You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-denis-ipcrypt.md
+48-48Lines changed: 48 additions & 48 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -153,23 +153,23 @@ This work directly addresses concerns raised in {{!RFC7624}} regarding confident
153
153
154
154
Organizations handling IP addresses face a critical dilemma: they must protect user privacy while maintaining operational capabilities. Generic encryption systems, though secure, are poorly suited for IP addresses - they expand data unpredictably, break compatibility with network tools, and operate too slowly for high-volume processing. The specialized methods in this specification resolve these conflicts through purpose-built cryptographic techniques:
155
155
156
-
- **Efficiency and Compactness:** All variants operate on exactly 128 bits, achieving single-block encryption speed critical for network-rate processing. Non-deterministic variants add only 8-16 bytes of tweak overhead versus potentially hundreds of bytes with generic encryption. This difference enables processing billions of addresses in real-time rather than requiring expensive batch operations.
156
+
- Efficiency and Compactness: All variants operate on exactly 128 bits, achieving single-block encryption speed critical for network-rate processing. Non-deterministic variants add only 8-16 bytes of tweak overhead versus potentially hundreds of bytes with generic encryption. This difference enables processing billions of addresses in real-time rather than requiring expensive batch operations.
157
157
158
-
- **High Usage Limits:** Non-deterministic variants safely handle massive volumes - approximately 4 billion operations for `ipcrypt-nd` and 18 quintillion for `ipcrypt-ndx` per key - without degrading security. Generic encryption often requires complex key rotation schemes at much lower thresholds.
158
+
- High Usage Limits: Non-deterministic variants safely handle massive volumes - approximately 4 billion operations for `ipcrypt-nd` and 18 quintillion for `ipcrypt-ndx` per key - without degrading security. Generic encryption often requires complex key rotation schemes at much lower thresholds.
159
159
160
-
- **Format Preservation (Deterministic):** The `ipcrypt-deterministic` variant produces valid IP addresses, not arbitrary ciphertext. This enables encrypted addresses to flow through existing network infrastructure, monitoring tools, and databases without modification (see {{format-preservation-and-limitations}}).
160
+
- Format Preservation (Deterministic): The `ipcrypt-deterministic` variant produces valid IP addresses, not arbitrary ciphertext. This enables encrypted addresses to flow through existing network infrastructure, monitoring tools, and databases without modification (see {{format-preservation-and-limitations}}).
161
161
162
-
- **Interoperability:** This specification ensures that encrypted IP addresses can be exchanged between different systems, vendors, and programming languages. All conforming implementations produce identical results, enabling seamless data exchange and avoiding vendor lock-in.
162
+
- Interoperability: This specification ensures that encrypted IP addresses can be exchanged between different systems, vendors, and programming languages. All conforming implementations produce identical results, enabling seamless data exchange and avoiding vendor lock-in.
163
163
164
164
These specialized encryption methods unlock several critical use cases:
165
165
166
-
- **Privacy Protection:** They prevent the exposure of sensitive user information to third parties in logs, analytics data, and network measurements ({{!RFC6973}}). Note that protection is specifically against parties without key access; the key holder retains full decryption capability.
166
+
- Privacy Protection: They prevent the exposure of sensitive user information to third parties in logs, analytics data, and network measurements ({{!RFC6973}}). Note that protection is specifically against parties without key access; the key holder retains full decryption capability.
167
167
168
-
- **Correlation Attack Resistance:** While deterministic encryption can reveal repeated inputs, the non-deterministic variants leverage random tweaks to hide patterns and enhance confidentiality (see {{non-deterministic-encryption}}).
168
+
- Correlation Attack Resistance: While deterministic encryption can reveal repeated inputs, the non-deterministic variants leverage random tweaks to hide patterns and enhance confidentiality (see {{non-deterministic-encryption}}).
169
169
170
-
- **Privacy-Preserving Analytics:** Encrypted IP addresses can be used directly for operations such as counting unique clients, rate limiting, or deduplication—without needing to reveal the original values to third-party processors. This approach addresses the anonymization requirements for DNS query data sharing outlined in {{RSSAC040}}, enabling research while protecting source IP privacy. Since network hierarchy and geographic relationships are not preserved by encryption, organizations requiring such metadata SHOULD extract and store it separately (e.g., country, ASN) rather than relying on the flawed practice of IP address truncation, which provides inconsistent privacy protection and irreversibly destroys information.
170
+
- Privacy-Preserving Analytics: Encrypted IP addresses can be used directly for operations such as counting unique clients, rate limiting, or deduplication—without needing to reveal the original values to third-party processors. This approach addresses the anonymization requirements for DNS query data sharing outlined in {{RSSAC040}}, enabling research while protecting source IP privacy. Since network hierarchy and geographic relationships are not preserved by encryption, organizations requiring such metadata SHOULD extract and store it separately (e.g., country, ASN) rather than relying on the flawed practice of IP address truncation, which provides inconsistent privacy protection and irreversibly destroys information.
171
171
172
-
- **Seamless Third-Party Integration:** Encrypted IPs can act as privacy-preserving identifiers when interacting with untrusted services, cloud providers, or external platforms.
172
+
- Seamless Third-Party Integration: Encrypted IPs can act as privacy-preserving identifiers when interacting with untrusted services, cloud providers, or external platforms.
173
173
174
174
For implementation guidelines and practical examples, see {{implementation-details}}.
175
175
@@ -187,12 +187,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
187
187
188
188
Throughout this document, the following terms and conventions apply:
189
189
190
-
- **IP Address:** An IPv4 or IPv6 address as defined in {{!RFC4291}}.
191
-
- **16-Byte Representation:** A fixed-length representation used for both IPv4 (via IPv4-mapped IPv6) and IPv6 addresses.
192
-
- **Tweak:** A non-secret, additional input to a tweakable block cipher that further randomizes the output.
193
-
- **Deterministic Encryption:** Encryption that always produces the same ciphertext for a given input and key.
194
-
- **Non-Deterministic Encryption:** Encryption that produces different ciphertexts for the same input due to the inclusion of a randomly sampled tweak.
195
-
- **(Input, Tweak) Collision:** A scenario where the same input is encrypted with the same tweak. This reveals that the input was repeated but not the input's value.
190
+
- IP Address: An IPv4 or IPv6 address as defined in {{!RFC4291}}.
191
+
- 16-Byte Representation: A fixed-length representation used for both IPv4 (via IPv4-mapped IPv6) and IPv6 addresses.
192
+
- Tweak: A non-secret, additional input to a tweakable block cipher that further randomizes the output.
193
+
- Deterministic Encryption: Encryption that always produces the same ciphertext for a given input and key.
194
+
- Non-Deterministic Encryption: Encryption that produces different ciphertexts for the same input due to the inclusion of a randomly sampled tweak.
195
+
- (Input, Tweak) Collision: A scenario where the same input is encrypted with the same tweak. This reveals that the input was repeated but not the input's value.
196
196
197
197
# IP Address Conversion
198
198
@@ -234,23 +234,23 @@ The conversion algorithm is as follows:
234
234
235
235
This specification defines two generic cryptographic constructions:
236
236
237
-
1. **128-bit Block Cipher Construction:**
237
+
1. 128-bit Block Cipher Construction:
238
238
- Used in deterministic encryption (see {{deterministic-encryption}})
- Used in non-deterministic encryption (see {{non-deterministic-encryption}})
244
244
- Accepts a key, a tweak, and a message
245
245
- The tweak must be uniformly random when generated
246
246
- Reuse of the same tweak on different inputs does not compromise confidentiality
247
247
248
248
Valid options for implementing a tweakable block cipher include, but are not limited to:
249
249
250
-
- **SKINNY** (see {{SKINNY}})
251
-
- **DEOXYS-BC** (see {{DEOXYS-BC}})
252
-
- **KIASU-BC** (see {{implementing-kiasu-bc}} for implementation details)
253
-
- **AES-XTS** (see {{ipcrypt-ndx}} for usage)
250
+
- SKINNY (see {{SKINNY}})
251
+
- DEOXYS-BC (see {{DEOXYS-BC}})
252
+
- KIASU-BC (see {{implementing-kiasu-bc}} for implementation details)
253
+
- AES-XTS (see {{ipcrypt-ndx}} for usage)
254
254
255
255
Implementers MUST choose a cipher that meets the required security properties and provides robust resistance against related-tweak and other cryptographic attacks.
256
256
@@ -383,8 +383,8 @@ The output of non-deterministic encryption is binary data. For applications that
383
383
384
384
This document defines two concrete instantiations:
385
385
386
-
- **`ipcrypt-nd`:** Uses the KIASU-BC tweakable block cipher with an 8-byte (64-bit) tweak. See {{KIASU-BC}} for details.
387
-
- **`ipcrypt-ndx`:** Uses the AES-XTS tweakable block cipher with a 16-byte (128-bit) tweak. See {{XTS-AES}} for background.
386
+
- `ipcrypt-nd`: Uses the KIASU-BC tweakable block cipher with an 8-byte (64-bit) tweak. See {{KIASU-BC}} for details.
387
+
- `ipcrypt-ndx`: Uses the AES-XTS tweakable block cipher with a 16-byte (128-bit) tweak. See {{XTS-AES}} for background.
388
388
389
389
In both cases, if a tweak is generated randomly, it MUST be uniformly random. Reusing the same randomly generated tweak on different inputs is acceptable from a confidentiality standpoint.
390
390
@@ -413,45 +413,45 @@ As with `ipcrypt-nd`, an `(input, tweak)` collision reveals repetition without c
413
413
414
414
Choosing the right mode depends on specific privacy requirements and operational constraints:
415
415
416
-
- **Deterministic (`ipcrypt-deterministic`):**
417
-
- **Output size:** 16 bytes (most compact)
418
-
- **Privacy:** Same IP always produces same ciphertext (allows correlation)
419
-
- **Use case:** When duplicate identification is needed or when format preservation is critical
420
-
- **Performance:** Fastest (single AES operation)
416
+
- Deterministic (`ipcrypt-deterministic`):
417
+
- Output size: 16 bytes (most compact)
418
+
- Privacy: Same IP always produces same ciphertext (allows correlation)
419
+
- Use case: When duplicate identification is needed or when format preservation is critical
- Privacy: Same IP produces different ciphertexts (prevents correlation)
431
+
- Use case: Maximum privacy protection when storage permits
432
+
- Collision resistance: Approximately 18 quintillion operations per key
433
433
434
434
## Alternatives to Random Tweaks {#alternatives-to-random-tweaks}
435
435
436
436
While this specification recommends the use of uniformly random tweaks for non-deterministic encryption, implementers may consider alternative approaches:
437
437
438
-
- **Monotonic Counter:** A counter could be used as a tweak, but this is difficult to maintain in distributed systems. If the counter is not encrypted and the tweakable block cipher is not secure against related-tweak attacks, this could enable correlation attacks.
438
+
- Monotonic Counter: A counter could be used as a tweak, but this is difficult to maintain in distributed systems. If the counter is not encrypted and the tweakable block cipher is not secure against related-tweak attacks, this could enable correlation attacks.
439
439
440
-
- **UUIDs:** UUIDs (such as UUIDv6 or UUIDv7) could be used as tweaks; however, these would reveal the original timestamp of the logged IP addresses, which may not be desirable from a privacy perspective.
440
+
- UUIDs: UUIDs (such as UUIDv6 or UUIDv7) could be used as tweaks; however, these would reveal the original timestamp of the logged IP addresses, which may not be desirable from a privacy perspective.
441
441
442
442
Although the birthday bound is a concern with random tweaks, the use of random tweaks remains the recommended and most practical approach, offering the best tradeoffs for most real-world use cases.
443
443
444
444
# Security Considerations
445
445
446
446
The methods specified in this document provide strong confidentiality guarantees but explicitly do not provide integrity protection. Understanding this distinction is critical for secure deployment:
447
447
448
-
**What these methods protect against:**
448
+
What these methods protect against:
449
449
450
450
- Unauthorized parties learning the original IP addresses (without the key)
451
451
- Statistical analysis revealing patterns in network traffic (non-deterministic modes)
452
452
- Brute-force attacks on the address space (128-bit security level)
453
453
454
-
**What these methods do NOT protect against:**
454
+
What these methods do NOT protect against:
455
455
456
456
- Active attackers modifying, reordering, or removing encrypted addresses
0 commit comments