| draft-ietf-quic-tls-29.txt | draft-ietf-quic-tls-latest.txt | |||
|---|---|---|---|---|
| QUIC Working Group M. Thomson, Ed. | QUIC Working Group M. Thomson, Ed. | |||
| Internet-Draft Mozilla | Internet-Draft Mozilla | |||
| Intended status: Standards Track S. Turner, Ed. | Intended status: Standards Track S. Turner, Ed. | |||
| Expires: December 11, 2020 sn3rd | Expires: January 14, 2021 sn3rd | |||
| June 9, 2020 | July 13, 2020 | |||
| Using TLS to Secure QUIC | Using TLS to Secure QUIC | |||
| draft-ietf-quic-tls-29 | draft-ietf-quic-tls-latest | |||
| Abstract | Abstract | |||
| This document describes how Transport Layer Security (TLS) is used to | This document describes how Transport Layer Security (TLS) is used to | |||
| secure QUIC. | secure QUIC. | |||
| Note to Readers | Note to Readers | |||
| Discussion of this draft takes place on the QUIC working group | Discussion of this draft takes place on the QUIC working group | |||
| mailing list (quic@ietf.org [1]), which is archived at | mailing list (quic@ietf.org [1]), which is archived at | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 11, 2020. | This Internet-Draft will expire on January 14, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
| 2.1. TLS Overview . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. TLS Overview . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. Carrying TLS Messages . . . . . . . . . . . . . . . . . . . . 8 | 4. Carrying TLS Messages . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.1. Interface to TLS . . . . . . . . . . . . . . . . . . . . 10 | 4.1. Interface to TLS . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.1.1. Handshake Complete . . . . . . . . . . . . . . . . . 10 | 4.1.1. Handshake Complete . . . . . . . . . . . . . . . . . 10 | |||
| 4.1.2. Handshake Confirmed . . . . . . . . . . . . . . . . . 11 | 4.1.2. Handshake Confirmed . . . . . . . . . . . . . . . . . 11 | |||
| 4.1.3. Sending and Receiving Handshake Messages . . . . . . 11 | 4.1.3. Sending and Receiving Handshake Messages . . . . . . 11 | |||
| 4.1.4. Encryption Level Changes . . . . . . . . . . . . . . 13 | 4.1.4. Encryption Level Changes . . . . . . . . . . . . . . 13 | |||
| 4.1.5. TLS Interface Summary . . . . . . . . . . . . . . . . 14 | 4.1.5. TLS Interface Summary . . . . . . . . . . . . . . . . 14 | |||
| 4.2. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 15 | 4.2. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.3. ClientHello Size . . . . . . . . . . . . . . . . . . . . 15 | 4.3. ClientHello Size . . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.4. Peer Authentication . . . . . . . . . . . . . . . . . . . 16 | 4.4. Peer Authentication . . . . . . . . . . . . . . . . . . . 17 | |||
| 4.5. Session Resumption . . . . . . . . . . . . . . . . . . . 16 | 4.5. Session Resumption . . . . . . . . . . . . . . . . . . . 17 | |||
| 4.6. Enabling 0-RTT . . . . . . . . . . . . . . . . . . . . . 17 | 4.6. Enabling 0-RTT . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 4.7. Accepting and Rejecting 0-RTT . . . . . . . . . . . . . . 17 | 4.7. Accepting and Rejecting 0-RTT . . . . . . . . . . . . . . 18 | |||
| 4.8. Validating 0-RTT Configuration . . . . . . . . . . . . . 18 | 4.8. Validating 0-RTT Configuration . . . . . . . . . . . . . 19 | |||
| 4.9. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 18 | 4.9. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 19 | |||
| 4.10. TLS Errors . . . . . . . . . . . . . . . . . . . . . . . 18 | 4.10. TLS Errors . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 4.11. Discarding Unused Keys . . . . . . . . . . . . . . . . . 19 | 4.11. Discarding Unused Keys . . . . . . . . . . . . . . . . . 20 | |||
| 4.11.1. Discarding Initial Keys . . . . . . . . . . . . . . 19 | 4.11.1. Discarding Initial Keys . . . . . . . . . . . . . . 20 | |||
| 4.11.2. Discarding Handshake Keys . . . . . . . . . . . . . 20 | 4.11.2. Discarding Handshake Keys . . . . . . . . . . . . . 21 | |||
| 4.11.3. Discarding 0-RTT Keys . . . . . . . . . . . . . . . 20 | 4.11.3. Discarding 0-RTT Keys . . . . . . . . . . . . . . . 21 | |||
| 5. Packet Protection . . . . . . . . . . . . . . . . . . . . . . 20 | 5. Packet Protection . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 5.1. Packet Protection Keys . . . . . . . . . . . . . . . . . 20 | 5.1. Packet Protection Keys . . . . . . . . . . . . . . . . . 21 | |||
| 5.2. Initial Secrets . . . . . . . . . . . . . . . . . . . . . 21 | 5.2. Initial Secrets . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 5.3. AEAD Usage . . . . . . . . . . . . . . . . . . . . . . . 22 | 5.3. AEAD Usage . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 5.4. Header Protection . . . . . . . . . . . . . . . . . . . . 23 | 5.4. Header Protection . . . . . . . . . . . . . . . . . . . . 24 | |||
| 5.4.1. Header Protection Application . . . . . . . . . . . . 24 | 5.4.1. Header Protection Application . . . . . . . . . . . . 25 | |||
| 5.4.2. Header Protection Sample . . . . . . . . . . . . . . 26 | 5.4.2. Header Protection Sample . . . . . . . . . . . . . . 27 | |||
| 5.4.3. AES-Based Header Protection . . . . . . . . . . . . . 27 | 5.4.3. AES-Based Header Protection . . . . . . . . . . . . . 28 | |||
| 5.4.4. ChaCha20-Based Header Protection . . . . . . . . . . 27 | 5.4.4. ChaCha20-Based Header Protection . . . . . . . . . . 28 | |||
| 5.5. Receiving Protected Packets . . . . . . . . . . . . . . . 27 | 5.5. Receiving Protected Packets . . . . . . . . . . . . . . . 28 | |||
| 5.6. Use of 0-RTT Keys . . . . . . . . . . . . . . . . . . . . 28 | 5.6. Use of 0-RTT Keys . . . . . . . . . . . . . . . . . . . . 29 | |||
| 5.7. Receiving Out-of-Order Protected Frames . . . . . . . . . 28 | 5.7. Receiving Out-of-Order Protected Frames . . . . . . . . . 29 | |||
| 5.8. Retry Packet Integrity . . . . . . . . . . . . . . . . . 29 | 5.8. Retry Packet Integrity . . . . . . . . . . . . . . . . . 30 | |||
| 6. Key Update . . . . . . . . . . . . . . . . . . . . . . . . . 31 | 6. Key Update . . . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 6.1. Initiating a Key Update . . . . . . . . . . . . . . . . . 32 | 6.1. Initiating a Key Update . . . . . . . . . . . . . . . . . 33 | |||
| 6.2. Responding to a Key Update . . . . . . . . . . . . . . . 33 | 6.2. Responding to a Key Update . . . . . . . . . . . . . . . 34 | |||
| 6.3. Timing of Receive Key Generation . . . . . . . . . . . . 33 | 6.3. Timing of Receive Key Generation . . . . . . . . . . . . 34 | |||
| 6.4. Sending with Updated Keys . . . . . . . . . . . . . . . . 34 | 6.4. Sending with Updated Keys . . . . . . . . . . . . . . . . 35 | |||
| 6.5. Receiving with Different Keys . . . . . . . . . . . . . . 34 | 6.5. Receiving with Different Keys . . . . . . . . . . . . . . 35 | |||
| 6.6. Minimum Key Update Frequency . . . . . . . . . . . . . . 35 | 6.6. Minimum Key Update Frequency . . . . . . . . . . . . . . 36 | |||
| 6.7. Key Update Error Code . . . . . . . . . . . . . . . . . . 36 | 6.7. Key Update Error Code . . . . . . . . . . . . . . . . . . 37 | |||
| 7. Security of Initial Messages . . . . . . . . . . . . . . . . 37 | 7. Security of Initial Messages . . . . . . . . . . . . . . . . 38 | |||
| 8. QUIC-Specific Adjustments to the TLS Handshake . . . . . . . 37 | 8. QUIC-Specific Adjustments to the TLS Handshake . . . . . . . 38 | |||
| 8.1. Protocol Negotiation . . . . . . . . . . . . . . . . . . 37 | 8.1. Protocol Negotiation . . . . . . . . . . . . . . . . . . 38 | |||
| 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 38 | 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 39 | |||
| 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 38 | 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 39 | |||
| 8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 39 | 8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 40 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 39 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 40 | |||
| 9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 39 | 9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 40 | |||
| 9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 39 | 9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 40 | |||
| 9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 40 | 9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 41 | |||
| 9.4. Header Protection Analysis . . . . . . . . . . . . . . . 41 | 9.4. Header Protection Analysis . . . . . . . . . . . . . . . 42 | |||
| 9.5. Header Protection Timing Side-Channels . . . . . . . . . 41 | 9.5. Header Protection Timing Side-Channels . . . . . . . . . 42 | |||
| 9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 42 | 9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 43 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 44 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 44 | 11.2. Informative References . . . . . . . . . . . . . . . . . 45 | |||
| 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 45 | 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 45 | Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 46 | |||
| A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 45 | A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 46 | A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 47 | |||
| A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 48 | A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 49 | |||
| A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
| A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 49 | A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 50 | |||
| Appendix B. Analysis of Limits on AEAD_AES_128_CCM Usage . . . . 51 | Appendix B. Analysis of Limits on AEAD_AES_128_CCM Usage . . . . 52 | |||
| B.1. Confidentiality Limits . . . . . . . . . . . . . . . . . 52 | B.1. Confidentiality Limits . . . . . . . . . . . . . . . . . 53 | |||
| B.2. Integrity Limits . . . . . . . . . . . . . . . . . . . . 52 | B.2. Integrity Limits . . . . . . . . . . . . . . . . . . . . 53 | |||
| Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 52 | Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 53 | |||
| C.1. Since draft-ietf-quic-tls-28 . . . . . . . . . . . . . . 53 | C.1. Since draft-ietf-quic-tls-28 . . . . . . . . . . . . . . 54 | |||
| C.2. Since draft-ietf-quic-tls-27 . . . . . . . . . . . . . . 53 | C.2. Since draft-ietf-quic-tls-27 . . . . . . . . . . . . . . 54 | |||
| C.3. Since draft-ietf-quic-tls-26 . . . . . . . . . . . . . . 53 | C.3. Since draft-ietf-quic-tls-26 . . . . . . . . . . . . . . 54 | |||
| C.4. Since draft-ietf-quic-tls-25 . . . . . . . . . . . . . . 53 | C.4. Since draft-ietf-quic-tls-25 . . . . . . . . . . . . . . 54 | |||
| C.5. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 53 | C.5. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 54 | |||
| C.6. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 53 | C.6. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 54 | |||
| C.7. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 54 | C.7. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 55 | |||
| C.8. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 54 | C.8. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 55 | |||
| C.9. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 54 | C.9. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 55 | |||
| C.10. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 54 | C.10. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 55 | |||
| C.11. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 54 | C.11. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 55 | |||
| C.12. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 54 | C.12. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 55 | |||
| C.13. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 55 | C.13. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 56 | |||
| C.14. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 55 | C.14. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 56 | |||
| C.15. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 55 | C.15. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 56 | |||
| C.16. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 55 | C.16. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 56 | |||
| C.17. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 55 | C.17. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 56 | |||
| C.18. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 55 | C.18. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 56 | |||
| C.19. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 56 | C.19. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 57 | |||
| C.20. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 56 | C.20. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 57 | |||
| C.21. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 56 | C.21. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 57 | |||
| C.22. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 56 | C.22. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 57 | |||
| C.23. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 56 | C.23. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 57 | |||
| C.24. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 56 | C.24. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 57 | |||
| C.25. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 57 | C.25. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 58 | |||
| C.26. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 57 | C.26. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 58 | |||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 57 | Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| 1. Introduction | 1. Introduction | |||
| This document describes how QUIC [QUIC-TRANSPORT] is secured using | This document describes how QUIC [QUIC-TRANSPORT] is secured using | |||
| TLS [TLS13]. | TLS [TLS13]. | |||
| TLS 1.3 provides critical latency improvements for connection | TLS 1.3 provides critical latency improvements for connection | |||
| establishment over previous versions. Absent packet loss, most new | establishment over previous versions. Absent packet loss, most new | |||
| connections can be established and secured within a single round | connections can be established and secured within a single round | |||
| trip; on subsequent connections between the same client and server, | trip; on subsequent connections between the same client and server, | |||
| skipping to change at page 11, line 23 ¶ | skipping to change at page 11, line 23 ¶ | |||
| recording the lowest packet number sent with 1-RTT keys, and | recording the lowest packet number sent with 1-RTT keys, and | |||
| comparing it to the Largest Acknowledged field in any received 1-RTT | comparing it to the Largest Acknowledged field in any received 1-RTT | |||
| ACK frame: once the latter is greater than or equal to the former, | ACK frame: once the latter is greater than or equal to the former, | |||
| the handshake is confirmed. | the handshake is confirmed. | |||
| 4.1.3. Sending and Receiving Handshake Messages | 4.1.3. Sending and Receiving Handshake Messages | |||
| In order to drive the handshake, TLS depends on being able to send | In order to drive the handshake, TLS depends on being able to send | |||
| and receive handshake messages. There are two basic functions on | and receive handshake messages. There are two basic functions on | |||
| this interface: one where QUIC requests handshake messages and one | this interface: one where QUIC requests handshake messages and one | |||
| where QUIC provides handshake packets. | where QUIC provides bytes that comprise handshake messages. | |||
| Before starting the handshake QUIC provides TLS with the transport | Before starting the handshake QUIC provides TLS with the transport | |||
| parameters (see Section 8.2) that it wishes to carry. | parameters (see Section 8.2) that it wishes to carry. | |||
| A QUIC client starts TLS by requesting TLS handshake bytes from TLS. | A QUIC client starts TLS by requesting TLS handshake bytes from TLS. | |||
| The client acquires handshake bytes before sending its first packet. | The client acquires handshake bytes before sending its first packet. | |||
| A QUIC server starts the process by providing TLS with the client's | A QUIC server starts the process by providing TLS with the client's | |||
| handshake bytes. | handshake bytes. | |||
| At any time, the TLS stack at an endpoint will have a current sending | At any time, the TLS stack at an endpoint will have a current sending | |||
| encryption level and receiving encryption level. Encryption levels | encryption level and receiving encryption level. Encryption levels | |||
| determine the packet type and keys that are used for protecting data. | determine the packet type and keys that are used for protecting data. | |||
| Each encryption level is associated with a different sequence of | Each encryption level is associated with a different sequence of | |||
| bytes, which is reliably transmitted to the peer in CRYPTO frames. | bytes, which is reliably transmitted to the peer in CRYPTO frames. | |||
| When TLS provides handshake bytes to be sent, they are appended to | When TLS provides handshake bytes to be sent, they are appended to | |||
| the current flow. Any packet that includes the CRYPTO frame is | the handshake bytes for the current encryption level. The encryption | |||
| protected using keys from the corresponding encryption level. Four | level then determines the type of packet that the resulting CRYPTO | |||
| encryption levels are used, producing keys for Initial, 0-RTT, | frame is carried in; see Table 1. | |||
| Four encryption levels are used, producing keys for Initial, 0-RTT, | ||||
| Handshake, and 1-RTT packets. CRYPTO frames are carried in just | Handshake, and 1-RTT packets. CRYPTO frames are carried in just | |||
| three of these levels, omitting the 0-RTT level. These four levels | three of these levels, omitting the 0-RTT level. These four levels | |||
| correspond to three packet number spaces: Initial and Handshake | correspond to three packet number spaces: Initial and Handshake | |||
| encrypted packets use their own separate spaces; 0-RTT and 1-RTT | encrypted packets use their own separate spaces; 0-RTT and 1-RTT | |||
| packets use the application data packet number space. | packets use the application data packet number space. | |||
| QUIC takes the unprotected content of TLS handshake records as the | QUIC takes the unprotected content of TLS handshake records as the | |||
| content of CRYPTO frames. TLS record protection is not used by QUIC. | content of CRYPTO frames. TLS record protection is not used by QUIC. | |||
| QUIC assembles CRYPTO frames into QUIC packets, which are protected | QUIC assembles CRYPTO frames into QUIC packets, which are protected | |||
| using QUIC packet protection. | using QUIC packet protection. | |||
| QUIC is only capable of conveying TLS handshake records in CRYPTO | QUIC is only capable of conveying TLS handshake records in CRYPTO | |||
| frames. TLS alerts are turned into QUIC CONNECTION_CLOSE error | frames. TLS alerts are turned into QUIC CONNECTION_CLOSE error | |||
| codes; see Section 4.10. TLS application data and other message | codes; see Section 4.10. TLS application data and other message | |||
| types cannot be carried by QUIC at any encryption level and is an | types cannot be carried by QUIC at any encryption level and is an | |||
| error if they are received from the TLS stack. | error if they are received from the TLS stack. | |||
| When an endpoint receives a QUIC packet containing a CRYPTO frame | When an endpoint receives a QUIC packet containing a CRYPTO frame | |||
| from the network, it proceeds as follows: | from the network, it proceeds as follows: | |||
| o If the packet was in the TLS receiving encryption level, sequence | o If the packet uses the current TLS receiving encryption level, | |||
| the data into the input flow as usual. As with STREAM frames, the | sequence the data into the input flow as usual. As with STREAM | |||
| offset is used to find the proper location in the data sequence. | frames, the offset is used to find the proper location in the data | |||
| If the result of this process is that new data is available, then | sequence. If the result of this process is that new data is | |||
| it is delivered to TLS in order. | available, then it is delivered to TLS in order. | |||
| o If the packet is from a previously installed encryption level, it | o If the packet is from a previously installed encryption level, it | |||
| MUST NOT contain data which extends past the end of previously | MUST NOT contain data which extends past the end of previously | |||
| received data in that flow. Implementations MUST treat any | received data in that flow. Implementations MUST treat any | |||
| violations of this requirement as a connection error of type | violations of this requirement as a connection error of type | |||
| PROTOCOL_VIOLATION. | PROTOCOL_VIOLATION. | |||
| o If the packet is from a new encryption level, it is saved for | o If the packet is from a new encryption level, it is saved for | |||
| later processing by TLS. Once TLS moves to receiving from this | later processing by TLS. Once TLS moves to receiving from this | |||
| encryption level, saved data can be provided. When providing data | encryption level, saved data can be provided to TLS. When | |||
| from any new encryption level to TLS, if there is data from a | providing data from any new encryption level to TLS, if there is | |||
| previous encryption level that TLS has not consumed, this MUST be | data from a previous encryption level that TLS has not consumed, | |||
| treated as a connection error of type PROTOCOL_VIOLATION. | this MUST be treated as a connection error of type | |||
| PROTOCOL_VIOLATION. | ||||
| Each time that TLS is provided with new data, new handshake bytes are | Each time that TLS is provided with new data, new handshake bytes are | |||
| requested from TLS. TLS might not provide any bytes if the handshake | requested from TLS. TLS might not provide any bytes if the handshake | |||
| messages it has received are incomplete or it has no data to send. | messages it has received are incomplete or it has no data to send. | |||
| The content of CRYPTO frames might either be processed incrementally | ||||
| by TLS or buffered until complete messages or flights are available. | ||||
| TLS is responsible for buffering handshake bytes that have arrived in | ||||
| order. QUIC is responsible for buffering handshake bytes that arrive | ||||
| out of order or for encryption levels that are not yet ready. QUIC | ||||
| does not provide any means of flow control for CRYPTO frames; see | ||||
| Section 7.5 of [QUIC-TRANSPORT]. | ||||
| Once the TLS handshake is complete, this is indicated to QUIC along | Once the TLS handshake is complete, this is indicated to QUIC along | |||
| with any final handshake bytes that TLS needs to send. TLS also | with any final handshake bytes that TLS needs to send. TLS also | |||
| provides QUIC with the transport parameters that the peer advertised | provides QUIC with the transport parameters that the peer advertised | |||
| during the handshake. | during the handshake. | |||
| Once the handshake is complete, TLS becomes passive. TLS can still | Once the handshake is complete, TLS becomes passive. TLS can still | |||
| receive data from its peer and respond in kind, but it will not need | receive data from its peer and respond in kind, but it will not need | |||
| to send more data unless specifically requested - either by an | to send more data unless specifically requested - either by an | |||
| application or QUIC. One reason to send data is that the server | application or QUIC. One reason to send data is that the server | |||
| might wish to provide additional or updated session tickets to a | might wish to provide additional or updated session tickets to a | |||
| skipping to change at page 14, line 14 ¶ | skipping to change at page 14, line 25 ¶ | |||
| QUIC also needs access to keys that might not ordinarily be available | QUIC also needs access to keys that might not ordinarily be available | |||
| to a TLS implementation. For instance, a client might need to | to a TLS implementation. For instance, a client might need to | |||
| acknowledge Handshake packets before it is ready to send CRYPTO | acknowledge Handshake packets before it is ready to send CRYPTO | |||
| frames at that encryption level. TLS therefore needs to provide keys | frames at that encryption level. TLS therefore needs to provide keys | |||
| to QUIC before it might produce them for its own use. | to QUIC before it might produce them for its own use. | |||
| 4.1.5. TLS Interface Summary | 4.1.5. TLS Interface Summary | |||
| Figure 5 summarizes the exchange between QUIC and TLS for both client | Figure 5 summarizes the exchange between QUIC and TLS for both client | |||
| and server. Each arrow is tagged with the encryption level used for | and server. Solid arrows indicate packets that carry handshake data; | |||
| that transmission. | dashed arrows show where application data can be sent. Each arrow is | |||
| tagged with the encryption level used for that transmission. | ||||
| Client Server | Client Server | |||
| ====== ====== | ||||
| Get Handshake | Get Handshake | |||
| Initial -------------> | Initial -------------> | |||
| Handshake Received | ||||
| Install tx 0-RTT Keys | Install tx 0-RTT Keys | |||
| 0-RTT ---------------> | 0-RTT - - - - - - - -> | |||
| Handshake Received | ||||
| Get Handshake | Get Handshake | |||
| <------------- Initial | <------------- Initial | |||
| Handshake Received | ||||
| Install Handshake keys | ||||
| Install rx 0-RTT keys | Install rx 0-RTT keys | |||
| Install Handshake keys | Install Handshake keys | |||
| Get Handshake | Get Handshake | |||
| <----------- Handshake | <----------- Handshake | |||
| Handshake Received | ||||
| Install tx 1-RTT keys | Install tx 1-RTT keys | |||
| <--------------- 1-RTT | <- - - - - - - - 1-RTT | |||
| Handshake Received (Initial) | ||||
| Install Handshake keys | ||||
| Handshake Received (Handshake) | ||||
| Get Handshake | Get Handshake | |||
| Handshake Complete | ||||
| Handshake -----------> | Handshake -----------> | |||
| Handshake Complete | ||||
| Install 1-RTT keys | ||||
| 1-RTT - - - - - - - -> | ||||
| Handshake Received | Handshake Received | |||
| Install rx 1-RTT keys | ||||
| Handshake Complete | Handshake Complete | |||
| Install 1-RTT keys | Install rx 1-RTT keys | |||
| 1-RTT ---------------> | ||||
| Get Handshake | ||||
| <--------------- 1-RTT | ||||
| Handshake Received | ||||
| Figure 5: Interaction Summary between QUIC and TLS | Figure 5: Interaction Summary between QUIC and TLS | |||
| Figure 5 shows the multiple packets that form a single "flight" of | Figure 5 shows the multiple packets that form a single "flight" of | |||
| messages being processed individually, to show what incoming messages | messages being processed individually, to show what incoming messages | |||
| trigger different actions. New handshake messages are requested | trigger different actions. New handshake messages are requested | |||
| after all incoming packets have been processed. This process might | after incoming packets have been processed. This process varies | |||
| vary depending on how QUIC implementations and the packets they | based on the structure of endpoint implementations and the order in | |||
| receive are structured. | which packets arrive; this is intended to illustrate the steps | |||
| involved in a single handshake exchange. | ||||
| 4.2. TLS Version | 4.2. TLS Version | |||
| This document describes how TLS 1.3 [TLS13] is used with QUIC. | This document describes how TLS 1.3 [TLS13] is used with QUIC. | |||
| In practice, the TLS handshake will negotiate a version of TLS to | In practice, the TLS handshake will negotiate a version of TLS to | |||
| use. This could result in a newer version of TLS than 1.3 being | use. This could result in a newer version of TLS than 1.3 being | |||
| negotiated if both endpoints support that version. This is | negotiated if both endpoints support that version. This is | |||
| acceptable provided that the features of TLS 1.3 that are used by | acceptable provided that the features of TLS 1.3 that are used by | |||
| QUIC are supported by the newer version. | QUIC are supported by the newer version. | |||
| A badly configured TLS implementation could negotiate TLS 1.2 or | Clients MUST NOT offer TLS versions older than 1.3. A badly | |||
| another older version of TLS. An endpoint MUST terminate the | configured TLS implementation could negotiate TLS 1.2 or another | |||
| connection if a version of TLS older than 1.3 is negotiated. | older version of TLS. An endpoint MUST terminate the connection if a | |||
| version of TLS older than 1.3 is negotiated. | ||||
| 4.3. ClientHello Size | 4.3. ClientHello Size | |||
| The first Initial packet from a client contains the start or all of | The first Initial packet from a client contains the start or all of | |||
| its first cryptographic handshake message, which for TLS is the | its first cryptographic handshake message, which for TLS is the | |||
| ClientHello. Servers might need to parse the entire ClientHello | ClientHello. Servers might need to parse the entire ClientHello | |||
| (e.g., to access extensions such as Server Name Identification (SNI) | (e.g., to access extensions such as Server Name Identification (SNI) | |||
| or Application Layer Protocol Negotiation (ALPN)) in order to decide | or Application Layer Protocol Negotiation (ALPN)) in order to decide | |||
| whether to accept the new incoming QUIC connection. If the | whether to accept the new incoming QUIC connection. If the | |||
| ClientHello spans multiple Initial packets, such servers would need | ClientHello spans multiple Initial packets, such servers would need | |||
| skipping to change at page 16, line 23 ¶ | skipping to change at page 17, line 16 ¶ | |||
| The requirements for authentication depend on the application | The requirements for authentication depend on the application | |||
| protocol that is in use. TLS provides server authentication and | protocol that is in use. TLS provides server authentication and | |||
| permits the server to request client authentication. | permits the server to request client authentication. | |||
| A client MUST authenticate the identity of the server. This | A client MUST authenticate the identity of the server. This | |||
| typically involves verification that the identity of the server is | typically involves verification that the identity of the server is | |||
| included in a certificate and that the certificate is issued by a | included in a certificate and that the certificate is issued by a | |||
| trusted entity (see for example [RFC2818]). | trusted entity (see for example [RFC2818]). | |||
| Note: Where servers provide certificates for authentication, the | ||||
| size of the certificate chain can consume a large number of bytes. | ||||
| Controlling the size of certificate chains is critical to | ||||
| performance in QUIC as servers are limited to sending 3 bytes for | ||||
| every byte received prior to validating the client address; see | ||||
| Section 8.1 of [QUIC-TRANSPORT]. The size of a certificate chain | ||||
| can be managed by limiting the number of names or extensions; | ||||
| using keys with small public key representations, like ECDSA; or | ||||
| by using certificate compression [COMPRESS]. | ||||
| A server MAY request that the client authenticate during the | A server MAY request that the client authenticate during the | |||
| handshake. A server MAY refuse a connection if the client is unable | handshake. A server MAY refuse a connection if the client is unable | |||
| to authenticate when requested. The requirements for client | to authenticate when requested. The requirements for client | |||
| authentication vary based on application protocol and deployment. | authentication vary based on application protocol and deployment. | |||
| A server MUST NOT use post-handshake client authentication (as | A server MUST NOT use post-handshake client authentication (as | |||
| defined in Section 4.6.2 of [TLS13]), because the multiplexing | defined in Section 4.6.2 of [TLS13]), because the multiplexing | |||
| offered by QUIC prevents clients from correlating the certificate | offered by QUIC prevents clients from correlating the certificate | |||
| request with the application-level event that triggered it (see | request with the application-level event that triggered it (see | |||
| [HTTP2-TLS13]). More specifically, servers MUST NOT send post- | [HTTP2-TLS13]). More specifically, servers MUST NOT send post- | |||
| skipping to change at page 23, line 39 ¶ | skipping to change at page 24, line 44 ¶ | |||
| Some AEAD functions have limits for how many packets can be encrypted | Some AEAD functions have limits for how many packets can be encrypted | |||
| under the same key and IV (see for example [AEBounds]). This might | under the same key and IV (see for example [AEBounds]). This might | |||
| be lower than the packet number limit. An endpoint MUST initiate a | be lower than the packet number limit. An endpoint MUST initiate a | |||
| key update (Section 6) prior to exceeding any limit set for the AEAD | key update (Section 6) prior to exceeding any limit set for the AEAD | |||
| that is in use. | that is in use. | |||
| 5.4. Header Protection | 5.4. Header Protection | |||
| Parts of QUIC packet headers, in particular the Packet Number field, | Parts of QUIC packet headers, in particular the Packet Number field, | |||
| are protected using a key that is derived separate to the packet | are protected using a key that is derived separately from the packet | |||
| protection key and IV. The key derived using the "quic hp" label is | protection key and IV. The key derived using the "quic hp" label is | |||
| used to provide confidentiality protection for those fields that are | used to provide confidentiality protection for those fields that are | |||
| not exposed to on-path elements. | not exposed to on-path elements. | |||
| This protection applies to the least-significant bits of the first | This protection applies to the least-significant bits of the first | |||
| byte, plus the Packet Number field. The four least-significant bits | byte, plus the Packet Number field. The four least-significant bits | |||
| of the first byte are protected for packets with long headers; the | of the first byte are protected for packets with long headers; the | |||
| five least significant bits of the first byte are protected for | five least significant bits of the first byte are protected for | |||
| packets with short headers. For both header forms, this covers the | packets with short headers. For both header forms, this covers the | |||
| reserved bits and the Packet Number Length field; the Key Phase bit | reserved bits and the Packet Number Length field; the Key Phase bit | |||
| skipping to change at page 43, line 45 ¶ | skipping to change at page 44, line 45 ¶ | |||
| "Transport Layer Security (TLS) Application-Layer Protocol | "Transport Layer Security (TLS) Application-Layer Protocol | |||
| Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | |||
| July 2014, <https://www.rfc-editor.org/info/rfc7301>. | July 2014, <https://www.rfc-editor.org/info/rfc7301>. | |||
| [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | |||
| <https://www.rfc-editor.org/info/rfc8439>. | <https://www.rfc-editor.org/info/rfc8439>. | |||
| [QUIC-RECOVERY] | [QUIC-RECOVERY] | |||
| Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | |||
| and Congestion Control", draft-ietf-quic-recovery-29 (work | and Congestion Control", draft-ietf-quic-recovery-latest | |||
| in progress). | (work in progress). | |||
| [QUIC-TRANSPORT] | [QUIC-TRANSPORT] | |||
| Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", draft-ietf-quic- | Multiplexed and Secure Transport", draft-ietf-quic- | |||
| transport-29 (work in progress). | transport-latest (work in progress). | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| skipping to change at page 44, line 39 ¶ | skipping to change at page 45, line 39 ¶ | |||
| [AEBounds] | [AEBounds] | |||
| Luykx, A. and K. Paterson, "Limits on Authenticated | Luykx, A. and K. Paterson, "Limits on Authenticated | |||
| Encryption Use in TLS", March 2016, | Encryption Use in TLS", March 2016, | |||
| <http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. | <http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. | |||
| [CCM-ANALYSIS] | [CCM-ANALYSIS] | |||
| Jonsson, J., "On the Security of CTR + CBC-MAC", Selected | Jonsson, J., "On the Security of CTR + CBC-MAC", Selected | |||
| Areas in Cryptography pp. 76-93, | Areas in Cryptography pp. 76-93, | |||
| DOI 10.1007/3-540-36492-7_7, 2003. | DOI 10.1007/3-540-36492-7_7, 2003. | |||
| [COMPRESS] | ||||
| Ghedini, A. and V. Vasiliev, "TLS Certificate | ||||
| Compression", draft-ietf-tls-certificate-compression-10 | ||||
| (work in progress), January 2020. | ||||
| [HTTP2-TLS13] | [HTTP2-TLS13] | |||
| Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | |||
| DOI 10.17487/RFC8740, February 2020, | DOI 10.17487/RFC8740, February 2020, | |||
| <https://www.rfc-editor.org/info/rfc8740>. | <https://www.rfc-editor.org/info/rfc8740>. | |||
| [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | |||
| Cryptography, Second Edition", ISBN 978-1466570269, | Cryptography, Second Edition", ISBN 978-1466570269, | |||
| November 2014. | November 2014. | |||
| [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | |||
| AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp. | AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp. | |||
| 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019. | 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019. | |||
| [QUIC-HTTP] | [QUIC-HTTP] | |||
| Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | |||
| (HTTP/3)", draft-ietf-quic-http-29 (work in progress). | (HTTP/3)", draft-ietf-quic-http-latest (work in progress). | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
| DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
| <https://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| [ROBUST] Fischlin, M., Guenther, F., and C. Janson, "Robust | [ROBUST] Fischlin, M., Guenther, F., and C. Janson, "Robust | |||
| Channels: Handling Unreliable Networks in the Record | Channels: Handling Unreliable Networks in the Record | |||
| Layers of QUIC and DTLS", February 2020, | Layers of QUIC and DTLS 1.3", May 2020, | |||
| <https://www.felixguenther.info/docs/ | <https://eprint.iacr.org/2020/718>. | |||
| QUIPS2020_RobustChannels.pdf>. | ||||
| 11.3. URIs | 11.3. URIs | |||
| [1] mailto:quic@ietf.org | [1] mailto:quic@ietf.org | |||
| Appendix A. Sample Packet Protection | Appendix A. Sample Packet Protection | |||
| This section shows examples of packet protection so that | This section shows examples of packet protection so that | |||
| implementations can be verified incrementally. Samples of Initial | implementations can be verified incrementally. Samples of Initial | |||
| packets from both client and server, plus a Retry packet are defined. | packets from both client and server, plus a Retry packet are defined. | |||
| skipping to change at page 47, line 5 ¶ | skipping to change at page 48, line 5 ¶ | |||
| hp = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16) | hp = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16) | |||
| = c0c499a65a60024a18a250974ea01dfa | = c0c499a65a60024a18a250974ea01dfa | |||
| A.2. Client Initial | A.2. Client Initial | |||
| The client sends an Initial packet. The unprotected payload of this | The client sends an Initial packet. The unprotected payload of this | |||
| packet contains the following CRYPTO frame, plus enough PADDING | packet contains the following CRYPTO frame, plus enough PADDING | |||
| frames to make a 1162 byte payload: | frames to make a 1162 byte payload: | |||
| 060040c4010000c003036660261ff947 cea49cce6cfad687f457cf1b14531ba1 | 060040f1010000ed0303ebf8fa56f129 39b9584a3896472ec40bb863cfd3e868 | |||
| 4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006 | 04fe3a47f06a2b69484c000004130113 02010000c000000010000e00000b6578 | |||
| 736572766572ff01000100000a001400 12001d00170018001901000101010201 | 616d706c652e636f6dff01000100000a 00080006001d00170018001000070005 | |||
| 03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f | 04616c706e0005000501000000000033 00260024001d00209370b2c9caa47fba | |||
| 2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403 | baf4559fedba753de171fa71f50f1ce1 5d43e994ec74d748002b000302030400 | |||
| 05030603020308040805080604010501 060102010402050206020202002d0002 | 0d0010000e0403050306030203080408 050806002d00020101001c00024001ff | |||
| 0101001c00024001 | a500320408ffffffffffffffff050480 00ffff07048000ffff08011001048000 | |||
| 75300901100f088394c8f03e51570806 048000ffff | ||||
| The unprotected header includes the connection ID and a 4 byte packet | The unprotected header includes the connection ID and a 4 byte packet | |||
| number encoding for a packet number of 2: | number encoding for a packet number of 2: | |||
| c3ff00001d088394c8f03e5157080000449e00000002 | c3ff00001d088394c8f03e5157080000449e00000002 | |||
| Protecting the payload produces output that is sampled for header | Protecting the payload produces output that is sampled for header | |||
| protection. Because the header uses a 4 byte packet number encoding, | protection. Because the header uses a 4 byte packet number encoding, | |||
| the first 16 bytes of the protected payload is sampled, then applied | the first 16 bytes of the protected payload is sampled, then applied | |||
| to the header: | to the header: | |||
| sample = fb66bc5f93032b7ddd89fe0ff15d9c4f | sample = fb66bc6a93032b50dd8973972d149421 | |||
| mask = AES-ECB(hp, sample)[0..4] | mask = AES-ECB(hp, sample)[0..4] | |||
| = d64a952459 | = 1e9cdb9909 | |||
| header[0] ^= mask[0] & 0x0f | header[0] ^= mask[0] & 0x0f | |||
| = c5 | = cd | |||
| header[18..21] ^= mask[1..4] | header[18..21] ^= mask[1..4] | |||
| = 4a95245b | = 9cdb990b | |||
| header = c5ff00001d088394c8f03e5157080000449e4a95245b | header = cdff00001d088394c8f03e5157080000449e9cdb990b | |||
| The resulting protected packet is: | The resulting protected packet is: | |||
| c5ff00001d088394c8f03e5157080000 449e4a95245bfb66bc5f93032b7ddd89 | cdff00001d088394c8f03e5157080000 449e9cdb990bfb66bc6a93032b50dd89 | |||
| fe0ff15d9c4f7050fccdb71c1cd80512 d4431643a53aafa1b0b518b44968b18b | 73972d149421874d3849e3708d71354e a33bcdc356f3ea6e2a1a1bd7c3d14003 | |||
| 8d3e7a4d04c30b3ed9410325b2abb2da fb1c12f8b70479eb8df98abcaf95dd8f | 8d3e784d04c30a2cdb40c32523aba2da fe1c1bf3d27a6be38fe38ae033fbb071 | |||
| 3d1c78660fbc719f88b23c8aef6771f3 d50e10fdfb4c9d92386d44481b6c52d5 | 3c1c73661bb6639795b42b97f77068ea d51f11fbf9489af2501d09481e6c64d4 | |||
| 9e5538d3d3942de9f13a7f8b702dc317 24180da9df22714d01003fc5e3d165c9 | b8551cd3cea70d830ce2aeeec789ef55 1a7fbe36b3f7e1549a9f8d8e153b3fac | |||
| 50e630b8540fbd81c9df0ee63f949970 26c4f2e1887a2def79050ac2d86ba318 | 3fb7b7812c9ed7c20b4be190ebd89956 26e7f0fc887925ec6f0606c5d36aa81b | |||
| e0b3adc4c5aa18bcf63c7cf8e85f5692 49813a2236a7e72269447cd1c755e451 | ebb7aacdc4a31bb5f23d55faef5c5190 5783384f375a43235b5c742c78ab1bae | |||
| f5e77470eb3de64c8849d29282069802 9cfa18e5d66176fe6e5ba4ed18026f90 | 0a188b75efbde6b3774ed61282f9670a 9dea19e1566103ce675ab4e21081fb58 | |||
| 900a5b4980e2f58e39151d5cd685b109 29636d4f02e7fad2a5a458249f5c0298 | 60340a1e88e4f10e39eae25cd685b109 29636d4f02e7fad2a5a458249f5c0298 | |||
| a6d53acbe41a7fc83fa7cc01973f7a74 d1237a51974e097636b6203997f921d0 | a6d53acbe41a7fc83fa7cc01973f7a74 d1237a51974e097636b6203997f921d0 | |||
| 7bc1940a6f2d0de9f5a11432946159ed 6cc21df65c4ddd1115f86427259a196c | 7bc1940a6f2d0de9f5a11432946159ed 6cc21df65c4ddd1115f86427259a196c | |||
| 7148b25b6478b0dc7766e1c4d1b1f515 9f90eabc61636226244642ee148b464c | 7148b25b6478b0dc7766e1c4d1b1f515 9f90eabc61636226244642ee148b464c | |||
| 9e619ee50a5e3ddc836227cad938987c 4ea3c1fa7c75bbf88d89e9ada642b2b8 | 9e619ee50a5e3ddc836227cad938987c 4ea3c1fa7c75bbf88d89e9ada642b2b8 | |||
| 8fe8107b7ea375b1b64889a4e9e5c38a 1c896ce275a5658d250e2d76e1ed3a34 | 8fe8107b7ea375b1b64889a4e9e5c38a 1c896ce275a5658d250e2d76e1ed3a34 | |||
| ce7e3a3f383d0c996d0bed106c2899ca 6fc263ef0455e74bb6ac1640ea7bfedc | ce7e3a3f383d0c996d0bed106c2899ca 6fc263ef0455e74bb6ac1640ea7bfedc | |||
| 59f03fee0e1725ea150ff4d69a7660c5 542119c71de270ae7c3ecfd1af2c4ce5 | 59f03fee0e1725ea150ff4d69a7660c5 542119c71de270ae7c3ecfd1af2c4ce5 | |||
| 51986949cc34a66b3e216bfe18b347e6 c05fd050f85912db303a8f054ec23e38 | 51986949cc34a66b3e216bfe18b347e6 c05fd050f85912db303a8f054ec23e38 | |||
| f44d1c725ab641ae929fecc8e3cefa56 19df4231f5b4c009fa0c0bbc60bc75f7 | f44d1c725ab641ae929fecc8e3cefa56 19df4231f5b4c009fa0c0bbc60bc75f7 | |||
| 6d06ef154fc8577077d9d6a1d2bd9bf0 81dc783ece60111bea7da9e5a9748069 | 6d06ef154fc8577077d9d6a1d2bd9bf0 81dc783ece60111bea7da9e5a9748069 | |||
| skipping to change at page 48, line 42 ¶ | skipping to change at page 49, line 42 ¶ | |||
| 1da2304d6a0fd5d07d08372202369661 59bef3cf904d722324dd852513df39ae | 1da2304d6a0fd5d07d08372202369661 59bef3cf904d722324dd852513df39ae | |||
| 030d8173908da6364786d3c1bfcb19ea 77a63b25f1e7fc661def480c5d00d444 | 030d8173908da6364786d3c1bfcb19ea 77a63b25f1e7fc661def480c5d00d444 | |||
| 56269ebd84efd8e3a8b2c257eec76060 682848cbf5194bc99e49ee75e4d0d254 | 56269ebd84efd8e3a8b2c257eec76060 682848cbf5194bc99e49ee75e4d0d254 | |||
| bad4bfd74970c30e44b65511d4ad0e6e c7398e08e01307eeeea14e46ccd87cf3 | bad4bfd74970c30e44b65511d4ad0e6e c7398e08e01307eeeea14e46ccd87cf3 | |||
| 6b285221254d8fc6a6765c524ded0085 dca5bd688ddf722e2c0faf9d0fb2ce7a | 6b285221254d8fc6a6765c524ded0085 dca5bd688ddf722e2c0faf9d0fb2ce7a | |||
| 0c3f2cee19ca0ffba461ca8dc5d2c817 8b0762cf67135558494d2a96f1a139f0 | 0c3f2cee19ca0ffba461ca8dc5d2c817 8b0762cf67135558494d2a96f1a139f0 | |||
| edb42d2af89a9c9122b07acbc29e5e72 2df8615c343702491098478a389c9872 | edb42d2af89a9c9122b07acbc29e5e72 2df8615c343702491098478a389c9872 | |||
| a10b0c9875125e257c7bfdf27eef4060 bd3d00f4c14fd3e3496c38d3c5d1a566 | a10b0c9875125e257c7bfdf27eef4060 bd3d00f4c14fd3e3496c38d3c5d1a566 | |||
| 8c39350effbc2d16ca17be4ce29f02ed 969504dda2a8c6b9ff919e693ee79e09 | 8c39350effbc2d16ca17be4ce29f02ed 969504dda2a8c6b9ff919e693ee79e09 | |||
| 089316e7d1d89ec099db3b2b268725d8 88536a4b8bf9aee8fb43e82a4d919d48 | 089316e7d1d89ec099db3b2b268725d8 88536a4b8bf9aee8fb43e82a4d919d48 | |||
| 43b1ca70a2d8d3f725ead1391377dcc0 | 1802771a449b30f3fa2289852607b660 | |||
| A.3. Server Initial | A.3. Server Initial | |||
| The server sends the following payload in response, including an ACK | The server sends the following payload in response, including an ACK | |||
| frame, a CRYPTO frame, and no PADDING frames: | frame, a CRYPTO frame, and no PADDING frames: | |||
| 0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988 | 02000000000600405a020000560303ee fce7f7b37ba1d1632e96677825ddf739 | |||
| cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d | 88cfc79825df566dc5430b9a045a1200 130100002e00330024001d00209d3c94 | |||
| 89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002 | 0d89690b84d08a60993c144eca684d10 81287c834d5311bcf32bb9da1a002b00 | |||
| 0304 | 020304 | |||
| The header from the server includes a new connection ID and a 2-byte | The header from the server includes a new connection ID and a 2-byte | |||
| packet number encoding for a packet number of 1: | packet number encoding for a packet number of 1: | |||
| c1ff00001d0008f067a5502a4262b50040740001 | c1ff00001d0008f067a5502a4262b50040740001 | |||
| As a result, after protection, the header protection sample is taken | As a result, after protection, the header protection sample is taken | |||
| starting from the third protected octet: | starting from the third protected octet: | |||
| sample = 823a5d3a1207c86ee49132824f046524 | sample = 823a5d3a1207c86ee49132824f046524 | |||
| mask = abaaf34fdc | mask = abaaf34fdc | |||
| header = caff00001d0008f067a5502a4262b5004074aaf2 | header = caff00001d0008f067a5502a4262b5004074aaf2 | |||
| The final protected packet is then: | The final protected packet is then: | |||
| caff00001d0008f067a5502a4262b500 4074aaf2f007823a5d3a1207c86ee491 | c7ff00001d0008f067a5502a4262b500 4075fb12ff07823a5d24534d906ce4c7 | |||
| 32824f0465243d082d868b107a38092b c80528664cbf9456ebf27673fb5fa506 | 6782a2167e3479c0f7f6395dc2c91676 302fe6d70bb7cbeb117b4ddb7d173498 | |||
| 1ab573c9f001b81da028a00d52ab00b1 5bebaa70640e106cf2acd043e9c6b441 | 44fd61dae200b8338e1b932976b61d91 e64a02e9e0ee72e3a6f63aba4ceeeec5 | |||
| 1c0a79637134d8993701fe779e58c2fe 753d14b0564021565ea92e57bc6faf56 | be2f24f2d86027572943533846caa13e 6f163fb257473dcca25396e88724f1e5 | |||
| dfc7a40870e6 | d964dedee9b633 | |||
| A.4. Retry | A.4. Retry | |||
| This shows a Retry packet that might be sent in response to the | This shows a Retry packet that might be sent in response to the | |||
| Initial packet in Appendix A.2. The integrity check includes the | Initial packet in Appendix A.2. The integrity check includes the | |||
| client-chosen connection ID value of 0x8394c8f03e515708, but that | client-chosen connection ID value of 0x8394c8f03e515708, but that | |||
| value is not included in the final Retry packet: | value is not included in the final Retry packet: | |||
| ffff00001d0008f067a5502a4262b574 6f6b656ed16926d81f6f9ca2953a8aa4 | ffff00001d0008f067a5502a4262b574 6f6b656ed16926d81f6f9ca2953a8aa4 | |||
| 575e1e49 | 575e1e49 | |||
| skipping to change at page 53, line 11 ¶ | skipping to change at page 54, line 11 ¶ | |||
| publication of a final version of this document. | publication of a final version of this document. | |||
| Issue and pull request numbers are listed with a leading octothorp. | Issue and pull request numbers are listed with a leading octothorp. | |||
| C.1. Since draft-ietf-quic-tls-28 | C.1. Since draft-ietf-quic-tls-28 | |||
| o Defined limits on the number of packets that can be protected with | o Defined limits on the number of packets that can be protected with | |||
| a single key and limits on the number of packets that can fail | a single key and limits on the number of packets that can fail | |||
| authentication (#3619, #3620) | authentication (#3619, #3620) | |||
| o Update Initial salt, Retry keys, and samples (#3711) | ||||
| C.2. Since draft-ietf-quic-tls-27 | C.2. Since draft-ietf-quic-tls-27 | |||
| o Allowed CONNECTION_CLOSE in any packet number space, with | o Allowed CONNECTION_CLOSE in any packet number space, with | |||
| restrictions on use of the application-specific variant (#3430, | restrictions on use of the application-specific variant (#3430, | |||
| #3435, #3440) | #3435, #3440) | |||
| o Prohibit the use of the compatibility mode from TLS 1.3 (#3594, | o Prohibit the use of the compatibility mode from TLS 1.3 (#3594, | |||
| #3595) | #3595) | |||
| C.3. Since draft-ietf-quic-tls-26 | C.3. Since draft-ietf-quic-tls-26 | |||
| End of changes. 40 change blocks. | ||||
| 166 lines changed or deleted | 199 lines changed or added | |||
This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||