Internet Draft December 1996 (Expires June 1997) M. Sabin, Consultant R. Monsour, Hi/fn Inc. C. Allen, Consensus Development LZS Compression Transform for TLS Protocol Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Abstract This memo proposes a compression method for the TLS protocol based on the LZS compression algorithm. The method can be used to compress the contents of a TLS record. The compression method proposed here is stateless, meaning that a record can be decompressed independently of any other record. Compression is performed prior to the encryption operation, which has the side benefit of reducing the amount of data that must be encrypted. Acknowledgments The LZS details presented here are similar to those in "PPP Stac LZS Compression Protocol," by R. Friend and W. A. Simpson [RFC-1974]. Table of Contents 1. Introduction 2. Format of Compressed Fragment Sabin, et al [Page 1] INTERNET DRAFT LZS Compression for TLS December 1996 3. Compression Procedure 4. Decompression Procedure 5. Security Considerations 6. References 7. Author's Addresses 8. Appendix: Compression Efficiency versus Fragment Size 1. Introduction Encrypted data is random in nature and not compressible. When the TLS protocol [TLS] transmits encrypted records, compression methods used at lower protocol layers -- e.g., PPP compression [RFC-1962] -- no longer work. If both compression and encryption are desired, compression must be performed first. Accordingly, the TLS protocol provides a mechanism for including compression prior to encryption. A side benefit of compressing the data first is that the amount of data which must be encrypted is reduced. In some implementations, compression is done in hardware and encryption is done in software, and this can represent a significant reduction in software overhead. This memo proposes a compression method for the TLS protocol based on the LZS compression algorithm. The method is stateless, meaning that the contents of a TLS record can be decompressed independently of any other record. 1.1 Background of LZS Compression The LZS algorithm is a lossless compression method that uses a sliding window of 2,048 bytes. During compression, redundant sequences of data are replaced with tokens that represent those sequences. During decompression, the original sequences are substituted for the tokens, in such a way that the original data is exactly recovered. LZS differs from lossy schemes, such as those often used for video compression, that do not exactly reproduce the original data. Details of LZS formatting can be found in [ANSI94]. The efficiency of the LZS algorithm depends on the degree of redundancy in the original data. A typical compression ratio is 2:1. LZS achieves a compression ratio of 2.34:1 on the University of Calgary Text Compression Corpus [Calgary]. 1.2 Licensing Hi/fn Inc. holds patents on the LZS algorithm. Source and object code licenses for LZS are available on a non-discriminatory basis. Sabin, et al [Page 2] INTERNET DRAFT LZS Compression for TLS December 1996 Hardware implementations are also available. For more information, contact Hi/fn at the address listed with the authors' addresses. 1.3 Requirements Terminology In this document, the words that are used to define the significance of each particular requirement are usually capitalized. These words are: - MUST: This word, or the adjective "REQUIRED," means that the item is an absolute requirement of the specification. - SHOULD: This word, or the adjective "RECOMMENDED," means that there might exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before taking a different course. - MAY: This word, or the adjective "OPTIONAL," means that the item is truly optional. One vendor might choose to include the item because of a particular marketplace requirement or because it enhances the product, while another vendor might omit the item. 2. Format of Compressed Fragment The input to the compression function is a TLSPlaintext.fragment. The output of the function is a TLSCompressed.fragment. The format of the TLSCompressed.fragment is as follows: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CC | | +-+-+-+-+-+-+-+-+ | | | | Fragment Data (compressed or uncompressed) | | | | +-+-+-+-+-+-+-+-| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2.1 Compression Control The Compression Control (CC) field is a single, bit-mapped byte. The bits are numbered 7 (most significant) to 0 (least significant). The following bits are defined: Sabin, et al [Page 3] INTERNET DRAFT LZS Compression for TLS December 1996 - COMPRESSED (bit 7) This bit is set to 1 to indicate the fragment is compressed. It is cleared to 0 to indicate the fragment is not compressed. - HIST_RESET (bit 6) This bit is set to 1 to indicate that the compression history was reset prior to processing this fragment. It is cleared to 0 to indicate the compression history was not reset. In order to make the compression function stateless between records, the sender MUST reset the compression history prior to processing each fragment. Thus, the HIST_RESET bit MUST be set to 1 in every fragment. (The HIST_RESET bit is defined here for upwards compatibility with future methods that may allow statefulness.) The sender MUST flush the compressor at the end of each compressed fragment. Flushing means that all data going into the compressor is included in the output, i.e., no data is held back in the hope of achieving better compression. Flushing is necessary to prevent a record's data from spilling over into a later record. 2.2 Fragment Data The Fragment Data field contains the data of TLSPlaintext.fragment, in either compressed or uncompressed form. The value of the COMPRESSED bit of the CC field is set accordingly. The Fragment Data field is an integral number of bytes in length. 3. Compression Procedure The compression procedure consists of the following steps: i) The sender resets the compression history and sets the HIST_RESET bit of the CC field to 1. ii) The sender decides whether or not to compress the fragment. - If the sender chooses to compress the fragment, the LZS algorithm is applied. The resulting compressed data is formatted according to [ANSI94]. The COMPRESSED bit of the CC field is set to 1. Sabin, et al [Page 4] INTERNET DRAFT LZS Compression for TLS December 1996 - If the sender chooses not to compress the fragment, the COMPRESSED bit of the CC field is set to 0. iii) The CC field and Fragment Data field are concatenated. An implementation SHOULD monitor the results of the fragment compression operation and reject the operation if it results in expansion. In such a case, the uncompressed fragment SHOULD be transmitted with the COMPRESSED bit set to 1. 4. Decompression Procedure The decompression procedure consists of the following steps: i) The receiver checks the HIST_RESET bit of the CC field. If HIST_RESET = 1, the decompression history is reset. If HIST_RESET = 0, a TLS error alert of type "decompression_failure" is declared. ii) The receiver checks the COMPRESSED bit of the CC field. If COMPRESSED = 1, the LZS decompression algorithm is applied to the fragment data. If COMPRESSED = 0, decompression is not applied. iii) The CC field is removed, leaving only the Fragment Data field. 5. Security Considerations Security issues are not discussed in this memo. 6. References [ANSI94] American National Standards Institute, Inc., "Data Compression Method for Information Systems," ANSI X3.241-1994, August 1994. [Calgary] Text Compression Corpus, University of Calgary, available at ftp://ftp.cpsc.ucalgary.ca/pub/projects/text.compression.corpus. [RFC-1962] D. Rand, "The PPP Compression Control Protocol (CCP)," RFC-1962, June 1996. [RFC-1974] R. Friend and W. A. Simpson, "PPP Stac LZS Compression Protocol," RFC-1974, August 1996. [TLS] A. Frier, P. Karlton, P. Kocher, and T. Dierks, "The TLS Protocol Version 1.0," work in progress, available at Sabin, et al [Page 5] INTERNET DRAFT LZS Compression for TLS December 1996 ftp://ds.internic.net/draft-ietf-tls-protocol.00.txt, November 1996. 7. Authors' Addresses Michael Sabin 883 Mango Avenue Sunnyvale, CA 94087 Email: mike.sabin@worldnet.att.net Robert Monsour Hi/fn Inc. 12636 High Bluff Drive San Diego, CA 92130 Email: rmonsour@earthlink.net Christopher Allen Consensus Development Corporation 1563 Solano Avenue #355 Berkeley, CA 94707-2116 Email: christophera@consensus.com 8. Appendix: Compression Efficiency versus Fragment Size The following table offers some guidance on the compression efficiency that can be achieved as a function of fragment size. Each entry in the table shows the compression ratio that was achieved when the proposed method was applied to a test file using fragments of a specified size. The test file was the University of Calgary Text Compression Corpus [Calgary]. The length of the file prior to compression was 3,278,000 bytes. When the entire file was compressed as a single fragment, a compression ratio of 2.34 resulted. Fragment size,| 64 128 256 512 1024 2048 4096 8192 16384 bytes | --------------|---------------------------------------------------- Compression |1.18 1.28 1.43 1.58 1.74 1.91 2.04 2.11 2.14 ratio | Sabin, et al [Page 6]