]> Additional Security Algorithms For Use With TCP-AO HPE
USA ronald.bonica@hpe.com
HPE
USA tony.li@tony.li
Transport TCPM Working Group TCP-AO RFC5926 specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms specified in this document use stronger cryptography.
Introduction TCP end-points use the TCP Authentication Option (TCP-AO) to authenticate segments. TCP-AO relies upon:
  • A Master Key Tuple (MKT)
  • A Key Derivation Function (KDF)
  • A Message Authentication Code (MAC) algorithm
TCP-AO systems are configured with one or more MKTs for each connection that they protect. When a connection is associated with multiple MKTs, TCP-AO can rotate among them during the course of a TCP session. This facilitates dynamic key change and authentication algorithm agility. An MKT includes:
  • Two MKT identifiers, one used for sending and one used for receiving
  • A connection identifier (i.e., a TCP socket pair)
  • A master key (i.e., a shared secret)
  • A KDF
  • A MAC algorithm
  • A flag indicating whether TCP options other than TCP-AO are authenticated
The KDF generates a traffic key. Its inputs are:
  • A pseudorandom function (PRF) used to generate the traffic key
  • The master key
  • Context (i.e., A binary string containing information related to the connection)
  • Output length (i.e., the length of the traffic key, in bits)
The MAC algorithm produces a MAC. It is defined by:
  • The KDF algorithm used to generate the traffic key
  • The length of the traffic key, in bits
  • The length of the MAC, in bits
The following are inputs to the MAC Algorithm:
  • traffic key
  • message
TCP-AO systems include the MAC in the TCP-AO. They use the MAC to authenticate segments. specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms defined in this document use stronger cryptography. The MAC algorithms described this document yield MACs ranging from 256 to 512 bits (i.e., 32 to 64 bytes). Therefore, when they are encoded in a TCP-AO, the TCP-AO ranges from 36 to 68 bytes. The TCP-AO is encoded in the TCP Options field. The TCP Options field is frequently required to carry multiple options, including the TCP-AO. Currently, the TCP-Options field cannot exceed 40 bytes. However, TCP Extended Options removes this limitation. Therefore, the MAC algorithms described in this document can only be used on systems that support TCP Extended Options or some other mechanism that extends the TCP Options field.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 when, and only when, they appear in all capitals, as shown here.
Updates to RFC 5926
Concrete KDFs
KDF_HMAC_SHA256 For KDF_HMAC_SHA256:
  • PRF for KDF_alg: HMAC-SHA256
  • Use: HMAC-SHA256(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 256 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA384 For KDF_HMAC_SHA384:
  • PRF for KDF_alg: HMAC-SHA384
  • Use: HMAC-SHA384(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 384 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA512 For KDF_HMAC_SHA512:
  • PRF for KDF_alg: HMAC-SHA512
  • Use: HMAC-SHA512(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 224 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA3-256 For KDF_HMAC_SHA3-256:
  • PRF for KDF_alg: HMAC-SHA3-256
  • Use: HMAC-SHA3-256(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 256 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA3-384 For KDF_HMAC_SHA3-384:
  • PRF for KDF_alg: HMAC-SHA3-384
  • Use: HMAC-SHA3-384(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 384 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
KDF_HMAC_SHA3-512 For KDF_HMAC_SHA3-512:
  • PRF for KDF_alg: HMAC-SHA3-512
  • Use: HMAC-SHA3-512(Key, Input).
  • Input: ( i || Label || Context || Output_Length)
  • Key: Master_Key, configured by user, and passed to the KDF
  • Output_Length: 512 bits
  • Result: Traffic_Key, used in the MAC function by TCP-AO
MAC Algorithms
The Use of HMAC-SHA256 By definition, HMAC requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA256 are:
  • KDF_Alg: KDF_HMAC_SHA256
  • Key_Length: 256 bits.
  • MAC_Length: 256 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA256 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA256
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA384 By definition, HMAC requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA384 are:
  • KDF_Alg: KDF_HMAC_SHA384
  • Key_Length: 384 bits.
  • MAC_Length: 384 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA384 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA384
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA512 By definition, HMAC requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA512 are:
  • KDF_Alg: KDF_HMAC_SHA512
  • Key_Length: 512 bits.
  • MAC_Length: 512 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA512 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA512
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA3-256 By definition, HMAC requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-256 are:
  • KDF_Alg: KDF_HMAC_SHA3-256.
  • Key_Length: 256 bits.
  • MAC_Length: 256 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA3-256 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA3-256.
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA3-384 By definition, HMAC requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-384 are:
  • KDF_Alg: KDF_HMAC_SHA3-384.
  • Key_Length: 384 bits.
  • MAC_Length: 384 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA3-384 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA3-384.
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
The Use of HMAC-SHA3-512 By definition, HMAC requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224 are:
  • KDF_Alg: KDF_HMAC_SHA3-512.
  • Key_Length: 512 bits.
  • MAC_Length: 512 bits.
For:
  • MAC = MAC_alg (Traffic_Key, Message)
HMAC-SHA3-512 for TCP-AO has the following values:
  • MAC_alg: HMAC-SHA3-512.
  • Traffic_Key: Variable; the result of the KDF.
  • Message: The message to be authenticated, as specified in , Section 5.1.
Security Considerations This document inherits all of the security considerations of the TCP-AO .
IANA Considerations IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-3). IANA Actions
Algorithm Reference
SHA256 This Document
SHA384 This Document
SHA512 This Document
SHA3-256 This Document
SHA3-384 This Document
SHA3-512 This Document
Acknowledgements Thanks to Lars Eggert, Gorry Fairhurst, C.M. Heard, Russ Housley, John Mattsson, Yoshifumi Nishida, Joe Touch, Michael Tuxen, and Magnus Westerlund for their review and comments.
Normative References HMAC: Keyed-Hashing for Message Authentication This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE) Some implementations of IP Security (IPsec) may want to use a pseudo-random function (PRF) based on the Advanced Encryption Standard (AES). This memo describes such an algorithm, called AES-CMAC-PRF-128. It supports fixed and variable key sizes. [STANDARDS-TRACK] The TCP Authentication Option This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK] Cryptographic Algorithms for the TCP Authentication Option (TCP-AO) The TCP Authentication Option (TCP-AO) relies on security algorithms to provide authentication between two end-points. There are many such algorithms available, and two TCP-AO systems cannot interoperate unless they are using the same algorithms. This document specifies the algorithms and attributes that can be used in TCP-AO's current manual keying mechanism and provides the interface for future message authentication codes (MACs). [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. TCP Extended Options HPE HPE The TCP header can accommodates 40 octets of TCP options. However, modern applications may require more than 40 octets of TCP Options. Therefore, this document describes an experiment that extends the TCP Options field. If this experiment is successful, it will demonstrate that the extension procedures described herein are implementable and deployable. It will also demonstrate that they maintain backwards compatibility. Secure hash standard National Institute of Standards and Technology (U.S.) Advanced Encryption Standard (AES) National Institute of Standards and Technology (U.S.) SHA-3 standard :: permutation-based hash and extendable-output functions National Institute of Standards and Technology (U.S.) Recommendation for block cipher modes of operation :: the CMAC mode for authentication National Institute of Standards and Technology