Network Working Group D. McGrew
Internet-Draft J. Foley
Intended status: Standards Track J. Salowey
Expires: April 24, 2014 Cisco Systems
October 21, 2013
Using Authenticated Encryption with Replay prOtection (AERO) in Datagram
Transport Layer Security (DTLS)
draft-mcgrew-dtls-aero-00.txt
Abstract
Datagram Transport Layer Security (DTLS) is a communication security
protocol that is attractive for use in constrained environments, in
which it is important to minimize the data expansion added by the
security protocol, and to support multicast security . Authenticated
Encryption with Replay prOtection (AERO) is a cryptographic technique
that is well suited for use in DTLS, especially in these scenarios:
it has minimal data expansion, avoids the need to manage implicit
state, works well with multiple receivers and multiple senders, and
provides strong misuse resistance. This document describes how AERO
can be used in DTLS.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 24, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
McGrew, et al. Expires April 24, 2014 [Page 1]
Internet-Draft DTLS-AERO October 2013
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions used in this document . . . . . . . . . . . . 3
1.2. Document History . . . . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Using AERO in DTLS . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5. Security considerations . . . . . . . . . . . . . . . . . . . 9
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Normative references . . . . . . . . . . . . . . . . . . . 10
6.2. Informative references . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
McGrew, et al. Expires April 24, 2014 [Page 2]
Internet-Draft DTLS-AERO October 2013
1. Introduction
It is challenging to provide communication security in constrained
environments. Datagram Transport Layer Security (DTLS) [RFC6347] has
emerged as a communication security protocol of choice for such
environments; for instance, a binding of DTLS to the Constrained
Application Protocol (CoAP) [I-D.ietf-core-coap] has been defined,
and it appears that a profile of DTLS will be "reasonably
implementable" on constrained devices [DICE]. One important
constraint is bandwidth, which is often a scarce resource in wireless
environments, most especially when the transmitter or receiver is
battery-powered. This motivates the use of cryptographic transforms
that minimize the size of the data overhead, that is, the additional
bytes that must be communicated in order to add confidentiality,
message authentication, and replay protection to each message.
There is also interest in using DTLS for protecting multicast
messages, which are commonplace in the Internet of Things
environments [I-D.keoh-tls-multicast-security]. Standards work is
underway to consider the use of DTLS record layer for this purpose
[DICE] (though work on key management has not yet been chartered).
For multicast applications, it is important to use cryptographic
mechanisms that can easily and securely work with multiple receivers
and with multiple senders.
In addition to meeting the needs identified above, cryptographic
transforms should be robust against implementation failure and
misuse, and should not rely on implicit state, which is problematic
to synchronize, especially when there are multiple senders and
receivers.
1.1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
1.2. Document History
This section describes the evolution of this document as an Internet
Draft, and it should be removed by the RFC Editor prior to
publication as an RFC.
This is the initial version of this note. As it uses a cryptographic
technique that was published recently, it may evolve over time as
that technique is reviewed and experience is gained in its usage.
Thus, while we encourage the implementation of this note as the best
way to obtain experience with these techniques, also expect that
McGrew, et al. Expires April 24, 2014 [Page 3]
Internet-Draft DTLS-AERO October 2013
there may be changes to this specification over time.
McGrew, et al. Expires April 24, 2014 [Page 4]
Internet-Draft DTLS-AERO October 2013
2. Background
Authenticated Encryption with Replay prOtection (AERO)
[I-D.mcgrew-aero] is a cryptographic technique that provides all of
the essential security services needed by a communication security
protocol. It is a stateful and self-synchronizing authenticated
encryption method that provides protection from replay attacks as a
side benefit. Replay protection and authentication are provided
through a single mechanism, in which a sequence number is encrypted
along with a plaintext message. If the ciphertext message is not
tampered with, then this sequence number will be recovered by the
decrypter, and verified to be valid. If the ciphertext message is a
replay of an earlier message, then the decrypter will detect this
fact from the recovered sequence number. If the ciphertext message
is tampered with, or is crafted as a forgery, this fact will be
apparent to the decrypter because the value that should be a valid
sequence number is instead a pseudorandom value.
McGrew, et al. Expires April 24, 2014 [Page 5]
Internet-Draft DTLS-AERO October 2013
3. Using AERO in DTLS
AERO is an authenticated encryption mechanism, and it can be used
through the standard AEAD interface [RFC5116], as defined in Section
3.6 of [I-D.mcgrew-aero]. TLS version 1.2 defines how to use an AEAD
method through the that interface, via the TLS GenericAEADCipher (see
Section 6.2.3.3. of [RFC5246]). This note follows these earlier
specifications, except where otherwise noted.
When AERO is used in DTLS, SecurityParameters.record_iv_length is
equal to zero, since AERO algorithms do not require the use of a
nonce or initialization vector. Thus, the nonce_explicit field in
the GenericAEADCipher structure has a length of zero.
The AEAD key and plaintext are as specified in Section 6.2.3.3. of
[RFC5246].
The AEAD associated data is denoted as additional_data and is
computed as
additional_data = TLSCompressed.type + TLSCompressed.version +
TLSCompressed.length;
where "+" denotes concatenation. The seq_num field is omitted from
the additional_data because its authentication is not needed, since
AERO detects replay attacks.
In DTLS version 1.3, the epoch and sequence_number fields MUST be
omitted from the DTLSPlaintext. In DTLS version 1.2, those fields
MUST be present.
Rationale: With AERO, the epoch and sequence_number fields are not
needed. Omitting those fields enables each message sent to save
eight bytes of overhead, a value that is significant for some
applications, and it makes the on-the-wire data format identical
to that of TLS does, which could simplify implementations. We
specify this omission for version 1.3, but not the earlier
version, in order to avoid overloading the earlier version with
complexity. By omitting the seq_num from the additional_data
computation, we enable an AERO implementation to work the same way
for both versions 1.2 and 1.3 of DTLS, providing compatibility.
3.1. Multicast
DTLS-AERO is suitable for use in one-to-many scenarios such as those
described in [I-D.keoh-tls-multicast-security]. In order to use
DTLS-AERO it for many-to-many scenarios, in which more than one
entity is using a single key for encryption, it would be necessary to
McGrew, et al. Expires April 24, 2014 [Page 6]
Internet-Draft DTLS-AERO October 2013
modify the definition of DTLS in such a way that each receiver could
unambiguously identify each sender. This could be done by having a
receiver use the source IP address and source port of the packet that
carried the DTLS record, or by adding a new field to DTLS that works
like the Synchronization Source (SSRC) identifier field in the Real-
time Transport Protocol [RFC3550]. In either case, the fields that
are used to identify the sender should be part of the authenticated
data. We emphasize that the change needs to be made to DTLS, and not
to AERO, which is inherently capable of handling scenarios in which
there are multiple devices performing encryption with a single key.
McGrew, et al. Expires April 24, 2014 [Page 7]
Internet-Draft DTLS-AERO October 2013
4. IANA Considerations
There are no requests to IANA at this time.
A future version of this note will specify DTLS ciphersuites that
make use of AERO.
McGrew, et al. Expires April 24, 2014 [Page 8]
Internet-Draft DTLS-AERO October 2013
5. Security considerations
The security considerations of AERO are discussed in Section 11 of
[I-D.mcgrew-aero].
AERO works well in multiple-receiver scenarios, and it provides
automatic (re)synchronization of replay protection state between the
sender and receivers, including "late joiners" to the secure session.
It also works well for multiple-sender scenarios. These topics are
discussed in Sections 3.5, 6, and 11.4 of [I-D.mcgrew-aero].
AERO is robust against misuse, which is especially valuable in
virtual machine environments and in devices that may be subject to
tampering.
McGrew, et al. Expires April 24, 2014 [Page 9]
Internet-Draft DTLS-AERO October 2013
6. References
6.1. Normative references
[I-D.keoh-tls-multicast-security]
Keoh, S., Kumar, S., and E. Dijk, "DTLS-based Multicast
Security for Low-Power and Lossy Networks (LLNs)",
draft-keoh-tls-multicast-security-00 (work in progress),
October 2012.
[I-D.mcgrew-aero]
McGrew, D. and J. Foley, "Authenticated Encryption with
Replay prOtection (AERO)", draft-mcgrew-aero-00 (work in
progress), October 2013.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
6.2. Informative references
[DICE] IETF DICE Working Group, "Datagram TLS in Constrained
Environments (DICE) Charter", WG Charter,
2013 http://www.ietf.org/proceedings/87/dice.html.
[I-D.ietf-core-coap]
Shelby, Z., Hartke, K., and C. Bormann, "Constrained
Application Protocol (CoAP)", draft-ietf-core-coap-18
(work in progress), June 2013.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003.
McGrew, et al. Expires April 24, 2014 [Page 10]
Internet-Draft DTLS-AERO October 2013
Authors' Addresses
David McGrew
Cisco Systems
13600 Dulles Technology Drive
Herndon, VA 20171
US
Email: mcgrew@cisco.com
URI: http://www.mindspring.com/~dmcgrew/dam.htm
John Foley
Cisco Systems
7025-2 Kit Creek Road
Research Triangle Park, NC 14987
US
Email: foleyj@cisco.com
Joe Salowey
Cisco Systems
Email: jsalowey@cisco.com
McGrew, et al. Expires April 24, 2014 [Page 11]