rfcdiff: draft-ietf-tls-cached-info-06.txt -> draft-ietf-tls-cached-info-07.txt

INTERNET-DRAFT                                  S. Santesson (3xA Security)
Intended Status: Proposed Standard
Expires: October 1, 2010                                     March 30, 2010

        Transport Layer Security (TLS) Cached Information Extension
                    <draft-ietf-tls-cached-info-07.txt>
              (-06 was <draft-ietf-tls-cached-info-06.txt>)

Abstract

This document defines a Transport Layer Security (TLS) extension for
cached information. This extension allows the TLS client to inform a
server of cached information from previous TLS sessions, allowing the
server to omit sending cached static information to the client during
the TLS handshake protocol exchange.

Status of this Memo
[skipping to change at page 2, line 25]

to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Cached Information Extension . . . . . . . . . . . . . . . . . 4
3. Extension Exchange . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Reconnaissance . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Cached Information . . . . . . . . . . . . . . . . . . . . 5
4. Data Substitution . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Data Substitution Syntax for certificate_chain . . . . . . 6
4.2. Data Substitution Syntax for trusted_cas . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. Normative References . . . . . . . . . . . . . . . . . . . . . 9
Annex A - 64 bit FNV-1a digest . . . . . . . . . . . . . . . . . 10
A.1. Definition (Normative) . . . . . . . . . . . . . . . . . 10
A.2 Java code sample (Informative) . . . . . . . . . . . . . 11
A.3. C code sample (Informative) . . . . . . . . . . . . . . . 12
A.4. Digest samples (Informative) . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14

[-06 numbered the sections from "Extension Exchange" onward 4 through 9
(its table of contents had no section 3), listed A.2 as "Example code
(Informative)" and A.3 as "Digest samples (Informative)", and placed
Normative References on page 8 and Authors' Addresses on page 13. -07
renumbers those sections 3 through 8 and inserts the C code sample as
A.3.]

1. Introduction

TLS handshakes often include fairly static information such as the
server certificate and a list of trusted Certification Authorities (CAs).

Static information such as a server certificate can be of
considerable size. This is the case in particular if the server
certificate is bundled with a complete certificate path, including
all intermediate certificates up to the trust anchor public key.
[skipping to change at page 5, line 7]

certificate_list element of a server side Certificate message,
excluding the three length bytes of the certificate_list vector.

When CachedInformationType identifies trusted_cas, then digest_value
MUST include a digest calculated over the certificate_authorities
element of a server side CertificateRequest message, excluding the
two length bytes of the certificate_authorities vector.

Other specifications MAY define more CachedInformationType types.
3. Extension Exchange (4. in -06)

3.1. Reconnaissance (4.1. in -06)

A client MAY include an empty cached_information extension (with
empty extension_data field) in its (extended) client hello to query
whether the server supports cached information.

A server indicates that it supports cached information in handshakes
according to section 3.2 by including a cached_information extension
in its (extended) server hello.

3.2. Cached Information (4.2. in -06)

Clients MAY specify cached information from previous handshakes by
including a "cached_information" extension in the (extended) client
hello, which contains at least one cached object (CachedObject) for
each present object type (CachedInformationType), as specified in
section 2. Clients MAY need the ability to cache different values
depending on other information in the Client Hello that modifies what
values the server uses, in particular the Server Name Indication
[RFC4366] value. Clients sending a non-empty cached_information
extension MUST provide a 64 bit (8 byte) digest_value for each cached
[skipping to change at page 6, line 9]

o  A CachedObject with an empty digest_value indicates that the
   server supports caching of the specified object type
   (CachedInformationType), but does not specify any digest values
   it will accept.

o  A present non-empty digest_value indicates that the server will
   honor caching of objects of the specified type that matches the
   present digest value.
4. Data Substitution (5. in -06)

Following a successful exchange of "cached_information" extensions,
the server may substitute data objects in the handshake exchange with
a matching digest_value, representing a matching object type, received
from the client in its client hello.

The handshake protocol will proceed using the cached data as if it
was provided in the handshake protocol. The Finished message will
however be calculated over the actual data exchanged in the handshake
protocol. That is, the Finished message will be calculated over the

[skipping to change at page 6, line 31]

objects that were omitted from transmission.

Each CachedInformationType MUST specify how actual data is replaced
by a digest in a way that does not violate the defined syntax of
existing handshake messages. The substitution syntax for
certificate_chain(1) and trusted_cas(2) is provided below.

The server MUST NOT provide more than one digest value as
substitution for the cached data.
4.1. Data Substitution Syntax for certificate_chain (5.1. in -06)

When a digest for an object of type certificate_chain is provided in
the client hello, the server MAY substitute the cached data with a
matching digest value received from the client by expanding the
Certificate handshake message as follows.

Original handshake message syntax defined in RFC 5246 [RFC5246]:

   opaque ASN.1Cert<1..2^24-1>;

[skipping to change at page 7, line 14]

Substitution syntax is defined by expanding the definition of the
opaque ASN.1Cert structure:

   DigestInfo ASN.1Cert<1..2^24-1>;

   struct {
      opaque digest_value<0..8>;
   } DigestInfo;
4.2. Data Substitution Syntax for trusted_cas (5.2. in -06)

When a digest for an object of type trusted_cas is provided in the
client hello, the server MAY substitute the cached data with a
matching digest value received from the client by expanding the
CertificateRequest handshake message as follows.

Original handshake message syntax defined in RFC 5246 [RFC5246]:

   opaque DistinguishedName<1..2^16-1>;

[skipping to change at page 8, line 5]

The substitution syntax is defined by expanding the definition of the
opaque DistinguishedName structure:

   DigestInfo DistinguishedName<1..2^16-1>;

   struct {
      opaque digest_value<0..8>;
   } DigestInfo;
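The exchange of sections 3 and 4 carried through end to end, as an added example that is not part of the draft or of any implementation it references. It assumes a 2-byte length prefix on the CachedObject list inside extension_data (the CachedInformation struct itself is not shown on this page), uses placeholder bytes in place of DER certificates, and treats the 8-byte digest as something the client already computed when it first cached and validated the chain. The client-side checks (exactly one DigestInfo, unknown digest means fail and retry without the extension) and the transcript rule for Finished follow the text of section 4.

```python
"""cached_information exchange and certificate_chain substitution (sections 3, 4)."""

CERTIFICATE_CHAIN = 1            # CachedInformationType, IANA section
HANDSHAKE_TYPE_CERTIFICATE = 11  # RFC 5246 HandshakeType certificate(11)

def _vec(data: bytes, width: int) -> bytes:
    """TLS variable-length vector: big-endian length of `width` bytes, then data."""
    return len(data).to_bytes(width, "big") + data

def _read_vec(buf: bytes, pos: int, width: int):
    """Read the vector at `pos`; return (contents, position after it)."""
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if pos + n > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos:pos + n], pos + n

def encode_cached_information(objects) -> bytes:
    """extension_data: CachedObject {type (1 byte), digest_value<0..8>} entries.
    ASSUMPTION: the list has a 2-byte length; this page does not show the
    CachedInformation struct.  No entries gives the empty form of 3.1."""
    if not objects:
        return b""
    return _vec(b"".join(bytes([t]) + _vec(d, 1) for t, d in objects), 2)

def decode_cached_information(ext: bytes):
    """Inverse of encode_cached_information; b"" decodes to []."""
    if not ext:
        return []
    body, end = _read_vec(ext, 0, 2)
    if end != len(ext):
        raise ValueError("trailing bytes after CachedObject list")
    pos, out = 0, []
    while pos < len(body):
        t = body[pos]
        d, pos = _read_vec(body, pos + 1, 1)
        if len(d) not in (0, 8):           # servers may send empty, else 8 bytes
            raise ValueError("digest_value must be empty or 8 bytes")
        out.append((t, d))
    return out

def server_select(client_ext: bytes, static_digests: dict):
    """Server side of 3.2.  `static_digests` maps type -> digest of the object the
    server would otherwise send.  Echoes each match (one digest per type, per
    section 4) and returns (extension_data, {type: digest})."""
    chosen = {}
    for t, d in decode_cached_information(client_ext):
        if len(d) != 8:
            raise ValueError("clients MUST send an 8-byte digest_value")
        if static_digests.get(t) == d and t not in chosen:
            chosen[t] = d
    return encode_cached_information(list(chosen.items())), chosen

def certificate_body(entries) -> bytes:
    """RFC 5246 Certificate body: certificate_list<0..2^24-1> of ASN.1Cert<1..2^24-1>."""
    return _vec(b"".join(_vec(e, 3) for e in entries), 3)

def substituted_certificate_body(digest: bytes) -> bytes:
    """4.1: the only ASN.1Cert carries DigestInfo {digest_value<0..8>}, not DER."""
    return certificate_body([_vec(digest, 1)])

def client_resolve_chain(body: bytes, cache: dict, negotiated: bool):
    """Client side of section 4: the chain to validate, taken from `cache`
    (digest -> list of DER certs) when the server sent a DigestInfo instead."""
    lst, end = _read_vec(body, 0, 3)
    if end != len(body):
        raise ValueError("trailing bytes after certificate_list")
    entries, pos = [], 0
    while pos < len(lst):
        e, pos = _read_vec(lst, pos, 3)
        entries.append(e)
    # DigestInfo is 0x08 + 8 bytes; a DER certificate begins with 0x30 (SEQUENCE).
    marked = [e for e in entries if len(e) == 9 and e[0] == 8]
    if not negotiated or not marked:
        return entries                 # ordinary Certificate message
    if len(entries) != 1:
        raise ValueError("server MUST NOT send more than one digest value")
    digest = marked[0][1:]
    if digest not in cache:
        raise ValueError("unknown digest: fail and retry without the extension")
    return cache[digest]

def transcript_bytes(wire_body: bytes) -> bytes:
    """Section 4: Finished covers the handshake header plus the bytes actually
    sent, not the cached chain the client expanded them to."""
    return bytes([HANDSHAKE_TYPE_CERTIFICATE]) + _vec(wire_body, 3)

# Constructed sample data: placeholder bytes shaped like DER, not real
# certificates, and the digest the client stored when it first cached the chain.
FAKE_CHAIN = [b"\x30\x10leaf-certificate", b"\x30\x0cintermediate"]
FAKE_DIGEST = bytes.fromhex("0123456789abcdef")

def run_exchange(client_digest: bytes = FAKE_DIGEST):
    """Full round trip: (server extension_data, wire Certificate body, chain used)."""
    client_ext = encode_cached_information([(CERTIFICATE_CHAIN, client_digest)])
    server_ext, chosen = server_select(client_ext, {CERTIFICATE_CHAIN: FAKE_DIGEST})
    if CERTIFICATE_CHAIN in chosen:
        wire = substituted_certificate_body(chosen[CERTIFICATE_CHAIN])
    else:
        wire = certificate_body(FAKE_CHAIN)
    negotiated = (CERTIFICATE_CHAIN, client_digest) in decode_cached_information(server_ext)
    return server_ext, wire, client_resolve_chain(wire, {FAKE_DIGEST: FAKE_CHAIN}, negotiated)
```

With a matching digest the Certificate body on the wire shrinks to 15 bytes (3-byte list length, 3-byte entry length, the 1-byte digest_value length and 8 digest bytes), and that 15-byte body, not the expanded chain, is what both sides feed into the Finished computation. A client whose digest the server does not recognise simply receives the full chain and validates it as usual.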
5. Security Considerations (6. in -06)

The digest algorithm used in this specification is required to have
reasonable random properties in order to provide reasonably unique
identifiers. There is no requirement that this digest algorithm must
have strong collision resistance. A non-unique digest may at most
lead to a failed TLS handshake followed by a new attempt without the
cached information extension. There are no identified security
threats that require the selected digest algorithm to have strong
collision resistance.
6. IANA Considerations (7. in -06)

1) Create an entry, cached_information(TBD), in the existing registry
   for ExtensionType (defined in RFC 5246 [RFC5246]).

2) Establish a registry for TLS CachedInformationType values. The
   first entries in the registry are certificate_chain(1) and
   trusted_cas(2). TLS CachedInformationType values in the inclusive
   range 0-63 (decimal) are assigned via RFC 5226 [RFC5226] Standards
   Action. Values from the inclusive range 64-223 (decimal) are
   assigned via RFC 5226 Specification Required. Values from the
   inclusive range 224-255 (decimal) are reserved for RFC 5226
   Private Use.
7. Acknowledgements (8. in -06)

The author acknowledges input from many members of the TLS working
group, Martin Rex for extensive review and input, and Marsh Ray and
Simon Josefsson for coding and test vectors.

[-06 read: "... Martin Rex for extensive review and input and Marsh
Ray for testing and providing digest samples."]

8. Normative References (9. in -06)

[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997

[RFC5226] T. Narten, H. Alvestrand, "Guidelines for Writing an IANA
          Considerations Section in RFCs", RFC 5226, May 2008

[RFC5246] T. Dierks, E. Rescorla, "The Transport Layer Security
          (TLS) Protocol Version 1.2", RFC 5246, August 2008
[skipping to change at page 11, line 5]

o  The FNV_prime is the 64-bit FNV prime value: 1099511628211.

o  The multiply function (indicated by the '*' symbol) returns the
   lower 64-bits of the product.

o  The XOR is an 8-bit operation that modifies only the lower 8-bits
   of the digest value.

o  The digest value returned is a 64-bit unsigned integer.
A.2 Java code sample (Informative)

["A.2 Example code (Informative)" in -06, whose header comment read
"Java example code implementing FNV-1a according to Annex A". The
sample is completed here with the offset basis and loop header that
the diff view skips, and made to digest octets rather than Java chars,
so that the XOR touches only 8 bits as A.1 requires.]

   /**
    * Java code sample, implementing 64 bit FNV-1a
    * By Stefan Santesson
    */
   import java.math.BigInteger;
   import java.nio.charset.StandardCharsets;

   public class FNV {

     /* Digest over raw octets, as the extension requires: A.1 XORs one
        8-bit value at a time.  BigInteger keeps the unsigned 64-bit
        arithmetic explicit. */
     static public BigInteger getFNV1a64Digest (byte[] input) {
       BigInteger m = new BigInteger("2").pow(64);
       BigInteger fnvPrime = new BigInteger("1099511628211");
       BigInteger digest = new BigInteger("14695981039346656037"); // offset basis

       for (int i = 0; i < input.length; i++) {
         // & 0xff undoes Java's sign extension so exactly 8 bits are XORed
         digest = digest.xor(BigInteger.valueOf(input[i] & 0xff));
         digest = digest.multiply(fnvPrime).mod(m);
       }
       return (digest);
     }

     /* Convenience wrapper for the string samples in A.4; the string is
        taken as ASCII so that every char is a single octet. */
     static public BigInteger getFNV1a64Digest (String inpString) {
       return getFNV1a64Digest(inpString.getBytes(StandardCharsets.US_ASCII));
     }
   }
A.3. C code sample (Informative)

[New in -07. In -06, A.3 was "Digest samples (Informative)", introduced
with "Digest samples for 64 bit FNV-1a according to A.1."; -07 moves
the samples to A.4.]

fnv1a64.h:

   #ifndef FNV1A64_H
   #define FNV1A64_H

   #include <string.h> /* For size_t */
   #include <stdint.h> /* For uint64_t */

   extern uint64_t fnv1a64 (const uint8_t *buffer, size_t len);

   #endif

fnv1a64.c:

   /* fnv1a.c -- Implementation of the FNV-1A non-cryptographic
    * hash function.
    * By Simon Josefsson <simon@josefsson.org> on 2010-03-30.
    */

   #include "fnv1a64.h"

   #define FNV1A64_OFFSET_BASIS 14695981039346656037ULL
   #define FNV1A64_PRIME 1099511628211ULL

   uint64_t
   fnv1a64 (const uint8_t *buffer, size_t len)
   {
     uint64_t hash;
     size_t i;

     hash = FNV1A64_OFFSET_BASIS;
     for (i = 0; i < len; i++)
       {
         hash = hash ^ buffer[i];
         hash = hash * FNV1A64_PRIME;
       }

     return hash;
   }

A.4. Digest samples (Informative)

Digest samples for 64 bit FNV-1a
For input data:
   null ("")
   0 bytes
Digest is: CB F2 9C E4 84 22 23 25

For input data:
   hex: 61 ("a")
   1 byte
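What the digest_value of section 2 is actually computed over, together with the Annex A digest itself, as an added example (not the draft's own code). It reproduces the A.4 sample for the empty input and derives the certificate_chain and trusted_cas digests from constructed TLS 1.2 message bodies: the "certificates" and names are placeholder bytes shaped like DER, not real X.509 data, and emitting the 64-bit value most significant byte first follows the order in which A.4 prints its samples (the draft text shown here does not state the wire order, so that is an assumption).

```python
"""digest_value computation for certificate_chain and trusted_cas (section 2, Annex A)."""

FNV64_OFFSET_BASIS = 14695981039346656037
FNV64_PRIME = 1099511628211
MASK64 = (1 << 64) - 1

def fnv1a64(data: bytes) -> int:
    """Annex A.1: per octet, XOR into the low 8 bits of the state, then multiply
    by the prime and keep the low 64 bits of the product."""
    h = FNV64_OFFSET_BASIS
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h

def digest_value(data: bytes) -> bytes:
    """The 8-byte digest_value carried in a CachedObject.  Most significant byte
    first, the order the A.4 samples are printed in (assumed to be the wire order)."""
    return fnv1a64(data).to_bytes(8, "big")

def _vec(data: bytes, width: int) -> bytes:
    """TLS variable-length vector: big-endian length of `width` bytes, then data."""
    return len(data).to_bytes(width, "big") + data

def _read_vec(buf: bytes, pos: int, width: int):
    """Read the vector at `pos`; return (contents, position after it)."""
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if pos + n > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos:pos + n], pos + n

def certificate_chain_digest(certificate_body: bytes) -> bytes:
    """Section 2, certificate_chain: digest over the certificate_list element of the
    Certificate message minus its 3 length bytes.  Each ASN.1Cert keeps its own
    3-byte length, so the digest covers the chain as serialised, not the DER alone."""
    lst, end = _read_vec(certificate_body, 0, 3)
    if end != len(certificate_body):
        raise ValueError("trailing bytes after certificate_list")
    return digest_value(lst)

def trusted_cas_digest(certificate_request_body: bytes) -> bytes:
    """Section 2, trusted_cas: digest over certificate_authorities of a TLS 1.2
    CertificateRequest minus its 2 length bytes.  RFC 5246 7.4.4 lays the body out
    as certificate_types<1..2^8-1>, supported_signature_algorithms<2..2^16-2>,
    certificate_authorities<0..2^16-1>, so the first two vectors are skipped."""
    _, pos = _read_vec(certificate_request_body, 0, 1)    # certificate_types
    _, pos = _read_vec(certificate_request_body, pos, 2)  # supported_signature_algorithms
    cas, end = _read_vec(certificate_request_body, pos, 2)
    if end != len(certificate_request_body):
        raise ValueError("trailing bytes after certificate_authorities")
    return digest_value(cas)

# Constructed sample messages.  The "certificates" and names are placeholder
# bytes shaped like DER (0x30 = SEQUENCE), not real X.509 data.
SAMPLE_CHAIN = [b"\x30\x10leaf-certificate", b"\x30\x0cintermediate"]
SAMPLE_CERTIFICATE_BODY = _vec(b"".join(_vec(c, 3) for c in SAMPLE_CHAIN), 3)

SAMPLE_CAS = [b"\x30\x07root-ca", b"\x30\x08other-ca"]
SAMPLE_CERT_REQUEST_BODY = (
    _vec(b"\x01\x40", 1)                 # rsa_sign(1), ecdsa_sign(64)
    + _vec(b"\x04\x01\x04\x03", 2)       # sha256+rsa, sha256+ecdsa
    + _vec(b"".join(_vec(dn, 2) for dn in SAMPLE_CAS), 2)
)
```

The two helpers also make the section 2 scoping rule concrete: hashing the whole Certificate body (with its outer length) gives a different digest than hashing the certificate_list contents, so a client that caches the wrong span will never get a match and the extension silently buys nothing.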
End of changes. 19 change blocks. 31 lines changed or deleted, 75 lines changed or added.

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/