Sunday, September 20, 2015

What Is Tcpcrypt?

Tcpcrypt is a transport layer communication encryption protocol. Unlike SSL or TLS, it is implemented as a TCP extension. And it can be used with any other authentication mechanism like passwords or certificates.

Tcpcrypt provides an opportunistic encryption. Both the parties in communication must support this extension. If either of the party fails to do that, the protocol will fall back to normal unencrypted TCP connection.

Unlike TLS, tcpcrypt does not do any authentication by itself. But it passes a unique session Id to the application, which can be further used for authentication. With tcpcrypt any authentication mechanism including passwords can be used.

How is tcpcrypt different from SSL/TLS?

Tcpcrypt enforces TCP timestamps and adds its own options to TCP packets. It adds 36 bytes per packet to normal TCP packets. This addition of data has an overhead, but if the internet connection is faster than 64 kbps, the additional data overhead does not make significant difference.

Compared to SSL/TLS, tcpcrypt has lower performance impact. In tcpcrypt, cryptographic primitives are used in such a way that it reduces the load in the server side. A single server serves multiple clients, so the performance improvement becomes much significant.

Where is tcpcrypt implemented?

Currently its userspace implementation is considered experimental. But once tcpcrypt becomes a standard, Operating Systems are expected to have built-in tcpcrypt support, making the userspace implementation unnecessary.

The first draft of tcpcrypt was published in 2010, and it is still in experimental phase. Hope it will become a widely used standard soon!

No comments:

Post a Comment