| draft-ietf-quic-tls-32.txt | draft-ietf-quic-tls-latest.txt | |||
|---|---|---|---|---|
| QUIC Working Group M. Thomson, Ed. | QUIC Working Group M. Thomson, Ed. | |||
| Internet-Draft Mozilla | Internet-Draft Mozilla | |||
| Intended status: Standards Track S. Turner, Ed. | Intended status: Standards Track S. Turner, Ed. | |||
| Expires: April 23, 2021 sn3rd | Expires: May 25, 2021 sn3rd | |||
| October 20, 2020 | November 21, 2020 | |||
| Using TLS to Secure QUIC | Using TLS to Secure QUIC | |||
| draft-ietf-quic-tls-32 | draft-ietf-quic-tls-latest | |||
| Abstract | Abstract | |||
| This document describes how Transport Layer Security (TLS) is used to | This document describes how Transport Layer Security (TLS) is used to | |||
| secure QUIC. | secure QUIC. | |||
| Note to Readers | Note to Readers | |||
| Discussion of this draft takes place on the QUIC working group | Discussion of this draft takes place on the QUIC working group | |||
| mailing list (quic@ietf.org), which is archived at | mailing list (quic@ietf.org), which is archived at | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 23, 2021. | This Internet-Draft will expire on May 25, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 27 ¶ | skipping to change at page 3, line 27 ¶ | |||
| 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 41 | 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 41 | |||
| 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 41 | 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 41 | |||
| 8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 42 | 8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 42 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | |||
| 9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 42 | 9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 42 | |||
| 9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 42 | 9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 42 | |||
| 9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 43 | 9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 43 | |||
| 9.4. Header Protection Analysis . . . . . . . . . . . . . . . 44 | 9.4. Header Protection Analysis . . . . . . . . . . . . . . . 44 | |||
| 9.5. Header Protection Timing Side-Channels . . . . . . . . . 45 | 9.5. Header Protection Timing Side-Channels . . . . . . . . . 45 | |||
| 9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 45 | 9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 9.7. Randomness . . . . . . . . . . . . . . . . . . . . . . . 46 | ||||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 46 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 46 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 47 | 11.2. Informative References . . . . . . . . . . . . . . . . . 47 | |||
| Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 48 | Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 49 | |||
| A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 50 | A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 50 | |||
| A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 52 | A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 52 | |||
| A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 53 | A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 53 | |||
| Appendix B. AEAD Algorithm Analysis . . . . . . . . . . . . . . 55 | Appendix B. AEAD Algorithm Analysis . . . . . . . . . . . . . . 55 | |||
| B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage | B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage | |||
| Limits . . . . . . . . . . . . . . . . . . . . . . . . . 56 | Limits . . . . . . . . . . . . . . . . . . . . . . . . . 56 | |||
| B.1.1. Confidentiality Limit . . . . . . . . . . . . . . . . 56 | B.1.1. Confidentiality Limit . . . . . . . . . . . . . . . . 56 | |||
| B.1.2. Integrity Limit . . . . . . . . . . . . . . . . . . . 56 | B.1.2. Integrity Limit . . . . . . . . . . . . . . . . . . . 56 | |||
| skipping to change at page 46, line 15 ¶ | skipping to change at page 46, line 15 ¶ | |||
| To preserve this separation, a new version of QUIC SHOULD define new | To preserve this separation, a new version of QUIC SHOULD define new | |||
| labels for key derivation for packet protection key and IV, plus the | labels for key derivation for packet protection key and IV, plus the | |||
| header protection keys. This version of QUIC uses the string "quic". | header protection keys. This version of QUIC uses the string "quic". | |||
| Other versions can use a version-specific label in place of that | Other versions can use a version-specific label in place of that | |||
| string. | string. | |||
| The initial secrets use a key that is specific to the negotiated QUIC | The initial secrets use a key that is specific to the negotiated QUIC | |||
| version. New QUIC versions SHOULD define a new salt value used in | version. New QUIC versions SHOULD define a new salt value used in | |||
| calculating initial secrets. | calculating initial secrets. | |||
| 9.7. Randomness | ||||
| QUIC depends on endpoints being able to generate secure random | ||||
| numbers, both directly for protocol values such as the connection ID, | ||||
| and transitively via TLS. See [RFC4086] for guidance on secure | ||||
| random number generation. | ||||
| 10. IANA Considerations | 10. IANA Considerations | |||
| This document registers the quic_transport_parameters extension found | This document registers the quic_transport_parameters extension found | |||
| in Section 8.2 in the TLS ExtensionType Values Registry | in Section 8.2 in the TLS ExtensionType Values Registry | |||
| [TLS-REGISTRIES]. | [TLS-REGISTRIES]. | |||
| The Recommended column is to be marked Yes. The TLS 1.3 Column is to | The Recommended column is to be marked Yes. The TLS 1.3 Column is to | |||
| include CH and EE. | include CH and EE. | |||
| 11. References | 11. References | |||
| skipping to change at page 47, line 7 ¶ | skipping to change at page 47, line 12 ¶ | |||
| Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | |||
| <https://www.rfc-editor.org/info/rfc8439>. | <https://www.rfc-editor.org/info/rfc8439>. | |||
| [HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | [HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | |||
| Key Derivation Function (HKDF)", RFC 5869, | Key Derivation Function (HKDF)", RFC 5869, | |||
| DOI 10.17487/RFC5869, May 2010, | DOI 10.17487/RFC5869, May 2010, | |||
| <https://www.rfc-editor.org/info/rfc5869>. | <https://www.rfc-editor.org/info/rfc5869>. | |||
| [QUIC-RECOVERY] | [QUIC-RECOVERY] | |||
| Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | |||
| and Congestion Control", draft-ietf-quic-recovery-32 (work | and Congestion Control", draft-ietf-quic-recovery-latest | |||
| in progress). | (work in progress). | |||
| [QUIC-TRANSPORT] | [QUIC-TRANSPORT] | |||
| Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", draft-ietf-quic- | Multiplexed and Secure Transport", draft-ietf-quic- | |||
| transport-32 (work in progress). | transport-latest (work in progress). | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | ||||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | ||||
| DOI 10.17487/RFC4086, June 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4086>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [SHA] Dang, Q., "Secure Hash Standard", National Institute of | [SHA] Dang, Q., "Secure Hash Standard", National Institute of | |||
| Standards and Technology report, | Standards and Technology report, | |||
| DOI 10.6028/nist.fips.180-4, July 2015. | DOI 10.6028/nist.fips.180-4, July 2015. | |||
| [TLS-REGISTRIES] | [TLS-REGISTRIES] | |||
| Salowey, J. and S. Turner, "IANA Registry Updates for TLS | Salowey, J. and S. Turner, "IANA Registry Updates for TLS | |||
| skipping to change at page 48, line 11 ¶ | skipping to change at page 48, line 20 ¶ | |||
| Jonsson, J., "On the Security of CTR + CBC-MAC", Selected | Jonsson, J., "On the Security of CTR + CBC-MAC", Selected | |||
| Areas in Cryptography pp. 76-93, | Areas in Cryptography pp. 76-93, | |||
| DOI 10.1007/3-540-36492-7_7, 2003. | DOI 10.1007/3-540-36492-7_7, 2003. | |||
| [COMPRESS] | [COMPRESS] | |||
| Ghedini, A. and V. Vasiliev, "TLS Certificate | Ghedini, A. and V. Vasiliev, "TLS Certificate | |||
| Compression", draft-ietf-tls-certificate-compression-10 | Compression", draft-ietf-tls-certificate-compression-10 | |||
| (work in progress), January 2020. | (work in progress), January 2020. | |||
| [GCM-MU] Hoang, V., Tessaro, S., and A. Thiruvengadam, "The Multi- | [GCM-MU] Hoang, V., Tessaro, S., and A. Thiruvengadam, "The Multi- | |||
| user Security of GCM, Revisited", Proceedings of the 2018 | user Security of GCM, Revisited: Tight Bounds for Nonce | |||
| ACM SIGSAC Conference on Computer and | Randomization", Proceedings of the 2018 ACM SIGSAC | |||
| Communications Security, DOI 10.1145/3243734.3243816, | Conference on Computer and Communications Security, | |||
| January 2018. | DOI 10.1145/3243734.3243816, January 2018. | |||
| [HTTP2-TLS13] | [HTTP2-TLS13] | |||
| Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | |||
| DOI 10.17487/RFC8740, February 2020, | DOI 10.17487/RFC8740, February 2020, | |||
| <https://www.rfc-editor.org/info/rfc8740>. | <https://www.rfc-editor.org/info/rfc8740>. | |||
| [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | [IMC] Katz, J. and Y. Lindell, "Introduction to Modern | |||
| Cryptography, Second Edition", ISBN 978-1466570269, | Cryptography, Second Edition", ISBN 978-1466570269, | |||
| November 2014. | November 2014. | |||
| [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | |||
| AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp. | AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp. | |||
| 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019. | 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019. | |||
| [QUIC-HTTP] | [QUIC-HTTP] | |||
| Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | |||
| (HTTP/3)", draft-ietf-quic-http-32 (work in progress). | (HTTP/3)", draft-ietf-quic-http-latest (work in progress). | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
| DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
| <https://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| skipping to change at page 49, line 4 ¶ | skipping to change at page 49, line 15 ¶ | |||
| [ROBUST] Fischlin, M., Guenther, F., and C. Janson, "Robust | [ROBUST] Fischlin, M., Guenther, F., and C. Janson, "Robust | |||
| Channels: Handling Unreliable Networks in the Record | Channels: Handling Unreliable Networks in the Record | |||
| Layers of QUIC and DTLS 1.3", May 2020, | Layers of QUIC and DTLS 1.3", May 2020, | |||
| <https://eprint.iacr.org/2020/718>. | <https://eprint.iacr.org/2020/718>. | |||
| Appendix A. Sample Packet Protection | Appendix A. Sample Packet Protection | |||
| This section shows examples of packet protection so that | This section shows examples of packet protection so that | |||
| implementations can be verified incrementally. Samples of Initial | implementations can be verified incrementally. Samples of Initial | |||
| packets from both client and server, plus a Retry packet are defined. | packets from both client and server, plus a Retry packet are defined. | |||
| These packets use an 8-byte client-chosen Destination Connection ID | These packets use an 8-byte client-chosen Destination Connection ID | |||
| of 0x8394c8f03e515708. Some intermediate values are included. All | of 0x8394c8f03e515708. Some intermediate values are included. All | |||
| values are shown in hexadecimal. | values are shown in hexadecimal. | |||
| A.1. Keys | A.1. Keys | |||
| The labels generated by the HKDF-Expand-Label function are: | The labels generated during the execution of the HKDF-Expand-Label | |||
| function and given to the HKDF-Expand function in order to produce | ||||
| its output are: | ||||
| client in: 00200f746c73313320636c69656e7420696e00 | client in: 00200f746c73313320636c69656e7420696e00 | |||
| server in: 00200f746c7331332073657276657220696e00 | server in: 00200f746c7331332073657276657220696e00 | |||
| quic key: 00100e746c7331332071756963206b657900 | quic key: 00100e746c7331332071756963206b657900 | |||
| quic iv: 000c0d746c733133207175696320697600 | quic iv: 000c0d746c733133207175696320697600 | |||
| quic hp: 00100d746c733133207175696320687000 | quic hp: 00100d746c733133207175696320687000 | |||
| End of changes. 13 change blocks. | ||||
| 15 lines changed or deleted | 29 lines changed or added | |||
This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||