target = "https://www.rfc-editor.org/rfc/rfc9001#section-9.4" # 9.4. Header Protection Analysis # # [NAN] analyzes authenticated encryption algorithms that provide nonce # privacy, referred to as "Hide Nonce" (HN) transforms. The general # header protection construction in this document is one of those # algorithms (HN1). Header protection is applied after the packet # protection AEAD, sampling a set of bytes ("sample") from the AEAD # output and encrypting the header field using a pseudorandom function # (PRF) as follows: # # protected_field = field XOR PRF(hp_key, sample) # # The header protection variants in this document use a pseudorandom # permutation (PRP) in place of a generic PRF. However, since all PRPs # are also PRFs [IMC], these variants do not deviate from the HN1 # construction. # # As "hp_key" is distinct from the packet protection key, it follows # that header protection achieves AE2 security as defined in [NAN] and # therefore guarantees privacy of "field", the protected packet header. # Future header protection variants based on this construction MUST use # a PRF to ensure equivalent security guarantees. # # Use of the same key and ciphertext sample more than once risks # compromising header protection. Protecting two different headers # with the same key and ciphertext sample reveals the exclusive OR of # the protected fields. Assuming that the AEAD acts as a PRF, if L # bits are sampled, the odds of two ciphertext samples being identical # approach 2^(-L/2), that is, the birthday bound. For the algorithms # described in this document, that probability is one in 2^64. # # To prevent an attacker from modifying packet headers, the header is # transitively authenticated using packet protection; the entire packet # header is part of the authenticated additional data. Protected # fields that are falsified or modified can only be detected once the # packet protection is removed. [[spec]] level = "MUST" quote = ''' Future header protection variants based on this construction MUST use a PRF to ensure equivalent security guarantees. '''