draft-ietf-tcpinc-tcpcrypt-12.txt  vs.  draft-ietf-tcpinc-tcpcrypt-13.txt
(lines that differ between the two drafts are shown twice, tagged [-12] and [-13])

Network Working Group                                          A. Bittau
Internet-Draft                                                    Google
Intended status: Experimental                                  D. Giffin
Expires: December 31, 2018 [-12] / March 10, 2019 [-13]
                                                     Stanford University
                                                              M. Handley
                                               University College London
                                                             D. Mazieres
                                                     Stanford University
                                                                Q. Slack
                                                             Sourcegraph
                                                                E. Smith
                                                       Kestrel Institute
                             June 29, 2018 [-12] / September 6, 2018 [-13]

              Cryptographic protection of TCP Streams (tcpcrypt)
      draft-ietf-tcpinc-tcpcrypt-12 [-12] / draft-ietf-tcpinc-tcpcrypt-13 [-13]
Abstract

This document specifies tcpcrypt, a TCP encryption protocol designed
for use in conjunction with the TCP Encryption Negotiation Option
(TCP-ENO). Tcpcrypt coexists with middleboxes by tolerating
resegmentation, NATs, and other manipulations of the TCP header. The
protocol is self-contained and specifically tailored to TCP
implementations, which often reside in kernels or other environments
in which large external software dependencies can be undesirable.
skipping to change at page 2, line 4

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 31, 2018.   [-12]
This Internet-Draft will expire on March 10, 2019.      [-13]

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 9, line 44

operations using "ss[i]", the next session secret in the sequence
derived from the original PRK.

A host signals willingness to resume with a particular session secret
by sending a SYN segment with a resumption suboption: that is, an ENO
suboption containing the negotiated TEP identifier of the previous
session, half of the "resumption identifier" for the new session, and
a "resumption nonce".

[-12]
The resumption nonce MUST have a minimum length of zero bytes and
maximum length of eight bytes. An implementation MUST either send
four or more bytes of nonce for all resumption attempts, or else
default to a minimum of four bytes and provide an interface for
system administrators to configure other minimum lengths. In the
latter case, documentation accompanying the configuration interface
MUST explain that using nonce values shorter than four bytes is only
safe if there is no risk of the system participating in multiple
resumptions from the same session secret, as could happen with live
virtual-machine cloning. The resumption nonce MUST be chosen
randomly or using a mechanism that guarantees uniqueness even in the
face of virtual machine cloning or other re-execution of the same
session.

[-13]
The resumption nonce MUST have a minimum length of zero bytes and
maximum length of eight bytes. The value MUST be chosen randomly or
using a mechanism that guarantees uniqueness even in the face of
virtual machine cloning or other re-execution of the same session.
An attacker who can force either side of a connection to reuse a
session secret with the same nonce will completely break the security
of tcpcrypt. Reuse of session secrets is possible in the event of
virtual machine cloning or reuse of system-level hibernation state.
Implementations SHOULD provide an API through which to set the
resumption nonce length, and MUST default to eight bytes if they
cannot prohibit the reuse of session secrets.

The resumption identifier is calculated from a session secret "ss[i]"
as follows:

    resume[i] = CPRF(ss[i], CONST_RESUME, 18)

To name a session for resumption, a host sends either the first or
second half of the resumption identifier, according to the role it
played in the original session with secret "ss[0]".
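Review bot: in the resumption-nonce paragraph, the -13 text drops the -12 requirement that documentation for the length-configuration interface explain when short nonces are unsafe, yet it still permits a zero-byte nonce and now adds a SHOULD-level API for setting the length; the only guard is "MUST default to eight bytes if they cannot prohibit the reuse of session secrets", and the text never says what prohibiting reuse requires. Suggest stating it concretely, e.g. that an implementation choosing a nonce shorter than eight bytes must discard every cached session secret "ss[i]" when a virtual-machine clone or a hibernation resume is detected, since the same paragraph names those two events as the sources of reuse, and keeping a sentence that shorter nonces are only safe under that condition. The new API sentence would also benefit from a pointer to [I-D.ietf-tcpinc-api], which this same revision already bumps to -06 in the informative references.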
skipping to change at page 28, line 34

Dan Boneh and Michael Hamburg were co-authors of the draft that
became this document.

12. References

12.1. Normative References

[I-D.ietf-tcpinc-tcpeno]
Bittau, A., Giffin, D., Handley, M., Mazieres, D., and E.
Smith, "TCP-ENO: Encryption Negotiation Option",
draft-ietf-tcpinc-tcpeno-18 (work in progress), November 2017. [-12]
draft-ietf-tcpinc-tcpeno-19 (work in progress), June 2018.     [-13]

[IEEE-1363]
IEEE, "IEEE Standard Specifications for Public-Key
Cryptography (IEEE Std 1363-2000)", 2000.

[NIST-DSS]
NIST, "FIPS PUB 186-4: Digital Signature Standard (DSS)",
2013.

[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
skipping to change at page 29, line 50

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2. Informative References

[I-D.ietf-tcpinc-api]
Bittau, A., Boneh, D., Giffin, D., Handley, M., Mazieres,
D., and E. Smith, "Interface Extensions for TCP-ENO and
tcpcrypt",
draft-ietf-tcpinc-api-05 (work in progress), September 2017. [-12]
draft-ietf-tcpinc-api-06 (work in progress), June 2018.      [-13]

[NIST-fail]
Bernstein, D. and T. Lange, "Failures in NIST's ECC
standards", 2016,
<https://cr.yp.to/newelliptic/nistecc-20160106.pdf>.

[RFC1122] Braden, R., Ed., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122,
DOI 10.17487/RFC1122, October 1989,
<https://www.rfc-editor.org/info/rfc1122>.
End of changes. 7 change blocks. 19 lines changed or deleted, 17 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/