| draft-ietf-quic-tls-22.txt | draft-ietf-quic-tls-latest.txt | |||
|---|---|---|---|---|
| QUIC Working Group M. Thomson, Ed. | QUIC Working Group M. Thomson, Ed. | |||
| Internet-Draft Mozilla | Internet-Draft Mozilla | |||
| Intended status: Standards Track S. Turner, Ed. | Intended status: Standards Track S. Turner, Ed. | |||
| Expires: January 10, 2020 sn3rd | Expires: February 25, 2020 sn3rd | |||
| July 9, 2019 | August 24, 2019 | |||
| Using TLS to Secure QUIC | Using TLS to Secure QUIC | |||
| draft-ietf-quic-tls-22 | draft-ietf-quic-tls-latest | |||
| Abstract | Abstract | |||
| This document describes how Transport Layer Security (TLS) is used to | This document describes how Transport Layer Security (TLS) is used to | |||
| secure QUIC. | secure QUIC. | |||
| Note to Readers | Note to Readers | |||
| Discussion of this draft takes place on the QUIC working group | Discussion of this draft takes place on the QUIC working group | |||
| mailing list (quic@ietf.org), which is archived at | mailing list (quic@ietf.org), which is archived at | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 10, 2020. | This Internet-Draft will expire on February 25, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 32 ¶ | skipping to change at page 2, line 32 ¶ | |||
| 4.1. Interface to TLS . . . . . . . . . . . . . . . . . . . . 9 | 4.1. Interface to TLS . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1.1. Handshake Complete . . . . . . . . . . . . . . . . . 10 | 4.1.1. Handshake Complete . . . . . . . . . . . . . . . . . 10 | |||
| 4.1.2. Handshake Confirmed . . . . . . . . . . . . . . . . . 10 | 4.1.2. Handshake Confirmed . . . . . . . . . . . . . . . . . 10 | |||
| 4.1.3. Sending and Receiving Handshake Messages . . . . . . 10 | 4.1.3. Sending and Receiving Handshake Messages . . . . . . 10 | |||
| 4.1.4. Encryption Level Changes . . . . . . . . . . . . . . 12 | 4.1.4. Encryption Level Changes . . . . . . . . . . . . . . 12 | |||
| 4.1.5. TLS Interface Summary . . . . . . . . . . . . . . . . 13 | 4.1.5. TLS Interface Summary . . . . . . . . . . . . . . . . 13 | |||
| 4.2. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 13 | 4.2. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.3. ClientHello Size . . . . . . . . . . . . . . . . . . . . 14 | 4.3. ClientHello Size . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.4. Peer Authentication . . . . . . . . . . . . . . . . . . . 14 | 4.4. Peer Authentication . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.5. Enabling 0-RTT . . . . . . . . . . . . . . . . . . . . . 15 | 4.5. Enabling 0-RTT . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.6. Rejecting 0-RTT . . . . . . . . . . . . . . . . . . . . . 15 | 4.6. Accepting and Rejecting 0-RTT . . . . . . . . . . . . . . 15 | |||
| 4.7. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 15 | 4.7. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.8. TLS Errors . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.8. TLS Errors . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.9. Discarding Unused Keys . . . . . . . . . . . . . . . . . 16 | 4.9. Discarding Unused Keys . . . . . . . . . . . . . . . . . 16 | |||
| 4.9.1. Discarding Initial Keys . . . . . . . . . . . . . . . 17 | 4.9.1. Discarding Initial Keys . . . . . . . . . . . . . . . 17 | |||
| 4.9.2. Discarding Handshake Keys . . . . . . . . . . . . . . 17 | 4.9.2. Discarding Handshake Keys . . . . . . . . . . . . . . 17 | |||
| 4.9.3. Discarding 0-RTT Keys . . . . . . . . . . . . . . . . 17 | 4.9.3. Discarding 0-RTT Keys . . . . . . . . . . . . . . . . 18 | |||
| 5. Packet Protection . . . . . . . . . . . . . . . . . . . . . . 18 | 5. Packet Protection . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.1. Packet Protection Keys . . . . . . . . . . . . . . . . . 18 | 5.1. Packet Protection Keys . . . . . . . . . . . . . . . . . 18 | |||
| 5.2. Initial Secrets . . . . . . . . . . . . . . . . . . . . . 18 | 5.2. Initial Secrets . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.3. AEAD Usage . . . . . . . . . . . . . . . . . . . . . . . 19 | 5.3. AEAD Usage . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 5.4. Header Protection . . . . . . . . . . . . . . . . . . . . 21 | 5.4. Header Protection . . . . . . . . . . . . . . . . . . . . 21 | |||
| 5.4.1. Header Protection Application . . . . . . . . . . . . 21 | 5.4.1. Header Protection Application . . . . . . . . . . . . 21 | |||
| 5.4.2. Header Protection Sample . . . . . . . . . . . . . . 23 | 5.4.2. Header Protection Sample . . . . . . . . . . . . . . 23 | |||
| 5.4.3. AES-Based Header Protection . . . . . . . . . . . . . 24 | 5.4.3. AES-Based Header Protection . . . . . . . . . . . . . 24 | |||
| 5.4.4. ChaCha20-Based Header Protection . . . . . . . . . . 24 | 5.4.4. ChaCha20-Based Header Protection . . . . . . . . . . 24 | |||
| 5.5. Receiving Protected Packets . . . . . . . . . . . . . . . 24 | 5.5. Receiving Protected Packets . . . . . . . . . . . . . . . 24 | |||
| 5.6. Use of 0-RTT Keys . . . . . . . . . . . . . . . . . . . . 25 | 5.6. Use of 0-RTT Keys . . . . . . . . . . . . . . . . . . . . 25 | |||
| 5.7. Receiving Out-of-Order Protected Frames . . . . . . . . . 25 | 5.7. Receiving Out-of-Order Protected Frames . . . . . . . . . 25 | |||
| 6. Key Update . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 6. Key Update . . . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 7. Security of Initial Messages . . . . . . . . . . . . . . . . 28 | 7. Security of Initial Messages . . . . . . . . . . . . . . . . 28 | |||
| 8. QUIC-Specific Additions to the TLS Handshake . . . . . . . . 29 | 8. QUIC-Specific Additions to the TLS Handshake . . . . . . . . 29 | |||
| 8.1. Protocol Negotiation . . . . . . . . . . . . . . . . . . 29 | 8.1. Protocol Negotiation . . . . . . . . . . . . . . . . . . 29 | |||
| 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 29 | 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 29 | |||
| 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 30 | 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 30 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | |||
| 9.1. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 31 | 9.1. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 31 | |||
| 9.2. Packet Reflection Attack Mitigation . . . . . . . . . . . 32 | 9.2. Packet Reflection Attack Mitigation . . . . . . . . . . . 32 | |||
| 9.3. Peer Denial of Service . . . . . . . . . . . . . . . . . 32 | 9.3. Header Protection Analysis . . . . . . . . . . . . . . . 32 | |||
| 9.4. Header Protection Analysis . . . . . . . . . . . . . . . 32 | 9.4. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 9.5. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 33 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 | ||||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 34 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 34 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 35 | 11.2. Informative References . . . . . . . . . . . . . . . . . 35 | |||
| 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | |||
| Appendix A. Sample Initial Packet Protection . . . . . . . . . . 36 | Appendix A. Sample Initial Packet Protection . . . . . . . . . . 35 | |||
| A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 37 | A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 37 | |||
| A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 39 | A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 38 | |||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 40 | Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 39 | |||
| B.1. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 40 | B.1. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 39 | |||
| B.2. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 40 | B.2. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 39 | |||
| B.3. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 40 | B.3. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 39 | |||
| B.4. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 41 | B.4. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 40 | |||
| B.5. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 41 | B.5. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 40 | |||
| B.6. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 41 | B.6. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 40 | |||
| B.7. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 41 | B.7. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 40 | |||
| B.8. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 42 | B.8. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 40 | |||
| B.9. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 42 | B.9. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 41 | |||
| B.10. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 42 | B.10. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 41 | |||
| B.11. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 42 | B.11. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 41 | |||
| B.12. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 42 | B.12. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 41 | |||
| B.13. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 42 | B.13. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 41 | |||
| B.14. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 42 | B.14. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 41 | |||
| B.15. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 42 | B.15. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 41 | |||
| B.16. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 42 | B.16. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 42 | |||
| B.17. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 43 | B.17. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 42 | |||
| B.18. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 43 | B.18. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 42 | |||
| B.19. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 43 | B.19. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 42 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 44 | B.20. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 43 | |||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 44 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 43 | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes how QUIC [QUIC-TRANSPORT] is secured using | This document describes how QUIC [QUIC-TRANSPORT] is secured using | |||
| TLS [TLS13]. | TLS [TLS13]. | |||
| TLS 1.3 provides critical latency improvements for connection | TLS 1.3 provides critical latency improvements for connection | |||
| establishment over previous versions. Absent packet loss, most new | establishment over previous versions. Absent packet loss, most new | |||
| connections can be established and secured within a single round | connections can be established and secured within a single round | |||
| trip; on subsequent connections between the same client and server, | trip; on subsequent connections between the same client and server, | |||
| skipping to change at page 8, line 25 ¶ | skipping to change at page 8, line 25 ¶ | |||
| +------------+ | +------------+ | |||
| | QUIC | | | QUIC | | |||
| | Packet | | | Packet | | |||
| | Protection | | | Protection | | |||
| +------------+ | +------------+ | |||
| Figure 2: QUIC and TLS Interactions | Figure 2: QUIC and TLS Interactions | |||
| Unlike TLS over TCP, QUIC applications which want to send data do not | Unlike TLS over TCP, QUIC applications which want to send data do not | |||
| send it through TLS "application_data" records. Rather, they send it | send it through TLS "application_data" records. Rather, they send it | |||
| as QUIC STREAM frames which are then carried in QUIC packets. | as QUIC STREAM frames or other frame types which are then carried in | |||
| QUIC packets. | ||||
| 4. Carrying TLS Messages | 4. Carrying TLS Messages | |||
| QUIC carries TLS handshake data in CRYPTO frames, each of which | QUIC carries TLS handshake data in CRYPTO frames, each of which | |||
| consists of a contiguous block of handshake data identified by an | consists of a contiguous block of handshake data identified by an | |||
| offset and length. Those frames are packaged into QUIC packets and | offset and length. Those frames are packaged into QUIC packets and | |||
| encrypted under the current TLS encryption level. As with TLS over | encrypted under the current TLS encryption level. As with TLS over | |||
| TCP, once TLS handshake data has been delivered to QUIC, it is QUIC's | TCP, once TLS handshake data has been delivered to QUIC, it is QUIC's | |||
| responsibility to deliver it reliably. Each chunk of data that is | responsibility to deliver it reliably. Each chunk of data that is | |||
| produced by TLS is associated with the set of keys that TLS is | produced by TLS is associated with the set of keys that TLS is | |||
| skipping to change at page 15, line 29 ¶ | skipping to change at page 15, line 29 ¶ | |||
| In order to be usable for 0-RTT, TLS MUST provide a NewSessionTicket | In order to be usable for 0-RTT, TLS MUST provide a NewSessionTicket | |||
| message that contains the "early_data" extension with a | message that contains the "early_data" extension with a | |||
| max_early_data_size of 0xffffffff; the amount of data which the | max_early_data_size of 0xffffffff; the amount of data which the | |||
| client can send in 0-RTT is controlled by the "initial_max_data" | client can send in 0-RTT is controlled by the "initial_max_data" | |||
| transport parameter supplied by the server. A client MUST treat | transport parameter supplied by the server. A client MUST treat | |||
| receipt of a NewSessionTicket that contains an "early_data" extension | receipt of a NewSessionTicket that contains an "early_data" extension | |||
| with any other value as a connection error of type | with any other value as a connection error of type | |||
| PROTOCOL_VIOLATION. | PROTOCOL_VIOLATION. | |||
| 4.6. Rejecting 0-RTT | A client that wishes to send 0-RTT packets uses the "early_data" | |||
| extension in the ClientHello message of a subsequent handshake (see | ||||
| Section 4.2.10 of [TLS13]). It then sends the application data in | ||||
| 0-RTT packets. | ||||
| A server rejects 0-RTT by rejecting 0-RTT at the TLS layer. This | Early data within the TLS connection MUST NOT be used. As it is for | |||
| also prevents QUIC from sending 0-RTT data. A server will always | other TLS application data, a server MUST treat receiving early data | |||
| reject 0-RTT if it sends a TLS HelloRetryRequest. | on the TLS connection as a connection error of type | |||
| PROTOCOL_VIOLATION. | ||||
| 4.6. Accepting and Rejecting 0-RTT | ||||
| A server accepts 0-RTT by sending an early_data extension in the | ||||
| EncryptedExtensions (see Section 4.2.10 of [TLS13]). The server then | ||||
| processes and acknowledges the 0-RTT packets that it receives. | ||||
| A server rejects 0-RTT by sending the EncryptedExtensions without an | ||||
| early_data extension. A server will always reject 0-RTT if it sends | ||||
| a TLS HelloRetryRequest. When rejecting 0-RTT, a server MUST NOT | ||||
| process any 0-RTT packets, even if it could. When 0-RTT was | ||||
| rejected, a client SHOULD treat receipt of an acknowledgement for a | ||||
| 0-RTT packet as a connection error of type PROTOCOL_VIOLATION, if it | ||||
| is able to detect the condition. | ||||
| When 0-RTT is rejected, all connection characteristics that the | When 0-RTT is rejected, all connection characteristics that the | |||
| client assumed might be incorrect. This includes the choice of | client assumed might be incorrect. This includes the choice of | |||
| application protocol, transport parameters, and any application | application protocol, transport parameters, and any application | |||
| configuration. The client therefore MUST reset the state of all | configuration. The client therefore MUST reset the state of all | |||
| streams, including application state bound to those streams. | streams, including application state bound to those streams. | |||
| A client MAY attempt to send 0-RTT again if it receives a Retry or | A client MAY attempt to send 0-RTT again if it receives a Retry or | |||
| Version Negotiation packet. These packets do not signify rejection | Version Negotiation packet. These packets do not signify rejection | |||
| of 0-RTT. | of 0-RTT. | |||
| skipping to change at page 18, line 34 ¶ | skipping to change at page 18, line 52 ¶ | |||
| The keys used for packet protection are computed from the TLS secrets | The keys used for packet protection are computed from the TLS secrets | |||
| using the KDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label | using the KDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label | |||
| function described in Section 7.1 of [TLS13] is used, using the hash | function described in Section 7.1 of [TLS13] is used, using the hash | |||
| function from the negotiated cipher suite. Other versions of TLS | function from the negotiated cipher suite. Other versions of TLS | |||
| MUST provide a similar function in order to be used with QUIC. | MUST provide a similar function in order to be used with QUIC. | |||
| The current encryption level secret and the label "quic key" are | The current encryption level secret and the label "quic key" are | |||
| input to the KDF to produce the AEAD key; the label "quic iv" is used | input to the KDF to produce the AEAD key; the label "quic iv" is used | |||
| to derive the IV; see Section 5.3. The header protection key uses | to derive the IV; see Section 5.3. The header protection key uses | |||
| the "quic hp" label; see Section 5.4. Using these labels provides | the "quic hp" label; see Section 5.4. Using these labels provides | |||
| key separation between QUIC and TLS; see Section 9.5. | key separation between QUIC and TLS; see Section 9.4. | |||
| The KDF used for initial secrets is always the HKDF-Expand-Label | The KDF used for initial secrets is always the HKDF-Expand-Label | |||
| function from TLS 1.3 (see Section 5.2). | function from TLS 1.3 (see Section 5.2). | |||
| 5.2. Initial Secrets | 5.2. Initial Secrets | |||
| Initial packets are protected with a secret derived from the | Initial packets are protected with a secret derived from the | |||
| Destination Connection ID field from the client's first Initial | Destination Connection ID field from the client's first Initial | |||
| packet of the connection. Specifically: | packet of the connection. Specifically: | |||
| initial_salt = 0x7fbcdb0e7c66bbe9193a96cd21519ebd7a02644a | initial_salt = 0xc3eef712c72ebb5a11a7d2432bb46365bef9f502 | |||
| initial_secret = HKDF-Extract(initial_salt, | initial_secret = HKDF-Extract(initial_salt, | |||
| client_dst_connection_id) | client_dst_connection_id) | |||
| client_initial_secret = HKDF-Expand-Label(initial_secret, | client_initial_secret = HKDF-Expand-Label(initial_secret, | |||
| "client in", "", | "client in", "", | |||
| Hash.length) | Hash.length) | |||
| server_initial_secret = HKDF-Expand-Label(initial_secret, | server_initial_secret = HKDF-Expand-Label(initial_secret, | |||
| "server in", "", | "server in", "", | |||
| Hash.length) | Hash.length) | |||
| skipping to change at page 24, line 5 ¶ | skipping to change at page 24, line 5 ¶ | |||
| sample = packet[sample_offset..sample_offset+sample_length] | sample = packet[sample_offset..sample_offset+sample_length] | |||
| For example, for a packet with a short header, an 8 byte connection | For example, for a packet with a short header, an 8 byte connection | |||
| ID, and protected with AEAD_AES_128_GCM, the sample takes bytes 13 to | ID, and protected with AEAD_AES_128_GCM, the sample takes bytes 13 to | |||
| 28 inclusive (using zero-based indexing). | 28 inclusive (using zero-based indexing). | |||
| A packet with a long header is sampled in the same way, noting that | A packet with a long header is sampled in the same way, noting that | |||
| multiple QUIC packets might be included in the same UDP datagram and | multiple QUIC packets might be included in the same UDP datagram and | |||
| that each one is handled separately. | that each one is handled separately. | |||
| sample_offset = 6 + len(destination_connection_id) + | sample_offset = 7 + len(destination_connection_id) + | |||
| len(source_connection_id) + | len(source_connection_id) + | |||
| len(payload_length) + 4 | len(payload_length) + 4 | |||
| if packet_type == Initial: | if packet_type == Initial: | |||
| sample_offset += len(token_length) + | sample_offset += len(token_length) + | |||
| len(token) | len(token) | |||
| sample = packet[sample_offset..sample_offset+sample_length] | sample = packet[sample_offset..sample_offset+sample_length] | |||
| 5.4.3. AES-Based Header Protection | 5.4.3. AES-Based Header Protection | |||
| skipping to change at page 29, line 15 ¶ | skipping to change at page 29, line 15 ¶ | |||
| Initial packets that is not otherwise authenticated. | Initial packets that is not otherwise authenticated. | |||
| It is also possible for the attacker to tamper with data that is | It is also possible for the attacker to tamper with data that is | |||
| carried in Handshake packets, but because that tampering requires | carried in Handshake packets, but because that tampering requires | |||
| modifying TLS handshake messages, that tampering will cause the TLS | modifying TLS handshake messages, that tampering will cause the TLS | |||
| handshake to fail. | handshake to fail. | |||
| 8. QUIC-Specific Additions to the TLS Handshake | 8. QUIC-Specific Additions to the TLS Handshake | |||
| QUIC uses the TLS handshake for more than just negotiation of | QUIC uses the TLS handshake for more than just negotiation of | |||
| cryptographic parameters. The TLS handshake validates protocol | cryptographic parameters. The TLS handshake provides preliminary | |||
| version selection, provides preliminary values for QUIC transport | values for QUIC transport parameters and allows a server to perform | |||
| parameters, and allows a server to perform return routeability checks | return routability checks on clients. | |||
| on clients. | ||||
| 8.1. Protocol Negotiation | 8.1. Protocol Negotiation | |||
| QUIC requires that the cryptographic handshake provide authenticated | QUIC requires that the cryptographic handshake provide authenticated | |||
| protocol negotiation. TLS uses Application Layer Protocol | protocol negotiation. TLS uses Application Layer Protocol | |||
| Negotiation (ALPN) [RFC7301] to select an application protocol. | Negotiation (ALPN) [RFC7301] to select an application protocol. | |||
| Unless another mechanism is used for agreeing on an application | Unless another mechanism is used for agreeing on an application | |||
| protocol, endpoints MUST use ALPN for this purpose. When using ALPN, | protocol, endpoints MUST use ALPN for this purpose. When using ALPN, | |||
| endpoints MUST immediately close a connection (see Section 10.3 in | endpoints MUST immediately close a connection (see Section 10.3 in | |||
| [QUIC-TRANSPORT]) if an application protocol is not negotiated with a | [QUIC-TRANSPORT]) if an application protocol is not negotiated with a | |||
| skipping to change at page 32, line 20 ¶ | skipping to change at page 32, line 20 ¶ | |||
| QUIC includes three defenses against this attack. First, the packet | QUIC includes three defenses against this attack. First, the packet | |||
| containing a ClientHello MUST be padded to a minimum size. Second, | containing a ClientHello MUST be padded to a minimum size. Second, | |||
| if responding to an unverified source address, the server is | if responding to an unverified source address, the server is | |||
| forbidden to send more than three UDP datagrams in its first flight | forbidden to send more than three UDP datagrams in its first flight | |||
| (see Section 8.1 of [QUIC-TRANSPORT]). Finally, because | (see Section 8.1 of [QUIC-TRANSPORT]). Finally, because | |||
| acknowledgements of Handshake packets are authenticated, a blind | acknowledgements of Handshake packets are authenticated, a blind | |||
| attacker cannot forge them. Put together, these defenses limit the | attacker cannot forge them. Put together, these defenses limit the | |||
| level of amplification. | level of amplification. | |||
| 9.3. Peer Denial of Service | 9.3. Header Protection Analysis | |||
| QUIC, TLS, and HTTP/2 all contain messages that have legitimate uses | ||||
| in some contexts, but that can be abused to cause a peer to expend | ||||
| processing resources without having any observable impact on the | ||||
| state of the connection. If processing is disproportionately large | ||||
| in comparison to the observable effects on bandwidth or state, then | ||||
| this could allow a malicious peer to exhaust processing capacity | ||||
| without consequence. | ||||
| While there are legitimate uses for some redundant packets, | ||||
| implementations SHOULD track redundant packets and treat excessive | ||||
| volumes of any non-productive packets as indicative of an attack. | ||||
| 9.4. Header Protection Analysis | ||||
| Header protection relies on the packet protection AEAD being a | Header protection relies on the packet protection AEAD being a | |||
| pseudorandom function (PRF), which is not a property that AEAD | pseudorandom function (PRF), which is not a property that AEAD | |||
| algorithms guarantee. Therefore, no strong assurances about the | algorithms guarantee. Therefore, no strong assurances about the | |||
| general security of this mechanism can be shown in the general case. | general security of this mechanism can be shown in the general case. | |||
| The AEAD algorithms described in this document are assumed to be | The AEAD algorithms described in this document are assumed to be | |||
| PRFs. | PRFs. | |||
| The header protection algorithms defined in this document take the | The header protection algorithms defined in this document take the | |||
| form: | form: | |||
| skipping to change at page 33, line 34 ¶ | skipping to change at page 33, line 20 ¶ | |||
| reveal through timing side-channels that the packet number matches a | reveal through timing side-channels that the packet number matches a | |||
| received packet. For authentication to be free from side-channels, | received packet. For authentication to be free from side-channels, | |||
| the entire process of header protection removal, packet number | the entire process of header protection removal, packet number | |||
| recovery, and packet protection removal MUST be applied together | recovery, and packet protection removal MUST be applied together | |||
| without timing and other side-channels. | without timing and other side-channels. | |||
| For the sending of packets, construction and protection of packet | For the sending of packets, construction and protection of packet | |||
| payloads and packet numbers MUST be free from side-channels that | payloads and packet numbers MUST be free from side-channels that | |||
| would reveal the packet number or its encoded size. | would reveal the packet number or its encoded size. | |||
| 9.5. Key Diversity | 9.4. Key Diversity | |||
| In using TLS, the central key schedule of TLS is used. As a result | In using TLS, the central key schedule of TLS is used. As a result | |||
| of the TLS handshake messages being integrated into the calculation | of the TLS handshake messages being integrated into the calculation | |||
| of secrets, the inclusion of the QUIC transport parameters extension | of secrets, the inclusion of the QUIC transport parameters extension | |||
| ensures that handshake and 1-RTT keys are not the same as those that | ensures that handshake and 1-RTT keys are not the same as those that | |||
| might be produced by a server running TLS over TCP. To avoid the | might be produced by a server running TLS over TCP. To avoid the | |||
| possibility of cross-protocol key synchronization, additional | possibility of cross-protocol key synchronization, additional | |||
| measures are provided to improve key separation. | measures are provided to improve key separation. | |||
| The QUIC packet protection keys and IVs are derived using a different | The QUIC packet protection keys and IVs are derived using a different | |||
| skipping to change at page 34, line 37 ¶ | skipping to change at page 34, line 23 ¶ | |||
| [AES] "Advanced encryption standard (AES)", National Institute | [AES] "Advanced encryption standard (AES)", National Institute | |||
| of Standards and Technology report, | of Standards and Technology report, | |||
| DOI 10.6028/nist.fips.197, November 2001. | DOI 10.6028/nist.fips.197, November 2001. | |||
| [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | |||
| <https://www.rfc-editor.org/info/rfc8439>. | <https://www.rfc-editor.org/info/rfc8439>. | |||
| [QUIC-RECOVERY] | [QUIC-RECOVERY] | |||
| Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | |||
| and Congestion Control", draft-ietf-quic-recovery-22 (work | and Congestion Control", draft-ietf-quic-recovery-latest | |||
| in progress). | (work in progress). | |||
| [QUIC-TRANSPORT] | [QUIC-TRANSPORT] | |||
| Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", draft-ietf-quic- | Multiplexed and Secure Transport", draft-ietf-quic- | |||
| transport-22 (work in progress). | transport-latest (work in progress). | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, | [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, | |||
| "Transport Layer Security (TLS) Application-Layer Protocol | "Transport Layer Security (TLS) Application-Layer Protocol | |||
| Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | |||
| July 2014, <https://www.rfc-editor.org/info/rfc7301>. | July 2014, <https://www.rfc-editor.org/info/rfc7301>. | |||
| skipping to change at page 35, line 40 ¶ | skipping to change at page 35, line 22 ¶ | |||
| Luykx, A. and K. Paterson, "Limits on Authenticated | Luykx, A. and K. Paterson, "Limits on Authenticated | |||
| Encryption Use in TLS", March 2016, | Encryption Use in TLS", March 2016, | |||
| <http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. | <http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. | |||
| [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | |||
| Cryptography, Second Edition", ISBN 978-1466570269, | Cryptography, Second Edition", ISBN 978-1466570269, | |||
| November 2014. | November 2014. | |||
| [QUIC-HTTP] | [QUIC-HTTP] | |||
| Bishop, M., Ed., "Hypertext Transfer Protocol (HTTP) over | Bishop, M., Ed., "Hypertext Transfer Protocol (HTTP) over | |||
| QUIC", draft-ietf-quic-http-22 (work in progress). | QUIC", draft-ietf-quic-http-latest (work in progress). | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
| DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
| <https://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| skipping to change at page 36, line 38 ¶ | skipping to change at page 36, line 22 ¶ | |||
| quic key: 00100e746c7331332071756963206b657900 | quic key: 00100e746c7331332071756963206b657900 | |||
| quic iv: 000c0d746c733133207175696320697600 | quic iv: 000c0d746c733133207175696320697600 | |||
| quic hp: 00100d746c733133207175696320687000 | quic hp: 00100d746c733133207175696320687000 | |||
| The initial secret is common: | The initial secret is common: | |||
| initial_secret = HKDF-Extract(initial_salt, cid) | initial_secret = HKDF-Extract(initial_salt, cid) | |||
| = 4496d3903d3f97cc5e45ac5790ddc686 | = 524e374c6da8cf8b496f4bcb69678350 | |||
| 683c7c0067012bb09d900cc21832d596 | 7aafee6198b202b4bc823ebf7514a423 | |||
| The secrets for protecting client packets are: | The secrets for protecting client packets are: | |||
| client_initial_secret | client_initial_secret | |||
| = HKDF-Expand-Label(initial_secret, "client in", _, 32) | = HKDF-Expand-Label(initial_secret, "client in", _, 32) | |||
| = 8a3515a14ae3c31b9c2d6d5bc58538ca | = fda3953aecc040e48b34e27ef87de3a6 | |||
| 5cd2baa119087143e60887428dcb52f6 | 098ecf0e38b7e032c5c57bcbd5975b84 | |||
| key = HKDF-Expand-Label(client_initial_secret, "quic key", _, 16) | key = HKDF-Expand-Label(client_initial_secret, "quic key", _, 16) | |||
| = 98b0d7e5e7a402c67c33f350fa65ea54 | = af7fd7efebd21878ff66811248983694 | |||
| iv = HKDF-Expand-Label(client_initial_secret, "quic iv", _, 12) | iv = HKDF-Expand-Label(client_initial_secret, "quic iv", _, 12) | |||
| = 19e94387805eb0b46c03a788 | = 8681359410a70bb9c92f0420 | |||
| hp = HKDF-Expand-Label(client_initial_secret, "quic hp", _, 16) | hp = HKDF-Expand-Label(client_initial_secret, "quic hp", _, 16) | |||
| = 0edd982a6ac527f2eddcbb7348dea5d7 | = a980b8b4fb7d9fbc13e814c23164253d | |||
| The secrets for protecting server packets are: | The secrets for protecting server packets are: | |||
| server_initial_secret | server_initial_secret | |||
| = HKDF-Expand-Label(initial_secret, "server in", _, 32) | = HKDF-Expand-Label(initial_secret, "server in", _, 32) | |||
| = 47b2eaea6c266e32c0697a9e2a898bdf | = 554366b81912ff90be41f17e80222130 | |||
| 5c4fb3e5ac34f0e549bf2c58581a3811 | 90ab17d8149179bcadf222f29ff2ddd5 | |||
| key = HKDF-Expand-Label(server_initial_secret, "quic key", _, 16) | key = HKDF-Expand-Label(server_initial_secret, "quic key", _, 16) | |||
| = 9a8be902a9bdd91d16064ca118045fb4 | = 5d51da9ee897a21b2659ccc7e5bfa577 | |||
| iv = HKDF-Expand-Label(server_initial_secret, "quic iv", _, 12) | iv = HKDF-Expand-Label(server_initial_secret, "quic iv", _, 12) | |||
| = 0a82086d32205ba22241d8dc | = 5e5ae651fd1e8495af13508b | |||
| hp = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16) | hp = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16) | |||
| = 94b9452d2b3c7c7f6da7fdd8593537fd | = a8ed82e6664f865aedf6106943f95fb8 | |||
| A.2. Client Initial | A.2. Client Initial | |||
| The client sends an Initial packet. The unprotected payload of this | The client sends an Initial packet. The unprotected payload of this | |||
| packet contains the following CRYPTO frame, plus enough PADDING | packet contains the following CRYPTO frame, plus enough PADDING | |||
| frames to make an 1163 byte payload: | frames to make an 1163 byte payload: | |||
| 060040c4010000c003036660261ff947 cea49cce6cfad687f457cf1b14531ba1 | 060040c4010000c003036660261ff947 cea49cce6cfad687f457cf1b14531ba1 | |||
| 4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006 | 4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006 | |||
| 736572766572ff01000100000a001400 12001d00170018001901000101010201 | 736572766572ff01000100000a001400 12001d00170018001901000101010201 | |||
| 03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f | 03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f | |||
| 2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403 | 2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403 | |||
| 05030603020308040805080604010501 060102010402050206020202002d0002 | 05030603020308040805080604010501 060102010402050206020202002d0002 | |||
| 0101001c00024001 | 0101001c00024001 | |||
| The unprotected header includes the connection ID and a 4 byte packet | The unprotected header includes the connection ID and a 4 byte packet | |||
| number encoding for a packet number of 2: | number encoding for a packet number of 2: | |||
| c3ff000015508394c8f03e51570800449f00000002 | c3ff000017088394c8f03e5157080000449e00000002 | |||
| Protecting the payload produces output that is sampled for header | Protecting the payload produces output that is sampled for header | |||
| protection. Because the header uses a 4 byte packet number encoding, | protection. Because the header uses a 4 byte packet number encoding, | |||
| the first 16 bytes of the protected payload is sampled, then applied | the first 16 bytes of the protected payload is sampled, then applied | |||
| to the header: | to the header: | |||
| sample = 65f354ebb400418b614f73765009c016 | sample = 535064a4268a0d9d7b1c9d250ae35516 | |||
| mask = AES-ECB(hp, sample)[0..4] | mask = AES-ECB(hp, sample)[0..4] | |||
| = 519bd343ff | = 833b343aaa | |||
| header[0] ^= mask[0] & 0x0f | header[0] ^= mask[0] & 0x0f | |||
| = c2 | = c0 | |||
| header[17..20] ^= mask[1..4] | header[17..20] ^= mask[1..4] | |||
| = 9bd343fd | = 3b343aa8 | |||
| header = c2ff000015508394c8f03e51570800449f9bd343fd | header = c0ff000017088394c8f03e5157080000449e3b343aa8 | |||
| The resulting protected packet is: | The resulting protected packet is: | |||
| c2ff000015508394c8f03e5157080044 9f9bd343fd65f354ebb400418b614f73 | c0ff000017088394c8f03e5157080000 449e3b343aa8535064a4268a0d9d7b1c | |||
| 765009c0162d594777f9e6ddeb32fba3 865cffd7e26e3724d4997cdde8df34f8 | 9d250ae355162276e9b1e3011ef6bbc0 ab48ad5bcc2681e953857ca62becd752 | |||
| 868772fed2412d43046f44dc7c6adf5e e10da456d56c892c8f69594594e8dcab | 4daac473e68d7405fbba4e9ee616c870 38bdbe908c06d9605d9ac49030359eec | |||
| edb10d591130ca464588f2834eab931b 10feb963c1947a05f57062692c242248 | b1d05a14e117db8cede2bb09d0dbbfee 271cb374d8f10abec82d0f59a1dee29f | |||
| ad0133b31f6dcc585ba344ca5beb382f b619272e65dfccae59c08eb00b7d2a5b | e95638ed8dd41da07487468791b719c5 5c46968eb3b54680037102a28e53dc1d | |||
| bccd888582df1d1aee040aea76ab4dfd cae126791e71561b1f58312edb31c164 | 12903db0af5821794b41c4a93357fa59 ce69cfe7f6bdfa629eef78616447e1d6 | |||
| ff1341fd2820e2399946bad901e425da e58a9859ef1825e7d757a6291d9ba6ee | 11c4baf71bf33febcb03137c2c75d253 17d3e13b684370f668411c0f00304b50 | |||
| 1a8c836dc0027cd705bd2bc67f56bad0 024efaa3819cbb5d46cefdb7e0df3ad9 | 1c8fd422bd9b9ad81d643b20da89ca05 25d24d2b142041cae0af205092e43008 | |||
| 2b0689650e2b49ac29e6398bedc75554 1a3f3865bc4759bec74d721a28a0452c | 0cd8559ea4c5c6e4fa3f66082b7d303e 52ce0162baa958532b0bbc2bc785681f | |||
| 1260189e8e92f844c91b27a00fc5ed6d 14d8fceb5a848bea0a3208162c7a9578 | cf37485dff6595e01e739c8ac9efba31 b985d5f656cc092432d781db95221724 | |||
| 2fcf9a045b20b76710a2565372f25411 81030e4350e199e62fa4e2e0bba19ff6 | 87641c4d3ab8ece01e39bc85b1543661 4775a98ba8fa12d46f9b35e2a55eb72d | |||
| 6662ab8cc6815eeaa20b80d5f31c41e5 51f558d2c836a215ccff4e8afd2fec4b | 7f85181a366663387ddc20551807e007 673bd7e26bf9b29b5ab10a1ca87cbb7a | |||
| fcb9ea9d051d12162f1b14842489b69d 72a307d9144fced64fc4aa21ebd310f8 | d97e99eb66959c2a9bc3cbde4707ff77 20b110fa95354674e395812e47a0ae53 | |||
| 97cf00062e90dad5dbf04186622e6c12 96d388176585fdb395358ecfec4d95db | b464dcb2d1f345df360dc227270c7506 76f6724eb479f0d2fbb6124429990457 | |||
| 4429f4473a76210866fd180eaeb60da4 33500c74c00aef24d77eae81755faa03 | ac6c9167f40aab739998f38b9eccb24f d47c8410131bf65a52af841275d5b3d1 | |||
| e71a8879937b32d31be2ba51d41b5d7a 1fbb4d952b10dd2d6ec171a3187cf3f6 | 880b197df2b5dea3e6de56ebce3ffb6e 9277a82082f8d9677a6767089b671ebd | |||
| 4d520afad796e4188bc32d153241c083 f225b6e6b845ce9911bd3fe1eb4737b7 | 244c214f0bde95c2beb02cd1172d58bd f39dce56ff68eb35ab39b49b4eac7c81 | |||
| 1c8d55e3962871b73657b1e2cce368c7 400658d47cfd9290ed16cdc2a6e3e7dc | 5ea60451d6e6ab82119118df02a58684 4a9ffe162ba006d0669ef57668cab38b | |||
| ea77fb5c6459303a32d58f62969d8f46 70ce27f591c7a59cc3e7556eda4c58a3 | 62f71a2523a084852cd1d079b3658dc2 f3e87949b550bab3e177cfc49ed190df | |||
| 2e9f53fd7f9d60a9c05cd6238c71e3c8 2d2efabd3b5177670b8d595151d7eb44 | f0630e43077c30de8f6ae081537f1e83 da537da980afa668e7b7fb25301cf741 | |||
| aa401fe3b5b87bdb88dffb2bfb6d1d0d 8868a41ba96265ca7a68d06fc0b74bcc | 524be3c49884b42821f17552fbd1931a 813017b6b6590a41ea18b6ba49cd48a4 | |||
| ac55b038f8362b84d47f52744323d08b 46bfec8c421f991e1394938a546a7482 | 40bd9a3346a7623fb4ba34a3ee571e3c 731f35a7a3cf25b551a680fa68763507 | |||
| a17c72be109ea4b0c71abc7d9c0ac096 0327754e1043f18a32b9fb402fc33fdc | b7fde3aaf023c50b9d22da6876ba337e b5e9dd9ec3daf970242b6c5aab3aa4b2 | |||
| b6a0b4fdbbddbdf0d85779879e98ef21 1d104a5271f22823f16942cfa8ace68d | 96ad8b9f6832f686ef70fa938b31b4e5 ddd7364442d3ea72e73d668fb0937796 | |||
| 0c9e5b52297da9702d8f1de24bcd0628 4ac8aa1068fa21a82abbca7e7454b848 | f462923a81a47e1cee7426ff6d922126 9b5a62ec03d6ec94d12606cb485560ba | |||
| d7de8c3d43560541a362ff4f6be06c01 15e3a733bff44417da11ae668857bba2 | b574816009e96504249385bb61a819be 04f62c2066214d8360a2022beb316240 | |||
| c53ba17db8c100f1b5c7c9ea960d3f3d 3b9e77c16c31a222b498a7384e286b9b | b6c7d78bbe56c13082e0ca272661210a bf020bf3b5783f1426436cf9ff418405 | |||
| 7c45167d5703de715f9b06708403562d cff77fdf2793f94e294888cebe8da4ee | 93a5d0638d32fc51c5c65ff291a3a7a5 2fd6775e623a4439cc08dd25582febc9 | |||
| 88a53e38f2430addc161e8b2e2f2d405 41d10cda9a7aa518ac14d0195d8c2012 | 44ef92d8dbd329c91de3e9c9582e41f1 7f3d186f104ad3f90995116c682a2a14 | |||
| 0b4f1d47d6d0909e69c4a0e641b83c1a d4fff85af4751035bc5698b6141ecc3f | a3b4b1f547c335f0be710fc9fc03e0e5 87b8cda31ce65b969878a4ad4283e6d5 | |||
| bffcf2f55036880071ba118927400796 7f64468172854d140d229320d689f576 | b0373f43da86e9e0ffe1ae0fddd35162 55bd74566f36a38703d5f34249ded1f6 | |||
| 60f6c445e629d15ff2dcdff4b71a41ec 0c24bd2fd8f5ad13b2c3688e0fdb8dbc | 6b3d9b45b9af2ccfefe984e13376b1b2 c6404aa48c8026132343da3f3a33659e | |||
| ce42e6cf49cf60d022ccd5b19b4fd5d9 8dc10d9ce3a626851b1fdd23e1fa3a96 | c1b3e95080540b28b7f3fcd35fa5d843 b579a84c089121a60d8c1754915c344e | |||
| 1f9b0333ab8d632e48c944b82bdd9e80 0fa2b2b9e31e96aee54b40edaf6b79ec | eaf45a9bf27dc0c1e784161691220913 13eb0e87555abd706626e557fc36a04f | |||
| 211fdc95d95ef552aa532583d76a539e 988e416a0a10df2550cdeacafc3d61b0 | cd191a58829104d6075c5594f627ca50 6bf181daec940f4a4f3af0074eee89da | |||
| b0a79337960a0be8cf6169e4d55fa6e7 a9c2e8efabab3da008f5bcc38c1bbabd | acde6758312622d4fa675b39f728e062 d2bee680d8f41a597c262648bb18bcfc | |||
| b6c10368723da0ae83c4b1819ff54946 e7806458d80d7be2c867d46fe1f029c5 | 13c8b3d97b1a77b2ac3af745d61a34cc 4709865bac824a94bb19058015e4e42d | |||
| e952eb19ded16fabb19980480eb0fbcd | c9be6c7803567321829dd85853396269 | |||
| A.3. Server Initial | A.3. Server Initial | |||
| The server sends the following payload in response, including an ACK | The server sends the following payload in response, including an ACK | |||
| frame, a CRYPTO frame, and no PADDING frames: | frame, a CRYPTO frame, and no PADDING frames: | |||
| 0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988 | 0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988 | |||
| cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d | cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d | |||
| 89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002 | 89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002 | |||
| 0304 | 0304 | |||
| skipping to change at page 40, line 4 ¶ | skipping to change at page 39, line 9 ¶ | |||
| A.3. Server Initial | A.3. Server Initial | |||
| The server sends the following payload in response, including an ACK | The server sends the following payload in response, including an ACK | |||
| frame, a CRYPTO frame, and no PADDING frames: | frame, a CRYPTO frame, and no PADDING frames: | |||
| 0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988 | 0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988 | |||
| cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d | cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d | |||
| 89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002 | 89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002 | |||
| 0304 | 0304 | |||
| The header from the server includes a new connection ID and a 2-byte | The header from the server includes a new connection ID and a 2-byte | |||
| packet number encoding for a packet number of 1: | packet number encoding for a packet number of 1: | |||
| c1ff00001505f067a5502a4262b50040740001 | c1ff0000170008f067a5502a4262b50040740001 | |||
| As a result, after protection, the header protection sample is taken | As a result, after protection, the header protection sample is taken | |||
| starting from the third protected octet: | starting from the third protected octet: | |||
| sample = 6176fa3b713f272a9bf03ee28d3c8add | sample = 7002596f99ae67abf65a5852f54f58c3 | |||
| mask = 5bd74a846c | mask = 38168a0c25 | |||
| header = caff00001505f067a5502a4262b5004074d74b | header = c1ff0000170008f067a5502a4262b5004074168b | |||
| The final protected packet is then: | The final protected packet is then: | |||
| caff00001505f067a5502a4262b50040 74d74b7e486176fa3b713f272a9bf03e | c9ff0000170008f067a5502a4262b500 4074168bf22b7002596f99ae67abf65a | |||
| e28d3c8addb4e805b3a110b663122a75 eee93c9177ac6b7a6b548e15a7b8f884 | 5852f54f58c37c808682e2e40492d8a3 899fb04fc0afe9aabc8767b18a0aa493 | |||
| 65e9eab253a760779b2e6a2c574882b4 8d3a3eed696e50d04d5ec59af85261e4 | 537426373b48d502214dd856d63b78ce e37bc664b3fe86d487ac7a77c53038a3 | |||
| cdbe264bd65f2b076760c69beef23aa7 14c9a174d69034c09a2863e1e1863508 | cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92b9cf9bb6d091ddfc8b32d | |||
| 8d4afdeab9 | 432348a2c413 | |||
| Appendix B. Change Log | Appendix B. Change Log | |||
| *RFC Editor's Note:* Please remove this section prior to | *RFC Editor's Note:* Please remove this section prior to | |||
| publication of a final version of this document. | publication of a final version of this document. | |||
| Issue and pull request numbers are listed with a leading octothorp. | Issue and pull request numbers are listed with a leading octothorp. | |||
| B.1. Since draft-ietf-quic-tls-21 | B.1. Since draft-ietf-quic-tls-22 | |||
| o Update the salt used for Initial secrets (#2887, #2980) | ||||
| B.2. Since draft-ietf-quic-tls-21 | ||||
| o No changes | o No changes | |||
| B.2. Since draft-ietf-quic-tls-20 | B.3. Since draft-ietf-quic-tls-20 | |||
| o Mandate the use of the QUIC transport parameters extension (#2528, | o Mandate the use of the QUIC transport parameters extension (#2528, | |||
| #2560) | #2560) | |||
| o Define handshake completion and confirmation; define clearer rules | o Define handshake completion and confirmation; define clearer rules | |||
| when it encryption keys should be discarded (#2214, #2267, #2673) | when it encryption keys should be discarded (#2214, #2267, #2673) | |||
| B.3. Since draft-ietf-quic-tls-18 | B.4. Since draft-ietf-quic-tls-18 | |||
| o Increased the set of permissible frames in 0-RTT (#2344, #2355) | o Increased the set of permissible frames in 0-RTT (#2344, #2355) | |||
| o Transport parameter extension is mandatory (#2528, #2560) | o Transport parameter extension is mandatory (#2528, #2560) | |||
| B.4. Since draft-ietf-quic-tls-17 | B.5. Since draft-ietf-quic-tls-17 | |||
| o Endpoints discard initial keys as soon as handshake keys are | o Endpoints discard initial keys as soon as handshake keys are | |||
| available (#1951, #2045) | available (#1951, #2045) | |||
| o Use of ALPN or equivalent is mandatory (#2263, #2284) | o Use of ALPN or equivalent is mandatory (#2263, #2284) | |||
| B.5. Since draft-ietf-quic-tls-14 | B.6. Since draft-ietf-quic-tls-14 | |||
| o Update the salt used for Initial secrets (#1970) | o Update the salt used for Initial secrets (#1970) | |||
| o Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) | o Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) | |||
| o Change header protection | o Change header protection | |||
| * Sample from a fixed offset (#1575, #2030) | * Sample from a fixed offset (#1575, #2030) | |||
| * Cover part of the first byte, including the key phase (#1322, | * Cover part of the first byte, including the key phase (#1322, | |||
| skipping to change at page 41, line 35 ¶ | skipping to change at page 40, line 41 ¶ | |||
| o TLS provides an AEAD and KDF function (#2046) | o TLS provides an AEAD and KDF function (#2046) | |||
| * Clarify that the TLS KDF is used with TLS (#1997) | * Clarify that the TLS KDF is used with TLS (#1997) | |||
| * Change the labels for calculation of QUIC keys (#1845, #1971, | * Change the labels for calculation of QUIC keys (#1845, #1971, | |||
| #1991) | #1991) | |||
| o Initial keys are discarded once Handshake are avaialble (#1951, | o Initial keys are discarded once Handshake are avaialble (#1951, | |||
| #2045) | #2045) | |||
| B.6. Since draft-ietf-quic-tls-13 | B.7. Since draft-ietf-quic-tls-13 | |||
| o Updated to TLS 1.3 final (#1660) | o Updated to TLS 1.3 final (#1660) | |||
| B.7. Since draft-ietf-quic-tls-12 | B.8. Since draft-ietf-quic-tls-12 | |||
| o Changes to integration of the TLS handshake (#829, #1018, #1094, | o Changes to integration of the TLS handshake (#829, #1018, #1094, | |||
| #1165, #1190, #1233, #1242, #1252, #1450) | #1165, #1190, #1233, #1242, #1252, #1450) | |||
| * The cryptographic handshake uses CRYPTO frames, not stream 0 | * The cryptographic handshake uses CRYPTO frames, not stream 0 | |||
| * QUIC packet protection is used in place of TLS record | * QUIC packet protection is used in place of TLS record | |||
| protection | protection | |||
| * Separate QUIC packet number spaces are used for the handshake | * Separate QUIC packet number spaces are used for the handshake | |||
| * Changed Retry to be independent of the cryptographic handshake | * Changed Retry to be independent of the cryptographic handshake | |||
| * Limit the use of HelloRetryRequest to address TLS needs (like | * Limit the use of HelloRetryRequest to address TLS needs (like | |||
| key shares) | key shares) | |||
| o Changed codepoint of TLS extension (#1395, #1402) | o Changed codepoint of TLS extension (#1395, #1402) | |||
| B.8. Since draft-ietf-quic-tls-11 | B.9. Since draft-ietf-quic-tls-11 | |||
| o Encrypted packet numbers. | o Encrypted packet numbers. | |||
| B.9. Since draft-ietf-quic-tls-10 | B.10. Since draft-ietf-quic-tls-10 | |||
| o No significant changes. | o No significant changes. | |||
| B.10. Since draft-ietf-quic-tls-09 | B.11. Since draft-ietf-quic-tls-09 | |||
| o Cleaned up key schedule and updated the salt used for handshake | o Cleaned up key schedule and updated the salt used for handshake | |||
| packet protection (#1077) | packet protection (#1077) | |||
| B.11. Since draft-ietf-quic-tls-08 | B.12. Since draft-ietf-quic-tls-08 | |||
| o Specify value for max_early_data_size to enable 0-RTT (#942) | o Specify value for max_early_data_size to enable 0-RTT (#942) | |||
| o Update key derivation function (#1003, #1004) | o Update key derivation function (#1003, #1004) | |||
| B.12. Since draft-ietf-quic-tls-07 | B.13. Since draft-ietf-quic-tls-07 | |||
| o Handshake errors can be reported with CONNECTION_CLOSE (#608, | o Handshake errors can be reported with CONNECTION_CLOSE (#608, | |||
| #891) | #891) | |||
| B.13. Since draft-ietf-quic-tls-05 | B.14. Since draft-ietf-quic-tls-05 | |||
| No significant changes. | No significant changes. | |||
| B.14. Since draft-ietf-quic-tls-04 | B.15. Since draft-ietf-quic-tls-04 | |||
| o Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) | o Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) | |||
| B.15. Since draft-ietf-quic-tls-03 | B.16. Since draft-ietf-quic-tls-03 | |||
| No significant changes. | No significant changes. | |||
| B.16. Since draft-ietf-quic-tls-02 | B.17. Since draft-ietf-quic-tls-02 | |||
| o Updates to match changes in transport draft | o Updates to match changes in transport draft | |||
| B.17. Since draft-ietf-quic-tls-01 | B.18. Since draft-ietf-quic-tls-01 | |||
| o Use TLS alerts to signal TLS errors (#272, #374) | o Use TLS alerts to signal TLS errors (#272, #374) | |||
| o Require ClientHello to fit in a single packet (#338) | o Require ClientHello to fit in a single packet (#338) | |||
| o The second client handshake flight is now sent in the clear (#262, | o The second client handshake flight is now sent in the clear (#262, | |||
| #337) | #337) | |||
| o The QUIC header is included as AEAD Associated Data (#226, #243, | o The QUIC header is included as AEAD Associated Data (#226, #243, | |||
| #302) | #302) | |||
| skipping to change at page 43, line 30 ¶ | skipping to change at page 42, line 38 ¶ | |||
| o Require at least TLS 1.3 (#138) | o Require at least TLS 1.3 (#138) | |||
| o Define transport parameters as a TLS extension (#122) | o Define transport parameters as a TLS extension (#122) | |||
| o Define handling for protected packets before the handshake | o Define handling for protected packets before the handshake | |||
| completes (#39) | completes (#39) | |||
| o Decouple QUIC version and ALPN (#12) | o Decouple QUIC version and ALPN (#12) | |||
| B.18. Since draft-ietf-quic-tls-00 | B.19. Since draft-ietf-quic-tls-00 | |||
| o Changed bit used to signal key phase | o Changed bit used to signal key phase | |||
| o Updated key phase markings during the handshake | o Updated key phase markings during the handshake | |||
| o Added TLS interface requirements section | o Added TLS interface requirements section | |||
| o Moved to use of TLS exporters for key derivation | o Moved to use of TLS exporters for key derivation | |||
| o Moved TLS error code definitions into this document | o Moved TLS error code definitions into this document | |||
| B.19. Since draft-thomson-quic-tls-01 | B.20. Since draft-thomson-quic-tls-01 | |||
| o Adopted as base for draft-ietf-quic-tls | o Adopted as base for draft-ietf-quic-tls | |||
| o Updated authors/editors list | o Updated authors/editors list | |||
| o Added status note | o Added status note | |||
| Acknowledgments | Acknowledgments | |||
| This document has benefited from input from Dragana Damjanovic, | This document has benefited from input from Dragana Damjanovic, | |||
| End of changes. 61 change blocks. | ||||
| 157 lines changed or deleted | 166 lines changed or added | |||
This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||