Tcpcrypt
Encyclopedia
In computer networking, tcpcrypt is a transport layer
communication encryption
protocol. Unlike prior protocols like TLS
(SSL), tcpcrypt is implemented as a TCP
extension. It was designed by a team of six security and networking experts: Andrea Bittau, Mike Hamburg, Mark Handley
, David Mazières, Dan Boneh
and Quinn Slack. Tcpcrypt has been published as an Internet Draft. Experimental user-space implementations are available for Linux, Mac OS X, FreeBSD and Windows. There is also a Linux kernel
implementation.
— if either side does not support this extension, then the protocol falls back to regular unencrypted TCP. Tcpcrypt also provides encryption to any application using TCP, even ones that do not know about encryption. This enables incremental and seamless deployment.
Unlike TLS, tcpcrypt itself does not do any authentication
, but passes a unique "session ID" down to the application; the application can then use this token for further authentication. This means that any authentication scheme can be used, including passwords or certificates
. It also does a larger part of the public-key connection initiation on the client side, to reduce load on servers and mitigate DoS attacks.
Tcpcrypt is still an experimental technology. The Microsoft Windows (Vista and Windows 7) versions (~1.0.0) are still known to be unstable.
Transport layer
In computer networking, the transport layer or layer 4 provides end-to-end communication services for applications within a layered architecture of network components and protocols...
communication encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
protocol. Unlike prior protocols like TLS
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
(SSL), tcpcrypt is implemented as a TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
extension. It was designed by a team of six security and networking experts: Andrea Bittau, Mike Hamburg, Mark Handley
Mark Handley (computer scientist)
Mark Handley is Professor of Networked Systems in the Department of Computer Science of University College London since 2003, where he leads the Networks Research Group...
, David Mazières, Dan Boneh
Dan Boneh
Dan Boneh is a Professor of Computer Science and Electrical Engineering atStanford University. He is a well-known researcher in the areas of applied cryptographyand computer security.-Education:...
and Quinn Slack. Tcpcrypt has been published as an Internet Draft. Experimental user-space implementations are available for Linux, Mac OS X, FreeBSD and Windows. There is also a Linux kernel
Linux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
implementation.
Description
Tcpcrypt provides opportunistic encryptionOpportunistic encryption
Opportunistic Encryption refers to any system that, when connecting to another system, attempts to encrypt the communications channel otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.Opportunistic encryption can be used to...
— if either side does not support this extension, then the protocol falls back to regular unencrypted TCP. Tcpcrypt also provides encryption to any application using TCP, even ones that do not know about encryption. This enables incremental and seamless deployment.
Unlike TLS, tcpcrypt itself does not do any authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
, but passes a unique "session ID" down to the application; the application can then use this token for further authentication. This means that any authentication scheme can be used, including passwords or certificates
Public key certificate
In cryptography, a public key certificate is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth...
. It also does a larger part of the public-key connection initiation on the client side, to reduce load on servers and mitigate DoS attacks.
Disadvantages
Tcpcrypt enforces TCP timestamps and adds its own TCP options to each data packet, amounting to 36 bytes per packet. With a mean observed packet size for TCP packets of 471 bytes, this can lead to an overhead of 8% of useful bandwidth.Tcpcrypt is still an experimental technology. The Microsoft Windows (Vista and Windows 7) versions (~1.0.0) are still known to be unstable.
See also
- Transport Layer SecurityTransport Layer SecurityTransport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
(TLS, also known as SSL) - IPsecIPsecInternet Protocol Security is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session...
- Obfuscated TCPObfuscated TCPObfuscated TCP was a proposal for a transport layer protocol which implements opportunistic encryption over TCP. It was designed to prevent mass wiretapping and malicious corruption of TCP traffic on the internet, with lower implementation cost and complexity than TLS...
(an earlier failed proposal for opportunistic TCP encryption)