[Search] [pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 12           Informational
TLS                                                        N. Cam-Winget
Internet-Draft                                             Cisco Systems
Intended status: Informational                                 J. Visoky
Expires: November 7, 2021                                           ODVA
                                                             May 6, 2021


        TLS 1.3 Authentication and Integrity only Cipher Suites
              draft-camwinget-tls-ts13-macciphersuites-11

Abstract

   There are use cases, specifically in Internet of Things (IoT) and
   constrained environments that do not require confidentiality, though
   message integrity for all communications and at least server, if not
   mutual authentication during tunnel establishment, are both still
   mandated.  This document gives examples of such use cases, although a
   threat model is necessary to determine whether or not a given
   situation falls into this category of use cases.  In order to serve
   these use cases, this document defines the use of HMAC-only cipher
   suites for TLS 1.3, which provides server and optionally mutual
   authentication and data authenticity, but not data confidentiality.
   The approach described in this document is not endorsed by the IETF
   and does not have IETF consensus, but is presented here to enable
   interoperable implementation of a reduced security mechanism that
   provides authentication and message integrity without supporting
   confidentiality.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 7, 2021.







Cam-Winget & Visoky     Expires November 7, 2021                [Page 1]


Internet-Draft                 IoT Ciphers                      May 2021


Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Applicability Statement . . . . . . . . . . . . . . . . . . .   3
   4.  Cryptographic Negotiation Using Integrity only Cipher Suites    6
   5.  Record Payload Protection for Integrity only Cipher Suites  .   6
   6.  Key Schedule when using Integrity only Cipher Suites  . . . .   7
   7.  Error Alerts  . . . . . . . . . . . . . . . . . . . . . . . .   8
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   9.  Security and Privacy Considerations . . . . . . . . . . . . .   8
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     11.2.  Informative Reference  . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   There are several use cases in which communications privacy is not
   strictly needed, although authenticity of the communications
   transport is still very important.  For example, within the
   Industrial Automation space there could be TCP or UDP communications
   which command a robotic arm to move a certain distance at a certain
   speed.  Without authenticity guarantees, an attacker could modify the
   packets to change the movement of the robotic arm, potentially
   causing physical damage.  However, the motion control commands are
   not always considered to be sensitive information and thus there is
   no requirement to provide confidentiality.  Another Internet of
   Things (IoT) example with no strong requirement for confidentiality
   is the reporting of weather information; however, message
   authenticity is required to ensure integrity of the message.




Cam-Winget & Visoky     Expires November 7, 2021                [Page 2]


Internet-Draft                 IoT Ciphers                      May 2021


   There is no requirement to encrypt messages in environments where the
   information is not confidential; such as when there is no
   intellectual property associated with the processes, or where the
   threat model does not indicate any outsider attacks (such as in a
   closed system).  Note however, this situation will not apply equally
   to all use cases (for example, a robotic arm might be used in one
   case for a process that does not involve any intellectual property,
   but in another case that does).  Therefore, it is important that a
   user or system developer carefully examine both the sensitivity of
   the data and the system threat model to determine the need for
   encryption before deploying equipment

   Besides having a strong need for authenticity and no need for
   confidentiality, many of these systems also have a strong requirement
   for low latency.  Furthermore, several classes of IoT device
   (industrial or otherwise) have limited processing capability.
   However, these IoT systems still gain great benefit from leveraging
   TLS 1.3 for secure communications.  Given the reduced need for
   confidentiality, TLS 1.3 [RFC8446] cipher suites that maintain data
   integrity without confidentiality are described in this document.
   These ciphersuites are not meant for general use as they do not meet
   the confidentiality and privacy goals of TLS.  They should only be
   used in cases where confidentiality and privacy is not a concern and
   there are constraints on using ciphersuites that provide the full set
   of security properties.  The approach described in this document is
   not endorsed by the IETF and does not have IETF consensus, but is
   presented here to enable interoperable implementation of a reduced
   security mechanism that provides authentication and message integrity
   with supporting confidentiality.

2.  Terminology

   Although this document is not an IETF Standards Track publication it
   adopts the conventions for normative language to provide clarity of
   instructions to the implementer.  The key words "MUST", "MUST NOT",
   "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
   when, they appear in all capitals, as shown here.

3.  Applicability Statement

   The two HMAC SHA [RFC6234] based cipher suites referenced in this
   document are intended for a small limited set of applications where
   confidentiality requirements are relaxed and the need to minimize the
   cryptographic algorithms are prioritized.  This section describes
   some of those applicable use cases.




Cam-Winget & Visoky     Expires November 7, 2021                [Page 3]


Internet-Draft                 IoT Ciphers                      May 2021


   Use cases in the industrial automation industry, while requiring data
   integrity, often do not require confidential communications.  Mainly,
   information communicated to unmanned machines to execute repetitive
   tasks does not convey private information.  For example, there could
   be a system with a robotic arm that paints the body of a car.  This
   equipment is used within a car manufacturing plant, and is just one
   piece of equipment in a multi-step manufacturing process.  The
   movements of this robotic arm are likely not a trade secret or
   sensitive intellectual property, although some portions of the
   manufacturing of the car might very well contain sensitive
   intellectual property.  Even the mixture for the paint itself might
   be confidential, but the mixing is done by a completely different
   piece of equipment and therefore communication to/from that equipment
   can be encrypted without requiring the communication to/from the
   robotic arm to be encrypted.  Modern manufacturing often has
   segmented equipment with different levels of risk on intellectual
   property, although nearly every communication interaction has strong
   data authenticity requirements.

   Another use case which is closely related is that of fine grained
   time updates.  Motion systems often rely on time synchronization to
   ensure proper execution.  Time updates are essentially public, there
   is no threat from an attacker knowing the time update information.
   This should make intuitive sense to those not familiar with these
   applications; rarely if ever does time information present a serious
   attack surface dealing with privacy.  However, the authenticity is
   still quite important.  Modification of the data can at best lead to
   a denial-of-service attack, although a more intelligent threat actor
   might be able to cause actual physical damage.  As these time
   synchronization updates are very fine-grained, it is again important
   for latency to be very low.

   A third use case deals with data related to alarms.  Industrial
   control sensing equipment can be configured to send alarm information
   when it meets certain conditions, for example, temperature goes above
   or below a given threshold.  Often times this data is used to detect
   certain out-of-tolerance conditions, allowing an operator or
   automated system to take corrective action.  Once again, in many
   systems the reading of this data doesn't grant the attacker
   information that can be exploited, it is generally just information
   regarding the physical state of the system.  At the same time, being
   able to modify this data would allow an attacker to either trigger
   alarms falsely or to cover up evidence of an attack that might allow
   for detection of their malicious activity.  Furthermore, sensors are
   often low powered devices that might struggle to process encrypted
   and authenticated data.  These sensors might be very cost sensitive
   such that there is not enough processing power for data encryption.
   Sending data that is just authenticated but not encrypted



Cam-Winget & Visoky     Expires November 7, 2021                [Page 4]


Internet-Draft                 IoT Ciphers                      May 2021


   significantly eases the burden placed on these devices, yet still
   allows the data to be protected against any tampering threats.  A
   user can always chose to pay more for a sensor with encryption
   capability, but for some, data authenticity will be sufficient.

   A fourth use case considers the protection of commands in the railway
   industry.  In railway control systems, no confidentiality
   requirements are applied for the command exchange between an
   interlocking controller and a railway equipment controller (for
   instance, a railway point controller of a tram track where the
   position of the controlled point is publicly available).  However,
   protecting integrity of those commands is vital, otherwise, an
   adversary could change the target position of the point by modifying
   the commands, which consequently could lead to the derailment of a
   passing train.  Furthermore, requirements for providing blackbox
   recording of the safety related network traffic can only be fulfilled
   through using integrity only ciphers, to be able to provide the
   safety related commands to a third party, which is responsible for
   the analysis after an accident.

   The fifth use case deals with data related to civil aviation
   airplanes and ground communication.  Pilots can send and receive
   messages to/from ground such as airplane route-of-flight update,
   weather information, controller and pilot communication, and airline
   back office communication.  Similarly, the Air Traffic Control
   Centers (ATC) use air to ground communication to receive the
   surveillance data that relies on (is dependent on) downlink reports
   from an airplane's avionics that occur automatically in accordance
   with contracts established between the ATC ground system and the
   airplane's avionics.  Reports can be sent whenever specific events
   occur, or specific time intervals are reached.  In many systems the
   reading of this data doesn't grant the attacker information that can
   be exploited, it is generally just information regarding the airplane
   states, controller pilot communication, meteorological information
   etc.  At the same time, being able to modify this data would allow an
   attacker to either put aircraft in the wrong flight trajectory or to
   provide false information to ground that might delay flight and
   damage properties or harm life.  Sending data that is not encrypted
   but is authenticated, allows the data to be protected against any
   tampering threats.  Data authenticity is sufficient for the air
   traffic, weather and surveillance information exchange between
   airplanes and the ground systems.

   The above use cases describe the relaxed requirements to not provide
   confidentiality, and as these devices come with a small runtime
   memory footprint and reduced processing power, the need to minimize
   the number of cryptographic algorithms used is prioritized.  Despite
   this, it is noted that memory, performance, and processing power



Cam-Winget & Visoky     Expires November 7, 2021                [Page 5]


Internet-Draft                 IoT Ciphers                      May 2021


   implications of any given algorithm or set of algorithms is highly
   dependent on hardware and software architecture.  Therefore, although
   these cipher suites may provide performance benefits, they will not
   necessarily provide these benefits in all cases on all platforms.
   Furthermore, in some use cases third party inspection of data is
   specifically needed, which is also supported through the lack of
   confidentiality mechanisms.

4.  Cryptographic Negotiation Using Integrity only Cipher Suites

   The cryptographic negotiation as specified in [RFC8446] Section 4.1.1
   remains the same, with the inclusion of the following cipher suites:

   TLS_SHA256_SHA256  {0xC0, 0xB4}

   TLS_SHA384_SHA384  {0xC0, 0xB5}

   These cipher suites allow the use of SHA-256 or SHA-384 as the HMACs
   for data integrity protection as well as its use for Hashed Message
   Authentication Code (HMAC)-based Key Derivation Function (HKDF).  The
   authentication mechanisms remain unchanged with the intent to only
   update the cipher suites to relax the need for confidentiality.

   Given that these cipher suites do not support confidentiality, they
   MUST NOT be used with authentication and key exchange methods that
   rely on confidentiality.

5.  Record Payload Protection for Integrity only Cipher Suites

   The record payload protection as defined in [RFC8446] can be retained
   when integrity only cipher suites are used.  Note that due to the
   purposeful use of hash algorithms, instead of AEAD algorithms, the
   confidentiality protection of the record payload cannot be provided.
   This section describes the mapping of record payload structures when
   integrity only cipher suites are employed.

   Given that there is no encryption to be done at the record layer, the
   operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt"
   and "AEAD-Decrypt", respectively, as referenced in [RFC8446]

   As integrity is provided with protection over the full record, the
   encrypted_record in the TLSCiphertext along with the additional_data
   input to protected_data (termed AEADEncrypted data in [RFC8446]) as
   defined in Section 5.2 of [RFC8446] remains the same.  The
   TLSCiphertext.length for the integrity cipher suites will be:






Cam-Winget & Visoky     Expires November 7, 2021                [Page 6]


Internet-Draft                 IoT Ciphers                      May 2021


   TLS_SHA256_SHA256:  TLSCiphertext.length = TLSPlaintext.length + 1
      (type field) + length_of_padding + 32 (HMAC) =
      TLSInnerPlaintext_length + 32 (HMAC)

   TLS_SHA384_SHA384:  TLSCiphertext.length = TLSPlaintext.length + 1
      (type field) + length_of_padding + 48 (HMAC) =
      TLSInnerPlaintext_length + 48 (HMAC)

   Note that TLSInnerPlaintext_length is not defined as an explicit
   field in [RFC8446], this refers to the length of the
   TLSInnterPlaintext structure

   The resulting protected_record is the concatenation of the
   TLSInnerPlaintext with the resulting HMAC.  With this mapping, the
   record validation order as defined in Section 5.2 of [RFC8446]
   remains the same.  That is, encrypted_record field of TLSCiphertext
   is set to:

   TLSCiphertext = TLS13-HMAC-Protected = TLSInnerPlaintext ||
   HMAC(write_key, nonce || additional_data || TLSInnerPlaintext)

   Here "nonce" refers to the per-record nonce described in section 5.3
   of [RFC8446].

   For DTLS 1.3, the DTLSCiphertext is set to:

   DTLSCiphertext = DTLS13-HMAC-Protected = DTLSInnerPlaintext ||
   HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext)

   The DTLS "nonce" refers to the per-record nonce described in section
   4.2.2 of [DTLS13].

   The Protect and Unprotect operations provide the integrity protection
   using HMAC SHA-256 or HMAC SHA-384 as described in [RFC6234].

   Due to the lack of encryption of the plaintext, record padding is not
   needed, although it can be optionally included.

6.  Key Schedule when using Integrity only Cipher Suites

   The key derivation process for Integrity only Cipher Suites remains
   the same as defined in [RFC8446].  The only difference is that the
   keys used to protect the tunnel apply to the negotiated HMAC SHA-256
   or HMAC SHA-384 ciphers.  Note that the traffic key material
   (client_write_key, client_write_iv, server_write_key and
   server_write_iv) MUST be calculated as per RFC 8446, section 7.3.
   The key lengths and IVs for these cipher suites are according to the




Cam-Winget & Visoky     Expires November 7, 2021                [Page 7]


Internet-Draft                 IoT Ciphers                      May 2021


   hash lengths.  In other words, the following key lengths and IV
   lengths SHALL be:

              +-------------------+------------+-----------+
              | Cipher Suite      | Key Length | IV Length |
              +-------------------+------------+-----------+
              | TLS_SHA256_SHA256 | 32 Bytes   | 32 Bytes  |
              | TLS_SHA384_SHA384 | 48 Bytes   | 48 Bytes  |
              +-------------------+------------+-----------+

7.  Error Alerts

   The error alerts as defined by [RFC8446] remains the same, in
   particular:

   bad_record_mac: This alert can also occur for a record whose message
   authentication code can not be validated.  Since these cipher suites
   do not involve record encryption this alert will only occur when the
   HMAC fails to verify.

   decrypt_error: This alert as described in [RFC8446] Section 6.2
   occurs when the signature or message authentication code can not be
   validated.

8.  IANA Considerations

   IANA has granted registration the following specifically for this
   document within the TLS Cipher Suites Registry:

   TLS_SHA256_SHA256 {0xC0, 0xB4} cipher suite and TLS_SHA384_SHA384
   {0xC0, 0xB5} cipher suite.

   Note that both of these cipher suites are registered with the DTLS-OK
   column set to Y and the Recommended column set to N

   No further IANA action is requested by this document.

9.  Security and Privacy Considerations

   In general, with the exception of confidentiality and privacy, the
   security considerations detailed in [RFC8446] and in [RFC5246] apply
   to this document.  Furthermore, as the cipher suites described in
   this document do not provide any confidentiality, it is important
   that they only be used in cases where there are no confidentiality or
   privacy requirements and concerns; and the runtime memory
   requirements can accommodate support for more cryptographic
   constructs.




Cam-Winget & Visoky     Expires November 7, 2021                [Page 8]


Internet-Draft                 IoT Ciphers                      May 2021


   With the lack of data encryption specified in this draft, no
   confidentiality or privacy is provided for the data transported via
   the TLS session.  That is, the record layer is not encrypted when
   using these cipher suite, and the handshake also is not encrypted.
   To highlight the loss of privacy, the information carried in the TLS
   handshake, which includes both the Server and Client certificates,
   while integrity protected, will be sent unencrypted.  Similarly,
   other TLS extensions that may be carried in the Server's
   EncryptedExtensions message will only be integrity protected without
   provisions for confidentiality.  Furthermore, with this lack of
   confidentiality, any private PSK data MUST NOT be sent in the
   handshake while using these cipher suites.

   Given the lack of confidentiality, these cipher suites MUST NOT be
   enabled by default.  As these cipher suites are meant to serve the
   IoT market, it is important that any IoT endpoint that uses them be
   explicitly configured with a policy of non-confidential
   communications.

10.  Acknowledgements

   The authors would like to acknowledge the work done by Industrial
   Communications Standards Groups (such as ODVA) as the motivation for
   this document.  We would also like to thank Steffen Fries for
   providing a fourth use case.  In addition, we are grateful for the
   advice and feedback from Joe Salowey, Blake Anderson, David McGrew,
   Clement Zeller, and Peter Wu.

11.  References

11.1.  Normative References

   [DTLS13]   IETF Internet Drafts editor,
              "https://tools.ietf.org/id/draft-ietf-tls-dtls13-38.txt".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://www.rfc-editor.org/info/rfc6234>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.



Cam-Winget & Visoky     Expires November 7, 2021                [Page 9]


Internet-Draft                 IoT Ciphers                      May 2021


   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

11.2.  Informative Reference

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

Authors' Addresses

   Nancy Cam-Winget
   Cisco Systems
   3550 Cisco Way
   San Jose, CA  95134
   USA

   Email: ncamwing@cisco.com


   Jack Visoky
   ODVA
   1 Allen Bradley Dr
   Mayfield Heights, OH  44124
   USA

   Email: jmvisoky@ra.rockwell.com






















Cam-Winget & Visoky     Expires November 7, 2021               [Page 10]