The Secure TCP can choose several kinds of cipher methods used for the data integrity and confidentiality, and select various hash algorithms for the data integrity.
In the negotiation phase, the Secure TCP peer entities exchange a security service type that indicates both cipher methods and a hash algorithms. The security service type used in the Secure TCP is listed in the Table 1. Note that this type is not an index to express the strength of these methods.
A negotiation procedure is carried out as follows. A sender entity sends a list of types to a peer entity. The list order indicates the priority the sender wants to use. For example, in the case the sender sends ``421'', it wants to use MD5 and DES for its data integrity and DES (CFB 1byte) for its data confidentiality, as its first priority.
The receiver entity chooses one of the methods sender advertised in the list, and sends back to it. If the receiver can't pick any methods in the list, then it can give up the connection establishment or proceed with the classical TCP. In the case that SYN+ACK segment is sent back to the sender, the sender can also select whether it resets the connection and retry with other list of security method or go ahead with the classical TCP.
A example of the security service type is shown in Table 1. A symbol ``---'' indicates no methods. Type 0 shows providing no security service. Type 1 shows providing data integrity method only. Type 2, 3 and 4 show providing data integrity and data confidentiality methods. In order to put data confidentiality into practice, each different cipher methods is used in type 2, 3 and 4.
Table 1: Security Service Type