| < draft-ietf-tls-tls13-27.txt | draft-ietf-tls-tls13-28.txt > | |||
|---|---|---|---|---|
| Network Working Group E. Rescorla | Network Working Group E. Rescorla | |||
| Internet-Draft RTFM, Inc. | Internet-Draft RTFM, Inc. | |||
| Obsoletes: 5077, 5246, 6961 (if March 18, 2018 | Obsoletes: 5077, 5246, 6961 (if March 20, 2018 | |||
| approved) | approved) | |||
| Updates: 4492, 5705, 6066 (if approved) | Updates: 4492, 5705, 6066 (if approved) | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: September 19, 2018 | Expires: September 21, 2018 | |||
| The Transport Layer Security (TLS) Protocol Version 1.3 | The Transport Layer Security (TLS) Protocol Version 1.3 | |||
| draft-ietf-tls-tls13-27 | draft-ietf-tls-tls13-28 | |||
| Abstract | Abstract | |||
| This document specifies version 1.3 of the Transport Layer Security | This document specifies version 1.3 of the Transport Layer Security | |||
| (TLS) protocol. TLS allows client/server applications to communicate | (TLS) protocol. TLS allows client/server applications to communicate | |||
| over the Internet in a way that is designed to prevent eavesdropping, | over the Internet in a way that is designed to prevent eavesdropping, | |||
| tampering, and message forgery. | tampering, and message forgery. | |||
| This document updates RFCs 4492, 5705, and 6066 and it obsoletes RFCs | This document updates RFCs 4492, 5705, and 6066 and it obsoletes RFCs | |||
| 5077, 5246, and 6961. This document also specifies new requirements | 5077, 5246, and 6961. This document also specifies new requirements | |||
| skipping to change at page 1, line 40 | skipping to change at page 1, line 40 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 19, 2018. | This Internet-Draft will expire on September 21, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 30 | skipping to change at page 2, line 30 | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 6 | 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 6 | |||
| 1.2. Change Log . . . . . . . . . . . . . . . . . . . . . . . 7 | 1.2. Change Log . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1.3. Major Differences from TLS 1.2 . . . . . . . . . . . . . 16 | 1.3. Major Differences from TLS 1.2 . . . . . . . . . . . . . 16 | |||
| 1.4. Updates Affecting TLS 1.2 . . . . . . . . . . . . . . . . 17 | 1.4. Updates Affecting TLS 1.2 . . . . . . . . . . . . . . . . 17 | |||
| 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 17 | 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 2.1. Incorrect DHE Share . . . . . . . . . . . . . . . . . . . 20 | 2.1. Incorrect DHE Share . . . . . . . . . . . . . . . . . . . 21 | |||
| 2.2. Resumption and Pre-Shared Key (PSK) . . . . . . . . . . . 21 | 2.2. Resumption and Pre-Shared Key (PSK) . . . . . . . . . . . 22 | |||
| 2.3. 0-RTT Data . . . . . . . . . . . . . . . . . . . . . . . 23 | 2.3. 0-RTT Data . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 3. Presentation Language . . . . . . . . . . . . . . . . . . . . 25 | 3. Presentation Language . . . . . . . . . . . . . . . . . . . . 26 | |||
| 3.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 25 | 3.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 26 | |||
| 3.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 25 | 3.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 3.3. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 3.3. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 3.4. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 3.4. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 3.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 27 | 3.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 3.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 28 | 3.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 29 | |||
| 3.7. Constants . . . . . . . . . . . . . . . . . . . . . . . . 28 | 3.7. Constants . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 3.8. Variants . . . . . . . . . . . . . . . . . . . . . . . . 29 | 3.8. Variants . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 4. Handshake Protocol . . . . . . . . . . . . . . . . . . . . . 30 | 4. Handshake Protocol . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 4.1. Key Exchange Messages . . . . . . . . . . . . . . . . . . 31 | 4.1. Key Exchange Messages . . . . . . . . . . . . . . . . . . 32 | |||
| 4.1.1. Cryptographic Negotiation . . . . . . . . . . . . . . 31 | 4.1.1. Cryptographic Negotiation . . . . . . . . . . . . . . 32 | |||
| 4.1.2. Client Hello . . . . . . . . . . . . . . . . . . . . 32 | 4.1.2. Client Hello . . . . . . . . . . . . . . . . . . . . 33 | |||
| 4.1.3. Server Hello . . . . . . . . . . . . . . . . . . . . 35 | 4.1.3. Server Hello . . . . . . . . . . . . . . . . . . . . 36 | |||
| 4.1.4. Hello Retry Request . . . . . . . . . . . . . . . . . 37 | 4.1.4. Hello Retry Request . . . . . . . . . . . . . . . . . 38 | |||
| 4.2. Extensions . . . . . . . . . . . . . . . . . . . . . . . 39 | 4.2. Extensions . . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 4.2.1. Supported Versions . . . . . . . . . . . . . . . . . 42 | 4.2.1. Supported Versions . . . . . . . . . . . . . . . . . 43 | |||
| 4.2.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 | 4.2.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 4.2.3. Signature Algorithms . . . . . . . . . . . . . . . . 45 | 4.2.3. Signature Algorithms . . . . . . . . . . . . . . . . 46 | |||
| 4.2.4. Certificate Authorities . . . . . . . . . . . . . . . 49 | 4.2.4. Certificate Authorities . . . . . . . . . . . . . . . 50 | |||
| 4.2.5. OID Filters . . . . . . . . . . . . . . . . . . . . . 49 | 4.2.5. OID Filters . . . . . . . . . . . . . . . . . . . . . 50 | |||
| 4.2.6. Post-Handshake Client Authentication . . . . . . . . 50 | 4.2.6. Post-Handshake Client Authentication . . . . . . . . 51 | |||
| 4.2.7. Negotiated Groups . . . . . . . . . . . . . . . . . . 51 | 4.2.7. Negotiated Groups . . . . . . . . . . . . . . . . . . 52 | |||
| 4.2.8. Key Share . . . . . . . . . . . . . . . . . . . . . . 52 | 4.2.8. Key Share . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| 4.2.9. Pre-Shared Key Exchange Modes . . . . . . . . . . . . 55 | 4.2.9. Pre-Shared Key Exchange Modes . . . . . . . . . . . . 56 | |||
| 4.2.10. Early Data Indication . . . . . . . . . . . . . . . . 56 | 4.2.10. Early Data Indication . . . . . . . . . . . . . . . . 57 | |||
| 4.2.11. Pre-Shared Key Extension . . . . . . . . . . . . . . 59 | 4.2.11. Pre-Shared Key Extension . . . . . . . . . . . . . . 60 | |||
| 4.3. Server Parameters . . . . . . . . . . . . . . . . . . . . 62 | 4.3. Server Parameters . . . . . . . . . . . . . . . . . . . . 63 | |||
| 4.3.1. Encrypted Extensions . . . . . . . . . . . . . . . . 62 | 4.3.1. Encrypted Extensions . . . . . . . . . . . . . . . . 63 | |||
| 4.3.2. Certificate Request . . . . . . . . . . . . . . . . . 63 | 4.3.2. Certificate Request . . . . . . . . . . . . . . . . . 64 | |||
| 4.4. Authentication Messages . . . . . . . . . . . . . . . . . 64 | 4.4. Authentication Messages . . . . . . . . . . . . . . . . . 65 | |||
| 4.4.1. The Transcript Hash . . . . . . . . . . . . . . . . . 65 | 4.4.1. The Transcript Hash . . . . . . . . . . . . . . . . . 66 | |||
| 4.4.2. Certificate . . . . . . . . . . . . . . . . . . . . . 66 | 4.4.2. Certificate . . . . . . . . . . . . . . . . . . . . . 67 | |||
| 4.4.3. Certificate Verify . . . . . . . . . . . . . . . . . 71 | 4.4.3. Certificate Verify . . . . . . . . . . . . . . . . . 72 | |||
| 4.4.4. Finished . . . . . . . . . . . . . . . . . . . . . . 73 | 4.4.4. Finished . . . . . . . . . . . . . . . . . . . . . . 74 | |||
| 4.5. End of Early Data . . . . . . . . . . . . . . . . . . . . 74 | 4.5. End of Early Data . . . . . . . . . . . . . . . . . . . . 75 | |||
| 4.6. Post-Handshake Messages . . . . . . . . . . . . . . . . . 75 | 4.6. Post-Handshake Messages . . . . . . . . . . . . . . . . . 76 | |||
| 4.6.1. New Session Ticket Message . . . . . . . . . . . . . 75 | 4.6.1. New Session Ticket Message . . . . . . . . . . . . . 76 | |||
| 4.6.2. Post-Handshake Authentication . . . . . . . . . . . . 77 | 4.6.2. Post-Handshake Authentication . . . . . . . . . . . . 78 | |||
| 4.6.3. Key and IV Update . . . . . . . . . . . . . . . . . . 78 | 4.6.3. Key and IV Update . . . . . . . . . . . . . . . . . . 79 | |||
| 5. Record Protocol . . . . . . . . . . . . . . . . . . . . . . . 79 | 5. Record Protocol . . . . . . . . . . . . . . . . . . . . . . . 80 | |||
| 5.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 80 | 5.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 81 | |||
| 5.2. Record Payload Protection . . . . . . . . . . . . . . . . 82 | 5.2. Record Payload Protection . . . . . . . . . . . . . . . . 83 | |||
| 5.3. Per-Record Nonce . . . . . . . . . . . . . . . . . . . . 84 | 5.3. Per-Record Nonce . . . . . . . . . . . . . . . . . . . . 85 | |||
| 5.4. Record Padding . . . . . . . . . . . . . . . . . . . . . 85 | 5.4. Record Padding . . . . . . . . . . . . . . . . . . . . . 86 | |||
| 5.5. Limits on Key Usage . . . . . . . . . . . . . . . . . . . 86 | 5.5. Limits on Key Usage . . . . . . . . . . . . . . . . . . . 87 | |||
| 6. Alert Protocol . . . . . . . . . . . . . . . . . . . . . . . 86 | 6. Alert Protocol . . . . . . . . . . . . . . . . . . . . . . . 87 | |||
| 6.1. Closure Alerts . . . . . . . . . . . . . . . . . . . . . 88 | 6.1. Closure Alerts . . . . . . . . . . . . . . . . . . . . . 89 | |||
| 6.2. Error Alerts . . . . . . . . . . . . . . . . . . . . . . 89 | 6.2. Error Alerts . . . . . . . . . . . . . . . . . . . . . . 90 | |||
| 7. Cryptographic Computations . . . . . . . . . . . . . . . . . 92 | 7. Cryptographic Computations . . . . . . . . . . . . . . . . . 93 | |||
| 7.1. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 92 | 7.1. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 93 | |||
| 7.2. Updating Traffic Secrets . . . . . . . . . . . . . . . . 95 | 7.2. Updating Traffic Secrets . . . . . . . . . . . . . . . . 96 | |||
| 7.3. Traffic Key Calculation . . . . . . . . . . . . . . . . . 96 | 7.3. Traffic Key Calculation . . . . . . . . . . . . . . . . . 97 | |||
| 7.4. (EC)DHE Shared Secret Calculation . . . . . . . . . . . . 97 | 7.4. (EC)DHE Shared Secret Calculation . . . . . . . . . . . . 98 | |||
| 7.4.1. Finite Field Diffie-Hellman . . . . . . . . . . . . . 97 | 7.4.1. Finite Field Diffie-Hellman . . . . . . . . . . . . . 98 | |||
| 7.4.2. Elliptic Curve Diffie-Hellman . . . . . . . . . . . . 97 | 7.4.2. Elliptic Curve Diffie-Hellman . . . . . . . . . . . . 98 | |||
| 7.5. Exporters . . . . . . . . . . . . . . . . . . . . . . . . 98 | 7.5. Exporters . . . . . . . . . . . . . . . . . . . . . . . . 99 | |||
| 8. 0-RTT and Anti-Replay . . . . . . . . . . . . . . . . . . . . 98 | 8. 0-RTT and Anti-Replay . . . . . . . . . . . . . . . . . . . . 99 | |||
| 8.1. Single-Use Tickets . . . . . . . . . . . . . . . . . . . 100 | 8.1. Single-Use Tickets . . . . . . . . . . . . . . . . . . . 101 | |||
| 8.2. Client Hello Recording . . . . . . . . . . . . . . . . . 100 | 8.2. Client Hello Recording . . . . . . . . . . . . . . . . . 101 | |||
| 8.3. Freshness Checks . . . . . . . . . . . . . . . . . . . . 101 | 8.3. Freshness Checks . . . . . . . . . . . . . . . . . . . . 102 | |||
| 9. Compliance Requirements . . . . . . . . . . . . . . . . . . . 103 | 9. Compliance Requirements . . . . . . . . . . . . . . . . . . . 104 | |||
| 9.1. Mandatory-to-Implement Cipher Suites . . . . . . . . . . 103 | 9.1. Mandatory-to-Implement Cipher Suites . . . . . . . . . . 104 | |||
| 9.2. Mandatory-to-Implement Extensions . . . . . . . . . . . . 103 | 9.2. Mandatory-to-Implement Extensions . . . . . . . . . . . . 104 | |||
| 9.3. Protocol Invariants . . . . . . . . . . . . . . . . . . . 104 | 9.3. Protocol Invariants . . . . . . . . . . . . . . . . . . . 105 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 105 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 106 | |||
| 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 106 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 107 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 107 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 108 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 107 | 12.1. Normative References . . . . . . . . . . . . . . . . . . 108 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 110 | 12.2. Informative References . . . . . . . . . . . . . . . . . 111 | |||
| Appendix A. State Machine . . . . . . . . . . . . . . . . . . . 118 | Appendix A. State Machine . . . . . . . . . . . . . . . . . . . 119 | |||
| A.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 118 | A.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 119 | |||
| A.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 119 | A.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 120 | |||
| Appendix B. Protocol Data Structures and Constant Values . . . . 119 | Appendix B. Protocol Data Structures and Constant Values . . . . 120 | |||
| B.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 120 | B.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 121 | |||
| B.2. Alert Messages . . . . . . . . . . . . . . . . . . . . . 120 | B.2. Alert Messages . . . . . . . . . . . . . . . . . . . . . 121 | |||
| B.3. Handshake Protocol . . . . . . . . . . . . . . . . . . . 122 | B.3. Handshake Protocol . . . . . . . . . . . . . . . . . . . 123 | |||
| B.3.1. Key Exchange Messages . . . . . . . . . . . . . . . . 122 | B.3.1. Key Exchange Messages . . . . . . . . . . . . . . . . 123 | |||
| B.3.2. Server Parameters Messages . . . . . . . . . . . . . 127 | B.3.2. Server Parameters Messages . . . . . . . . . . . . . 128 | |||
| B.3.3. Authentication Messages . . . . . . . . . . . . . . . 128 | B.3.3. Authentication Messages . . . . . . . . . . . . . . . 129 | |||
| B.3.4. Ticket Establishment . . . . . . . . . . . . . . . . 129 | B.3.4. Ticket Establishment . . . . . . . . . . . . . . . . 130 | |||
| B.3.5. Updating Keys . . . . . . . . . . . . . . . . . . . . 130 | B.3.5. Updating Keys . . . . . . . . . . . . . . . . . . . . 131 | |||
| B.4. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 130 | B.4. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 131 | |||
| Appendix C. Implementation Notes . . . . . . . . . . . . . . . . 131 | Appendix C. Implementation Notes . . . . . . . . . . . . . . . . 132 | |||
| C.1. Random Number Generation and Seeding . . . . . . . . . . 131 | C.1. Random Number Generation and Seeding . . . . . . . . . . 132 | |||
| C.2. Certificates and Authentication . . . . . . . . . . . . . 132 | C.2. Certificates and Authentication . . . . . . . . . . . . . 133 | |||
| C.3. Implementation Pitfalls . . . . . . . . . . . . . . . . . 132 | C.3. Implementation Pitfalls . . . . . . . . . . . . . . . . . 133 | |||
| C.4. Client Tracking Prevention . . . . . . . . . . . . . . . 133 | C.4. Client Tracking Prevention . . . . . . . . . . . . . . . 134 | |||
| C.5. Unauthenticated Operation . . . . . . . . . . . . . . . . 134 | C.5. Unauthenticated Operation . . . . . . . . . . . . . . . . 135 | |||
| Appendix D. Backward Compatibility . . . . . . . . . . . . . . . 134 | Appendix D. Backward Compatibility . . . . . . . . . . . . . . . 135 | |||
| D.1. Negotiating with an older server . . . . . . . . . . . . 135 | D.1. Negotiating with an older server . . . . . . . . . . . . 136 | |||
| D.2. Negotiating with an older client . . . . . . . . . . . . 136 | D.2. Negotiating with an older client . . . . . . . . . . . . 137 | |||
| D.3. 0-RTT backwards compatibility . . . . . . . . . . . . . . 136 | D.3. 0-RTT backwards compatibility . . . . . . . . . . . . . . 137 | |||
| D.4. Middlebox Compatibility Mode . . . . . . . . . . . . . . 136 | D.4. Middlebox Compatibility Mode . . . . . . . . . . . . . . 137 | |||
| D.5. Backwards Compatibility Security Restrictions . . . . . . 137 | D.5. Backwards Compatibility Security Restrictions . . . . . . 138 | |||
| Appendix E. Overview of Security Properties . . . . . . . . . . 138 | Appendix E. Overview of Security Properties . . . . . . . . . . 139 | |||
| E.1. Handshake . . . . . . . . . . . . . . . . . . . . . . . . 138 | E.1. Handshake . . . . . . . . . . . . . . . . . . . . . . . . 139 | |||
| E.1.1. Key Derivation and HKDF . . . . . . . . . . . . . . . 141 | E.1.1. Key Derivation and HKDF . . . . . . . . . . . . . . . 142 | |||
| E.1.2. Client Authentication . . . . . . . . . . . . . . . . 142 | E.1.2. Client Authentication . . . . . . . . . . . . . . . . 143 | |||
| E.1.3. 0-RTT . . . . . . . . . . . . . . . . . . . . . . . . 142 | E.1.3. 0-RTT . . . . . . . . . . . . . . . . . . . . . . . . 143 | |||
| E.1.4. Exporter Independence . . . . . . . . . . . . . . . . 142 | E.1.4. Exporter Independence . . . . . . . . . . . . . . . . 143 | |||
| E.1.5. Post-Compromise Security . . . . . . . . . . . . . . 143 | E.1.5. Post-Compromise Security . . . . . . . . . . . . . . 144 | |||
| E.1.6. External References . . . . . . . . . . . . . . . . . 143 | E.1.6. External References . . . . . . . . . . . . . . . . . 144 | |||
| E.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 143 | E.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 144 | |||
| E.2.1. External References . . . . . . . . . . . . . . . . . 144 | E.2.1. External References . . . . . . . . . . . . . . . . . 145 | |||
| E.3. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 144 | E.3. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 145 | |||
| E.4. Side Channel Attacks . . . . . . . . . . . . . . . . . . 145 | E.4. Side Channel Attacks . . . . . . . . . . . . . . . . . . 146 | |||
| E.5. Replay Attacks on 0-RTT . . . . . . . . . . . . . . . . . 146 | E.5. Replay Attacks on 0-RTT . . . . . . . . . . . . . . . . . 147 | |||
| E.5.1. Replay and Exporters . . . . . . . . . . . . . . . . 147 | E.5.1. Replay and Exporters . . . . . . . . . . . . . . . . 148 | |||
| E.6. Attacks on Static RSA . . . . . . . . . . . . . . . . . . 148 | E.6. PSK Identity Exposure . . . . . . . . . . . . . . . . . . 149 | |||
| Appendix F. Working Group Information . . . . . . . . . . . . . 148 | E.7. Attacks on Static RSA . . . . . . . . . . . . . . . . . . 149 | |||
| Appendix G. Contributors . . . . . . . . . . . . . . . . . . . . 148 | Appendix F. Working Group Information . . . . . . . . . . . . . 149 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 155 | Appendix G. Contributors . . . . . . . . . . . . . . . . . . . . 149 | |||
| | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 156 | |||
| 1. Introduction | 1. Introduction | |||
| RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this | RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this | |||
| draft is maintained in GitHub. Suggested changes should be submitted | draft is maintained in GitHub. Suggested changes should be submitted | |||
| as pull requests at https://github.com/tlswg/tls13-spec. | as pull requests at https://github.com/tlswg/tls13-spec. | |||
| Instructions are on that page as well. Editorial changes can be | Instructions are on that page as well. Editorial changes can be | |||
| managed in GitHub, but any substantive change should be discussed on | managed in GitHub, but any substantive change should be discussed on | |||
| the TLS mailing list. | the TLS mailing list. | |||
| skipping to change at page 7, line 16 | skipping to change at page 7, line 16 | |||
| server: The endpoint which did not initiate the TLS connection. | server: The endpoint which did not initiate the TLS connection. | |||
| 1.2. Change Log | 1.2. Change Log | |||
| RFC EDITOR PLEASE DELETE THIS SECTION. | RFC EDITOR PLEASE DELETE THIS SECTION. | |||
| (*) indicates changes to the wire protocol which may require | (*) indicates changes to the wire protocol which may require | |||
| implementations to update. | implementations to update. | |||
| | draft-28 | |||
| | Add a section on exposure of PSK identities. | |||
| | draft-27 | |||
| | - SHOULD->MUST for being able to process "supported_versions" | |||
| | without 0x0304. | |||
| | - Much editorial cleanup. | |||
| draft-26 | draft-26 | |||
| - Clarify that you can't negotiate pre-TLS 1.3 with | - Clarify that you can't negotiate pre-TLS 1.3 with | |||
| supported_versions. | supported_versions. | |||
| draft-25 | draft-25 | |||
| - Add the header to additional data (*) | - Add the header to additional data (*) | |||
| - Minor clarifications. | - Minor clarifications. | |||
| skipping to change at page 15, line 40 | skipping to change at page 16, line 5 | |||
| - Merge in support for ECC from RFC 4492 but without explicit | - Merge in support for ECC from RFC 4492 but without explicit | |||
| curves. | curves. | |||
| - Remove the unnecessary length field from the AD input to AEAD | - Remove the unnecessary length field from the AD input to AEAD | |||
| ciphers. | ciphers. | |||
| - Rename {Client,Server}KeyExchange to {Client,Server}KeyShare. | - Rename {Client,Server}KeyExchange to {Client,Server}KeyShare. | |||
| - Add an explicit HelloRetryRequest to reject the client's. | - Add an explicit HelloRetryRequest to reject the client's. | |||
| draft-02 | ||||
| - Increment version number. | - Increment version number. | |||
| - Rework handshake to provide 1-RTT mode. | - Rework handshake to provide 1-RTT mode. | |||
| - Remove custom DHE groups. | - Remove custom DHE groups. | |||
| - Remove support for compression. | - Remove support for compression. | |||
| - Remove support for static RSA and DH key exchange. | - Remove support for static RSA and DH key exchange. | |||
| skipping to change at page 60, line 44 | skipping to change at page 61, line 44 | |||
| SHOULD simply be ignored. If no acceptable PSKs are found, the | SHOULD simply be ignored. If no acceptable PSKs are found, the | |||
| server SHOULD perform a non-PSK handshake if possible. If backwards | server SHOULD perform a non-PSK handshake if possible. If backwards | |||
| compatibility is important, client provided, externally established | compatibility is important, client provided, externally established | |||
| PSKs SHOULD influence cipher suite selection. | PSKs SHOULD influence cipher suite selection. | |||
| Prior to accepting PSK key establishment, the server MUST validate | Prior to accepting PSK key establishment, the server MUST validate | |||
| the corresponding binder value (see Section 4.2.11.2 below). If this | the corresponding binder value (see Section 4.2.11.2 below). If this | |||
| value is not present or does not validate, the server MUST abort the | value is not present or does not validate, the server MUST abort the | |||
| handshake. Servers SHOULD NOT attempt to validate multiple binders; | handshake. Servers SHOULD NOT attempt to validate multiple binders; | |||
| rather they SHOULD select a single PSK and validate solely the binder | rather they SHOULD select a single PSK and validate solely the binder | |||
| that corresponds to that PSK. See [Section 8.2] for the security | that corresponds to that PSK. See [Section 8.2] and [Appendix E.6] | |||
| rationale for this requirement. In order to accept PSK key | for the security rationale for this requirement. In order to accept | |||
| establishment, the server sends a "pre_shared_key" extension | PSK key establishment, the server sends a "pre_shared_key" extension | |||
| indicating the selected identity. | indicating the selected identity. | |||
| Clients MUST verify that the server's selected_identity is within the | Clients MUST verify that the server's selected_identity is within the | |||
| range supplied by the client, that the server selected a cipher suite | range supplied by the client, that the server selected a cipher suite | |||
| indicating a Hash associated with the PSK and that a server | indicating a Hash associated with the PSK and that a server | |||
| "key_share" extension is present if required by the ClientHello | "key_share" extension is present if required by the ClientHello | |||
| "psk_key_exchange_modes". If these values are not consistent the | "psk_key_exchange_modes". If these values are not consistent the | |||
| client MUST abort the handshake with an "illegal_parameter" alert. | client MUST abort the handshake with an "illegal_parameter" alert. | |||
| If the server supplies an "early_data" extension, the client MUST | If the server supplies an "early_data" extension, the client MUST | |||
| skipping to change at page 148, line 5 | skipping to change at page 149, line 5 | |||
| In particular, if these exporters are used as an authentication | In particular, if these exporters are used as an authentication | |||
| channel binding (e.g., by signing the output of the exporter) an | channel binding (e.g., by signing the output of the exporter) an | |||
| attacker who compromises the PSK can transplant authenticators | attacker who compromises the PSK can transplant authenticators | |||
| between connections without compromising the authentication key. | between connections without compromising the authentication key. | |||
| In addition, the early exporter SHOULD NOT be used to generate | In addition, the early exporter SHOULD NOT be used to generate | |||
| server-to-client encryption keys because that would entail the reuse | server-to-client encryption keys because that would entail the reuse | |||
| of those keys. This parallels the use of the early application | of those keys. This parallels the use of the early application | |||
| traffic keys only in the client-to-server direction. | traffic keys only in the client-to-server direction. | |||
| E.6. Attacks on Static RSA | E.6. PSK Identity Exposure | |||
| | Because implementations respond to an invalid PSK binder by aborting | |||
| | the handshake, it may be possible for an attacker to verify whether a | |||
| | given PSK identity is valid. Specifically, if a server accepts both | |||
| | external PSK and certificate-based handshakes, a valid PSK identity | |||
| | will result in a failed handshake, whereas an invalid identity will | |||
| | just be skipped and result in a successful certificate handshake. | |||
| | Servers which solely support PSK handshakes may be able to resist | |||
| | this form of attack by treating the cases where there is no valid PSK | |||
| | identity and where there is an identity but it has an invalid binder | |||
| | identically. | |||
| | E.7. Attacks on Static RSA | |||
| Although TLS 1.3 does not use RSA key transport and so is not | Although TLS 1.3 does not use RSA key transport and so is not | |||
| directly susceptible to Bleichenbacher-type attacks, if TLS 1.3 | directly susceptible to Bleichenbacher-type attacks, if TLS 1.3 | |||
| servers also support static RSA in the context of previous versions | servers also support static RSA in the context of previous versions | |||
| of TLS, then it may be possible to impersonate the server for TLS 1.3 | of TLS, then it may be possible to impersonate the server for TLS 1.3 | |||
| connections [JSS15]. TLS 1.3 implementations can prevent this attack | connections [JSS15]. TLS 1.3 implementations can prevent this attack | |||
| by disabling support for static RSA across all versions of TLS. In | by disabling support for static RSA across all versions of TLS. In | |||
| principle, implementations might also be able to separate | principle, implementations might also be able to separate | |||
| certificates with different keyUsage bits for static RSA decryption | certificates with different keyUsage bits for static RSA decryption | |||
| and RSA signature, but this technique relies on clients refusing to | and RSA signature, but this technique relies on clients refusing to | |||
| End of changes. 9 change blocks. | ||||
| 127 lines changed or deleted | 150 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
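The binder-validation rules of Section 4.2.11 and the identity-exposure note added in Appendix E.6 are illustrated by the following Python example, written for this page and not part of the draft: it computes the PSK binder as the key schedule defines it and shows a PSK-only server that handles an unknown identity and an invalid binder through one code path. The identities, PSKs, the ClientHello bytes and the table name PSK_DB are constructed, and SHA-256 is assumed as the Hash associated with the PSK.

```python
"""Added example (not text from the draft): the PSK binder of Section 4.2.11.2
and the unified failure path that Appendix E.6 recommends for PSK-only servers.
All PSKs, identities and ClientHello bytes below are constructed; the PSK's
associated Hash is taken to be SHA-256."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) using the PSK's hash."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (Section 7.1): info is the serialized HkdfLabel struct
    uint16 length || opaque label<7..255> || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages): the context is Transcript-Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def compute_binder(psk: bytes, truncated_client_hello: bytes, external: bool = True) -> bytes:
    """PskBinderEntry value: Early Secret -> binder_key -> finished_key, then an
    HMAC over the transcript hash of the ClientHello truncated just before the
    binders list.  (After a HelloRetryRequest the transcript would also cover
    ClientHello1 and the HRR; that case is not modelled here.)"""
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, psk)
    binder_key = derive_secret(early_secret, b"ext binder" if external else b"res binder", b"")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


# Constructed external-PSK table of a PSK-only server: identity -> PSK.
PSK_DB = {
    b"device-0042": bytes.fromhex("1f" * 32),
    b"device-0043": bytes.fromhex("2e" * 32),
}
# Stand-in key used when no offered identity is known, so the unknown-identity and
# bad-binder cases do the same work and end in the same alert (Appendix E.6).
DUMMY_PSK = bytes(HASH_LEN)


def server_select_psk(offered, truncated_client_hello: bytes):
    """offered: list of (identity, binder) pairs from the ClientHello, in order.
    Picks the first known identity and validates only its binder, as Section
    4.2.11 directs.  Returns (selected_identity index, None) on success or
    (None, alert) on failure; both failure cases yield "decrypt_error", the
    alert Section 6.2 names for a binder that does not validate."""
    if not offered:
        return None, "handshake_failure"  # PSK-only server: nothing to negotiate
    index, psk = 0, DUMMY_PSK
    for i, (identity, _binder) in enumerate(offered):
        if identity in PSK_DB:
            index, psk = i, PSK_DB[identity]
            break
    expected = compute_binder(psk, truncated_client_hello)
    if not hmac.compare_digest(expected, offered[index][1]):
        return None, "decrypt_error"
    return index, None


if __name__ == "__main__":
    ch = b"constructed ClientHello bytes up to (not including) the binders"
    good = compute_binder(PSK_DB[b"device-0043"], ch)
    print(server_select_psk([(b"device-0099", bytes(32)), (b"device-0043", good)], ch))
    print(server_select_psk([(b"device-0043", bytes(32))], ch))  # known id, bad binder
    print(server_select_psk([(b"device-0099", bytes(32))], ch))  # unknown id: same alert
```

A server that also offers certificate handshakes cannot use this trick, because an unknown identity falls through to a successful certificate handshake while a bad binder aborts; that asymmetry is exactly the oracle E.6 describes.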