Using TLS to Secure QUIC
draft-ietf-quic-tls-24

This is an older version of an Internet-Draft that was ultimately published as RFC 9001.
Authors Martin Thomson, Sean Turner
Last updated 2019-11-03 (Latest revision 2019-09-11)
Replaces draft-thomson-quic-tls
RFC stream Internet Engineering Task Force (IETF)
Stream WG state WG Document
IESG IESG state Became RFC 9001 (Proposed Standard)
Internet-Draft          Using TLS to Secure QUIC           November 2019

A.2.  Client Initial

   The client sends an Initial packet.  The unprotected payload of this
   packet contains the following CRYPTO frame, plus enough PADDING
   frames to make a 1162 byte payload:

   060040c4010000c003036660261ff947 cea49cce6cfad687f457cf1b14531ba1
   4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006
   736572766572ff01000100000a001400 12001d00170018001901000101010201
   03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f
   2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403
   05030603020308040805080604010501 060102010402050206020202002d0002
   0101001c00024001

   The unprotected header includes the connection ID and a 4 byte packet
   number encoding for a packet number of 2:

   c3ff000017088394c8f03e5157080000449e00000002

   Protecting the payload produces output that is sampled for header
   protection.  Because the header uses a 4 byte packet number encoding,
   the first 16 bytes of the protected payload are sampled, and the
   resulting mask is applied to the header:

   sample = 535064a4268a0d9d7b1c9d250ae35516

   mask = AES-ECB(hp, sample)[0..4]
        = 833b343aaa

   header[0] ^= mask[0] & 0x0f
        = c0
   header[18..21] ^= mask[1..4]
        = 3b343aa8
   header = c0ff000017088394c8f03e5157080000449e3b343aa8

   The resulting protected packet is:

Thomson & Turner           Expires May 7, 2020                 [Page 43]

A.3.  Server Initial

   The server sends the following payload in response, including an ACK
   frame, a CRYPTO frame, and no PADDING frames:

   0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988
   cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d
   89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002
   0304

   The header from the server includes a new connection ID and a 2-byte
   packet number encoding for a packet number of 1:

   c1ff0000170008f067a5502a4262b50040740001

   As a result, after protection, the header protection sample is taken
   starting from the third protected octet:

   sample = 7002596f99ae67abf65a5852f54f58c3
   mask   = 38168a0c25
   header = c9ff0000170008f067a5502a4262b5004074168b

   The final protected packet is then:

   c9ff0000170008f067a5502a4262b500 4074168bf22b7002596f99ae67abf65a
   5852f54f58c37c808682e2e40492d8a3 899fb04fc0afe9aabc8767b18a0aa493
   537426373b48d502214dd856d63b78ce e37bc664b3fe86d487ac7a77c53038a3
   cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92b9cf9bb6d091ddfc8b32d
   432348a2c413
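
   The header protection steps of A.2 and A.3, as an added example that
   is not part of the draft.  The function names are illustrative, and
   the masks are taken from the text as inputs because the hp key is not
   derived in this appendix.

```python
# Added example, not from the draft: header protection steps of A.2 / A.3.
# Masks are the AES-ECB outputs printed in the draft; no hp key is derived here.

def varint(buf, off):
    """Decode a QUIC variable-length integer; return (value, next offset)."""
    n = 1 << (buf[off] >> 6)                 # 1, 2, 4 or 8 bytes
    val = buf[off] & 0x3F
    for b in buf[off + 1:off + n]:
        val = (val << 8) | b
    return val, off + n

def pn_offset(pkt):
    """Index of the Packet Number field in an Initial packet (draft-24 layout)."""
    off = 5                                  # flags byte + 4-byte version
    off += 1 + pkt[off]                      # DCID length byte + DCID
    off += 1 + pkt[off]                      # SCID length byte + SCID
    tok_len, off = varint(pkt, off)
    off += tok_len                           # Token
    _, off = varint(pkt, off)                # Length field
    return off

def sample_of(pkt):
    """Sample 16 bytes starting 4 bytes past the PN offset, whatever the PN length."""
    start = pn_offset(pkt) + 4
    return pkt[start:start + 16]

def protect(header, mask):
    out = bytearray(header)
    pn_len = (out[0] & 0x03) + 1             # read PN length before masking byte 0
    out[0] ^= mask[0] & 0x0F                 # long header: low four bits only
    for i in range(pn_len):
        out[len(out) - pn_len + i] ^= mask[1 + i]
    return bytes(out)

def unprotect(pkt, mask):
    """Return (unprotected header, packet number) for a protected packet prefix."""
    out = bytearray(pkt)
    out[0] ^= mask[0] & 0x0F                 # unmask byte 0 first to learn PN length
    pn_len = (out[0] & 0x03) + 1
    off = pn_offset(out)
    for i in range(pn_len):
        out[off + i] ^= mask[1 + i]
    return bytes(out[:off + pn_len]), int.from_bytes(out[off:off + pn_len], "big")

# Values copied from A.2 and A.3 (protected packets truncated after the sample).
CLIENT_HDR = bytes.fromhex("c3ff000017088394c8f03e5157080000449e00000002")
CLIENT_PKT = bytes.fromhex("c0ff000017088394c8f03e5157080000449e3b343aa8"
                           "535064a4268a0d9d7b1c9d250ae35516")
SERVER_PKT = bytes.fromhex("c9ff0000170008f067a5502a4262b5004074168bf22b"
                           "7002596f99ae67abf65a5852f54f58c3")
```

   The sample position never depends on the packet number length, which
   is why the server's 2-byte encoding moves the sample to the third
   protected octet while the client's 4 byte encoding starts it at the
   first.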

Appendix B.  Change Log

      *RFC Editor's Note:* Please remove this section prior to
      publication of a final version of this document.

   Issue and pull request numbers are listed with a leading octothorp.

B.1.  Since draft-ietf-quic-tls-23

   o  Key update text update (#3050):

      *  Recommend constant-time key replacement (#2792)

      *  Provide explicit labels for key update key derivation (#3054)

   o  Allow first Initial from a client to span multiple packets (#2928,
      #3045)

   o  PING can be sent at any encryption level (#3034, #3035)

B.2.  Since draft-ietf-quic-tls-22

   o  Update the salt used for Initial secrets (#2887, #2980)

B.3.  Since draft-ietf-quic-tls-21

   o  No changes

B.4.  Since draft-ietf-quic-tls-20

   o  Mandate the use of the QUIC transport parameters extension (#2528,
      #2560)

   o  Define handshake completion and confirmation; define clearer rules
      for when encryption keys should be discarded (#2214, #2267, #2673)

B.5.  Since draft-ietf-quic-tls-18

   o  Increased the set of permissible frames in 0-RTT (#2344, #2355)

   o  Transport parameter extension is mandatory (#2528, #2560)

B.6.  Since draft-ietf-quic-tls-17

   o  Endpoints discard initial keys as soon as handshake keys are
      available (#1951, #2045)

   o  Use of ALPN or equivalent is mandatory (#2263, #2284)

B.7.  Since draft-ietf-quic-tls-14

   o  Update the salt used for Initial secrets (#1970)

   o  Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019)

   o  Change header protection

      *  Sample from a fixed offset (#1575, #2030)

      *  Cover part of the first byte, including the key phase (#1322,
         #2006)

   o  TLS provides an AEAD and KDF function (#2046)

      *  Clarify that the TLS KDF is used with TLS (#1997)

      *  Change the labels for calculation of QUIC keys (#1845, #1971,
         #1991)

   o  Initial keys are discarded once Handshake keys are available
      (#1951, #2045)

B.8.  Since draft-ietf-quic-tls-13

   o  Updated to TLS 1.3 final (#1660)

B.9.  Since draft-ietf-quic-tls-12

   o  Changes to integration of the TLS handshake (#829, #1018, #1094,
      #1165, #1190, #1233, #1242, #1252, #1450)

      *  The cryptographic handshake uses CRYPTO frames, not stream 0

      *  QUIC packet protection is used in place of TLS record
         protection

      *  Separate QUIC packet number spaces are used for the handshake

      *  Changed Retry to be independent of the cryptographic handshake

      *  Limit the use of HelloRetryRequest to address TLS needs (like
         key shares)

   o  Changed codepoint of TLS extension (#1395, #1402)

B.10.  Since draft-ietf-quic-tls-11

   o  Encrypted packet numbers.

B.11.  Since draft-ietf-quic-tls-10

   o  No significant changes.

B.12.  Since draft-ietf-quic-tls-09

   o  Cleaned up key schedule and updated the salt used for handshake
      packet protection (#1077)

B.13.  Since draft-ietf-quic-tls-08

   o  Specify value for max_early_data_size to enable 0-RTT (#942)

   o  Update key derivation function (#1003, #1004)

B.14.  Since draft-ietf-quic-tls-07

   o  Handshake errors can be reported with CONNECTION_CLOSE (#608,
      #891)

B.15.  Since draft-ietf-quic-tls-05

   No significant changes.

B.16.  Since draft-ietf-quic-tls-04

   o  Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)

B.17.  Since draft-ietf-quic-tls-03

   No significant changes.

B.18.  Since draft-ietf-quic-tls-02

   o  Updates to match changes in transport draft

B.19.  Since draft-ietf-quic-tls-01

   o  Use TLS alerts to signal TLS errors (#272, #374)

   o  Require ClientHello to fit in a single packet (#338)

   o  The second client handshake flight is now sent in the clear (#262,
      #337)

   o  The QUIC header is included as AEAD Associated Data (#226, #243,
      #302)

   o  Add interface necessary for client address validation (#275)

   o  Define peer authentication (#140)

   o  Require at least TLS 1.3 (#138)

   o  Define transport parameters as a TLS extension (#122)

   o  Define handling for protected packets before the handshake
      completes (#39)

   o  Decouple QUIC version and ALPN (#12)

B.20.  Since draft-ietf-quic-tls-00

   o  Changed bit used to signal key phase

   o  Updated key phase markings during the handshake

   o  Added TLS interface requirements section

   o  Moved to use of TLS exporters for key derivation

   o  Moved TLS error code definitions into this document

B.21.  Since draft-thomson-quic-tls-01

   o  Adopted as base for draft-ietf-quic-tls

   o  Updated authors/editors list

   o  Added status note

Acknowledgments

   This document has benefited from input from Dragana Damjanovic,
   Christian Huitema, Jana Iyengar, Adam Langley, Roberto Peon, Eric
   Rescorla, Ian Swett, and many others.

Contributors

   Ryan Hamilton was originally an author of this specification.

Authors' Addresses

   Martin Thomson (editor)
   Mozilla

   Email: mt@lowentropy.net

   Sean Turner (editor)
   sn3rd

   Email: sean@sn3rd.com
