The Secure TCP segment data is encrypted to protect it against message eavesdropping attacks. However, header confidentiality is outside the scope of Secure TCP, so the TCP header is not encrypted and is delivered in plaintext.
Data confidentiality must be combined with data integrity. So that the receiver can quickly detect whether a received segment has been modified, encryption is applied before the integrity protection, i.e., the MAC is computed over the already encrypted segment:
Segment = Plaintext header + Encrypted segment data + MAC(Encrypted segment)
When a block cipher is used for encryption, padding may be required to align the segment data to the block size employed by the cipher. The padding is appended to the end of the TCP segment data, and the whole segment data is then encrypted. The decryption procedure at the receiver must therefore know the original size of the segment data. Accordingly, in Secure TCP the original data size is sent to the receiver by means of the TOE mechanism, whose details are described in the next section.
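The layout above (plaintext header, encrypted and padded data, MAC over the encrypted segment) with the receiver checking the MAC before decrypting and the original length carried separately, as an added example that is not part of the page or of the Secure TCP specification. It uses an HMAC-SHA256 keystream as a stand-in for the block cipher, uses the plaintext header (which contains the sequence number) as the per-segment nonce, covers both the header and the ciphertext with the MAC, and returns the original data length to the caller instead of modelling the page's TOE mechanism; all of these are assumptions of the example.

```python
"""Encrypt-then-MAC framing of a TCP segment, modelled on
Segment = Plaintext header + Encrypted segment data + MAC(Encrypted segment).
Added example (not the page's code): HMAC-SHA256 keystream as a stand-in for
the block cipher; the original data length travels out of band, standing in
for the page's TOE mechanism, so the padding needs no self-describing format."""
import hashlib
import hmac
import struct

BLOCK_SIZE = 16     # block size of the stand-in cipher; padding aligns to it
MAC_LEN = 32        # HMAC-SHA256 tag length
TCP_HDR_LEN = 20    # fixed TCP header without options


def build_tcp_header(src_port, dst_port, seq, ack):
    """Minimal 20-byte TCP header: data offset 5 words, PSH|ACK, window 65535,
    checksum and urgent pointer left zero (constructed for the example)."""
    data_offset_flags = (5 << 12) | 0x18
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset_flags, 65535, 0, 0)


def _keystream(enc_key, header, nblocks):
    """Block-oriented keystream: HMAC(key, header || block counter), truncated
    to one block each. The plaintext header (with its sequence number) is the
    per-segment nonce; this is an assumption of the example."""
    out = b""
    for i in range(nblocks):
        out += hmac.new(enc_key, header + struct.pack("!I", i),
                        hashlib.sha256).digest()[:BLOCK_SIZE]
    return out


def pad_to_block(data):
    """Append zero padding only when the data is not already block-aligned."""
    rem = len(data) % BLOCK_SIZE
    return data if rem == 0 else data + b"\x00" * (BLOCK_SIZE - rem)


def protect_segment(enc_key, mac_key, header, data):
    """Sender: pad, encrypt, then MAC (header || ciphertext).
    Returns the wire segment and the original data length, which the page
    sends separately via its TOE mechanism (not modelled here)."""
    padded = pad_to_block(data)
    ks = _keystream(enc_key, header, len(padded) // BLOCK_SIZE)
    ciphertext = bytes(p ^ k for p, k in zip(padded, ks))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag, len(data)


def unprotect_segment(enc_key, mac_key, segment, orig_len):
    """Receiver: verify the MAC before any decryption so a modified segment is
    dropped without running the cipher; then decrypt and strip the padding."""
    if len(segment) < TCP_HDR_LEN + MAC_LEN:
        return None
    header = segment[:TCP_HDR_LEN]
    ciphertext = segment[TCP_HDR_LEN:-MAC_LEN]
    tag = segment[-MAC_LEN:]
    if len(ciphertext) % BLOCK_SIZE != 0 or orig_len > len(ciphertext):
        return None                                   # malformed framing
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                   # integrity failure: drop
    ks = _keystream(enc_key, header, len(ciphertext) // BLOCK_SIZE)
    padded = bytes(c ^ k for c, k in zip(ciphertext, ks))
    return padded[:orig_len]


# Constructed sample keys, header and payload (not from the page).
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
SAMPLE_HEADER = build_tcp_header(40000, 443, 1000, 1)
SAMPLE_DATA = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # 33 bytes, padded to 48


def demo():
    """Round trip, then flip one bit of the ciphertext: the MAC check fails
    and the receiver returns None without decrypting."""
    seg, n = protect_segment(ENC_KEY, MAC_KEY, SAMPLE_HEADER, SAMPLE_DATA)
    ok = unprotect_segment(ENC_KEY, MAC_KEY, seg, n)
    tampered = bytearray(seg)
    tampered[TCP_HDR_LEN] ^= 0x01
    bad = unprotect_segment(ENC_KEY, MAC_KEY, bytes(tampered), n)
    return ok, bad, len(seg)


if __name__ == "__main__":
    print(demo())
```

The receiver checks framing and the MAC first and only then decrypts, which is what the encrypt-then-MAC ordering in the text buys: a modified segment costs one HMAC computation to reject, and the cipher never runs on unauthenticated input. Because the original length arrives separately, the zero padding needs no structure of its own and is simply truncated away after decryption.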