| draft-ietf-quic-tls-25.txt | draft-ietf-quic-tls-26.txt | |||
|---|---|---|---|---|
| QUIC M. Thomson, Ed. | QUIC M. Thomson, Ed. | |||
| Internet-Draft Mozilla | Internet-Draft Mozilla | |||
| Intended status: Standards Track S. Turner, Ed. | Intended status: Standards Track S. Turner, Ed. | |||
| Expires: 25 July 2020 sn3rd | Expires: 24 August 2020 sn3rd | |||
| 22 January 2020 | 21 February 2020 | |||
| Using TLS to Secure QUIC | Using TLS to Secure QUIC | |||
| draft-ietf-quic-tls-25 | draft-ietf-quic-tls-26 | |||
| Abstract | Abstract | |||
| This document describes how Transport Layer Security (TLS) is used to | This document describes how Transport Layer Security (TLS) is used to | |||
| secure QUIC. | secure QUIC. | |||
| Note to Readers | Note to Readers | |||
| Discussion of this draft takes place on the QUIC working group | Discussion of this draft takes place on the QUIC working group | |||
| mailing list (quic@ietf.org), which is archived at | mailing list (quic@ietf.org), which is archived at | |||
| skipping to change at page 1, line 44 ¶ | skipping to change at page 1, line 44 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 25 July 2020. | This Internet-Draft will expire on 24 August 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 26 ¶ | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | |||
| 9.1. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 37 | 9.1. Replay Attacks with 0-RTT . . . . . . . . . . . . . . . . 37 | |||
| 9.2. Packet Reflection Attack Mitigation . . . . . . . . . . . 38 | 9.2. Packet Reflection Attack Mitigation . . . . . . . . . . . 38 | |||
| 9.3. Header Protection Analysis . . . . . . . . . . . . . . . 39 | 9.3. Header Protection Analysis . . . . . . . . . . . . . . . 39 | |||
| 9.4. Header Protection Timing Side-Channels . . . . . . . . . 39 | 9.4. Header Protection Timing Side-Channels . . . . . . . . . 39 | |||
| 9.5. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 40 | 9.5. Key Diversity . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 41 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 41 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 42 | 11.2. Informative References . . . . . . . . . . . . . . . . . 42 | |||
| Appendix A. Sample Initial Packet Protection . . . . . . . . . . 43 | Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 43 | |||
| A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 43 | A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 44 | A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 44 | |||
| A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 46 | A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 46 | |||
| A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 47 | ||||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 47 | Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 47 | |||
| B.1. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 47 | B.1. Since draft-ietf-quic-tls-25 . . . . . . . . . . . . . . 47 | |||
| B.2. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 47 | B.2. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 47 | |||
| B.3. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 48 | B.3. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 48 | |||
| B.4. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 48 | B.4. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 48 | |||
| B.5. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 48 | B.5. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 48 | |||
| B.6. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 48 | B.6. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 48 | |||
| B.7. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 48 | B.7. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 48 | |||
| B.8. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 48 | B.8. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 48 | |||
| B.9. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 49 | B.9. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 48 | |||
| B.10. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 49 | B.10. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 49 | |||
| B.11. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 49 | B.11. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 49 | |||
| B.12. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 49 | B.12. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 49 | |||
| B.13. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 49 | B.13. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 49 | |||
| B.14. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 49 | B.14. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 50 | |||
| B.15. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 50 | B.15. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 50 | |||
| B.16. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 50 | B.16. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 50 | |||
| B.17. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 50 | B.17. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 50 | |||
| B.18. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 50 | B.18. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 50 | |||
| B.19. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 50 | B.19. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 50 | |||
| B.20. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 50 | B.20. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 50 | |||
| B.21. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 50 | B.21. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 50 | |||
| B.22. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 51 | B.22. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 51 | |||
| B.23. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 51 | ||||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51 | Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| 1. Introduction | 1. Introduction | |||
| This document describes how QUIC [QUIC-TRANSPORT] is secured using | This document describes how QUIC [QUIC-TRANSPORT] is secured using | |||
| TLS [TLS13]. | TLS [TLS13]. | |||
| TLS 1.3 provides critical latency improvements for connection | TLS 1.3 provides critical latency improvements for connection | |||
| establishment over previous versions. Absent packet loss, most new | establishment over previous versions. Absent packet loss, most new | |||
| skipping to change at page 9, line 23 ¶ | skipping to change at page 9, line 23 ¶ | |||
| MUST only be sent in packets at the 1-RTT encryption level. | MUST only be sent in packets at the 1-RTT encryption level. | |||
| * ACK frames MAY appear in packets of any encryption level other | * ACK frames MAY appear in packets of any encryption level other | |||
| than 0-RTT, but can only acknowledge packets which appeared in | than 0-RTT, but can only acknowledge packets which appeared in | |||
| that packet number space. | that packet number space. | |||
| * All other frame types MUST only be sent in the 0-RTT and 1-RTT | * All other frame types MUST only be sent in the 0-RTT and 1-RTT | |||
| levels. | levels. | |||
| Note that it is not possible to send the following frames in 0-RTT | Note that it is not possible to send the following frames in 0-RTT | |||
| for various reasons: ACK, CRYPTO, NEW_TOKEN, PATH_RESPONSE, and | for various reasons: ACK, CRYPTO, HANDSHAKE_DONE, NEW_TOKEN, | |||
| RETIRE_CONNECTION_ID. | PATH_RESPONSE, and RETIRE_CONNECTION_ID. | |||
| Because packets could be reordered on the wire, QUIC uses the packet | Because packets could be reordered on the wire, QUIC uses the packet | |||
| type to indicate which level a given packet was encrypted under, as | type to indicate which level a given packet was encrypted under, as | |||
| shown in Table 1. When multiple packets of different encryption | shown in Table 1. When multiple packets of different encryption | |||
| levels need to be sent, endpoints SHOULD use coalesced packets to | levels need to be sent, endpoints SHOULD use coalesced packets to | |||
| send them in the same UDP datagram. | send them in the same UDP datagram. | |||
| +---------------------+------------------+-----------+ | +---------------------+------------------+-----------+ | |||
| | Packet Type | Encryption Level | PN Space | | | Packet Type | Encryption Level | PN Space | | |||
| +=====================+==================+===========+ | +=====================+==================+===========+ | |||
| skipping to change at page 21, line 38 ¶ | skipping to change at page 21, line 38 ¶ | |||
| Destination Connection ID it uses in response to an Initial packet | Destination Connection ID it uses in response to an Initial packet | |||
| from the server. | from the server. | |||
| Note: The Destination Connection ID is of arbitrary length, and it | Note: The Destination Connection ID is of arbitrary length, and it | |||
| could be zero length if the server sends a Retry packet with a | could be zero length if the server sends a Retry packet with a | |||
| zero-length Source Connection ID field. In this case, the Initial | zero-length Source Connection ID field. In this case, the Initial | |||
| keys provide no assurance to the client that the server received | keys provide no assurance to the client that the server received | |||
| its packet; the client has to rely on the exchange that included | its packet; the client has to rely on the exchange that included | |||
| the Retry packet for that property. | the Retry packet for that property. | |||
| Appendix A contains test vectors for the initial packet encryption. | Appendix A contains test vectors for packet encryption. | |||
| 5.3. AEAD Usage | 5.3. AEAD Usage | |||
| The Authentication Encryption with Associated Data (AEAD) [AEAD] | The Authentication Encryption with Associated Data (AEAD) [AEAD] | |||
| function used for QUIC packet protection is the AEAD that is | function used for QUIC packet protection is the AEAD that is | |||
| negotiated for use with the TLS connection. For example, if TLS is | negotiated for use with the TLS connection. For example, if TLS is | |||
| using the TLS_AES_128_GCM_SHA256, the AEAD_AES_128_GCM function is | using the TLS_AES_128_GCM_SHA256, the AEAD_AES_128_GCM function is | |||
| used. | used. | |||
| Packets are protected prior to applying header protection | Packets are protected prior to applying header protection | |||
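Review bot: The last sentence of Section 5.2 now reads "test vectors for packet encryption", but the Retry sample this revision adds in A.4 is described as an integrity check, not encryption. Suggest "test vectors for packet protection", which also matches the new appendix title "Sample Packet Protection".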
| skipping to change at page 41, line 43 ¶ | skipping to change at page 41, line 43 ¶ | |||
| Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | |||
| July 2014, <https://www.rfc-editor.org/info/rfc7301>. | July 2014, <https://www.rfc-editor.org/info/rfc7301>. | |||
| [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | |||
| <https://www.rfc-editor.org/info/rfc8439>. | <https://www.rfc-editor.org/info/rfc8439>. | |||
| [QUIC-RECOVERY] | [QUIC-RECOVERY] | |||
| Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection | |||
| and Congestion Control", Work in Progress, Internet-Draft, | and Congestion Control", Work in Progress, Internet-Draft, | |||
| draft-ietf-quic-recovery-25, 22 January 2020, | draft-ietf-quic-recovery-26, 21 February 2020, | |||
| <https://tools.ietf.org/html/draft-ietf-quic-recovery-25>. | <https://tools.ietf.org/html/draft-ietf-quic-recovery-26>. | |||
| [QUIC-TRANSPORT] | [QUIC-TRANSPORT] | |||
| Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", Work in Progress, | Multiplexed and Secure Transport", Work in Progress, | |||
| Internet-Draft, draft-ietf-quic-transport-25, 22 January | Internet-Draft, draft-ietf-quic-transport-26, 21 February | |||
| 2020, <https://tools.ietf.org/html/draft-ietf-quic- | 2020, <https://tools.ietf.org/html/draft-ietf-quic- | |||
| transport-25>. | transport-26>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| skipping to change at page 43, line 4 ¶ | skipping to change at page 43, line 4 ¶ | |||
| November 2014. | November 2014. | |||
| [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: | |||
| AEAD Revisited", DOI 10.1007/978-3-030-26948-7_9, Advances | AEAD Revisited", DOI 10.1007/978-3-030-26948-7_9, Advances | |||
| in Cryptology - CRYPTO 2019 pp. 235-265, 2019, | in Cryptology - CRYPTO 2019 pp. 235-265, 2019, | |||
| <https://doi.org/10.1007/978-3-030-26948-7_9>. | <https://doi.org/10.1007/978-3-030-26948-7_9>. | |||
| [QUIC-HTTP] | [QUIC-HTTP] | |||
| Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 | |||
| (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- | (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- | |||
| quic-http-25, 22 January 2020, | quic-http-26, 21 February 2020, | |||
| <https://tools.ietf.org/html/draft-ietf-quic-http-25>. | <https://tools.ietf.org/html/draft-ietf-quic-http-26>. | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
| DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
| <https://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| Appendix A. Sample Initial Packet Protection | Appendix A. Sample Packet Protection | |||
| This section shows examples of packet protection for Initial packets | This section shows examples of packet protection so that | |||
| so that implementations can be verified incrementally. These packets | implementations can be verified incrementally. Samples of Initial | |||
| use an 8-byte client-chosen Destination Connection ID of | packets from both client and server, plus a Retry packet are defined. | |||
| 0x8394c8f03e515708. Values for both server and client packet | These packets use an 8-byte client-chosen Destination Connection ID | |||
| protection are shown together with values in hexadecimal. | of 0x8394c8f03e515708. Some intermediate values are included. All | |||
| values are shown in hexadecimal. | ||||
| A.1. Keys | A.1. Keys | |||
| The labels generated by the HKDF-Expand-Label function are: | The labels generated by the HKDF-Expand-Label function are: | |||
| client in: 00200f746c73313320636c69656e7420696e00 | client in: 00200f746c73313320636c69656e7420696e00 | |||
| server in: 00200f746c7331332073657276657220696e00 | server in: 00200f746c7331332073657276657220696e00 | |||
| quic key: 00100e746c7331332071756963206b657900 | quic key: 00100e746c7331332071756963206b657900 | |||
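Review bot: In the rewritten Appendix A introduction, "plus a Retry packet are defined" needs a comma after "Retry packet", and "Some intermediate values are included" does not say for which samples. A.4 shows only the final Retry packet, so either state that intermediate values are given for the Initial packets only, or add the input to the Retry integrity check so that sample can also be verified incrementally.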
| skipping to change at page 47, line 24 ¶ | skipping to change at page 47, line 24 ¶ | |||
| header = c9ff0000190008f067a5502a4262b5004074168b | header = c9ff0000190008f067a5502a4262b5004074168b | |||
| The final protected packet is then: | The final protected packet is then: | |||
| c9ff0000190008f067a5502a4262b500 4074168bf22b7002596f99ae67abf65a | c9ff0000190008f067a5502a4262b500 4074168bf22b7002596f99ae67abf65a | |||
| 5852f54f58c37c808682e2e40492d8a3 899fb04fc0afe9aabc8767b18a0aa493 | 5852f54f58c37c808682e2e40492d8a3 899fb04fc0afe9aabc8767b18a0aa493 | |||
| 537426373b48d502214dd856d63b78ce e37bc664b3fe86d487ac7a77c53038a3 | 537426373b48d502214dd856d63b78ce e37bc664b3fe86d487ac7a77c53038a3 | |||
| cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92b99c8ae5833225cb51855 | cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92b99c8ae5833225cb51855 | |||
| 20d61e68cf5f | 20d61e68cf5f | |||
| A.4. Retry | ||||
| This shows a Retry packet that might be sent in response to the | ||||
| Initial packet in Appendix A.2. The integrity check includes the | ||||
| client-chosen connection ID value of 0x8394c8f03e515708, but that | ||||
| value is not included in the final Retry packet: | ||||
| ffff0000190008f067a5502a4262b574 6f6b656e1e5ec5b014cbb1f0fd93df40 | ||||
| 48c446a6 | ||||
| Appendix B. Change Log | Appendix B. Change Log | |||
| *RFC Editor's Note:* Please remove this section prior to | *RFC Editor's Note:* Please remove this section prior to | |||
| publication of a final version of this document. | publication of a final version of this document. | |||
| Issue and pull request numbers are listed with a leading octothorp. | Issue and pull request numbers are listed with a leading octothorp. | |||
| B.1. Since draft-ietf-quic-tls-24 | B.1. Since draft-ietf-quic-tls-25 | |||
| * No changes | ||||
| B.2. Since draft-ietf-quic-tls-24 | ||||
| * Rewrite key updates (#3050) | * Rewrite key updates (#3050) | |||
| - Allow but don't recommend deferring key updates (#2792, #3263) | - Allow but don't recommend deferring key updates (#2792, #3263) | |||
| - More completely define received behavior (#2791) | - More completely define received behavior (#2791) | |||
| - Define the label used with HKDF-Expand-Label (#3054) | - Define the label used with HKDF-Expand-Label (#3054) | |||
| B.2. Since draft-ietf-quic-tls-23 | B.3. Since draft-ietf-quic-tls-23 | |||
| * Key update text update (#3050): | * Key update text update (#3050): | |||
| - Recommend constant-time key replacement (#2792) | - Recommend constant-time key replacement (#2792) | |||
| - Provide explicit labels for key update key derivation (#3054) | - Provide explicit labels for key update key derivation (#3054) | |||
| * Allow first Initial from a client to span multiple packets (#2928, | * Allow first Initial from a client to span multiple packets (#2928, | |||
| #3045) | #3045) | |||
| * PING can be sent at any encryption level (#3034, #3035) | * PING can be sent at any encryption level (#3034, #3035) | |||
| B.3. Since draft-ietf-quic-tls-22 | B.4. Since draft-ietf-quic-tls-22 | |||
| * Update the salt used for Initial secrets (#2887, #2980) | * Update the salt used for Initial secrets (#2887, #2980) | |||
| B.4. Since draft-ietf-quic-tls-21 | B.5. Since draft-ietf-quic-tls-21 | |||
| * No changes | * No changes | |||
| B.5. Since draft-ietf-quic-tls-20 | B.6. Since draft-ietf-quic-tls-20 | |||
| * Mandate the use of the QUIC transport parameters extension (#2528, | * Mandate the use of the QUIC transport parameters extension (#2528, | |||
| #2560) | #2560) | |||
| * Define handshake completion and confirmation; define clearer rules | * Define handshake completion and confirmation; define clearer rules | |||
| when it encryption keys should be discarded (#2214, #2267, #2673) | when it encryption keys should be discarded (#2214, #2267, #2673) | |||
| B.6. Since draft-ietf-quic-tls-18 | B.7. Since draft-ietf-quic-tls-18 | |||
| * Increased the set of permissible frames in 0-RTT (#2344, #2355) | * Increased the set of permissible frames in 0-RTT (#2344, #2355) | |||
| * Transport parameter extension is mandatory (#2528, #2560) | * Transport parameter extension is mandatory (#2528, #2560) | |||
| B.7. Since draft-ietf-quic-tls-17 | B.8. Since draft-ietf-quic-tls-17 | |||
| * Endpoints discard initial keys as soon as handshake keys are | * Endpoints discard initial keys as soon as handshake keys are | |||
| available (#1951, #2045) | available (#1951, #2045) | |||
| * Use of ALPN or equivalent is mandatory (#2263, #2284) | * Use of ALPN or equivalent is mandatory (#2263, #2284) | |||
| B.8. Since draft-ietf-quic-tls-14 | B.9. Since draft-ietf-quic-tls-14 | |||
| * Update the salt used for Initial secrets (#1970) | * Update the salt used for Initial secrets (#1970) | |||
| * Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) | * Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) | |||
| * Change header protection | * Change header protection | |||
| - Sample from a fixed offset (#1575, #2030) | - Sample from a fixed offset (#1575, #2030) | |||
| - Cover part of the first byte, including the key phase (#1322, | - Cover part of the first byte, including the key phase (#1322, | |||
| #2006) | #2006) | |||
| * TLS provides an AEAD and KDF function (#2046) | * TLS provides an AEAD and KDF function (#2046) | |||
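Review bot: B.1 "Since draft-ietf-quic-tls-25" lists "No changes", yet this revision adds HANDSHAKE_DONE to the frames that cannot be sent in 0-RTT and adds the Retry sample in A.4. Suggest listing both in B.1, with issue or pull request numbers as the other change log entries do.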
| skipping to change at page 49, line 4 ¶ | skipping to change at page 49, line 16 ¶ | |||
| * Change header protection | * Change header protection | |||
| - Sample from a fixed offset (#1575, #2030) | - Sample from a fixed offset (#1575, #2030) | |||
| - Cover part of the first byte, including the key phase (#1322, | - Cover part of the first byte, including the key phase (#1322, | |||
| #2006) | #2006) | |||
| * TLS provides an AEAD and KDF function (#2046) | * TLS provides an AEAD and KDF function (#2046) | |||
| - Clarify that the TLS KDF is used with TLS (#1997) | - Clarify that the TLS KDF is used with TLS (#1997) | |||
| - Change the labels for calculation of QUIC keys (#1845, #1971, | - Change the labels for calculation of QUIC keys (#1845, #1971, | |||
| #1991) | #1991) | |||
| * Initial keys are discarded once Handshake keys are available | * Initial keys are discarded once Handshake keys are available | |||
| (#1951, #2045) | (#1951, #2045) | |||
| B.9. Since draft-ietf-quic-tls-13 | B.10. Since draft-ietf-quic-tls-13 | |||
| * Updated to TLS 1.3 final (#1660) | * Updated to TLS 1.3 final (#1660) | |||
| B.10. Since draft-ietf-quic-tls-12 | B.11. Since draft-ietf-quic-tls-12 | |||
| * Changes to integration of the TLS handshake (#829, #1018, #1094, | * Changes to integration of the TLS handshake (#829, #1018, #1094, | |||
| #1165, #1190, #1233, #1242, #1252, #1450) | #1165, #1190, #1233, #1242, #1252, #1450) | |||
| - The cryptographic handshake uses CRYPTO frames, not stream 0 | - The cryptographic handshake uses CRYPTO frames, not stream 0 | |||
| - QUIC packet protection is used in place of TLS record | - QUIC packet protection is used in place of TLS record | |||
| protection | protection | |||
| - Separate QUIC packet number spaces are used for the handshake | - Separate QUIC packet number spaces are used for the handshake | |||
| - Changed Retry to be independent of the cryptographic handshake | - Changed Retry to be independent of the cryptographic handshake | |||
| - Limit the use of HelloRetryRequest to address TLS needs (like | - Limit the use of HelloRetryRequest to address TLS needs (like | |||
| key shares) | key shares) | |||
| * Changed codepoint of TLS extension (#1395, #1402) | * Changed codepoint of TLS extension (#1395, #1402) | |||
| B.11. Since draft-ietf-quic-tls-11 | B.12. Since draft-ietf-quic-tls-11 | |||
| * Encrypted packet numbers. | * Encrypted packet numbers. | |||
| B.12. Since draft-ietf-quic-tls-10 | B.13. Since draft-ietf-quic-tls-10 | |||
| * No significant changes. | * No significant changes. | |||
| B.13. Since draft-ietf-quic-tls-09 | B.14. Since draft-ietf-quic-tls-09 | |||
| * Cleaned up key schedule and updated the salt used for handshake | * Cleaned up key schedule and updated the salt used for handshake | |||
| packet protection (#1077) | packet protection (#1077) | |||
| B.14. Since draft-ietf-quic-tls-08 | B.15. Since draft-ietf-quic-tls-08 | |||
| * Specify value for max_early_data_size to enable 0-RTT (#942) | * Specify value for max_early_data_size to enable 0-RTT (#942) | |||
| * Update key derivation function (#1003, #1004) | * Update key derivation function (#1003, #1004) | |||
| B.15. Since draft-ietf-quic-tls-07 | B.16. Since draft-ietf-quic-tls-07 | |||
| * Handshake errors can be reported with CONNECTION_CLOSE (#608, | * Handshake errors can be reported with CONNECTION_CLOSE (#608, | |||
| #891) | #891) | |||
| B.16. Since draft-ietf-quic-tls-05 | B.17. Since draft-ietf-quic-tls-05 | |||
| No significant changes. | No significant changes. | |||
| B.17. Since draft-ietf-quic-tls-04 | B.18. Since draft-ietf-quic-tls-04 | |||
| * Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) | * Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) | |||
| B.18. Since draft-ietf-quic-tls-03 | B.19. Since draft-ietf-quic-tls-03 | |||
| No significant changes. | No significant changes. | |||
| B.19. Since draft-ietf-quic-tls-02 | B.20. Since draft-ietf-quic-tls-02 | |||
| * Updates to match changes in transport draft | * Updates to match changes in transport draft | |||
| B.20. Since draft-ietf-quic-tls-01 | B.21. Since draft-ietf-quic-tls-01 | |||
| * Use TLS alerts to signal TLS errors (#272, #374) | * Use TLS alerts to signal TLS errors (#272, #374) | |||
| * Require ClientHello to fit in a single packet (#338) | * Require ClientHello to fit in a single packet (#338) | |||
| * The second client handshake flight is now sent in the clear (#262, | * The second client handshake flight is now sent in the clear (#262, | |||
| #337) | #337) | |||
| * The QUIC header is included as AEAD Associated Data (#226, #243, | * The QUIC header is included as AEAD Associated Data (#226, #243, | |||
| #302) | #302) | |||
| skipping to change at page 50, line 39 ¶ | skipping to change at page 51, line 4 ¶ | |||
| * Require ClientHello to fit in a single packet (#338) | * Require ClientHello to fit in a single packet (#338) | |||
| * The second client handshake flight is now sent in the clear (#262, | * The second client handshake flight is now sent in the clear (#262, | |||
| #337) | #337) | |||
| * The QUIC header is included as AEAD Associated Data (#226, #243, | * The QUIC header is included as AEAD Associated Data (#226, #243, | |||
| #302) | #302) | |||
| * Add interface necessary for client address validation (#275) | * Add interface necessary for client address validation (#275) | |||
| * Define peer authentication (#140) | * Define peer authentication (#140) | |||
| * Require at least TLS 1.3 (#138) | * Require at least TLS 1.3 (#138) | |||
| * Define transport parameters as a TLS extension (#122) | * Define transport parameters as a TLS extension (#122) | |||
| * Define handling for protected packets before the handshake | * Define handling for protected packets before the handshake | |||
| completes (#39) | completes (#39) | |||
| * Decouple QUIC version and ALPN (#12) | * Decouple QUIC version and ALPN (#12) | |||
| B.21. Since draft-ietf-quic-tls-00 | B.22. Since draft-ietf-quic-tls-00 | |||
| * Changed bit used to signal key phase | * Changed bit used to signal key phase | |||
| * Updated key phase markings during the handshake | * Updated key phase markings during the handshake | |||
| * Added TLS interface requirements section | * Added TLS interface requirements section | |||
| * Moved to use of TLS exporters for key derivation | * Moved to use of TLS exporters for key derivation | |||
| * Moved TLS error code definitions into this document | * Moved TLS error code definitions into this document | |||
| B.22. Since draft-thomson-quic-tls-01 | B.23. Since draft-thomson-quic-tls-01 | |||
| * Adopted as base for draft-ietf-quic-tls | * Adopted as base for draft-ietf-quic-tls | |||
| * Updated authors/editors list | * Updated authors/editors list | |||
| * Added status note | * Added status note | |||
| Contributors | Contributors | |||
| The IETF QUIC Working Group received an enormous amount of support | The IETF QUIC Working Group received an enormous amount of support | |||
| End of changes. 41 change blocks. | ||||
| 68 lines changed or deleted | 83 lines changed or added | |||