TLS-DPA: An Identity-Bound Security Protocol for Traditional, Overlay, and Zero-Port Transports

TLS-DPA: An Identity-Bound Security Protocol for Traditional, Overlay, and Zero-Port Transports DPA R&D Ltd (https://www.dpa-cloud.co.uk)

b.fisher@dpa-cloud.co.uk https://orcid.org/0009-0004-4412-2269

Security TLS-DPA identity-centric zero-port handshake channel binding post-quantum hybrid KEM UZP UZPIF TLS-DPA is an experimental, identity-bound security protocol inspired by the design of TLS 1.3 ( ). It is intended to operate consistently across environments where conventional IP address and port semantics are weak, unstable, or intentionally absent, including zero-port transports such as UZP ( ). TLS-DPA generalises the handshake so it is not tied to server-side listeners, binds authentication to Service Identities rather than network coordinates, reduces metadata exposure to intermediaries (including rendezvous nodes in UZP fabrics), provides a unified hybrid-KEM post-quantum transition model ( ), and supports session continuity across overlay path changes (e.g., QUIC Connection IDs; ). This document is an Internet-Draft derived from internal research material solely to enable structured technical review, interoperability discussion, and disciplined specification development under the Internet-Draft process. It is a work-in-progress research artefact and does not constitute a standard, recommendation, or finished specification. The name TLS-DPA is used to label this research protocol and avoid confusion with the IETF TLS versioning and registry space. It is not presented as a new version of the IETF TLS protocol, and no IANA allocations are requested by this draft. Where this document provides numeric guidance (for example, replay windows, resumption behaviour, or profile parameters), the intent is to offer recommended bounds suitable for experimentation; profile-based behaviour and implementation discretion are explicitly expected within stated limits. The text aims to preserve a clear separation of normative and informative material. Requirement words are used only where protocol behaviour is intentionally specified, and the draft avoids implying standards-track status or mandatory implementation. This document is intended to support early peer review and international collaboration while retaining flexibility for substantial revision, experimental implementation, and validation. No patent grants or licensing commitments are implied beyond the IETF Trust provisions applicable to Internet-Drafts.

Scope and Status This Internet-Draft specifies TLS-DPA, an experimental security protocol intended for identity-first and topology-independent deployments, including rendezvous and zero-port fabrics. The goal is to support early review and implementation experiments; substantial revision is expected. TLS-DPA is designed for environments where conventional port-listening assumptions and IP:port-based identity binding do not hold. It is not a universal replacement, is not mandated outside its target environment, and is designed for experimentation and profile-driven deployments.

Introduction TLS 1.3 ( ) defines the current baseline for transport-layer security on the Internet. However, its usage patterns remain oriented around server-side listeners bound to IP address and port tuples, and many deployments treat these network coordinates as meaningful anchors for authentication and policy. TLS-DPA extends the design principles of TLS 1.3 to support:

operation over identity-first, topology-independent transports (for example UZP; );
authentication bound to Service Identities, rather than IP addresses and ports;
reduced metadata exposure to intermediaries, including rendezvous nodes in UZP fabrics;
hybrid classical/post-quantum KEM negotiation aligned with the NIST PQC process ( );
session continuity across transport or overlay path changes (for example QUIC Connection IDs; ).

The TLS-DPA wire image is intended to remain close to TLS 1.3, enabling reuse of existing implementation structure while adding explicit identity and transport binding into the handshake transcript and key schedule. TLS-DPA also aligns with zero-trust guidance (NIST SP 800-207 ) and identity-centric designs such as HIP .

Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in and when, and only when, they appear in all capitals, as shown here. Terminology used throughout this document:

CID: Canonical Identity (a long-term public key hash).
EID: Ephemeral Identity (a session-level fingerprint).
UZP: Zero-port transport as defined by the companion UZP Internet-Draft ( ).
ZPIT: Zero-Port Interconnect Tunnel (a UZP fabric channel).
Pantheon: A policy/identity authority providing session grants and capability metadata.
Service Identity: The identity to which TLS-DPA authentication is bound (for example a DNS name, CID, EID, or a UZPIF selector).

Design Goals TLS-DPA is designed to:

decouple channel authentication from IP address and port topology;
provide identity-first naming independent of network routing;
support hybrid classical and post-quantum KEM negotiation aligned with NIST PQC guidance ( );
reduce metadata in early handshake flights;
bind channels to transport-level identifiers (for example UZP SessionIDs or QUIC Connection IDs; );
remain closely aligned with the structure of TLS 1.3 ( );
operate efficiently over UZP and UZPIF rendezvous fabrics ( , ).

Where this document specifies algorithms or parameter sets (for example hybrid KEM combinations), these are intended as recommended profiles and may evolve. Implementations may support additional profiles and apply implementation-defined choices within any explicit limits described in the relevant sections.

Overview of TLS-DPA TLS-DPA retains the basic architecture of TLS 1.3 ( ) but introduces:

transport-agnostic channel binding, via a dedicated extension that carries a transport identifier and class;
Service Identity negotiation and binding into the transcript;
mandatory transcript binding of identity and transport metadata;
PQ-ready hybrid KEM negotiation using an explicit parameter extension;
stable session resumption across topology or path changes.

TLS-DPA defines the handshake over an abstract TLS-DPA Channel. The channel only needs to provide:

ordered or reliably framed delivery;
a transport-level identifier (e.g., a TCP 4-tuple, QUIC Connection ID; , or a UZP SessionID);
uniqueness sufficient for transcript binding.

Transport-Agnostic Channel Model TLS-DPA treats the underlying transport as providing one or more channels:

TCP : traditional byte stream;
QUIC : stream over a QUIC connection, identified by QUIC Connection ID ( );
UZP : stream inside a ZPIT, identified by a UZP SessionID ( ).

The handshake binds to this transport using the tlsdpa_transport_binding extension (see ).

Identity Binding Model TLS-DPA authenticates peers using Service Identities, which may be:

DNS names (validated per RFC 6125).
UZP CIDs (canonical identities, derived from long-term public keys).
UZP EIDs (ephemeral, session-level identities).
UZPIF selectors resolved via Pantheon .

The Service Identity MUST be included in the handshake transcript and validated as described in Section . CIDs are intended to be stable over meaningful operational time-scales: changes in CID MUST be treated as key-rotation events and not as transient transport artefacts.

Post-Quantum Key Exchange Model TLS-DPA introduces unified hybrid-KEM negotiation via the tlsdpa_pq_kem_params extension. Supported KEM schemes include:

X25519 (classical ECDH).
Kyber768 (PQC KEM candidate).
A hybrid X25519+Kyber768 mode.

The key schedule incorporates PQ KEM inputs prior to traffic secret derivation, following general design principles for hybrid KEMs in the NIST PQC process .

Key Schedule Summary TLS-DPA modifies the TLS 1.3 key derivation to include:

Service Identity.
Transport Binding.
PQ KEM materials.

Exporter values MUST be bound to both identity and transport (Section ). At a high level, PQ hybrid KEM inputs augment the TLS 1.3 key schedule:

Hybrid shared secret extraction. This equation shows the hybrid extraction step that combines KEM and ECDH inputs. AEAD algorithms used with TLS-DPA MUST follow their specification-defined tag lengths. Tags MUST NOT be truncated below 96 bits, and 128-bit tags SHOULD be preferred where supported.

Extensions (Conversion note) The extension names and structures in this document are intended for experimentation. This draft does not request IANA allocations. Where appropriate, implementations may use private-use ranges or negotiated profiles.

tlsdpa_service_identity The tlsdpa_service_identity extension carries the Service Identity to which the TLS-DPA handshake is bound. For experimentation, this document uses an example private-use code point value (0xFE01); deployments MAY select alternative values by profile.

Service Identity extension structure (informative C-like syntax). ; } ServiceIdentity; enum { dns_name(0), uzp_cid(1), uzp_eid(2), uzpif_selector(3), (255) } ServiceIdentityType; ]]> This figure shows the fields carried in the Service Identity extension. The client MUST send exactly one Service Identity. The server MUST validate it according to its type (Section ).

tlsdpa_transport_binding The tlsdpa_transport_binding extension binds the handshake transcript to an underlying transport identifier and transport class. For experimentation, this document uses an example private-use code point value (0xFE02); deployments MAY select alternative values by profile.

Transport Binding extension structure (informative C-like syntax). ; uint8 transport_class; /* 0=TCP, 1=QUIC, 2=UZP */ opaque transport_params<0..256>; } TransportBinding; ]]> This figure shows the fields used to bind the handshake to a transport identifier and class. For UZP, transport_id MUST contain the UZP SessionID. For QUIC, it SHOULD contain the QUIC Connection ID .

tlsdpa_pq_kem_params The tlsdpa_pq_kem_params extension carries the list of acceptable KEM schemes and related profile parameters. For experimentation, this document uses an example private-use code point value (0xFE03); deployments MAY select alternative values by profile.

PQ KEM parameters extension structure (informative C-like syntax). ; } PQKemParams; enum { x25519(0), kyber768(1), hybrid_x25519_kyber768(2), (255) } KEMScheme; ]]> This figure enumerates the acceptable KEM schemes and profile parameters. The client proposes a list of acceptable KEM schemes. The selected scheme feeds into the key schedule.

Transcript Hashing Rules New transcript components MUST be inserted as follows:

Transcript hashing with identity and transport binding (illustrative). This figure shows where the new identity and transport inputs are inserted into the transcript hash. Hash mismatches MUST abort the handshake with illegal_transport_binding or identity_mismatch (Section ).

Key Schedule and Exporters PQ hybrid KEM inputs augment the TLS 1.3 key schedule as:

Hybrid shared secret extraction (illustrative). This figure shows the shared secret input used for exporter derivation. Exporter keys MUST incorporate identity and transport bindings.

Exporter Binding Requirements TLS-DPA exporters MUST include:

Service Identity (SID).
Transport Binding (TB).
PQ KEM scheme identifier.
UZP SessionID (if transport_class = UZP).

Exporter Label Structure

Exporter label structure (illustrative). This figure shows the label composition that binds exporter output to identity and transport. where identity_type is from ServiceIdentityType, and transport_class is from TransportBinding.

Exporter Context Structure

ExporterContext structure (informative C-like syntax). This figure shows the exporter context fields derived from Service Identity, TransportBinding, and the selected KEM.

Example Exporter Computation

Example exporter computation (illustrative). This figure summarizes the exporter computation flow from shared secret to derived key.

Handshake Diagrams

Full UZP Flight Diagram Figure provides an illustrative end-to-end view of a TLS-DPA handshake relayed via a rendezvous node (RN) in a UZP fabric. The RN forwards handshake flights without decrypting them. Binding ensures the RN cannot replay or modify flows undetected.

TLS-DPA handshake relayed via an RN, with end-to-end protection over the ZPIT (illustrative). | | |--- CH1' (fwd) ---------->| | |<-- SH1: ServerHello(PQ, TB)| |<-- SH1' ----| |--- CH2: EncryptedExtensions --------->| | |--- CH2' ----------------->| | |<-- EE2/Cert/Finished -----| |<-- EE2'/Cert'/Finished'---------------| |<==== Finished / Encrypted App Data ===>| ]]> This figure traces the RN-relayed handshake flights while the endpoints retain end-to-end protection. Where:

SID: Service Identity.
TB: Transport Binding (UZP SessionID mandatory).
PQ: PQ KEM parameters.

Generalised TLS-DPA Flow Figure shows a generalised view of the handshake and the role of a transport layer that relays flights but does not decrypt them.

Generalised TLS-DPA handshake layers (illustrative). | | | |--- CH forwarded ------>| | |<-- ServerHello --------| |<-- ServerHello ---------------| | |--- EncryptedExtensions ------>| | |<-- Certificate, Finished ------------------------------| |--- Finished / Encrypted Application Data ------------->| ]]> This figure shows the transport relay separating TLS-DPA endpoints while preserving end-to-end security.

SID is carried in the ClientHello.
The transport layer relays flights but does not decrypt them.
End-to-end Finished confirms key schedule integrity.

Service Identity Validation

DNS DNS-based identities MUST be validated according to .

UZP CID The CID MUST equal BLAKE3-256(server_longterm_public_key).

UZP EID The EID MUST match the server-presented ephemeral identity for this session.

UZPIF Selector UZPIF selectors MUST be resolved via Pantheon or local cached mappings consistent with Pantheon policy .

Failure Handling If any validation fails, the implementation MUST abort the handshake with an appropriate alert (Section ):

identity_mismatch;
illegal_transport_binding;
pq_required.

New Alerts TLS-DPA defines the following experimental alert descriptions for use in deployments and interoperability testing. The numeric values shown are illustrative and are not requested for IANA allocation by this draft.

Experimental alert descriptions (illustrative C-like syntax). This figure lists the experimental alert codes defined by TLS-DPA.

Applicability to UZP / UZPIF TLS-DPA maps naturally to UZP by binding:

tlsdpa_service_identity -> UZP CID/EID.
tlsdpa_transport_binding -> UZP SessionID.
PQ capability and fallback -> Pantheon Grants.

UZP's multi-step rendezvous and authentication model and provides:

stronger pre-TLS identity establishment;
reduced man-in-the-middle risk;
deterministic channel binding for TLS-DPA.

Early Data (0-RTT) Over UZP:

early data is transmitted inside a ZPIT;
replay protection uses CID/EID and Pantheon Grant metadata;
early data MUST NOT be used if Pantheon Grants specify "no-replay".

RN Replay Detection The RN MUST maintain a sliding replay cache keyed on:

Replay cache key tuple (illustrative). This figure shows the tuple the RN uses to index replay state. Entries MUST be retained for at least twice the maximum ZPIT propagation delay. Longer retention is permitted. If a duplicate early-flight tuple is observed, the RN MUST drop it silently.

Endpoint Replay Detection Endpoints MUST track GrantNonce values associated with early data. For each:

Endpoint replay tuple (illustrative). This figure shows the endpoint tuple tracked to detect early data replay. If an identical tuple is received twice within the resumption window, the endpoint MUST abort with illegal_parameter.

GrantNonce Interaction Pantheon MUST issue a fresh GrantNonce per resumed or 0-RTT-enabled session. The nonce MUST be bound into the handshake transcript.

0-RTT over UZP Rebinds If the UZP SessionID changes during path migration, 0-RTT data MUST be rejected unless the new SessionID is verifiably linked to the previous one via Pantheon metadata.

Threat Model TLS-DPA is designed to defend against:

passive eavesdropping;
active man-in-the-middle;
downgrade attacks on both classical and PQ negotiation;
identity spoofing;
transport reattachment and rebinding attacks across overlays.

In UZP deployments, RN visibility is limited to flow identifiers and encrypted envelopes. No plaintext application data or Service Identity contents are exposed.

Operational Considerations

Middleboxes SHOULD NOT assume fixed IP/port semantics for TLS-DPA channels.
Monitoring SHOULD use exporter-based identity hooks rather than IP/port heuristics .
Session resumption MUST accommodate overlay rebinds (e.g., QUIC Connection IDs, UZP SessionIDs).
PQ keys and related metadata SHOULD be logged where required for compliance, in line with local policy.

Security Considerations TLS-DPA implementations MUST:

ensure identity and transport bindings are transcript-authentic;
authenticate PQ hybrid negotiation and detect downgrades;
suppress downgrade unless explicitly permitted by policy;
minimise metadata exposure, especially in early flights;
prevent unauthorised reattachment across transports or overlays.

The threat model for TLS-DPA is discussed in Section .

IANA Considerations This document does not request any IANA actions. The example code points used for extension_type values and alert descriptions in this document are intended for experimentation (for example in private-use or locally coordinated deployments). Any future request for code point allocation is out of scope for this draft.

Normative References Informative References UZP: Universal Zero-Port Transport Protocol Universal Zero-Port Interconnect Framework (UZPIF) Zero Trust Architecture NIST Post-Quantum Cryptography Standardization: Fourth Round Candidate Algorithms

Acknowledgements The author thanks colleagues and early reviewers for discussions on identity-first security, transport binding, and post-quantum transition models. Any errors or omissions remain the author's responsibility.