idnits 2.17.1 draft-camwinget-tls-ts13-macciphersuites-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet has text resembling RFC 2119 boilerplate text. -- The document date (July 8, 2019) is 1753 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4634 (Obsoleted by RFC 6234) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS N. Cam-Winget 3 Internet-Draft Cisco Systems 4 Intended status: Informational J. Visoky 5 Expires: January 9, 2020 ODVA 6 July 8, 2019 8 TLS 1.3 Authentication and Integrity only Ciphersuites 9 draft-camwinget-tls-ts13-macciphersuites-04 11 Abstract 13 There are use cases, specifically in Internet of Things (IoT) and 14 constrained environments that do not require confidentiality, though 15 mutual authentication during tunnel establishment and message 16 integrity is still mandated. This document defines the use of HMAC 17 only as ciphersuites in TLS 1.3. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on January 9, 2020. 36 Copyright Notice 38 Copyright (c) 2019 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (https://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 54 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3. Applicability Statement . . . . . . . . . . . . . . . . . . . 3 56 4. Using Integrity only Cipher Suites . . . . . . . . . . . . . 4 57 5. Record Payload Protection for Integrity only Cipher Suites . 5 58 6. Key Schedule when using Integrity only Cipher Suites . . . . 5 59 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 60 8. Security and Privacy Considerations . . . . . . . . . . . . . 6 61 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 62 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 64 10.2. Informative Reference . . . . . . . . . . . . . . . . . 7 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 67 1. Introduction 69 There are several use cases in which communications privacy is not 70 strictly needed, although authenticity of the communications 71 transport is still very important. For example, within the 72 Industrial Automation space there could be TCP or UDP communications 73 which command a robotic arm to move a certain distance at a certain 74 speed. Without authenticity guarantees an attacker could modify the 75 packets to change the movement of the robotic arm, potentially 76 causing physical damage. However, the motion control commands are 77 not considered to be sensitive information and thus there is no 78 requirement to provide confidentiality. Another IoT example with no 79 strong requirement for confidentiality is the reporting of weather 80 information; however, message authenticity is required to ensure 81 integrity of the message.. 83 Besides having a strong need for authenticity and a weak need for 84 confidentiality, many of these systems also have serious latency 85 requirements. Furthermore, several IoT devices (industrial or 86 otherwise) have limited processing capability. However, these IoT 87 systems still gain great benefit from leveraging TLS 1.3 for secure 88 communications. Given the reduced need for confidentiality TLS 1.3 89 [RFC8446] cipher suites that maintain data integrity without 90 confidentiality are described in this document. 92 2. Terminology 94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 96 document are to be interpreted as described in BCP 14 [RFC2119] 97 [RFC8174] when, and only when, they appear in all capitals, as shown 98 here. 100 3. Applicability Statement 102 The ciphersuites defined in this document are intended for a small 103 limited set of applications where confidentiality requirements are 104 relaxed and the need to minimize the cryptographic algorithms are 105 prioritized. This section describes some of those applicable use 106 cases. 108 Use cases in the industrial automation industry, while requiring data 109 integrity, relax the confidential communications requirement. 110 Mainly, information communicated to unmanned machines to execute 111 repetitive tasks do not convey private information. For example, 112 there could be a system with a robotic arm that is doing high speed 113 pick-and-place of materials. The position synchronization data and 114 motion commands are required to have very low latency, as the process 115 needs to be done at high speed on a compute and memory constrained 116 device. However, information such as the position, speed, 117 acceleration of the robotic arm or other material in the system is 118 not confidential. That is, while an attacker can determine the 119 behavioral aspects and task of the device; no intellectual property 120 concerns or data privacy concerns exist for these communications. 121 However, data integrity is required as being able to modify this data 122 would be a threat that an attacker might seek to exploit with serious 123 consequences; the attacker could modify the motion information in 124 order to cause physical damage to the equipment. 126 Another use case which is closely related is that of fine grained 127 time updates. Motion systems often rely on time synchronization to 128 ensure proper execution. Time updates are essentially public, there 129 is no threat from an attacker knowing the time update information. 130 This should make intuitive sense to those not familiar with these 131 applications; rarely if ever does time information present a serious 132 attack surface dealing with privacy. However the authenticity is 133 still quite important. Modification of the data can at best lead to 134 a denial-of-service attack, although a more intelligent threat actor 135 might be able to cause actual physical damage. As these time 136 synchronization updates are very fine-grained, it is again important 137 for latency to be very low. 139 A third use case deals with Alarming data. Industrial control 140 sensing equipment can be configured to send alarm information when it 141 meets certain conditions. Often times this data is used to detect 142 certain out-of-tolerance conditions, allowing an operator or 143 automated system to take corrective action. Once again, in many 144 systems the reading of this data doesn't grant the attacker 145 information that can be exploited, it is generally just information 146 regarding the physical state of the system. At the same time, being 147 able to modify this data would allow an attacker to either trigger 148 alarms falsely or to cover up evidence of an attack that might allow 149 for detection of their malicious activity. Furthermore, sensors are 150 often low powered devices that might struggle to process encrypted 151 and authenticated data. Sending data that is just authenticated 152 significantly eases the burden placed on these devices, yet still 153 allows the data to be protected against any tampering threats. 155 A fourth use case considers the protection of commands in the railway 156 industry. In railway control systems, no confidentiality 157 requirements are applied for the command exchange between an 158 interlocking controller and a railway equipment controller (for 159 instance, a railway point controller of a tram track where the 160 position of the controlled point is publicly available). However, 161 protecting integrity of those commands is vital, otherwise, an 162 adversary could change the target position of the point by modifying 163 the commands, which consequently could lead to the derailment of a 164 passing train. Furthermore, requirements for providing blackbox 165 recording of the safety related network traffic can only be fulfilled 166 through using integrity only ciphers, to be able to provide the 167 safety related commands to a third party, which is responsible for 168 the analysis after an accident. 170 The above use cases describe the relaxed requirements to provide 171 confidentiality, and as these devices come with a small runtime 172 memory footprint and reduced processing power, the need to minimize 173 the number of cryptographic algorithms used is prioritized. 175 4. Using Integrity only Cipher Suites 177 This document defines the following cipher suites for use in TLS 1.3: 179 TLS_SHA256_SHA256 {0xC0, 0xB4} 181 TLS_SHA384_SHA384 {0xC0, 0xB5} 183 These cipher suites allow the use of SHA-256 or SHA-384 as the HMACs 184 for data integrity protection as well as its use for HKDF. The 185 authentication mechanisms remain unchanged with the intent to only 186 update the cipher suites to relax the need for confidentiality. 188 5. Record Payload Protection for Integrity only Cipher Suites 190 The record payload protection as defined in [RFC8446] can be retained 191 when integrity only cipher suites are used. This section describes 192 the mapping of record payload structures when integrity only cipher 193 suites are employed. 195 As integrity is provided with protection over the full record, the 196 encrypted_record in the TLSCiphertext along with the additional_data 197 input to AEADEncrypted as defined in Section 5.2 [RFC8446] remains 198 the same. The TLSCiphertext.length for the integrity cipher suites 199 will be: 201 TLS_SHA256_SHA256: TLSPlaintext.length + 32 203 TLS_SHA384_SHA384: TLSPlaintext.length + 48 205 The resulting encrypted_record is the concatenation of the 206 TLSPlaintext with the resulting HMAC. With this mapping, the decrypt 207 order as defined in Section 5.2 of [RFC8446] remains the same. That 208 is, the HMAC operation is of the form: 210 AEAD-Encrypt-HMAC(write_key, nonce, additional_data, plaintext) = 211 plaintext || HMAC(write_key, nonce || additional_data || plaintext) 213 The encrypt and decrypt operations provide the integrity protection 214 using HMAC SHA-256 or SHA-384 as described in [RFC4634]. 216 6. Key Schedule when using Integrity only Cipher Suites 218 The key derivation process for Integrity only Cipher Suites remains 219 the same as defined in [RFC8446]. The only difference is that the 220 keys used to protect the tunnel applies to the negotiated HMAC 221 SHA-256 or HMAC SHA-384 ciphers. 223 7. IANA Considerations 225 IANA has granted registration the following specifically for this 226 document: 228 TLS_SHA256_SHA256 {0xC0, 0xB4} cipher suite and TLS_SHA384_SHA384 229 {0xC0, 0xB5} cipher suite. 231 Note that both of these cipher suites are registered with the DTLS-OK 232 column set to Y and the Recommneded column set to N 234 8. Security and Privacy Considerations 236 In general, with the exception of confidentiality and privacy, the 237 security considerations detailed in [RFC8446] and in [RFC5246] apply 238 to this document. Furthermore, as the cipher suites described in 239 this document do not provide any confidentiality, it is important 240 that they only be used in cases where there are no confidentiality or 241 privacy requirements and concerns; and the runtime memory 242 requirements can accommodate support for more cryptographic 243 constructs. 245 With the lack of data encryption specified in this draft, no 246 confidentiality or privacy is provided for the data transported via 247 the TLS session. To highlight the loss of privacy, the information 248 carried in both the Server and Client certificates, while integrity 249 protected, will be sent unencrypted. Similarly, other TLS extensions 250 that may be carried in the Server's EncryptedExtensions message will 251 only be integrity protected without provisions for confidentiality. 253 Given the lack of confidentiality, it is of the utmost importance 254 that these cipher suites never be enabled by default. As these 255 cipher suites are meant to serve the IoT market, it is important that 256 any IoT endpoint that uses them be explicitly configured with a 257 policy of non-confidential communications. 259 9. Acknowledgements 261 The authors would like to acknowledge the work done by Industrial 262 Communications Standards Groups (such as ODVA) as the motivation for 263 this document. We would also like to thank Steffen Fries for 264 providing a fourth use case. In addition, we are grateful for the 265 advice and feedback from Joe Salowey, Blake Anderson and David 266 McGrew. 268 10. References 270 10.1. Normative References 272 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 273 Requirement Levels", BCP 14, RFC 2119, 274 DOI 10.17487/RFC2119, March 1997, 275 . 277 [RFC4634] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 278 (SHA and HMAC-SHA)", RFC 4634, DOI 10.17487/RFC4634, July 279 2006, . 281 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 282 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 283 May 2017, . 285 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 286 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 287 . 289 10.2. Informative Reference 291 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 292 (TLS) Protocol Version 1.2", RFC 5246, 293 DOI 10.17487/RFC5246, August 2008, 294 . 296 Authors' Addresses 298 Nancy Cam-Winget 299 Cisco Systems 300 3550 Cisco Way 301 San Jose, CA 95134 302 USA 304 Email: ncamwing@cisco.com 306 Jack Visoky 307 ODVA 308 1 Allen Bradley Dr 309 Mayfield Heights, OH 44124 310 USA 312 Email: jmvisoky@ra.rockwell.com