rfc9150xml2.original.xml   rfc9150.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2104 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R <!DOCTYPE rfc [
FC.2104.xml"> <!ENTITY nbsp "&#160;">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R <!ENTITY zwsp "&#8203;">
FC.2119.xml"> <!ENTITY nbhy "&#8209;">
<!ENTITY RFC4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R <!ENTITY wj "&#8288;">
FC.4492.xml"> ]>
<!ENTITY RFC5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5246.xml"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-camwinget-tls-ts1
<!ENTITY RFC6234 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R 3-macciphersuites-12" number="9150" ipr="trust200902" obsoletes="" updates="" su
FC.6234.xml"> bmissionType="independent" category="info" xml:lang="en" tocInclude="true" tocDe
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R pth="2" symRefs="true" sortRefs="true" version="3">
FC.8174.xml">
<!ENTITY RFC8446 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC <!-- xml2rfc v2v3 conversion 3.8.0 -->
.8446.xml">
<!ENTITY RFC4868 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4868.xml">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- OPTIONS, known as processing instructions (PIs) go here. -->
<!-- For a complete list and description of PIs,
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable PIs that most I-Ds might want to use. -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC): -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="2"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references: -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space:
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start eacddh main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of popular PIs -->
<rfc category="info" docName="draft-camwinget-tls-ts13-macciphersuites-12" ipr="
trust200902">
<front> <front>
<title abbrev="MAC-only Ciphers">TLS 1.3 Authentication and Integrity only C <title abbrev="HMAC-Only Ciphers">TLS 1.3 Authentication and Integrity-Only
ipher Suites</title> Cipher Suites</title>
<seriesInfo name="RFC" value="9150"/>
<author fullname="Nancy Cam-Winget" initials="N" surname="Cam-Winget"> <author fullname="Nancy Cam-Winget" initials="N" surname="Cam-Winget">
<organization>Cisco Systems</organization> <organization>Cisco Systems</organization>
<address> <address>
<postal> <postal>
<street>3550 Cisco Way </street> <street>3550 Cisco Way</street>
<city>San Jose</city> <city>San Jose</city>
<country>USA</country> <country>United States of America</country>
<code>95134</code> <code>95134</code>
<region>CA</region> <region>CA</region>
</postal> </postal>
<email>ncamwing@cisco.com</email> <email>ncamwing@cisco.com</email>
</address> </address>
</author> </author>
<author fullname="Jack Visoky" initials="J" surname="Visoky"> <author fullname="Jack Visoky" initials="J" surname="Visoky">
<organization>ODVA</organization> <organization>ODVA</organization>
<address> <address>
<postal> <postal>
<street>1 Allen Bradley Dr </street> <street>1 Allen Bradley Dr</street>
<city>Mayfield Heights</city> <city>Mayfield Heights</city>
<code>44124</code> <code>44124</code>
<country>USA</country> <country>United States of America</country>
<region>OH</region> <region>OH</region>
</postal> </postal>
<email>jmvisoky@ra.rockwell.com</email> <email>jmvisoky@ra.rockwell.com</email>
</address> </address>
</author> </author>
<date year="2022" month="January"/>
<date/>
<area>Security</area> <area>Security</area>
<workgroup>TLS</workgroup> <workgroup>TLS</workgroup>
<!-- <keyword/> -->
<!-- <keyword/> --> <keyword>HMAC</keyword>
<!-- <keyword/> --> <keyword>IoT</keyword>
<!-- <keyword/> --> <keyword>constrained devices</keyword>
<abstract> <abstract>
<t>This document defines the use of HMAC-only cipher suites for TLS 1.3, whi <t>This document defines the use of cipher suites for TLS 1.3 based on Has
ch provides server and optionally mutual authentication and data authenticity, b hed Message Authentication Code (HMAC). Using these cipher suites provides serv
ut not data confidentiality. Cipher suites with these properties are not of gene er and, optionally, mutual authentication and data authenticity, but not data co
ral applicability, but there are use cases, specifically in Internet of Things ( nfidentiality.
IoT) and constrained environments, that do not require confidentiality of exchan Cipher suites with these properties are not of general applicability, but there
ged messages while still requiring integrity protection, server authentication, are use cases, specifically in Internet of Things (IoT) and constrained environ
and optional client authentication. This document gives examples of such use cas ments, that do not require confidentiality of exchanged messages while still req
es, with the caveat that prior to using these integrity-only cipher suites, a th uiring integrity protection, server authentication, and optional client authenti
reat model for the situation at hand is needed, and a threat analysis must be pe cation. This document gives examples of such use cases, with the caveat that pri
rformed within that model to determine whether the use of integrity-only cipher or to using these integrity-only cipher suites, a threat model for the situation
suites is appropriate. The approach described in this document is not endorsed b at hand is needed, and a threat analysis must be performed within that model to
y the IETF and does not have IETF consensus, but is presented here to enable int determine whether the use of integrity-only cipher suites is appropriate. The a
eroperable implementation of a reduced security mechanism that provides authenti pproach described in this document is not endorsed by the IETF and does not have
cation and message integrity without supporting confidentiality.</t> IETF consensus, but it is presented here to enable interoperable implementation
of a reduced-security mechanism that provides authentication and message integr
ity without supporting confidentiality.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section numbered="true" toc="default">
<section title="Introduction"> <name>Introduction</name>
<t>There are several use cases in which communications privacy is not st <t>There are several use cases in which communications privacy is not stri
rictly needed, although authenticity of the communications transport is still ve ctly needed, although authenticity of the communications transport is still very
ry important. For example, within the Industrial Automation space there could be important. For example, within the industrial automation space, there could be
TCP or UDP communications which command a robotic arm to move a certain distanc TCP or UDP communications that command a robotic arm to move a certain distance
e at a certain speed. Without authenticity guarantees, an attacker could modify at a certain speed. Without authenticity guarantees, an attacker could modify th
the packets to change the movement of the robotic arm, potentially causing physi e packets to change the movement of the robotic arm, potentially causing physica
cal damage. However, the motion control commands are not always considered to be l damage. However, the motion control commands are not always considered to be s
sensitive information and thus there is no requirement to provide confidentiali ensitive information, and thus there is no requirement to provide confidentialit
ty. Another Internet of Things (IoT) example with no strong requirement for conf y. Another Internet of Things (IoT) example with no strong requirement for confi
identiality is the reporting of weather information; however, message authentici dentiality is the reporting of weather information; however, message authenticit
ty is required to ensure integrity of the message.</t> y is required to ensure integrity of the message.</t>
<t>There is no requirement to encrypt messages in environments where the <t>There is no requirement to encrypt messages in environments where the i
information is not confidential; such as when there is no intellectual property nformation is not confidential, such as when there is no intellectual property a
associated with the processes, or where the threat model does not indicate any ssociated with the processes, or where the threat model does not indicate any ou
outsider attacks (such as in a closed system). Note however, this situation will tsider attacks (such as in a closed system). Note, however, that this situation
not apply equally to all use cases (for example, a robotic arm might be used in will not apply equally to all use cases (for example, in one case a robotic arm
one case for a process that does not involve any intellectual property, but in might be used for a process that does not involve any intellectual property but
another case used in a different process that does contain intellectual property in another case might be used in a different process that does contain intellect
). Therefore, it is important that a user or system developer carefully examine ual property). Therefore, it is important that a user or system developer carefu
both the sensitivity of the data and the system threat model to determine the ne lly examine both the sensitivity of the data and the system threat model to dete
ed for encryption before deploying equipment and security protections.</t> rmine the need for encryption before deploying equipment and security protection
<t>Besides having a strong need for authenticity and no need for conf s.</t>
identiality, many of these systems also have a strong requirement for low latenc <t>Besides having a strong need for authenticity and no need for confident
y. Furthermore, several classes of IoT device (industrial or otherwise) have lim iality, many of these systems also have a strong requirement for low latency. Fu
ited processing capability. However, these IoT systems still gain great benefit rthermore, several classes of IoT devices (industrial or otherwise) have limited
from leveraging TLS 1.3 for secure communications. Given the reduced need for co processing capability. However, these IoT systems still gain great benefit from
nfidentiality, TLS 1.3 <xref target="RFC8446"/> cipher suites that maintain data leveraging TLS 1.3 for secure communications. Given the reduced need for confid
integrity without confidentiality are described in this document. These cipher entiality, TLS 1.3 cipher suites <xref target="RFC8446" format="default"/> that
suites are not meant for general use as they do not meet the confidentiality and maintain data integrity without confidentiality are described in this document.
privacy goals of TLS. They should only be used in cases where confidentiality a These cipher suites are not meant for general use, as they do not meet the confi
nd privacy is not a concern and there are constraints on using cipher suites tha dentiality and privacy goals of TLS. They should only be used in cases where con
t provide the full set of security properties. The approach described in this do fidentiality and privacy are not a concern and there are constraints on using ci
cument is not endorsed by the IETF and does not have IETF consensus, but is pres pher suites that provide the full set of security properties. The approach descr
ented here to enable interoperable implementation of a reduced security mechanis ibed in this document is not endorsed by the IETF and does not have IETF consens
m that provides authentication and message integrity with supporting confidentia us, but it is presented here to enable interoperable implementation of a reduced
lity. </t> -security mechanism that provides authentication and message integrity with supp
orting confidentiality. </t>
</section> </section>
<section numbered="true" toc="default">
<section title="Terminology"> <name>Terminology</name>
<t>This document adopts the conventions for normative language to pr <t>This document adopts the conventions for normative language to provide
ovide clarity of instructions to the implementer. The key words "MUST", "MUST NO clarity of instructions to the implementer.
T", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MA The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
Y", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they app "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
ear in all capitals, as shown here. </t> "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
are to be interpreted as described in BCP&nbsp;14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
when, they appear in all capitals, as shown here.</t>
</section> </section>
<section numbered="true" toc="default">
<name>Applicability Statement</name>
<t>The two cipher suites defined in this document, which are based on Hash
ed Message Authentication Code (HMAC) SHAs <xref target="RFC6234" format="defaul
t"/>, are intended for a small limited set of applications where confidentiality
requirements are relaxed and the need to minimize the number of cryptographic a
lgorithms is prioritized. This section describes some of those applicable use ca
ses. </t>
<t>Use cases in the industrial automation industry, while requiring data i
ntegrity, often do not require confidential communications. Mainly, data communi
cated to unmanned machines to execute repetitive
tasks does not convey private information. For example, there could
be a system with a robotic arm that paints the body of a car. This equipment is
used within a car manufacturing plant and is just
one piece of equipment in a multi-step manufacturing pro
cess. The movements of this robotic arm are likely not a trade secret or sensiti
ve intellectual property, although some portions of the manufacturing of the car
might very well contain sensitive intellectual property.
Even the mixture for the paint itself might be confidential, but the mixing is
done by a completely different piece of equipment and therefore communication to
/from that equipment can be encrypted without requiring the communication to/fro
m the robotic arm to be encrypted.
Modern manufacturing often has segmented equipment with
different levels of risk related to intellectual property, although nearly every
communication interaction has strong data authenticity requirements. </t>
<t>Another use case that is closely related is that of fine-grained time u
pdates. Motion systems often rely on time synchronization to ensure proper execu
tion. Time updates are essentially public; there is no threat from an attacker k
nowing the time update information. This should make intuitive sense to those no
t familiar with these applications; rarely if ever does time information present
a serious attack surface dealing with privacy. However, the authenticity is sti
ll quite important. The consequences of maliciously modified time data can vary
from mere denial of service to actual physical damage, depending on the particul
ar situation and attacker capability. As these time synchronization updates are
very fine-grained, it is again important for latency to be very low.</t>
<t>A third use case deals with data related to alarms. Industrial control
sensing equipment can be configured to send alarm information when it meets cert
ain conditions -- for example, temperature goes above or below a given threshold
. Oftentimes, this data is used to detect certain out-of-tolerance conditions, a
llowing an operator or automated system to take corrective action. Once again, i
n many systems the reading of this data doesn't grant the attacker information t
hat can be exploited; it is generally just information regarding the physical st
ate of the system. At the same time, being able to modify this data would allow
an attacker to either trigger alarms falsely or cover up evidence of an attack t
hat might allow for detection of their malicious activity. Furthermore, sensors
are often low-powered devices that might struggle to process encrypted and authe
nticated data. These sensors might be very cost sensitive such that there is not
enough processing power for data encryption. Sending data that is just authenti
cated but not encrypted eases the burden placed on these devices yet still allow
s the data to be protected against any tampering threats. A user can always choo
se to pay more for a sensor with encryption capability, but for some, data authe
nticity will be sufficient. </t>
<t>A fourth use case considers the protection of commands in the railway i
ndustry. In railway control systems, no confidentiality requirements are applied
for the command exchange between an interlocking controller and a railway equip
ment controller (for instance, a railway point controller of a tram track where
the position of the controlled point is publicly available).
However, protecting the integrity and authenticity of those commands
is vital; otherwise, an adversary could change the target position of the point
by modifying the commands, which consequently could lead to the derailment of a
passing train.
Furthermore, requirements for providing flight-data recording of the
safety-related network traffic can only be fulfilled through using authenticity-
only ciphers as, typically, the recording is used by a third party responsible f
or the analysis after an accident. The analysis requires such third party to ext
ract the safety-related commands from the recording.
</t>
<t>The fifth use case deals with data related to civil aviation airplanes
and ground communication. Pilots can send and receive messages to/from ground co
ntrol, such as airplane route-of-flight updates, weather information, controller
and pilot communication, and airline back-office communication. Similarly, the
Air Traffic Control (ATC) service uses air-to-ground communication to receive th
e surveillance data that relies on (is dependent on) downlink reports from an ai
rplane's avionics. This communication occurs automatically in accordance with co
ntracts established between the ATC ground system and the airplane's avionics. R
eports can be sent whenever specific events occur or specific time intervals are
reached. In many systems, the reading of this data doesn't grant the attacker i
nformation that can be exploited; it is generally just information regarding the
states of the airplane, controller pilot communication, meteorological informat
ion, etc. At the same time, being able to modify this data would allow an attack
er to either put aircraft in the wrong flight trajectory or provide false inform
ation to ground control that might delay flights, damage property, or harm life.
Sending data that is not encrypted but is authenticated allows the data to be p
rotected against any tampering threats. Data authenticity is sufficient for the
air traffic, weather, and surveillance information exchanges between airplanes a
nd the ground systems. </t>
<t> The above use cases describe the requirements where confidentiality is
not needed and/or interferes with other requirements. Some of these use cases a
re based on devices that come with a small runtime memory footprint and reduced
processing power; therefore, the need to minimize the number of cryptographic al
gorithms used is a priority. Despite this, it is noted that memory, performance,
and processing power implications of any given algorithm or set of algorithms a
re highly dependent on hardware and software architecture. Therefore, although t
hese cipher suites may provide performance benefits, they will not necessarily p
rovide these benefits in all cases on all platforms. Furthermore, in some use ca
ses, third-party inspection of data is specifically needed, which is also suppor
ted through the lack of confidentiality mechanisms. </t>
</section>
<section numbered="true" toc="default">
<name>Cryptographic Negotiation Using Integrity-Only Cipher Suites</name>
<t>The cryptographic negotiation as specified in <xref target="RFC8446" se
ctionFormat="comma" section="4.1.1"/> remains the same, with the inclusion of th
e following cipher suites: </t>
<section title="Applicability Statement"> <ul empty="true" indent="3">
<t>The two HMAC SHA <xref target="RFC6234"/> based cipher suites defined <li>TLS_SHA256_SHA256 {0xC0,0xB4}</li>
in this document are intended for a small limited set of applications where con <li>TLS_SHA384_SHA384 {0xC0,0xB5}</li>
fidentiality requirements are relaxed and the need to minimize the number of cry </ul>
ptographic algorithms is prioritized. This section describes some of those appli <t>
cable use cases. </t> As defined in <xref target="RFC8446" format="default"/>, TLS 1.3 cip
her suites denote the Authenticated Encryption with Associated Data (AEAD) algor
<t>Use cases in the industrial automation industry, while requiring data ithm for record protection and the hash algorithm to use with the HMAC-based Key
integrity, often do not require confidential communications. Mainly, informatio Derivation Function (HKDF). The cipher suites provided by this document are def
n communicated to unmanned machines to execute repetitive ined in a similar way, but they use the HMAC authentication tag to model the AEA
tasks does not convey private information. For example, there could D interface, as only an HMAC is provided for record protection (without encrypti
be a system with a robotic arm that paints the body of a car. This equipment is on). These cipher suites allow the use of SHA-256 or SHA-384 as the HMAC for dat
used within a car manufacturing plant, and is just a integrity protection as well as its use for the HKDF. The authentication mecha
one piece of equipment in a multi-step manufacturing proc nisms remain unchanged with the intent to only update the cipher suites to relax
ess. The movements of this robotic arm are likely not a trade secret or sensitiv the need for confidentiality.</t>
e intellectual property, although some portions of the manufacturing of the car <t> Given that these cipher suites do not support confidentiality, they <b
might very well contain sensitive intellectual property. cp14>MUST NOT</bcp14> be used with authentication and key exchange methods that
Even the mixture for the paint itself might be confidential, but the mixing is d rely on confidentiality. </t>
one by a completely different piece of equipment and therefore communication to/ </section>
from that equipment can be encrypted without requiring the communication to/from <section numbered="true" toc="default">
the robotic arm to be encrypted. <name>Record Payload Protection for Integrity-Only Cipher Suites</name>
Modern manufacturing often has segmented equipment with d <t>Record payload protection as defined in <xref target="RFC8446" format="
ifferent levels of risk on intellectual property, although nearly every communic default"/> is retained in modified form when integrity-only cipher suites are us
ation interaction has strong data authenticity requirements. </t> ed. Note that due to the purposeful use of hash algorithms, instead of AEAD algo
rithms, confidentiality protection of the record payload is not provided.
<t>Another use case which is closely related is that of fine-grained tim This section describes the mapping of record payload structures when
e updates. Motion systems often rely on time synchronization to ensure proper ex integrity-only cipher suites are employed. </t>
ecution. Time updates are essentially public; there is no threat from an attacke <t> Given that there is no encryption to be done at the record layer, the
r knowing the time update information. This should make intuitive sense to those operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt" and "AEAD-
not familiar with these applications; rarely if ever does time information pres Decrypt" <xref target="RFC8446" format="default"/>, respectively.</t>
ent a serious attack surface dealing with privacy. However, the authenticity is <t> As integrity protection is provided over the full record, the encrypte
still quite important. The consequences of maliciously modified time data can va d_record in the TLSCiphertext along with the additional_data input to protected_
ry from mere denial of service to actual physical damage, depending on the parti data (termed AEADEncrypted data in <xref target="RFC8446" format="default"/>) as
cular situation and attacker capability. As these time synchronization updates a defined in <xref target="RFC8446" sectionFormat="of" section="5.2"/> remain the
re very fine-grained, it is again important for latency to be very low.</t> same.
<t>A third use case deals with data related to alarms. Industrial contro
l sensing equipment can be configured to send alarm information when it meets ce
rtain conditions, for example, temperature goes above or below a given threshold
. Often times this data is used to detect certain out-of-tolerance conditions, a
llowing an operator or automated system to take corrective action. Once again, i
n many systems the reading of this data doesn't grant the attacker information t
hat can be exploited, it is generally just information regarding the physical st
ate of the system. At the same time, being able to modify this data would allow
an attacker to either trigger alarms falsely or to cover up evidence of an attac
k that might allow for detection of their malicious activity. Furthermore, senso
rs are often low powered devices that might struggle to process encrypted and au
thenticated data. These sensors might be very cost sensitive such that there is
not enough processing power for data encryption. Sending data that is just authe
nticated but not encrypted eases the burden placed on these devices, yet still a
llows the data to be protected against any tampering threats. A user can always
choose to pay more for a sensor with encryption capability, but for some, data a
uthenticity will be sufficient. </t>
<t>A fourth use case considers the protection of commands in the railway
industry. In railway control systems, no confidentiality requirements are appli
ed for the command exchange between an interlocking controller and a railway equ
ipment controller (for instance, a railway point controller of a tram track wher
e the position of the controlled point is publicly available).
However, protecting integrity and authenticity of those commands is
vital, otherwise, an adversary could change the target position of the point by
modifying the commands, which consequently could lead to the derailment of a pas
sing train.
Furthermore, requirements for providing blackbox recording of the sa
fety related network traffic can only be fulfilled through using authenticity-on
ly ciphers, to be able to provide the safety related commands to a third party,
which is responsible for the analysis after an accident.</t>
<t>The fifth use case deals with data related to civil aviation airplane
s and ground communication. Pilots can send and receive messages to/from ground
control such as airplane route-of-flight update, weather information, controller
and pilot communication, and airline back office communication. Similarly, the
Aviation Traffic Control (ATC) use air to ground communication to receive the su
rveillance data that relies on (is dependent on) downlink reports from an airpla
ne's avionics. This communication occurs automatically in accordance with contra
cts established between the ATC ground system and the airplane's avionics. Repor
ts can be sent whenever specific events occur, or specific time intervals are re
ached. In many systems the reading of this data doesn't grant the attacker infor
mation that can be exploited, it is generally just information regarding the air
plane states, controller pilot communication, meteorological information etc. At
the same time, being able to modify this data would allow an attacker to either
put aircraft in the wrong flight trajectory or to provide false information to
ground control that might delay flights and damage properties or harm life. Send
ing data that is not encrypted but is authenticated, allows the data to be prote
cted against any tampering threats. Data authenticity is sufficient for the air
traffic, weather and surveillance information exchange between airplanes and the
ground systems. </t>
<t> The above use cases describe the requirements where confidentiality
is not needed and/or interferes with other requirements. Some of these use cases
are based on devices that come with a small runtime memory footprint and reduce
d processing power therefore the need to minimize the number of cryptographic al
gorithms used is a priority. Despite this, it is noted that memory, performance,
and processing power implications of any given algorithm or set of algorithms i
s highly dependent on hardware and software architecture. Therefore, although th
ese cipher suites may provide performance benefits, they will not necessarily pr
ovide these benefits in all cases on all platforms. Furthermore, in some use cas
es third party inspection of data is specifically needed, which is also supporte
d through the lack of confidentiality mechanisms. </t>
</section>
<section title="Cryptographic Negotiation Using Integrity only Cipher Suites
">
<t>The cryptographic negotiation as specified in <xref target="RFC8446"/>
Section 4.1.1 remains the same, with the inclusion of the following cipher suit
es: </t>
<!--
<t>This document defines the following cipher suites for use in TLS 1.3:
</t>
-->
<t> <list style='hanging'>
<t hangText='TLS_SHA256_SHA256'> {0xC0, 0xB4}</t>
<t hangText='TLS_SHA384_SHA384'> {0xC0, 0xB5}</t>
</list> </t>
<t>
As defined in <xref target="RFC8446"/>, TLS 1.3 cipher suites denote
the AEAD algorithm for record protection and the hash algorithm to use with the
HKDF. These cipher suites are defined in a similar way, but using the HMAC auth
entication tag to model the AEAD interface, as only an HMAC is provided for reco
rd protection (without encryption). These cipher suites allow the use of SHA-256
or SHA-384 as the Hashed Message Authentication Code (HMAC) for data integrity
protection as well as its use for HMAC-based Key Derivation Function (HKDF). The
authentication mechanisms remain unchanged with the intent to only update the c
ipher suites to relax the need for confidentiality.</t>
<t> Given that these cipher suites do not support confidentiality, they M
UST NOT be used with authentication and key exchange methods that rely on confid
entiality. </t>
</section>
<section title="Record Payload Protection for Integrity only Cipher Suites">
<t> The record payload protection as defined in <xref target="RFC8446"/>
is retained in modified form when integrity only cipher suites are used. Note t
hat due to the purposeful use of hash algorithms, instead of AEAD algorithms, th
e confidentiality protection of the record payload is not provided.
This section describes the mapping of record payload structures when
integrity only cipher suites are employed. </t>
<t> Given that there is no encryption to be done at the record la
yer, the operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt" a
nd "AEAD-Decrypt", respectively, as referenced in <xref target="RFC8446"/> </t>
<t> As integrity protection is provided over the full record, the encryp
ted_record in the TLSCiphertext along with the additional_data input to protecte
d_data (termed AEADEncrypted data in <xref target="RFC8446"/>) as defined in Sec
tion 5.2 of <xref target="RFC8446"/> remain the same.
The TLSCiphertext.length for the integrity cipher suites will be: </ t> The TLSCiphertext.length for the integrity cipher suites will be: </ t>
<t> <list style='hanging'> <artwork name="" type="ascii-art" align="left" alt=""><![CDATA[
<t hangText='TLS_SHA256_SHA256:'> TLSCiphertext.length = TLSPlaint TLS_SHA256_SHA256:
ext.length + 1 (type field) + length_of_padding + 32 (HMAC) = TLSInnerPlaintext_ TLSCiphertext.length = TLSInnerPlaintext_length + 32
length + 32 (HMAC) </t>
<t hangText='TLS_SHA384_SHA384:'> TLSCiphertext.length = TLSPlaint
ext.length + 1 (type field) + length_of_padding + 48 (HMAC) = TLSInnerPlaintext_
length + 48 (HMAC) </t>
</list> </t>
<t> Note that TLSInnerPlaintext_length is not defined as an expli
cit field in <xref target="RFC8446"/>; this refers to the length of the encoded
TLSInnterPlaintext structure </t>
<t> The resulting protected_record is the concatenation of the TLSInnerP
laintext with the resulting HMAC. Note this analogous to the "encrypted_record"
of <xref target="RFC8446"/>, although it is referred to as a "protected_record"
because of the lack of confidentiality via encryption. With this mapping, the re
cord validation order as defined in Section 5.2 of <xref target="RFC8446"/> rema
ins the same. That is, encrypted_record field of TLSCiphertext is set to: </t>
<t> encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext || HMAC(
write_key, nonce || additional_data || TLSInnerPlaintext) </t>
<t> Here "nonce" refers to the per-record nonce described in sect
ion 5.3 of <xref target="RFC8446"/>.</t>
<t> For DTLS 1.3, the DTLSCiphertext is set to:</t>
<t> encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext) </t>
<t> The DTLS "nonce" refers to the per-record nonce described in sec
tion 4.2.2 of <xref target="DTLS13"/>.</t>
<t> The Protect and Unprotect operations provide the integrity protectio
n using HMAC SHA-256 or HMAC SHA-384 as described in <xref target="RFC6234"/>.</
t>
<t> Due to the lack of encryption of the plaintext, record padding does
not provide any obfuscation as to the plaintext size, although it can be optiona
lly included.</t>
</section>
<section title="Key Schedule when using Integrity only Cipher Suites">
<t> The key derivation process for Integrity only Cipher Suites remains
the same as defined in <xref target="RFC8446"/>. The only difference is that the
keys used to protect the tunnel apply to the negotiated HMAC SHA-256 or HMAC SH
A-384 ciphers. Note that the traffic key material (client_write_key, client_writ
e_iv, server_write_key and server_write_iv) MUST be calculated as per RFC 8446,
section 7.3. The key lengths and IVs for these cipher suites are according to th
e hash output lengths. In other words, the following key lengths and IV lengths
SHALL be: </t>
<texttable>
<ttcol align='left'>Cipher Suite</ttcol>
<ttcol align='left'>Key Length</ttcol>
<ttcol align='left'>IV Length</ttcol>
<c>TLS_SHA256_SHA256</c>
<c>32 Bytes</c>
<c>32 Bytes</c>
<c>TLS_SHA384_SHA384</c>
<c>48 Bytes</c>
<c>48 Bytes</c>
</texttable>
</section>
<section title="Error Alerts"> TLS_SHA384_SHA384:
<t>The error alerts as defined by <xref target="RFC8446"/> remains the s TLSCiphertext.length = TLSInnerPlaintext_length + 48
ame, in particular: </t> ]]></artwork>
<t> bad_record_mac: This alert can also occur for a record whose mess <t> Note that TLSInnerPlaintext_length is not defined as an explicit field
age authentication code can not be validated. Since these cipher suites do not i in <xref target="RFC8446" format="default"/>; this refers to the length of the
nvolve record encryption this alert will only occur when the HMAC fails to verif encoded TLSInnerPlaintext structure.</t>
y. </t> <t> The resulting protected_record is the concatenation of the TLSInnerPla
<t> decrypt_error: This alert as described in <xref target="RFC8446"/> Se intext with the resulting HMAC. Note that this is analogous to the "encrypted_re
ction 6.2 occurs when the signature or message authentication code can not be va cord" as defined in <xref target="RFC8446" format="default"/>, although it is re
lidated. Note that this error is only sent during the handshake, not for an erro ferred to as a "protected_record" because of the lack of confidentiality via enc
r in validating record HMACs. </t> ryption. With this mapping, the record validation order as defined in <xref targ
et="RFC8446" sectionFormat="of" section="5.2"/> remains the same. That is, the e
ncrypted_record field of TLSCiphertext is set to: </t>
<artwork name="" type="ascii-art" align="left" alt=""><![CDATA[
encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || TLSInnerPlaintext)
]]></artwork>
<t>Here, "nonce" refers to the per-record nonce described in <xref target=
"RFC8446" sectionFormat="of" section="5.3"/>.</t>
<t> For DTLS 1.3, the DTLSCiphertext is set to:</t>
<artwork name="" type="ascii-art" align="left" alt=""><![CDATA[
encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext ||
HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext)
]]></artwork>
<t> The DTLS "nonce" refers to the per-record nonce described in <xref tar
get="RFC9147" sectionFormat="of" section="4.2.2"/>.</t>
<t> The Protect and Unprotect operations provide the integrity protection
using HMAC SHA-256 or HMAC SHA-384 as described in <xref target="RFC6234" format
="default"/>.</t>
<t> Due to the lack of encryption of the plaintext, record padding does no
t provide any obfuscation as to the plaintext size, although it can be optionall
y included.</t>
</section> </section>
<section numbered="true" toc="default">
<section anchor="IANA" title="IANA Considerations"> <name>Key Schedule when Using Integrity-Only Cipher Suites</name>
<t> IANA has granted registration the following specifically for this d <t> The key derivation process for integrity-only cipher suites remains th
ocument within the TLS Cipher Suites Registry:</t> e same as that defined in <xref target="RFC8446" format="default"/>. The only di
<t> TLS_SHA256_SHA256 {0xC0, 0xB4} cipher suite and TLS_SHA384_SHA384 {0 fference is that the keys used to protect the tunnel apply to the negotiated HMA
xC0, 0xB5} cipher suite. </t> C SHA-256 or HMAC SHA-384 ciphers. Note that the traffic key material (client_wr
<t> Note that both of these cipher suites are registered with the DTLS-O ite_key, client_write_iv, server_write_key, and server_write_iv) <bcp14>MUST</bc
K column set to Y and the Recommended column set to N </t> p14> be calculated as per <xref target="RFC8446" sectionFormat="comma" section="
<t>No further IANA action is requested by this document. </t> 7.3"/>. The key lengths and Initialization Vectors (IVs) for these cipher suites
are according to the hash output lengths. In other words, the following key len
gths and IV lengths <bcp14>SHALL</bcp14> be: </t>
<table align="center">
<thead>
<tr>
<th align="left">Cipher Suite</th>
<th align="left">Key Length</th>
<th align="left">IV Length</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">TLS_SHA256_SHA256</td>
<td align="left">32 Bytes</td>
<td align="left">32 Bytes</td>
</tr>
<tr>
<td align="left">TLS_SHA384_SHA384</td>
<td align="left">48 Bytes</td>
<td align="left">48 Bytes</td>
</tr>
</tbody>
</table>
</section>
<section numbered="true" toc="default">
<name>Error Alerts</name>
<t>The error alerts as defined by <xref target="RFC8446" format="default"/
> remain the same; in particular: </t>
<dl newline="false" spacing="normal">
<dt>bad_record_mac:</dt><dd>This alert can also occur for a record whose m
essage authentication code cannot be validated. Since these cipher suites do not
involve record encryption, this alert will only occur when the HMAC fails to ve
rify.</dd>
<dt>decrypt_error:</dt><dd>This alert, as described in <xref target="RFC84
46" sectionFormat="comma" section="6.2"/>, occurs when the signature or message
authentication code cannot be validated. Note that this error is only sent durin
g the handshake, not for an error in validating record HMACs.</dd>
</dl>
</section> </section>
<section anchor="IANA" numbered="true" toc="default">
<name>IANA Considerations</name>
<t>IANA has registered the following cipher suites, defined by this docume
nt, in the "TLS Cipher Suites" registry:</t>
<section anchor="Security" title="Security and Privacy Considerations"> <table anchor="iana_table">
<t>In general, except for confidentiality and privacy, the security cons <thead>
iderations detailed in <xref target="RFC8446"/> and in <xref target="RFC5246"/> <tr>
apply to this document. Furthermore, as the cipher suites described in this docu <th>Value</th>
ment do not provide any confidentiality, it is important that they only be used <th>Description</th>
in cases where there are no confidentiality or privacy requirements and concerns <th>DTLS-OK</th>
; and the runtime memory requirements can accommodate support for authenticity-o <th>Recommended</th>
nly cryptographic constructs.</t> </tr>
<t>With the lack of data encryption specified in this specification, no </thead>
confidentiality or privacy is provided for the data transported via the TLS sess <tbody>
ion. That is, the record layer is not encrypted when using these cipher suite, a <tr>
nd the handshake also is not encrypted. To highlight the loss of privacy, the in <td>0xC0,0xB4</td>
formation carried in the TLS handshake, which includes both the Server and Clien <td>TLS_SHA256_SHA256</td>
t certificates, while integrity protected, will be sent unencrypted. Similarly, <td>Y</td>
other TLS extensions that may be carried in the Server's EncryptedExtensions mes <td>N</td>
sage will only be integrity protected without provisions for confidentiality. Fu </tr>
rthermore, with this lack of confidentiality, any private PSK data MUST NOT be s <tr>
ent in the handshake while using these cipher suites. However, as PSKs may be lo <td>0xC0,0xB5</td>
aded externally, these cipher suites can be used with the 0-RTT handshake define <td>TLS_SHA384_SHA384</td>
d in <xref target="RFC8446"/>, with the same security implications discussed the <td>Y</td>
re applied. </t> <td>N</td>
<t>Application protocols which build on TLS or DTLS for protection (e.g. </tr>
HTTP) may have implicit assumptions of data confidentiality. Any assumption of </tbody>
data confidentiality is invalidated by the use of these cipher suites, as no dat </table>
a confidentiality is provided. This applies to any data sent over the applicatio
n-data channel (e.g. bearer tokens in HTTP), as data requiring confidentiality M
UST NOT be sent using these cipher suites.</t>
<t> Limits on key usage for AEAD-based ciphers are described in
<xref target="RFC8446"/>. However, as the cipher suites discussed here are not A
EAD, those same limits do not apply. The general security properties of HMACs di
scussed in <xref target="RFC2104"/> and <xref target="BCK1"/> apply. Additional
ly, security considerations on the algorithm's strength based on the HMAC key le
ngth and trunction length further described in <xref target="RFC4868"/> also app
ly. Until further cryptanalysis demonstrate limitations on key usage for HMACs,
general practice for key usage recommends that implementations place limits on t
he lifetime of the HMAC keys and invoke a key update as described in <xref targe
t="RFC8446"/> prior to reaching this limit. </t>
<t>DTLS 1.3 defines a mechanism for encrypting the DTLS record se
quence numbers. However, as these cipher suites do not utilize encryption, the r
ecord sequence numbers are sent unencrypted. That is, the procedure for DTLS rec
ord sequence number protection is to apply no protection for these cipher suites
. </t>
<t>Given the lack of confidentiality, these cipher suites MUST NO
T be enabled by default. As these cipher suites are meant to serve the IoT marke
t, it is important that any IoT endpoint that uses them be explicitly configured
with a policy of non-confidential communications. </t>
</section> </section>
<section anchor="Security" numbered="true" toc="default">
<section anchor="Acknowledgements" title="Acknowledgements"> <name>Security and Privacy Considerations</name>
<t>The authors would like to acknowledge the work done by Industrial Commu <t>In general, except for confidentiality and privacy, the security consid
nications Standards Groups (such as ODVA) as the motivation for this document. W erations detailed in <xref target="RFC8446" format="default"/> and <xref target=
e would also like to thank Steffen Fries for providing a fourth use case and Mad "RFC5246" format="default"/> apply to this document. Furthermore, as the cipher
hu Niraula for a fifth use case. In addition, we are grateful for the advice and suites described in this document do not provide any confidentiality, it is impo
feedback from Joe Salowey, Blake Anderson, David McGrew, Clement Zeller, and Pe rtant that they only be used in cases where there are no confidentiality or priv
ter Wu.</t> acy requirements and concerns; the runtime memory requirements can accommodate s
upport for authenticity-only cryptographic constructs.</t>
<t>With the lack of data encryption specified in this specification, no co
nfidentiality or privacy is provided for the data transported via the TLS sessio
n. That is, the record layer is not encrypted when using these cipher suites, no
r is the handshake. To highlight the loss of privacy, the information carried in
the TLS handshake, which includes both the server and client certificates, whil
e integrity protected, will be sent unencrypted. Similarly, other TLS extensions
that may be carried in the server's EncryptedExtensions message will only be in
tegrity protected without provisions for confidentiality. Furthermore, with this
lack of confidentiality, any private Pre-Shared Key (PSK) data <bcp14>MUST NOT<
/bcp14> be sent in the handshake while using these cipher suites. However, as PS
Ks may be loaded externally, these cipher suites can be used with the 0-RTT hand
shake defined in <xref target="RFC8446" format="default"/>, with the same securi
ty implications discussed therein applied. </t>
<t>Application protocols that build on TLS or DTLS for protection (e.g., H
TTP) may have implicit assumptions of data confidentiality. Any assumption of da
ta confidentiality is invalidated by the use of these cipher suites, as no data
confidentiality is provided. This applies to any data sent over the application-
data channel (e.g., bearer tokens in HTTP), as data requiring confidentiality <b
cp14>MUST NOT</bcp14> be sent using these cipher suites.</t>
<t> Limits on key usage for AEAD-based ciphers are described in <xref tar
get="RFC8446" format="default"/>. However, as the cipher suites discussed here a
re not AEAD, those same limits do not apply. The general security properties of
HMACs discussed in <xref target="RFC2104" format="default"/> and <xref target="B
CK1" format="default"/> apply. Additionally, security considerations on the alg
orithm's strength based on the HMAC key length and truncation length further des
cribed in <xref target="RFC4868" format="default"/> also apply. Until further cr
yptanalysis demonstrates limitations on key usage for HMACs, general practice fo
r key usage recommends that implementations place limits on the lifetime of the
HMAC keys and invoke a key update as described in <xref target="RFC8446" format=
"default"/> prior to reaching this limit. </t>
<t>DTLS 1.3 defines a mechanism for encrypting the DTLS record sequence nu
mbers. However, as these cipher suites do not utilize encryption, the record seq
uence numbers are sent unencrypted. That is, the procedure for DTLS record seque
nce number protection is to apply no protection for these cipher suites. </t>
<t>Given the lack of confidentiality, these cipher suites <bcp14>MUST NOT<
/bcp14> be enabled by default. As these cipher suites are meant to serve the IoT
market, it is important that any IoT endpoint that uses them be explicitly conf
igured with a policy of non-confidential communications. </t>
</section> </section>
</middle> </middle>
<back> <back>
<references title="Normative References">
&RFC2104; <displayreference target="RFC9147" to="DTLS13"/>
&RFC2119;
&RFC6234; <references>
&RFC8174; <name>References</name>
&RFC8446; <references>
&RFC4868; <name>Normative References</name>
<reference anchor="DTLS13"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<front> FC.2104.xml"/>
<title>https://tools.ietf.org/id/draft-ietf-tls-dtls13-38.txt< <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
/title> FC.2119.xml"/>
<author> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<organization>IETF Internet Drafts editor</organization> FC.6234.xml"/>
</author> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<date year=""></date> FC.8174.xml"/>
</front> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
</reference> FC.8446.xml"/>
<reference anchor="BCK1" target="https://cseweb.ucsd.edu/~mihir/papers/kmd5. <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
pdf"> FC.4868.xml"/>
<!-- draft-ietf-tls-dtls13-43 (citation string is "DTLS13") -->
<reference anchor='RFC9147' target="https://www.rfc-editor.org/info/rfc9147">
<front>
<title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
<author initials='E' surname='Rescorla' fullname='Eric Rescorla'>
<organization />
</author>
<author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'>
<organization />
</author>
<author initials='N' surname='Modadugu' fullname='Nagendra Modadugu'>
<organization />
</author>
<date year='2022' month='January' />
</front>
<seriesInfo name="RFC" value="9147"/>
<seriesInfo name="DOI" value="10.17487/RFC9147"/>
</reference>
<reference anchor="BCK1" target="https://link.springer.com/chapter/10.10
07/3-540-68697-5_1">
<front> <front>
<title>Keyed Hash Functions and Message Authentication</title> <title>Keying Hash Functions for Message Authentication</title>
<author initials="M." surname="Bellare"> <author initials="M." surname="Bellare">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Canetti"> <author initials="R." surname="Canetti">
<organization/> <organization/>
</author> </author>
<author initials="H." surname="Krawczyk"> <author initials="H." surname="Krawczyk">
<organization/> <organization/>
</author> </author>
<date year=""></date> <date year="1996"/>
</front> </front>
</reference> <seriesInfo name="DOI" value="10.1007/3-540-68697-5_1"/>
</reference>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5246.xml"/>
</references>
</references> </references>
<references title="Informative Reference"> <section anchor="Acknowledgements" numbered="false" toc="default">
&RFC5246; <name>Acknowledgements</name>
</references> <t>The authors would like to acknowledge the work done by Industrial Commu
nications Standards Groups (such as ODVA) as the motivation for this document. W
e would also like to thank <contact fullname="Steffen Fries"/> for providing a f
ourth use case and <contact fullname="Madhu Niraula"/> for a fifth use case. In
addition, we are grateful for the advice and feedback from <contact fullname="Jo
e Salowey"/>, <contact fullname="Blake Anderson"/>, <contact fullname="David McG
rew"/>, <contact fullname="Clement Zeller"/>, and <contact fullname="Peter Wu"/>
.</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 22 change blocks. 
428 lines changed or deleted 464 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/