Encrypted Content-Encoding for HTTP
RFC 8188
Document Type RFC - Proposed Standard (June 2017; Errata)
Author Martin Thomson 
Last updated 2020-01-21
Replaces draft-thomson-http-encryption
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Last Call Review (of -08): Ready
GENART Last Call Review (of -08): Ready
OPSDIR Last Call Review (of -08): Ready
Stream WG state Submitted to IESG for Publication
Document shepherd Mark Nottingham
Shepherd write-up Show (last changed 2017-03-02)
IESG IESG state RFC 8188 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Alexey Melnikov
Send notices to "Mark Nottingham" <mnot@mnot.net>
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Email authors Email WG IPR 1 References Referenced by Nits 
Internet Engineering Task Force (IETF)                        M. Thomson
Request for Comments: 8188                                       Mozilla
Category: Standards Track                                      June 2017
ISSN: 2070-1721

                  Encrypted Content-Encoding for HTTP

Abstract

   This memo introduces a content coding for HTTP that allows message
   payloads to be encrypted.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8188.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Thomson                      Standards Track                    [Page 1]
RFC 8188                 HTTP Encryption Coding                June 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  The "aes128gcm" HTTP Content Coding . . . . . . . . . . . . .   3
     2.1.  Encryption Content-Coding Header  . . . . . . . . . . . .   5
     2.2.  Content-Encryption Key Derivation . . . . . . . . . . . .   6
     2.3.  Nonce Derivation  . . . . . . . . . . . . . . . . . . . .   6
   3.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.1.  Encryption of a Response  . . . . . . . . . . . . . . . .   7
     3.2.  Encryption with Multiple Records  . . . . . . . . . . . .   8
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
     4.1.  Automatic Decryption  . . . . . . . . . . . . . . . . . .   9
     4.2.  Message Truncation  . . . . . . . . . . . . . . . . . . .   9
     4.3.  Key and Nonce Reuse . . . . . . . . . . . . . . . . . . .   9
     4.4.  Data Encryption Limits  . . . . . . . . . . . . . . . . .  10
     4.5.  Content Integrity . . . . . . . . . . . . . . . . . . . .  10
     4.6.  Leaking Information in Header Fields  . . . . . . . . . .  10
     4.7.  Poisoning Storage . . . . . . . . . . . . . . . . . . . .  11
     4.8.  Sizing and Timing Attacks . . . . . . . . . . . . . . . .  11
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
     5.1.  The "aes128gcm" HTTP Content Coding . . . . . . . . . . .  12
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  JWE Mapping  . . . . . . . . . . . . . . . . . . . .  15
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  16
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  16

1.  Introduction

   It is sometimes desirable to encrypt the contents of an HTTP message
   (request or response) so that when the payload is stored (e.g., with
   an HTTP PUT), only someone with the appropriate key can read it.

   For example, it might be necessary to store a file on a server
   without exposing its contents to that server.  Furthermore, that same
   file could be replicated to other servers (to make it more resistant
   to server or network failure), downloaded by clients (to make it
   available offline), etc., without exposing its contents.

   These uses are not met by the use of Transport Layer Security (TLS)
   [RFC5246], since it only encrypts the channel between the client and
   server.

   This document specifies a content coding (see Section 3.1.2 of
   [RFC7231]) for HTTP to serve these and other use cases.

Thomson                      Standards Track                    [Page 2]
RFC 8188                 HTTP Encryption Coding                June 2017

   This content coding is not a direct adaptation of message-based
   encryption formats -- such as those that are described by [RFC4880],
   [RFC5652], [RFC7516], and [XMLENC].  Those formats are not suited to
   stream processing, which is necessary for HTTP.  The format described
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools