rfc9150.original   rfc9150.txt 
TLS N. Cam-Winget Independent Submission N. Cam-Winget
Internet-Draft Cisco Systems Request for Comments: 9150 Cisco Systems
Intended status: Informational J. Visoky Category: Informational J. Visoky
Expires: December 19, 2021 ODVA ISSN: 2070-1721 ODVA
June 17, 2021 January 2022
TLS 1.3 Authentication and Integrity only Cipher Suites TLS 1.3 Authentication and Integrity-Only Cipher Suites
draft-camwinget-tls-ts13-macciphersuites-12
Abstract Abstract
This document defines the use of HMAC-only cipher suites for TLS 1.3, This document defines the use of cipher suites for TLS 1.3 based on
which provides server and optionally mutual authentication and data Hashed Message Authentication Code (HMAC). Using these cipher suites
provides server and, optionally, mutual authentication and data
authenticity, but not data confidentiality. Cipher suites with these authenticity, but not data confidentiality. Cipher suites with these
properties are not of general applicability, but there are use cases, properties are not of general applicability, but there are use cases,
specifically in Internet of Things (IoT) and constrained specifically in Internet of Things (IoT) and constrained
environments, that do not require confidentiality of exchanged environments, that do not require confidentiality of exchanged
messages while still requiring integrity protection, server messages while still requiring integrity protection, server
authentication, and optional client authentication. This document authentication, and optional client authentication. This document
gives examples of such use cases, with the caveat that prior to using gives examples of such use cases, with the caveat that prior to using
these integrity-only cipher suites, a threat model for the situation these integrity-only cipher suites, a threat model for the situation
at hand is needed, and a threat analysis must be performed within at hand is needed, and a threat analysis must be performed within
that model to determine whether the use of integrity-only cipher that model to determine whether the use of integrity-only cipher
suites is appropriate. The approach described in this document is suites is appropriate. The approach described in this document is
not endorsed by the IETF and does not have IETF consensus, but is not endorsed by the IETF and does not have IETF consensus, but it is
presented here to enable interoperable implementation of a reduced presented here to enable interoperable implementation of a reduced-
security mechanism that provides authentication and message integrity security mechanism that provides authentication and message integrity
without supporting confidentiality. without supporting confidentiality.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This is a contribution to the RFC Series, independently of any other
and may be updated, replaced, or obsoleted by other documents at any RFC stream. The RFC Editor has chosen to publish this document at
time. It is inappropriate to use Internet-Drafts as reference its discretion and makes no statement about its value for
material or to cite them other than as "work in progress." implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
This Internet-Draft will expire on December 19, 2021. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9150.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document.
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology
3. Applicability Statement . . . . . . . . . . . . . . . . . . . 3 3. Applicability Statement
4. Cryptographic Negotiation Using Integrity only Cipher Suites 6 4. Cryptographic Negotiation Using Integrity-Only Cipher Suites
5. Record Payload Protection for Integrity only Cipher Suites . 6 5. Record Payload Protection for Integrity-Only Cipher Suites
6. Key Schedule when using Integrity only Cipher Suites . . . . 8 6. Key Schedule when Using Integrity-Only Cipher Suites
7. Error Alerts . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Error Alerts
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations
9. Security and Privacy Considerations . . . . . . . . . . . . . 9 9. Security and Privacy Considerations
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 10. References
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 10.1. Normative References
11.1. Normative References . . . . . . . . . . . . . . . . . . 10 10.2. Informative References
11.2. Informative Reference . . . . . . . . . . . . . . . . . 11 Acknowledgements
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses
1. Introduction 1. Introduction
There are several use cases in which communications privacy is not There are several use cases in which communications privacy is not
strictly needed, although authenticity of the communications strictly needed, although authenticity of the communications
transport is still very important. For example, within the transport is still very important. For example, within the
Industrial Automation space there could be TCP or UDP communications industrial automation space, there could be TCP or UDP communications
which command a robotic arm to move a certain distance at a certain that command a robotic arm to move a certain distance at a certain
speed. Without authenticity guarantees, an attacker could modify the speed. Without authenticity guarantees, an attacker could modify the
packets to change the movement of the robotic arm, potentially packets to change the movement of the robotic arm, potentially
causing physical damage. However, the motion control commands are causing physical damage. However, the motion control commands are
not always considered to be sensitive information and thus there is not always considered to be sensitive information, and thus there is
no requirement to provide confidentiality. Another Internet of no requirement to provide confidentiality. Another Internet of
Things (IoT) example with no strong requirement for confidentiality Things (IoT) example with no strong requirement for confidentiality
is the reporting of weather information; however, message is the reporting of weather information; however, message
authenticity is required to ensure integrity of the message. authenticity is required to ensure integrity of the message.
There is no requirement to encrypt messages in environments where the There is no requirement to encrypt messages in environments where the
information is not confidential; such as when there is no information is not confidential, such as when there is no
intellectual property associated with the processes, or where the intellectual property associated with the processes, or where the
threat model does not indicate any outsider attacks (such as in a threat model does not indicate any outsider attacks (such as in a
closed system). Note however, this situation will not apply equally closed system). Note, however, that this situation will not apply
to all use cases (for example, a robotic arm might be used in one equally to all use cases (for example, in one case a robotic arm
case for a process that does not involve any intellectual property, might be used for a process that does not involve any intellectual
but in another case used in a different process that does contain property but in another case might be used in a different process
intellectual property). Therefore, it is important that a user or that does contain intellectual property). Therefore, it is important
system developer carefully examine both the sensitivity of the data that a user or system developer carefully examine both the
and the system threat model to determine the need for encryption sensitivity of the data and the system threat model to determine the
before deploying equipment and security protections. need for encryption before deploying equipment and security
protections.
Besides having a strong need for authenticity and no need for Besides having a strong need for authenticity and no need for
confidentiality, many of these systems also have a strong requirement confidentiality, many of these systems also have a strong requirement
for low latency. Furthermore, several classes of IoT device for low latency. Furthermore, several classes of IoT devices
(industrial or otherwise) have limited processing capability. (industrial or otherwise) have limited processing capability.
However, these IoT systems still gain great benefit from leveraging However, these IoT systems still gain great benefit from leveraging
TLS 1.3 for secure communications. Given the reduced need for TLS 1.3 for secure communications. Given the reduced need for
confidentiality, TLS 1.3 [RFC8446] cipher suites that maintain data confidentiality, TLS 1.3 cipher suites [RFC8446] that maintain data
integrity without confidentiality are described in this document. integrity without confidentiality are described in this document.
These cipher suites are not meant for general use as they do not meet These cipher suites are not meant for general use, as they do not
the confidentiality and privacy goals of TLS. They should only be meet the confidentiality and privacy goals of TLS. They should only
used in cases where confidentiality and privacy is not a concern and be used in cases where confidentiality and privacy are not a concern
there are constraints on using cipher suites that provide the full and there are constraints on using cipher suites that provide the
set of security properties. The approach described in this document full set of security properties. The approach described in this
is not endorsed by the IETF and does not have IETF consensus, but is document is not endorsed by the IETF and does not have IETF
presented here to enable interoperable implementation of a reduced consensus, but it is presented here to enable interoperable
security mechanism that provides authentication and message integrity implementation of a reduced-security mechanism that provides
with supporting confidentiality. authentication and message integrity with supporting confidentiality.
2. Terminology 2. Terminology
This document adopts the conventions for normative language to This document adopts the conventions for normative language to
provide clarity of instructions to the implementer. The key words provide clarity of instructions to the implementer. The key words
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL"
are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] in this document are to be interpreted as described in BCP 14
when, and only when, they appear in all capitals, as shown here. [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
as shown here.
3. Applicability Statement 3. Applicability Statement
The two HMAC SHA [RFC6234] based cipher suites defined in this The two cipher suites defined in this document, which are based on
document are intended for a small limited set of applications where Hashed Message Authentication Code (HMAC) SHAs [RFC6234], are
intended for a small limited set of applications where
confidentiality requirements are relaxed and the need to minimize the confidentiality requirements are relaxed and the need to minimize the
number of cryptographic algorithms is prioritized. This section number of cryptographic algorithms is prioritized. This section
describes some of those applicable use cases. describes some of those applicable use cases.
Use cases in the industrial automation industry, while requiring data Use cases in the industrial automation industry, while requiring data
integrity, often do not require confidential communications. Mainly, integrity, often do not require confidential communications. Mainly,
information communicated to unmanned machines to execute repetitive data communicated to unmanned machines to execute repetitive tasks
tasks does not convey private information. For example, there could does not convey private information. For example, there could be a
be a system with a robotic arm that paints the body of a car. This system with a robotic arm that paints the body of a car. This
equipment is used within a car manufacturing plant, and is just one equipment is used within a car manufacturing plant and is just one
piece of equipment in a multi-step manufacturing process. The piece of equipment in a multi-step manufacturing process. The
movements of this robotic arm are likely not a trade secret or movements of this robotic arm are likely not a trade secret or
sensitive intellectual property, although some portions of the sensitive intellectual property, although some portions of the
manufacturing of the car might very well contain sensitive manufacturing of the car might very well contain sensitive
intellectual property. Even the mixture for the paint itself might intellectual property. Even the mixture for the paint itself might
be confidential, but the mixing is done by a completely different be confidential, but the mixing is done by a completely different
piece of equipment and therefore communication to/from that equipment piece of equipment and therefore communication to/from that equipment
can be encrypted without requiring the communication to/from the can be encrypted without requiring the communication to/from the
robotic arm to be encrypted. Modern manufacturing often has robotic arm to be encrypted. Modern manufacturing often has
segmented equipment with different levels of risk on intellectual segmented equipment with different levels of risk related to
property, although nearly every communication interaction has strong intellectual property, although nearly every communication
data authenticity requirements. interaction has strong data authenticity requirements.
Another use case which is closely related is that of fine-grained Another use case that is closely related is that of fine-grained time
time updates. Motion systems often rely on time synchronization to updates. Motion systems often rely on time synchronization to ensure
ensure proper execution. Time updates are essentially public; there proper execution. Time updates are essentially public; there is no
is no threat from an attacker knowing the time update information. threat from an attacker knowing the time update information. This
This should make intuitive sense to those not familiar with these should make intuitive sense to those not familiar with these
applications; rarely if ever does time information present a serious applications; rarely if ever does time information present a serious
attack surface dealing with privacy. However, the authenticity is attack surface dealing with privacy. However, the authenticity is
still quite important. The consequences of maliciously modified time still quite important. The consequences of maliciously modified time
data can vary from mere denial of service to actual physical damage, data can vary from mere denial of service to actual physical damage,
depending on the particular situation and attacker capability. As depending on the particular situation and attacker capability. As
these time synchronization updates are very fine-grained, it is again these time synchronization updates are very fine-grained, it is again
important for latency to be very low. important for latency to be very low.
A third use case deals with data related to alarms. Industrial A third use case deals with data related to alarms. Industrial
control sensing equipment can be configured to send alarm information control sensing equipment can be configured to send alarm information
when it meets certain conditions, for example, temperature goes above when it meets certain conditions -- for example, temperature goes
or below a given threshold. Often times this data is used to detect above or below a given threshold. Oftentimes, this data is used to
certain out-of-tolerance conditions, allowing an operator or detect certain out-of-tolerance conditions, allowing an operator or
automated system to take corrective action. Once again, in many automated system to take corrective action. Once again, in many
systems the reading of this data doesn't grant the attacker systems the reading of this data doesn't grant the attacker
information that can be exploited, it is generally just information information that can be exploited; it is generally just information
regarding the physical state of the system. At the same time, being regarding the physical state of the system. At the same time, being
able to modify this data would allow an attacker to either trigger able to modify this data would allow an attacker to either trigger
alarms falsely or to cover up evidence of an attack that might allow alarms falsely or cover up evidence of an attack that might allow for
for detection of their malicious activity. Furthermore, sensors are detection of their malicious activity. Furthermore, sensors are
often low powered devices that might struggle to process encrypted often low-powered devices that might struggle to process encrypted
and authenticated data. These sensors might be very cost sensitive and authenticated data. These sensors might be very cost sensitive
such that there is not enough processing power for data encryption. such that there is not enough processing power for data encryption.
Sending data that is just authenticated but not encrypted eases the Sending data that is just authenticated but not encrypted eases the
burden placed on these devices, yet still allows the data to be burden placed on these devices yet still allows the data to be
protected against any tampering threats. A user can always choose to protected against any tampering threats. A user can always choose to
pay more for a sensor with encryption capability, but for some, data pay more for a sensor with encryption capability, but for some, data
authenticity will be sufficient. authenticity will be sufficient.
A fourth use case considers the protection of commands in the railway A fourth use case considers the protection of commands in the railway
industry. In railway control systems, no confidentiality industry. In railway control systems, no confidentiality
requirements are applied for the command exchange between an requirements are applied for the command exchange between an
interlocking controller and a railway equipment controller (for interlocking controller and a railway equipment controller (for
instance, a railway point controller of a tram track where the instance, a railway point controller of a tram track where the
position of the controlled point is publicly available). However, position of the controlled point is publicly available). However,
protecting integrity and authenticity of those commands is vital, protecting the integrity and authenticity of those commands is vital;
otherwise, an adversary could change the target position of the point otherwise, an adversary could change the target position of the point
by modifying the commands, which consequently could lead to the by modifying the commands, which consequently could lead to the
derailment of a passing train. Furthermore, requirements for derailment of a passing train. Furthermore, requirements for
providing blackbox recording of the safety related network traffic providing flight-data recording of the safety-related network traffic
can only be fulfilled through using authenticity-only ciphers, to be can only be fulfilled through using authenticity-only ciphers as,
able to provide the safety related commands to a third party, which typically, the recording is used by a third party responsible for the
is responsible for the analysis after an accident. analysis after an accident. The analysis requires such third party
to extract the safety-related commands from the recording.
The fifth use case deals with data related to civil aviation The fifth use case deals with data related to civil aviation
airplanes and ground communication. Pilots can send and receive airplanes and ground communication. Pilots can send and receive
messages to/from ground control such as airplane route-of-flight messages to/from ground control, such as airplane route-of-flight
update, weather information, controller and pilot communication, and updates, weather information, controller and pilot communication, and
airline back office communication. Similarly, the Aviation Traffic airline back-office communication. Similarly, the Air Traffic
Control (ATC) use air to ground communication to receive the Control (ATC) service uses air-to-ground communication to receive the
surveillance data that relies on (is dependent on) downlink reports surveillance data that relies on (is dependent on) downlink reports
from an airplane's avionics. This communication occurs automatically from an airplane's avionics. This communication occurs automatically
in accordance with contracts established between the ATC ground in accordance with contracts established between the ATC ground
system and the airplane's avionics. Reports can be sent whenever system and the airplane's avionics. Reports can be sent whenever
specific events occur, or specific time intervals are reached. In specific events occur or specific time intervals are reached. In
many systems the reading of this data doesn't grant the attacker many systems, the reading of this data doesn't grant the attacker
information that can be exploited, it is generally just information information that can be exploited; it is generally just information
regarding the airplane states, controller pilot communication, regarding the states of the airplane, controller pilot communication,
meteorological information etc. At the same time, being able to meteorological information, etc. At the same time, being able to
modify this data would allow an attacker to either put aircraft in modify this data would allow an attacker to either put aircraft in
the wrong flight trajectory or to provide false information to ground the wrong flight trajectory or provide false information to ground
control that might delay flights and damage properties or harm life. control that might delay flights, damage property, or harm life.
Sending data that is not encrypted but is authenticated, allows the Sending data that is not encrypted but is authenticated allows the
data to be protected against any tampering threats. Data data to be protected against any tampering threats. Data
authenticity is sufficient for the air traffic, weather and authenticity is sufficient for the air traffic, weather, and
surveillance information exchange between airplanes and the ground surveillance information exchanges between airplanes and the ground
systems. systems.
The above use cases describe the requirements where confidentiality The above use cases describe the requirements where confidentiality
is not needed and/or interferes with other requirements. Some of is not needed and/or interferes with other requirements. Some of
these use cases are based on devices that come with a small runtime these use cases are based on devices that come with a small runtime
memory footprint and reduced processing power therefore the need to memory footprint and reduced processing power; therefore, the need to
minimize the number of cryptographic algorithms used is a priority. minimize the number of cryptographic algorithms used is a priority.
Despite this, it is noted that memory, performance, and processing Despite this, it is noted that memory, performance, and processing
power implications of any given algorithm or set of algorithms is power implications of any given algorithm or set of algorithms are
highly dependent on hardware and software architecture. Therefore, highly dependent on hardware and software architecture. Therefore,
although these cipher suites may provide performance benefits, they although these cipher suites may provide performance benefits, they
will not necessarily provide these benefits in all cases on all will not necessarily provide these benefits in all cases on all
platforms. Furthermore, in some use cases third party inspection of platforms. Furthermore, in some use cases, third-party inspection of
data is specifically needed, which is also supported through the lack data is specifically needed, which is also supported through the lack
of confidentiality mechanisms. of confidentiality mechanisms.
4. Cryptographic Negotiation Using Integrity only Cipher Suites 4. Cryptographic Negotiation Using Integrity-Only Cipher Suites
The cryptographic negotiation as specified in [RFC8446] Section 4.1.1 The cryptographic negotiation as specified in [RFC8446],
remains the same, with the inclusion of the following cipher suites: Section 4.1.1 remains the same, with the inclusion of the following
cipher suites:
TLS_SHA256_SHA256 {0xC0, 0xB4} TLS_SHA256_SHA256 {0xC0,0xB4}
TLS_SHA384_SHA384 {0xC0, 0xB5} TLS_SHA384_SHA384 {0xC0,0xB5}
As defined in [RFC8446], TLS 1.3 cipher suites denote the AEAD As defined in [RFC8446], TLS 1.3 cipher suites denote the
algorithm for record protection and the hash algorithm to use with Authenticated Encryption with Associated Data (AEAD) algorithm for
the HKDF. These cipher suites are defined in a similar way, but record protection and the hash algorithm to use with the HMAC-based
using the HMAC authentication tag to model the AEAD interface, as Key Derivation Function (HKDF). The cipher suites provided by this
only an HMAC is provided for record protection (without encryption). document are defined in a similar way, but they use the HMAC
These cipher suites allow the use of SHA-256 or SHA-384 as the Hashed authentication tag to model the AEAD interface, as only an HMAC is
Message Authentication Code (HMAC) for data integrity protection as provided for record protection (without encryption). These cipher
well as its use for HMAC-based Key Derivation Function (HKDF). The suites allow the use of SHA-256 or SHA-384 as the HMAC for data
integrity protection as well as its use for the HKDF. The
authentication mechanisms remain unchanged with the intent to only authentication mechanisms remain unchanged with the intent to only
update the cipher suites to relax the need for confidentiality. update the cipher suites to relax the need for confidentiality.
Given that these cipher suites do not support confidentiality, they Given that these cipher suites do not support confidentiality, they
MUST NOT be used with authentication and key exchange methods that MUST NOT be used with authentication and key exchange methods that
rely on confidentiality. rely on confidentiality.
5. Record Payload Protection for Integrity only Cipher Suites 5. Record Payload Protection for Integrity-Only Cipher Suites
The record payload protection as defined in [RFC8446] is retained in Record payload protection as defined in [RFC8446] is retained in
modified form when integrity only cipher suites are used. Note that modified form when integrity-only cipher suites are used. Note that
due to the purposeful use of hash algorithms, instead of AEAD due to the purposeful use of hash algorithms, instead of AEAD
algorithms, the confidentiality protection of the record payload is algorithms, confidentiality protection of the record payload is not
not provided. This section describes the mapping of record payload provided. This section describes the mapping of record payload
structures when integrity only cipher suites are employed. structures when integrity-only cipher suites are employed.
Given that there is no encryption to be done at the record layer, the Given that there is no encryption to be done at the record layer, the
operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt" operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt"
and "AEAD-Decrypt", respectively, as referenced in [RFC8446] and "AEAD-Decrypt" [RFC8446], respectively.
As integrity protection is provided over the full record, the As integrity protection is provided over the full record, the
encrypted_record in the TLSCiphertext along with the additional_data encrypted_record in the TLSCiphertext along with the additional_data
input to protected_data (termed AEADEncrypted data in [RFC8446]) as input to protected_data (termed AEADEncrypted data in [RFC8446]) as
defined in Section 5.2 of [RFC8446] remain the same. The defined in Section 5.2 of [RFC8446] remain the same. The
TLSCiphertext.length for the integrity cipher suites will be: TLSCiphertext.length for the integrity cipher suites will be:
TLS_SHA256_SHA256: TLSCiphertext.length = TLSPlaintext.length + 1 TLS_SHA256_SHA256:
(type field) + length_of_padding + 32 (HMAC) = TLSCiphertext.length = TLSInnerPlaintext_length + 32
TLSInnerPlaintext_length + 32 (HMAC)
TLS_SHA384_SHA384: TLSCiphertext.length = TLSPlaintext.length + 1 TLS_SHA384_SHA384:
(type field) + length_of_padding + 48 (HMAC) = TLSCiphertext.length = TLSInnerPlaintext_length + 48
TLSInnerPlaintext_length + 48 (HMAC)
Note that TLSInnerPlaintext_length is not defined as an explicit Note that TLSInnerPlaintext_length is not defined as an explicit
field in [RFC8446]; this refers to the length of the encoded field in [RFC8446]; this refers to the length of the encoded
TLSInnterPlaintext structure TLSInnerPlaintext structure.
The resulting protected_record is the concatenation of the The resulting protected_record is the concatenation of the
TLSInnerPlaintext with the resulting HMAC. Note this analogous to TLSInnerPlaintext with the resulting HMAC. Note that this is
the "encrypted_record" of [RFC8446], although it is referred to as a analogous to the "encrypted_record" as defined in [RFC8446], although
"protected_record" because of the lack of confidentiality via it is referred to as a "protected_record" because of the lack of
encryption. With this mapping, the record validation order as confidentiality via encryption. With this mapping, the record
defined in Section 5.2 of [RFC8446] remains the same. That is, validation order as defined in Section 5.2 of [RFC8446] remains the
encrypted_record field of TLSCiphertext is set to: same. That is, the encrypted_record field of TLSCiphertext is set
to:
encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext || encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || TLSInnerPlaintext) HMAC(write_key, nonce || additional_data || TLSInnerPlaintext)
Here "nonce" refers to the per-record nonce described in section 5.3 Here, "nonce" refers to the per-record nonce described in Section 5.3
of [RFC8446]. of [RFC8446].
For DTLS 1.3, the DTLSCiphertext is set to: For DTLS 1.3, the DTLSCiphertext is set to:
encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext || encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext) HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext)
The DTLS "nonce" refers to the per-record nonce described in section The DTLS "nonce" refers to the per-record nonce described in
4.2.2 of [DTLS13]. Section 4.2.2 of [DTLS13].
The Protect and Unprotect operations provide the integrity protection The Protect and Unprotect operations provide the integrity protection
using HMAC SHA-256 or HMAC SHA-384 as described in [RFC6234]. using HMAC SHA-256 or HMAC SHA-384 as described in [RFC6234].
Due to the lack of encryption of the plaintext, record padding does Due to the lack of encryption of the plaintext, record padding does
not provide any obfuscation as to the plaintext size, although it can not provide any obfuscation as to the plaintext size, although it can
be optionally included. be optionally included.
6. Key Schedule when using Integrity only Cipher Suites 6. Key Schedule when Using Integrity-Only Cipher Suites
The key derivation process for Integrity only Cipher Suites remains The key derivation process for integrity-only cipher suites remains
the same as defined in [RFC8446]. The only difference is that the the same as that defined in [RFC8446]. The only difference is that
keys used to protect the tunnel apply to the negotiated HMAC SHA-256 the keys used to protect the tunnel apply to the negotiated HMAC
or HMAC SHA-384 ciphers. Note that the traffic key material SHA-256 or HMAC SHA-384 ciphers. Note that the traffic key material
(client_write_key, client_write_iv, server_write_key and (client_write_key, client_write_iv, server_write_key, and
server_write_iv) MUST be calculated as per RFC 8446, section 7.3. server_write_iv) MUST be calculated as per [RFC8446], Section 7.3.
The key lengths and IVs for these cipher suites are according to the The key lengths and Initialization Vectors (IVs) for these cipher
hash output lengths. In other words, the following key lengths and suites are according to the hash output lengths. In other words, the
IV lengths SHALL be: following key lengths and IV lengths SHALL be:
+-------------------+------------+-----------+ +===================+============+===========+
| Cipher Suite | Key Length | IV Length | | Cipher Suite | Key Length | IV Length |
+-------------------+------------+-----------+ +===================+============+===========+
| TLS_SHA256_SHA256 | 32 Bytes | 32 Bytes | | TLS_SHA256_SHA256 | 32 Bytes | 32 Bytes |
+-------------------+------------+-----------+
| TLS_SHA384_SHA384 | 48 Bytes | 48 Bytes | | TLS_SHA384_SHA384 | 48 Bytes | 48 Bytes |
+-------------------+------------+-----------+ +-------------------+------------+-----------+
Table 1
7. Error Alerts 7. Error Alerts
The error alerts as defined by [RFC8446] remains the same, in The error alerts as defined by [RFC8446] remain the same; in
particular: particular:
bad_record_mac: This alert can also occur for a record whose message bad_record_mac: This alert can also occur for a record whose message
authentication code can not be validated. Since these cipher suites authentication code cannot be validated. Since these cipher
do not involve record encryption this alert will only occur when the suites do not involve record encryption, this alert will only
HMAC fails to verify. occur when the HMAC fails to verify.
decrypt_error: This alert as described in [RFC8446] Section 6.2 decrypt_error: This alert, as described in [RFC8446], Section 6.2,
occurs when the signature or message authentication code can not be occurs when the signature or message authentication code cannot be
validated. Note that this error is only sent during the handshake, validated. Note that this error is only sent during the
not for an error in validating record HMACs. handshake, not for an error in validating record HMACs.
8. IANA Considerations 8. IANA Considerations
IANA has granted registration the following specifically for this IANA has registered the following cipher suites, defined by this
document within the TLS Cipher Suites Registry: document, in the "TLS Cipher Suites" registry:
TLS_SHA256_SHA256 {0xC0, 0xB4} cipher suite and TLS_SHA384_SHA384
{0xC0, 0xB5} cipher suite.
Note that both of these cipher suites are registered with the DTLS-OK +===========+===================+=========+=============+
column set to Y and the Recommended column set to N | Value | Description | DTLS-OK | Recommended |
+===========+===================+=========+=============+
| 0xC0,0xB4 | TLS_SHA256_SHA256 | Y | N |
+-----------+-------------------+---------+-------------+
| 0xC0,0xB5 | TLS_SHA384_SHA384 | Y | N |
+-----------+-------------------+---------+-------------+
No further IANA action is requested by this document. Table 2
9. Security and Privacy Considerations 9. Security and Privacy Considerations
In general, except for confidentiality and privacy, the security In general, except for confidentiality and privacy, the security
considerations detailed in [RFC8446] and in [RFC5246] apply to this considerations detailed in [RFC8446] and [RFC5246] apply to this
document. Furthermore, as the cipher suites described in this document. Furthermore, as the cipher suites described in this
document do not provide any confidentiality, it is important that document do not provide any confidentiality, it is important that
they only be used in cases where there are no confidentiality or they only be used in cases where there are no confidentiality or
privacy requirements and concerns; and the runtime memory privacy requirements and concerns; the runtime memory requirements
requirements can accommodate support for authenticity-only can accommodate support for authenticity-only cryptographic
cryptographic constructs. constructs.
With the lack of data encryption specified in this specification, no With the lack of data encryption specified in this specification, no
confidentiality or privacy is provided for the data transported via confidentiality or privacy is provided for the data transported via
the TLS session. That is, the record layer is not encrypted when the TLS session. That is, the record layer is not encrypted when
using these cipher suite, and the handshake also is not encrypted. using these cipher suites, nor is the handshake. To highlight the
To highlight the loss of privacy, the information carried in the TLS loss of privacy, the information carried in the TLS handshake, which
handshake, which includes both the Server and Client certificates, includes both the server and client certificates, while integrity
while integrity protected, will be sent unencrypted. Similarly, protected, will be sent unencrypted. Similarly, other TLS extensions
other TLS extensions that may be carried in the Server's that may be carried in the server's EncryptedExtensions message will
EncryptedExtensions message will only be integrity protected without only be integrity protected without provisions for confidentiality.
provisions for confidentiality. Furthermore, with this lack of Furthermore, with this lack of confidentiality, any private Pre-
confidentiality, any private PSK data MUST NOT be sent in the Shared Key (PSK) data MUST NOT be sent in the handshake while using
handshake while using these cipher suites. However, as PSKs may be these cipher suites. However, as PSKs may be loaded externally,
loaded externally, these cipher suites can be used with the 0-RTT these cipher suites can be used with the 0-RTT handshake defined in
handshake defined in [RFC8446], with the same security implications [RFC8446], with the same security implications discussed therein
discussed there applied. applied.
Application protocols which build on TLS or DTLS for protection (e.g. Application protocols that build on TLS or DTLS for protection (e.g.,
HTTP) may have implicit assumptions of data confidentiality. Any HTTP) may have implicit assumptions of data confidentiality. Any
assumption of data confidentiality is invalidated by the use of these assumption of data confidentiality is invalidated by the use of these
cipher suites, as no data confidentiality is provided. This applies cipher suites, as no data confidentiality is provided. This applies
to any data sent over the application-data channel (e.g. bearer to any data sent over the application-data channel (e.g., bearer
tokens in HTTP), as data requiring confidentiality MUST NOT be sent tokens in HTTP), as data requiring confidentiality MUST NOT be sent
using these cipher suites. using these cipher suites.
Limits on key usage for AEAD-based ciphers are described in Limits on key usage for AEAD-based ciphers are described in
[RFC8446]. However, as the cipher suites discussed here are not [RFC8446]. However, as the cipher suites discussed here are not
AEAD, those same limits do not apply. The general security AEAD, those same limits do not apply. The general security
properties of HMACs discussed in [RFC2104] and [BCK1] apply. properties of HMACs discussed in [RFC2104] and [BCK1] apply.
Additionally, security considerations on the algorithm's strength Additionally, security considerations on the algorithm's strength
based on the HMAC key length and trunction length further described based on the HMAC key length and truncation length further described
in [RFC4868] also apply. Until further cryptanalysis demonstrate in [RFC4868] also apply. Until further cryptanalysis demonstrates
limitations on key usage for HMACs, general practice for key usage limitations on key usage for HMACs, general practice for key usage
recommends that implementations place limits on the lifetime of the recommends that implementations place limits on the lifetime of the
HMAC keys and invoke a key update as described in [RFC8446] prior to HMAC keys and invoke a key update as described in [RFC8446] prior to
reaching this limit. reaching this limit.
DTLS 1.3 defines a mechanism for encrypting the DTLS record sequence DTLS 1.3 defines a mechanism for encrypting the DTLS record sequence
numbers. However, as these cipher suites do not utilize encryption, numbers. However, as these cipher suites do not utilize encryption,
the record sequence numbers are sent unencrypted. That is, the the record sequence numbers are sent unencrypted. That is, the
procedure for DTLS record sequence number protection is to apply no procedure for DTLS record sequence number protection is to apply no
protection for these cipher suites. protection for these cipher suites.
Given the lack of confidentiality, these cipher suites MUST NOT be Given the lack of confidentiality, these cipher suites MUST NOT be
enabled by default. As these cipher suites are meant to serve the enabled by default. As these cipher suites are meant to serve the
IoT market, it is important that any IoT endpoint that uses them be IoT market, it is important that any IoT endpoint that uses them be
explicitly configured with a policy of non-confidential explicitly configured with a policy of non-confidential
communications. communications.
10. Acknowledgements 10. References
The authors would like to acknowledge the work done by Industrial
Communications Standards Groups (such as ODVA) as the motivation for
this document. We would also like to thank Steffen Fries for
providing a fourth use case and Madhu Niraula for a fifth use case.
In addition, we are grateful for the advice and feedback from Joe
Salowey, Blake Anderson, David McGrew, Clement Zeller, and Peter Wu.
11. References
11.1. Normative References 10.1. Normative References
[BCK1] Bellare, M., Canetti, R., and H. Krawczyk, "Keyed Hash [BCK1] Bellare, M., Canetti, R., and H. Krawczyk, "Keying Hash
Functions and Message Authentication", Functions for Message Authentication",
<https://cseweb.ucsd.edu/~mihir/papers/kmd5.pdf>. DOI 10.1007/3-540-68697-5_1, 1996,
<https://link.springer.com/
chapter/10.1007/3-540-68697-5_1>.
[DTLS13] IETF Internet Drafts editor, [DTLS13] Rescorla, E., Tschofenig, H., and N. Modadugu, "The
"https://tools.ietf.org/id/draft-ietf-tls-dtls13-38.txt". Datagram Transport Layer Security (DTLS) Protocol Version
1.3", RFC 9147, DOI 10.17487/RFC9147, January 2022,
<https://www.rfc-editor.org/info/rfc9147>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 11, line 18 skipping to change at line 489
<https://www.rfc-editor.org/info/rfc6234>. <https://www.rfc-editor.org/info/rfc6234>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
11.2. Informative Reference 10.2. Informative References
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
Acknowledgements
The authors would like to acknowledge the work done by Industrial
Communications Standards Groups (such as ODVA) as the motivation for
this document. We would also like to thank Steffen Fries for
providing a fourth use case and Madhu Niraula for a fifth use case.
In addition, we are grateful for the advice and feedback from Joe
Salowey, Blake Anderson, David McGrew, Clement Zeller, and Peter Wu.
Authors' Addresses Authors' Addresses
Nancy Cam-Winget Nancy Cam-Winget
Cisco Systems Cisco Systems
3550 Cisco Way 3550 Cisco Way
San Jose, CA 95134 San Jose, CA 95134
USA United States of America
Email: ncamwing@cisco.com Email: ncamwing@cisco.com
Jack Visoky Jack Visoky
ODVA ODVA
1 Allen Bradley Dr 1 Allen Bradley Dr
Mayfield Heights, OH 44124 Mayfield Heights, OH 44124
USA United States of America
Email: jmvisoky@ra.rockwell.com Email: jmvisoky@ra.rockwell.com
 End of changes. 78 change blocks. 
222 lines changed or deleted 233 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/