draft-ietf-httpbis-encryption-encoding-07.txt | draft-ietf-httpbis-encryption-encoding-08.txt | |||
---|---|---|---|---|
HTTP Working Group M. Thomson | HTTP Working Group M. Thomson | |||
Internet-Draft Mozilla | Internet-Draft Mozilla | |||
Intended status: Standards Track February 13, 2017 | Intended status: Standards Track March 2, 2017 | |||
Expires: August 17, 2017 | Expires: September 3, 2017 | |||
Encrypted Content-Encoding for HTTP | Encrypted Content-Encoding for HTTP | |||
draft-ietf-httpbis-encryption-encoding-07 | draft-ietf-httpbis-encryption-encoding-08 | |||
Abstract | Abstract | |||
This memo introduces a content coding for HTTP that allows message | This memo introduces a content coding for HTTP that allows message | |||
payloads to be encrypted. | payloads to be encrypted. | |||
Note to Readers | Note to Readers | |||
Discussion of this draft takes place on the HTTP working group | Discussion of this draft takes place on the HTTP working group | |||
mailing list (ietf-http-wg@w3.org), which is archived at | mailing list (ietf-http-wg@w3.org), which is archived at | |||
skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on August 17, 2017. | This Internet-Draft will expire on September 3, 2017. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 26 ¶ | skipping to change at page 2, line 26 ¶ | |||
2. The "aes128gcm" HTTP Content Coding . . . . . . . . . . . . . 3 | 2. The "aes128gcm" HTTP Content Coding . . . . . . . . . . . . . 3 | |||
2.1. Encryption Content Coding Header . . . . . . . . . . . . 5 | 2.1. Encryption Content Coding Header . . . . . . . . . . . . 5 | |||
2.2. Content Encryption Key Derivation . . . . . . . . . . . . 6 | 2.2. Content Encryption Key Derivation . . . . . . . . . . . . 6 | |||
2.3. Nonce Derivation . . . . . . . . . . . . . . . . . . . . 6 | 2.3. Nonce Derivation . . . . . . . . . . . . . . . . . . . . 6 | |||
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
3.1. Encryption of a Response . . . . . . . . . . . . . . . . 7 | 3.1. Encryption of a Response . . . . . . . . . . . . . . . . 7 | |||
3.2. Encryption with Multiple Records . . . . . . . . . . . . 8 | 3.2. Encryption with Multiple Records . . . . . . . . . . . . 8 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
4.1. Message Truncation . . . . . . . . . . . . . . . . . . . 9 | 4.1. Message Truncation . . . . . . . . . . . . . . . . . . . 9 | |||
4.2. Key and Nonce Reuse . . . . . . . . . . . . . . . . . . . 9 | 4.2. Key and Nonce Reuse . . . . . . . . . . . . . . . . . . . 9 | |||
4.3. Data Encryption Limits . . . . . . . . . . . . . . . . . 9 | 4.3. Data Encryption Limits . . . . . . . . . . . . . . . . . 10 | |||
4.4. Content Integrity . . . . . . . . . . . . . . . . . . . . 10 | 4.4. Content Integrity . . . . . . . . . . . . . . . . . . . . 10 | |||
4.5. Leaking Information in Header Fields . . . . . . . . . . 10 | 4.5. Leaking Information in Header Fields . . . . . . . . . . 10 | |||
4.6. Poisoning Storage . . . . . . . . . . . . . . . . . . . . 11 | 4.6. Poisoning Storage . . . . . . . . . . . . . . . . . . . . 11 | |||
4.7. Sizing and Timing Attacks . . . . . . . . . . . . . . . . 11 | 4.7. Sizing and Timing Attacks . . . . . . . . . . . . . . . . 11 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
5.1. The "aes128gcm" HTTP Content Coding . . . . . . . . . . . 11 | 5.1. The "aes128gcm" HTTP Content Coding . . . . . . . . . . . 12 | |||
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
6.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
6.2. Informative References . . . . . . . . . . . . . . . . . 13 | 6.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
Appendix A. JWE Mapping . . . . . . . . . . . . . . . . . . . . 14 | Appendix A. JWE Mapping . . . . . . . . . . . . . . . . . . . . 14 | |||
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 14 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 15 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
1. Introduction | 1. Introduction | |||
It is sometimes desirable to encrypt the contents of a HTTP message | It is sometimes desirable to encrypt the contents of a HTTP message | |||
(request or response) so that when the payload is stored (e.g., with | (request or response) so that when the payload is stored (e.g., with | |||
a HTTP PUT), only someone with the appropriate key can read it. | a HTTP PUT), only someone with the appropriate key can read it. | |||
For example, it might be necessary to store a file on a server | For example, it might be necessary to store a file on a server | |||
without exposing its contents to that server. Furthermore, that same | without exposing its contents to that server. Furthermore, that same | |||
skipping to change at page 4, line 14 ¶ | skipping to change at page 4, line 14 ¶ | |||
The "aes128gcm" content coding uses a fixed record size. The final | The "aes128gcm" content coding uses a fixed record size. The final | |||
encoding consists of a header (see Section 2.1) and zero or more | encoding consists of a header (see Section 2.1) and zero or more | |||
fixed size encrypted records; the final record can be smaller than | fixed size encrypted records; the final record can be smaller than | |||
the record size. | the record size. | |||
The record size determines the length of each portion of plaintext | The record size determines the length of each portion of plaintext | |||
that is enciphered. The record size ("rs") is included in the | that is enciphered. The record size ("rs") is included in the | |||
content coding header (see Section 2.1). | content coding header (see Section 2.1). | |||
+-----------+ content | +-----------+ content | |||
| data | any length up to rs-17 octets | | data | any length up to rs-17 octets | |||
+-----------+ | +-----------+ | |||
| | | | |||
v | v | |||
+-----------+-----+ add a delimiter octet (0x01 or 0x02) | +-----------+-----+ add a delimiter octet (0x01 or 0x02) | |||
| data | pad | the 0x00-valued octets to rs-16 | | data | pad | then 0x00-valued octets to rs-16 | |||
+-----------+-----+ (or less on the last record) | +-----------+-----+ (or less on the last record) | |||
| | | | |||
v | v | |||
+--------------------+ encrypt with AEAD_AES_128_GCM; | +--------------------+ encrypt with AEAD_AES_128_GCM; | |||
| ciphertext | final size is rs; | | ciphertext | final size is rs; | |||
+--------------------+ the last record can be smaller | +--------------------+ the last record can be smaller | |||
AEAD_AES_128_GCM produces ciphertext 16 octets longer than its input | AEAD_AES_128_GCM produces ciphertext 16 octets longer than its input | |||
plaintext. Therefore, the unencrypted content of each record is | plaintext. Therefore, the unencrypted content of each record is | |||
shorter than the record size by 16 octets. Valid records always | shorter than the record size by 16 octets. Valid records always | |||
contain at least a padding delimiter octet and a 16 octet | contain at least a padding delimiter octet and a 16 octet | |||
authentication tag. | authentication tag. | |||
Each record contains a single padding delimiter octet followed by any | Each record contains a single padding delimiter octet followed by any | |||
number of zero octets. The last record uses a padding delimiter | number of zero octets. The last record uses a padding delimiter | |||
octet set to the value 2, all other records have a padding delimiter | octet set to the value 2, all other records have a padding delimiter | |||
octet value of 1. A decrypter MUST fail if the unencrypted content | octet value of 1. | |||
of a record is all zero-valued. A decrypter MUST fail if the last | ||||
record contains a padding delimiter with a value other than 2; a | On decryption, the padding delimiter is the last non-zero valued | |||
decrypter MUST fail if any record other than the last contains a | octet of the record. A decrypter MUST fail if the record contains no | |||
padding delimiter with a value other than 1. | non-zero octet. A decrypter MUST fail if the last record contains a | |||
padding delimiter with a value other than 2 or if any record other | ||||
than the last contains a padding delimiter with a value other than 1. | ||||
The nonce for each record is a 96-bit value constructed from the | The nonce for each record is a 96-bit value constructed from the | |||
record sequence number and the input keying material. Nonce | record sequence number and the input keying material. Nonce | |||
derivation is covered in Section 2.3. | derivation is covered in Section 2.3. | |||
The additional data passed to each invocation of AEAD_AES_128_GCM is | The additional data passed to each invocation of AEAD_AES_128_GCM is | |||
a zero-length octet sequence. | a zero-length octet sequence. | |||
A consequence of this record structure is that range requests | A consequence of this record structure is that range requests | |||
[RFC7233] and random access to encrypted payload bodies are possible | [RFC7233] and random access to encrypted payload bodies are possible | |||
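Review bot: In the rewritten padding paragraph on the -08 side, "the last non-zero valued octet of the record" leaves "record" ambiguous. The diagram above uses the record size rs for the ciphertext including the 16-octet authentication tag, whereas -07 said "the unencrypted content of a record". Suggest "the last non-zero valued octet of the unencrypted content of the record", and likewise "if the unencrypted content of the record contains no non-zero octet", so that an implementation scans only the plaintext returned by a successful AEAD_AES_128_GCM decryption. Because the new text now tells the decrypter how to locate the delimiter, it would also help to say explicitly that the octets before the delimiter are the content and that the delimiter and the zero octets after it are discarded.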
skipping to change at page 12, line 14 ¶ | skipping to change at page 12, line 24 ¶ | |||
o Description: AES-GCM encryption with a 128-bit content encryption | o Description: AES-GCM encryption with a 128-bit content encryption | |||
key | key | |||
o Reference: this specification | o Reference: this specification | |||
6. References | 6. References | |||
6.1. Normative References | 6.1. Normative References | |||
[FIPS180-4] | [FIPS180-4] | |||
Department of Commerce, National., "NIST FIPS 180-4, | National Institute of Standards and Technology, U.S. | |||
Secure Hash Standard", March 2012, | Department of Commerce, "NIST FIPS 180-4, Secure Hash | |||
<http://csrc.nist.gov/publications/fips/fips180-4/ | Standard", DOI 10.6028/NIST.FIPS.180-4, August 2015, | |||
fips-180-4.pdf>. | <http://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
NIST.FIPS.180-4.pdf>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | |||
2003, <http://www.rfc-editor.org/info/rfc3629>. | 2003, <http://www.rfc-editor.org/info/rfc3629>. | |||
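Review bot: The [FIPS180-4] entry changes more than the author string: the date moves from March 2012 to August 2015 and the URL from csrc.nist.gov to nvlpubs.nist.gov, so the draft now cites a different publication of the standard. Suggest recording that in the change log so readers can confirm the switch is intentional. With DOI 10.6028/NIST.FIPS.180-4 now present, the DOI can serve as the stable locator if the URL moves again.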
skipping to change at page 13, line 48 ¶ | skipping to change at page 14, line 8 ¶ | |||
<http://www.rfc-editor.org/info/rfc7516>. | <http://www.rfc-editor.org/info/rfc7516>. | |||
[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | |||
Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | |||
DOI 10.17487/RFC7540, May 2015, | DOI 10.17487/RFC7540, May 2015, | |||
<http://www.rfc-editor.org/info/rfc7540>. | <http://www.rfc-editor.org/info/rfc7540>. | |||
[XMLENC] Eastlake, D., Reagle, J., Hirsch, F., Roessler, T., | [XMLENC] Eastlake, D., Reagle, J., Hirsch, F., Roessler, T., | |||
Imamura, T., Dillaway, B., Simon, E., Yiu, K., and M. | Imamura, T., Dillaway, B., Simon, E., Yiu, K., and M. | |||
Nystroem, "XML Encryption Syntax and Processing", W3C | Nystroem, "XML Encryption Syntax and Processing", W3C | |||
Recommendation REC-xmlenc-core1-20130411 , January 2013, | Recommendation REC-xmlenc-core1-20130411, January 2013, | |||
<https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411>. | <https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411>. | |||
Appendix A. JWE Mapping | Appendix A. JWE Mapping | |||
The "aes128gcm" content coding can be considered as a sequence of | The "aes128gcm" content coding can be considered as a sequence of | |||
JSON Web Encryption (JWE) objects [RFC7516], each corresponding to a | JSON Web Encryption (JWE) objects [RFC7516], each corresponding to a | |||
single fixed size record that includes trailing padding. The | single fixed size record that includes trailing padding. The | |||
following transformations are applied to a JWE object that might be | following transformations are applied to a JWE object that might be | |||
expressed using the JWE Compact Serialization: | expressed using the JWE Compact Serialization: | |||
End of changes. 11 change blocks. | ||||
23 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |