Delay-Tolerant Networking | E. Birrane |
Internet-Draft | JHU/APL |
Intended status: Standards Track | October 22, 2018 |
Expires: April 25, 2019 |
BPSec Interoperability Cipher Suites
draft-birrane-dtn-bpsec-interop-cs-03
This document defines a set of integrity and confidentiality cipher suites suitable for testing the interoperability of Bundle Protocol Security (BPSec) implementations.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Bundle Protocol Security (BPSec) [I-D.ietf-dtn-bpsec] specification provides block-level integrity and confidentiality services for networks deploying the Bundle Protocol (BP) [I-D.ietf-dtn-bpbis]. BPSec defines a set of BP extension blocks to carry cipher suite results and associated meta-data, but does not define a common set of supported cipher suites. This document extends BPSec and defines an integrity cipher suite and a confidentiality cipher suite suitable for populating BPSec Block Integrity Blocks (BIBs) and Block Confidentiality Blocks (BCBs), respectively.
The purpose of the cipher suites described in this document is twofold. First, they are to be used to test the interoperability of BPSec implementations. Second, this specification can serve as a template for authors of other BPSec cipher suites.
The intent of these cipher suite definitions is to provide a mechanism for interoperability testing. There is no claim that these cipher suites are suitable for operational deployment in any particular networking scenario. Further, there is no requirement that these cipher suites be used in any operational network deployments.
These cipher suites generate information that MUST be encoded using the CBOR specification documented in [RFC7049].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This integrity cipher suite provides a keyed hash (a message authentication code, not a signature) over the security target, using the SHA-256 message digest algorithm [RFC4634] with HMAC [RFC2104] and a 256-bit tag length, i.e. the full, untruncated HMAC-SHA256 output. This formulation is based on the HMAC 256/256 algorithm defined in [RFC8152] Table 7: HMAC Algorithm Values.
The BIB-HMAC256-SHA256 cipher suite has a Cipher Suite ID of 0x01.
Keys used with this specification MUST be symmetric and 256 bits in length.
This cipher suite places no requirements on the configuration or management of keys.
BIB-HMAC256-SHA256 uses the standard canonicalization algorithms defined in [I-D.ietf-dtn-bpsec] and operates over all of the block-type-specific data fields for the security target. This cipher suite does not include other parts of the target block header, such as the block type code, block number, block processing control flags, or any CRC information, in the hashed input; those header fields are therefore not protected by the resulting tag.
BIB-HMAC256-SHA256 defines the following cipher suite parameters.
BIB-HMAC256-SHA256 Parameters
Parm Id | Parm Name | CBOR Type | Description |
---|---|---|---|
1 | Key | byte string | Material encoded or protected by the key management system and used to transport an ephemeral key protected by a long-term key. |
BIB-HMAC256-SHA256 defines the following security results.
BIB-HMAC256-SHA256 Security Results
Result Id | Result Name | CBOR Type | Description |
---|---|---|---|
1 | Tag | byte string | The tag produced by HMAC. |
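The following Go program, added here as an illustration and not part of this draft or of any BPSec implementation, computes and verifies the BIB-HMAC256-SHA256 Tag using only the standard library. It assumes a minimal CBOR byte-string encoder (only major type 2 is needed), a simplified block struct with hypothetical header fields, and a constructed key and payload; the function names bibTag and bibVerify are this example's own. It also shows the consequence of the canonicalization rule above: changing a header field such as the block processing control flags does not invalidate the tag, because those fields are not covered.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// cborBstr encodes b as a definite-length CBOR byte string (major type 2,
// RFC 7049). Only byte strings are needed in this example; a real BPSec
// implementation would use a full CBOR library.
func cborBstr(b []byte) []byte {
	n := uint64(len(b))
	var hdr []byte
	switch {
	case n < 24:
		hdr = []byte{0x40 | byte(n)}
	case n <= 0xff:
		hdr = []byte{0x58, byte(n)}
	case n <= 0xffff:
		hdr = make([]byte, 3)
		hdr[0] = 0x59
		binary.BigEndian.PutUint16(hdr[1:], uint16(n))
	case n <= 0xffffffff:
		hdr = make([]byte, 5)
		hdr[0] = 0x5a
		binary.BigEndian.PutUint32(hdr[1:], uint32(n))
	default:
		hdr = make([]byte, 9)
		hdr[0] = 0x5b
		binary.BigEndian.PutUint64(hdr[1:], n)
	}
	return append(hdr, b...)
}

// block is a simplified Bundle Protocol block (an assumption of this
// example, not the bpbis wire encoding). Only Data, the block-type-specific
// data, is covered by the tag; the header fields are present to show that
// they are not.
type block struct {
	TypeCode uint64
	Number   uint64
	Flags    uint64 // block processing control flags
	Data     []byte
}

// bibTag computes security result 1 ("Tag"): HMAC-SHA256 with a 256-bit key
// over the canonicalized block-type-specific data, i.e. its CBOR byte-string
// encoding. The 32-byte HMAC output is used without truncation.
func bibTag(key []byte, target block) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("BIB-HMAC256-SHA256 requires a 256-bit key, got %d bits", 8*len(key))
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(cborBstr(target.Data)) // header fields are deliberately excluded
	return mac.Sum(nil), nil
}

// bibVerify recomputes the tag for the received target block and compares it
// in constant time with the tag carried in the BIB. A false result is a
// failed integrity check, to be handled according to local security policy.
func bibVerify(key []byte, target block, tag []byte) bool {
	expect, err := bibTag(key, target)
	if err != nil {
		return false
	}
	return hmac.Equal(expect, tag)
}

func main() {
	// Constructed inputs (not from the draft): a fixed key and one payload block.
	key := bytes.Repeat([]byte{0x0b}, 32)
	target := block{TypeCode: 1, Number: 1, Flags: 0, Data: []byte("telemetry frame 17")}
	tag, err := bibTag(key, target)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Tag as a CBOR byte string: %x\n", cborBstr(tag))

	tampered := target
	tampered.Data = []byte("telemetry frame 18")
	fmt.Println("modified data verifies:", bibVerify(key, tampered, tag)) // false

	reflagged := target
	reflagged.Flags = 0x04 // any change to the header flags
	fmt.Println("modified flags verify:", bibVerify(key, reflagged, tag)) // true: flags are not covered
}
```

An implementation that needs the header fields protected has to bind them some other way; this cipher suite, as specified, authenticates the block contents only.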
This confidentiality cipher suite provides cipher-text to replace the plain-text block-type-specific data fields of its target block. BCB-AES-GCM-256 uses the Advanced Encryption Standard (AES) cipher operating in Galois/Counter Mode (GCM) [AES-GCM]. This formulation is based on the A256GCM algorithm defined in [RFC8152] Table 9: Algorithm Value for AES-GCM.
The BCB-AES-GCM-256 cipher suite has a Cipher Suite ID of 0x02.
This cipher suite does not modify the size of the target block: AES-GCM cipher-text is the same length as its plain-text, and the authentication tag is carried as a security result in the BCB rather than in the target block.
Keys used with this specification MUST be symmetric and 256 bits in length.
This cipher suite places no requirements on the configuration or management of keys.
BCB-AES-GCM-256 uses the standard canonicalization algorithms defined in [I-D.ietf-dtn-bpsec] and operates over all of the block-type-specific data fields for the security target. This cipher suite does not operate over other parts of the target block header, such as the block type code, block number, block processing control flags, or any CRC information; because no additional authenticated data is supplied to the cipher, those header fields are neither encrypted nor authenticated by the BCB.
When encrypting, the BCB-AES-GCM-256 cipher treats the catenation of the target block's block-type-specific data fields as a single plain-text.
Cipher-text, once calculated, is stored as a CBOR byte string replacing the value of the target block's block-type-specific data. Because the plain-text and cipher-text have the same length, the CBOR byte-string header (major type and length) is unchanged. This allows the replacement of plain-text with cipher-text without any additional consideration of block-type-specific data field processing.
When decrypting, the target block's block-type-specific data field is verified to consist solely of a CBOR byte string. If this is not the case, the decryption is treated as failed and processed in accordance with local security policy. Otherwise, the byte string and key information are passed to the cipher for decryption.
If the cipher-text fails to authenticate, or if there are other problems in the decryption (such as the creation of invalid CBOR plain-text) then the decryption MUST be treated as failed and processed in accordance with local security policy.
If the decryption succeeds, the resultant plain-text MUST replace the cipher-text in the target-block.
BCB-AES-GCM-256 defines the following cipher suite parameters. Note that this specification passes no additional authenticated data to the AES-GCM cipher. The plain-text is the only data input and MUST be the entire data contents of the target block. Because reusing an IV in counter mode voids the confidentiality of every message encrypted with that IV (the XOR of two cipher-texts equals the XOR of their plain-texts) and, in GCM, also exposes the authentication subkey so that tags can be forged, this cipher suite requires a unique IV for every encryption performed with the same key. This means the same key and IV combination must never be used more than once. A randomly generated IV satisfies this only probabilistically, so the number of encryptions performed under one key should be kept far below 2^32.
BCB-AES-GCM-256 Parameters
Parm Id | Parm Name | CBOR Type | Description |
---|---|---|---|
1 | Key | byte string | Material encoded or protected by the key management system and used to transport an ephemeral key protected by a long-term key. |
2 | Initialization Vector | byte string | The initialization vector. A random value of 8 to 16 bytes; 12 bytes (96 bits) is recommended. |
BCB-AES-GCM-256 defines the following security results. It should be noted that cipher-text is not a security result, as the resultant cipher-text is stored in the target block. When operating in GCM mode, AES produces cipher-text of the same size as its plain-text and, therefore, no security results are necessary to capture padding information.
BCB-AES-GCM-256 Security Results
Result Id | Result Name | CBOR Type | Description |
---|---|---|---|
1 | Authentication Tag | byte string | Output from the AES-GCM cipher. This value (prior to CBOR encoding) MUST be 16 bytes long. |
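The following Go program, added here as an illustration and not part of this draft or of any BPSec implementation, performs the BCB-AES-GCM-256 encryption and decryption steps described above using the standard library's AES-GCM: the plain-text contents are encrypted with no additional authenticated data, the cipher-text (same length as the plain-text) replaces them, the 16-byte tag is returned as the security result, and a failed authentication on decryption is reported as an error for local policy to handle. The function names, the key, IV and payload values are this example's own constructions. The last function demonstrates the IV-uniqueness requirement: encrypting two messages under the same key and IV leaks their XOR with no key needed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const bcbTagLen = 16 // Authentication Tag (result id 1) MUST be 16 bytes

// newGCM checks the key and IV lengths this cipher suite requires and
// returns an AES-256-GCM instance sized for the supplied IV.
func newGCM(key, iv []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("BCB-AES-GCM-256 requires a 256-bit key, got %d bits", 8*len(key))
	}
	if len(iv) < 8 || len(iv) > 16 {
		return nil, fmt.Errorf("IV must be 8 to 16 bytes, got %d", len(iv))
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(blk, len(iv))
}

// newIV draws a fresh random 12-byte IV (parameter id 2). Every encryption
// under the same key needs a new one; bcbIVReuseLeak shows why.
func newIV() ([]byte, error) {
	iv := make([]byte, 12)
	_, err := io.ReadFull(rand.Reader, iv)
	return iv, err
}

// bcbEncrypt encrypts the plain-text block-type-specific data of the target
// block with no AAD. It returns the cipher-text, which replaces the
// plain-text in the target block, and the 16-byte tag, which is carried as a
// security result in the BCB.
func bcbEncrypt(key, iv, plain []byte) ([]byte, []byte, error) {
	gcm, err := newGCM(key, iv)
	if err != nil {
		return nil, nil, err
	}
	out := gcm.Seal(nil, iv, plain, nil) // cipher-text || tag
	split := len(out) - bcbTagLen
	return out[:split], out[split:], nil
}

// bcbDecrypt reverses bcbEncrypt. Any authentication failure (wrong key or
// IV, modified cipher-text or tag) is returned as an error; the caller
// treats the decryption as failed and applies local security policy.
func bcbDecrypt(key, iv, ct, tag []byte) ([]byte, error) {
	if len(tag) != bcbTagLen {
		return nil, fmt.Errorf("tag must be %d bytes, got %d", bcbTagLen, len(tag))
	}
	gcm, err := newGCM(key, iv)
	if err != nil {
		return nil, err
	}
	in := append(append([]byte{}, ct...), tag...) // copy: never alias the target's buffer
	plain, err := gcm.Open(nil, iv, in, nil)
	if err != nil {
		return nil, errors.New("BCB-AES-GCM-256: cipher-text failed to authenticate")
	}
	return plain, nil
}

// bcbIVReuseLeak encrypts p1 and p2 under the same key and IV and XORs the
// two cipher-texts. Because GCM's counter-mode keystream repeats, the result
// equals p1 XOR p2 (over the shorter length): the plain-texts' relationship
// is exposed without the key.
func bcbIVReuseLeak(key, iv, p1, p2 []byte) ([]byte, error) {
	c1, _, err := bcbEncrypt(key, iv, p1)
	if err != nil {
		return nil, err
	}
	c2, _, err := bcbEncrypt(key, iv, p2)
	if err != nil {
		return nil, err
	}
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	leak := make([]byte, n)
	for i := range leak {
		leak[i] = c1[i] ^ c2[i]
	}
	return leak, nil
}

func main() {
	// Constructed inputs (not from the draft): fixed key, random IV, sample payload.
	key := bytes.Repeat([]byte{0x01}, 32)
	iv, err := newIV()
	if err != nil {
		panic(err)
	}
	plain := []byte("bundle payload: telemetry frame 17")
	ct, tag, err := bcbEncrypt(key, iv, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("cipher-text %d bytes (plain-text %d bytes), tag %x\n", len(ct), len(plain), tag)
	ct[0] ^= 0x80 // a one-bit change in transit
	if _, err := bcbDecrypt(key, iv, ct, tag); err != nil {
		fmt.Println("tampered block rejected:", err)
	}
}
```

The decryption path rejects a tag of the wrong length before touching the cipher, and copies the cipher-text rather than appending the tag into the target block's own buffer, so a failed decryption leaves the received block untouched for policy handling.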
This specification allocates two cipher suite IDs from the "BPSec Cipher Suite IDs" registry defined in [I-D.ietf-dtn-bpsec].
Additional BPSec Cipher Suite IDs:
Value | Description | Reference |
---|---|---|
1 | BIB-HMAC256-SHA256 | This document |
2 | BCB-AES-GCM-256 | This document |
The following participants contributed useful analysis of this specification: Prathibha Rama of the Johns Hopkins University Applied Physics Laboratory.