rfc9001.original | rfc9001.txt | |||
---|---|---|---|---|
QUIC M. Thomson, Ed. | Internet Engineering Task Force (IETF) M. Thomson, Ed. | |||
Internet-Draft Mozilla | Request for Comments: 9001 Mozilla | |||
Intended status: Standards Track S. Turner, Ed. | Category: Standards Track S. Turner, Ed. | |||
Expires: 19 July 2021 sn3rd | ISSN: 2070-1721 sn3rd | |||
15 January 2021 | May 2021 | |||
Using TLS to Secure QUIC | Using TLS to Secure QUIC | |||
draft-ietf-quic-tls-34 | ||||
Abstract | Abstract | |||
This document describes how Transport Layer Security (TLS) is used to | This document describes how Transport Layer Security (TLS) is used to | |||
secure QUIC. | secure QUIC. | |||
Note to Readers | ||||
Discussion of this draft takes place on the QUIC working group | ||||
mailing list (quic@ietf.org), which is archived at | ||||
https://mailarchive.ietf.org/arch/search/?email_list=quic. | ||||
Working Group information can be found at https://github.com/quicwg; | ||||
source code and issues list for this draft can be found at | ||||
https://github.com/quicwg/base-drafts/labels/-tls. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 19 July 2021. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9001. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Simplified BSD License text | to this document. Code Components extracted from this document must | |||
as described in Section 4.e of the Trust Legal Provisions and are | include Simplified BSD License text as described in Section 4.e of | |||
provided without warranty as described in the Simplified BSD License. | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction | |||
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 4 | 2. Notational Conventions | |||
2.1. TLS Overview . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. TLS Overview | |||
3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Protocol Overview | |||
4. Carrying TLS Messages . . . . . . . . . . . . . . . . . . . . 8 | 4. Carrying TLS Messages | |||
4.1. Interface to TLS . . . . . . . . . . . . . . . . . . . . 9 | 4.1. Interface to TLS | |||
4.1.1. Handshake Complete . . . . . . . . . . . . . . . . . 10 | 4.1.1. Handshake Complete | |||
4.1.2. Handshake Confirmed . . . . . . . . . . . . . . . . . 10 | 4.1.2. Handshake Confirmed | |||
4.1.3. Sending and Receiving Handshake Messages . . . . . . 10 | 4.1.3. Sending and Receiving Handshake Messages | |||
4.1.4. Encryption Level Changes . . . . . . . . . . . . . . 12 | 4.1.4. Encryption Level Changes | |||
4.1.5. TLS Interface Summary . . . . . . . . . . . . . . . . 14 | 4.1.5. TLS Interface Summary | |||
4.2. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 15 | 4.2. TLS Version | |||
4.3. ClientHello Size . . . . . . . . . . . . . . . . . . . . 15 | 4.3. ClientHello Size | |||
4.4. Peer Authentication . . . . . . . . . . . . . . . . . . . 16 | 4.4. Peer Authentication | |||
4.5. Session Resumption . . . . . . . . . . . . . . . . . . . 17 | 4.5. Session Resumption | |||
4.6. 0-RTT . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 4.6. 0-RTT | |||
4.6.1. Enabling 0-RTT . . . . . . . . . . . . . . . . . . . 18 | 4.6.1. Enabling 0-RTT | |||
4.6.2. Accepting and Rejecting 0-RTT . . . . . . . . . . . . 19 | 4.6.2. Accepting and Rejecting 0-RTT | |||
4.6.3. Validating 0-RTT Configuration . . . . . . . . . . . 19 | 4.6.3. Validating 0-RTT Configuration | |||
4.7. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 20 | 4.7. HelloRetryRequest | |||
4.8. TLS Errors . . . . . . . . . . . . . . . . . . . . . . . 20 | 4.8. TLS Errors | |||
4.9. Discarding Unused Keys . . . . . . . . . . . . . . . . . 20 | 4.9. Discarding Unused Keys | |||
4.9.1. Discarding Initial Keys . . . . . . . . . . . . . . . 21 | 4.9.1. Discarding Initial Keys | |||
4.9.2. Discarding Handshake Keys . . . . . . . . . . . . . . 21 | 4.9.2. Discarding Handshake Keys | |||
4.9.3. Discarding 0-RTT Keys . . . . . . . . . . . . . . . . 22 | 4.9.3. Discarding 0-RTT Keys | |||
5. Packet Protection . . . . . . . . . . . . . . . . . . . . . . 22 | 5. Packet Protection | |||
5.1. Packet Protection Keys . . . . . . . . . . . . . . . . . 23 | 5.1. Packet Protection Keys | |||
5.2. Initial Secrets . . . . . . . . . . . . . . . . . . . . . 23 | 5.2. Initial Secrets | |||
5.3. AEAD Usage . . . . . . . . . . . . . . . . . . . . . . . 25 | 5.3. AEAD Usage | |||
5.4. Header Protection . . . . . . . . . . . . . . . . . . . . 26 | 5.4. Header Protection | |||
5.4.1. Header Protection Application . . . . . . . . . . . . 26 | 5.4.1. Header Protection Application | |||
5.4.2. Header Protection Sample . . . . . . . . . . . . . . 28 | 5.4.2. Header Protection Sample | |||
5.4.3. AES-Based Header Protection . . . . . . . . . . . . . 30 | 5.4.3. AES-Based Header Protection | |||
5.4.4. ChaCha20-Based Header Protection . . . . . . . . . . 30 | 5.4.4. ChaCha20-Based Header Protection | |||
5.5. Receiving Protected Packets . . . . . . . . . . . . . . . 31 | 5.5. Receiving Protected Packets | |||
5.6. Use of 0-RTT Keys . . . . . . . . . . . . . . . . . . . . 31 | 5.6. Use of 0-RTT Keys | |||
5.7. Receiving Out-of-Order Protected Packets . . . . . . . . 32 | 5.7. Receiving Out-of-Order Protected Packets | |||
5.8. Retry Packet Integrity . . . . . . . . . . . . . . . . . 33 | 5.8. Retry Packet Integrity | |||
6. Key Update . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 6. Key Update | |||
6.1. Initiating a Key Update . . . . . . . . . . . . . . . . . 36 | 6.1. Initiating a Key Update | |||
6.2. Responding to a Key Update . . . . . . . . . . . . . . . 37 | 6.2. Responding to a Key Update | |||
6.3. Timing of Receive Key Generation . . . . . . . . . . . . 37 | 6.3. Timing of Receive Key Generation | |||
6.4. Sending with Updated Keys . . . . . . . . . . . . . . . . 38 | 6.4. Sending with Updated Keys | |||
6.5. Receiving with Different Keys . . . . . . . . . . . . . . 38 | 6.5. Receiving with Different Keys | |||
6.6. Limits on AEAD Usage . . . . . . . . . . . . . . . . . . 39 | 6.6. Limits on AEAD Usage | |||
6.7. Key Update Error Code . . . . . . . . . . . . . . . . . . 41 | 6.7. Key Update Error Code | |||
7. Security of Initial Messages . . . . . . . . . . . . . . . . 41 | 7. Security of Initial Messages | |||
8. QUIC-Specific Adjustments to the TLS Handshake . . . . . . . 41 | 8. QUIC-Specific Adjustments to the TLS Handshake | |||
8.1. Protocol Negotiation . . . . . . . . . . . . . . . . . . 42 | 8.1. Protocol Negotiation | |||
8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 42 | 8.2. QUIC Transport Parameters Extension | |||
8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 43 | 8.3. Removing the EndOfEarlyData Message | |||
8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 43 | 8.4. Prohibit TLS Middlebox Compatibility Mode | |||
9. Security Considerations . . . . . . . . . . . . . . . . . . . 44 | 9. Security Considerations | |||
9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 44 | 9.1. Session Linkability | |||
9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 44 | 9.2. Replay Attacks with 0-RTT | |||
9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 45 | 9.3. Packet Reflection Attack Mitigation | |||
9.4. Header Protection Analysis . . . . . . . . . . . . . . . 45 | 9.4. Header Protection Analysis | |||
9.5. Header Protection Timing Side-Channels . . . . . . . . . 46 | 9.5. Header Protection Timing Side Channels | |||
9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 47 | 9.6. Key Diversity | |||
9.7. Randomness . . . . . . . . . . . . . . . . . . . . . . . 47 | 9.7. Randomness | |||
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 | 10. IANA Considerations | |||
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 48 | 11. References | |||
11.1. Normative References . . . . . . . . . . . . . . . . . . 48 | 11.1. Normative References | |||
11.2. Informative References . . . . . . . . . . . . . . . . . 49 | 11.2. Informative References | |||
Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 51 | Appendix A. Sample Packet Protection | |||
A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 51 | A.1. Keys | |||
A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 52 | A.2. Client Initial | |||
A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 54 | A.3. Server Initial | |||
A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 55 | A.4. Retry | |||
A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 55 | A.5. ChaCha20-Poly1305 Short Header Packet | |||
Appendix B. AEAD Algorithm Analysis . . . . . . . . . . . . . . 57 | Appendix B. AEAD Algorithm Analysis | |||
B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage | B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage | |||
Limits . . . . . . . . . . . . . . . . . . . . . . . . . 58 | Limits | |||
B.1.1. Confidentiality Limit . . . . . . . . . . . . . . . . 58 | B.1.1. Confidentiality Limit | |||
B.1.2. Integrity Limit . . . . . . . . . . . . . . . . . . . 58 | B.1.2. Integrity Limit | |||
B.2. Analysis of AEAD_AES_128_CCM Usage Limits . . . . . . . . 59 | B.2. Analysis of AEAD_AES_128_CCM Usage Limits | |||
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 60 | Contributors | |||
C.1. Since draft-ietf-quic-tls-32 . . . . . . . . . . . . . . 60 | Authors' Addresses | |||
C.2. Since draft-ietf-quic-tls-31 . . . . . . . . . . . . . . 60 | ||||
C.3. Since draft-ietf-quic-tls-30 . . . . . . . . . . . . . . 60 | ||||
C.4. Since draft-ietf-quic-tls-29 . . . . . . . . . . . . . . 60 | ||||
C.5. Since draft-ietf-quic-tls-28 . . . . . . . . . . . . . . 61 | ||||
C.6. Since draft-ietf-quic-tls-27 . . . . . . . . . . . . . . 61 | ||||
C.7. Since draft-ietf-quic-tls-26 . . . . . . . . . . . . . . 61 | ||||
C.8. Since draft-ietf-quic-tls-25 . . . . . . . . . . . . . . 61 | ||||
C.9. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 61 | ||||
C.10. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 61 | ||||
C.11. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 62 | ||||
C.12. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 62 | ||||
C.13. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 62 | ||||
C.14. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 62 | ||||
C.15. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 62 | ||||
C.16. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 62 | ||||
C.17. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 63 | ||||
C.18. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 63 | ||||
C.19. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 63 | ||||
C.20. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 63 | ||||
C.21. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 63 | ||||
C.22. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 63 | ||||
C.23. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 63 | ||||
C.24. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 64 | ||||
C.25. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 64 | ||||
C.26. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 64 | ||||
C.27. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 64 | ||||
C.28. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 64 | ||||
C.29. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 64 | ||||
C.30. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 65 | ||||
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 65 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
1. Introduction | 1. Introduction | |||
This document describes how QUIC [QUIC-TRANSPORT] is secured using | This document describes how QUIC [QUIC-TRANSPORT] is secured using | |||
TLS [TLS13]. | TLS [TLS13]. | |||
TLS 1.3 provides critical latency improvements for connection | TLS 1.3 provides critical latency improvements for connection | |||
establishment over previous versions. Absent packet loss, most new | establishment over previous versions. Absent packet loss, most new | |||
connections can be established and secured within a single round | connections can be established and secured within a single round | |||
trip; on subsequent connections between the same client and server, | trip; on subsequent connections between the same client and server, | |||
the client can often send application data immediately, that is, | the client can often send application data immediately, that is, | |||
using a zero round trip setup. | using a zero round-trip setup. | |||
This document describes how TLS acts as a security component of QUIC. | This document describes how TLS acts as a security component of QUIC. | |||
2. Notational Conventions | 2. Notational Conventions | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
This document uses the terminology established in [QUIC-TRANSPORT]. | This document uses the terminology established in [QUIC-TRANSPORT]. | |||
For brevity, the acronym TLS is used to refer to TLS 1.3, though a | For brevity, the acronym TLS is used to refer to TLS 1.3, though a | |||
newer version could be used; see Section 4.2. | newer version could be used; see Section 4.2. | |||
2.1. TLS Overview | 2.1. TLS Overview | |||
TLS provides two endpoints with a way to establish a means of | TLS provides two endpoints with a way to establish a means of | |||
skipping to change at page 5, line 30 ¶ | skipping to change at line 174 ¶ | |||
Layer | Handshake | Alerts | Data | ... | | Layer | Handshake | Alerts | Data | ... | | |||
| | | | | | | | | | | | |||
+-------------+------------+--------------+---------+ | +-------------+------------+--------------+---------+ | |||
Record | | | Record | | | |||
Layer | Records | | Layer | Records | | |||
| | | | | | |||
+---------------------------------------------------+ | +---------------------------------------------------+ | |||
Figure 1: TLS Layers | Figure 1: TLS Layers | |||
Each Content layer message (e.g., Handshake, Alerts, and Application | Each content-layer message (e.g., handshake, alerts, and application | |||
Data) is carried as a series of typed TLS records by the Record | data) is carried as a series of typed TLS records by the record | |||
layer. Records are individually cryptographically protected and then | layer. Records are individually cryptographically protected and then | |||
transmitted over a reliable transport (typically TCP), which provides | transmitted over a reliable transport (typically TCP), which provides | |||
sequencing and guaranteed delivery. | sequencing and guaranteed delivery. | |||
The TLS authenticated key exchange occurs between two endpoints: | The TLS authenticated key exchange occurs between two endpoints: | |||
client and server. The client initiates the exchange and the server | client and server. The client initiates the exchange and the server | |||
responds. If the key exchange completes successfully, both client | responds. If the key exchange completes successfully, both client | |||
and server will agree on a secret. TLS supports both pre-shared key | and server will agree on a secret. TLS supports both pre-shared key | |||
(PSK) and Diffie-Hellman over either finite fields or elliptic curves | (PSK) and Diffie-Hellman over either finite fields or elliptic curves | |||
((EC)DHE) key exchanges. PSK is the basis for Early Data (0-RTT); | ((EC)DHE) key exchanges. PSK is the basis for Early Data (0-RTT); | |||
the latter provides forward secrecy (FS) when the (EC)DHE keys are | the latter provides forward secrecy (FS) when the (EC)DHE keys are | |||
destroyed. The two modes can also be combined, to provide forward | destroyed. The two modes can also be combined to provide forward | |||
secrecy while using the PSK for authentication. | secrecy while using the PSK for authentication. | |||
After completing the TLS handshake, the client will have learned and | After completing the TLS handshake, the client will have learned and | |||
authenticated an identity for the server and the server is optionally | authenticated an identity for the server, and the server is | |||
able to learn and authenticate an identity for the client. TLS | optionally able to learn and authenticate an identity for the client. | |||
supports X.509 [RFC5280] certificate-based authentication for both | TLS supports X.509 [RFC5280] certificate-based authentication for | |||
server and client. When PSK key exchange is used (as in resumption), | both server and client. When PSK key exchange is used (as in | |||
knowledge of the PSK serves to authenticate the peer. | resumption), knowledge of the PSK serves to authenticate the peer. | |||
The TLS key exchange is resistant to tampering by attackers and it | The TLS key exchange is resistant to tampering by attackers, and it | |||
produces shared secrets that cannot be controlled by either | produces shared secrets that cannot be controlled by either | |||
participating peer. | participating peer. | |||
TLS provides two basic handshake modes of interest to QUIC: | TLS provides two basic handshake modes of interest to QUIC: | |||
* A full 1-RTT handshake, in which the client is able to send | * A full 1-RTT handshake, in which the client is able to send | |||
Application Data after one round trip and the server immediately | application data after one round trip and the server immediately | |||
responds after receiving the first handshake message from the | responds after receiving the first handshake message from the | |||
client. | client. | |||
* A 0-RTT handshake, in which the client uses information it has | * A 0-RTT handshake, in which the client uses information it has | |||
previously learned about the server to send Application Data | previously learned about the server to send application data | |||
immediately. This Application Data can be replayed by an attacker | immediately. This application data can be replayed by an | |||
so 0-RTT is not suitable for carrying instructions that might | attacker, so 0-RTT is not suitable for carrying instructions that | |||
initiate any action that could cause unwanted effects if replayed. | might initiate any action that could cause unwanted effects if | |||
replayed. | ||||
A simplified TLS handshake with 0-RTT application data is shown in | A simplified TLS handshake with 0-RTT application data is shown in | |||
Figure 2. | Figure 2. | |||
Client Server | Client Server | |||
ClientHello | ClientHello | |||
(0-RTT Application Data) --------> | (0-RTT Application Data) --------> | |||
ServerHello | ServerHello | |||
{EncryptedExtensions} | {EncryptedExtensions} | |||
skipping to change at page 6, line 52 ¶ | skipping to change at line 245 ¶ | |||
Figure 2: TLS Handshake with 0-RTT | Figure 2: TLS Handshake with 0-RTT | |||
Figure 2 omits the EndOfEarlyData message, which is not used in QUIC; | Figure 2 omits the EndOfEarlyData message, which is not used in QUIC; | |||
see Section 8.3. Likewise, neither ChangeCipherSpec nor KeyUpdate | see Section 8.3. Likewise, neither ChangeCipherSpec nor KeyUpdate | |||
messages are used by QUIC. ChangeCipherSpec is redundant in TLS 1.3; | messages are used by QUIC. ChangeCipherSpec is redundant in TLS 1.3; | |||
see Section 8.4. QUIC has its own key update mechanism; see | see Section 8.4. QUIC has its own key update mechanism; see | |||
Section 6. | Section 6. | |||
Data is protected using a number of encryption levels: | Data is protected using a number of encryption levels: | |||
* Initial Keys | * Initial keys | |||
* Early Data (0-RTT) Keys | ||||
* Handshake Keys | * Early data (0-RTT) keys | |||
* Application Data (1-RTT) Keys | * Handshake keys | |||
Application Data may appear only in the Early Data and Application | * Application data (1-RTT) keys | |||
Data levels. Handshake and Alert messages may appear in any level. | ||||
Application data can only appear in the early data and application | ||||
data levels. Handshake and alert messages may appear in any level. | ||||
The 0-RTT handshake can be used if the client and server have | The 0-RTT handshake can be used if the client and server have | |||
previously communicated. In the 1-RTT handshake, the client is | previously communicated. In the 1-RTT handshake, the client is | |||
unable to send protected Application Data until it has received all | unable to send protected application data until it has received all | |||
of the Handshake messages sent by the server. | of the handshake messages sent by the server. | |||
3. Protocol Overview | 3. Protocol Overview | |||
QUIC [QUIC-TRANSPORT] assumes responsibility for the confidentiality | QUIC [QUIC-TRANSPORT] assumes responsibility for the confidentiality | |||
and integrity protection of packets. For this it uses keys derived | and integrity protection of packets. For this it uses keys derived | |||
from a TLS handshake [TLS13], but instead of carrying TLS records | from a TLS handshake [TLS13], but instead of carrying TLS records | |||
over QUIC (as with TCP), TLS Handshake and Alert messages are carried | over QUIC (as with TCP), TLS handshake and alert messages are carried | |||
directly over the QUIC transport, which takes over the | directly over the QUIC transport, which takes over the | |||
responsibilities of the TLS record layer, as shown in Figure 3. | responsibilities of the TLS record layer, as shown in Figure 3. | |||
+--------------+--------------+ +-------------+ | +--------------+--------------+ +-------------+ | |||
| TLS | TLS | | QUIC | | | TLS | TLS | | QUIC | | |||
| Handshake | Alerts | | Applications| | | Handshake | Alerts | | Applications| | |||
| | | | (h3, etc.) | | | | | | (h3, etc.) | | |||
+--------------+--------------+-+-------------+ | +--------------+--------------+-+-------------+ | |||
| | | | | | |||
| QUIC Transport | | | QUIC Transport | | |||
skipping to change at page 8, line 13 ¶ | skipping to change at line 302 ¶ | |||
and record layer provided by QUIC. | and record layer provided by QUIC. | |||
At a high level, there are two main interactions between the TLS and | At a high level, there are two main interactions between the TLS and | |||
QUIC components: | QUIC components: | |||
* The TLS component sends and receives messages via the QUIC | * The TLS component sends and receives messages via the QUIC | |||
component, with QUIC providing a reliable stream abstraction to | component, with QUIC providing a reliable stream abstraction to | |||
TLS. | TLS. | |||
* The TLS component provides a series of updates to the QUIC | * The TLS component provides a series of updates to the QUIC | |||
component, including (a) new packet protection keys to install (b) | component, including (a) new packet protection keys to install and | |||
state changes such as handshake completion, the server | (b) state changes such as handshake completion, the server | |||
certificate, etc. | certificate, etc. | |||
Figure 4 shows these interactions in more detail, with the QUIC | Figure 4 shows these interactions in more detail, with the QUIC | |||
packet protection being called out specially. | packet protection being called out specially. | |||
+------------+ +------------+ | +------------+ +------------+ | |||
| |<---- Handshake Messages ----->| | | | |<---- Handshake Messages ----->| | | |||
| |<- Validate 0-RTT parameters ->| | | | |<- Validate 0-RTT Parameters ->| | | |||
| |<--------- 0-RTT Keys ---------| | | | |<--------- 0-RTT Keys ---------| | | |||
| QUIC |<------- Handshake Keys -------| TLS | | | QUIC |<------- Handshake Keys -------| TLS | | |||
| |<--------- 1-RTT Keys ---------| | | | |<--------- 1-RTT Keys ---------| | | |||
| |<------- Handshake Done -------| | | | |<------- Handshake Done -------| | | |||
+------------+ +------------+ | +------------+ +------------+ | |||
| ^ | | ^ | |||
| Protect | Protected | | Protect | Protected | |||
v | Packet | v | Packet | |||
+------------+ | +------------+ | |||
| QUIC | | | QUIC | | |||
| Packet | | | Packet | | |||
| Protection | | | Protection | | |||
+------------+ | +------------+ | |||
Figure 4: QUIC and TLS Interactions | Figure 4: QUIC and TLS Interactions | |||
Unlike TLS over TCP, QUIC applications that want to send data do not | Unlike TLS over TCP, QUIC applications that want to send data do not | |||
send it through TLS "application_data" records. Rather, they send it | send it using TLS Application Data records. Rather, they send it as | |||
as QUIC STREAM frames or other frame types, which are then carried in | QUIC STREAM frames or other frame types, which are then carried in | |||
QUIC packets. | QUIC packets. | |||
4. Carrying TLS Messages | 4. Carrying TLS Messages | |||
QUIC carries TLS handshake data in CRYPTO frames, each of which | QUIC carries TLS handshake data in CRYPTO frames, each of which | |||
consists of a contiguous block of handshake data identified by an | consists of a contiguous block of handshake data identified by an | |||
offset and length. Those frames are packaged into QUIC packets and | offset and length. Those frames are packaged into QUIC packets and | |||
encrypted under the current encryption level. As with TLS over TCP, | encrypted under the current encryption level. As with TLS over TCP, | |||
once TLS handshake data has been delivered to QUIC, it is QUIC's | once TLS handshake data has been delivered to QUIC, it is QUIC's | |||
responsibility to deliver it reliably. Each chunk of data that is | responsibility to deliver it reliably. Each chunk of data that is | |||
skipping to change at page 9, line 22 ¶ | skipping to change at line 360 ¶ | |||
Because packets could be reordered on the wire, QUIC uses the packet | Because packets could be reordered on the wire, QUIC uses the packet | |||
type to indicate which keys were used to protect a given packet, as | type to indicate which keys were used to protect a given packet, as | |||
shown in Table 1. When packets of different types need to be sent, | shown in Table 1. When packets of different types need to be sent, | |||
endpoints SHOULD use coalesced packets to send them in the same UDP | endpoints SHOULD use coalesced packets to send them in the same UDP | |||
datagram. | datagram. | |||
+=====================+=================+==================+ | +=====================+=================+==================+ | |||
| Packet Type | Encryption Keys | PN Space | | | Packet Type | Encryption Keys | PN Space | | |||
+=====================+=================+==================+ | +=====================+=================+==================+ | |||
| Initial | Initial secrets | Initial | | | Initial | Initial secrets | Initial | | |||
+---------------------+-----------------+------------------+ | +=====================+-----------------+------------------+ | |||
| 0-RTT Protected | 0-RTT | Application data | | | 0-RTT Protected | 0-RTT | Application data | | |||
+---------------------+-----------------+------------------+ | +=====================+-----------------+------------------+ | |||
| Handshake | Handshake | Handshake | | | Handshake | Handshake | Handshake | | |||
+---------------------+-----------------+------------------+ | +=====================+-----------------+------------------+ | |||
| Retry | Retry | N/A | | | Retry | Retry | N/A | | |||
+---------------------+-----------------+------------------+ | +=====================+-----------------+------------------+ | |||
| Version Negotiation | N/A | N/A | | | Version Negotiation | N/A | N/A | | |||
+---------------------+-----------------+------------------+ | +=====================+-----------------+------------------+ | |||
| Short Header | 1-RTT | Application data | | | Short Header | 1-RTT | Application data | | |||
+---------------------+-----------------+------------------+ | +=====================+-----------------+------------------+ | |||
Table 1: Encryption Keys by Packet Type | Table 1: Encryption Keys by Packet Type | |||
Section 17 of [QUIC-TRANSPORT] shows how packets at the various | Section 17 of [QUIC-TRANSPORT] shows how packets at the various | |||
encryption levels fit into the handshake process. | encryption levels fit into the handshake process. | |||
4.1. Interface to TLS | 4.1. Interface to TLS | |||
As shown in Figure 4, the interface from QUIC to TLS consists of four | As shown in Figure 4, the interface from QUIC to TLS consists of four | |||
primary functions: | primary functions: | |||
* Sending and receiving handshake messages | * Sending and receiving handshake messages | |||
* Processing stored transport and application state from a resumed | * Processing stored transport and application state from a resumed | |||
session and determining if it is valid to generate or accept early | session and determining if it is valid to generate or accept 0-RTT | |||
data | data | |||
* Rekeying (both transmit and receive) | * Rekeying (both transmit and receive) | |||
* Handshake state updates | ||||
* Updating handshake state | ||||
Additional functions might be needed to configure TLS. In | Additional functions might be needed to configure TLS. In | |||
particular, QUIC and TLS need to agree on which is responsible for | particular, QUIC and TLS need to agree on which is responsible for | |||
validation of peer credentials, such as certificate validation | validation of peer credentials, such as certificate validation | |||
([RFC5280]). | [RFC5280]. | |||
4.1.1. Handshake Complete | 4.1.1. Handshake Complete | |||
In this document, the TLS handshake is considered complete when the | In this document, the TLS handshake is considered complete when the | |||
TLS stack has reported that the handshake is complete. This happens | TLS stack has reported that the handshake is complete. This happens | |||
when the TLS stack has both sent a Finished message and verified the | when the TLS stack has both sent a Finished message and verified the | |||
peer's Finished message. Verifying the peer's Finished provides the | peer's Finished message. Verifying the peer's Finished message | |||
endpoints with an assurance that previous handshake messages have not | provides the endpoints with an assurance that previous handshake | |||
been modified. Note that the handshake does not complete at both | messages have not been modified. Note that the handshake does not | |||
endpoints simultaneously. Consequently, any requirement that is | complete at both endpoints simultaneously. Consequently, any | |||
based on the completion of the handshake depends on the perspective | requirement that is based on the completion of the handshake depends | |||
of the endpoint in question. | on the perspective of the endpoint in question. | |||
4.1.2. Handshake Confirmed | 4.1.2. Handshake Confirmed | |||
In this document, the TLS handshake is considered confirmed at the | In this document, the TLS handshake is considered confirmed at the | |||
server when the handshake completes. The server MUST send a | server when the handshake completes. The server MUST send a | |||
HANDSHAKE_DONE frame as soon as the handshake is complete. At the | HANDSHAKE_DONE frame as soon as the handshake is complete. At the | |||
client, the handshake is considered confirmed when a HANDSHAKE_DONE | client, the handshake is considered confirmed when a HANDSHAKE_DONE | |||
frame is received. | frame is received. | |||
Additionally, a client MAY consider the handshake to be confirmed | Additionally, a client MAY consider the handshake to be confirmed | |||
when it receives an acknowledgment for a 1-RTT packet. This can be | when it receives an acknowledgment for a 1-RTT packet. This can be | |||
implemented by recording the lowest packet number sent with 1-RTT | implemented by recording the lowest packet number sent with 1-RTT | |||
keys, and comparing it to the Largest Acknowledged field in any | keys and comparing it to the Largest Acknowledged field in any | |||
received 1-RTT ACK frame: once the latter is greater than or equal to | received 1-RTT ACK frame: once the latter is greater than or equal to | |||
the former, the handshake is confirmed. | the former, the handshake is confirmed. | |||
4.1.3. Sending and Receiving Handshake Messages | 4.1.3. Sending and Receiving Handshake Messages | |||
In order to drive the handshake, TLS depends on being able to send | In order to drive the handshake, TLS depends on being able to send | |||
and receive handshake messages. There are two basic functions on | and receive handshake messages. There are two basic functions on | |||
this interface: one where QUIC requests handshake messages and one | this interface: one where QUIC requests handshake messages and one | |||
where QUIC provides bytes that comprise handshake messages. | where QUIC provides bytes that comprise handshake messages. | |||
Before starting the handshake QUIC provides TLS with the transport | Before starting the handshake, QUIC provides TLS with the transport | |||
parameters (see Section 8.2) that it wishes to carry. | parameters (see Section 8.2) that it wishes to carry. | |||
A QUIC client starts TLS by requesting TLS handshake bytes from TLS. | A QUIC client starts TLS by requesting TLS handshake bytes from TLS. | |||
The client acquires handshake bytes before sending its first packet. | The client acquires handshake bytes before sending its first packet. | |||
A QUIC server starts the process by providing TLS with the client's | A QUIC server starts the process by providing TLS with the client's | |||
handshake bytes. | handshake bytes. | |||
At any time, the TLS stack at an endpoint will have a current sending | At any time, the TLS stack at an endpoint will have a current sending | |||
encryption level and receiving encryption level. TLS encryption | encryption level and a receiving encryption level. TLS encryption | |||
levels determine the QUIC packet type and keys that are used for | levels determine the QUIC packet type and keys that are used for | |||
protecting data. | protecting data. | |||
Each encryption level is associated with a different sequence of | Each encryption level is associated with a different sequence of | |||
bytes, which is reliably transmitted to the peer in CRYPTO frames. | bytes, which is reliably transmitted to the peer in CRYPTO frames. | |||
When TLS provides handshake bytes to be sent, they are appended to | When TLS provides handshake bytes to be sent, they are appended to | |||
the handshake bytes for the current encryption level. The encryption | the handshake bytes for the current encryption level. The encryption | |||
level then determines the type of packet that the resulting CRYPTO | level then determines the type of packet that the resulting CRYPTO | |||
frame is carried in; see Table 1. | frame is carried in; see Table 1. | |||
skipping to change at page 12, line 27 ¶ | skipping to change at line 510 ¶ | |||
does not provide any means of flow control for CRYPTO frames; see | does not provide any means of flow control for CRYPTO frames; see | |||
Section 7.5 of [QUIC-TRANSPORT]. | Section 7.5 of [QUIC-TRANSPORT]. | |||
Once the TLS handshake is complete, this is indicated to QUIC along | Once the TLS handshake is complete, this is indicated to QUIC along | |||
with any final handshake bytes that TLS needs to send. At this | with any final handshake bytes that TLS needs to send. At this | |||
stage, the transport parameters that the peer advertised during the | stage, the transport parameters that the peer advertised during the | |||
handshake are authenticated; see Section 8.2. | handshake are authenticated; see Section 8.2. | |||
Once the handshake is complete, TLS becomes passive. TLS can still | Once the handshake is complete, TLS becomes passive. TLS can still | |||
receive data from its peer and respond in kind, but it will not need | receive data from its peer and respond in kind, but it will not need | |||
to send more data unless specifically requested - either by an | to send more data unless specifically requested -- either by an | |||
application or QUIC. One reason to send data is that the server | application or QUIC. One reason to send data is that the server | |||
might wish to provide additional or updated session tickets to a | might wish to provide additional or updated session tickets to a | |||
client. | client. | |||
When the handshake is complete, QUIC only needs to provide TLS with | When the handshake is complete, QUIC only needs to provide TLS with | |||
any data that arrives in CRYPTO streams. In the same manner that is | any data that arrives in CRYPTO streams. In the same manner that is | |||
used during the handshake, new data is requested from TLS after | used during the handshake, new data is requested from TLS after | |||
providing received data. | providing received data. | |||
4.1.4. Encryption Level Changes | 4.1.4. Encryption Level Changes | |||
skipping to change at page 13, line 9 ¶ | skipping to change at line 534 ¶ | |||
level are available. | level are available. | |||
The availability of new keys is always a result of providing inputs | The availability of new keys is always a result of providing inputs | |||
to TLS. TLS only provides new keys after being initialized (by a | to TLS. TLS only provides new keys after being initialized (by a | |||
client) or when provided with new handshake data. | client) or when provided with new handshake data. | |||
However, a TLS implementation could perform some of its processing | However, a TLS implementation could perform some of its processing | |||
asynchronously. In particular, the process of validating a | asynchronously. In particular, the process of validating a | |||
certificate can take some time. While waiting for TLS processing to | certificate can take some time. While waiting for TLS processing to | |||
complete, an endpoint SHOULD buffer received packets if they might be | complete, an endpoint SHOULD buffer received packets if they might be | |||
processed using keys that aren't yet available. These packets can be | processed using keys that are not yet available. These packets can | |||
processed once keys are provided by TLS. An endpoint SHOULD continue | be processed once keys are provided by TLS. An endpoint SHOULD | |||
to respond to packets that can be processed during this time. | continue to respond to packets that can be processed during this | |||
time. | ||||
After processing inputs, TLS might produce handshake bytes, keys for | After processing inputs, TLS might produce handshake bytes, keys for | |||
new encryption levels, or both. | new encryption levels, or both. | |||
TLS provides QUIC with three items as a new encryption level becomes | TLS provides QUIC with three items as a new encryption level becomes | |||
available: | available: | |||
* A secret | * A secret | |||
* An Authenticated Encryption with Associated Data (AEAD) function | * An Authenticated Encryption with Associated Data (AEAD) function | |||
skipping to change at page 13, line 50 ¶ | skipping to change at line 576 ¶ | |||
message is lost, the endpoint uses the Handshake encryption level to | message is lost, the endpoint uses the Handshake encryption level to | |||
retransmit the lost message. Reordering or loss of packets can mean | retransmit the lost message. Reordering or loss of packets can mean | |||
that QUIC will need to handle packets at multiple encryption levels. | that QUIC will need to handle packets at multiple encryption levels. | |||
During the handshake, this means potentially handling packets at | During the handshake, this means potentially handling packets at | |||
higher and lower encryption levels than the current encryption level | higher and lower encryption levels than the current encryption level | |||
used by TLS. | used by TLS. | |||
In particular, server implementations need to be able to read packets | In particular, server implementations need to be able to read packets | |||
at the Handshake encryption level at the same time as the 0-RTT | at the Handshake encryption level at the same time as the 0-RTT | |||
encryption level. A client could interleave ACK frames that are | encryption level. A client could interleave ACK frames that are | |||
protected with Handshake keys with 0-RTT data and the server needs to | protected with Handshake keys with 0-RTT data, and the server needs | |||
process those acknowledgments in order to detect lost Handshake | to process those acknowledgments in order to detect lost Handshake | |||
packets. | packets. | |||
QUIC also needs access to keys that might not ordinarily be available | QUIC also needs access to keys that might not ordinarily be available | |||
to a TLS implementation. For instance, a client might need to | to a TLS implementation. For instance, a client might need to | |||
acknowledge Handshake packets before it is ready to send CRYPTO | acknowledge Handshake packets before it is ready to send CRYPTO | |||
frames at that encryption level. TLS therefore needs to provide keys | frames at that encryption level. TLS therefore needs to provide keys | |||
to QUIC before it might produce them for its own use. | to QUIC before it might produce them for its own use. | |||
4.1.5. TLS Interface Summary | 4.1.5. TLS Interface Summary | |||
Figure 5 summarizes the exchange between QUIC and TLS for both client | Figure 5 summarizes the exchange between QUIC and TLS for both client | |||
and server. Solid arrows indicate packets that carry handshake data; | and server. Solid arrows indicate packets that carry handshake data; | |||
dashed arrows show where application data can be sent. Each arrow is | dashed arrows show where application data can be sent. Each arrow is | |||
tagged with the encryption level used for that transmission. | tagged with the encryption level used for that transmission. | |||
Client Server | Client Server | |||
====== ====== | ====== ====== | |||
Get Handshake | Get Handshake | |||
Initial -------------> | Initial -------------> | |||
Install tx 0-RTT Keys | Install tx 0-RTT keys | |||
0-RTT - - - - - - - -> | 0-RTT - - - - - - - -> | |||
Handshake Received | Handshake Received | |||
Get Handshake | Get Handshake | |||
<------------- Initial | <------------- Initial | |||
Install rx 0-RTT keys | Install rx 0-RTT keys | |||
Install Handshake keys | Install Handshake keys | |||
Get Handshake | Get Handshake | |||
<----------- Handshake | <----------- Handshake | |||
Install tx 1-RTT keys | Install tx 1-RTT keys | |||
skipping to change at page 15, line 24 ¶ | skipping to change at line 648 ¶ | |||
exchange. The exact process varies based on the structure of | exchange. The exact process varies based on the structure of | |||
endpoint implementations and the order in which packets arrive. | endpoint implementations and the order in which packets arrive. | |||
Implementations could use a different number of operations or execute | Implementations could use a different number of operations or execute | |||
them in other orders. | them in other orders. | |||
4.2. TLS Version | 4.2. TLS Version | |||
This document describes how TLS 1.3 [TLS13] is used with QUIC. | This document describes how TLS 1.3 [TLS13] is used with QUIC. | |||
In practice, the TLS handshake will negotiate a version of TLS to | In practice, the TLS handshake will negotiate a version of TLS to | |||
use. This could result in a newer version of TLS than 1.3 being | use. This could result in a version of TLS newer than 1.3 being | |||
negotiated if both endpoints support that version. This is | negotiated if both endpoints support that version. This is | |||
acceptable provided that the features of TLS 1.3 that are used by | acceptable provided that the features of TLS 1.3 that are used by | |||
QUIC are supported by the newer version. | QUIC are supported by the newer version. | |||
Clients MUST NOT offer TLS versions older than 1.3. A badly | Clients MUST NOT offer TLS versions older than 1.3. A badly | |||
configured TLS implementation could negotiate TLS 1.2 or another | configured TLS implementation could negotiate TLS 1.2 or another | |||
older version of TLS. An endpoint MUST terminate the connection if a | older version of TLS. An endpoint MUST terminate the connection if a | |||
version of TLS older than 1.3 is negotiated. | version of TLS older than 1.3 is negotiated. | |||
4.3. ClientHello Size | 4.3. ClientHello Size | |||
The first Initial packet from a client contains the start or all of | The first Initial packet from a client contains the start or all of | |||
its first cryptographic handshake message, which for TLS is the | its first cryptographic handshake message, which for TLS is the | |||
ClientHello. Servers might need to parse the entire ClientHello | ClientHello. Servers might need to parse the entire ClientHello | |||
(e.g., to access extensions such as Server Name Identification (SNI) | (e.g., to access extensions such as Server Name Identification (SNI) | |||
or Application Layer Protocol Negotiation (ALPN)) in order to decide | or Application-Layer Protocol Negotiation (ALPN)) in order to decide | |||
whether to accept the new incoming QUIC connection. If the | whether to accept the new incoming QUIC connection. If the | |||
ClientHello spans multiple Initial packets, such servers would need | ClientHello spans multiple Initial packets, such servers would need | |||
to buffer the first received fragments, which could consume excessive | to buffer the first received fragments, which could consume excessive | |||
resources if the client's address has not yet been validated. To | resources if the client's address has not yet been validated. To | |||
avoid this, servers MAY use the Retry feature (see Section 8.1 of | avoid this, servers MAY use the Retry feature (see Section 8.1 of | |||
[QUIC-TRANSPORT]) to only buffer partial ClientHello messages from | [QUIC-TRANSPORT]) to only buffer partial ClientHello messages from | |||
clients with a validated address. | clients with a validated address. | |||
QUIC packet and framing add at least 36 bytes of overhead to the | QUIC packet and framing add at least 36 bytes of overhead to the | |||
ClientHello message. That overhead increases if the client chooses a | ClientHello message. That overhead increases if the client chooses a | |||
source connection ID longer than zero bytes. Overheads also do not | Source Connection ID field longer than zero bytes. Overheads also do | |||
include the token or a destination connection ID longer than 8 bytes, | not include the token or a Destination Connection ID longer than 8 | |||
both of which might be required if a server sends a Retry packet. | bytes, both of which might be required if a server sends a Retry | |||
packet. | ||||
A typical TLS ClientHello can easily fit into a 1200-byte packet. | A typical TLS ClientHello can easily fit into a 1200-byte packet. | |||
However, in addition to the overheads added by QUIC, there are | However, in addition to the overheads added by QUIC, there are | |||
several variables that could cause this limit to be exceeded. Large | several variables that could cause this limit to be exceeded. Large | |||
session tickets, multiple or large key shares, and long lists of | session tickets, multiple or large key shares, and long lists of | |||
supported ciphers, signature algorithms, versions, QUIC transport | supported ciphers, signature algorithms, versions, QUIC transport | |||
parameters, and other negotiable parameters and extensions could | parameters, and other negotiable parameters and extensions could | |||
cause this message to grow. | cause this message to grow. | |||
For servers, in addition to connection IDs and tokens, the size of | For servers, in addition to connection IDs and tokens, the size of | |||
TLS session tickets can have an effect on a client's ability to | TLS session tickets can have an effect on a client's ability to | |||
connect efficiently. Minimizing the size of these values increases | connect efficiently. Minimizing the size of these values increases | |||
the probability that clients can use them and still fit their entire | the probability that clients can use them and still fit their entire | |||
ClientHello message in their first Initial packet. | ClientHello message in their first Initial packet. | |||
The TLS implementation does not need to ensure that the ClientHello | The TLS implementation does not need to ensure that the ClientHello | |||
is large enough to meet the requirements for QUIC packets. QUIC | is large enough to meet QUIC's requirements for datagrams that carry | |||
PADDING frames are added to increase the size of the packet as | Initial packets; see Section 14.1 of [QUIC-TRANSPORT]. QUIC | |||
necessary; see Section 14.1 of [QUIC-TRANSPORT]. | implementations use PADDING frames or packet coalescing to ensure | |||
that datagrams are large enough. | ||||
4.4. Peer Authentication | 4.4. Peer Authentication | |||
The requirements for authentication depend on the application | The requirements for authentication depend on the application | |||
protocol that is in use. TLS provides server authentication and | protocol that is in use. TLS provides server authentication and | |||
permits the server to request client authentication. | permits the server to request client authentication. | |||
A client MUST authenticate the identity of the server. This | A client MUST authenticate the identity of the server. This | |||
typically involves verification that the identity of the server is | typically involves verification that the identity of the server is | |||
included in a certificate and that the certificate is issued by a | included in a certificate and that the certificate is issued by a | |||
trusted entity (see for example [RFC2818]). | trusted entity (see for example [RFC2818]). | |||
Note: Where servers provide certificates for authentication, the | | Note: Where servers provide certificates for authentication, | |||
size of the certificate chain can consume a large number of bytes. | | the size of the certificate chain can consume a large number of | |||
Controlling the size of certificate chains is critical to | | bytes. Controlling the size of certificate chains is critical | |||
performance in QUIC as servers are limited to sending 3 bytes for | | to performance in QUIC as servers are limited to sending 3 | |||
every byte received prior to validating the client address; see | | bytes for every byte received prior to validating the client | |||
Section 8.1 of [QUIC-TRANSPORT]. The size of a certificate chain | | address; see Section 8.1 of [QUIC-TRANSPORT]. The size of a | |||
can be managed by limiting the number of names or extensions; | | certificate chain can be managed by limiting the number of | |||
using keys with small public key representations, like ECDSA; or | | names or extensions; using keys with small public key | |||
by using certificate compression [COMPRESS]. | | representations, like ECDSA; or by using certificate | |||
| compression [COMPRESS]. | ||||
A server MAY request that the client authenticate during the | A server MAY request that the client authenticate during the | |||
handshake. A server MAY refuse a connection if the client is unable | handshake. A server MAY refuse a connection if the client is unable | |||
to authenticate when requested. The requirements for client | to authenticate when requested. The requirements for client | |||
authentication vary based on application protocol and deployment. | authentication vary based on application protocol and deployment. | |||
A server MUST NOT use post-handshake client authentication (as | A server MUST NOT use post-handshake client authentication (as | |||
defined in Section 4.6.2 of [TLS13]), because the multiplexing | defined in Section 4.6.2 of [TLS13]) because the multiplexing offered | |||
offered by QUIC prevents clients from correlating the certificate | by QUIC prevents clients from correlating the certificate request | |||
request with the application-level event that triggered it (see | with the application-level event that triggered it (see | |||
[HTTP2-TLS13]). More specifically, servers MUST NOT send post- | [HTTP2-TLS13]). More specifically, servers MUST NOT send post- | |||
handshake TLS CertificateRequest messages and clients MUST treat | handshake TLS CertificateRequest messages, and clients MUST treat | |||
receipt of such messages as a connection error of type | receipt of such messages as a connection error of type | |||
PROTOCOL_VIOLATION. | PROTOCOL_VIOLATION. | |||
4.5. Session Resumption | 4.5. Session Resumption | |||
QUIC can use the session resumption feature of TLS 1.3. It does this | QUIC can use the session resumption feature of TLS 1.3. It does this | |||
by carrying NewSessionTicket messages in CRYPTO frames after the | by carrying NewSessionTicket messages in CRYPTO frames after the | |||
handshake is complete. Session resumption can be used to provide | handshake is complete. Session resumption can be used to provide | |||
0-RTT, and can also be used when 0-RTT is disabled. | 0-RTT and can also be used when 0-RTT is disabled. | |||
Endpoints that use session resumption might need to remember some | Endpoints that use session resumption might need to remember some | |||
information about the current connection when creating a resumed | information about the current connection when creating a resumed | |||
connection. TLS requires that some information be retained; see | connection. TLS requires that some information be retained; see | |||
Section 4.6.1 of [TLS13]. QUIC itself does not depend on any state | Section 4.6.1 of [TLS13]. QUIC itself does not depend on any state | |||
being retained when resuming a connection, unless 0-RTT is also used; | being retained when resuming a connection unless 0-RTT is also used; | |||
see Section 7.4.1 of [QUIC-TRANSPORT] and Section 4.6.1. Application | see Section 7.4.1 of [QUIC-TRANSPORT] and Section 4.6.1. Application | |||
protocols could depend on state that is retained between resumed | protocols could depend on state that is retained between resumed | |||
connections. | connections. | |||
Clients can store any state required for resumption along with the | Clients can store any state required for resumption along with the | |||
session ticket. Servers can use the session ticket to help carry | session ticket. Servers can use the session ticket to help carry | |||
state. | state. | |||
Session resumption allows servers to link activity on the original | Session resumption allows servers to link activity on the original | |||
connection with the resumed connection, which might be a privacy | connection with the resumed connection, which might be a privacy | |||
issue for clients. Clients can choose not to enable resumption to | issue for clients. Clients can choose not to enable resumption to | |||
avoid creating this correlation. Clients SHOULD NOT reuse tickets as | avoid creating this correlation. Clients SHOULD NOT reuse tickets as | |||
that allows entities other than the server to correlate connections; | that allows entities other than the server to correlate connections; | |||
see Section C.4 of [TLS13]. | see Appendix C.4 of [TLS13]. | |||
4.6. 0-RTT | 4.6. 0-RTT | |||
The 0-RTT feature in QUIC allows a client to send application data | The 0-RTT feature in QUIC allows a client to send application data | |||
before the handshake is complete. This is made possible by reusing | before the handshake is complete. This is made possible by reusing | |||
negotiated parameters from a previous connection. To enable this, | negotiated parameters from a previous connection. To enable this, | |||
0-RTT depends on the client remembering critical parameters and | 0-RTT depends on the client remembering critical parameters and | |||
providing the server with a TLS session ticket that allows the server | providing the server with a TLS session ticket that allows the server | |||
to recover the same information. | to recover the same information. | |||
skipping to change at page 18, line 25 ¶ | skipping to change at line 783 ¶ | |||
governed by [TLS13], QUIC transport parameters, the chosen | governed by [TLS13], QUIC transport parameters, the chosen | |||
application protocol, and any information the application protocol | application protocol, and any information the application protocol | |||
might need; see Section 4.6.3. This information determines how 0-RTT | might need; see Section 4.6.3. This information determines how 0-RTT | |||
packets and their contents are formed. | packets and their contents are formed. | |||
To ensure that the same information is available to both endpoints, | To ensure that the same information is available to both endpoints, | |||
all information used to establish 0-RTT comes from the same | all information used to establish 0-RTT comes from the same | |||
connection. Endpoints cannot selectively disregard information that | connection. Endpoints cannot selectively disregard information that | |||
might alter the sending or processing of 0-RTT. | might alter the sending or processing of 0-RTT. | |||
[TLS13] sets a limit of 7 days on the time between the original | [TLS13] sets a limit of seven days on the time between the original | |||
connection and any attempt to use 0-RTT. There are other constraints | connection and any attempt to use 0-RTT. There are other constraints | |||
on 0-RTT usage, notably those caused by the potential exposure to | on 0-RTT usage, notably those caused by the potential exposure to | |||
replay attack; see Section 9.2. | replay attack; see Section 9.2. | |||
4.6.1. Enabling 0-RTT | 4.6.1. Enabling 0-RTT | |||
The TLS "early_data" extension in the NewSessionTicket message is | The TLS early_data extension in the NewSessionTicket message is | |||
defined to convey (in the "max_early_data_size" parameter) the amount | defined to convey (in the max_early_data_size parameter) the amount | |||
of TLS 0-RTT data the server is willing to accept. QUIC does not use | of TLS 0-RTT data the server is willing to accept. QUIC does not use | |||
TLS 0-RTT data. QUIC uses 0-RTT packets to carry early data. | TLS early data. QUIC uses 0-RTT packets to carry early data. | |||
Accordingly, the "max_early_data_size" parameter is repurposed to | Accordingly, the max_early_data_size parameter is repurposed to hold | |||
hold a sentinel value 0xffffffff to indicate that the server is | a sentinel value 0xffffffff to indicate that the server is willing to | |||
willing to accept QUIC 0-RTT data; to indicate that the server does | accept QUIC 0-RTT data. To indicate that the server does not accept | |||
not accept 0-RTT data, the "early_data" extension is omitted from the | 0-RTT data, the early_data extension is omitted from the | |||
NewSessionTicket. The amount of data that the client can send in | NewSessionTicket. The amount of data that the client can send in | |||
QUIC 0-RTT is controlled by the initial_max_data transport parameter | QUIC 0-RTT is controlled by the initial_max_data transport parameter | |||
supplied by the server. | supplied by the server. | |||
Servers MUST NOT send the early_data extension with a | Servers MUST NOT send the early_data extension with a | |||
max_early_data_size field set to any value other than 0xffffffff. A | max_early_data_size field set to any value other than 0xffffffff. A | |||
client MUST treat receipt of a NewSessionTicket that contains an | client MUST treat receipt of a NewSessionTicket that contains an | |||
early_data extension with any other value as a connection error of | early_data extension with any other value as a connection error of | |||
type PROTOCOL_VIOLATION. | type PROTOCOL_VIOLATION. | |||
skipping to change at page 19, line 40 ¶ | skipping to change at line 843 ¶ | |||
application protocol, transport parameters, and any application | application protocol, transport parameters, and any application | |||
configuration. The client therefore MUST reset the state of all | configuration. The client therefore MUST reset the state of all | |||
streams, including application state bound to those streams. | streams, including application state bound to those streams. | |||
A client MAY reattempt 0-RTT if it receives a Retry or Version | A client MAY reattempt 0-RTT if it receives a Retry or Version | |||
Negotiation packet. These packets do not signify rejection of 0-RTT. | Negotiation packet. These packets do not signify rejection of 0-RTT. | |||
4.6.3. Validating 0-RTT Configuration | 4.6.3. Validating 0-RTT Configuration | |||
When a server receives a ClientHello with the early_data extension, | When a server receives a ClientHello with the early_data extension, | |||
it has to decide whether to accept or reject early data from the | it has to decide whether to accept or reject 0-RTT data from the | |||
client. Some of this decision is made by the TLS stack (e.g., | client. Some of this decision is made by the TLS stack (e.g., | |||
checking that the cipher suite being resumed was included in the | checking that the cipher suite being resumed was included in the | |||
ClientHello; see Section 4.2.10 of [TLS13]). Even when the TLS stack | ClientHello; see Section 4.2.10 of [TLS13]). Even when the TLS stack | |||
has no reason to reject early data, the QUIC stack or the application | has no reason to reject 0-RTT data, the QUIC stack or the application | |||
protocol using QUIC might reject early data because the configuration | protocol using QUIC might reject 0-RTT data because the configuration | |||
of the transport or application associated with the resumed session | of the transport or application associated with the resumed session | |||
is not compatible with the server's current configuration. | is not compatible with the server's current configuration. | |||
QUIC requires additional transport state to be associated with a | QUIC requires additional transport state to be associated with a | |||
0-RTT session ticket. One common way to implement this is using | 0-RTT session ticket. One common way to implement this is using | |||
stateless session tickets and storing this state in the session | stateless session tickets and storing this state in the session | |||
ticket. Application protocols that use QUIC might have similar | ticket. Application protocols that use QUIC might have similar | |||
requirements regarding associating or storing state. This associated | requirements regarding associating or storing state. This associated | |||
state is used for deciding whether early data must be rejected. For | state is used for deciding whether 0-RTT data must be rejected. For | |||
example, HTTP/3 ([QUIC-HTTP]) settings determine how early data from | example, HTTP/3 settings [QUIC-HTTP] determine how 0-RTT data from | |||
the client is interpreted. Other applications using QUIC could have | the client is interpreted. Other applications using QUIC could have | |||
different requirements for determining whether to accept or reject | different requirements for determining whether to accept or reject | |||
early data. | 0-RTT data. | |||
4.7. HelloRetryRequest | 4.7. HelloRetryRequest | |||
The HelloRetryRequest message (see Section 4.1.4 of [TLS13]) can be | The HelloRetryRequest message (see Section 4.1.4 of [TLS13]) can be | |||
used to request that a client provide new information, such as a key | used to request that a client provide new information, such as a key | |||
share, or to validate some characteristic of the client. From the | share, or to validate some characteristic of the client. From the | |||
perspective of QUIC, HelloRetryRequest is not differentiated from | perspective of QUIC, HelloRetryRequest is not differentiated from | |||
other cryptographic handshake messages that are carried in Initial | other cryptographic handshake messages that are carried in Initial | |||
packets. Although it is in principle possible to use this feature | packets. Although it is in principle possible to use this feature | |||
for address verification, QUIC implementations SHOULD instead use the | for address verification, QUIC implementations SHOULD instead use the | |||
Retry feature; see Section 8.1 of [QUIC-TRANSPORT]. | Retry feature; see Section 8.1 of [QUIC-TRANSPORT]. | |||
4.8. TLS Errors | 4.8. TLS Errors | |||
If TLS experiences an error, it generates an appropriate alert as | If TLS experiences an error, it generates an appropriate alert as | |||
defined in Section 6 of [TLS13]. | defined in Section 6 of [TLS13]. | |||
A TLS alert is converted into a QUIC connection error. The | A TLS alert is converted into a QUIC connection error. The | |||
AlertDescription value is added to 0x100 to produce a QUIC error code | AlertDescription value is added to 0x0100 to produce a QUIC error | |||
from the range reserved for CRYPTO_ERROR. The resulting value is | code from the range reserved for CRYPTO_ERROR; see Section 20.1 of | |||
sent in a QUIC CONNECTION_CLOSE frame of type 0x1c. | [QUIC-TRANSPORT]. The resulting value is sent in a QUIC | |||
CONNECTION_CLOSE frame of type 0x1c. | ||||
QUIC is only able to convey an alert level of "fatal". In TLS 1.3, | QUIC is only able to convey an alert level of "fatal". In TLS 1.3, | |||
the only existing uses for the "warning" level are to signal | the only existing uses for the "warning" level are to signal | |||
connection close; see Section 6.1 of [TLS13]. As QUIC provides | connection close; see Section 6.1 of [TLS13]. As QUIC provides | |||
alternative mechanisms for connection termination and the TLS | alternative mechanisms for connection termination and the TLS | |||
connection is only closed if an error is encountered, a QUIC endpoint | connection is only closed if an error is encountered, a QUIC endpoint | |||
MUST treat any alert from TLS as if it were at the "fatal" level. | MUST treat any alert from TLS as if it were at the "fatal" level. | |||
QUIC permits the use of a generic code in place of a specific error | QUIC permits the use of a generic code in place of a specific error | |||
code; see Section 11 of [QUIC-TRANSPORT]. For TLS alerts, this | code; see Section 11 of [QUIC-TRANSPORT]. For TLS alerts, this | |||
includes replacing any alert with a generic alert, such as | includes replacing any alert with a generic alert, such as | |||
handshake_failure (0x128 in QUIC). Endpoints MAY use a generic error | handshake_failure (0x0128 in QUIC). Endpoints MAY use a generic | |||
code to avoid possibly exposing confidential information. | error code to avoid possibly exposing confidential information. | |||
4.9. Discarding Unused Keys | 4.9. Discarding Unused Keys | |||
After QUIC has completed a move to a new encryption level, packet | After QUIC has completed a move to a new encryption level, packet | |||
protection keys for previous encryption levels can be discarded. | protection keys for previous encryption levels can be discarded. | |||
This occurs several times during the handshake, as well as when keys | This occurs several times during the handshake, as well as when keys | |||
are updated; see Section 6. | are updated; see Section 6. | |||
Packet protection keys are not discarded immediately when new keys | Packet protection keys are not discarded immediately when new keys | |||
are available. If packets from a lower encryption level contain | are available. If packets from a lower encryption level contain | |||
skipping to change at page 21, line 24 ¶ | skipping to change at line 924 ¶ | |||
An endpoint cannot discard keys for a given encryption level unless | An endpoint cannot discard keys for a given encryption level unless | |||
it has received all the cryptographic handshake messages from its | it has received all the cryptographic handshake messages from its | |||
peer at that encryption level and its peer has done the same. | peer at that encryption level and its peer has done the same. | |||
Different methods for determining this are provided for Initial keys | Different methods for determining this are provided for Initial keys | |||
(Section 4.9.1) and Handshake keys (Section 4.9.2). These methods do | (Section 4.9.1) and Handshake keys (Section 4.9.2). These methods do | |||
not prevent packets from being received or sent at that encryption | not prevent packets from being received or sent at that encryption | |||
level because a peer might not have received all the acknowledgments | level because a peer might not have received all the acknowledgments | |||
necessary. | necessary. | |||
Though an endpoint might retain older keys, new data MUST be sent at | Though an endpoint might retain older keys, new data MUST be sent at | |||
the highest currently-available encryption level. Only ACK frames | the highest currently available encryption level. Only ACK frames | |||
and retransmissions of data in CRYPTO frames are sent at a previous | and retransmissions of data in CRYPTO frames are sent at a previous | |||
encryption level. These packets MAY also include PADDING frames. | encryption level. These packets MAY also include PADDING frames. | |||
4.9.1. Discarding Initial Keys | 4.9.1. Discarding Initial Keys | |||
Packets protected with Initial secrets (Section 5.2) are not | Packets protected with Initial secrets (Section 5.2) are not | |||
authenticated, meaning that an attacker could spoof packets with the | authenticated, meaning that an attacker could spoof packets with the | |||
intent to disrupt a connection. To limit these attacks, Initial | intent to disrupt a connection. To limit these attacks, Initial | |||
packet protection keys are discarded more aggressively than other | packet protection keys are discarded more aggressively than other | |||
keys. | keys. | |||
skipping to change at page 21, line 49 ¶ | skipping to change at line 949 ¶ | |||
Thus, a client MUST discard Initial keys when it first sends a | Thus, a client MUST discard Initial keys when it first sends a | |||
Handshake packet and a server MUST discard Initial keys when it first | Handshake packet and a server MUST discard Initial keys when it first | |||
successfully processes a Handshake packet. Endpoints MUST NOT send | successfully processes a Handshake packet. Endpoints MUST NOT send | |||
Initial packets after this point. | Initial packets after this point. | |||
This results in abandoning loss recovery state for the Initial | This results in abandoning loss recovery state for the Initial | |||
encryption level and ignoring any outstanding Initial packets. | encryption level and ignoring any outstanding Initial packets. | |||
4.9.2. Discarding Handshake Keys | 4.9.2. Discarding Handshake Keys | |||
An endpoint MUST discard its handshake keys when the TLS handshake is | An endpoint MUST discard its Handshake keys when the TLS handshake is | |||
confirmed (Section 4.1.2). | confirmed (Section 4.1.2). | |||
4.9.3. Discarding 0-RTT Keys | 4.9.3. Discarding 0-RTT Keys | |||
0-RTT and 1-RTT packets share the same packet number space, and | 0-RTT and 1-RTT packets share the same packet number space, and | |||
clients do not send 0-RTT packets after sending a 1-RTT packet | clients do not send 0-RTT packets after sending a 1-RTT packet | |||
(Section 5.6). | (Section 5.6). | |||
Therefore, a client SHOULD discard 0-RTT keys as soon as it installs | Therefore, a client SHOULD discard 0-RTT keys as soon as it installs | |||
1-RTT keys, since they have no use after that moment. | 1-RTT keys as they have no use after that moment. | |||
Additionally, a server MAY discard 0-RTT keys as soon as it receives | Additionally, a server MAY discard 0-RTT keys as soon as it receives | |||
a 1-RTT packet. However, due to packet reordering, a 0-RTT packet | a 1-RTT packet. However, due to packet reordering, a 0-RTT packet | |||
could arrive after a 1-RTT packet. Servers MAY temporarily retain | could arrive after a 1-RTT packet. Servers MAY temporarily retain | |||
0-RTT keys to allow decrypting reordered packets without requiring | 0-RTT keys to allow decrypting reordered packets without requiring | |||
their contents to be retransmitted with 1-RTT keys. After receiving | their contents to be retransmitted with 1-RTT keys. After receiving | |||
a 1-RTT packet, servers MUST discard 0-RTT keys within a short time; | a 1-RTT packet, servers MUST discard 0-RTT keys within a short time; | |||
the RECOMMENDED time period is three times the Probe Timeout (PTO, | the RECOMMENDED time period is three times the Probe Timeout (PTO, | |||
see [QUIC-RECOVERY]). A server MAY discard 0-RTT keys earlier if it | see [QUIC-RECOVERY]). A server MAY discard 0-RTT keys earlier if it | |||
determines that it has received all 0-RTT packets, which can be done | determines that it has received all 0-RTT packets, which can be done | |||
skipping to change at page 23, line 19 ¶ | skipping to change at line 1015 ¶ | |||
Each encryption level has separate secret values for protection of | Each encryption level has separate secret values for protection of | |||
packets sent in each direction. These traffic secrets are derived by | packets sent in each direction. These traffic secrets are derived by | |||
TLS (see Section 7.1 of [TLS13]) and are used by QUIC for all | TLS (see Section 7.1 of [TLS13]) and are used by QUIC for all | |||
encryption levels except the Initial encryption level. The secrets | encryption levels except the Initial encryption level. The secrets | |||
for the Initial encryption level are computed based on the client's | for the Initial encryption level are computed based on the client's | |||
initial Destination Connection ID, as described in Section 5.2. | initial Destination Connection ID, as described in Section 5.2. | |||
The keys used for packet protection are computed from the TLS secrets | The keys used for packet protection are computed from the TLS secrets | |||
using the KDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label | using the KDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label | |||
function described in Section 7.1 of [TLS13] is used, using the hash | function described in Section 7.1 of [TLS13] is used with the hash | |||
function from the negotiated cipher suite. All uses of HKDF-Expand- | function from the negotiated cipher suite. All uses of HKDF-Expand- | |||
Label in QUIC use a zero-length Context. | Label in QUIC use a zero-length Context. | |||
Note that labels, which are described using strings, are encoded as | Note that labels, which are described using strings, are encoded as | |||
bytes using ASCII [ASCII] without quotes or any trailing NUL byte. | bytes using ASCII [ASCII] without quotes or any trailing NUL byte. | |||
Other versions of TLS MUST provide a similar function in order to be | Other versions of TLS MUST provide a similar function in order to be | |||
used with QUIC. | used with QUIC. | |||
The current encryption level secret and the label "quic key" are | The current encryption level secret and the label "quic key" are | |||
input to the KDF to produce the AEAD key; the label "quic iv" is used | input to the KDF to produce the AEAD key; the label "quic iv" is used | |||
to derive the Initialization Vector (IV); see Section 5.3. The | to derive the Initialization Vector (IV); see Section 5.3. The | |||
header protection key uses the "quic hp" label; see Section 5.4. | header protection key uses the "quic hp" label; see Section 5.4. | |||
Using these labels provides key separation between QUIC and TLS; see | Using these labels provides key separation between QUIC and TLS; see | |||
Section 9.6. | Section 9.6. | |||
Both "quic key" and "quic hp" are used to produce keys, so the Length | Both "quic key" and "quic hp" are used to produce keys, so the Length | |||
provided to HKDF-Expand-Label along with these labels is determined | provided to HKDF-Expand-Label along with these labels is determined | |||
by the size of keys in the AEAD or header protection algorithm. The | by the size of keys in the AEAD or header protection algorithm. The | |||
Length provided with "quic iv" is the minimum length of the AEAD | Length provided with "quic iv" is the minimum length of the AEAD | |||
nonce, or 8 bytes if that is larger; see [AEAD]. | nonce or 8 bytes if that is larger; see [AEAD]. | |||
The KDF used for initial secrets is always the HKDF-Expand-Label | The KDF used for initial secrets is always the HKDF-Expand-Label | |||
function from TLS 1.3; see Section 5.2. | function from TLS 1.3; see Section 5.2. | |||
5.2. Initial Secrets | 5.2. Initial Secrets | |||
Initial packets apply the packet protection process, but use a secret | Initial packets apply the packet protection process, but use a secret | |||
derived from the Destination Connection ID field from the client's | derived from the Destination Connection ID field from the client's | |||
first Initial packet. | first Initial packet. | |||
This secret is determined by using HKDF-Extract (see Section 2.2 of | This secret is determined by using HKDF-Extract (see Section 2.2 of | |||
[HKDF]) with a salt of 0x38762cf7f55934b34d179ae6a4c80cadccbb7f0a and | [HKDF]) with a salt of 0x38762cf7f55934b34d179ae6a4c80cadccbb7f0a and | |||
a IKM of the Destination Connection ID field. This produces an | the input keying material (IKM) of the Destination Connection ID | |||
intermediate pseudorandom key (PRK) that is used to derive two | field. This produces an intermediate pseudorandom key (PRK) that is | |||
separate secrets for sending and receiving. | used to derive two separate secrets for sending and receiving. | |||
The secret used by clients to construct Initial packets uses the PRK | The secret used by clients to construct Initial packets uses the PRK | |||
and the label "client in" as input to the HKDF-Expand-Label function | and the label "client in" as input to the HKDF-Expand-Label function | |||
from TLS [TLS13] to produce a 32-byte secret. Packets constructed by | from TLS [TLS13] to produce a 32-byte secret. Packets constructed by | |||
the server use the same process with the label "server in". The hash | the server use the same process with the label "server in". The hash | |||
function for HKDF when deriving initial secrets and keys is SHA-256 | function for HKDF when deriving initial secrets and keys is SHA-256 | |||
[SHA]. | [SHA]. | |||
This process in pseudocode is: | This process in pseudocode is: | |||
skipping to change at page 24, line 33 ¶ | skipping to change at line 1075 ¶ | |||
client_initial_secret = HKDF-Expand-Label(initial_secret, | client_initial_secret = HKDF-Expand-Label(initial_secret, | |||
"client in", "", | "client in", "", | |||
Hash.length) | Hash.length) | |||
server_initial_secret = HKDF-Expand-Label(initial_secret, | server_initial_secret = HKDF-Expand-Label(initial_secret, | |||
"server in", "", | "server in", "", | |||
Hash.length) | Hash.length) | |||
The connection ID used with HKDF-Expand-Label is the Destination | The connection ID used with HKDF-Expand-Label is the Destination | |||
Connection ID in the Initial packet sent by the client. This will be | Connection ID in the Initial packet sent by the client. This will be | |||
a randomly-selected value unless the client creates the Initial | a randomly selected value unless the client creates the Initial | |||
packet after receiving a Retry packet, where the Destination | packet after receiving a Retry packet, where the Destination | |||
Connection ID is selected by the server. | Connection ID is selected by the server. | |||
Future versions of QUIC SHOULD generate a new salt value, thus | Future versions of QUIC SHOULD generate a new salt value, thus | |||
ensuring that the keys are different for each version of QUIC. This | ensuring that the keys are different for each version of QUIC. This | |||
prevents a middlebox that recognizes only one version of QUIC from | prevents a middlebox that recognizes only one version of QUIC from | |||
seeing or modifying the contents of packets from future versions. | seeing or modifying the contents of packets from future versions. | |||
The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for | The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for | |||
Initial packets even where the TLS versions offered do not include | Initial packets even where the TLS versions offered do not include | |||
TLS 1.3. | TLS 1.3. | |||
The secrets used for constructing subsequent Initial packets change | The secrets used for constructing subsequent Initial packets change | |||
when a server sends a Retry packet, to use the connection ID value | when a server sends a Retry packet to use the connection ID value | |||
selected by the server. The secrets do not change when a client | selected by the server. The secrets do not change when a client | |||
changes the Destination Connection ID it uses in response to an | changes the Destination Connection ID it uses in response to an | |||
Initial packet from the server. | Initial packet from the server. | |||
Note: The Destination Connection ID field could be any length up to | | Note: The Destination Connection ID field could be any length | |||
20 bytes, including zero length if the server sends a Retry packet | | up to 20 bytes, including zero length if the server sends a | |||
with a zero-length Source Connection ID field. After a Retry, the | | Retry packet with a zero-length Source Connection ID field. | |||
Initial keys provide the client no assurance that the server | | After a Retry, the Initial keys provide the client no assurance | |||
received its packet, so the client has to rely on the exchange | | that the server received its packet, so the client has to rely | |||
that included the Retry packet to validate the server address; see | | on the exchange that included the Retry packet to validate the | |||
Section 8.1 of [QUIC-TRANSPORT]. | | server address; see Section 8.1 of [QUIC-TRANSPORT]. | |||
Appendix A contains sample Initial packets. | Appendix A contains sample Initial packets. | |||
5.3. AEAD Usage | 5.3. AEAD Usage | |||
The Authenticated Encryption with Associated Data (AEAD; see [AEAD]) | The Authenticated Encryption with Associated Data (AEAD) function | |||
function used for QUIC packet protection is the AEAD that is | (see [AEAD]) used for QUIC packet protection is the AEAD that is | |||
negotiated for use with the TLS connection. For example, if TLS is | negotiated for use with the TLS connection. For example, if TLS is | |||
using the TLS_AES_128_GCM_SHA256 cipher suite, the AEAD_AES_128_GCM | using the TLS_AES_128_GCM_SHA256 cipher suite, the AEAD_AES_128_GCM | |||
function is used. | function is used. | |||
QUIC can use any of the cipher suites defined in [TLS13] with the | QUIC can use any of the cipher suites defined in [TLS13] with the | |||
exception of TLS_AES_128_CCM_8_SHA256. A cipher suite MUST NOT be | exception of TLS_AES_128_CCM_8_SHA256. A cipher suite MUST NOT be | |||
negotiated unless a header protection scheme is defined for the | negotiated unless a header protection scheme is defined for the | |||
cipher suite. This document defines a header protection scheme for | cipher suite. This document defines a header protection scheme for | |||
all cipher suites defined in [TLS13] aside from | all cipher suites defined in [TLS13] aside from | |||
TLS_AES_128_CCM_8_SHA256. These cipher suites have a 16-byte | TLS_AES_128_CCM_8_SHA256. These cipher suites have a 16-byte | |||
authentication tag and produce an output 16 bytes larger than their | authentication tag and produce an output 16 bytes larger than their | |||
input. | input. | |||
Note: An endpoint MUST NOT reject a ClientHello that offers a cipher | An endpoint MUST NOT reject a ClientHello that offers a cipher suite | |||
suite that it does not support, or it would be impossible to | that it does not support, or it would be impossible to deploy a new | |||
deploy a new cipher suite. This also applies to | cipher suite. This also applies to TLS_AES_128_CCM_8_SHA256. | |||
TLS_AES_128_CCM_8_SHA256. | ||||
When constructing packets, the AEAD function is applied prior to | When constructing packets, the AEAD function is applied prior to | |||
applying header protection; see Section 5.4. The unprotected packet | applying header protection; see Section 5.4. The unprotected packet | |||
header is part of the associated data (A). When processing packets, | header is part of the associated data (A). When processing packets, | |||
an endpoint first removes the header protection. | an endpoint first removes the header protection. | |||
The key and IV for the packet are computed as described in | The key and IV for the packet are computed as described in | |||
Section 5.1. The nonce, N, is formed by combining the packet | Section 5.1. The nonce, N, is formed by combining the packet | |||
protection IV with the packet number. The 62 bits of the | protection IV with the packet number. The 62 bits of the | |||
reconstructed QUIC packet number in network byte order are left- | reconstructed QUIC packet number in network byte order are left- | |||
skipping to change at page 26, line 24 ¶ | skipping to change at line 1160 ¶ | |||
use. | use. | |||
5.4. Header Protection | 5.4. Header Protection | |||
Parts of QUIC packet headers, in particular the Packet Number field, | Parts of QUIC packet headers, in particular the Packet Number field, | |||
are protected using a key that is derived separately from the packet | are protected using a key that is derived separately from the packet | |||
protection key and IV. The key derived using the "quic hp" label is | protection key and IV. The key derived using the "quic hp" label is | |||
used to provide confidentiality protection for those fields that are | used to provide confidentiality protection for those fields that are | |||
not exposed to on-path elements. | not exposed to on-path elements. | |||
This protection applies to the least-significant bits of the first | This protection applies to the least significant bits of the first | |||
byte, plus the Packet Number field. The four least-significant bits | byte, plus the Packet Number field. The four least significant bits | |||
of the first byte are protected for packets with long headers; the | of the first byte are protected for packets with long headers; the | |||
five least significant bits of the first byte are protected for | five least significant bits of the first byte are protected for | |||
packets with short headers. For both header forms, this covers the | packets with short headers. For both header forms, this covers the | |||
reserved bits and the Packet Number Length field; the Key Phase bit | reserved bits and the Packet Number Length field; the Key Phase bit | |||
is also protected for packets with a short header. | is also protected for packets with a short header. | |||
The same header protection key is used for the duration of the | The same header protection key is used for the duration of the | |||
connection, with the value not changing after a key update (see | connection, with the value not changing after a key update (see | |||
Section 6). This allows header protection to be used to protect the | Section 6). This allows header protection to be used to protect the | |||
key phase. | key phase. | |||
skipping to change at page 27, line 15 ¶ | skipping to change at line 1194 ¶ | |||
The output of this algorithm is a 5-byte mask that is applied to the | The output of this algorithm is a 5-byte mask that is applied to the | |||
protected header fields using exclusive OR. The least significant | protected header fields using exclusive OR. The least significant | |||
bits of the first byte of the packet are masked by the least | bits of the first byte of the packet are masked by the least | |||
significant bits of the first mask byte, and the packet number is | significant bits of the first mask byte, and the packet number is | |||
masked with the remaining bytes. Any unused bytes of mask that might | masked with the remaining bytes. Any unused bytes of mask that might | |||
result from a shorter packet number encoding are unused. | result from a shorter packet number encoding are unused. | |||
Figure 6 shows a sample algorithm for applying header protection. | Figure 6 shows a sample algorithm for applying header protection. | |||
Removing header protection only differs in the order in which the | Removing header protection only differs in the order in which the | |||
packet number length (pn_length) is determined (here "^" is used to | packet number length (pn_length) is determined (here "^" is used to | |||
represent exclusive or). | represent exclusive OR). | |||
mask = header_protection(hp_key, sample) | mask = header_protection(hp_key, sample) | |||
pn_length = (packet[0] & 0x03) + 1 | pn_length = (packet[0] & 0x03) + 1 | |||
if (packet[0] & 0x80) == 0x80: | if (packet[0] & 0x80) == 0x80: | |||
# Long header: 4 bits masked | # Long header: 4 bits masked | |||
packet[0] ^= mask[0] & 0x0f | packet[0] ^= mask[0] & 0x0f | |||
else: | else: | |||
# Short header: 5 bits masked | # Short header: 5 bits masked | |||
packet[0] ^= mask[0] & 0x1f | packet[0] ^= mask[0] & 0x1f | |||
skipping to change at page 29, line 6 ¶ | skipping to change at line 1269 ¶ | |||
in [AEAD]), and AEAD_CHACHA20_POLY1305 (defined in [CHACHA]). Prior | in [AEAD]), and AEAD_CHACHA20_POLY1305 (defined in [CHACHA]). Prior | |||
to TLS selecting a cipher suite, AES header protection is used | to TLS selecting a cipher suite, AES header protection is used | |||
(Section 5.4.3), matching the AEAD_AES_128_GCM packet protection. | (Section 5.4.3), matching the AEAD_AES_128_GCM packet protection. | |||
5.4.2. Header Protection Sample | 5.4.2. Header Protection Sample | |||
The header protection algorithm uses both the header protection key | The header protection algorithm uses both the header protection key | |||
and a sample of the ciphertext from the packet Payload field. | and a sample of the ciphertext from the packet Payload field. | |||
The same number of bytes are always sampled, but an allowance needs | The same number of bytes are always sampled, but an allowance needs | |||
to be made for the endpoint removing protection, which will not know | to be made for the removal of protection by a receiving endpoint, | |||
the length of the Packet Number field. The sample of ciphertext is | which will not know the length of the Packet Number field. The | |||
taken starting from an offset of 4 bytes after the start of the | sample of ciphertext is taken starting from an offset of 4 bytes | |||
Packet Number field. That is, in sampling packet ciphertext for | after the start of the Packet Number field. That is, in sampling | |||
header protection, the Packet Number field is assumed to be 4 bytes | packet ciphertext for header protection, the Packet Number field is | |||
long (its maximum possible encoded length). | assumed to be 4 bytes long (its maximum possible encoded length). | |||
An endpoint MUST discard packets that are not long enough to contain | An endpoint MUST discard packets that are not long enough to contain | |||
a complete sample. | a complete sample. | |||
To ensure that sufficient data is available for sampling, packets are | To ensure that sufficient data is available for sampling, packets are | |||
padded so that the combined lengths of the encoded packet number and | padded so that the combined lengths of the encoded packet number and | |||
protected payload is at least 4 bytes longer than the sample required | protected payload is at least 4 bytes longer than the sample required | |||
for header protection. The cipher suites defined in [TLS13] - other | for header protection. The cipher suites defined in [TLS13] -- other | |||
than TLS_AES_128_CCM_8_SHA256, for which a header protection scheme | than TLS_AES_128_CCM_8_SHA256, for which a header protection scheme | |||
is not defined in this document - have 16-byte expansions and 16-byte | is not defined in this document -- have 16-byte expansions and | |||
header protection samples. This results in needing at least 3 bytes | 16-byte header protection samples. This results in needing at least | |||
of frames in the unprotected payload if the packet number is encoded | 3 bytes of frames in the unprotected payload if the packet number is | |||
on a single byte, or 2 bytes of frames for a 2-byte packet number | encoded on a single byte, or 2 bytes of frames for a 2-byte packet | |||
encoding. | number encoding. | |||
The sampled ciphertext can be determined by the following pseudocode: | The sampled ciphertext can be determined by the following pseudocode: | |||
# pn_offset is the start of the Packet Number field. | # pn_offset is the start of the Packet Number field. | |||
sample_offset = pn_offset + 4 | sample_offset = pn_offset + 4 | |||
sample = packet[sample_offset..sample_offset+sample_length] | sample = packet[sample_offset..sample_offset+sample_length] | |||
where the packet number offset of a short header packet can be | Where the packet number offset of a short header packet can be | |||
calculated as: | calculated as: | |||
pn_offset = 1 + len(connection_id) | pn_offset = 1 + len(connection_id) | |||
and the packet number offset of a long header packet can be | And the packet number offset of a long header packet can be | |||
calculated as: | calculated as: | |||
pn_offset = 7 + len(destination_connection_id) + | pn_offset = 7 + len(destination_connection_id) + | |||
len(source_connection_id) + | len(source_connection_id) + | |||
len(payload_length) | len(payload_length) | |||
if packet_type == Initial: | if packet_type == Initial: | |||
pn_offset += len(token_length) + | pn_offset += len(token_length) + | |||
len(token) | len(token) | |||
For example, for a packet with a short header, an 8-byte connection | For example, for a packet with a short header, an 8-byte connection | |||
ID, and protected with AEAD_AES_128_GCM, the sample takes bytes 13 to | ID, and protected with AEAD_AES_128_GCM, the sample takes bytes 13 to | |||
28 inclusive (using zero-based indexing). | 28 inclusive (using zero-based indexing). | |||
Multiple QUIC packets might be included in the same UDP datagram. | Multiple QUIC packets might be included in the same UDP datagram. | |||
Each packet is handled separately. | Each packet is handled separately. | |||
5.4.3. AES-Based Header Protection | 5.4.3. AES-Based Header Protection | |||
This section defines the packet protection algorithm for | This section defines the packet protection algorithm for | |||
AEAD_AES_128_GCM, AEAD_AES_128_CCM, and AEAD_AES_256_GCM. | AEAD_AES_128_GCM, AEAD_AES_128_CCM, and AEAD_AES_256_GCM. | |||
AEAD_AES_128_GCM and AEAD_AES_128_CCM use 128-bit AES in electronic | AEAD_AES_128_GCM and AEAD_AES_128_CCM use 128-bit AES in Electronic | |||
code-book (ECB) mode. AEAD_AES_256_GCM uses 256-bit AES in ECB mode. | Codebook (ECB) mode. AEAD_AES_256_GCM uses 256-bit AES in ECB mode. | |||
AES is defined in [AES]. | AES is defined in [AES]. | |||
This algorithm samples 16 bytes from the packet ciphertext. This | This algorithm samples 16 bytes from the packet ciphertext. This | |||
value is used as the input to AES-ECB. In pseudocode, the header | value is used as the input to AES-ECB. In pseudocode, the header | |||
protection function is defined as: | protection function is defined as: | |||
header_protection(hp_key, sample): | header_protection(hp_key, sample): | |||
mask = AES-ECB(hp_key, sample) | mask = AES-ECB(hp_key, sample) | |||
5.4.4. ChaCha20-Based Header Protection | 5.4.4. ChaCha20-Based Header Protection | |||
When AEAD_CHACHA20_POLY1305 is in use, header protection uses the raw | When AEAD_CHACHA20_POLY1305 is in use, header protection uses the raw | |||
ChaCha20 function as defined in Section 2.4 of [CHACHA]. This uses a | ChaCha20 function as defined in Section 2.4 of [CHACHA]. This uses a | |||
256-bit key and 16 bytes sampled from the packet protection output. | 256-bit key and 16 bytes sampled from the packet protection output. | |||
The first 4 bytes of the sampled ciphertext are the block counter. A | The first 4 bytes of the sampled ciphertext are the block counter. A | |||
ChaCha20 implementation could take a 32-bit integer in place of a | ChaCha20 implementation could take a 32-bit integer in place of a | |||
byte sequence, in which case the byte sequence is interpreted as a | byte sequence, in which case, the byte sequence is interpreted as a | |||
little-endian value. | little-endian value. | |||
The remaining 12 bytes are used as the nonce. A ChaCha20 | The remaining 12 bytes are used as the nonce. A ChaCha20 | |||
implementation might take an array of three 32-bit integers in place | implementation might take an array of three 32-bit integers in place | |||
of a byte sequence, in which case the nonce bytes are interpreted as | of a byte sequence, in which case, the nonce bytes are interpreted as | |||
a sequence of 32-bit little-endian integers. | a sequence of 32-bit little-endian integers. | |||
The encryption mask is produced by invoking ChaCha20 to protect 5 | The encryption mask is produced by invoking ChaCha20 to protect 5 | |||
zero bytes. In pseudocode, the header protection function is defined | zero bytes. In pseudocode, the header protection function is defined | |||
as: | as: | |||
header_protection(hp_key, sample): | header_protection(hp_key, sample): | |||
counter = sample[0..3] | counter = sample[0..3] | |||
nonce = sample[4..15] | nonce = sample[4..15] | |||
mask = ChaCha20(hp_key, counter, nonce, {0,0,0,0,0}) | mask = ChaCha20(hp_key, counter, nonce, {0,0,0,0,0}) | |||
5.5. Receiving Protected Packets | 5.5. Receiving Protected Packets | |||
Once an endpoint successfully receives a packet with a given packet | Once an endpoint successfully receives a packet with a given packet | |||
number, it MUST discard all packets in the same packet number space | number, it MUST discard all packets in the same packet number space | |||
with higher packet numbers if they cannot be successfully unprotected | with higher packet numbers if they cannot be successfully unprotected | |||
with either the same key, or - if there is a key update - a | with either the same key, or -- if there is a key update -- a | |||
subsequent packet protection key; see Section 6. Similarly, a packet | subsequent packet protection key; see Section 6. Similarly, a packet | |||
that appears to trigger a key update, but cannot be unprotected | that appears to trigger a key update but cannot be unprotected | |||
successfully MUST be discarded. | successfully MUST be discarded. | |||
Failure to unprotect a packet does not necessarily indicate the | Failure to unprotect a packet does not necessarily indicate the | |||
existence of a protocol error in a peer or an attack. The truncated | existence of a protocol error in a peer or an attack. The truncated | |||
packet number encoding used in QUIC can cause packet numbers to be | packet number encoding used in QUIC can cause packet numbers to be | |||
decoded incorrectly if they are delayed significantly. | decoded incorrectly if they are delayed significantly. | |||
5.6. Use of 0-RTT Keys | 5.6. Use of 0-RTT Keys | |||
If 0-RTT keys are available (see Section 4.6.1), the lack of replay | If 0-RTT keys are available (see Section 4.6.1), the lack of replay | |||
skipping to change at page 32, line 22 ¶ | skipping to change at line 1422 ¶ | |||
if it receives an indication that 0-RTT data has been rejected. | if it receives an indication that 0-RTT data has been rejected. | |||
A server MUST NOT use 0-RTT keys to protect packets; it uses 1-RTT | A server MUST NOT use 0-RTT keys to protect packets; it uses 1-RTT | |||
keys to protect acknowledgments of 0-RTT packets. A client MUST NOT | keys to protect acknowledgments of 0-RTT packets. A client MUST NOT | |||
attempt to decrypt 0-RTT packets it receives and instead MUST discard | attempt to decrypt 0-RTT packets it receives and instead MUST discard | |||
them. | them. | |||
Once a client has installed 1-RTT keys, it MUST NOT send any more | Once a client has installed 1-RTT keys, it MUST NOT send any more | |||
0-RTT packets. | 0-RTT packets. | |||
Note: 0-RTT data can be acknowledged by the server as it receives | | Note: 0-RTT data can be acknowledged by the server as it | |||
it, but any packets containing acknowledgments of 0-RTT data | | receives it, but any packets containing acknowledgments of | |||
cannot have packet protection removed by the client until the TLS | | 0-RTT data cannot have packet protection removed by the client | |||
handshake is complete. The 1-RTT keys necessary to remove packet | | until the TLS handshake is complete. The 1-RTT keys necessary | |||
protection cannot be derived until the client receives all server | | to remove packet protection cannot be derived until the client | |||
handshake messages. | | receives all server handshake messages. | |||
5.7. Receiving Out-of-Order Protected Packets | 5.7. Receiving Out-of-Order Protected Packets | |||
Due to reordering and loss, protected packets might be received by an | Due to reordering and loss, protected packets might be received by an | |||
endpoint before the final TLS handshake messages are received. A | endpoint before the final TLS handshake messages are received. A | |||
client will be unable to decrypt 1-RTT packets from the server, | client will be unable to decrypt 1-RTT packets from the server, | |||
whereas a server will be able to decrypt 1-RTT packets from the | whereas a server will be able to decrypt 1-RTT packets from the | |||
client. Endpoints in either role MUST NOT decrypt 1-RTT packets from | client. Endpoints in either role MUST NOT decrypt 1-RTT packets from | |||
their peer prior to completing the handshake. | their peer prior to completing the handshake. | |||
skipping to change at page 33, line 14 ¶ | skipping to change at line 1462 ¶ | |||
Therefore, the server's use of 1-RTT keys before the handshake is | Therefore, the server's use of 1-RTT keys before the handshake is | |||
complete is limited to sending data. A server MUST NOT process | complete is limited to sending data. A server MUST NOT process | |||
incoming 1-RTT protected packets before the TLS handshake is | incoming 1-RTT protected packets before the TLS handshake is | |||
complete. Because sending acknowledgments indicates that all frames | complete. Because sending acknowledgments indicates that all frames | |||
in a packet have been processed, a server cannot send acknowledgments | in a packet have been processed, a server cannot send acknowledgments | |||
for 1-RTT packets until the TLS handshake is complete. Received | for 1-RTT packets until the TLS handshake is complete. Received | |||
packets protected with 1-RTT keys MAY be stored and later decrypted | packets protected with 1-RTT keys MAY be stored and later decrypted | |||
and used once the handshake is complete. | and used once the handshake is complete. | |||
Note: TLS implementations might provide all 1-RTT secrets prior to | | Note: TLS implementations might provide all 1-RTT secrets prior | |||
handshake completion. Even where QUIC implementations have 1-RTT | | to handshake completion. Even where QUIC implementations have | |||
read keys, those keys are not to be used prior to completing the | | 1-RTT read keys, those keys are not to be used prior to | |||
handshake. | | completing the handshake. | |||
The requirement for the server to wait for the client Finished | The requirement for the server to wait for the client Finished | |||
message creates a dependency on that message being delivered. A | message creates a dependency on that message being delivered. A | |||
client can avoid the potential for head-of-line blocking that this | client can avoid the potential for head-of-line blocking that this | |||
implies by sending its 1-RTT packets coalesced with a Handshake | implies by sending its 1-RTT packets coalesced with a Handshake | |||
packet containing a copy of the CRYPTO frame that carries the | packet containing a copy of the CRYPTO frame that carries the | |||
Finished message, until one of the Handshake packets is acknowledged. | Finished message, until one of the Handshake packets is acknowledged. | |||
This enables immediate server processing for those packets. | This enables immediate server processing for those packets. | |||
A server could receive packets protected with 0-RTT keys prior to | A server could receive packets protected with 0-RTT keys prior to | |||
receiving a TLS ClientHello. The server MAY retain these packets for | receiving a TLS ClientHello. The server MAY retain these packets for | |||
later decryption in anticipation of receiving a ClientHello. | later decryption in anticipation of receiving a ClientHello. | |||
A client generally receives 1-RTT keys at the same time as the | A client generally receives 1-RTT keys at the same time as the | |||
handshake completes. Even if it has 1-RTT secrets, a client MUST NOT | handshake completes. Even if it has 1-RTT secrets, a client MUST NOT | |||
process incoming 1-RTT protected packets before the TLS handshake is | process incoming 1-RTT protected packets before the TLS handshake is | |||
complete. | complete. | |||
5.8. Retry Packet Integrity | 5.8. Retry Packet Integrity | |||
Retry packets (see the Retry Packet section of [QUIC-TRANSPORT]) | Retry packets (see Section 17.2.5 of [QUIC-TRANSPORT]) carry a Retry | |||
carry a Retry Integrity Tag that provides two properties: it allows | Integrity Tag that provides two properties: it allows the discarding | |||
discarding packets that have accidentally been corrupted by the | of packets that have accidentally been corrupted by the network, and | |||
network; only an entity that observes an Initial packet can send a | only an entity that observes an Initial packet can send a valid Retry | |||
valid Retry packet. | packet. | |||
The Retry Integrity Tag is a 128-bit field that is computed as the | The Retry Integrity Tag is a 128-bit field that is computed as the | |||
output of AEAD_AES_128_GCM ([AEAD]) used with the following inputs: | output of AEAD_AES_128_GCM [AEAD] used with the following inputs: | |||
* The secret key, K, is 128 bits equal to | * The secret key, K, is 128 bits equal to | |||
0xbe0c690b9f66575a1d766b54e368c84e. | 0xbe0c690b9f66575a1d766b54e368c84e. | |||
* The nonce, N, is 96 bits equal to 0x461599d35d632bf2239825bb. | * The nonce, N, is 96 bits equal to 0x461599d35d632bf2239825bb. | |||
* The plaintext, P, is empty. | * The plaintext, P, is empty. | |||
* The associated data, A, is the contents of the Retry Pseudo- | * The associated data, A, is the contents of the Retry Pseudo- | |||
Packet, as illustrated in Figure 8: | Packet, as illustrated in Figure 8: | |||
skipping to change at page 34, line 31 ¶ | skipping to change at line 1528 ¶ | |||
DCID Len (8), | DCID Len (8), | |||
Destination Connection ID (0..160), | Destination Connection ID (0..160), | |||
SCID Len (8), | SCID Len (8), | |||
Source Connection ID (0..160), | Source Connection ID (0..160), | |||
Retry Token (..), | Retry Token (..), | |||
} | } | |||
Figure 8: Retry Pseudo-Packet | Figure 8: Retry Pseudo-Packet | |||
The Retry Pseudo-Packet is not sent over the wire. It is computed by | The Retry Pseudo-Packet is not sent over the wire. It is computed by | |||
taking the transmitted Retry packet, removing the Retry Integrity Tag | taking the transmitted Retry packet, removing the Retry Integrity | |||
and prepending the two following fields: | Tag, and prepending the two following fields: | |||
ODCID Length: The ODCID Length field contains the length in bytes of | ODCID Length: The ODCID Length field contains the length in bytes of | |||
the Original Destination Connection ID field that follows it, | the Original Destination Connection ID field that follows it, | |||
encoded as an 8-bit unsigned integer. | encoded as an 8-bit unsigned integer. | |||
Original Destination Connection ID: The Original Destination | Original Destination Connection ID: The Original Destination | |||
Connection ID contains the value of the Destination Connection ID | Connection ID contains the value of the Destination Connection ID | |||
from the Initial packet that this Retry is in response to. The | from the Initial packet that this Retry is in response to. The | |||
length of this field is given in ODCID Length. The presence of | length of this field is given in ODCID Length. The presence of | |||
this field ensures that a valid Retry packet can only be sent by | this field ensures that a valid Retry packet can only be sent by | |||
skipping to change at page 35, line 22 ¶ | skipping to change at line 1564 ¶ | |||
the change. An endpoint that notices a changed Key Phase bit updates | the change. An endpoint that notices a changed Key Phase bit updates | |||
keys and decrypts the packet that contains the changed value. | keys and decrypts the packet that contains the changed value. | |||
Initiating a key update results in both endpoints updating keys. | Initiating a key update results in both endpoints updating keys. | |||
This differs from TLS where endpoints can update keys independently. | This differs from TLS where endpoints can update keys independently. | |||
This mechanism replaces the key update mechanism of TLS, which relies | This mechanism replaces the key update mechanism of TLS, which relies | |||
on KeyUpdate messages sent using 1-RTT encryption keys. Endpoints | on KeyUpdate messages sent using 1-RTT encryption keys. Endpoints | |||
MUST NOT send a TLS KeyUpdate message. Endpoints MUST treat the | MUST NOT send a TLS KeyUpdate message. Endpoints MUST treat the | |||
receipt of a TLS KeyUpdate message as a connection error of type | receipt of a TLS KeyUpdate message as a connection error of type | |||
0x10a, equivalent to a fatal TLS alert of unexpected_message; see | 0x010a, equivalent to a fatal TLS alert of unexpected_message; see | |||
Section 4.8. | Section 4.8. | |||
Figure 9 shows a key update process, where the initial set of keys | Figure 9 shows a key update process, where the initial set of keys | |||
used (identified with @M) are replaced by updated keys (identified | used (identified with @M) are replaced by updated keys (identified | |||
with @N). The value of the Key Phase bit is indicated in brackets | with @N). The value of the Key Phase bit is indicated in brackets | |||
[]. | []. | |||
Initiating Peer Responding Peer | Initiating Peer Responding Peer | |||
@M [0] QUIC Packets | @M [0] QUIC Packets | |||
skipping to change at page 36, line 31 ¶ | skipping to change at line 1620 ¶ | |||
The endpoint toggles the value of the Key Phase bit and uses the | The endpoint toggles the value of the Key Phase bit and uses the | |||
updated key and IV to protect all subsequent packets. | updated key and IV to protect all subsequent packets. | |||
An endpoint MUST NOT initiate a key update prior to having confirmed | An endpoint MUST NOT initiate a key update prior to having confirmed | |||
the handshake (Section 4.1.2). An endpoint MUST NOT initiate a | the handshake (Section 4.1.2). An endpoint MUST NOT initiate a | |||
subsequent key update unless it has received an acknowledgment for a | subsequent key update unless it has received an acknowledgment for a | |||
packet that was sent protected with keys from the current key phase. | packet that was sent protected with keys from the current key phase. | |||
This ensures that keys are available to both peers before another key | This ensures that keys are available to both peers before another key | |||
update can be initiated. This can be implemented by tracking the | update can be initiated. This can be implemented by tracking the | |||
lowest packet number sent with each key phase, and the highest | lowest packet number sent with each key phase and the highest | |||
acknowledged packet number in the 1-RTT space: once the latter is | acknowledged packet number in the 1-RTT space: once the latter is | |||
higher than or equal to the former, another key update can be | higher than or equal to the former, another key update can be | |||
initiated. | initiated. | |||
Note: Keys of packets other than the 1-RTT packets are never | | Note: Keys of packets other than the 1-RTT packets are never | |||
updated; their keys are derived solely from the TLS handshake | | updated; their keys are derived solely from the TLS handshake | |||
state. | | state. | |||
The endpoint that initiates a key update also updates the keys that | The endpoint that initiates a key update also updates the keys that | |||
it uses for receiving packets. These keys will be needed to process | it uses for receiving packets. These keys will be needed to process | |||
packets the peer sends after updating. | packets the peer sends after updating. | |||
An endpoint MUST retain old keys until it has successfully | An endpoint MUST retain old keys until it has successfully | |||
unprotected a packet sent using the new keys. An endpoint SHOULD | unprotected a packet sent using the new keys. An endpoint SHOULD | |||
retain old keys for some time after unprotecting a packet sent using | retain old keys for some time after unprotecting a packet sent using | |||
the new keys. Discarding old keys too early can cause delayed | the new keys. Discarding old keys too early can cause delayed | |||
packets to be discarded. Discarding packets will be interpreted as | packets to be discarded. Discarding packets will be interpreted as | |||
skipping to change at page 37, line 25 ¶ | skipping to change at line 1660 ¶ | |||
If a packet is successfully processed using the next key and IV, then | If a packet is successfully processed using the next key and IV, then | |||
the peer has initiated a key update. The endpoint MUST update its | the peer has initiated a key update. The endpoint MUST update its | |||
send keys to the corresponding key phase in response, as described in | send keys to the corresponding key phase in response, as described in | |||
Section 6.1. Sending keys MUST be updated before sending an | Section 6.1. Sending keys MUST be updated before sending an | |||
acknowledgment for the packet that was received with updated keys. | acknowledgment for the packet that was received with updated keys. | |||
By acknowledging the packet that triggered the key update in a packet | By acknowledging the packet that triggered the key update in a packet | |||
protected with the updated keys, the endpoint signals that the key | protected with the updated keys, the endpoint signals that the key | |||
update is complete. | update is complete. | |||
An endpoint can defer sending the packet or acknowledgment according | An endpoint can defer sending the packet or acknowledgment according | |||
to its normal packet sending behaviour; it is not necessary to | to its normal packet sending behavior; it is not necessary to | |||
immediately generate a packet in response to a key update. The next | immediately generate a packet in response to a key update. The next | |||
packet sent by the endpoint will use the updated keys. The next | packet sent by the endpoint will use the updated keys. The next | |||
packet that contains an acknowledgment will cause the key update to | packet that contains an acknowledgment will cause the key update to | |||
be completed. If an endpoint detects a second update before it has | be completed. If an endpoint detects a second update before it has | |||
sent any packets with updated keys containing an acknowledgment for | sent any packets with updated keys containing an acknowledgment for | |||
the packet that initiated the key update, it indicates that its peer | the packet that initiated the key update, it indicates that its peer | |||
has updated keys twice without awaiting confirmation. An endpoint | has updated keys twice without awaiting confirmation. An endpoint | |||
MAY treat such consecutive key updates as a connection error of type | MAY treat such consecutive key updates as a connection error of type | |||
KEY_UPDATE_ERROR. | KEY_UPDATE_ERROR. | |||
skipping to change at page 37, line 47 ¶ | skipping to change at line 1682 ¶ | |||
packet protected with old keys where any acknowledged packet was | packet protected with old keys where any acknowledged packet was | |||
protected with newer keys MAY treat that as a connection error of | protected with newer keys MAY treat that as a connection error of | |||
type KEY_UPDATE_ERROR. This indicates that a peer has received and | type KEY_UPDATE_ERROR. This indicates that a peer has received and | |||
acknowledged a packet that initiates a key update, but has not | acknowledged a packet that initiates a key update, but has not | |||
updated keys in response. | updated keys in response. | |||
6.3. Timing of Receive Key Generation | 6.3. Timing of Receive Key Generation | |||
Endpoints responding to an apparent key update MUST NOT generate a | Endpoints responding to an apparent key update MUST NOT generate a | |||
timing side-channel signal that might indicate that the Key Phase bit | timing side-channel signal that might indicate that the Key Phase bit | |||
was invalid (see Section 9.4). Endpoints can use dummy packet | was invalid (see Section 9.5). Endpoints can use randomized packet | |||
protection keys in place of discarded keys when key updates are not | protection keys in place of discarded keys when key updates are not | |||
yet permitted. Using dummy keys will generate no variation in the | yet permitted. Using randomized keys ensures that attempting to | |||
timing signal produced by attempting to remove packet protection, and | remove packet protection does not result in timing variations, and | |||
results in all packets with an invalid Key Phase bit being rejected. | results in packets with an invalid Key Phase bit being rejected. | |||
The process of creating new packet protection keys for receiving | The process of creating new packet protection keys for receiving | |||
packets could reveal that a key update has occurred. An endpoint MAY | packets could reveal that a key update has occurred. An endpoint MAY | |||
generate new keys as part of packet processing, but this creates a | generate new keys as part of packet processing, but this creates a | |||
timing signal that could be used by an attacker to learn when key | timing signal that could be used by an attacker to learn when key | |||
updates happen and thus leak the value of the Key Phase bit. | updates happen and thus leak the value of the Key Phase bit. | |||
Endpoints are generally expected to have current and next receive | Endpoints are generally expected to have current and next receive | |||
packet protection keys available. For a short period after a key | packet protection keys available. For a short period after a key | |||
update completes, up to the PTO, endpoints MAY defer generation of | update completes, up to the PTO, endpoints MAY defer generation of | |||
the next set of receive packet protection keys. This allows | the next set of receive packet protection keys. This allows | |||
endpoints to retain only two sets of receive keys; see Section 6.5. | endpoints to retain only two sets of receive keys; see Section 6.5. | |||
Once generated, the next set of packet protection keys SHOULD be | Once generated, the next set of packet protection keys SHOULD be | |||
retained, even if the packet that was received was subsequently | retained, even if the packet that was received was subsequently | |||
discarded. Packets containing apparent key updates are easy to forge | discarded. Packets containing apparent key updates are easy to | |||
and - while the process of key update does not require significant | forge, and while the process of key update does not require | |||
effort - triggering this process could be used by an attacker for | significant effort, triggering this process could be used by an | |||
DoS. | attacker for DoS. | |||
For this reason, endpoints MUST be able to retain two sets of packet | For this reason, endpoints MUST be able to retain two sets of packet | |||
protection keys for receiving packets: the current and the next. | protection keys for receiving packets: the current and the next. | |||
Retaining the previous keys in addition to these might improve | Retaining the previous keys in addition to these might improve | |||
performance, but this is not essential. | performance, but this is not essential. | |||
6.4. Sending with Updated Keys | 6.4. Sending with Updated Keys | |||
An endpoint never sends packets that are protected with old keys. | An endpoint never sends packets that are protected with old keys. | |||
Only the current keys are used. Keys used for protecting packets can | Only the current keys are used. Keys used for protecting packets can | |||
skipping to change at page 38, line 50 ¶ | skipping to change at line 1733 ¶ | |||
6.5. Receiving with Different Keys | 6.5. Receiving with Different Keys | |||
For receiving packets during a key update, packets protected with | For receiving packets during a key update, packets protected with | |||
older keys might arrive if they were delayed by the network. | older keys might arrive if they were delayed by the network. | |||
Retaining old packet protection keys allows these packets to be | Retaining old packet protection keys allows these packets to be | |||
successfully processed. | successfully processed. | |||
As packets protected with keys from the next key phase use the same | As packets protected with keys from the next key phase use the same | |||
Key Phase value as those protected with keys from the previous key | Key Phase value as those protected with keys from the previous key | |||
phase, it is necessary to distinguish between the two, if packets | phase, it is necessary to distinguish between the two if packets | |||
protected with old keys are to be processed. This can be done using | protected with old keys are to be processed. This can be done using | |||
packet numbers. A recovered packet number that is lower than any | packet numbers. A recovered packet number that is lower than any | |||
packet number from the current key phase uses the previous packet | packet number from the current key phase uses the previous packet | |||
protection keys; a recovered packet number that is higher than any | protection keys; a recovered packet number that is higher than any | |||
packet number from the current key phase requires the use of the next | packet number from the current key phase requires the use of the next | |||
packet protection keys. | packet protection keys. | |||
Some care is necessary to ensure that any process for selecting | Some care is necessary to ensure that any process for selecting | |||
between previous, current, and next packet protection keys does not | between previous, current, and next packet protection keys does not | |||
expose a timing side channel that might reveal which keys were used | expose a timing side channel that might reveal which keys were used | |||
skipping to change at page 39, line 23 ¶ | skipping to change at line 1755 ¶ | |||
Alternatively, endpoints can retain only two sets of packet | Alternatively, endpoints can retain only two sets of packet | |||
protection keys, swapping previous for next after enough time has | protection keys, swapping previous for next after enough time has | |||
passed to allow for reordering in the network. In this case, the Key | passed to allow for reordering in the network. In this case, the Key | |||
Phase bit alone can be used to select keys. | Phase bit alone can be used to select keys. | |||
An endpoint MAY allow a period of approximately the Probe Timeout | An endpoint MAY allow a period of approximately the Probe Timeout | |||
(PTO; see [QUIC-RECOVERY]) after promoting the next set of receive | (PTO; see [QUIC-RECOVERY]) after promoting the next set of receive | |||
keys to be current before it creates the subsequent set of packet | keys to be current before it creates the subsequent set of packet | |||
protection keys. These updated keys MAY replace the previous keys at | protection keys. These updated keys MAY replace the previous keys at | |||
that time. With the caveat that PTO is a subjective measure - that | that time. With the caveat that PTO is a subjective measure -- that | |||
is, a peer could have a different view of the RTT - this time is | is, a peer could have a different view of the RTT -- this time is | |||
expected to be long enough that any reordered packets would be | expected to be long enough that any reordered packets would be | |||
declared lost by a peer even if they were acknowledged and short | declared lost by a peer even if they were acknowledged and short | |||
enough to allow a peer to initiate further key updates. | enough to allow a peer to initiate further key updates. | |||
Endpoints need to allow for the possibility that a peer might not be | Endpoints need to allow for the possibility that a peer might not be | |||
able to decrypt packets that initiate a key update during the period | able to decrypt packets that initiate a key update during the period | |||
when the peer retains old keys. Endpoints SHOULD wait three times | when the peer retains old keys. Endpoints SHOULD wait three times | |||
the PTO before initiating a key update after receiving an | the PTO before initiating a key update after receiving an | |||
acknowledgment that confirms that the previous key update was | acknowledgment that confirms that the previous key update was | |||
received. Failing to allow sufficient time could lead to packets | received. Failing to allow sufficient time could lead to packets | |||
skipping to change at page 41, line 16 ¶ | skipping to change at line 1844 ¶ | |||
confidentiality and integrity limits; see Appendix B for details. | confidentiality and integrity limits; see Appendix B for details. | |||
Future analyses and specifications MAY relax confidentiality or | Future analyses and specifications MAY relax confidentiality or | |||
integrity limits for an AEAD. | integrity limits for an AEAD. | |||
Any TLS cipher suite that is specified for use with QUIC MUST define | Any TLS cipher suite that is specified for use with QUIC MUST define | |||
limits on the use of the associated AEAD function that preserves | limits on the use of the associated AEAD function that preserves | |||
margins for confidentiality and integrity. That is, limits MUST be | margins for confidentiality and integrity. That is, limits MUST be | |||
specified for the number of packets that can be authenticated and for | specified for the number of packets that can be authenticated and for | |||
the number of packets that can fail authentication. Providing a | the number of packets that can fail authentication. Providing a | |||
reference to any analysis upon which values are based - and any | reference to any analysis upon which values are based -- and any | |||
assumptions used in that analysis - allows limits to be adapted to | assumptions used in that analysis -- allows limits to be adapted to | |||
varying usage conditions. | varying usage conditions. | |||
6.7. Key Update Error Code | 6.7. Key Update Error Code | |||
The KEY_UPDATE_ERROR error code (0xe) is used to signal errors | The KEY_UPDATE_ERROR error code (0x0e) is used to signal errors | |||
related to key updates. | related to key updates. | |||
7. Security of Initial Messages | 7. Security of Initial Messages | |||
Initial packets are not protected with a secret key, so they are | Initial packets are not protected with a secret key, so they are | |||
subject to potential tampering by an attacker. QUIC provides | subject to potential tampering by an attacker. QUIC provides | |||
protection against attackers that cannot read packets, but does not | protection against attackers that cannot read packets but does not | |||
attempt to provide additional protection against attacks where the | attempt to provide additional protection against attacks where the | |||
attacker can observe and inject packets. Some forms of tampering -- | attacker can observe and inject packets. Some forms of tampering -- | |||
such as modifying the TLS messages themselves -- are detectable, but | such as modifying the TLS messages themselves -- are detectable, but | |||
some -- such as modifying ACKs -- are not. | some -- such as modifying ACKs -- are not. | |||
For example, an attacker could inject a packet containing an ACK | For example, an attacker could inject a packet containing an ACK | |||
frame that makes it appear that a packet had not been received or to | frame to make it appear that a packet had not been received or to | |||
create a false impression of the state of the connection (e.g., by | create a false impression of the state of the connection (e.g., by | |||
modifying the ACK Delay). Note that such a packet could cause a | modifying the ACK Delay). Note that such a packet could cause a | |||
legitimate packet to be dropped as a duplicate. Implementations | legitimate packet to be dropped as a duplicate. Implementations | |||
SHOULD use caution in relying on any data that is contained in | SHOULD use caution in relying on any data that is contained in | |||
Initial packets that is not otherwise authenticated. | Initial packets that is not otherwise authenticated. | |||
It is also possible for the attacker to tamper with data that is | It is also possible for the attacker to tamper with data that is | |||
carried in Handshake packets, but because that tampering requires | carried in Handshake packets, but because that sort of tampering | |||
modifying TLS handshake messages, that tampering will cause the TLS | requires modifying TLS handshake messages, any such tampering will | |||
handshake to fail. | cause the TLS handshake to fail. | |||
8. QUIC-Specific Adjustments to the TLS Handshake | 8. QUIC-Specific Adjustments to the TLS Handshake | |||
Certain aspects of the TLS handshake are different when used with | Certain aspects of the TLS handshake are different when used with | |||
QUIC. | QUIC. | |||
QUIC also requires additional features from TLS. In addition to | QUIC also requires additional features from TLS. In addition to | |||
negotiation of cryptographic parameters, the TLS handshake carries | negotiation of cryptographic parameters, the TLS handshake carries | |||
and authenticates values for QUIC transport parameters. | and authenticates values for QUIC transport parameters. | |||
8.1. Protocol Negotiation | 8.1. Protocol Negotiation | |||
QUIC requires that the cryptographic handshake provide authenticated | QUIC requires that the cryptographic handshake provide authenticated | |||
protocol negotiation. TLS uses Application Layer Protocol | protocol negotiation. TLS uses Application-Layer Protocol | |||
Negotiation ([ALPN]) to select an application protocol. Unless | Negotiation [ALPN] to select an application protocol. Unless another | |||
another mechanism is used for agreeing on an application protocol, | mechanism is used for agreeing on an application protocol, endpoints | |||
endpoints MUST use ALPN for this purpose. | MUST use ALPN for this purpose. | |||
When using ALPN, endpoints MUST immediately close a connection (see | When using ALPN, endpoints MUST immediately close a connection (see | |||
Section 10.2 of [QUIC-TRANSPORT]) with a no_application_protocol TLS | Section 10.2 of [QUIC-TRANSPORT]) with a no_application_protocol TLS | |||
alert (QUIC error code 0x178; see Section 4.8) if an application | alert (QUIC error code 0x0178; see Section 4.8) if an application | |||
protocol is not negotiated. While [ALPN] only specifies that servers | protocol is not negotiated. While [ALPN] only specifies that servers | |||
use this alert, QUIC clients MUST use error 0x178 to terminate a | use this alert, QUIC clients MUST use error 0x0178 to terminate a | |||
connection when ALPN negotiation fails. | connection when ALPN negotiation fails. | |||
An application protocol MAY restrict the QUIC versions that it can | An application protocol MAY restrict the QUIC versions that it can | |||
operate over. Servers MUST select an application protocol compatible | operate over. Servers MUST select an application protocol compatible | |||
with the QUIC version that the client has selected. The server MUST | with the QUIC version that the client has selected. The server MUST | |||
treat the inability to select a compatible application protocol as a | treat the inability to select a compatible application protocol as a | |||
connection error of type 0x178 (no_application_protocol). Similarly, | connection error of type 0x0178 (no_application_protocol). | |||
a client MUST treat the selection of an incompatible application | Similarly, a client MUST treat the selection of an incompatible | |||
protocol by a server as a connection error of type 0x178. | application protocol by a server as a connection error of type | |||
0x0178. | ||||
8.2. QUIC Transport Parameters Extension | 8.2. QUIC Transport Parameters Extension | |||
QUIC transport parameters are carried in a TLS extension. Different | QUIC transport parameters are carried in a TLS extension. Different | |||
versions of QUIC might define a different method for negotiating | versions of QUIC might define a different method for negotiating | |||
transport configuration. | transport configuration. | |||
Including transport parameters in the TLS handshake provides | Including transport parameters in the TLS handshake provides | |||
integrity protection for these values. | integrity protection for these values. | |||
skipping to change at page 43, line 5 ¶ | skipping to change at line 1931 ¶ | |||
The extension_data field of the quic_transport_parameters extension | The extension_data field of the quic_transport_parameters extension | |||
contains a value that is defined by the version of QUIC that is in | contains a value that is defined by the version of QUIC that is in | |||
use. | use. | |||
The quic_transport_parameters extension is carried in the ClientHello | The quic_transport_parameters extension is carried in the ClientHello | |||
and the EncryptedExtensions messages during the handshake. Endpoints | and the EncryptedExtensions messages during the handshake. Endpoints | |||
MUST send the quic_transport_parameters extension; endpoints that | MUST send the quic_transport_parameters extension; endpoints that | |||
receive ClientHello or EncryptedExtensions messages without the | receive ClientHello or EncryptedExtensions messages without the | |||
quic_transport_parameters extension MUST close the connection with an | quic_transport_parameters extension MUST close the connection with an | |||
error of type 0x16d (equivalent to a fatal TLS missing_extension | error of type 0x016d (equivalent to a fatal TLS missing_extension | |||
alert, see Section 4.8). | alert, see Section 4.8). | |||
Transport parameters become available prior to the completion of the | Transport parameters become available prior to the completion of the | |||
handshake. A server might use these values earlier than handshake | handshake. A server might use these values earlier than handshake | |||
completion. However, the value of transport parameters is not | completion. However, the value of transport parameters is not | |||
authenticated until the handshake completes, so any use of these | authenticated until the handshake completes, so any use of these | |||
parameters cannot depend on their authenticity. Any tampering with | parameters cannot depend on their authenticity. Any tampering with | |||
transport parameters will cause the handshake to fail. | transport parameters will cause the handshake to fail. | |||
Endpoints MUST NOT send this extension in a TLS connection that does | Endpoints MUST NOT send this extension in a TLS connection that does | |||
skipping to change at page 44, line 38 ¶ | skipping to change at line 2012 ¶ | |||
Endpoints MUST implement and use the replay protections described in | Endpoints MUST implement and use the replay protections described in | |||
[TLS13], however it is recognized that these protections are | [TLS13], however it is recognized that these protections are | |||
imperfect. Therefore, additional consideration of the risk of replay | imperfect. Therefore, additional consideration of the risk of replay | |||
is needed. | is needed. | |||
QUIC is not vulnerable to replay attack, except via the application | QUIC is not vulnerable to replay attack, except via the application | |||
protocol information it might carry. The management of QUIC protocol | protocol information it might carry. The management of QUIC protocol | |||
state based on the frame types defined in [QUIC-TRANSPORT] is not | state based on the frame types defined in [QUIC-TRANSPORT] is not | |||
vulnerable to replay. Processing of QUIC frames is idempotent and | vulnerable to replay. Processing of QUIC frames is idempotent and | |||
cannot result in invalid connection states if frames are replayed, | cannot result in invalid connection states if frames are replayed, | |||
reordered or lost. QUIC connections do not produce effects that last | reordered, or lost. QUIC connections do not produce effects that | |||
beyond the lifetime of the connection, except for those produced by | last beyond the lifetime of the connection, except for those produced | |||
the application protocol that QUIC serves. | by the application protocol that QUIC serves. | |||
Note: TLS session tickets and address validation tokens are used to | TLS session tickets and address validation tokens are used to carry | |||
carry QUIC configuration information between connections. | QUIC configuration information between connections, specifically, to | |||
Specifically, to enable a server to efficiently recover state that | enable a server to efficiently recover state that is used in | |||
is used in connection establishment and address validation. These | connection establishment and address validation. These MUST NOT be | |||
MUST NOT be used to communicate application semantics between | used to communicate application semantics between endpoints; clients | |||
endpoints; clients MUST treat them as opaque values. The | MUST treat them as opaque values. The potential for reuse of these | |||
potential for reuse of these tokens means that they require | tokens means that they require stronger protections against replay. | |||
stronger protections against replay. | ||||
A server that accepts 0-RTT on a connection incurs a higher cost than | A server that accepts 0-RTT on a connection incurs a higher cost than | |||
accepting a connection without 0-RTT. This includes higher | accepting a connection without 0-RTT. This includes higher | |||
processing and computation costs. Servers need to consider the | processing and computation costs. Servers need to consider the | |||
probability of replay and all associated costs when accepting 0-RTT. | probability of replay and all associated costs when accepting 0-RTT. | |||
Ultimately, the responsibility for managing the risks of replay | Ultimately, the responsibility for managing the risks of replay | |||
attacks with 0-RTT lies with an application protocol. An application | attacks with 0-RTT lies with an application protocol. An application | |||
protocol that uses QUIC MUST describe how the protocol uses 0-RTT and | protocol that uses QUIC MUST describe how the protocol uses 0-RTT and | |||
the measures that are employed to protect against replay attack. An | the measures that are employed to protect against replay attack. An | |||
analysis of replay risk needs to consider all QUIC protocol features | analysis of replay risk needs to consider all QUIC protocol features | |||
that carry application semantics. | that carry application semantics. | |||
Disabling 0-RTT entirely is the most effective defense against replay | Disabling 0-RTT entirely is the most effective defense against replay | |||
attack. | attack. | |||
QUIC extensions MUST describe how replay attacks affect their | QUIC extensions MUST either describe how replay attacks affect their | |||
operation, or prohibit their use in 0-RTT. Application protocols | operation or prohibit the use of the extension in 0-RTT. Application | |||
MUST either prohibit the use of extensions that carry application | protocols MUST either prohibit the use of extensions that carry | |||
semantics in 0-RTT or provide replay mitigation strategies. | application semantics in 0-RTT or provide replay mitigation | |||
strategies. | ||||
9.3. Packet Reflection Attack Mitigation | 9.3. Packet Reflection Attack Mitigation | |||
A small ClientHello that results in a large block of handshake | A small ClientHello that results in a large block of handshake | |||
messages from a server can be used in packet reflection attacks to | messages from a server can be used in packet reflection attacks to | |||
amplify the traffic generated by an attacker. | amplify the traffic generated by an attacker. | |||
QUIC includes three defenses against this attack. First, the packet | QUIC includes three defenses against this attack. First, the packet | |||
containing a ClientHello MUST be padded to a minimum size. Second, | containing a ClientHello MUST be padded to a minimum size. Second, | |||
if responding to an unverified source address, the server is | if responding to an unverified source address, the server is | |||
skipping to change at page 46, line 29 ¶ | skipping to change at line 2097 ¶ | |||
bits are sampled, the odds of two ciphertext samples being identical | bits are sampled, the odds of two ciphertext samples being identical | |||
approach 2^(-L/2), that is, the birthday bound. For the algorithms | approach 2^(-L/2), that is, the birthday bound. For the algorithms | |||
described in this document, that probability is one in 2^64. | described in this document, that probability is one in 2^64. | |||
To prevent an attacker from modifying packet headers, the header is | To prevent an attacker from modifying packet headers, the header is | |||
transitively authenticated using packet protection; the entire packet | transitively authenticated using packet protection; the entire packet | |||
header is part of the authenticated additional data. Protected | header is part of the authenticated additional data. Protected | |||
fields that are falsified or modified can only be detected once the | fields that are falsified or modified can only be detected once the | |||
packet protection is removed. | packet protection is removed. | |||
9.5. Header Protection Timing Side-Channels | 9.5. Header Protection Timing Side Channels | |||
An attacker could guess values for packet numbers or Key Phase and | An attacker could guess values for packet numbers or Key Phase and | |||
have an endpoint confirm guesses through timing side channels. | have an endpoint confirm guesses through timing side channels. | |||
Similarly, guesses for the packet number length can be tried and | Similarly, guesses for the packet number length can be tried and | |||
exposed. If the recipient of a packet discards packets with | exposed. If the recipient of a packet discards packets with | |||
duplicate packet numbers without attempting to remove packet | duplicate packet numbers without attempting to remove packet | |||
protection they could reveal through timing side-channels that the | protection, they could reveal through timing side channels that the | |||
packet number matches a received packet. For authentication to be | packet number matches a received packet. For authentication to be | |||
free from side-channels, the entire process of header protection | free from side channels, the entire process of header protection | |||
removal, packet number recovery, and packet protection removal MUST | removal, packet number recovery, and packet protection removal MUST | |||
be applied together without timing and other side-channels. | be applied together without timing and other side channels. | |||
For the sending of packets, construction and protection of packet | For the sending of packets, construction and protection of packet | |||
payloads and packet numbers MUST be free from side-channels that | payloads and packet numbers MUST be free from side channels that | |||
would reveal the packet number or its encoded size. | would reveal the packet number or its encoded size. | |||
During a key update, the time taken to generate new keys could reveal | During a key update, the time taken to generate new keys could reveal | |||
through timing side-channels that a key update has occurred. | through timing side channels that a key update has occurred. | |||
Alternatively, where an attacker injects packets this side-channel | Alternatively, where an attacker injects packets, this side channel | |||
could reveal the value of the Key Phase on injected packets. After | could reveal the value of the Key Phase on injected packets. After | |||
receiving a key update, an endpoint SHOULD generate and save the next | receiving a key update, an endpoint SHOULD generate and save the next | |||
set of receive packet protection keys, as described in Section 6.3. | set of receive packet protection keys, as described in Section 6.3. | |||
By generating new keys before a key update is received, receipt of | By generating new keys before a key update is received, receipt of | |||
packets will not create timing signals that leak the value of the Key | packets will not create timing signals that leak the value of the Key | |||
Phase. | Phase. | |||
This depends on not doing this key generation during packet | This depends on not doing this key generation during packet | |||
processing and it can require that endpoints maintain three sets of | processing, and it can require that endpoints maintain three sets of | |||
packet protection keys for receiving: for the previous key phase, for | packet protection keys for receiving: for the previous key phase, for | |||
the current key phase, and for the next key phase. Endpoints can | the current key phase, and for the next key phase. Endpoints can | |||
instead choose to defer generation of the next receive packet | instead choose to defer generation of the next receive packet | |||
protection keys until they discard old keys so that only two sets of | protection keys until they discard old keys so that only two sets of | |||
receive keys need to be retained at any point in time. | receive keys need to be retained at any point in time. | |||
9.6. Key Diversity | 9.6. Key Diversity | |||
In using TLS, the central key schedule of TLS is used. As a result | In using TLS, the central key schedule of TLS is used. As a result | |||
of the TLS handshake messages being integrated into the calculation | of the TLS handshake messages being integrated into the calculation | |||
of secrets, the inclusion of the QUIC transport parameters extension | of secrets, the inclusion of the QUIC transport parameters extension | |||
ensures that handshake and 1-RTT keys are not the same as those that | ensures that the handshake and 1-RTT keys are not the same as those | |||
might be produced by a server running TLS over TCP. To avoid the | that might be produced by a server running TLS over TCP. To avoid | |||
possibility of cross-protocol key synchronization, additional | the possibility of cross-protocol key synchronization, additional | |||
measures are provided to improve key separation. | measures are provided to improve key separation. | |||
The QUIC packet protection keys and IVs are derived using a different | The QUIC packet protection keys and IVs are derived using a different | |||
label than the equivalent keys in TLS. | label than the equivalent keys in TLS. | |||
To preserve this separation, a new version of QUIC SHOULD define new | To preserve this separation, a new version of QUIC SHOULD define new | |||
labels for key derivation for packet protection key and IV, plus the | labels for key derivation for packet protection key and IV, plus the | |||
header protection keys. This version of QUIC uses the string "quic". | header protection keys. This version of QUIC uses the string "quic". | |||
Other versions can use a version-specific label in place of that | Other versions can use a version-specific label in place of that | |||
string. | string. | |||
skipping to change at page 47, line 51 ¶ | skipping to change at line 2166 ¶ | |||
QUIC depends on endpoints being able to generate secure random | QUIC depends on endpoints being able to generate secure random | |||
numbers, both directly for protocol values such as the connection ID, | numbers, both directly for protocol values such as the connection ID, | |||
and transitively via TLS. See [RFC4086] for guidance on secure | and transitively via TLS. See [RFC4086] for guidance on secure | |||
random number generation. | random number generation. | |||
10. IANA Considerations | 10. IANA Considerations | |||
IANA has registered a codepoint of 57 (or 0x39) for the | IANA has registered a codepoint of 57 (or 0x39) for the | |||
quic_transport_parameters extension (defined in Section 8.2) in the | quic_transport_parameters extension (defined in Section 8.2) in the | |||
TLS ExtensionType Values Registry [TLS-REGISTRIES]. | "TLS ExtensionType Values" registry [TLS-REGISTRIES]. | |||
The Recommended column for this extension is marked Yes. The TLS 1.3 | The Recommended column for this extension is marked Yes. The TLS 1.3 | |||
Column includes CH and EE. | Column includes CH (ClientHello) and EE (EncryptedExtensions). | |||
+=======+===========================+=====+=============+===========+ | ||||
| Value | Extension Name | TLS | Recommended | Reference | | ||||
| | | 1.3 | | | | ||||
+=======+===========================+=====+=============+===========+ | ||||
| 57 | quic_transport_parameters | CH, | Y | This | | ||||
| | | EE | | document | | ||||
+-------+---------------------------+-----+-------------+-----------+ | ||||
Table 2: TLS ExtensionType Values Registry Entry | ||||
11. References | 11. References | |||
11.1. Normative References | 11.1. Normative References | |||
[AEAD] McGrew, D., "An Interface and Algorithms for Authenticated | [AEAD] McGrew, D., "An Interface and Algorithms for Authenticated | |||
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, | Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, | |||
<https://www.rfc-editor.org/info/rfc5116>. | <https://www.rfc-editor.org/info/rfc5116>. | |||
[AES] "Advanced encryption standard (AES)", National Institute | [AES] "Advanced encryption standard (AES)", National Institute | |||
skipping to change at page 48, line 37 ¶ | skipping to change at line 2210 ¶ | |||
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | |||
<https://www.rfc-editor.org/info/rfc8439>. | <https://www.rfc-editor.org/info/rfc8439>. | |||
[HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | [HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | |||
Key Derivation Function (HKDF)", RFC 5869, | Key Derivation Function (HKDF)", RFC 5869, | |||
DOI 10.17487/RFC5869, May 2010, | DOI 10.17487/RFC5869, May 2010, | |||
<https://www.rfc-editor.org/info/rfc5869>. | <https://www.rfc-editor.org/info/rfc5869>. | |||
[QUIC-RECOVERY] | [QUIC-RECOVERY] | |||
Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | |||
and Congestion Control", Work in Progress, Internet-Draft, | and Congestion Control", RFC 9002, DOI 10.17487/RFC9002, | |||
draft-ietf-quic-recovery-34, 15 January 2021, | May 2021, <https://www.rfc-editor.org/info/rfc9002>. | |||
<https://tools.ietf.org/html/draft-ietf-quic-recovery-34>. | ||||
[QUIC-TRANSPORT] | [QUIC-TRANSPORT] | |||
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
Multiplexed and Secure Transport", Work in Progress, | Multiplexed and Secure Transport", RFC 9000, | |||
Internet-Draft, draft-ietf-quic-transport-34, 15 January | DOI 10.17487/RFC9000, May 2021, | |||
2021, <https://tools.ietf.org/html/draft-ietf-quic- | <https://www.rfc-editor.org/info/rfc9000>. | |||
transport-34>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | |||
"Randomness Requirements for Security", BCP 106, RFC 4086, | "Randomness Requirements for Security", BCP 106, RFC 4086, | |||
DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
<https://www.rfc-editor.org/info/rfc4086>. | <https://www.rfc-editor.org/info/rfc4086>. | |||
skipping to change at page 49, line 31 ¶ | skipping to change at line 2250 ¶ | |||
and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8447>. | <https://www.rfc-editor.org/info/rfc8447>. | |||
[TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
11.2. Informative References | 11.2. Informative References | |||
[AEBounds] Luykx, A. and K. Paterson, "Limits on Authenticated | [AEBounds] Luykx, A. and K. Paterson, "Limits on Authenticated | |||
Encryption Use in TLS", 8 March 2016, | Encryption Use in TLS", 28 August 2017, | |||
<http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. | <https://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. | |||
[ASCII] Cerf, V., "ASCII format for network interchange", STD 80, | [ASCII] Cerf, V., "ASCII format for network interchange", STD 80, | |||
RFC 20, DOI 10.17487/RFC0020, October 1969, | RFC 20, DOI 10.17487/RFC0020, October 1969, | |||
<https://www.rfc-editor.org/info/rfc20>. | <https://www.rfc-editor.org/info/rfc20>. | |||
[CCM-ANALYSIS] | [CCM-ANALYSIS] | |||
Jonsson, J., "On the Security of CTR + CBC-MAC", Selected | Jonsson, J., "On the Security of CTR + CBC-MAC", Selected | |||
Areas in Cryptography pp. 76-93, | Areas in Cryptography, SAC 2002, Lecture Notes in Computer | |||
DOI 10.1007/3-540-36492-7_7, 2003, | Science, vol 2595, pp. 76-93, DOI 10.1007/3-540-36492-7_7, | |||
<https://doi.org/10.1007/3-540-36492-7_7>. | 2003, <https://doi.org/10.1007/3-540-36492-7_7>. | |||
[COMPRESS] Ghedini, A. and V. Vasiliev, "TLS Certificate | [COMPRESS] Ghedini, A. and V. Vasiliev, "TLS Certificate | |||
Compression", Work in Progress, Internet-Draft, draft- | Compression", RFC 8879, DOI 10.17487/RFC8879, December | |||
ietf-tls-certificate-compression-10, 6 January 2020, | 2020, <https://www.rfc-editor.org/info/rfc8879>. | |||
<http://www.ietf.org/internet-drafts/draft-ietf-tls- | ||||
certificate-compression-10.txt>. | ||||
[GCM-MU] Hoang, V., Tessaro, S., and A. Thiruvengadam, "The Multi- | [GCM-MU] Hoang, V., Tessaro, S., and A. Thiruvengadam, "The Multi- | |||
user Security of GCM, Revisited: Tight Bounds for Nonce | user Security of GCM, Revisited: Tight Bounds for Nonce | |||
Randomization", Proceedings of the 2018 ACM SIGSAC | Randomization", CCS '18: Proceedings of the 2018 ACM | |||
Conference on Computer and Communications Security, | SIGSAC Conference on Computer and Communications Security, | |||
DOI 10.1145/3243734.3243816, January 2018, | pp. 1429-1440, DOI 10.1145/3243734.3243816, 2018, | |||
<https://doi.org/10.1145/3243734.3243816>. | <https://doi.org/10.1145/3243734.3243816>. | |||
[HTTP-REPLAY] | [HTTP-REPLAY] | |||
Thomson, M., Nottingham, M., and W. Tarreau, "Using Early | Thomson, M., Nottingham, M., and W. Tarreau, "Using Early | |||
Data in HTTP", RFC 8470, DOI 10.17487/RFC8470, September | Data in HTTP", RFC 8470, DOI 10.17487/RFC8470, September | |||
2018, <https://www.rfc-editor.org/info/rfc8470>. | 2018, <https://www.rfc-editor.org/info/rfc8470>. | |||
[HTTP2-TLS13] | [HTTP2-TLS13] | |||
Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | |||
DOI 10.17487/RFC8740, February 2020, | DOI 10.17487/RFC8740, February 2020, | |||
<https://www.rfc-editor.org/info/rfc8740>. | <https://www.rfc-editor.org/info/rfc8740>. | |||
[IMC] Katz, J. and Y. Lindell, "Introduction to Modern | [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | |||
Cryptography, Second Edition", ISBN 978-1466570269, 6 | Cryptography, Second Edition", ISBN 978-1466570269, 6 | |||
November 2014. | November 2014. | |||
[NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | |||
AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp. | AEAD Revisited", Advances in Cryptology - CRYPTO 2019, | |||
235-265, DOI 10.1007/978-3-030-26948-7_9, 2019, | Lecture Notes in Computer Science, vol 11692, pp. 235-265, | |||
DOI 10.1007/978-3-030-26948-7_9, 2019, | ||||
<https://doi.org/10.1007/978-3-030-26948-7_9>. | <https://doi.org/10.1007/978-3-030-26948-7_9>. | |||
[QUIC-HTTP] | [QUIC-HTTP] | |||
Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | |||
(HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- | (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- | |||
quic-http-33, 15 January 2021, | quic-http, 2 February 2021, | |||
<https://tools.ietf.org/html/draft-ietf-quic-http-33>. | <https://tools.ietf.org/html/draft-ietf-quic-http>. | |||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
<https://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
<https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
[ROBUST] Fischlin, M., Günther, F., and C. Janson, "Robust | [ROBUST] Fischlin, M., Günther, F., and C. Janson, "Robust | |||
Channels: Handling Unreliable Networks in the Record | Channels: Handling Unreliable Networks in the Record | |||
Layers of QUIC and DTLS 1.3", 16 May 2020, | Layers of QUIC and DTLS 1.3", 16 May 2020, | |||
<https://eprint.iacr.org/2020/718>. | <https://eprint.iacr.org/2020/718>. | |||
Appendix A. Sample Packet Protection | Appendix A. Sample Packet Protection | |||
This section shows examples of packet protection so that | This section shows examples of packet protection so that | |||
implementations can be verified incrementally. Samples of Initial | implementations can be verified incrementally. Samples of Initial | |||
packets from both client and server, plus a Retry packet are defined. | packets from both client and server plus a Retry packet are defined. | |||
These packets use an 8-byte client-chosen Destination Connection ID | These packets use an 8-byte client-chosen Destination Connection ID | |||
of 0x8394c8f03e515708. Some intermediate values are included. All | of 0x8394c8f03e515708. Some intermediate values are included. All | |||
values are shown in hexadecimal. | values are shown in hexadecimal. | |||
A.1. Keys | A.1. Keys | |||
The labels generated during the execution of the HKDF-Expand-Label | The labels generated during the execution of the HKDF-Expand-Label | |||
function (that is, HkdfLabel.label) and part of the value given to | function (that is, HkdfLabel.label) and part of the value given to | |||
the HKDF-Expand function in order to produce its output are: | the HKDF-Expand function in order to produce its output are: | |||
skipping to change at page 52, line 42 ¶ | skipping to change at line 2401 ¶ | |||
75300901100f088394c8f03e51570806 048000ffff | 75300901100f088394c8f03e51570806 048000ffff | |||
The unprotected header indicates a length of 1182 bytes: the 4-byte | The unprotected header indicates a length of 1182 bytes: the 4-byte | |||
packet number, 1162 bytes of frames, and the 16-byte authentication | packet number, 1162 bytes of frames, and the 16-byte authentication | |||
tag. The header includes the connection ID and a packet number of 2: | tag. The header includes the connection ID and a packet number of 2: | |||
c300000001088394c8f03e5157080000449e00000002 | c300000001088394c8f03e5157080000449e00000002 | |||
Protecting the payload produces output that is sampled for header | Protecting the payload produces output that is sampled for header | |||
protection. Because the header uses a 4-byte packet number encoding, | protection. Because the header uses a 4-byte packet number encoding, | |||
the first 16 bytes of the protected payload is sampled, then applied | the first 16 bytes of the protected payload is sampled and then | |||
to the header: | applied to the header as follows: | |||
sample = d1b1c98dd7689fb8ec11d242b123dc9b | sample = d1b1c98dd7689fb8ec11d242b123dc9b | |||
mask = AES-ECB(hp, sample)[0..4] | mask = AES-ECB(hp, sample)[0..4] | |||
= 437b9aec36 | = 437b9aec36 | |||
header[0] ^= mask[0] & 0x0f | header[0] ^= mask[0] & 0x0f | |||
= c0 | = c0 | |||
header[18..21] ^= mask[1..4] | header[18..21] ^= mask[1..4] | |||
= 7b9aec34 | = 7b9aec34 | |||
skipping to change at page 57, line 48 ¶ | skipping to change at line 2594 ¶ | |||
deployment patterns, whereas the 2^16 is the maximum possible size of | deployment patterns, whereas the 2^16 is the maximum possible size of | |||
a QUIC packet. Only endpoints that strictly limit packet size can | a QUIC packet. Only endpoints that strictly limit packet size can | |||
use the larger confidentiality and integrity limits that are derived | use the larger confidentiality and integrity limits that are derived | |||
using the smaller packet size. | using the smaller packet size. | |||
For AEAD_AES_128_GCM and AEAD_AES_256_GCM, the message length (l) is | For AEAD_AES_128_GCM and AEAD_AES_256_GCM, the message length (l) is | |||
the length of the associated data in blocks plus the length of the | the length of the associated data in blocks plus the length of the | |||
plaintext in blocks. | plaintext in blocks. | |||
For AEAD_AES_128_CCM, the total number of block cipher operations is | For AEAD_AES_128_CCM, the total number of block cipher operations is | |||
the sum of: the length of the associated data in blocks, the length | the sum of the following: the length of the associated data in | |||
of the ciphertext in blocks, the length of the plaintext in blocks, | blocks, the length of the ciphertext in blocks, the length of the | |||
plus 1. In this analysis, this is simplified to a value of twice the | plaintext in blocks, plus 1. In this analysis, this is simplified to | |||
length of the packet in blocks (that is, "2l = 2^8" for packets that | a value of twice the length of the packet in blocks (that is, "2l = | |||
are limited to 2^11 bytes, or "2l = 2^13" otherwise). This | 2^8" for packets that are limited to 2^11 bytes, or "2l = 2^13" | |||
simplification is based on the packet containing all of the | otherwise). This simplification is based on the packet containing | |||
associated data and ciphertext. This results in a 1 to 3 block | all of the associated data and ciphertext. This results in a one to | |||
overestimation of the number of operations per packet. | three block overestimation of the number of operations per packet. | |||
B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage Limits | B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage Limits | |||
[GCM-MU] specify concrete bounds for AEAD_AES_128_GCM and | [GCM-MU] specifies concrete bounds for AEAD_AES_128_GCM and | |||
AEAD_AES_256_GCM as used in TLS 1.3 and QUIC. This section documents | AEAD_AES_256_GCM as used in TLS 1.3 and QUIC. This section documents | |||
this analysis using several simplifying assumptions: | this analysis using several simplifying assumptions: | |||
* The number of ciphertext blocks an attacker uses in forgery | * The number of ciphertext blocks an attacker uses in forgery | |||
attempts is bounded by v * l, the number of forgery attempts and | attempts is bounded by v * l, which is the number of forgery | |||
the size of each packet (in blocks). | attempts multiplied by the size of each packet (in blocks). | |||
* The amount of offline work done by an attacker does not dominate | * The amount of offline work done by an attacker does not dominate | |||
other factors in the analysis. | other factors in the analysis. | |||
The bounds in [GCM-MU] are tighter and more complete than those used | The bounds in [GCM-MU] are tighter and more complete than those used | |||
in [AEBounds], which allows for larger limits than those described in | in [AEBounds], which allows for larger limits than those described in | |||
[TLS13]. | [TLS13]. | |||
B.1.1. Confidentiality Limit | B.1.1. Confidentiality Limit | |||
For confidentiality, Theorum (4.3) in [GCM-MU] establishes that - for | For confidentiality, Theorem (4.3) in [GCM-MU] establishes that, for | |||
a single user that does not repeat nonces - the dominant term in | a single user that does not repeat nonces, the dominant term in | |||
determining the distinguishing advantage between a real and random | determining the distinguishing advantage between a real and random | |||
AEAD algorithm gained by an attacker is: | AEAD algorithm gained by an attacker is: | |||
2 * (q * l)^2 / 2^n | 2 * (q * l)^2 / 2^n | |||
For a target advantage of 2^-57, this results in the relation: | For a target advantage of 2^-57, this results in the relation: | |||
q <= 2^35 / l | q <= 2^35 / l | |||
Thus, endpoints that do not send packets larger than 2^11 bytes | Thus, endpoints that do not send packets larger than 2^11 bytes | |||
cannot protect more than 2^28 packets in a single connection without | cannot protect more than 2^28 packets in a single connection without | |||
causing an attacker to gain an larger advantage than the target of | causing an attacker to gain a more significant advantage than the | |||
2^-57. The limit for endpoints that allow for the packet size to be | target of 2^-57. The limit for endpoints that allow for the packet | |||
as large as 2^16 is instead 2^23. | size to be as large as 2^16 is instead 2^23. | |||
B.1.2. Integrity Limit | B.1.2. Integrity Limit | |||
For integrity, Theorem (4.3) in [GCM-MU] establishes that an attacker | For integrity, Theorem (4.3) in [GCM-MU] establishes that an attacker | |||
gains an advantage in successfully forging a packet of no more than: | gains an advantage in successfully forging a packet of no more than | |||
the following: | ||||
(1 / 2^(8 * n)) + ((2 * v) / 2^(2 * n)) | (1 / 2^(8 * n)) + ((2 * v) / 2^(2 * n)) | |||
+ ((2 * o * v) / 2^(k + n)) + (n * (v + (v * l)) / 2^k) | + ((2 * o * v) / 2^(k + n)) + (n * (v + (v * l)) / 2^k) | |||
The goal is to limit this advantage to 2^-57. For AEAD_AES_128_GCM, | The goal is to limit this advantage to 2^-57. For AEAD_AES_128_GCM, | |||
the fourth term in this inequality dominates the rest, so the others | the fourth term in this inequality dominates the rest, so the others | |||
can be removed without significant effect on the result. This | can be removed without significant effect on the result. This | |||
produces the following approximation: | produces the following approximation: | |||
v <= 2^64 / l | v <= 2^64 / l | |||
skipping to change at page 59, line 39 ¶ | skipping to change at line 2682 ¶ | |||
AEAD_AES_128_CCM. However, any AEAD that is used with QUIC requires | AEAD_AES_128_CCM. However, any AEAD that is used with QUIC requires | |||
limits on use that ensure that both confidentiality and integrity are | limits on use that ensure that both confidentiality and integrity are | |||
preserved. This section documents that analysis. | preserved. This section documents that analysis. | |||
[CCM-ANALYSIS] is used as the basis of this analysis. The results of | [CCM-ANALYSIS] is used as the basis of this analysis. The results of | |||
that analysis are used to derive usage limits that are based on those | that analysis are used to derive usage limits that are based on those | |||
chosen in [TLS13]. | chosen in [TLS13]. | |||
For confidentiality, Theorem 2 in [CCM-ANALYSIS] establishes that an | For confidentiality, Theorem 2 in [CCM-ANALYSIS] establishes that an | |||
attacker gains a distinguishing advantage over an ideal pseudorandom | attacker gains a distinguishing advantage over an ideal pseudorandom | |||
permutation (PRP) of no more than: | permutation (PRP) of no more than the following: | |||
(2l * q)^2 / 2^n | (2l * q)^2 / 2^n | |||
The integrity limit in Theorem 1 in [CCM-ANALYSIS] provides an | The integrity limit in Theorem 1 in [CCM-ANALYSIS] provides an | |||
attacker a strictly higher advantage for the same number of messages. | attacker a strictly higher advantage for the same number of messages. | |||
As the targets for the confidentiality advantage and the integrity | As the targets for the confidentiality advantage and the integrity | |||
advantage are the same, only Theorem 1 needs to be considered. | advantage are the same, only Theorem 1 needs to be considered. | |||
Theorem 1 establishes that an attacker gains an advantage over an | Theorem 1 establishes that an attacker gains an advantage over an | |||
ideal PRP of no more than: | ideal PRP of no more than the following: | |||
v / 2^t + (2l * (v + q))^2 / 2^n | v / 2^t + (2l * (v + q))^2 / 2^n | |||
As "t" and "n" are both 128, the first term is negligible relative to | As "t" and "n" are both 128, the first term is negligible relative to | |||
the second, so that term can be removed without a significant effect | the second, so that term can be removed without a significant effect | |||
on the result. | on the result. | |||
This produces a relation that combines both encryption and decryption | This produces a relation that combines both encryption and decryption | |||
attempts with the same limit as that produced by the theorem for | attempts with the same limit as that produced by the theorem for | |||
confidentiality alone. For a target advantage of 2^-57, this results | confidentiality alone. For a target advantage of 2^-57, this results | |||
in: | in the following: | |||
v + q <= 2^34.5 / l | v + q <= 2^34.5 / l | |||
By setting "q = v", values for both confidentiality and integrity | By setting "q = v", values for both confidentiality and integrity | |||
limits can be produced. Endpoints that limit packets to 2^11 bytes | limits can be produced. Endpoints that limit packets to 2^11 bytes | |||
therefore have both confidentiality and integrity limits of 2^26.5 | therefore have both confidentiality and integrity limits of 2^26.5 | |||
packets. Endpoints that do not restrict packet size have a limit of | packets. Endpoints that do not restrict packet size have a limit of | |||
2^21.5. | 2^21.5. | |||
Appendix C. Change Log | ||||
*RFC Editor's Note:* Please remove this section prior to | ||||
publication of a final version of this document. | ||||
Issue and pull request numbers are listed with a leading octothorp. | ||||
C.1. Since draft-ietf-quic-tls-32 | ||||
* Added final values for Initial key derivation, Retry | ||||
authentication, and TLS extension type for the QUIC Transport | ||||
Parameters extension (#4431) (#4431) | ||||
* Corrected rules for handling of 0-RTT (#4393, #4394) | ||||
C.2. Since draft-ietf-quic-tls-31 | ||||
* Packet protection limits are based on maximum-sized packets; | ||||
improved analysis (#3701, #4175) | ||||
C.3. Since draft-ietf-quic-tls-30 | ||||
* Add a new error code for AEAD_LIMIT_REACHED code to avoid conflict | ||||
(#4087, #4088) | ||||
C.4. Since draft-ietf-quic-tls-29 | ||||
* Updated limits on packet protection (#3788, #3789) | ||||
* Allow for packet processing to continue while waiting for TLS to | ||||
provide keys (#3821, #3874) | ||||
C.5. Since draft-ietf-quic-tls-28 | ||||
* Defined limits on the number of packets that can be protected with | ||||
a single key and limits on the number of packets that can fail | ||||
authentication (#3619, #3620) | ||||
* Update Initial salt, Retry keys, and samples (#3711) | ||||
C.6. Since draft-ietf-quic-tls-27 | ||||
* Allowed CONNECTION_CLOSE in any packet number space, with | ||||
restrictions on use of the application-specific variant (#3430, | ||||
#3435, #3440) | ||||
* Prohibit the use of the compatibility mode from TLS 1.3 (#3594, | ||||
#3595) | ||||
C.7. Since draft-ietf-quic-tls-26 | ||||
* No changes | ||||
C.8. Since draft-ietf-quic-tls-25 | ||||
* No changes | ||||
C.9. Since draft-ietf-quic-tls-24 | ||||
* Rewrite key updates (#3050) | ||||
- Allow but don't recommend deferring key updates (#2792, #3263) | ||||
- More completely define received behavior (#2791) | ||||
- Define the label used with HKDF-Expand-Label (#3054) | ||||
C.10. Since draft-ietf-quic-tls-23 | ||||
* Key update text update (#3050): | ||||
- Recommend constant-time key replacement (#2792) | ||||
- Provide explicit labels for key update key derivation (#3054) | ||||
* Allow first Initial from a client to span multiple packets (#2928, | ||||
#3045) | ||||
* PING can be sent at any encryption level (#3034, #3035) | ||||
C.11. Since draft-ietf-quic-tls-22 | ||||
* Update the salt used for Initial secrets (#2887, #2980) | ||||
C.12. Since draft-ietf-quic-tls-21 | ||||
* No changes | ||||
C.13. Since draft-ietf-quic-tls-20 | ||||
* Mandate the use of the QUIC transport parameters extension (#2528, | ||||
#2560) | ||||
* Define handshake completion and confirmation; define clearer rules | ||||
when it encryption keys should be discarded (#2214, #2267, #2673) | ||||
C.14. Since draft-ietf-quic-tls-18 | ||||
* Increased the set of permissible frames in 0-RTT (#2344, #2355) | ||||
* Transport parameter extension is mandatory (#2528, #2560) | ||||
C.15. Since draft-ietf-quic-tls-17 | ||||
* Endpoints discard initial keys as soon as handshake keys are | ||||
available (#1951, #2045) | ||||
* Use of ALPN or equivalent is mandatory (#2263, #2284) | ||||
C.16. Since draft-ietf-quic-tls-14 | ||||
* Update the salt used for Initial secrets (#1970) | ||||
* Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) | ||||
* Change header protection | ||||
- Sample from a fixed offset (#1575, #2030) | ||||
- Cover part of the first byte, including the key phase (#1322, | ||||
#2006) | ||||
* TLS provides an AEAD and KDF function (#2046) | ||||
- Clarify that the TLS KDF is used with TLS (#1997) | ||||
- Change the labels for calculation of QUIC keys (#1845, #1971, | ||||
#1991) | ||||
* Initial keys are discarded once Handshake keys are available | ||||
(#1951, #2045) | ||||
C.17. Since draft-ietf-quic-tls-13 | ||||
* Updated to TLS 1.3 final (#1660) | ||||
C.18. Since draft-ietf-quic-tls-12 | ||||
* Changes to integration of the TLS handshake (#829, #1018, #1094, | ||||
#1165, #1190, #1233, #1242, #1252, #1450) | ||||
- The cryptographic handshake uses CRYPTO frames, not stream 0 | ||||
- QUIC packet protection is used in place of TLS record | ||||
protection | ||||
- Separate QUIC packet number spaces are used for the handshake | ||||
- Changed Retry to be independent of the cryptographic handshake | ||||
- Limit the use of HelloRetryRequest to address TLS needs (like | ||||
key shares) | ||||
* Changed codepoint of TLS extension (#1395, #1402) | ||||
C.19. Since draft-ietf-quic-tls-11 | ||||
* Encrypted packet numbers. | ||||
C.20. Since draft-ietf-quic-tls-10 | ||||
* No significant changes. | ||||
C.21. Since draft-ietf-quic-tls-09 | ||||
* Cleaned up key schedule and updated the salt used for handshake | ||||
packet protection (#1077) | ||||
C.22. Since draft-ietf-quic-tls-08 | ||||
* Specify value for max_early_data_size to enable 0-RTT (#942) | ||||
* Update key derivation function (#1003, #1004) | ||||
C.23. Since draft-ietf-quic-tls-07 | ||||
* Handshake errors can be reported with CONNECTION_CLOSE (#608, | ||||
#891) | ||||
C.24. Since draft-ietf-quic-tls-05 | ||||
No significant changes. | ||||
C.25. Since draft-ietf-quic-tls-04 | ||||
* Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) | ||||
C.26. Since draft-ietf-quic-tls-03 | ||||
No significant changes. | ||||
C.27. Since draft-ietf-quic-tls-02 | ||||
* Updates to match changes in transport draft | ||||
C.28. Since draft-ietf-quic-tls-01 | ||||
* Use TLS alerts to signal TLS errors (#272, #374) | ||||
* Require ClientHello to fit in a single packet (#338) | ||||
* The second client handshake flight is now sent in the clear (#262, | ||||
#337) | ||||
* The QUIC header is included as AEAD Associated Data (#226, #243, | ||||
#302) | ||||
* Add interface necessary for client address validation (#275) | ||||
* Define peer authentication (#140) | ||||
* Require at least TLS 1.3 (#138) | ||||
* Define transport parameters as a TLS extension (#122) | ||||
* Define handling for protected packets before the handshake | ||||
completes (#39) | ||||
* Decouple QUIC version and ALPN (#12) | ||||
C.29. Since draft-ietf-quic-tls-00 | ||||
* Changed bit used to signal key phase | ||||
* Updated key phase markings during the handshake | ||||
* Added TLS interface requirements section | ||||
* Moved to use of TLS exporters for key derivation | ||||
* Moved TLS error code definitions into this document | ||||
C.30. Since draft-thomson-quic-tls-01 | ||||
* Adopted as base for draft-ietf-quic-tls | ||||
* Updated authors/editors list | ||||
* Added status note | ||||
Contributors | Contributors | |||
The IETF QUIC Working Group received an enormous amount of support | The IETF QUIC Working Group received an enormous amount of support | |||
from many people. The following people provided substantive | from many people. The following people provided substantive | |||
contributions to this document: | contributions to this document: | |||
* Adam Langley | * Adam Langley | |||
* Alessandro Ghedini | * Alessandro Ghedini | |||
* Christian Huitema | * Christian Huitema | |||
* Christopher Wood | * Christopher Wood | |||
* David Schinazi | * David Schinazi | |||
* Dragana Damjanovic | * Dragana Damjanovic | |||
* Eric Rescorla | * Eric Rescorla | |||
* Felix Günther | ||||
* Felix Guenther | ||||
* Ian Swett | * Ian Swett | |||
* Jana Iyengar | * Jana Iyengar | |||
* 奥 一穂 (Kazuho Oku) | * 奥 一穂 (Kazuho Oku) | |||
* Marten Seemann | * Marten Seemann | |||
* Martin Duke | * Martin Duke | |||
* Mike Bishop | * Mike Bishop | |||
* Mikkel Fahnøe Jørgensen | * Mikkel Fahnøe Jørgensen | |||
* Nick Banks | * Nick Banks | |||
* Nick Harper | * Nick Harper | |||
* Roberto Peon | * Roberto Peon | |||
* Rui Paulo | * Rui Paulo | |||
* Ryan Hamilton | * Ryan Hamilton | |||
* Victor Vasiliev | * Victor Vasiliev | |||
Authors' Addresses | Authors' Addresses | |||
Martin Thomson (editor) | Martin Thomson (editor) | |||
Mozilla | Mozilla | |||
Email: mt@lowentropy.net | Email: mt@lowentropy.net | |||
Sean Turner (editor) | Sean Turner (editor) | |||
End of changes. 162 change blocks. | ||||
674 lines changed or deleted | 389 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |