draft-ietf-quic-tls-32.txt   draft-ietf-quic-tls-latest.txt 
QUIC Working Group M. Thomson, Ed. QUIC Working Group M. Thomson, Ed.
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track S. Turner, Ed. Intended status: Standards Track S. Turner, Ed.
Expires: April 23, 2021 sn3rd Expires: May 25, 2021 sn3rd
October 20, 2020 November 21, 2020
Using TLS to Secure QUIC Using TLS to Secure QUIC
draft-ietf-quic-tls-32 draft-ietf-quic-tls-latest
Abstract Abstract
This document describes how Transport Layer Security (TLS) is used to This document describes how Transport Layer Security (TLS) is used to
secure QUIC. secure QUIC.
Note to Readers Note to Readers
Discussion of this draft takes place on the QUIC working group Discussion of this draft takes place on the QUIC working group
mailing list (quic@ietf.org), which is archived at mailing list (quic@ietf.org), which is archived at
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 23, 2021. This Internet-Draft will expire on May 25, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 27 skipping to change at page 3, line 27
8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 41 8.2. QUIC Transport Parameters Extension . . . . . . . . . . . 41
8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 41 8.3. Removing the EndOfEarlyData Message . . . . . . . . . . . 41
8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 42 8.4. Prohibit TLS Middlebox Compatibility Mode . . . . . . . . 42
9. Security Considerations . . . . . . . . . . . . . . . . . . . 42 9. Security Considerations . . . . . . . . . . . . . . . . . . . 42
9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 42 9.1. Session Linkability . . . . . . . . . . . . . . . . . . . 42
9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 42 9.2. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 42
9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 43 9.3. Packet Reflection Attack Mitigation . . . . . . . . . . . 43
9.4. Header Protection Analysis . . . . . . . . . . . . . . . 44 9.4. Header Protection Analysis . . . . . . . . . . . . . . . 44
9.5. Header Protection Timing Side-Channels . . . . . . . . . 45 9.5. Header Protection Timing Side-Channels . . . . . . . . . 45
9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 45 9.6. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 45
9.7. Randomness . . . . . . . . . . . . . . . . . . . . . . . 46
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 46
11.1. Normative References . . . . . . . . . . . . . . . . . . 46 11.1. Normative References . . . . . . . . . . . . . . . . . . 46
11.2. Informative References . . . . . . . . . . . . . . . . . 47 11.2. Informative References . . . . . . . . . . . . . . . . . 47
Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 48 Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 49
A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 49 A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 49
A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 50 A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 50
A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 52 A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 52
A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 53 A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 53
A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 53 A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 53
Appendix B. AEAD Algorithm Analysis . . . . . . . . . . . . . . 55 Appendix B. AEAD Algorithm Analysis . . . . . . . . . . . . . . 55
B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage B.1. Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage
Limits . . . . . . . . . . . . . . . . . . . . . . . . . 56 Limits . . . . . . . . . . . . . . . . . . . . . . . . . 56
B.1.1. Confidentiality Limit . . . . . . . . . . . . . . . . 56 B.1.1. Confidentiality Limit . . . . . . . . . . . . . . . . 56
B.1.2. Integrity Limit . . . . . . . . . . . . . . . . . . . 56 B.1.2. Integrity Limit . . . . . . . . . . . . . . . . . . . 56
skipping to change at page 46, line 15 skipping to change at page 46, line 15
To preserve this separation, a new version of QUIC SHOULD define new To preserve this separation, a new version of QUIC SHOULD define new
labels for key derivation for packet protection key and IV, plus the labels for key derivation for packet protection key and IV, plus the
header protection keys. This version of QUIC uses the string "quic". header protection keys. This version of QUIC uses the string "quic".
Other versions can use a version-specific label in place of that Other versions can use a version-specific label in place of that
string. string.
The initial secrets use a key that is specific to the negotiated QUIC The initial secrets use a key that is specific to the negotiated QUIC
version. New QUIC versions SHOULD define a new salt value used in version. New QUIC versions SHOULD define a new salt value used in
calculating initial secrets. calculating initial secrets.
9.7. Randomness
QUIC depends on endpoints being able to generate secure random
numbers, both directly for protocol values such as the connection ID,
and transitively via TLS. See [RFC4086] for guidance on secure
random number generation.
10. IANA Considerations 10. IANA Considerations
This document registers the quic_transport_parameters extension found This document registers the quic_transport_parameters extension found
in Section 8.2 in the TLS ExtensionType Values Registry in Section 8.2 in the TLS ExtensionType Values Registry
[TLS-REGISTRIES]. [TLS-REGISTRIES].
The Recommended column is to be marked Yes. The TLS 1.3 Column is to The Recommended column is to be marked Yes. The TLS 1.3 Column is to
include CH and EE. include CH and EE.
11. References 11. References
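Review bot: the new Section 9.7 states that QUIC depends on secure random numbers but carries no RFC 2119 requirement, yet [RFC4086] is placed among the Normative References (between [RFC2119] and [RFC8174]); either make the dependency normative, e.g. "Endpoints MUST use a cryptographically secure random number generator for protocol values such as connection IDs", or move [RFC4086] to the Informative References, since "See [RFC4086] for guidance" reads as an informative pointer.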
skipping to change at page 47, line 7 skipping to change at page 47, line 12
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
<https://www.rfc-editor.org/info/rfc8439>. <https://www.rfc-editor.org/info/rfc8439>.
[HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand [HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869, Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010, DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>. <https://www.rfc-editor.org/info/rfc5869>.
[QUIC-RECOVERY] [QUIC-RECOVERY]
Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", draft-ietf-quic-recovery-32 (work and Congestion Control", draft-ietf-quic-recovery-latest
in progress). (work in progress).
[QUIC-TRANSPORT] [QUIC-TRANSPORT]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", draft-ietf-quic- Multiplexed and Secure Transport", draft-ietf-quic-
transport-32 (work in progress). transport-latest (work in progress).
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[SHA] Dang, Q., "Secure Hash Standard", National Institute of [SHA] Dang, Q., "Secure Hash Standard", National Institute of
Standards and Technology report, Standards and Technology report,
DOI 10.6028/nist.fips.180-4, July 2015. DOI 10.6028/nist.fips.180-4, July 2015.
[TLS-REGISTRIES] [TLS-REGISTRIES]
Salowey, J. and S. Turner, "IANA Registry Updates for TLS Salowey, J. and S. Turner, "IANA Registry Updates for TLS
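Review bot: replacing draft-ietf-quic-recovery-32 and draft-ietf-quic-transport-32 with the unversioned "-latest" names leaves [QUIC-RECOVERY] and [QUIC-TRANSPORT] unpinned, so a reader of this revision cannot tell which companion draft the text was aligned against; acceptable for the editor's working copy, but the version numbers must be restored before submission. The added [RFC4086] entry is sorted correctly and formatted consistently with the neighbouring RFC entries.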
skipping to change at page 48, line 11 skipping to change at page 48, line 20
Jonsson, J., "On the Security of CTR + CBC-MAC", Selected Jonsson, J., "On the Security of CTR + CBC-MAC", Selected
Areas in Cryptography pp. 76-93, Areas in Cryptography pp. 76-93,
DOI 10.1007/3-540-36492-7_7, 2003. DOI 10.1007/3-540-36492-7_7, 2003.
[COMPRESS] [COMPRESS]
Ghedini, A. and V. Vasiliev, "TLS Certificate Ghedini, A. and V. Vasiliev, "TLS Certificate
Compression", draft-ietf-tls-certificate-compression-10 Compression", draft-ietf-tls-certificate-compression-10
(work in progress), January 2020. (work in progress), January 2020.
[GCM-MU] Hoang, V., Tessaro, S., and A. Thiruvengadam, "The Multi- [GCM-MU] Hoang, V., Tessaro, S., and A. Thiruvengadam, "The Multi-
user Security of GCM, Revisited", Proceedings of the 2018 user Security of GCM, Revisited: Tight Bounds for Nonce
ACM SIGSAC Conference on Computer and Randomization", Proceedings of the 2018 ACM SIGSAC
Communications Security, DOI 10.1145/3243734.3243816, Conference on Computer and Communications Security,
January 2018. DOI 10.1145/3243734.3243816, January 2018.
[HTTP2-TLS13] [HTTP2-TLS13]
Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740,
DOI 10.17487/RFC8740, February 2020, DOI 10.17487/RFC8740, February 2020,
<https://www.rfc-editor.org/info/rfc8740>. <https://www.rfc-editor.org/info/rfc8740>.
[IMC] Katz, J. and Y. Lindell, "Introduction to Modern [IMC] Katz, J. and Y. Lindell, "Introduction to Modern
Cryptography, Second Edition", ISBN 978-1466570269, Cryptography, Second Edition", ISBN 978-1466570269,
November 2014. November 2014.
[NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed:
AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp. AEAD Revisited", Advances in Cryptology - CRYPTO 2019 pp.
235-265, DOI 10.1007/978-3-030-26948-7_9, 2019. 235-265, DOI 10.1007/978-3-030-26948-7_9, 2019.
[QUIC-HTTP] [QUIC-HTTP]
Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 Bishop, M., Ed., "Hypertext Transfer Protocol Version 3
(HTTP/3)", draft-ietf-quic-http-32 (work in progress). (HTTP/3)", draft-ietf-quic-http-latest (work in progress).
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
skipping to change at page 49, line 4 skipping to change at page 49, line 15
[ROBUST] Fischlin, M., Guenther, F., and C. Janson, "Robust [ROBUST] Fischlin, M., Guenther, F., and C. Janson, "Robust
Channels: Handling Unreliable Networks in the Record Channels: Handling Unreliable Networks in the Record
Layers of QUIC and DTLS 1.3", May 2020, Layers of QUIC and DTLS 1.3", May 2020,
<https://eprint.iacr.org/2020/718>. <https://eprint.iacr.org/2020/718>.
Appendix A. Sample Packet Protection Appendix A. Sample Packet Protection
This section shows examples of packet protection so that This section shows examples of packet protection so that
implementations can be verified incrementally. Samples of Initial implementations can be verified incrementally. Samples of Initial
packets from both client and server, plus a Retry packet are defined. packets from both client and server, plus a Retry packet are defined.
These packets use an 8-byte client-chosen Destination Connection ID These packets use an 8-byte client-chosen Destination Connection ID
of 0x8394c8f03e515708. Some intermediate values are included. All of 0x8394c8f03e515708. Some intermediate values are included. All
values are shown in hexadecimal. values are shown in hexadecimal.
A.1. Keys A.1. Keys
The labels generated by the HKDF-Expand-Label function are: The labels generated during the execution of the HKDF-Expand-Label
function and given to the HKDF-Expand function in order to produce
its output are:
client in: 00200f746c73313320636c69656e7420696e00 client in: 00200f746c73313320636c69656e7420696e00
server in: 00200f746c7331332073657276657220696e00 server in: 00200f746c7331332073657276657220696e00
quic key: 00100e746c7331332071756963206b657900 quic key: 00100e746c7331332071756963206b657900
quic iv: 000c0d746c733133207175696320697600 quic iv: 000c0d746c733133207175696320697600
quic hp: 00100d746c733133207175696320687000 quic hp: 00100d746c733133207175696320687000
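Review bot: the reworded lead-in to the label list is clearer, but the hex values are still easy to misread as bare label strings; what is shown is the HkdfLabel structure passed to HKDF-Expand, i.e. a 2-byte output length, a 1-byte label length, the label prefixed with "tls13 ", and a 1-byte zero context length, so "client in" decodes as 0020 (32 bytes), 0f (15), "tls13 client in", 00, and "quic iv" as 000c (12 bytes), 0d (13), "tls13 quic iv", 00. Stating that layout in one sentence, or pointing at the HkdfLabel definition in TLS 1.3, would let implementers validate their label encoder before comparing derived keys.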
 End of changes. 13 change blocks. 
15 lines changed or deleted 29 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/