Original author(s): Andrea Bittau, Mike Hamburg, Mark Handley, David Mazières, Dan Boneh and Quinn Slack
Type: communication encryption protocol
In computer networking, tcpcrypt is a transport-layer communication encryption protocol. Unlike earlier protocols such as TLS (SSL), tcpcrypt is implemented as a TCP extension. It was designed by a team of six security and networking experts: Andrea Bittau, Mike Hamburg, Mark Handley, David Mazières, Dan Boneh and Quinn Slack. Tcpcrypt has been published as an Internet Draft. Experimental user-space implementations are available for Linux, Mac OS X, FreeBSD and Windows. There is also a Linux kernel implementation.
Tcpcrypt provides opportunistic encryption — if either side does not support this extension, then the protocol falls back to regular unencrypted TCP. Tcpcrypt also provides encryption to any application using TCP, even ones that do not know about encryption. This enables incremental and seamless deployment.
Unlike TLS, tcpcrypt itself does not perform any authentication; instead it passes a unique "session ID" down to the application, which can then use this token for further authentication. This means that any authentication scheme can be used, including passwords or certificates. Tcpcrypt also places the larger part of the public-key work of connection initiation on the client side, to reduce load on servers and mitigate DoS attacks.
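As an added illustration (not code from the page or from the tcpcrypt project), the following Python sketch shows one way an application can use the session ID that tcpcrypt hands it: a password-based login proof is computed as a MAC over the session ID, so the proof is only valid on the exact encrypted session both ends are sitting on. The session IDs, the salt, the label string and the MAC construction are all assumptions chosen for the example; a real application would read the session ID from its tcpcrypt-enabled socket rather than generate it.

```python
import hashlib
import hmac
import secrets

# Application-chosen domain-separation label (an assumption of this example).
AUTH_LABEL = b"example-app-auth-v1|"


def derive_password_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the user's password into a 32-byte key.

    The server stores this key, so it must be protected like a password hash;
    the derivation is deliberately slow (PBKDF2, 100k iterations).
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def client_auth_tag(password_key: bytes, session_id: bytes) -> bytes:
    """Client-side proof: HMAC over the tcpcrypt session ID with the password key.

    Because tcpcrypt's session ID is unique to this encrypted session, the tag
    cannot be replayed on another session, and a relay that terminates two
    separate tcpcrypt sessions ends up with a tag over the wrong session ID.
    """
    return hmac.new(password_key, AUTH_LABEL + session_id, hashlib.sha256).digest()


def server_verify(stored_key: bytes, session_id: bytes, tag: bytes) -> bool:
    """Server side: recompute over its own session ID and compare in constant time."""
    expected = hmac.new(stored_key, AUTH_LABEL + session_id, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_scenarios() -> dict:
    """Exercise the binding on three constructed situations."""
    salt = b"constructed-salt-0001"           # constructed
    password = b"correct horse battery staple"  # constructed
    stored_key = derive_password_key(password, salt)

    # Constructed session IDs standing in for the values tcpcrypt would supply.
    sid_direct = secrets.token_bytes(32)
    sid_client_side = secrets.token_bytes(32)  # session between client and a relay
    sid_server_side = secrets.token_bytes(32)  # session between the relay and server

    results = {}

    # 1. Direct session: both ends hold the same session ID, so the proof verifies.
    tag = client_auth_tag(stored_key, sid_direct)
    results["direct"] = server_verify(stored_key, sid_direct, tag)

    # 2. Interposed connection: the tag was computed over the client's session ID
    #    but the server checks it against a different one, so it is rejected.
    tag = client_auth_tag(stored_key, sid_client_side)
    results["interposed"] = server_verify(stored_key, sid_server_side, tag)

    # 3. Wrong password on the direct session: rejected.
    wrong_key = derive_password_key(b"wrong password", salt)
    tag = client_auth_tag(wrong_key, sid_direct)
    results["wrong_password"] = server_verify(stored_key, sid_direct, tag)

    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The second scenario is the point of handing the session ID to the application: tcpcrypt alone cannot tell a direct session from a relayed one, but an authentication step that covers the session ID makes the two distinguishable without tcpcrypt itself needing certificates.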
Tcpcrypt requires TCP timestamps and adds its own TCP options to each data packet, amounting to 36 bytes per packet. With a mean observed TCP packet size of 471 bytes, this can lead to an overhead of 8% of useful bandwidth. This 36-byte overhead may not be an issue for internet connections faster than 64 kbit/s, but can be an issue for dial-up internet users.
The current user-space implementations are considered experimental and are reportedly unstable on some systems. They also do not yet support IPv6, which only the Linux kernel implementation currently supports. It is expected that once tcpcrypt becomes a standard, operating systems will come with tcpcrypt support built in, making the user-space solution unnecessary.
- Andrea Bittau, et al. (2010-08-13). "The case for ubiquitous transport-level encryption". 19th USENIX Security Symposium.
- Michael Cooney (2010-07-19). "Is ubiquitous encryption technology on the horizon?". Network World.
- "tcpcrypt - About us". tcpcrypt.org.
- Bittau, A.; Boneh, D.; Hamburg, M.; Handley, M.; Mazières, D.; Slack, Q. (2012-09-03). "Cryptographic protection of TCP Streams (tcpcrypt)". IETF. I-D draft-bittau-tcp-crypt-03. https://tools.ietf.org/html/draft-bittau-tcp-crypt-03.
- Jake Edge (2010-08-25). "Transport-level encryption with Tcpcrypt". LWN.net.
- Sean McCreary and kc claffy. "Trends in Wide Area IP Traffic Patterns: A View from Ames Internet Exchange".