draft-ietf-httpbis-encryption-encoding-07.txt   draft-ietf-httpbis-encryption-encoding-latest.txt 
HTTP Working Group M. Thomson HTTP Working Group M. Thomson
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track February 13, 2017 Intended status: Standards Track February 21, 2017
Expires: August 17, 2017 Expires: August 25, 2017
Encrypted Content-Encoding for HTTP Encrypted Content-Encoding for HTTP
draft-ietf-httpbis-encryption-encoding-07 draft-ietf-httpbis-encryption-encoding-latest
Abstract Abstract
This memo introduces a content coding for HTTP that allows message This memo introduces a content coding for HTTP that allows message
payloads to be encrypted. payloads to be encrypted.
Note to Readers Note to Readers
Discussion of this draft takes place on the HTTP working group Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at mailing list (ietf-http-wg@w3.org), which is archived at
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 17, 2017. This Internet-Draft will expire on August 25, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 27 skipping to change at page 4, line 27
The "aes128gcm" content coding uses a fixed record size. The final The "aes128gcm" content coding uses a fixed record size. The final
encoding consists of a header (see Section 2.1) and zero or more encoding consists of a header (see Section 2.1) and zero or more
fixed size encrypted records; the final record can be smaller than fixed size encrypted records; the final record can be smaller than
the record size. the record size.
The record size determines the length of each portion of plaintext The record size determines the length of each portion of plaintext
that is enciphered. The record size ("rs") is included in the that is enciphered. The record size ("rs") is included in the
content coding header (see Section 2.1). content coding header (see Section 2.1).
+-----------+ content +-----------+ content
| data | any length up to rs-17 octets | data | any length up to rs-17 octets
+-----------+ +-----------+
| |
v v
+-----------+-----+ add a delimiter octet (0x01 or 0x02) +-----------+-----+ add a delimiter octet (0x01 or 0x02)
| data | pad | the 0x00-valued octets to rs-16 | data | pad | then 0x00-valued octets to rs-16
+-----------+-----+ (or less on the last record) +-----------+-----+ (or less on the last record)
| |
v v
+--------------------+ encrypt with AEAD_AES_128_GCM; +--------------------+ encrypt with AEAD_AES_128_GCM;
| ciphertext | final size is rs; | ciphertext | final size is rs;
+--------------------+ the last record can be smaller +--------------------+ the last record can be smaller
AEAD_AES_128_GCM produces ciphertext 16 octets longer than its input AEAD_AES_128_GCM produces ciphertext 16 octets longer than its input
plaintext. Therefore, the unencrypted content of each record is plaintext. Therefore, the unencrypted content of each record is
shorter than the record size by 16 octets. Valid records always shorter than the record size by 16 octets. Valid records always
contain at least a padding delimiter octet and a 16 octet contain at least a padding delimiter octet and a 16 octet
authentication tag. authentication tag.
Each record contains a single padding delimiter octet followed by any Each record contains a single padding delimiter octet followed by any
number of zero octets. The last record uses a padding delimiter number of zero octets. The last record uses a padding delimiter
octet set to the value 2, all other records have a padding delimiter octet set to the value 2, all other records have a padding delimiter
octet value of 1. A decrypter MUST fail if the unencrypted content octet value of 1.
of a record is all zero-valued. A decrypter MUST fail if the last
record contains a padding delimiter with a value other than 2; a On decryption, the padding delimiter is the last non-zero valued
decrypter MUST fail if any record other than the last contains a octet of the record. A decrypter MUST fail if the record contains no
padding delimiter with a value other than 1. non-zero octet. A decrypter MUST fail if the last record contains a
padding delimiter with a value other than 2 or if any record other
than the last contains a padding delimiter with a value other than 1.
The nonce for each record is a 96-bit value constructed from the The nonce for each record is a 96-bit value constructed from the
record sequence number and the input keying material. Nonce record sequence number and the input keying material. Nonce
derivation is covered in Section 2.3. derivation is covered in Section 2.3.
The additional data passed to each invocation of AEAD_AES_128_GCM is The additional data passed to each invocation of AEAD_AES_128_GCM is
a zero-length octet sequence. a zero-length octet sequence.
A consequence of this record structure is that range requests A consequence of this record structure is that range requests
[RFC7233] and random access to encrypted payload bodies are possible [RFC7233] and random access to encrypted payload bodies are possible
skipping to change at page 12, line 22 skipping to change at page 12, line 22
o Name: aes128gcm o Name: aes128gcm
o Description: AES-GCM encryption with a 128-bit content encryption o Description: AES-GCM encryption with a 128-bit content encryption
key key
o Reference: this specification o Reference: this specification
6. References 6. References
6.1. Normative References 6.1. Normative References
[FIPS180-4] [FIPS180-4]
Department of Commerce, National Institute of Standards National Institute of Standards and Technology, U.S.
and Technology, U., "NIST FIPS 180-4, Secure Hash Department of Commerce, "NIST FIPS 180-4, Secure Hash
Standard", March 2012, <http://csrc.nist.gov/publications/ Standard", DOI 10.6028/NIST.FIPS.180-4, August 2015, <http
fips/fips180-4/fips-180-4.pdf>. ://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
November 2003, <http://www.rfc-editor.org/info/rfc3629>. November 2003, <http://www.rfc-editor.org/info/rfc3629>.
skipping to change at page 14, line 6 skipping to change at page 14, line 6
<http://www.rfc-editor.org/info/rfc7516>. <http://www.rfc-editor.org/info/rfc7516>.
[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540, Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015, DOI 10.17487/RFC7540, May 2015,
<http://www.rfc-editor.org/info/rfc7540>. <http://www.rfc-editor.org/info/rfc7540>.
[XMLENC] Eastlake, D., Reagle, J., Hirsch, F., Roessler, T., [XMLENC] Eastlake, D., Reagle, J., Hirsch, F., Roessler, T.,
Imamura, T., Dillaway, B., Simon, E., Yiu, K., and M. Imamura, T., Dillaway, B., Simon, E., Yiu, K., and M.
Nystroem, "XML Encryption Syntax and Processing", W3C Nystroem, "XML Encryption Syntax and Processing", W3C
Recommendation REC-xmlenc-core1-20130411 , January 2013, Recommendation REC-xmlenc-core1-20130411, January 2013,
<https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411>. <https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411>.
Appendix A. JWE Mapping Appendix A. JWE Mapping
The "aes128gcm" content coding can be considered as a sequence of The "aes128gcm" content coding can be considered as a sequence of
JSON Web Encryption (JWE) objects [RFC7516], each corresponding to a JSON Web Encryption (JWE) objects [RFC7516], each corresponding to a
single fixed size record that includes trailing padding. The single fixed size record that includes trailing padding. The
following transformations are applied to a JWE object that might be following transformations are applied to a JWE object that might be
expressed using the JWE Compact Serialization: expressed using the JWE Compact Serialization:
 End of changes. 8 change blocks. 
19 lines changed or deleted 21 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/