<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[ <!ENTITYRFC2104 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2104.xml">nbsp " "> <!ENTITYRFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">zwsp "​"> <!ENTITYRFC4492 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">nbhy "‑"> <!ENTITYRFC5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml"> <!ENTITY RFC6234 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml"> <!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!ENTITY RFC8446 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8446.xml"> <!ENTITY RFC4868 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4868.xml">wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- OPTIONS, known as processing instructions (PIs) go here. --> <!-- For a complete list and description of PIs, please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable PIs that most I-Ds might want to use. --> <?rfc strict="yes" ?> <!-- give errors regarding ID-nits and DTD validation --> <!-- control the table of contents (ToC): --> <?rfc toc="yes"?> <!-- generate a ToC --> <?rfc tocdepth="2"?> <!-- the number of levels of subsections in ToC. default: 3 --> <!-- control references: --> <?rfc symrefs="yes"?> <!-- use symbolic references tags, i.e, [RFC2119] instead of [1] --> <?rfc sortrefs="yes" ?> <!-- sort the reference entries alphabetically --> <!-- control vertical white space: (using these PIs as follows is recommended by the RFC Editor) --> <?rfc compact="yes" ?> <!-- do not start eacddh main section on a new page --> <?rfc subcompact="no" ?> <!-- keep one blank line between list items --> <!-- end of popular PIs --><rfccategory="info"xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-camwinget-tls-ts13-macciphersuites-12"ipr="trust200902">number="9150" ipr="trust200902" obsoletes="" updates="" submissionType="independent" category="info" xml:lang="en" tocInclude="true" tocDepth="2" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.8.0 --> <front> <titleabbrev="MAC-onlyabbrev="HMAC-Only Ciphers">TLS 1.3 Authentication andIntegrity onlyIntegrity-Only Cipher Suites</title> <seriesInfo name="RFC" value="9150"/> <author fullname="Nancy Cam-Winget" initials="N" surname="Cam-Winget"> <organization>Cisco Systems</organization> <address> <postal> <street>3550 CiscoWay </street>Way</street> <city>San Jose</city><country>USA</country><country>United States of America</country> <code>95134</code> <region>CA</region> </postal> <email>ncamwing@cisco.com</email> </address> </author> <author fullname="Jack Visoky" initials="J" surname="Visoky"> <organization>ODVA</organization> <address> <postal> <street>1 Allen BradleyDr </street>Dr</street> <city>Mayfield Heights</city> <code>44124</code><country>USA</country><country>United States of America</country> <region>OH</region> </postal> <email>jmvisoky@ra.rockwell.com</email> </address> </author><date/><date year="2022" month="January"/> <area>Security</area> <workgroup>TLS</workgroup><!-- <keyword/> --> <!-- <keyword/> --> <!-- <keyword/> --> <!-- <keyword/> --><keyword>HMAC</keyword> <keyword>IoT</keyword> <keyword>constrained devices</keyword> <abstract> <t>This document defines the use ofHMAC-onlycipher suites for TLS1.3, which1.3 based on Hashed Message Authentication Code (HMAC). Using these cipher suites provides serverand optionallyand, optionally, mutual authentication and data authenticity, but not data confidentiality. Cipher suites with these properties are not of general applicability, but there are use cases, specifically in Internet of Things (IoT) and constrained environments, that do not require confidentiality of exchanged messages while still requiring integrity protection, server authentication, and optional client authentication. This document gives examples of such use cases, with the caveat that prior to using these integrity-only cipher suites, a threat model for the situation at hand is needed, and a threat analysis must be performed within that model to determine whether the use of integrity-only cipher suites is appropriate. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of areduced securityreduced-security mechanism that provides authentication and message integrity without supporting confidentiality.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>There are several use cases in which communications privacy is not strictly needed, although authenticity of the communications transport is still very important. For example, within theIndustrial Automation spaceindustrial automation space, there could be TCP or UDP communicationswhichthat command a robotic arm to move a certain distance at a certain speed. Without authenticity guarantees, an attacker could modify the packets to change the movement of the robotic arm, potentially causing physical damage. However, the motion control commands are not always considered to be sensitiveinformationinformation, and thus there is no requirement to provide confidentiality. Another Internet of Things (IoT) example with no strong requirement for confidentiality is the reporting of weather information; however, message authenticity is required to ensure integrity of the message.</t> <t>There is no requirement to encrypt messages in environments where the information is notconfidential;confidential, such as when there is no intellectual property associated with the processes, or where the threat model does not indicate any outsider attacks (such as in a closed system).NoteNote, however, that this situation will not apply equally to all use cases (for example, in one case a robotic arm might be usedin one casefor a process that does not involve any intellectualproperty,property but in another case might be used in a different process that does contain intellectual property). Therefore, it is important that a user or system developer carefully examine both the sensitivity of the data and the system threat model to determine the need for encryption before deploying equipment and security protections.</t> <t>Besides having a strong need for authenticity and no need for confidentiality, many of these systems also have a strong requirement for low latency. Furthermore, several classes of IoTdevicedevices (industrial or otherwise) have limited processing capability. However, these IoT systems still gain great benefit from leveraging TLS 1.3 for secure communications. Given the reduced need for confidentiality, TLS 1.3<xref target="RFC8446"/>cipher suites <xref target="RFC8446" format="default"/> that maintain data integrity without confidentiality are described in this document. These cipher suites are not meant for generaluseuse, as they do not meet the confidentiality and privacy goals of TLS. They should only be used in cases where confidentiality and privacyisare not a concern and there are constraints on using cipher suites that provide the full set of security properties. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of areduced securityreduced-security mechanism that provides authentication and message integrity with supporting confidentiality. </t> </section> <sectiontitle="Terminology">numbered="true" toc="default"> <name>Terminology</name> <t>This document adopts the conventions for normative language to provide clarity of instructions to the implementer. The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere. </t>here.</t> </section> <sectiontitle="Applicability Statement">numbered="true" toc="default"> <name>Applicability Statement</name> <t>The twoHMAC SHA <xref target="RFC6234"/> basedcipher suites defined in thisdocumentdocument, which are based on Hashed Message Authentication Code (HMAC) SHAs <xref target="RFC6234" format="default"/>, are intended for a small limited set of applications where confidentiality requirements are relaxed and the need to minimize the number of cryptographic algorithms is prioritized. This section describes some of those applicable use cases. </t> <t>Use cases in the industrial automation industry, while requiring data integrity, often do not require confidential communications. Mainly,informationdata communicated to unmanned machines to execute repetitive tasks does not convey private information. For example, there could be a system with a robotic arm that paints the body of a car. This equipment is used within a car manufacturingplant,plant and is just one piece of equipment in a multi-step manufacturing process. The movements of this robotic arm are likely not a trade secret or sensitive intellectual property, although some portions of the manufacturing of the car might very well contain sensitive intellectual property. Even the mixture for the paint itself might be confidential, but the mixing is done by a completely different piece of equipment and therefore communication to/from that equipment can be encrypted without requiring the communication to/from the robotic arm to be encrypted. Modern manufacturing often has segmented equipment with different levels of riskonrelated to intellectual property, although nearly every communication interaction has strong data authenticity requirements. </t> <t>Another use casewhichthat is closely related is that of fine-grained time updates. Motion systems often rely on time synchronization to ensure proper execution. Time updates are essentially public; there is no threat from an attacker knowing the time update information. This should make intuitive sense to those not familiar with these applications; rarely if ever does time information present a serious attack surface dealing with privacy. However, the authenticity is still quite important. The consequences of maliciously modified time data can vary from mere denial of service to actual physical damage, depending on the particular situation and attacker capability. As these time synchronization updates are very fine-grained, it is again important for latency to be very low.</t> <t>A third use case deals with data related to alarms. Industrial control sensing equipment can be configured to send alarm information when it meets certainconditions,conditions -- for example, temperature goes above or below a given threshold.Often timesOftentimes, this data is used to detect certain out-of-tolerance conditions, allowing an operator or automated system to take corrective action. Once again, in many systems the reading of this data doesn't grant the attacker information that can beexploited,exploited; it is generally just information regarding the physical state of the system. At the same time, being able to modify this data would allow an attacker to either trigger alarms falsely ortocover up evidence of an attack that might allow for detection of their malicious activity. Furthermore, sensors are oftenlow poweredlow-powered devices that might struggle to process encrypted and authenticated data. These sensors might be very cost sensitive such that there is not enough processing power for data encryption. Sending data that is just authenticated but not encrypted eases the burden placed on thesedevices,devices yet still allows the data to be protected against any tampering threats. A user can always choose to pay more for a sensor with encryption capability, but for some, data authenticity will be sufficient. </t> <t>A fourth use case considers the protection of commands in the railway industry. In railway control systems, no confidentiality requirements are applied for the command exchange between an interlocking controller and a railway equipment controller (for instance, a railway point controller of a tram track where the position of the controlled point is publicly available). However, protecting the integrity and authenticity of those commands isvital,vital; otherwise, an adversary could change the target position of the point by modifying the commands, which consequently could lead to the derailment of a passing train. Furthermore, requirements for providingblackboxflight-data recording of thesafety relatedsafety-related network traffic can only be fulfilled through using authenticity-onlyciphers, to be able to provideciphers as, typically, thesafety related commands torecording is used by a thirdparty, which isparty responsible for the analysis after anaccident.</t>accident. The analysis requires such third party to extract the safety-related commands from the recording. </t> <t>The fifth use case deals with data related to civil aviation airplanes and ground communication. Pilots can send and receive messages to/from groundcontrolcontrol, such as airplane route-of-flightupdate,updates, weather information, controller and pilot communication, and airlineback officeback-office communication. Similarly, theAviationAir Traffic Control (ATC)use air to groundservice uses air-to-ground communication to receive the surveillance data that relies on (is dependent on) downlink reports from an airplane's avionics. This communication occurs automatically in accordance with contracts established between the ATC ground system and the airplane's avionics. Reports can be sent whenever specific eventsoccur,occur or specific time intervals are reached. In manysystemssystems, the reading of this data doesn't grant the attacker information that can beexploited,exploited; it is generally just information regarding theairplane states,states of the airplane, controller pilot communication, meteorologicalinformationinformation, etc. At the same time, being able to modify this data would allow an attacker to either put aircraft in the wrong flight trajectory ortoprovide false information to ground control that might delayflights andflights, damagepropertiesproperty, or harm life. Sending data that is not encrypted but isauthenticated,authenticated allows the data to be protected against any tampering threats. Data authenticity is sufficient for the air traffic,weatherweather, and surveillance informationexchangeexchanges between airplanes and the ground systems. </t> <t> The above use cases describe the requirements where confidentiality is not needed and/or interferes with other requirements. Some of these use cases are based on devices that come with a small runtime memory footprint and reduced processingpower thereforepower; therefore, the need to minimize the number of cryptographic algorithms used is a priority. Despite this, it is noted that memory, performance, and processing power implications of any given algorithm or set of algorithmsisare highly dependent on hardware and software architecture. Therefore, although these cipher suites may provide performance benefits, they will not necessarily provide these benefits in all cases on all platforms. Furthermore, in some usecases third partycases, third-party inspection of data is specifically needed, which is also supported through the lack of confidentiality mechanisms. </t> </section> <sectiontitle="Cryptographicnumbered="true" toc="default"> <name>Cryptographic Negotiation UsingIntegrity onlyIntegrity-Only CipherSuites">Suites</name> <t>The cryptographic negotiation as specified in <xreftarget="RFC8446"/> Section 4.1.1target="RFC8446" sectionFormat="comma" section="4.1.1"/> remains the same, with the inclusion of the following cipher suites: </t><!-- <t>This document defines the following cipher suites for use in TLS 1.3: </t> --> <t> <list style='hanging'> <t hangText='TLS_SHA256_SHA256'> {0xC0, 0xB4}</t> <t hangText='TLS_SHA384_SHA384'> {0xC0, 0xB5}</t> </list> </t><ul empty="true" indent="3"> <li>TLS_SHA256_SHA256 {0xC0,0xB4}</li> <li>TLS_SHA384_SHA384 {0xC0,0xB5}</li> </ul> <t> As defined in <xreftarget="RFC8446"/>,target="RFC8446" format="default"/>, TLS 1.3 cipher suites denote theAEADAuthenticated Encryption with Associated Data (AEAD) algorithm for record protection and the hash algorithm to use with theHKDF. TheseHMAC-based Key Derivation Function (HKDF). The cipher suites provided by this document are defined in a similar way, butusingthey use the HMAC authentication tag to model the AEAD interface, as only an HMAC is provided for record protection (without encryption). These cipher suites allow the use of SHA-256 or SHA-384 as theHashed Message Authentication Code (HMAC)HMAC for data integrity protection as well as its use forHMAC-based Key Derivation Function (HKDF).the HKDF. The authentication mechanisms remain unchanged with the intent to only update the cipher suites to relax the need for confidentiality.</t> <t> Given that these cipher suites do not support confidentiality, theyMUST NOT<bcp14>MUST NOT</bcp14> be used with authentication and key exchange methods that rely on confidentiality. </t> </section> <sectiontitle="Recordnumbered="true" toc="default"> <name>Record Payload Protection forIntegrity onlyIntegrity-Only CipherSuites"> <t> The recordSuites</name> <t>Record payload protection as defined in <xreftarget="RFC8446"/>target="RFC8446" format="default"/> is retained in modified form whenintegrity onlyintegrity-only cipher suites are used. Note that due to the purposeful use of hash algorithms, instead of AEAD algorithms,theconfidentiality protection of the record payload is not provided. This section describes the mapping of record payload structures whenintegrity onlyintegrity-only cipher suites are employed. </t> <t> Given that there is no encryption to be done at the record layer, the operations "Protect" and "Unprotect" take the place of "AEAD-Encrypt" and"AEAD-Decrypt", respectively, as referenced in"AEAD-Decrypt" <xreftarget="RFC8446"/> </t>target="RFC8446" format="default"/>, respectively.</t> <t> As integrity protection is provided over the full record, the encrypted_record in the TLSCiphertext along with the additional_data input to protected_data (termed AEADEncrypted data in <xreftarget="RFC8446"/>)target="RFC8446" format="default"/>) as defined inSection 5.2 of<xreftarget="RFC8446"/>target="RFC8446" sectionFormat="of" section="5.2"/> remain the same. The TLSCiphertext.length for the integrity cipher suites will be: </t><t> <list style='hanging'> <t hangText='TLS_SHA256_SHA256:'><artwork name="" type="ascii-art" align="left" alt=""><![CDATA[ TLS_SHA256_SHA256: TLSCiphertext.length =TLSPlaintext.length + 1 (type field) + length_of_padding + 32 (HMAC) =TLSInnerPlaintext_length + 32(HMAC) </t> <t hangText='TLS_SHA384_SHA384:'>TLS_SHA384_SHA384: TLSCiphertext.length =TLSPlaintext.length + 1 (type field) + length_of_padding + 48 (HMAC) =TLSInnerPlaintext_length + 48(HMAC) </t> </list> </t>]]></artwork> <t> Note that TLSInnerPlaintext_length is not defined as an explicit field in <xreftarget="RFC8446"/>;target="RFC8446" format="default"/>; this refers to the length of the encodedTLSInnterPlaintext structure </t>TLSInnerPlaintext structure.</t> <t> The resulting protected_record is the concatenation of the TLSInnerPlaintext with the resulting HMAC. Note that this is analogous to the "encrypted_record"ofas defined in <xreftarget="RFC8446"/>,target="RFC8446" format="default"/>, although it is referred to as a "protected_record" because of the lack of confidentiality via encryption. With this mapping, the record validation order as defined inSection 5.2 of<xreftarget="RFC8446"/>target="RFC8446" sectionFormat="of" section="5.2"/> remains the same. That is, the encrypted_record field of TLSCiphertext is set to: </t><t><artwork name="" type="ascii-art" align="left" alt=""><![CDATA[ encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext || HMAC(write_key, nonce || additional_data || TLSInnerPlaintext)</t> <t> Here]]></artwork> <t>Here, "nonce" refers to the per-record nonce described insection 5.3 of<xreftarget="RFC8446"/>.</t>target="RFC8446" sectionFormat="of" section="5.3"/>.</t> <t> For DTLS 1.3, the DTLSCiphertext is set to:</t><t><artwork name="" type="ascii-art" align="left" alt=""><![CDATA[ encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext || HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext)</t>]]></artwork> <t> The DTLS "nonce" refers to the per-record nonce described insection 4.2.2 of<xreftarget="DTLS13"/>.</t>target="RFC9147" sectionFormat="of" section="4.2.2"/>.</t> <t> The Protect and Unprotect operations provide the integrity protection using HMAC SHA-256 or HMAC SHA-384 as described in <xreftarget="RFC6234"/>.</t>target="RFC6234" format="default"/>.</t> <t> Due to the lack of encryption of the plaintext, record padding does not provide any obfuscation as to the plaintext size, although it can be optionally included.</t> </section> <sectiontitle="Keynumbered="true" toc="default"> <name>Key Schedule whenusing Integrity onlyUsing Integrity-Only CipherSuites">Suites</name> <t> The key derivation process forIntegrity only Cipher Suitesintegrity-only cipher suites remains the same as that defined in <xreftarget="RFC8446"/>.target="RFC8446" format="default"/>. The only difference is that the keys used to protect the tunnel apply to the negotiated HMAC SHA-256 or HMAC SHA-384 ciphers. Note that the traffic key material (client_write_key, client_write_iv,server_write_keyserver_write_key, and server_write_iv)MUST<bcp14>MUST</bcp14> be calculated as perRFC 8446, section 7.3.<xref target="RFC8446" sectionFormat="comma" section="7.3"/>. The key lengths andIVsInitialization Vectors (IVs) for these cipher suites are according to the hash output lengths. In other words, the following key lengths and IV lengthsSHALL<bcp14>SHALL</bcp14> be: </t><texttable> <ttcol align='left'>Cipher Suite</ttcol> <ttcol align='left'>Key Length</ttcol> <ttcol align='left'>IV Length</ttcol> <c>TLS_SHA256_SHA256</c> <c>32 Bytes</c> <c>32 Bytes</c> <c>TLS_SHA384_SHA384</c> <c>48 Bytes</c> <c>48 Bytes</c> </texttable><table align="center"> <thead> <tr> <th align="left">Cipher Suite</th> <th align="left">Key Length</th> <th align="left">IV Length</th> </tr> </thead> <tbody> <tr> <td align="left">TLS_SHA256_SHA256</td> <td align="left">32 Bytes</td> <td align="left">32 Bytes</td> </tr> <tr> <td align="left">TLS_SHA384_SHA384</td> <td align="left">48 Bytes</td> <td align="left">48 Bytes</td> </tr> </tbody> </table> </section> <sectiontitle="Error Alerts">numbered="true" toc="default"> <name>Error Alerts</name> <t>The error alerts as defined by <xreftarget="RFC8446"/> remainstarget="RFC8446" format="default"/> remain thesame,same; in particular: </t><t> bad_record_mac: This<dl newline="false" spacing="normal"> <dt>bad_record_mac:</dt><dd>This alert can also occur for a record whose message authentication codecan notcannot be validated. Since these cipher suites do not involve recordencryptionencryption, this alert will only occur when the HMAC fails toverify. </t> <t> decrypt_error: This alertverify.</dd> <dt>decrypt_error:</dt><dd>This alert, as described in <xreftarget="RFC8446"/> Section 6.2target="RFC8446" sectionFormat="comma" section="6.2"/>, occurs when the signature or message authentication codecan notcannot be validated. Note that this error is only sent during the handshake, not for an error in validating recordHMACs. </t>HMACs.</dd> </dl> </section> <section anchor="IANA"title="IANA Considerations"> <t> IANAnumbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA hasgranted registrationregistered the followingspecifically for this document within the TLS Cipher Suites Registry:</t> <t> TLS_SHA256_SHA256 {0xC0, 0xB4} cipher suite and TLS_SHA384_SHA384 {0xC0, 0xB5} cipher suite. </t> <t> Note that both of theseciphersuites are registered with the DTLS-OK column set to Y and the Recommended column set to N </t> <t>No further IANA action is requestedsuites, defined by thisdocument. </t>document, in the "TLS Cipher Suites" registry:</t> <table anchor="iana_table"> <thead> <tr> <th>Value</th> <th>Description</th> <th>DTLS-OK</th> <th>Recommended</th> </tr> </thead> <tbody> <tr> <td>0xC0,0xB4</td> <td>TLS_SHA256_SHA256</td> <td>Y</td> <td>N</td> </tr> <tr> <td>0xC0,0xB5</td> <td>TLS_SHA384_SHA384</td> <td>Y</td> <td>N</td> </tr> </tbody> </table> </section> <section anchor="Security"title="Securitynumbered="true" toc="default"> <name>Security and PrivacyConsiderations">Considerations</name> <t>In general, except for confidentiality and privacy, the security considerations detailed in <xreftarget="RFC8446"/>target="RFC8446" format="default"/> andin<xreftarget="RFC5246"/>target="RFC5246" format="default"/> apply to this document. Furthermore, as the cipher suites described in this document do not provide any confidentiality, it is important that they only be used in cases where there are no confidentiality or privacy requirements and concerns;andthe runtime memory requirements can accommodate support for authenticity-only cryptographic constructs.</t> <t>With the lack of data encryption specified in this specification, no confidentiality or privacy is provided for the data transported via the TLS session. That is, the record layer is not encrypted when using these ciphersuite, and the handshake alsosuites, nor isnot encrypted.the handshake. To highlight the loss of privacy, the information carried in the TLS handshake, which includes both theServerserver andClientclient certificates, while integrity protected, will be sent unencrypted. Similarly, other TLS extensions that may be carried in theServer'sserver's EncryptedExtensions message will only be integrity protected without provisions for confidentiality. Furthermore, with this lack of confidentiality, any privatePSKPre-Shared Key (PSK) dataMUST NOT<bcp14>MUST NOT</bcp14> be sent in the handshake while using these cipher suites. However, as PSKs may be loaded externally, these cipher suites can be used with the 0-RTT handshake defined in <xreftarget="RFC8446"/>,target="RFC8446" format="default"/>, with the same security implications discussedtheretherein applied. </t> <t>Application protocolswhichthat build on TLS or DTLS for protection(e.g.(e.g., HTTP) may have implicit assumptions of data confidentiality. Any assumption of data confidentiality is invalidated by the use of these cipher suites, as no data confidentiality is provided. This applies to any data sent over the application-data channel(e.g.(e.g., bearer tokens in HTTP), as data requiring confidentialityMUST NOT<bcp14>MUST NOT</bcp14> be sent using these cipher suites.</t> <t> Limits on key usage for AEAD-based ciphers are described in <xreftarget="RFC8446"/>.target="RFC8446" format="default"/>. However, as the cipher suites discussed here are not AEAD, those same limits do not apply. The general security properties of HMACs discussed in <xreftarget="RFC2104"/>target="RFC2104" format="default"/> and <xreftarget="BCK1"/>target="BCK1" format="default"/> apply. Additionally, security considerations on the algorithm's strength based on the HMAC key length andtrunctiontruncation length further described in <xreftarget="RFC4868"/>target="RFC4868" format="default"/> also apply. Until further cryptanalysisdemonstratedemonstrates limitations on key usage for HMACs, general practice for key usage recommends that implementations place limits on the lifetime of the HMAC keys and invoke a key update as described in <xreftarget="RFC8446"/>target="RFC8446" format="default"/> prior to reaching this limit. </t> <t>DTLS 1.3 defines a mechanism for encrypting the DTLS record sequence numbers. However, as these cipher suites do not utilize encryption, the record sequence numbers are sent unencrypted. That is, the procedure for DTLS record sequence number protection is to apply no protection for these cipher suites. </t> <t>Given the lack of confidentiality, these cipher suitesMUST NOT<bcp14>MUST NOT</bcp14> be enabled by default. As these cipher suites are meant to serve the IoT market, it is important that any IoT endpoint that uses them be explicitly configured with a policy of non-confidential communications. </t> </section> </middle> <back> <displayreference target="RFC9147" to="DTLS13"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4868.xml"/> <!-- draft-ietf-tls-dtls13-43 (citation string is "DTLS13") --> <reference anchor='RFC9147' target="https://www.rfc-editor.org/info/rfc9147"> <front> <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title> <author initials='E' surname='Rescorla' fullname='Eric Rescorla'> <organization /> </author> <author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'> <organization /> </author> <author initials='N' surname='Modadugu' fullname='Nagendra Modadugu'> <organization /> </author> <date year='2022' month='January' /> </front> <seriesInfo name="RFC" value="9147"/> <seriesInfo name="DOI" value="10.17487/RFC9147"/> </reference> <reference anchor="BCK1" target="https://link.springer.com/chapter/10.1007/3-540-68697-5_1"> <front> <title>Keying Hash Functions for Message Authentication</title> <author initials="M." surname="Bellare"> <organization/> </author> <author initials="R." surname="Canetti"> <organization/> </author> <author initials="H." surname="Krawczyk"> <organization/> </author> <date year="1996"/> </front> <seriesInfo name="DOI" value="10.1007/3-540-68697-5_1"/> </reference> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"/> </references> </references> <section anchor="Acknowledgements"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>The authors would like to acknowledge the work done by Industrial Communications Standards Groups (such as ODVA) as the motivation for this document. We would also like to thankSteffen Fries<contact fullname="Steffen Fries"/> for providing a fourth use case andMadhu Niraula<contact fullname="Madhu Niraula"/> for a fifth use case. In addition, we are grateful for the advice and feedback fromJoe Salowey, Blake Anderson, David McGrew, Clement Zeller, and Peter Wu.</t><contact fullname="Joe Salowey"/>, <contact fullname="Blake Anderson"/>, <contact fullname="David McGrew"/>, <contact fullname="Clement Zeller"/>, and <contact fullname="Peter Wu"/>.</t> </section></middle> <back> <references title="Normative References"> &RFC2104; &RFC2119; &RFC6234; &RFC8174; &RFC8446; &RFC4868; <reference anchor="DTLS13"> <front> <title>https://tools.ietf.org/id/draft-ietf-tls-dtls13-38.txt</title> <author> <organization>IETF Internet Drafts editor</organization> </author> <date year=""></date> </front> </reference> <reference anchor="BCK1" target="https://cseweb.ucsd.edu/~mihir/papers/kmd5.pdf"> <front> <title>Keyed Hash Functions and Message Authentication</title> <author initials="M." surname="Bellare"> <organization/> </author> <author initials="R." surname="Canetti"> <organization/> </author> <author initials="H." surname="Krawczyk"> <organization/> </author> <date year=""></date> </front> </reference> </references> <references title="Informative Reference"> &RFC5246; </references></back> </rfc>