Delay-Tolerant Networking                                     E. Birrane
Internet-Draft                                                   JHU/APL
Intended status: Standards Track                        October 22, 2018
Expires: April 25, 2019

                  BPSec Interoperability Cipher Suites
                  draft-birrane-dtn-bpsec-interop-cs-03

Abstract

   This document defines a set of integrity and confidentiality cipher
   suites suitable for testing the interoperability of Bundle Protocol
   Security (BPSec) implementations.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Cipher Suite BIB-HMAC256-SHA256
     3.1.  Overview
     3.2.  Key Considerations
     3.3.  Canonicalization Algorithms
     3.4.  Cipher Suite Parameter Definitions
     3.5.  Security Result Definitions
   4.  Cipher Suite BCB-AES-GCM-256
     4.1.  Overview
     4.2.  Key Considerations
     4.3.  Canonicalization Algorithms
     4.4.  Processing
       4.4.1.  Encryption
       4.4.2.  Decryption
     4.5.  Cipher Suite Parameter Definitions
     4.6.  Security Result Definitions
   5.  IANA Considerations
     5.1.  Bundle Block Types
   6.  Normative References
   Appendix A.  Acknowledgements
   Author's Address

1.  Introduction

   The Bundle Protocol Security (BPSec) [I-D.ietf-dtn-bpsec]
   specification provides inter-bundle integrity and confidentiality
   features for networks deploying the Bundle Protocol (BP)
   [I-D.ietf-dtn-bpbis].  BPSec defines a set of BP extension blocks to
   carry cipher suite results and associated meta-data, but does not
   define a common set of supported cipher suites.  This document
   extends BPSec and defines an integrity cipher suite and a
   confidentiality cipher suite suitable for populating BPSec Block
   Integrity Blocks (BIBs) and Block Confidentiality Blocks (BCBs),
   respectively.
   The purpose of the cipher suites described in this document is
   twofold.  First, these suites should be used to test the
   interoperability of BPSec implementations.  Second, this
   specification can serve as a template to be followed by other BPSec
   cipher suite authors.

   The intent of these cipher suite definitions is to provide a
   mechanism for interoperability testing.  There is no claim that these
   cipher suites are suitable for operational deployment in any
   particular networking scenario.  Further, there is no requirement
   that these cipher suites be used in any operational network
   deployments.

   These cipher suites generate information that MUST be encoded using
   the CBOR specification documented in [RFC7049].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  Cipher Suite BIB-HMAC256-SHA256

3.1.  Overview

   This integrity cipher suite provides a signed hash over the security
   target based on the use of the SHA-256 message digest algorithm
   [RFC4634] combined with HMAC [RFC2104] with a 256-bit truncation
   length.  This formulation is based on the HMAC 256/256 algorithm
   defined in [RFC8152] Table 7: HMAC Algorithm Values.

   The BIB-HMAC256-SHA256 cipher suite has a Cipher Suite ID of 0x1.

3.2.  Key Considerations

   Keys used with this specification MUST be symmetric and 256 bits in
   length.

   This cipher suite provides no requirements on the configuration or
   management of keys.

3.3.  Canonicalization Algorithms

   BIB-HMAC256-SHA256 uses the standard canonicalization algorithms
   defined in [I-D.ietf-dtn-bpsec] and operates over all of the block-
   type-specific data fields for the security target.
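   As an added example that is not part of this draft, the following Go
   code (standard library only) produces and verifies the
   BIB-HMAC256-SHA256 "Tag" result of Section 3 over the canonical
   block-type-specific data: it enforces the 256-bit key of Section 3.2,
   keeps the full 256-bit HMAC-SHA256 output, encodes the 32-byte tag as
   the CBOR byte string of Section 3.5 and compares tags in constant
   time.  The key, sample payload and function names are constructed for
   illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// bibHmacTag computes the BIB-HMAC256-SHA256 "Tag" result (Section 3.5):
// HMAC-SHA256 with a 256-bit key over the canonical block-type-specific data
// of the security target, keeping the full 256-bit output. The tag is
// returned as a CBOR byte string; 32 bytes always take the header 0x58 0x20.
func bibHmacTag(key, canonicalData []byte) ([]byte, error) {
	if len(key) != 32 { // Section 3.2: keys MUST be symmetric and 256 bits
		return nil, errors.New("BIB-HMAC256-SHA256: key must be 256 bits")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(canonicalData)
	return append([]byte{0x58, 0x20}, mac.Sum(nil)...), nil
}

// bibHmacVerify recomputes the tag at the verifier or acceptor and compares
// it in constant time; a wrong CBOR header, a truncated tag or any change to
// the data is an integrity failure for local security policy to act on.
func bibHmacVerify(key, canonicalData, tagResult []byte) bool {
	want, err := bibHmacTag(key, canonicalData)
	return err == nil && hmac.Equal(want, tagResult)
}

func main() {
	// Constructed sample values, not taken from the draft: a 256-bit key and
	// a payload block's block-type-specific data, itself a CBOR byte string
	// (0x4b is the header of an 11-byte byte string).
	key := []byte("0123456789abcdef0123456789abcdef")
	payload := append([]byte{0x4b}, []byte("hello bpsec")...)
	altered := append([]byte{0x4b}, []byte("hello bpsed")...)
	tag, _ := bibHmacTag(key, payload)
	fmt.Printf("Tag result (CBOR): %x\n", tag)
	fmt.Println("original verifies:", bibHmacVerify(key, payload, tag))
	fmt.Println("altered verifies: ", bibHmacVerify(key, altered, tag))
}
```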
   This cipher suite does not include hashing over other parts of the
   target block header, such as the block type code, block number,
   block processing control flags, or any CRC information.

3.4.  Cipher Suite Parameter Definitions

   BIB-HMAC256-SHA256 defines the following cipher suite parameters.

                      BIB-HMAC256-SHA256 Parameters

   +------+------+--------+--------------------------------------------+
   | Parm | Parm | CBOR   | Description                                |
   | Id   | Name | Type   |                                            |
   +------+------+--------+--------------------------------------------+
   | 1    | Key  | byte   | Material encoded or protected by the key   |
   |      |      | string | management system and used to transport an |
   |      |      |        | ephemeral key protected by a long-term     |
   |      |      |        | key.                                       |
   +------+------+--------+--------------------------------------------+

                                  Table 1

3.5.  Security Result Definitions

   BIB-HMAC256-SHA256 defines the following security results.

                   BIB-HMAC256-SHA256 Security Results

   +-----------+-------------+-------------+---------------------------+
   | Result Id | Result Name | CBOR Type   | Description               |
   +-----------+-------------+-------------+---------------------------+
   | 1         | Tag         | byte string | The tag produced by HMAC. |
   +-----------+-------------+-------------+---------------------------+

                                  Table 2

4.  Cipher Suite BCB-AES-GCM-256

4.1.  Overview

   This confidentiality cipher suite provides cipher-text to replace the
   plain-text block-type-specific data fields of its target block.
   BCB-AES-GCM-256 uses the Advanced Encryption Standard (AES) cipher
   operating in Galois/Counter Mode (GCM) [AES-GCM].  This formulation
   is based on the A256GCM algorithm defined in [RFC8152] Table 9:
   Algorithm Value for AES-GCM.

   The BCB-AES-GCM-256 cipher suite has a Cipher Suite ID of 0x02.

   This cipher suite does modify the size of the target block.

4.2.  Key Considerations

   Keys used with this specification MUST be symmetric and 256 bits in
   length.

   This cipher suite provides no requirements on the configuration or
   management of keys.

4.3.  Canonicalization Algorithms

   BCB-AES-GCM-256 uses the standard canonicalization algorithms defined
   in [I-D.ietf-dtn-bpsec] and operates over all of the block-type-
   specific data fields for the security target.  This cipher suite does
   not include hashing over other parts of the target block header, such
   as the block type code, block number, block processing control flags,
   or any CRC information.

4.4.  Processing

4.4.1.  Encryption

   When encrypting, the BCB-AES-GCM-256 cipher treats the catenation of
   the target block's block-type-specific data fields as a single set of
   plain-text.

   Cipher-text, once calculated, is stored as a CBOR byte string
   replacing the value of the target block's block-type-specific data.
   Because the plain-text and cipher-text will have the same length, the
   CBOR byte string encoding will have the same encoding of the byte
   string type and length.  This allows the replacement of plain-text
   with cipher-text without any additional consideration of block-type-
   specific data field processing.

4.4.2.  Decryption

   When decrypting, the target block's block-type-specific field is
   verified to be only a CBOR byte string.  If this is not the case, the
   decryption is treated as failed and processed in accordance with
   local security policy.  Otherwise, the byte string and key
   information are passed to the cipher for decryption.

   If the cipher-text fails to authenticate, or if there are other
   problems in the decryption (such as the creation of invalid CBOR
   plain-text), then the decryption MUST be treated as failed and
   processed in accordance with local security policy.
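   As an added example that is not part of this draft, the following Go
   code (standard library only) carries out the encryption and decryption
   steps of Sections 4.4.1 and 4.4.2 on one target field: it refuses any
   field that is not exactly one CBOR byte string, encrypts under
   AES-256-GCM with no additional authenticated data, keeps the CBOR
   header unchanged because the cipher-text has the plain-text's length,
   and hands back the 16-byte Authentication Tag of Section 4.6 as a
   separate result.  Function names are constructed; byte strings longer
   than 255 bytes are left out to keep the header check short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// bcbSetup runs the shared checks: the field is exactly one definite-length
// CBOR byte string of up to 255 bytes (the Section 4.4.2 pre-check), the key
// is 256 bits and the IV 8 to 16 bytes (4.2, 4.5). IV uniqueness is not checked.
func bcbSetup(key, iv, f []byte) (int, cipher.AEAD, error) {
	h := 0 // CBOR header length to preserve; 0 means "not a byte string"
	if len(f) > 0 && f[0] >= 0x40 && f[0] < 0x58 && len(f) == 1+int(f[0]&0x1f) {
		h = 1 // one-byte header, payload length 0..23
	} else if len(f) > 1 && f[0] == 0x58 && len(f) == 2+int(f[1]) {
		h = 2 // two-byte header, payload length 24..255
	}
	if h == 0 || len(key) != 32 || len(iv) < 8 || len(iv) > 16 {
		return 0, nil, errors.New("BCB-AES-GCM-256: bad field, key or IV")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, err := cipher.NewGCMWithNonceSize(block, len(iv))
	return h, aead, err
}

// bcbEncrypt (Section 4.4.1): no AAD, the payload is the only input; the
// cipher-text keeps the CBOR header and the 16-byte tag is the security result.
func bcbEncrypt(key, iv, field []byte) ([]byte, []byte, error) {
	h, aead, err := bcbSetup(key, iv, field)
	if err != nil {
		return nil, nil, err
	}
	sealed := aead.Seal(nil, iv, field[h:], nil) // cipher-text || tag
	n := len(sealed) - aead.Overhead()
	return append(append([]byte{}, field[:h]...), sealed[:n]...), sealed[n:], nil
}

// bcbDecrypt (Section 4.4.2): a malformed field, a wrong-length tag or a tag
// mismatch is a failed decryption, to be handled by local security policy.
func bcbDecrypt(key, iv, field, tag []byte) ([]byte, error) {
	h, aead, err := bcbSetup(key, iv, field)
	if err != nil || len(tag) != 16 {
		return nil, errors.New("decryption failed: bad field, key, IV or tag")
	}
	pt, err := aead.Open(nil, iv, append(append([]byte{}, field[h:]...), tag...), nil)
	if err != nil {
		return nil, errors.New("decryption failed: authentication")
	}
	return append(append([]byte{}, field[:h]...), pt...), nil
}
```

   Both functions return an error and no partial output on any failure,
   so a caller can apply local security policy uniformly; bcbEncrypt
   followed by bcbDecrypt with the same key and IV yields the original
   field.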
   If the decryption succeeds, the resultant plain-text MUST replace the
   cipher-text in the target block.

4.5.  Cipher Suite Parameter Definitions

   BCB-AES-GCM-256 defines the following cipher suite parameters.  It
   should be noted that in this specification there is no additional
   authenticated data passed to the AES-GCM cipher.  The plain-text is
   the only data input and MUST be the entire data contents of the
   target block.  Because replaying an IV in counter mode voids the
   confidentiality of all messages encrypted with said IV, this cipher
   suite also requires a unique IV for every encryption performed with
   the same key.  This means the same key and IV combination must never
   be used more than once.

                       BCB-AES-GCM-256 Parameters

   +------+----------------+--------+----------------------------------+
   | Parm | Parm Name      | CBOR   | Description                      |
   | Id   |                | Type   |                                  |
   +------+----------------+--------+----------------------------------+
   | 1    | Key            | byte   | Material encoded or protected by |
   |      |                | string | the key management system and    |
   |      |                |        | used to transport an ephemeral   |
   |      |                |        | key protected by a long-term     |
   |      |                |        | key.                             |
   | 2    | Initialization | byte   | The initialization vector.  A    |
   |      | Vector         | string | random value between 8-16 bytes. |
   |      |                |        | 12 bytes is recommended.         |
   +------+----------------+--------+----------------------------------+

                                  Table 3

4.6.  Security Result Definitions

   BCB-AES-GCM-256 defines the following security results.  It should be
   noted that cipher-text is not a security result, as the resultant
   cipher-text is stored in the target block.  When operating in GCM
   mode, AES produces cipher-text of the same size as its plain-text
   and, therefore, no security results are necessary to capture padding
   information.
                    BCB-AES-GCM-256 Security Results

   +--------+----------------+--------+--------------------------------+
   | Result | Result Name    | CBOR   | Description                    |
   | Id     |                | Type   |                                |
   +--------+----------------+--------+--------------------------------+
   | 1      | Authentication | byte   | Output from the AES-GCM        |
   |        | Tag            | string | cipher. This value (prior to   |
   |        |                |        | CBOR encoding) MUST be 16      |
   |        |                |        | bytes long.                    |
   +--------+----------------+--------+--------------------------------+

                                  Table 4

5.  IANA Considerations

5.1.  Bundle Block Types

   This specification allocates two block types from the "BPSec Cipher
   Suite IDs" registry defined in [I-D.ietf-dtn-bpsec].

   Additional BPSec Cipher Suite IDs:

   +-------+--------------------+---------------+
   | Value | Description        | Reference     |
   +-------+--------------------+---------------+
   | 1     | BIB-HMAC256-SHA256 | This document |
   | 2     | BCB-AES-GCM-256    | This document |
   +-------+--------------------+---------------+

                     Table 5

6.  Normative References

   [AES-GCM]  Dworkin, M., "NIST Special Publication 800-38D:
              Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC.", November 2007.

   [I-D.ietf-dtn-bpbis]
              Burleigh, S., Fall, K., and E. Birrane, "Bundle Protocol
              Version 7", draft-ietf-dtn-bpbis-10 (work in progress),
              November 2017.

   [I-D.ietf-dtn-bpsec]
              Birrane, E. and K. McKeever, "Bundle Protocol Security
              Specification", draft-ietf-dtn-bpsec-06 (work in
              progress), October 2017.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,
              <https://www.rfc-editor.org/info/rfc2104>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4634]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and HMAC-SHA)", RFC 4634, DOI 10.17487/RFC4634, July
              2006, <https://www.rfc-editor.org/info/rfc4634>.

   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
              October 2013, <https://www.rfc-editor.org/info/rfc7049>.

   [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
              RFC 8152, DOI 10.17487/RFC8152, July 2017,
              <https://www.rfc-editor.org/info/rfc8152>.

Appendix A.  Acknowledgements

   The following participants contributed useful analysis of this
   specification: Prathibha Rama of the Johns Hopkins University Applied
   Physics Laboratory.

Author's Address

   Edward J. Birrane, III
   The Johns Hopkins University Applied Physics Laboratory
   11100 Johns Hopkins Rd.
   Laurel, MD 20723
   US

   Phone: +1 443 778 7423
   Email: Edward.Birrane@jhuapl.edu