]> Additional Security Algorithms For Use With TCP-AO HPE
USA ronald.bonica@hpe.com
HPE
USA tony.li@tony.li
Transport TCPM Working Group TCP-AO RFC5926 specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms specified in this document use stronger cryptography.
Introduction TCP end-points use the TCP Authentication Option (TCP-AO) to authenticate segments. TCP-AO relies upon:
  • A Master Key Tuple (MKT)
  • A Key Derivation Function (KDF)
  • A Message Authentication Code (MAC) algorithm
TCP-AO systems are configured with one or more MKTs for each connection that they protect. When a connection is associated with multiple MKTs, TCP-AO can rotate among them during the course of a TCP session. This facilitates dynamic key change and authentication algorithm agility. An MKT includes:
  • Two MKT identifiers, one used for sending and one used for receiving
  • A connection identifier (i.e., a TCP socket pair)
  • A master key (i.e., a shared secret)
  • A KDF
  • A MAC algorithm
  • A flag indicating whether TCP options other than TCP-AO are authenticated
The KDF generates a traffic key. Its inputs are:
  • A pseudorandom function (PRF) used to generate the traffic key
  • The master key
  • Context (i.e., A binary string containing information related to the connection)
  • Output length (i.e., the length of the traffic key, in bits)
The MAC algorithm produces a MAC. It is defined by:
  • The KDF algorithm used to generate the traffic key
  • The length of the traffic key, in bits
  • The length of the MAC, in bits
The following are inputs to the MAC Algorithm:
  • traffic key
  • message
TCP-AO systems include the MAC in the TCP-AO. They use the MAC to authenticate segments. specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms defined in this document use stronger cryptography. According to , "Applications of HMAC can choose to truncate the output of HMAC by outputting the t leftmost bits of the HMAC computation for some parameter t". The algorithms described in this document truncate the output of HMAC to 128 bits (i.e., 16 bytes). Therefore, when they are encoded in TCP-AO, the TCP-AO consumes 20 bytes.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 when, and only when, they appear in all capitals, as shown here.
Updates to RFC 5926
Concrete KDFs
KDF_HMAC_SHA256 For KDF_HMAC_SHA256:
  • PRF for KDF_alg: HMAC-SHA256
  • Use: HMAC-SHA256(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 256 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA384 For KDF_HMAC_SHA384:
  • PRF for KDF_alg: HMAC-SHA384
  • Use: HMAC-SHA384(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 384 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA512 For KDF_HMAC_SHA512:
  • PRF for KDF_alg: HMAC-SHA512
  • Use: HMAC-SHA512(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 512 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA3-256 For KDF_HMAC_SHA3-256:
  • PRF for KDF_alg: HMAC-SHA3-256
  • Use: HMAC-SHA3-256(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 256 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA3-384 For KDF_HMAC_SHA3-384:
  • PRF for KDF_alg: HMAC-SHA3-384
  • Use: HMAC-SHA3-384(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 384 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA3-512 For KDF_HMAC_SHA3-512:
  • PRF for KDF_alg: HMAC-SHA3-512
  • Use: HMAC-SHA3-512(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 512 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
MAC Algorithms The following subsections should be added to Section 3.2 of .
The Use of HMAC-SHA256-128 By definition, HMAC requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA256-128 are:
  • KDF_Alg: KDF_HMAC_SHA256
  • Key_Length: 256 bits.
  • MAC_Length: 128 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA256-128 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA256
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA384-128 By definition, HMAC requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA384-128 are:
  • KDF_Alg: KDF_HMAC_SHA384
  • Key_Length: 384 bits.
  • MAC_Length: 128 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA384-128 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA384
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA512-128 By definition, HMAC requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA512-128 are:
  • KDF_Alg: KDF_HMAC_SHA512
  • Key_Length: 512 bits.
  • MAC_Length: 128 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA512-128 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA512
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA3-256-128 By definition, HMAC requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-256-128 are:
  • KDF_Alg: KDF_HMAC_SHA3-256.
  • Key_Length: 256 bits.
  • MAC_Length: 128 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA3-256-128 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA3-256.
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA3-384-128 By definition, HMAC requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-384-128 are:
  • KDF_Alg: KDF_HMAC_SHA3-384.
  • Key_Length: 384 bits.
  • MAC_Length: 128 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA3-384-128 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA3-384.
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA3-512-128 By definition, HMAC requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-512-128 are:
  • KDF_Alg: KDF_HMAC_SHA3-512.
  • Key_Length: 512 bits.
  • MAC_Length: 128 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA3-512-128 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA3-512.
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
Security Considerations According to , "Applications of HMAC can choose to truncate the output of HMAC by outputting the t leftmost bits of the HMAC computation for some parameter t". The algorithms described in this document truncate the output of HMAC to 128 bits (i.e., 16 bytes). Therefore, when they are encoded in TCP-AO, the TCP-AO consumes 20 bytes. continues, "We recommend that the output length t be not less than half the length of the hash output (to match the birthday attack bound) and not less than 80 bits (a suitable lower bound on the number of bits that need to be predicted by an attacker). In this document, only the following MAC algorithms comply with that recommendation:
  • HMAC-SHA256-128
  • HMAC-SHA3-256-128
IANA Considerations IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-3). IANA Actions
Algorithm Reference
SHA256-128 This Document
SHA384-128 This Document
SHA512-128 This Document
SHA3-256-128 This Document
SHA3-384-128 This Document
SHA3-512-128 This Document
Acknowledgements Thanks to Lars Eggert, Gorry Fairhurst, C.M. Heard, Russ Housley, John Mattsson, Yoshifumi Nishida, Joe Touch, Michael Tuxen, and Magnus Westerlund for their review and comments.
Normative References HMAC: Keyed-Hashing for Message Authentication This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE) Some implementations of IP Security (IPsec) may want to use a pseudo-random function (PRF) based on the Advanced Encryption Standard (AES). This memo describes such an algorithm, called AES-CMAC-PRF-128. It supports fixed and variable key sizes. [STANDARDS-TRACK] The TCP Authentication Option This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK] Cryptographic Algorithms for the TCP Authentication Option (TCP-AO) The TCP Authentication Option (TCP-AO) relies on security algorithms to provide authentication between two end-points. There are many such algorithms available, and two TCP-AO systems cannot interoperate unless they are using the same algorithms. This document specifies the algorithms and attributes that can be used in TCP-AO's current manual keying mechanism and provides the interface for future message authentication codes (MACs). [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Secure hash standard National Institute of Standards and Technology (U.S.) Advanced Encryption Standard (AES) National Institute of Standards and Technology (U.S.) SHA-3 standard :: permutation-based hash and extendable-output functions National Institute of Standards and Technology (U.S.) Recommendation for block cipher modes of operation :: the CMAC mode for authentication National Institute of Standards and Technology