The negotiation procedure of the Secure TCP must provide a way to exchange the keys used for data encryption. As described in section 4, this negotiation takes place during the three-way handshake, so the SYN, SYN+ACK and ACK segments of the handshake must carry the extra data needed by the Secure TCP functions.
Furthermore, the sender must tell its receiver the original size of the segment data in order to use the data confidentiality function discussed above. To implement these requirements with minimal changes to the classical TCP, we propose a TCP option extension called TOE. The details of the TOE are as follows.
In the classical TCP specification, the maximum length of the TCP options is only 40 octets (the 60-octet maximum header length minus the 20-octet fixed part). However, since a typical public-key encryption key is longer than 512 bits (64 octets), such keys cannot be delivered in the TCP option field of the classical TCP. Instead, the sender sets the TOE bit in the TCP header and prepends the TOE data to the TCP segment data. The length of the TOE data in the segment is carried in the urgent pointer field of the TCP header; since this field is 16 bits wide, a single segment can carry at most 65,535 octets of TOE data. The receiver therefore checks whether the TOE bit is set. If it is, the receiver takes the TOE data from the beginning of the segment data, using the length given in the urgent pointer field, and proceeds with further processing. The format of the TOE data is described in a later section.
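The following is an added illustration of the TOE carriage mechanism described above, written for this page and not taken from the paper or from any Secure TCP implementation. It treats the TOE data as an opaque byte string (its format is defined later in the paper), assumes that the TOE bit is one of the reserved bits of the TCP data-offset/flags word (0x0200; the paper does not fix its position), leaves the checksum at zero and omits the IP header. The sender side sets the TOE bit, prepends the TOE data to the segment data and writes its length into the urgent pointer; the receiver side checks the bit and splits the data back out, rejecting lengths that exceed the 16-bit urgent pointer or the segment itself. The key blobs used in the handshake demo are constructed placeholders of 128 octets (1024 bits), longer than the 40-octet option space.

```python
import struct

# Assumed TOE bit: one of the reserved bits in the 16-bit data-offset/flags word.
# The paper does not specify which bit is used; 0x0200 is a placeholder choice.
TOE_FLAG = 0x0200
URG = 0x0020
ACK = 0x0010
SYN = 0x0002
MAX_TOE_LEN = 0xFFFF        # the urgent pointer is a 16-bit field
HDR_FMT = "!HHIIHHHH"       # src, dst, seq, ack, off/flags, window, checksum, urgent ptr
HDR_LEN = struct.calcsize(HDR_FMT)  # 20 octets, no options


def build_segment(src_port, dst_port, seq, ack, flags, window, payload=b"", toe_data=b""):
    """Build a TCP segment. With toe_data present, set the TOE bit, prepend the
    TOE data to the segment data and store its length in the urgent pointer."""
    urg_ptr = 0
    if toe_data:
        if len(toe_data) > MAX_TOE_LEN:
            raise ValueError("TOE data longer than the 16-bit urgent pointer allows")
        if flags & URG:
            # The urgent pointer is reused for the TOE length, so classical urgent
            # data cannot be signalled in the same segment.
            raise ValueError("URG cannot be combined with TOE")
        flags |= TOE_FLAG
        urg_ptr = len(toe_data)
    data_offset = HDR_LEN // 4
    off_flags = (data_offset << 12) | (flags & 0x0FFF)
    header = struct.pack(HDR_FMT, src_port, dst_port, seq, ack, off_flags, window, 0, urg_ptr)
    return header + toe_data + payload


def parse_segment(segment):
    """Return (flags, toe_data, payload). Without the TOE bit, toe_data is empty
    and the urgent pointer keeps its classical meaning (not interpreted here)."""
    if len(segment) < HDR_LEN:
        raise ValueError("segment shorter than the fixed TCP header")
    (_src, _dst, _seq, _ack, off_flags, _win, _csum, urg_ptr) = struct.unpack(HDR_FMT, segment[:HDR_LEN])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x0FFF
    if data_offset < HDR_LEN or data_offset > len(segment):
        raise ValueError("invalid data offset")
    data = segment[data_offset:]
    if not flags & TOE_FLAG:
        return flags, b"", data
    if urg_ptr > len(data):
        # A truncated or forged segment must not make the receiver read past the data.
        raise ValueError("TOE length exceeds the segment data")
    return flags, data[:urg_ptr], data[urg_ptr:]


def demo_handshake():
    """Three-way handshake in which every segment carries TOE data.
    Key blobs are constructed placeholders, not real public keys."""
    client_key = b"\x01" * 128      # 1024-bit placeholder, too long for the option field
    server_key = b"\x02" * 128
    client_ack_blob = b"\x03" * 16  # placeholder TOE data for the final ACK

    syn = build_segment(40000, 443, 1000, 0, SYN, 65535, toe_data=client_key)
    syn_flags, syn_toe, syn_payload = parse_segment(syn)

    synack = build_segment(443, 40000, 5000, 1001, SYN | ACK, 65535, toe_data=server_key)
    sa_flags, sa_toe, sa_payload = parse_segment(synack)

    ack = build_segment(40000, 443, 1001, 5001, ACK, 65535, toe_data=client_ack_blob)
    ack_flags, ack_toe, ack_payload = parse_segment(ack)

    return {
        "syn": (syn_flags, syn_toe, syn_payload),
        "synack": (sa_flags, sa_toe, sa_payload),
        "ack": (ack_flags, ack_toe, ack_payload),
    }


if __name__ == "__main__":
    for name, (flags, toe, payload) in demo_handshake().items():
        print(f"{name}: TOE bit={bool(flags & TOE_FLAG)} toe_len={len(toe)} payload_len={len(payload)}")
```

The parse side deliberately refuses a TOE length that runs past the end of the segment data; a receiver that trusted the urgent pointer blindly would read beyond the received bytes on a truncated or malicious segment.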