[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01 02 03 04 05 06 07 08
TLS N. Cam-Winget
Internet-Draft Cisco Systems
Intended status: Informational J. Visoky
Expires: April 24, 2021 ODVA
October 21, 2020
TLS 1.3 Authentication and Integrity only Cipher Suites
draft-camwinget-tls-ts13-macciphersuites-08
Abstract
There are use cases, specifically in Internet of Things (IoT) and
constrained environments that do not require confidentiality, though
message integrity for all communications and mutual authentication
during tunnel establishment are both still mandated. Examples of
such use cases are given, although a threat model is necessary to
determine whether or not a given situation falls into this catergory
of use cases. In order to serve these use cases, this document
defines the use of HMAC only cipher suites for TLS 1.3, which
provides mutual authentication and data authenticity, but not data
confidentiality. The approach described in this document is not
endorsed by the IETF and does not have IETF consensus, but is
presented here to enable interoperable implementation of a reduced
security mechanism that provides authentication and message integrity
without supporting confidentiality.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 24, 2021.
Cam-Winget & Visoky Expires April 24, 2021 [Page 1]
Internet-Draft IoT Ciphers October 2020
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Applicability Statement . . . . . . . . . . . . . . . . . . . 3
4. Cryptographic Negotiation Using Integrity only Cipher Suites 5
5. Record Payload Protection for Integrity only Cipher Suites . 5
6. Key Schedule when using Integrity only Cipher Suites . . . . 7
7. Error Alerts . . . . . . . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Security and Privacy Considerations . . . . . . . . . . . . . 8
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
11.1. Normative References . . . . . . . . . . . . . . . . . . 8
11.2. Informative Reference . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
There are several use cases in which communications privacy is not
strictly needed, although authenticity of the communications
transport is still very important. For example, within the
Industrial Automation space there could be TCP or UDP communications
which command a robotic arm to move a certain distance at a certain
speed. Without authenticity guarantees, an attacker could modify the
packets to change the movement of the robotic arm, potentially
causing physical damage. However, the motion control commands are
not considered to be sensitive information and thus there is no
requirement to provide confidentiality. Another IoT example with no
strong requirement for confidentiality is the reporting of weather
information; however, message authenticity is required to ensure
integrity of the message.
Cam-Winget & Visoky Expires April 24, 2021 [Page 2]
Internet-Draft IoT Ciphers October 2020
There is no requirement to encrypt messages in environments where the
information is not confidential; such as when there is no
intellectual property associated with the processes, or where the
threat model does not indicate any outsider attacks (such as in a
closed system). Note however, this situation will not apply equally
to all use cases (for example, a robotic arm might be used in one
case for a process that does not involve any intellectual property,
but in another case that does). Therefore, it is important that a
user or system developer carefully examine both the sensitivity of
the data and the system threat model to determine the need for
encryption before deploying equipment
Besides having a strong need for authenticity and no need for
confidentiality, many of these systems also have a strong requirement
for low latency. Furthermore, several classes of IoT device
(industrial or otherwise) have limited processing capability.
However, these IoT systems still gain great benefit from leveraging
TLS 1.3 for secure communications. Given the reduced need for
confidentiality TLS 1.3 [RFC8446] cipher suites that maintain data
integrity without confidentiality are described in this document.
The approach described in this document is not endorsed by the IETF
and does not have IETF consensus, but is presented here to enable
interoperable implementation of a reduced security mechanism that
provides authentication and message integrity with supporting
confidentiality.
2. Terminology
Although this document is not an IETF Standards Track publication it
adopts the conventions for normatve language to provide clarity of
instructions to the implementer. The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
when, they appear in all capitals, as shown here.
3. Applicability Statement
The two HMAC SHA [RFC6234] based cipher suites referenced in this
document are intended for a small limited set of applications where
confidentiality requirements are relaxed and the need to minimize the
cryptographic algorithms are prioritized. This section describes
some of those applicable use cases.
Use cases in the industrial automation industry, while requiring data
integrity, often do not require confidential communications. Mainly,
information communicated to unmanned machines to execute repetitive
tasks does not convey private information. For example, there could
Cam-Winget & Visoky Expires April 24, 2021 [Page 3]
Internet-Draft IoT Ciphers October 2020
be a system with a robotic arm that paints the body of a car. This
equipment is used within a car manufacturing plant, and is just one
piece of equipment in a multi-step manufacturing process. The
movements of this robotic arm are likely not a trade secret or
sensitive intellectual property, although some portions of the
manufacturing of the car might very well contain sesitivie
intellectual property. Even the mixture for the paint itself might
be confidential, but the mixing is done by a completely different
piece of equipment and therefore communciation to/from that equipment
can be encrypted without requiring the communication to/from the
robotic arm to be encrypted. Modern manufacturing often has
segmented equipment with different levelsof risk on intellectual
property, although nearly every communciation interaction has strong
data authenticity requirements.
Another use case which is closely related is that of fine grained
time updates. Motion systems often rely on time synchronization to
ensure proper execution. Time updates are essentially public, there
is no threat from an attacker knowing the time update information.
This should make intuitive sense to those not familiar with these
applications; rarely if ever does time information present a serious
attack surface dealing with privacy. However the authenticity is
still quite important. Modification of the data can at best lead to
a denial-of-service attack, although a more intelligent threat actor
might be able to cause actual physical damage. As these time
synchronization updates are very fine-grained, it is again important
for latency to be very low.
A third use case deals with data related to alarms. Industrial
control sensing equipment can be configured to send alarm information
when it meets certain conditions, for example, temperature goes above
or below a given threshhold. Often times this data is used to detect
certain out-of-tolerance conditions, allowing an operator or
automated system to take corrective action. Once again, in many
systems the reading of this data doesn't grant the attacker
information that can be exploited, it is generally just information
regarding the physical state of the system. At the same time, being
able to modify this data would allow an attacker to either trigger
alarms falsely or to cover up evidence of an attack that might allow
for detection of their malicious activity. Furthermore, sensors are
often low powered devices that might struggle to process encrypted
and authenticated data. These sensors might be very cost sensitive
such that there is not enough processing power for data encryption.
Sending data that is just authenticated significantly eases the
burden placed on these devices, yet still allows the data to be
protected against any tampering threats. A user can always chose to
pay more for a sensor with encryption capability, but for some data
authenticity will be sufficient.
Cam-Winget & Visoky Expires April 24, 2021 [Page 4]
Internet-Draft IoT Ciphers October 2020
A fourth use case considers the protection of commands in the railway
industry. In railway control systems, no confidentiality
requirements are applied for the command exchange between an
interlocking controller and a railway equipment controller (for
instance, a railway point controller of a tram track where the
position of the controlled point is publicly available). However,
protecting integrity of those commands is vital, otherwise, an
adversary could change the target position of the point by modifying
the commands, which consequently could lead to the derailment of a
passing train. Furthermore, requirements for providing blackbox
recording of the safety related network traffic can only be fulfilled
through using integrity only ciphers, to be able to provide the
safety related commands to a third party, which is responsible for
the analysis after an accident.
The above use cases describe the relaxed requirements to provide
confidentiality, and as these devices come with a small runtime
memory footprint and reduced processing power, the need to minimize
the number of cryptographic algorithms used is prioritized.
4. Cryptographic Negotiation Using Integrity only Cipher Suites
The cryptographic negotiation as specified in [RFC8446] Section 4.1.1
remains the same, with the inclusion of the following cipher suites:
TLS_SHA256_SHA256 {0xC0, 0xB4}
TLS_SHA384_SHA384 {0xC0, 0xB5}
These cipher suites allow the use of SHA-256 or SHA-384 as the HMACs
for data integrity protection as well as its use for HKDF. The
authentication mechanisms remain unchanged with the intent to only
update the cipher suites to relax the need for confidentiality.
Given that these cipher suites do not support confidentiality, they
MUST only be used with certificate-based authentication and Diffie-
Hellman key exchange.
5. Record Payload Protection for Integrity only Cipher Suites
The record payload protection as defined in [RFC8446] can be retained
when integrity only cipher suites are used. This section describes
the mapping of record payload structures when integrity only cipher
suites are employed.
Given that there is no encryption to be done at the record layer, the
operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt"
and "AEAD-Decrypt", respectively, as referenced in [RFC8446]
Cam-Winget & Visoky Expires April 24, 2021 [Page 5]
Internet-Draft IoT Ciphers October 2020
As integrity is provided with protection over the full record, the
encrypted_record in the TLSCiphertext along with the additional_data
input to protected_data (termed AEADEncrypted data in [RFC8446]) as
defined in Section 5.2 of [RFC8446] remains the same. The
TLSCiphertext.length for the integrity cipher suites will be:
TLS_SHA256_SHA256: TLSCiphertext.length = TLSPlaintext.length + 1
(type field) + length_of_padding + 32 (HMAC) =
TLSInnerPlaintext_length + 32 (HMAC)
TLS_SHA384_SHA384: TLSCiphertext.length = TLSPlaintext.length + 1
(type field) + length_of_padding + 48 (HMAC) =
TLSInnerPlaintext_length + 48 (HMAC)
Note that TLSInnerPlaintext_length is not defined as an explicit
field in [RFC8446], this refers to the length of the
TLSInnterPlaintext structure
The resulting protected_record is the concatenation of the
TLSInnerPlaintext with the resulting HMAC. With this mapping, the
record validation order as defined in Section 5.2 of [RFC8446]
remains the same. That is, encrypted_record field of TLSCiphertext
is set to:
TLSCiphertext = TLS13-HMAC-Protected = TLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || TLSInnerPlaintext)
Here "nonce" refers to the per-record nonce described in section 5.3
of [RFC8446].
For DTLS 1.3, the DTLSCiphertext is set to:
DTLSCiphertext = DTLS13-HMAC-Protected = DTLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext)
The DTLS "nonce" refers to the per-record nonce described in section
4.2.2 of [DTLS13].
The Protect and Unprotect operations provide the integrity protection
using HMAC SHA-256 or SHA-384 as described in [RFC6234].
Due to the lack of encryption of the plaintext, record padding is not
needed, although it can be optionally included.
Cam-Winget & Visoky Expires April 24, 2021 [Page 6]
Internet-Draft IoT Ciphers October 2020
6. Key Schedule when using Integrity only Cipher Suites
The key derivation process for Integrity only Cipher Suites remains
the same as defined in [RFC8446]. The only difference is that the
keys used to protect the tunnel apply to the negotiated HMAC SHA-256
or HMAC SHA-384 ciphers. Note that the traffic key material
(client_write_key, client_write_iv, server_write_key and
server_write_iv) MUST be calculated as per RFC 8446, section 7.3.
The key lengths and IVs for these cipher suites are according to the
hash lenghts. In other words, the following key lenghts and IV
lengths SHALL be:
+-------------------+------------+-----------+
| Cipher Suite | Key Length | IV Length |
+-------------------+------------+-----------+
| TLS_SHA256_SHA256 | 32 Bytes | 32 Bytes |
| TLS_SHA384_SHA384 | 48 Bytes | 48 Bytes |
+-------------------+------------+-----------+
7. Error Alerts
The error alerts as defined by [RFC8446] remains the same, in
particular:
bad_record_mac: This alert can also occur for a record whose message
authentication code can not be validated. Since these cipher suites
do not involve record encryption this alert will only occur when the
HMAC fails to verify.
decrypt_error: This alert as described in [RFC8446] Section 6.2
occurs when the signature or message authentication code can not be
validated.
8. IANA Considerations
IANA has granted registration the following specifically for this
document within the TLS Cipher Suites Registry:
TLS_SHA256_SHA256 {0xC0, 0xB4} cipher suite and TLS_SHA384_SHA384
{0xC0, 0xB5} cipher suite.
Note that both of these cipher suites are registered with the DTLS-OK
column set to Y and the Recommended column set to N
No further IANA action is requested by this document.
Cam-Winget & Visoky Expires April 24, 2021 [Page 7]
Internet-Draft IoT Ciphers October 2020
9. Security and Privacy Considerations
In general, with the exception of confidentiality and privacy, the
security considerations detailed in [RFC8446] and in [RFC5246] apply
to this document. Furthermore, as the cipher suites described in
this document do not provide any confidentiality, it is important
that they only be used in cases where there are no confidentiality or
privacy requirements and concerns; and the runtime memory
requirements can accommodate support for more cryptographic
constructs.
With the lack of data encryption specified in this draft, no
confidentiality or privacy is provided for the data transported via
the TLS session. To highlight the loss of privacy, the information
carried in the TLS handshake, which includes both the Server and
Client certificates, while integrity protected, will be sent
unencrypted. Similarly, other TLS extensions that may be carried in
the Server's EncryptedExtensions message will only be integrity
protected without provisions for confidentiality. Furthermore, with
this lack of confidentiality, PSK data MUST NOT be sent in the
handshake while using these cipher suites.
Given the lack of confidentiality, these cipher suites MUST NOT be
enabled by default. As these cipher suites are meant to serve the
IoT market, it is important that any IoT endpoint that uses them be
explicitly configured with a policy of non-confidential
communications.
10. Acknowledgements
The authors would like to acknowledge the work done by Industrial
Communications Standards Groups (such as ODVA) as the motivation for
this document. We would also like to thank Steffen Fries for
providing a fourth use case. In addition, we are grateful for the
advice and feedback from Joe Salowey, Blake Anderson, David McGrew,
Clement Zeller, and Peter Wu.
11. References
11.1. Normative References
[DTLS13] IETF Internet Drafts editor,
"https://tools.ietf.org/id/draft-ietf-tls-dtls13-38.txt".
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Cam-Winget & Visoky Expires April 24, 2021 [Page 8]
Internet-Draft IoT Ciphers October 2020
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
11.2. Informative Reference
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
Authors' Addresses
Nancy Cam-Winget
Cisco Systems
3550 Cisco Way
San Jose, CA 95134
USA
Email: ncamwing@cisco.com
Jack Visoky
ODVA
1 Allen Bradley Dr
Mayfield Heights, OH 44124
USA
Email: jmvisoky@ra.rockwell.com
Cam-Winget & Visoky Expires April 24, 2021 [Page 9]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/