Tcpcrypt
   HOME

TheInfoList



Click Here for Items Related To - Tcpcrypt
OR:
Tcpcrypt on:   [Wikipedia]   [Google]   [Amazon]

In computer networking, tcpcrypt is a transport layer communication encryption protocol. Unlike prior protocols like
TLS TLS may refer to: Computing * Transport Layer Security, a cryptographic protocol for secure computer network communication * Thread level speculation, an optimisation on multiprocessor CPUs * Thread-local storage, a mechanism for allocating vari ...
(SSL), tcpcrypt is implemented as a
TCP TCP may refer to: Science and technology * Transformer coupled plasma * Tool Center Point, see Robot end effector Computing * Transmission Control Protocol, a fundamental Internet standard * Telephony control protocol, a Bluetooth communication s ...
extension. It was designed by a team of six security and networking experts: Andrea Bittau, Mike Hamburg,
Mark Handley Mark Handley is a playwright and screenwriter. In 1977, he and his wife moved to the Pacific Northwest where they lived in isolation in a log cabin that they built themselves. He is best known for his play ''Idioglossia An idioglossia (from ...
, David Mazières, Dan Boneh and Quinn Slack. Tcpcrypt has been published as an Internet Draft. Experimental
user-space A modern computer operating system usually segregates virtual memory into user space and kernel space. Primarily, this separation serves to provide memory protection and hardware protection from malicious or errant software behaviour. Kern ...
implementations are available for Linux, Mac OS X, FreeBSD and Windows. There is also a
Linux kernel The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU ope ...
implementation. The TCPINC (TCP Increased Security) working group was formed in June 2014 by IETF to work on standardizing security extensions in the TCP protocol. In May 2019 the working group released and as an experimental standard for Tcpcrypt.


Description

Tcpcrypt provides opportunistic encryption — if either side does not support this extension, then the protocol falls back to regular unencrypted TCP. Tcpcrypt also provides encryption to any application using TCP, even ones that do not know about encryption. This enables incremental and seamless deployment. Unlike TLS, tcpcrypt itself does not do any authentication, but passes a unique "session ID" down to the application; the application can then use this token for further authentication. This means that any authentication scheme can be used, including passwords or certificates. It also does a larger part of the public-key connection initiation on the client side, to reduce load on servers and mitigate DoS attacks.


History

The first draft of the protocol specification was published in July 2010, with reference implementations following in August. However, after initial meetings in IETF, proponents of the protocol failed to gain traction for standardization and the project went dormant in 2011. In 2013 and 2014, following
Edward Snowden Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...
's
Global surveillance disclosures Global means of or referring to a globe and may also refer to: Entertainment * ''Global'' (Paul van Dyk album), 2003 * ''Global'' (Bunji Garlin album), 2007 * ''Global'' (Humanoid album), 1989 * ''Global'' (Todd Rundgren album), 2015 * Bruno ...
about the NSA and agencies of other governments, IETF took a strong stance for protecting Internet users against surveillance. This aligns with tcpcrypt's goals of ubiquitous transparent encryption, which revived interest in standardization of the protocol. An official IETF
mailing list A mailing list is a collection of names and addresses used by an individual or an organization to send material to multiple recipients. The term is often extended to include the people subscribed to such a list, so the group of subscribers is re ...
was created for tcpcrypt in March 2014, followed by the formation of the TCPINC (TCP Increased Security) working group in June and a new version of the draft specification.


Performance

Tcpcrypt enforces TCP timestamps and adds its own TCP options to each data packet, amounting to 36 bytes per packet compared to plain TCP. With a mean observed packet size for TCP packets of 471 bytes, this can lead to an overhead of 8% of useful bandwidth. This 36 bytes overhead may not be an issue for internet connections faster than 64kbs, but can be an issue for dial up internet users. Compared to
TLS/SSL Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
, tcpcrypt is designed to have a lower performance impact. In part this is because tcpcrypt does not have built-in authentication, which can be implemented by the application itself. Cryptography primitives are used in such a way to reduce load on the server side, because a single server usually has to provide services for far more clients than reverse.


Implementations

The current user space implementations are considered experimental and are reportedly unstable on some systems. It also does not support IPv6 yet, which is currently only supported by the Linux kernel version. It is expected that once tcpcrypt becomes a standard, operating systems will come with tcpcrypt support built-in, making the user space solution unnecessary.


See also

* DTLS * IPsec * Obfuscated TCP – an earlier failed proposal for opportunistic TCP encryption


References


External links


tcpcrypt.org

TCPINC Working Group Charter at IETF

Slides from USENIX 2010 presentation, explaining basics of tcpcrypt
{{VPN Transmission Control Protocol Internet security Cryptographic protocols