]> HPE

USA ronald.bonica@hpe.com

HPE

USA tony.li@tony.li

Transport TCPM Working Group TCP-AO RFC5926 specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms specified in this document are based upon more recent, stronger cryptography.

Introduction TCP end-points use the TCP Authentication Option (TCP-AO) to authenticate segments. TCP-AO relies upon:

• A Master Key Tuple (MKT)
• A Key Derivation Function (KDF)
• A Message Authentication Code (MAC) algorithm

TCP-AO systems are configured with one or more MKTs for each connection that they protect. When a connection is associated with multiple MKTs, TCP-AO can rotate among them during the course of a TCP session. This facilitates dynamic key change and authentication algorithm agility. An MKT includes:

• Two MKT identifiers, one used for sending and one used for receiving
• A connection identifier (i.e., a TCP socket pair)
• A master key (i.e., a shared secret)
• A KDF
• A MAC algorithm
• A flag indicating whether TCP options other than TCP-AO are authenticated

The KDF generates a traffic key. Its inputs are:

• A pseudorandom function (PRF) used to generate the traffic key
• The master key
• Context (i.e., A binary string containing information related to the connection)
• Output length (i.e., the length of the traffic key, in bits)

The MAC algorithm produces a MAC. It is defined by:

• The KDF algorithm used to generate the traffic key
• The length of the traffic key, in bits
• The length of the MAC, in bits

The following are inputs to the MAC Algorithm:

• traffic key
• message

TCP-AO systems include the MAC in the TCP-AO. They use the MAC to authenticate segments. specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms defined in this document are based upon more recent, stronger cryptography. The MAC algorithms described in of this document are not truncated. They yield MACs ranging from 256 to 512 bits (i.e., 32 to 64 bytes). Therefore, when they are encoded in a TCP-AO, the TCP-AO ranges from 36 to 68 bytes. The MAC algorithms described in of this document are truncated to 128 bits (i.e., 16 bytes). Therefore, when they are encoded in TCP-AO, the TCP-AO consumes 20 bytes. The TCP-AO is encoded in the TCP Options field. The TCP Options field is frequently required to carry multiple options, including the TCP-AO. Currently, the TCP-Options field cannot exceed 40 bytes. However, TCP Extended Options removes this limitation. Therefore, many of the MAC algorithms described in this document can only be used on systems that support TCP Extended Options or some other mechanism that extends the TCP Options field.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 when, and only when, they appear in all capitals, as shown here.

Updates to RFC 5926

Concrete KDFs

KDF_HMAC_SHA224 For KDF_HMAC_SHA224:

• PRF for KDF_alg: HMAC-SHA224
• Use: HMAC-SHA224(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 224 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA256 For KDF_HMAC_SHA256:

• PRF for KDF_alg: HMAC-SHA256
• Use: HMAC-SHA256(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 256 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA384 For KDF_HMAC_SHA384:

• PRF for KDF_alg: HMAC-SHA384
• Use: HMAC-SHA384(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 384 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA512 For KDF_HMAC_SHA512:

• PRF for KDF_alg: HMAC-SHA512
• Use: HMAC-SHA512(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 224 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA3-224 For KDF_HMAC_SHA3-224:

• PRF for KDF_alg: HMAC-SHA3-224
• Use: HMAC-SHA3-224(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 224 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA3-256 For KDF_HMAC_SHA3-256:

• PRF for KDF_alg: HMAC-SHA3-256
• Use: HMAC-SHA3-256(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 256 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA3-384 For KDF_HMAC_SHA3-384:

• PRF for KDF_alg: HMAC-SHA3-384
• Use: HMAC-SHA3-384(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 384 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

KDF_HMAC_SHA3-512 For KDF_HMAC_SHA3-512:

• PRF for KDF_alg: HMAC-SHA3-512
• Use: HMAC-SHA3-512(Key, Input).
• Input: ( i || Label || Context || Output_Length)
• Key: Master_Key, configured by user, and passed to the KDF
• Output_Length: 512 bits
• Result: Traffic_Key, used in the MAC function by TCP-AO

Non-truncated MAC Algorithms The following subsections should be added to Section 3.2 of .

The Use of HMAC-SHA224 By definition, HMAC requires a cryptographic hash function. SHA224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA224 are:

• KDF_Alg: KDF_HMAC_SHA224.
• Key_Length: 224 bits.
• MAC_Length: 224 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA224 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA224.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA256 By definition, HMAC requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA256 are:

• KDF_Alg: KDF_HMAC_SHA256
• Key_Length: 256 bits.
• MAC_Length: 256 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA256 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA256
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA384 By definition, HMAC requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA384 are:

• KDF_Alg: KDF_HMAC_SHA384
• Key_Length: 384 bits.
• MAC_Length: 384 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA384 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA384
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA512 By definition, HMAC requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA512 are:

• KDF_Alg: KDF_HMAC_SHA512
• Key_Length: 512 bits.
• MAC_Length: 512 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA512 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA512
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-224 By definition, HMAC requires a cryptographic hash function. SHA3-224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224 are:

• KDF_Alg: KDF_HMAC_SHA3-224.
• Key_Length: 224 bits.
• MAC_Length: 224 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-224 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-224.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-256 By definition, HMAC requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-256 are:

• KDF_Alg: KDF_HMAC_SHA3-256.
• Key_Length: 256 bits.
• MAC_Length: 256 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-256 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-256.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-384 By definition, HMAC requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-384 are:

• KDF_Alg: KDF_HMAC_SHA3-384.
• Key_Length: 384 bits.
• MAC_Length: 384 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-384 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-384.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-512 By definition, HMAC requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224 are:

• KDF_Alg: KDF_HMAC_SHA3-512.
• Key_Length: 512 bits.
• MAC_Length: 512 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-512 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-512.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

Truncated MAC Algorithms The following subsections should be added to Section 3.2 of .

The Use of HMAC-SHA224-128 By definition, HMAC requires a cryptographic hash function. SHA224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA224-128 are:

• KDF_Alg: KDF_HMAC_SHA224.
• Key_Length: 224 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA224-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA224.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA256-128 By definition, HMAC requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA256-128 are:

• KDF_Alg: KDF_HMAC_SHA256
• Key_Length: 256 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA256-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA256
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA384-128 By definition, HMAC requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA384-128 are:

• KDF_Alg: KDF_HMAC_SHA384
• Key_Length: 384 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA384-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA384
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA512-128 By definition, HMAC requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA512-128 are:

• KDF_Alg: KDF_HMAC_SHA512
• Key_Length: 512 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA512-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA512
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-224-128 By definition, HMAC requires a cryptographic hash function. SHA3-224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224-128 are:

• KDF_Alg: KDF_HMAC_SHA3-224.
• Key_Length: 224 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-224-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-224.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-256-128 By definition, HMAC requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-256-128 are:

• KDF_Alg: KDF_HMAC_SHA3-256.
• Key_Length: 256 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-256-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-256.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-384-128 By definition, HMAC requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-384-128 are:

• KDF_Alg: KDF_HMAC_SHA3-384.
• Key_Length: 384 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-384-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-384.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

The Use of HMAC-SHA3-512-128 By definition, HMAC requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224-128 are:

• KDF_Alg: KDF_HMAC_SHA3-512.
• Key_Length: 512 bits.
• MAC_Length: 128 bits.

For:

• MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-512-128 for TCP-AO has the following values:

• MAC_alg: HMAC-SHA3-512.
• Traffic_Key: Variable; the result of the KDF.
• Message: The message to be authenticated, as specified in , Section 5.1.

Security Considerations TBD

IANA Considerations IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-3). IANA Actions

Algorithm	Reference
SHA224	This Document
SHA256	This Document
SHA384	This Document
SHA512	This Document
SHA3-224	This Document
SHA3-256	This Document
SHA3-384	This Document
SHA3-512	This Document
SHA224-128	This Document
SHA256-128	This Document
SHA384-128	This Document
SHA512-128	This Document
SHA3-224-128	This Document
SHA3-256-128	This Document
SHA3-384-128	This Document
SHA3-512-128	This Document

Acknowledgements TBD

Normative References This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Some implementations of IP Security (IPsec) may want to use a pseudo-random function (PRF) based on the Advanced Encryption Standard (AES). This memo describes such an algorithm, called AES-CMAC-PRF-128. It supports fixed and variable key sizes. [STANDARDS-TRACK] This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK] The TCP Authentication Option (TCP-AO) relies on security algorithms to provide authentication between two end-points. There are many such algorithms available, and two TCP-AO systems cannot interoperate unless they are using the same algorithms. This document specifies the algorithms and attributes that can be used in TCP-AO's current manual keying mechanism and provides the interface for future message authentication codes (MACs). [STANDARDS-TRACK] RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. HPE HPE The TCP header can accommodates 40 octets of TCP options. However, modern applications may require more than 40 octets of TCP Options. Therefore, this document describes an experiment that extends the TCP Options field. If this experiment is successful, it will demonstrate that the extension procedures described herein are implementable and deployable. It will also demonstrate that they maintain backwards compatibility. National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology