draft-ietf-quic-tls-12.txt   draft-ietf-quic-tls-latest.txt 
QUIC Working Group M. Thomson, Ed. QUIC Working Group M. Thomson, Ed.
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track S. Turner, Ed. Intended status: Standards Track S. Turner, Ed.
Expires: November 23, 2018 sn3rd Expires: November 26, 2018 sn3rd
May 22, 2018 May 25, 2018
Using Transport Layer Security (TLS) to Secure QUIC Using Transport Layer Security (TLS) to Secure QUIC
draft-ietf-quic-tls-12 draft-ietf-quic-tls-latest
Abstract Abstract
This document describes how Transport Layer Security (TLS) is used to This document describes how Transport Layer Security (TLS) is used to
secure QUIC. secure QUIC.
Note to Readers Note to Readers
Discussion of this draft takes place on the QUIC working group Discussion of this draft takes place on the QUIC working group
mailing list (quic@ietf.org), which is archived at mailing list (quic@ietf.org), which is archived at
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 23, 2018. This Internet-Draft will expire on November 26, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 37 skipping to change at page 3, line 37
10. Security Considerations . . . . . . . . . . . . . . . . . . . 35 10. Security Considerations . . . . . . . . . . . . . . . . . . . 35
10.1. Packet Reflection Attack Mitigation . . . . . . . . . . 35 10.1. Packet Reflection Attack Mitigation . . . . . . . . . . 35
10.2. Peer Denial of Service . . . . . . . . . . . . . . . . . 35 10.2. Peer Denial of Service . . . . . . . . . . . . . . . . . 35
10.3. Packet Number Protection Analysis . . . . . . . . . . . 36 10.3. Packet Number Protection Analysis . . . . . . . . . . . 36
11. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 37 11. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 37
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 38 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 38
13.1. Normative References . . . . . . . . . . . . . . . . . . 38 13.1. Normative References . . . . . . . . . . . . . . . . . . 38
13.2. Informative References . . . . . . . . . . . . . . . . . 39 13.2. Informative References . . . . . . . . . . . . . . . . . 39
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 40 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 40 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 40
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 40 A.1. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 40
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 40 A.2. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 40
C.1. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 41 A.3. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 41
C.2. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 41 A.4. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 41
C.3. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 41 A.5. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 41
C.4. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 41 A.6. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 41
C.5. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 41 A.7. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 41
C.6. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 41 A.8. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 41
C.7. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 41 A.9. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 41
C.8. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 41 A.10. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 42
C.9. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 41 A.11. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 42
C.10. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 42 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 42
C.11. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 42 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
This document describes how QUIC [QUIC-TRANSPORT] is secured using This document describes how QUIC [QUIC-TRANSPORT] is secured using
Transport Layer Security (TLS) version 1.3 [TLS13]. TLS 1.3 provides Transport Layer Security (TLS) version 1.3 [TLS13]. TLS 1.3 provides
critical latency improvements for connection establishment over critical latency improvements for connection establishment over
previous versions. Absent packet loss, most new connections can be previous versions. Absent packet loss, most new connections can be
established and secured within a single round trip; on subsequent established and secured within a single round trip; on subsequent
connections between the same client and server, the client can often connections between the same client and server, the client can often
skipping to change at page 21, line 42 skipping to change at page 21, line 42
Packet number protection is applied after packet protection is Packet number protection is applied after packet protection is
applied (see Section 5.4). The ciphertext of the packet is sampled applied (see Section 5.4). The ciphertext of the packet is sampled
and used as input to an encryption algorithm. and used as input to an encryption algorithm.
In sampling the packet ciphertext, the packet number length is In sampling the packet ciphertext, the packet number length is
assumed to be the smaller of the maximum possible packet number assumed to be the smaller of the maximum possible packet number
encoding (4 octets), or the size of the protected packet minus the encoding (4 octets), or the size of the protected packet minus the
minimum expansion for the AEAD. For example, the sampled ciphertext minimum expansion for the AEAD. For example, the sampled ciphertext
for a packet with a short header can be determined by: for a packet with a short header can be determined by:
"sample_offset = min(1 + connection_id_length + 4, packet_length - sample_offset = min(1 + connection_id_length + 4,
aead_expansion) sample = packet_length - aead_expansion)
packet[sample_offset..sample_offset+sample_length]" sample = packet[sample_offset..sample_offset+sample_length]
To ensure that this process does not sample the packet number, packet To ensure that this process does not sample the packet number, packet
number protection algorithms MUST NOT sample more ciphertext than the number protection algorithms MUST NOT sample more ciphertext than the
minimum expansion of the corresponding AEAD. minimum expansion of the corresponding AEAD.
Packet number protection is applied to the packet number encoded as Packet number protection is applied to the packet number encoded as
described in Section 4.8 of [QUIC-TRANSPORT]. Since the length of described in Section 4.8 of [QUIC-TRANSPORT]. Since the length of
the packet number is stored in the first octet of the encoded packet the packet number is stored in the first octet of the encoded packet
number, it may be necessary to progressively decrypt the packet number, it may be necessary to progressively decrypt the packet
number. number.
skipping to change at page 36, line 33 skipping to change at page 36, line 33
Packet number protection relies the packet protection AEAD being a Packet number protection relies the packet protection AEAD being a
pseudorandom function (PRF), which is not a property that AEAD pseudorandom function (PRF), which is not a property that AEAD
algorithms guarantee. Therefore, no strong assurances about the algorithms guarantee. Therefore, no strong assurances about the
general security of this mechanism can be shown in the general case. general security of this mechanism can be shown in the general case.
The AEAD algorithms described in this document are assumed to be The AEAD algorithms described in this document are assumed to be
PRFs. PRFs.
The packet number protection algorithms defined in this document take The packet number protection algorithms defined in this document take
the form: the form:
"encrypted_pn = packet_number XOR PRF(pn_key, sample)" encrypted_pn = packet_number XOR PRF(pn_key, sample)
This construction is secure against chosen plaintext attacks (IND- This construction is secure against chosen plaintext attacks (IND-
CPA) [IMC]. CPA) [IMC].
Use of the same key and ciphertext sample more than once risks Use of the same key and ciphertext sample more than once risks
compromising packet number protection. Protecting two different compromising packet number protection. Protecting two different
packet numbers with the same key and ciphertext sample reveals the packet numbers with the same key and ciphertext sample reveals the
exclusive OR of those packet numbers. Assuming that the AEAD acts as exclusive OR of those packet numbers. Assuming that the AEAD acts as
a PRF, if L bits are sampled, the odds of two ciphertext samples a PRF, if L bits are sampled, the odds of two ciphertext samples
being identical approach 2^(-L/2), that is, the birthday bound. For being identical approach 2^(-L/2), that is, the birthday bound. For
skipping to change at page 38, line 50 skipping to change at page 38, line 50
<https://www.rfc-editor.org/info/rfc7539>. <https://www.rfc-editor.org/info/rfc7539>.
[HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand [HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869, Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010, DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>. <https://www.rfc-editor.org/info/rfc5869>.
[QUIC-TRANSPORT] [QUIC-TRANSPORT]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", draft-ietf-quic- Multiplexed and Secure Transport", draft-ietf-quic-
transport-12 (work in progress). transport-latest (work in progress).
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<https://www.rfc-editor.org/info/rfc5116>. <https://www.rfc-editor.org/info/rfc5116>.
skipping to change at page 39, line 49 skipping to change at page 39, line 49
Luykx, A. and K. Paterson, "Limits on Authenticated Luykx, A. and K. Paterson, "Limits on Authenticated
Encryption Use in TLS", March 2016, Encryption Use in TLS", March 2016,
<http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. <http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>.
[IMC] Katz, J. and Y. Lindell, "Introduction to Modern [IMC] Katz, J. and Y. Lindell, "Introduction to Modern
Cryptography, Second Edition", ISBN 978-1466570269, Cryptography, Second Edition", ISBN 978-1466570269,
November 2014. November 2014.
[QUIC-HTTP] [QUIC-HTTP]
Bishop, M., Ed., "Hypertext Transfer Protocol (HTTP) over Bishop, M., Ed., "Hypertext Transfer Protocol (HTTP) over
QUIC", draft-ietf-quic-http-12 (work in progress). QUIC", draft-ietf-quic-http-latest (work in progress).
[QUIC-RECOVERY] [QUIC-RECOVERY]
Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", draft-ietf-quic-recovery-12 (work and Congestion Control", draft-ietf-quic-recovery-latest
in progress). (work in progress).
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
skipping to change at page 40, line 33 skipping to change at page 40, line 33
<https://www.rfc-editor.org/info/rfc7924>. <https://www.rfc-editor.org/info/rfc7924>.
13.3. URIs 13.3. URIs
[1] https://mailarchive.ietf.org/arch/search/?email_list=quic [1] https://mailarchive.ietf.org/arch/search/?email_list=quic
[2] https://github.com/quicwg [2] https://github.com/quicwg
[3] https://github.com/quicwg/base-drafts/labels/-tls [3] https://github.com/quicwg/base-drafts/labels/-tls
Appendix A. Contributors Appendix A. Change Log
Ryan Hamilton was originally an author of this specification.
Appendix B. Acknowledgments
This document has benefited from input from Dragana Damjanovic,
Christian Huitema, Jana Iyengar, Adam Langley, Roberto Peon, Eric
Rescorla, Ian Swett, and many others.
Appendix C. Change Log
*RFC Editor's Note:* Please remove this section prior to *RFC Editor's Note:* Please remove this section prior to
publication of a final version of this document. publication of a final version of this document.
Issue and pull request numbers are listed with a leading octothorp. Issue and pull request numbers are listed with a leading octothorp.
C.1. Since draft-ietf-quic-tls-10 A.1. Since draft-ietf-quic-tls-10
o No significant changes. o No significant changes.
C.2. Since draft-ietf-quic-tls-09 A.2. Since draft-ietf-quic-tls-09
o Cleaned up key schedule and updated the salt used for handshake o Cleaned up key schedule and updated the salt used for handshake
packet protection (#1077) packet protection (#1077)
C.3. Since draft-ietf-quic-tls-08 A.3. Since draft-ietf-quic-tls-08
o Specify value for max_early_data_size to enable 0-RTT (#942) o Specify value for max_early_data_size to enable 0-RTT (#942)
o Update key derivation function (#1003, #1004) o Update key derivation function (#1003, #1004)
C.4. Since draft-ietf-quic-tls-07 A.4. Since draft-ietf-quic-tls-07
o Handshake errors can be reported with CONNECTION_CLOSE (#608, o Handshake errors can be reported with CONNECTION_CLOSE (#608,
#891) #891)
C.5. Since draft-ietf-quic-tls-05 A.5. Since draft-ietf-quic-tls-05
No significant changes. No significant changes.
C.6. Since draft-ietf-quic-tls-04 A.6. Since draft-ietf-quic-tls-04
o Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) o Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)
C.7. Since draft-ietf-quic-tls-03 A.7. Since draft-ietf-quic-tls-03
No significant changes. No significant changes.
C.8. Since draft-ietf-quic-tls-02 A.8. Since draft-ietf-quic-tls-02
o Updates to match changes in transport draft o Updates to match changes in transport draft
C.9. Since draft-ietf-quic-tls-01 A.9. Since draft-ietf-quic-tls-01
o Use TLS alerts to signal TLS errors (#272, #374) o Use TLS alerts to signal TLS errors (#272, #374)
o Require ClientHello to fit in a single packet (#338) o Require ClientHello to fit in a single packet (#338)
o The second client handshake flight is now sent in the clear (#262, o The second client handshake flight is now sent in the clear (#262,
#337) #337)
o The QUIC header is included as AEAD Associated Data (#226, #243, o The QUIC header is included as AEAD Associated Data (#226, #243,
#302) #302)
skipping to change at page 42, line 12 skipping to change at page 42, line 4
o The QUIC header is included as AEAD Associated Data (#226, #243, o The QUIC header is included as AEAD Associated Data (#226, #243,
#302) #302)
o Add interface necessary for client address validation (#275) o Add interface necessary for client address validation (#275)
o Define peer authentication (#140) o Define peer authentication (#140)
o Require at least TLS 1.3 (#138) o Require at least TLS 1.3 (#138)
o Define transport parameters as a TLS extension (#122) o Define transport parameters as a TLS extension (#122)
o Define handling for protected packets before the handshake o Define handling for protected packets before the handshake
completes (#39) completes (#39)
o Decouple QUIC version and ALPN (#12) o Decouple QUIC version and ALPN (#12)
C.10. Since draft-ietf-quic-tls-00 A.10. Since draft-ietf-quic-tls-00
o Changed bit used to signal key phase o Changed bit used to signal key phase
o Updated key phase markings during the handshake o Updated key phase markings during the handshake
o Added TLS interface requirements section o Added TLS interface requirements section
o Moved to use of TLS exporters for key derivation o Moved to use of TLS exporters for key derivation
o Moved TLS error code definitions into this document o Moved TLS error code definitions into this document
C.11. Since draft-thomson-quic-tls-01 A.11. Since draft-thomson-quic-tls-01
o Adopted as base for draft-ietf-quic-tls o Adopted as base for draft-ietf-quic-tls
o Updated authors/editors list o Updated authors/editors list
o Added status note o Added status note
Acknowledgments
This document has benefited from input from Dragana Damjanovic,
Christian Huitema, Jana Iyengar, Adam Langley, Roberto Peon, Eric
Rescorla, Ian Swett, and many others.
Contributors
Ryan Hamilton was originally an author of this specification.
Authors' Addresses Authors' Addresses
Martin Thomson (editor) Martin Thomson (editor)
Mozilla Mozilla
Email: martin.thomson@gmail.com Email: martin.thomson@gmail.com
Sean Turner (editor) Sean Turner (editor)
sn3rd sn3rd
 End of changes. 23 change blocks. 
49 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/