File: rfc9150.html

package info (click to toggle)
doc-rfc 20230121-1
links: PTS, VCS
area: non-free
in suites: bookworm, forky, sid, trixie
size: 1,609,944 kB
file content (1624 lines) | stat: -rw-r--r-- 70,487 bytes
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 9150: TLS 1.3 Authentication and Integrity-Only Cipher Suites</title>
<meta content="Nancy Cam-Winget" name="author">
<meta content="Jack Visoky" name="author">
<meta content="
       This document defines the use of cipher suites for TLS 1.3 based on Hashed  Message Authentication Code (HMAC). Using these cipher suites provides server and, optionally, mutual authentication and data authenticity, but not data confidentiality.
 Cipher suites with these properties are not of general applicability, but there are use cases, specifically in Internet of Things (IoT) and constrained environments, that do not require confidentiality of exchanged messages while still requiring integrity protection, server authentication, and optional client authentication. This document gives examples of such use cases, with the caveat that prior to using these integrity-only cipher suites, a threat model for the situation at hand is needed, and a threat analysis must be performed within that model to determine whether the use of integrity-only cipher suites is appropriate. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of a reduced-security mechanism that provides authentication and message integrity without supporting confidentiality. 
    " name="description">
<meta content="xml2rfc 3.12.2" name="generator">
<meta content="HMAC" name="keyword">
<meta content="IoT" name="keyword">
<meta content="constrained devices" name="keyword">
<meta content="9150" name="rfc.number">
<!-- Generator version information:
  xml2rfc 3.12.2
    Python 3.6.15
    appdirs 1.4.4
    ConfigArgParse 1.4.1
    google-i18n-address 2.4.0
    html5lib 1.0.1
    intervaltree 3.0.2
    Jinja2 2.11.3
    kitchen 1.2.6
    lxml 4.4.2
    pycairo 1.15.1
    pycountry 19.8.18
    pyflakes 2.1.1
    PyYAML 5.4.1
    requests 2.24.0
    setuptools 40.5.0
    six 1.14.0
    WeasyPrint 52.5
-->
<link href="rfc9150.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necssary during the development of the v3
  formatters.

*/

/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

@viewport {
  zoom: 1.0;
  width: extend-to-zoom;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
  line-height: 1.6;
  scroll-behavior: smooth;
}
.ears {
  display: none;
}

/* headings */
#title, h1, h2, h3, h4, h5, h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px;  /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5, h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div, span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
     support flexbox yet.
  */
  display: table;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
}
ul.empty li, .ulEmpty li {
  margin-top: 0.5em;
}
ul.ulBare, li.ulBare {
  margin-left: 0em !important;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: .8em;
  min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt, code, pre, code {
  background-color: #f9f9f9;
  font-family: 'Roboto Mono', monospace;
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select:none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
/* Fix PDF info block run off issue */
@media print {
  #identifiers dd {
    float: none;
  }
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc  {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: "The RFC Editor will remove this note";
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px;  /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before { /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
    content: "";
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {

    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  h2+*, h3+*, h4+*, h5+*, h6+* {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The follwing is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */

}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}


/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt, code, pre, code {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
  line-height: 1.12;
}


/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact informatio look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
 margin-left: auto;
 margin-right: 0;
}
table.center {
 margin-left: auto;
 margin-right: auto;
}
table.left {
 margin-left: 0;
 margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }

}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
 h2 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 31px;
 }
 h3 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
 h4 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
   margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em;                       /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption, table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
  h4    { font-size: 1em;       padding-top: 1.5em; }
  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav { display: none; }
  #toc.active nav { display: block; }
}
/* Add support for keepWithNext */
.keepWithNext {
  break-after: avoid-page;
  break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
  break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode  {
  break-before: auto;
  break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
  break-before: auto;
  break-inside: auto;
}
dt {
  break-before: auto;
  break-after: avoid-page;
}
dd {
  break-before: avoid-page;
  break-after: auto;
  orphans: 3;
  widows: 3
}
span.break, dd.break {
  margin-bottom: 0;
  min-height: 0;
  break-before: auto;
  break-inside: auto;
  break-after: auto;
}
/* Undo break-before ToC */
@media print {
  #toc {
    break-before: auto;
  }
}
/* Text in compact lists should not get extra bottim margin space,
   since that would makes the list not compact */
ul.compact p, .ulCompact p,
ol.compact p, .olCompact p {
 margin: 0;
}
/* But the list as a whole needs the extra space at the end */
section ul.compact,
section .ulCompact,
section ol.compact,
section .olCompact {
  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
}
/* The tt and code background above interferes with for instance table cell
   backgrounds.  Changed to something a bit more selective. */
tt, code {
  background-color: transparent;
}
p tt, p code, li tt, li code {
  background-color: #f8f8f8;
}
/* Tweak the pre margin -- 0px doesn't come out well */
pre {
   margin-top: 0.5px;
}
/* Tweak the comact list text */
ul.compact, .ulCompact,
ol.compact, .olCompact,
dl.compact, .dlCompact {
  line-height: normal;
}
/* Don't add top margin for nested lists */
li > ul, li > ol, li > dl,
dd > ul, dd > ol, dd > dl,
dl > dd > dl {
  margin-top: initial;
}
/* Elements that should not be rendered on the same line as a <dt> */
/* This should match the element list in writer.text.TextWriter.render_dl() */
dd > div.artwork:first-child,
dd > aside:first-child,
dd > figure:first-child,
dd > ol:first-child,
dd > div:first-child > pre.sourcecode,
dd > table:first-child,
dd > ul:first-child {
  clear: left;
}
/* fix for weird browser behaviour when <dd/> is empty */
dt+dd:empty::before{
  content: "\00a0";
}
/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
li > p {
  margin-bottom: 0.5em
}
/* Don't let p margin spill out from inside list items */
li > p:last-of-type {
  margin-bottom: 0;
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc9150" rel="alternate">
  <link href="urn:issn:2070-1721" rel="alternate">
  <link href="https://datatracker.ietf.org/doc/draft-camwinget-tls-ts13-macciphersuites-12" rel="prev">
  </head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 9150</td>
<td class="center">HMAC-Only Ciphers</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">Cam-Winget &amp; Visoky</td>
<td class="center">Informational</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Independent Submission</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc9150" class="eref">9150</a></dd>
<dt class="label-category">Category:</dt>
<dd class="category">Informational</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-04" class="published">April 2022</time>
    </dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">N. Cam-Winget</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
      <div class="author-name">J. Visoky</div>
<div class="org">ODVA</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 9150</h1>
<h1 id="title">TLS 1.3 Authentication and Integrity-Only Cipher Suites</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">This document defines the use of cipher suites for TLS 1.3 based on Hashed  Message Authentication Code (HMAC). Using these cipher suites provides server and, optionally, mutual authentication and data authenticity, but not data confidentiality.
 Cipher suites with these properties are not of general applicability, but there are use cases, specifically in Internet of Things (IoT) and constrained environments, that do not require confidentiality of exchanged messages while still requiring integrity protection, server authentication, and optional client authentication. This document gives examples of such use cases, with the caveat that prior to using these integrity-only cipher suites, a threat model for the situation at hand is needed, and a threat analysis must be performed within that model to determine whether the use of integrity-only cipher suites is appropriate. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of a reduced-security mechanism that provides authentication and message integrity without supporting confidentiality.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
        <h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
        </h2>
<p id="section-boilerplate.1-1">
            This document is not an Internet Standards Track specification; it is
            published for informational purposes.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
            This is a contribution to the RFC Series, independently of any
            other RFC stream.  The RFC Editor has chosen to publish this
            document at its discretion and makes no statement about its value
            for implementation or deployment.  Documents approved for
            publication by the RFC Editor are not candidates for any level of
            Internet Standard; see Section 2 of RFC 7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <span><a href="https://www.rfc-editor.org/info/rfc9150">https://www.rfc-editor.org/info/rfc9150</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2022 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="xref">2</a>.  <a href="#name-terminology" class="xref">Terminology</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1" class="keepWithNext"><a href="#section-3" class="xref">3</a>.  <a href="#name-applicability-statement" class="xref">Applicability Statement</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-cryptographic-negotiation-u" class="xref">Cryptographic Negotiation Using Integrity-Only Cipher Suites</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-record-payload-protection-f" class="xref">Record Payload Protection for Integrity-Only Cipher Suites</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-key-schedule-when-using-int" class="xref">Key Schedule when Using Integrity-Only Cipher Suites</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-error-alerts" class="xref">Error Alerts</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-iana-considerations" class="xref">IANA Considerations</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-security-and-privacy-consid" class="xref">Security and Privacy Considerations</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-references" class="xref">References</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1">
                <p id="section-toc.1-1.10.2.1.1"><a href="#section-10.1" class="xref">10.1</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.2">
                <p id="section-toc.1-1.10.2.2.1"><a href="#section-10.2" class="xref">10.2</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
            <p id="section-toc.1-1.11.1"><a href="#appendix-A" class="xref"></a><a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
            <p id="section-toc.1-1.12.1"><a href="#appendix-B" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
</li>
        </ul>
</nav>
</section>
</div>
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">There are several use cases in which communications privacy is not strictly needed, although authenticity of the communications transport is still very important. For example, within the industrial automation space, there could be TCP or UDP communications that command a robotic arm to move a certain distance at a certain speed. Without authenticity guarantees, an attacker could modify the packets to change the movement of the robotic arm, potentially causing physical damage. However, the motion control commands are not always considered to be sensitive information, and thus there is no requirement to provide confidentiality. Another Internet of Things (IoT) example with no strong requirement for confidentiality is the reporting of weather information; however, message authenticity is required to ensure integrity of the message.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">There is no requirement to encrypt messages in environments where the information is not confidential, such as when there is no intellectual property associated with the processes, or where the threat model does not indicate any outsider attacks (such as in a closed system). Note, however, that this situation will not apply equally to all use cases (for example, in one case a robotic arm might be used for a process that does not involve any intellectual property but in another case might be used in a different process that does contain intellectual property). Therefore, it is important that a user or system developer carefully examine both the sensitivity of the data and the system threat model to determine the need for encryption before deploying equipment and security protections.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">Besides having a strong need for authenticity and no need for confidentiality, many of these systems also have a strong requirement for low latency. Furthermore, several classes of IoT devices (industrial or otherwise) have limited processing capability. However, these IoT systems still gain great benefit from leveraging TLS 1.3 for secure communications. Given the reduced need for confidentiality, TLS 1.3 cipher suites <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> that maintain data integrity without confidentiality are described in this document. These cipher suites are not meant for general use, as they do not meet the confidentiality and privacy goals of TLS. They should only be used in cases where confidentiality and privacy are not a concern and there are constraints on using cipher suites that provide the full set of security properties. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of a reduced-security mechanism that provides authentication and message integrity with supporting confidentiality.<a href="#section-1-3" class="pilcrow">¶</a></p>
</section>
<section id="section-2">
      <h2 id="name-terminology">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
      </h2>
<p id="section-2-1">This document adopts the conventions for normative language to provide 
      clarity of instructions to the implementer.
      The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>",
      "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>",
      "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>",
      "<span class="bcp14">SHOULD NOT</span>",
      "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>",
      "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document
      are to be interpreted as described in BCP 14
      <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> when, and only
      when, they appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
</section>
<section id="section-3">
      <h2 id="name-applicability-statement">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-applicability-statement" class="section-name selfRef">Applicability Statement</a>
      </h2>
<p id="section-3-1">The two cipher suites defined in this document, which are based on Hashed Message Authentication Code (HMAC) SHAs <span>[<a href="#RFC6234" class="xref">RFC6234</a>]</span>, are intended for a small limited set of applications where confidentiality requirements are relaxed and the need to minimize the number of cryptographic algorithms is prioritized. This section describes some of those applicable use cases.<a href="#section-3-1" class="pilcrow">¶</a></p>
<p id="section-3-2">Use cases in the industrial automation industry, while requiring data integrity, often do not require confidential communications. Mainly, data communicated to unmanned machines to execute repetitive
            tasks does not convey private information. For example, there could be a system with a robotic arm that paints the body of a car. This equipment is used within a car manufacturing plant and is just
                        one piece of equipment in a multi-step manufacturing process. The movements of this robotic arm are likely not a trade secret or sensitive intellectual property, although some portions of the manufacturing of the car
                        might very well contain sensitive intellectual property. Even the mixture for the paint itself might be confidential, but the mixing is done by a completely different piece of equipment and therefore communication to/from that equipment can be encrypted without requiring the communication to/from the robotic arm to be encrypted.
                        Modern manufacturing often has segmented equipment with different levels of risk related to intellectual property, although nearly every communication interaction has strong data authenticity requirements.<a href="#section-3-2" class="pilcrow">¶</a></p>
<p id="section-3-3">Another use case that is closely related is that of fine-grained time updates. Motion systems often rely on time synchronization to ensure proper execution. Time updates are essentially public; there is no threat from an attacker knowing the time update information. This should make intuitive sense to those not familiar with these applications; rarely if ever does time information present a serious attack surface dealing with privacy. However, the authenticity is still quite important. The consequences of maliciously modified time data can vary from mere denial of service to actual physical damage, depending on the particular situation and attacker capability. As these time synchronization updates are very fine-grained, it is again important for latency to be very low.<a href="#section-3-3" class="pilcrow">¶</a></p>
<p id="section-3-4">A third use case deals with data related to alarms. Industrial control sensing equipment can be configured to send alarm information when it meets certain conditions -- for example, temperature goes above or below a given threshold. Oftentimes, this data is used to detect certain out-of-tolerance conditions, allowing an operator or automated system to take corrective action. Once again, in many systems the reading of this data doesn't grant the attacker information that can be exploited; it is generally just information regarding the physical state of the system. At the same time, being able to modify this data would allow an attacker to either trigger alarms falsely or cover up evidence of an attack that might allow for detection of their malicious activity. Furthermore, sensors are often low-powered devices that might struggle to process encrypted and authenticated data. These sensors might be very cost sensitive such that there is not enough processing power for data encryption. Sending data that is just authenticated but not encrypted eases the burden placed on these devices yet still allows the data to be protected against any tampering threats. A user can always choose to pay more for a sensor with encryption capability, but for some, data authenticity will be sufficient.<a href="#section-3-4" class="pilcrow">¶</a></p>
<p id="section-3-5">A fourth use case considers the protection of commands in the railway industry. In railway control systems, no confidentiality requirements are applied for the command exchange between an interlocking controller and a railway equipment controller (for instance, a railway point controller of a tram track where the position of the controlled point is publicly available).
            However, protecting the integrity and authenticity of those commands is vital; otherwise, an adversary could change the target position of the point by modifying the commands, which consequently could lead to the derailment of a passing train.
            Furthermore, requirements for providing flight-data recording of the
safety-related network traffic can only be fulfilled through using authenticity-only ciphers as, typically, the recording is used by a third party responsible for the analysis after an accident. The analysis requires such third party to extract the safety-related commands from the recording.<a href="#section-3-5" class="pilcrow">¶</a></p>
<p id="section-3-6">The fifth use case deals with data related to civil aviation airplanes and ground communication. Pilots can send and receive messages to/from ground control, such as airplane route-of-flight updates, weather information, controller and pilot communication, and airline back-office communication. Similarly, the Air Traffic Control (ATC) service uses air-to-ground communication to receive the surveillance data that relies on (is dependent on) downlink reports from an airplane's avionics. This communication occurs automatically in accordance with contracts established between the ATC ground system and the airplane's avionics. Reports can be sent whenever specific events occur or specific time intervals are reached. In many systems, the reading of this data doesn't grant the attacker information that can be exploited; it is generally just information regarding the states of the airplane, controller pilot communication, meteorological information, etc. At the same time, being able to modify this data would allow an attacker to either put aircraft in the wrong flight trajectory or provide false information to ground control that might delay flights, damage property, or harm life. Sending data that is not encrypted but is authenticated allows the data to be protected against any tampering threats. Data authenticity is sufficient for the air traffic, weather, and surveillance information exchanges between airplanes and the ground systems.<a href="#section-3-6" class="pilcrow">¶</a></p>
<p id="section-3-7"> The above use cases describe the requirements where confidentiality is not needed and/or interferes with other requirements. Some of these use cases are based on devices that come with a small runtime memory footprint and reduced processing power; therefore, the need to minimize the number of cryptographic algorithms used is a priority. Despite this, it is noted that memory, performance, and processing power implications of any given algorithm or set of algorithms are highly dependent on hardware and software architecture. Therefore, although these cipher suites may provide performance benefits, they will not necessarily provide these benefits in all cases on all platforms. Furthermore, in some use cases, third-party inspection of data is specifically needed, which is also supported through the lack of confidentiality mechanisms.<a href="#section-3-7" class="pilcrow">¶</a></p>
</section>
<section id="section-4">
      <h2 id="name-cryptographic-negotiation-u">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-cryptographic-negotiation-u" class="section-name selfRef">Cryptographic Negotiation Using Integrity-Only Cipher Suites</a>
      </h2>
<p id="section-4-1">The cryptographic negotiation as specified in <span>[<a href="#RFC8446" class="xref">RFC8446</a>], <a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.1.1" class="relref">Section 4.1.1</a></span> remains the same, with the inclusion of the following cipher suites:<a href="#section-4-1" class="pilcrow">¶</a></p>
<ul class="normal ulEmpty">
<li class="normal ulEmpty" id="section-4-2.1">TLS_SHA256_SHA256 {0xC0,0xB4}<a href="#section-4-2.1" class="pilcrow">¶</a>
</li>
        <li class="normal ulEmpty" id="section-4-2.2">TLS_SHA384_SHA384 {0xC0,0xB5}<a href="#section-4-2.2" class="pilcrow">¶</a>
</li>
      </ul>
<p id="section-4-3">
            As defined in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>, TLS 1.3 cipher suites denote the Authenticated Encryption with Associated Data (AEAD) algorithm for record protection and the hash algorithm to use with the HMAC-based Key Derivation Function (HKDF). The cipher suites provided by this document are defined in a similar way, but they use the HMAC authentication tag to model the AEAD interface, as only an HMAC is provided for record protection (without encryption). These cipher suites allow the use of SHA-256 or SHA-384 as the HMAC for data integrity protection as well as its use for the HKDF. The authentication mechanisms remain unchanged with the intent to only update the cipher suites to relax the need for confidentiality.<a href="#section-4-3" class="pilcrow">¶</a></p>
<p id="section-4-4"> Given that these cipher suites do not support confidentiality, they <span class="bcp14">MUST NOT</span> be used with authentication and key exchange methods that rely on confidentiality.<a href="#section-4-4" class="pilcrow">¶</a></p>
</section>
<section id="section-5">
      <h2 id="name-record-payload-protection-f">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-record-payload-protection-f" class="section-name selfRef">Record Payload Protection for Integrity-Only Cipher Suites</a>
      </h2>
<p id="section-5-1">Record payload protection as defined in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> is retained in modified form when integrity-only cipher suites are used. Note that due to the purposeful use of hash algorithms, instead of AEAD algorithms, confidentiality protection of the record payload is not provided.
            This section describes the mapping of record payload structures when integrity-only cipher suites are employed.<a href="#section-5-1" class="pilcrow">¶</a></p>
<p id="section-5-2"> Given that there is no encryption to be done at the record layer, the operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt" and "AEAD-Decrypt" <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>, respectively.<a href="#section-5-2" class="pilcrow">¶</a></p>
<p id="section-5-3"> As integrity protection is provided over the full record, the encrypted_record in the TLSCiphertext along with the additional_data input to protected_data (termed AEADEncrypted data in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>) as defined in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-5.2" class="relref">Section 5.2</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span> remain the same.
            The TLSCiphertext.length for the integrity cipher suites will be:<a href="#section-5-3" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-5-4">
<pre>
TLS_SHA256_SHA256:
   TLSCiphertext.length = TLSInnerPlaintext_length + 32

TLS_SHA384_SHA384:
   TLSCiphertext.length = TLSInnerPlaintext_length + 48
</pre><a href="#section-5-4" class="pilcrow">¶</a>
</div>
<p id="section-5-5"> Note that TLSInnerPlaintext_length is not defined as an explicit field in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>; this refers to the length of the encoded TLSInnerPlaintext structure.<a href="#section-5-5" class="pilcrow">¶</a></p>
<p id="section-5-6"> The resulting protected_record is the concatenation of the TLSInnerPlaintext with the resulting HMAC. Note that this is analogous to the "encrypted_record" as defined in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>, although it is referred to as a "protected_record" because of the lack of confidentiality via encryption. With this mapping, the record validation order as defined in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-5.2" class="relref">Section 5.2</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span> remains the same. That is, the encrypted_record field of TLSCiphertext is set to:<a href="#section-5-6" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-5-7">
<pre>
   encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext ||
   HMAC(write_key, nonce || additional_data || TLSInnerPlaintext)
</pre><a href="#section-5-7" class="pilcrow">¶</a>
</div>
<p id="section-5-8">Here, "nonce" refers to the per-record nonce described in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-5.3" class="relref">Section 5.3</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>.<a href="#section-5-8" class="pilcrow">¶</a></p>
<p id="section-5-9"> For DTLS 1.3, the DTLSCiphertext is set to:<a href="#section-5-9" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-5-10">
<pre>
   encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext ||
   HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext)
</pre><a href="#section-5-10" class="pilcrow">¶</a>
</div>
<p id="section-5-11"> The DTLS "nonce" refers to the per-record nonce described in <span><a href="https://www.rfc-editor.org/rfc/rfc9147#section-4.2.2" class="relref">Section 4.2.2</a> of [<a href="#RFC9147" class="xref">DTLS13</a>]</span>.<a href="#section-5-11" class="pilcrow">¶</a></p>
<p id="section-5-12"> The Protect and Unprotect operations provide the integrity protection using HMAC SHA-256 or HMAC SHA-384 as described in <span>[<a href="#RFC6234" class="xref">RFC6234</a>]</span>.<a href="#section-5-12" class="pilcrow">¶</a></p>
<p id="section-5-13"> Due to the lack of encryption of the plaintext, record padding does not provide any obfuscation as to the plaintext size, although it can be optionally included.<a href="#section-5-13" class="pilcrow">¶</a></p>
</section>
<section id="section-6">
      <h2 id="name-key-schedule-when-using-int">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-key-schedule-when-using-int" class="section-name selfRef">Key Schedule when Using Integrity-Only Cipher Suites</a>
      </h2>
<p id="section-6-1"> The key derivation process for integrity-only cipher suites remains the same as that defined in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>. The only difference is that the keys used to protect the tunnel apply to the negotiated HMAC SHA-256 or HMAC SHA-384 ciphers. Note that the traffic key material (client_write_key, client_write_iv, server_write_key, and server_write_iv) <span class="bcp14">MUST</span> be calculated as per <span>[<a href="#RFC8446" class="xref">RFC8446</a>], <a href="https://www.rfc-editor.org/rfc/rfc8446#section-7.3" class="relref">Section 7.3</a></span>. The key lengths and Initialization Vectors (IVs) for these cipher suites are according to the hash output lengths. In other words, the following key lengths and IV lengths <span class="bcp14">SHALL</span> be:<a href="#section-6-1" class="pilcrow">¶</a></p>
<table class="center" id="table-1">
        <caption><a href="#table-1" class="selfRef">Table 1</a></caption>
<thead>
          <tr>
            <th class="text-left" rowspan="1" colspan="1">Cipher Suite</th>
            <th class="text-left" rowspan="1" colspan="1">Key Length</th>
            <th class="text-left" rowspan="1" colspan="1">IV Length</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">TLS_SHA256_SHA256</td>
            <td class="text-left" rowspan="1" colspan="1">32 Bytes</td>
            <td class="text-left" rowspan="1" colspan="1">32 Bytes</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">TLS_SHA384_SHA384</td>
            <td class="text-left" rowspan="1" colspan="1">48 Bytes</td>
            <td class="text-left" rowspan="1" colspan="1">48 Bytes</td>
          </tr>
        </tbody>
      </table>
</section>
<section id="section-7">
      <h2 id="name-error-alerts">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-error-alerts" class="section-name selfRef">Error Alerts</a>
      </h2>
<p id="section-7-1">The error alerts as defined by <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> remain the same; in particular:<a href="#section-7-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-7-2">
        <dt id="section-7-2.1">bad_record_mac:</dt>
        <dd style="margin-left: 1.5em" id="section-7-2.2">This alert can also occur for a record whose message authentication code cannot be validated. Since these cipher suites do not involve record encryption, this alert will only occur when the HMAC fails to verify.<a href="#section-7-2.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-7-2.3">decrypt_error:</dt>
        <dd style="margin-left: 1.5em" id="section-7-2.4">This alert, as described in <span>[<a href="#RFC8446" class="xref">RFC8446</a>], <a href="https://www.rfc-editor.org/rfc/rfc8446#section-6.2" class="relref">Section 6.2</a></span>, occurs when the signature or message authentication code cannot be validated. Note that this error is only sent during the handshake, not for an error in validating record HMACs.<a href="#section-7-2.4" class="pilcrow">¶</a>
</dd>
      <dd class="break"></dd>
</dl>
</section>
<div id="IANA">
<section id="section-8">
      <h2 id="name-iana-considerations">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<p id="section-8-1">IANA has registered the following cipher suites, defined by this document, in the "TLS Cipher Suites" registry:<a href="#section-8-1" class="pilcrow">¶</a></p>
<div id="iana_table">
<table class="center" id="table-2">
        <caption><a href="#table-2" class="selfRef">Table 2</a></caption>
<thead>
          <tr>
            <th class="text-left" rowspan="1" colspan="1">Value</th>
            <th class="text-left" rowspan="1" colspan="1">Description</th>
            <th class="text-left" rowspan="1" colspan="1">DTLS-OK</th>
            <th class="text-left" rowspan="1" colspan="1">Recommended</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">0xC0,0xB4</td>
            <td class="text-left" rowspan="1" colspan="1">TLS_SHA256_SHA256</td>
            <td class="text-left" rowspan="1" colspan="1">Y</td>
            <td class="text-left" rowspan="1" colspan="1">N</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">0xC0,0xB5</td>
            <td class="text-left" rowspan="1" colspan="1">TLS_SHA384_SHA384</td>
            <td class="text-left" rowspan="1" colspan="1">Y</td>
            <td class="text-left" rowspan="1" colspan="1">N</td>
          </tr>
        </tbody>
      </table>
</div>
</section>
</div>
<div id="Security">
<section id="section-9">
      <h2 id="name-security-and-privacy-consid">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-security-and-privacy-consid" class="section-name selfRef">Security and Privacy Considerations</a>
      </h2>
<p id="section-9-1">In general, except for confidentiality and privacy, the security considerations detailed in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> and <span>[<a href="#RFC5246" class="xref">RFC5246</a>]</span> apply to this document. Furthermore, as the cipher suites described in this document do not provide any confidentiality, it is important that they only be used in cases where there are no confidentiality or privacy requirements and concerns; the runtime memory requirements can accommodate support for authenticity-only cryptographic constructs.<a href="#section-9-1" class="pilcrow">¶</a></p>
<p id="section-9-2">With the lack of data encryption specified in this specification, no confidentiality or privacy is provided for the data transported via the TLS session. That is, the record layer is not encrypted when using these cipher suites, nor is the handshake. To highlight the loss of privacy, the information carried in the TLS handshake, which includes both the server and client certificates, while integrity protected, will be sent unencrypted. Similarly, other TLS extensions that may be carried in the server's EncryptedExtensions message will only be integrity protected without provisions for confidentiality. Furthermore, with this lack of confidentiality, any private Pre-Shared Key (PSK) data <span class="bcp14">MUST NOT</span> be sent in the handshake while using these cipher suites. However, as PSKs may be loaded externally, these cipher suites can be used with the 0-RTT handshake defined in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>, with the same security implications discussed therein applied.<a href="#section-9-2" class="pilcrow">¶</a></p>
<p id="section-9-3">Application protocols that build on TLS or DTLS for protection (e.g., HTTP) may have implicit assumptions of data confidentiality. Any assumption of data confidentiality is invalidated by the use of these cipher suites, as no data confidentiality is provided. This applies to any data sent over the application-data channel (e.g., bearer tokens in HTTP), as data requiring confidentiality <span class="bcp14">MUST NOT</span> be sent using these cipher suites.<a href="#section-9-3" class="pilcrow">¶</a></p>
<p id="section-9-4">  Limits on key usage for AEAD-based ciphers are described in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>. However, as the cipher suites discussed here are not AEAD, those same limits do not apply. The general security properties of HMACs discussed in <span>[<a href="#RFC2104" class="xref">RFC2104</a>]</span> and <span>[<a href="#BCK1" class="xref">BCK1</a>]</span> apply.  Additionally, security considerations on the algorithm's strength based on the HMAC key length and truncation length further described in <span>[<a href="#RFC4868" class="xref">RFC4868</a>]</span> also apply. Until further cryptanalysis demonstrates limitations on key usage for HMACs, general practice for key usage recommends that implementations place limits on the lifetime of the HMAC keys and invoke a key update as described in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> prior to reaching this limit.<a href="#section-9-4" class="pilcrow">¶</a></p>
<p id="section-9-5">DTLS 1.3 defines a mechanism for encrypting the DTLS record sequence numbers. However, as these cipher suites do not utilize encryption, the record sequence numbers are sent unencrypted. That is, the procedure for DTLS record sequence number protection is to apply no protection for these cipher suites.<a href="#section-9-5" class="pilcrow">¶</a></p>
<p id="section-9-6">Given the lack of confidentiality, these cipher suites <span class="bcp14">MUST NOT</span> be enabled by default. As these cipher suites are meant to serve the IoT market, it is important that any IoT endpoint that uses them be explicitly configured with a policy of non-confidential communications.<a href="#section-9-6" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-10">
      <h2 id="name-references">
<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-10.1">
        <h3 id="name-normative-references">
<a href="#section-10.1" class="section-number selfRef">10.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="BCK1">[BCK1]</dt>
        <dd>
<span class="refAuthor">Bellare, M.</span>, <span class="refAuthor">Canetti, R.</span>, and <span class="refAuthor">H. Krawczyk</span>, <span class="refTitle">"Keying Hash Functions for Message Authentication"</span>, <span class="seriesInfo">DOI 10.1007/3-540-68697-5_1</span>, <time datetime="1996" class="refDate">1996</time>, <span>&lt;<a href="https://link.springer.com/chapter/10.1007/3-540-68697-5_1">https://link.springer.com/chapter/10.1007/3-540-68697-5_1</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC9147">[DTLS13]</dt>
        <dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refAuthor">Tschofenig, H.</span>, and <span class="refAuthor">N. Modadugu</span>, <span class="refTitle">"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 9147</span>, <span class="seriesInfo">DOI 10.17487/RFC9147</span>, <time datetime="2022-04" class="refDate">April 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9147">https://www.rfc-editor.org/info/rfc9147</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC2104">[RFC2104]</dt>
        <dd>
<span class="refAuthor">Krawczyk, H.</span>, <span class="refAuthor">Bellare, M.</span>, and <span class="refAuthor">R. Canetti</span>, <span class="refTitle">"HMAC: Keyed-Hashing for Message Authentication"</span>, <span class="seriesInfo">RFC 2104</span>, <span class="seriesInfo">DOI 10.17487/RFC2104</span>, <time datetime="1997-02" class="refDate">February 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2104">https://www.rfc-editor.org/info/rfc2104</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC2119">[RFC2119]</dt>
        <dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC4868">[RFC4868]</dt>
        <dd>
<span class="refAuthor">Kelly, S.</span> and <span class="refAuthor">S. Frankel</span>, <span class="refTitle">"Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec"</span>, <span class="seriesInfo">RFC 4868</span>, <span class="seriesInfo">DOI 10.17487/RFC4868</span>, <time datetime="2007-05" class="refDate">May 2007</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4868">https://www.rfc-editor.org/info/rfc4868</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6234">[RFC6234]</dt>
        <dd>
<span class="refAuthor">Eastlake 3rd, D.</span> and <span class="refAuthor">T. Hansen</span>, <span class="refTitle">"US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"</span>, <span class="seriesInfo">RFC 6234</span>, <span class="seriesInfo">DOI 10.17487/RFC6234</span>, <time datetime="2011-05" class="refDate">May 2011</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6234">https://www.rfc-editor.org/info/rfc6234</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
        <dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8446">[RFC8446]</dt>
      <dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 8446</span>, <span class="seriesInfo">DOI 10.17487/RFC8446</span>, <time datetime="2018-08" class="refDate">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8446">https://www.rfc-editor.org/info/rfc8446</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
<section id="section-10.2">
        <h3 id="name-informative-references">
<a href="#section-10.2" class="section-number selfRef">10.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
        </h3>
<dl class="references">
<dt id="RFC5246">[RFC5246]</dt>
      <dd>
<span class="refAuthor">Dierks, T.</span> and <span class="refAuthor">E. Rescorla</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.2"</span>, <span class="seriesInfo">RFC 5246</span>, <span class="seriesInfo">DOI 10.17487/RFC5246</span>, <time datetime="2008-08" class="refDate">August 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5246">https://www.rfc-editor.org/info/rfc5246</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</section>
<div id="Acknowledgements">
<section id="appendix-A">
      <h2 id="name-acknowledgements">
<a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
      </h2>
<p id="appendix-A-1">The authors would like to acknowledge the work done by Industrial Communications Standards Groups (such as ODVA) as the motivation for this document. We would also like to thank <span class="contact-name">Steffen Fries</span> for providing a fourth use case and <span class="contact-name">Madhu Niraula</span> for a fifth use case. In addition, we are grateful for the advice and feedback from <span class="contact-name">Joe Salowey</span>, <span class="contact-name">Blake Anderson</span>, <span class="contact-name">David McGrew</span>, <span class="contact-name">Clement Zeller</span>, and <span class="contact-name">Peter Wu</span>.<a href="#appendix-A-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="appendix-B">
      <h2 id="name-authors-addresses">
<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Nancy Cam-Winget</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div dir="auto" class="left"><span class="street-address">3550 Cisco Way</span></div>
<div dir="auto" class="left">
<span class="locality">San Jose</span>, <span class="region">CA</span> <span class="postal-code">95134</span>
</div>
<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:ncamwing@cisco.com" class="email">ncamwing@cisco.com</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Jack Visoky</span></div>
<div dir="auto" class="left"><span class="org">ODVA</span></div>
<div dir="auto" class="left"><span class="street-address">1 Allen Bradley Dr</span></div>
<div dir="auto" class="left">
<span class="locality">Mayfield Heights</span>, <span class="region">OH</span> <span class="postal-code">44124</span>
</div>
<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:jmvisoky@ra.rockwell.com" class="email">jmvisoky@ra.rockwell.com</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>