.
[DLOG795] Boudot, F., Gaudry, P., Guillevic, A., Heninger, N., Thomé, E., and P. Zimmermann, "Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment", 17 August 2020, <https://eprint.iacr.org/2020/697>.
[DROWN] Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J. A., Dukhovni, V., Käsper, E., Cohney, S., Engels, S., Paar, C., and Y. Shavitt, "DROWN: Breaking TLS using SSLv2", August 2016, <https://drownattack.com/drown-attack-paper.pdf>.
[ICA] Jager, T., Schwenk, J., and J. Somorovsky, "Practical invalid curve attacks on TLS-ECDH", 21 September 2015, <https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.704.7932&rep=rep1&type=pdf>.
[MAY4] Genkin, D., Valenta, L., and Y. Yarom, "May the fourth be with you: A microarchitectural side channel attack on several real-world applications of curve25519", n.d., <https://dl.acm.org/doi/pdf/10.1145/3133956.3134029>.
[NEW-BLEI] Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., and E. Tews, "Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks", August 2014, <https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-meyer.pdf>.
[PARIS256] Devlin, S. and F. Valsorda, "The PARIS256 Attack", n.d., <https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf>.
[Raccoon] Merget, R., Brinkmann, M., Aviram, N., Somorovsky, J., Mittmann, J., and J. Schwenk, "Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)", 9 September 2020, <https://raccoon-attack.com/RacoonAttack.pdf>.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, DOI 10.17487/RFC4492, May 2006, <https://www.rfc-editor.org/info/rfc4492>.
[ROBOT] Boeck, H., Somorovsky, J., and C. Young, "Return Of Bleichenbacher's Oracle Threat (ROBOT)", 27th USENIX Security Symposium, 2018.
[SC-tls-des-idea-ciphers-to-historic] "Moving single-DES and IDEA TLS ciphersuites to Historic", 25 January 2021, <https://datatracker.ietf.org/doc/status-change-tls-des-idea-ciphers-to-historic/>.
[server_side_tls] King, A., "Server Side TLS", July 2020, <https://wiki.mozilla.org/Security/Server_Side_TLS>.
[subgroups] Valenta, L., Adrian, D., Sanso, A., Cohney, S., Fried, J., Hastings, M., Halderman, J. A., and N. Heninger, "Measuring small subgroup attacks against Diffie-Hellman", 15 October 2016, <https://eprint.iacr.org/2016/995/20161017:193515>.
[weak-dh] Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., and P. Zimmermann, "Weak Diffie-Hellman and the Logjam Attack", October 2015, <https://weakdh.org/>.
[XPROT] Jager, T., Schwenk, J., and J. Somorovsky, "On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption", Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
Appendix A.  DH Cipher Suites Deprecated by This Document

   +==========================================+====================+
   | Ciphersuite                              | Reference          |
   +==========================================+====================+
   | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     | [RFC4346]          |
   | TLS_DH_DSS_WITH_DES_CBC_SHA              | [RFC5469]          |
   | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         | [RFC5246]          |
   | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     | [RFC4346]          |
   | TLS_DH_RSA_WITH_DES_CBC_SHA              | [RFC5469]          |
   | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         | [RFC5246]          |
   | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       | [RFC4346][RFC6347] |
   | TLS_DH_anon_WITH_RC4_128_MD5             | [RFC5246][RFC6347] |
   | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    | [RFC4346]          |
   | TLS_DH_anon_WITH_DES_CBC_SHA             | [RFC5469]          |
   | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        | [RFC5246]          |
   | TLS_DH_DSS_WITH_AES_128_CBC_SHA          | [RFC5246]          |
   | TLS_DH_RSA_WITH_AES_128_CBC_SHA          | [RFC5246]          |
   | TLS_DH_anon_WITH_AES_128_CBC_SHA         | [RFC5246]          |
   | TLS_DH_DSS_WITH_AES_256_CBC_SHA          | [RFC5246]          |
   | TLS_DH_RSA_WITH_AES_256_CBC_SHA          | [RFC5246]          |
   | TLS_DH_anon_WITH_AES_256_CBC_SHA         | [RFC5246]          |
   | TLS_DH_DSS_WITH_AES_128_CBC_SHA256       | [RFC5246]          |
   | TLS_DH_RSA_WITH_AES_128_CBC_SHA256       | [RFC5246]          |
   | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA     | [RFC5932]          |
   | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA     | [RFC5932]          |
   | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA    | [RFC5932]          |
   | TLS_DH_DSS_WITH_AES_256_CBC_SHA256       | [RFC5246]          |
   | TLS_DH_RSA_WITH_AES_256_CBC_SHA256       | [RFC5246]          |
   | TLS_DH_anon_WITH_AES_128_CBC_SHA256      | [RFC5246]          |
   | TLS_DH_anon_WITH_AES_256_CBC_SHA256      | [RFC5246]          |
   | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA     | [RFC5932]          |
   | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA     | [RFC5932]          |
   | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA    | [RFC5932]          |
   | TLS_DH_DSS_WITH_SEED_CBC_SHA             | [RFC4162]          |
   | TLS_DH_RSA_WITH_SEED_CBC_SHA             | [RFC4162]          |
   | TLS_DH_anon_WITH_SEED_CBC_SHA            | [RFC4162]          |
   | TLS_DH_RSA_WITH_AES_128_GCM_SHA256       | [RFC5288]          |
   | TLS_DH_RSA_WITH_AES_256_GCM_SHA384       | [RFC5288]          |
   | TLS_DH_DSS_WITH_AES_128_GCM_SHA256       | [RFC5288]          |
   | TLS_DH_DSS_WITH_AES_256_GCM_SHA384       | [RFC5288]          |
   | TLS_DH_anon_WITH_AES_128_GCM_SHA256      | [RFC5288]          |
   | TLS_DH_anon_WITH_AES_256_GCM_SHA384      | [RFC5288]          |
   | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256  | [RFC5932]          |
   | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256  | [RFC5932]          |
   | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932]          |
   | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256  | [RFC5932]          |
   | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256  | [RFC5932]          |
   | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932]          |
   | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256      | [RFC6209]          |
   | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384      | [RFC6209]          |
   | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256      | [RFC6209]          |
   | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384      | [RFC6209]          |
   | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256     | [RFC6209]          |
   | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384     | [RFC6209]          |
   | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256      | [RFC6209]          |
+------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +------------------------------------------+--------------------+
| TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +------------------------------------------+--------------------+
Table 1
Appendix B. ECDH Cipher Suites Whose Use Is Discouraged by This Document
+=============================================+====================+
| Ciphersuite                                 | Reference          |
+=============================================+====================+
| TLS_ECDH_ECDSA_WITH_NULL_SHA                | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_RC4_128_SHA             | [RFC8422][RFC6347] |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA        | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA         | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA         | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_NULL_SHA                  | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_RC4_128_SHA               | [RFC8422][RFC6347] |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA          | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA           | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA           | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_anon_WITH_NULL_SHA                 | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_anon_WITH_RC4_128_SHA              | [RFC8422][RFC6347] |
+---------------------------------------------+--------------------+
| TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA         | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA          | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA          | [RFC8422]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256      | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384      | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256        | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384        | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256      | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384      | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256        | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384        | [RFC5289]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256     | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384     | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256       | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384       | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256     | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384     | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256       | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384       | [RFC6209]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256   | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384   | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256   | [RFC6367]          |
+---------------------------------------------+--------------------+
| TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384   | [RFC6367]          |
+---------------------------------------------+--------------------+
Table 2
+=========================================+==============================================+
|Ciphersuite                              |Reference                                     |
+=========================================+==============================================+
|TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA    |[RFC4346]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_DES_CBC_SHA             |[RFC5469][SC-tls-des-idea-ciphers-to-historic]|
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA    |[RFC4346]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_DES_CBC_SHA             |[RFC5469][SC-tls-des-idea-ciphers-to-historic]|
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_NULL_SHA                |[RFC4785]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_AES_128_CBC_SHA         |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_128_CBC_SHA         |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_AES_256_CBC_SHA         |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_256_CBC_SHA         |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_AES_128_CBC_SHA256      |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA    |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_AES_256_CBC_SHA256      |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA    |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_RC4_128_SHA             |[RFC4279][RFC6347]                            |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        |[RFC4279]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_128_CBC_SHA         |[RFC4279]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_256_CBC_SHA         |[RFC4279]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_SEED_CBC_SHA            |[RFC4162]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_SEED_CBC_SHA            |[RFC4162]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      |[RFC5288]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      |[RFC5288]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_AES_128_GCM_SHA256      |[RFC5288]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_AES_256_GCM_SHA384      |[RFC5288]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_NULL_SHA256             |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_NULL_SHA384             |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_128_CCM             |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_256_CCM             |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_128_CCM_8           |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_AES_256_CCM_8           |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_128_CCM             |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_AES_256_CCM             |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256|[RFC7905]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256|[RFC7905]                                     |
+-----------------------------------------+----------------------------------------------+
Table 3
+=========================================+==============================================+
|Ciphersuite                              |Reference                                     |
+=========================================+==============================================+
|TLS_RSA_WITH_NULL_MD5                    |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_NULL_SHA                    |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_EXPORT_WITH_RC4_40_MD5           |[RFC4346][RFC6347]                            |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_RC4_128_MD5                 |[RFC5246][RFC6347]                            |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_RC4_128_SHA                 |[RFC5246][RFC6347]                            |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       |[RFC4346]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_IDEA_CBC_SHA                |[RFC5469][SC-tls-des-idea-ciphers-to-historic]|
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        |[RFC4346]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_DES_CBC_SHA                 |[RFC5469][SC-tls-des-idea-ciphers-to-historic]|
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_3DES_EDE_CBC_SHA            |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_NULL_SHA                |[RFC4785]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_128_CBC_SHA             |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_256_CBC_SHA             |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_NULL_SHA256                 |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_128_CBC_SHA256          |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_256_CBC_SHA256          |[RFC5246]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_RC4_128_SHA             |[RFC4279][RFC6347]                            |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        |[RFC4279]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_AES_128_CBC_SHA         |[RFC4279]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_AES_256_CBC_SHA         |[RFC4279]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_SEED_CBC_SHA                |[RFC4162]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_128_GCM_SHA256          |[RFC5288]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_256_GCM_SHA384          |[RFC5288]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_NULL_SHA256             |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_NULL_SHA384             |[RFC5487]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     |[RFC5932]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_ARIA_128_CBC_SHA256         |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_ARIA_256_CBC_SHA384         |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_ARIA_128_GCM_SHA256         |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_ARIA_256_GCM_SHA384         |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384     |[RFC6209]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256     |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384     |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 |[RFC6367]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_128_CCM                 |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_256_CCM                 |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_128_CCM_8               |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_WITH_AES_256_CCM_8               |[RFC6655]                                     |
+-----------------------------------------+----------------------------------------------+
|TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256|[RFC7905]                                     |
+-----------------------------------------+----------------------------------------------+
Table 4
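The four tables above identify the affected suites by name only, and every name in them encodes its key-exchange method in the prefix (TLS_DH_*, TLS_ECDH_*, TLS_DHE_*, TLS_RSA_* including TLS_RSA_PSK_*). What an operator auditing a server or client configuration usually wants is a check that maps a configured cipher list onto those tables. The following Python is an added example, not code from the draft or from any TLS library: it parses IANA-style suite names, derives the key-exchange family from the prefix, and reports the family-level outcome the abstract prescribes (RSA key exchange deprecated, Table 4; finite-field DH limited, Tables 1 and 3; non-ephemeral ECDH discouraged, Table 2). Because it classifies by prefix rather than by a fixed list, it generalizes from the rows printed here to any suite name with the same key-exchange prefix. The status wording, the Verdict type, the parse_cipher_list helper and SAMPLE_CONFIG are this example's own constructions and carry no normative weight.

```python
"""Map IANA-style TLS cipher suite names onto the key-exchange tables of this
draft.  Added example; not the draft's own code and not a TLS library API."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Outcome per key-exchange family, paraphrasing the abstract (example wording,
# not normative text): RSA key exchange is deprecated (Table 4), finite-field
# DH is limited (Tables 1 and 3), non-ephemeral ECDH is discouraged (Table 2).
KEX_STATUS: Dict[str, str] = {
    "RSA":   "deprecated: RSA key exchange (Table 4)",
    "DH":    "limited: non-ephemeral finite-field DH (Table 1)",
    "DHE":   "limited: ephemeral finite-field DH (Table 3)",
    "ECDH":  "discouraged: non-ephemeral ECDH (Appendix B, Table 2)",
    "ECDHE": "not affected: ephemeral ECDH",
}

# TLS_<kex>[_<auth>][_EXPORT]_WITH_<cipher>_<mac>.  TLS 1.3 names such as
# TLS_AES_128_GCM_SHA256 carry no key exchange and deliberately do not match.
_SUITE = re.compile(r"^TLS_(?P<kexauth>.+?)(?P<export>_EXPORT)?_WITH_(?P<rest>.+)$")


class Verdict(NamedTuple):
    suite: str
    kex: Optional[str]   # RSA, DH, DHE, ECDH, ECDHE, PSK, SRP, ... or None
    anonymous: bool      # *_anon_* suites: no server authentication at all
    export: bool         # EXPORT-grade (deliberately weakened) suite
    status: str


def classify(suite: str) -> Verdict:
    """Derive the key-exchange family from the suite name and look up its status."""
    m = _SUITE.match(suite.strip())
    if not m:
        return Verdict(suite, None, False, False,
                       "no key exchange in name (TLS 1.3 suite or signalling value)")
    parts = m.group("kexauth").split("_")   # e.g. ["DH", "anon"], ["RSA", "PSK"]
    kex = parts[0]
    anonymous = "anon" in parts
    export = m.group("export") is not None
    status = KEX_STATUS.get(kex, f"not covered by this draft ({kex})")
    return Verdict(suite, kex, anonymous, export, status)


def parse_cipher_list(text: str) -> List[str]:
    """Split a colon-, comma- or whitespace-separated list of suite names."""
    return [s for s in re.split(r"[\s:,]+", text) if s]


def flagged(suites: Iterable[str]) -> List[Verdict]:
    """Return the suites that this draft deprecates, limits or discourages."""
    return [v for v in map(classify, suites) if v.kex in ("RSA", "DH", "DHE", "ECDH")]


# Constructed sample configuration for the demonstration (not from any real host).
SAMPLE_CONFIG = (
    "TLS_AES_128_GCM_SHA256:"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:"
    "TLS_RSA_WITH_AES_128_CBC_SHA:"
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:"
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:"
    "TLS_PSK_WITH_AES_128_CBC_SHA256"
)

if __name__ == "__main__":
    for v in flagged(parse_cipher_list(SAMPLE_CONFIG)):
        extra = (" [anon]" if v.anonymous else "") + (" [export]" if v.export else "")
        print(f"{v.suite:42} {v.status}{extra}")
```

The anonymous and export flags are reported separately because they are orthogonal to the key-exchange verdict: a TLS_DH_anon_* suite is limited by the finite-field rule and additionally offers no authentication, and an EXPORT suite is weakened on top of whatever its key exchange is. Pure PSK, SRP and ECDHE suites are outside the four tables and are reported as such rather than silently passed.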
Authors' Addresses
Carrick Bartle
Apple, Inc.
Email: cbartle@apple.com
Nimrod Aviram
Email: nimrod.aviram@gmail.com