| draft-ietf-tls-cached-info-06.txt | draft-ietf-tls-cached-info-07.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT S. Santesson (3xA Security) | INTERNET-DRAFT S. Santesson (3xA Security) | |||
| Intended Status: Proposed Standard | Intended Status: Proposed Standard | |||
| Expires: October 1, 2010 March 30, 2010 | Expires: October 1, 2010 March 30, 2010 | |||
| Transport Layer Security (TLS) Cached Information Extension | Transport Layer Security (TLS) Cached Information Extension | |||
| <draft-ietf-tls-cached-info-06.txt> | <draft-ietf-tls-cached-info-07.txt> | |||
| Abstract | Abstract | |||
| This document defines a Transport Layer Security (TLS) extension for | This document defines a Transport Layer Security (TLS) extension for | |||
| cached information. This extension allows the TLS client to inform a | cached information. This extension allows the TLS client to inform a | |||
| server of cached information from previous TLS sessions, allowing the | server of cached information from previous TLS sessions, allowing the | |||
| server to omit sending cached static information to the client during | server to omit sending cached static information to the client during | |||
| the TLS handshake protocol exchange. | the TLS handshake protocol exchange. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 2, line 25 | skipping to change at page 2, line 25 | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Cached Information Extension . . . . . . . . . . . . . . . . . 4 | 2. Cached Information Extension . . . . . . . . . . . . . . . . . 4 | |||
| 4. Extension Exchange . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Extension Exchange . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. Reconnaissance . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. Reconnaissance . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Cached Information . . . . . . . . . . . . . . . . . . . . 5 | 3.2. Cached Information . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Data Substitution . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Data Substitution . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Data Substitution Syntax for certificate_chain . . . . . . 6 | 4.1. Data Substitution Syntax for certificate_chain . . . . . . 6 | |||
| 5.2. Data Substitution Syntax for trusted_cas . . . . . . . . . 7 | 4.2. Data Substitution Syntax for trusted_cas . . . . . . . . . 7 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. Normative References . . . . . . . . . . . . . . . . . . . . . 8 | 8. Normative References . . . . . . . . . . . . . . . . . . . . . 9 | |||
| Annex A - 64 bit FNV-1a digest . . . . . . . . . . . . . . . . . 10 | Annex A - 64 bit FNV-1a digest . . . . . . . . . . . . . . . . . 10 | |||
| A.1. Definition (Normative) . . . . . . . . . . . . . . . . . 10 | A.1. Definition (Normative) . . . . . . . . . . . . . . . . . 10 | |||
| A.2 Example code (Informative) . . . . . . . . . . . . . . . 11 | A.2 Java code sample (Informative) . . . . . . . . . . . . . 11 | |||
| A.3. Digest samples (Informative) . . . . . . . . . . . . . . 12 | A.3. C code sample (Informative) . . . . . . . . . . . . . . . 12 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | A.4. Digest samples (Informative) . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Introduction | 1. Introduction | |||
| TLS handshakes often include fairly static information such as server | TLS handshakes often include fairly static information such as server | |||
| certificate and a list of trusted Certification Authorities (CAs). | certificate and a list of trusted Certification Authorities (CAs). | |||
| Static information such as a server certificate can be of | Static information such as a server certificate can be of | |||
| considerable size. This is the case in particular if the server | considerable size. This is the case in particular if the server | |||
| certificate is bundled with a complete certificate path, including | certificate is bundled with a complete certificate path, including | |||
| all intermediary certificates up to the trust anchor public key. | all intermediary certificates up to the trust anchor public key. | |||
| skipping to change at page 5, line 7 | skipping to change at page 5, line 7 | |||
| certificate_list element of a server side Certificate message, | certificate_list element of a server side Certificate message, | |||
| excluding the three length bytes of the certificate_list vector. | excluding the three length bytes of the certificate_list vector. | |||
| When CachedInformationType identifies trusted_cas, then digest_value | When CachedInformationType identifies trusted_cas, then digest_value | |||
| MUST include a digest calculated over the certificate_authorities | MUST include a digest calculated over the certificate_authorities | |||
| element of a server side CertificateRequest message, excluding the | element of a server side CertificateRequest message, excluding the | |||
| two length bytes of the certificate_authorities vector. | two length bytes of the certificate_authorities vector. | |||
| Other specifications MAY define more CachedInformationType types. | Other specifications MAY define more CachedInformationType types. | |||
| 4. Extension Exchange | 3. Extension Exchange | |||
| 4.1. Reconnaissance | 3.1. Reconnaissance | |||
| A client MAY include an empty cached_information extension (with | A client MAY include an empty cached_information extension (with | |||
| empty extension_data field) in its (extended) client hello to query | empty extension_data field) in its (extended) client hello to query | |||
| whether the server supports cached information. | whether the server supports cached information. | |||
| A server indicates that it supports cached information in handshakes | A server indicates that it supports cached information in handshakes | |||
| according to section 4.2. by including a cached_information extension | according to section 3.2. by including a cached_information extension | |||
| in its (extended) server hello. | in its (extended) server hello. | |||
| 4.2. Cached Information | 3.2. Cached Information | |||
| Clients MAY specify cached information from previous handshakes by | Clients MAY specify cached information from previous handshakes by | |||
| including a "cached_information" extension in the (extended) client | including a "cached_information" extension in the (extended) client | |||
| hello, which contains at least one cached object (CachedObject) for | hello, which contains at least one cached object (CachedObject) for | |||
| each present object type (CachedInformationType), as specified in | each present object type (CachedInformationType), as specified in | |||
| section 2. Clients MAY need the ability to cache different values | section 2. Clients MAY need the ability to cache different values | |||
| depending on other information in the Client Hello that modify what | depending on other information in the Client Hello that modify what | |||
| values the server uses, in particular the Server Name Indication | values the server uses, in particular the Server Name Indication | |||
| [RFC4366] value. Clients sending a non-empty cached_information | [RFC4366] value. Clients sending a non-empty cached_information | |||
| extension MUST provide a 64 bit (8 byte) digest_value for each cached | extension MUST provide a 64 bit (8 byte) digest_value for each cached | |||
| skipping to change at page 6, line 9 | skipping to change at page 6, line 9 | |||
| o A CachedObject with an empty digest_value indicates that the | o A CachedObject with an empty digest_value indicates that the | |||
| server supports caching of the specified object type | server supports caching of the specified object type | |||
| (CachedInformationType), but does not specify any digest values | (CachedInformationType), but does not specify any digest values | |||
| it will accept. | it will accept. | |||
| o A present non-empty digest_value indicates that the server will | o A present non-empty digest_value indicates that the server will | |||
| honor caching of objects of the specified type that matches the | honor caching of objects of the specified type that matches the | |||
| present digest value. | present digest value. | |||
| 5. Data Substitution | 4. Data Substitution | |||
| Following a successful exchange of "cached_information" extensions, | Following a successful exchange of "cached_information" extensions, | |||
| the server may substitute data objects in the handshake exchange with | the server may substitute data objects in the handshake exchange with | |||
| a matching digest_value representing a matching object type. received | a matching digest_value representing a matching object type. received | |||
| from the client in its client hello. | from the client in its client hello. | |||
| The handshake protocol will proceed using the cached data as if it | The handshake protocol will proceed using the cached data as if it | |||
| was provided in the handshake protocol. The Finished message will | was provided in the handshake protocol. The Finished message will | |||
| however be calculated over the actual data exchanged in the handshake | however be calculated over the actual data exchanged in the handshake | |||
| protocol. That is, the Finished message will be calculated over the | protocol. That is, the Finished message will be calculated over the | |||
| skipping to change at page 6, line 31 | skipping to change at page 6, line 31 | |||
| objects that were omitted from transmission. | objects that were omitted from transmission. | |||
| Each CachedInformationType MUST specify how actual data is replaced | Each CachedInformationType MUST specify how actual data is replaced | |||
| by a digest in a way that does not violate the defined syntax of | by a digest in a way that does not violate the defined syntax of | |||
| existing handshake messages. the data exchange syntax for | existing handshake messages. the data exchange syntax for | |||
| certificate_chain(1) and trusted_cas(2) are provided below. | certificate_chain(1) and trusted_cas(2) are provided below. | |||
| The server MUST NOT provide more than one digest value as | The server MUST NOT provide more than one digest value as | |||
| substitution for the cached data. | substitution for the cached data. | |||
| 5.1. Data Substitution Syntax for certificate_chain | 4.1. Data Substitution Syntax for certificate_chain | |||
| When a digest for an object of type certificate_chain is provided in | When a digest for an object of type certificate_chain is provided in | |||
| the client hello, the server MAY substitute the cached data with a | the client hello, the server MAY substitute the cached data with a | |||
| matching digest value received from the client by expanding the | matching digest value received from the client by expanding the | |||
| Certificate handshake message as follows. | Certificate handshake message as follows. | |||
| Original handshake message syntax defined in RFC 5246 [RFC5246]: | Original handshake message syntax defined in RFC 5246 [RFC5246]: | |||
| opaque ASN.1Cert<1..2^24-1>; | opaque ASN.1Cert<1..2^24-1>; | |||
| skipping to change at page 7, line 14 | skipping to change at page 7, line 14 | |||
| Substitution syntax is defined by expanding the definition of the | Substitution syntax is defined by expanding the definition of the | |||
| opaque ASN.1Cert structure: | opaque ASN.1Cert structure: | |||
| DigestInfo ASN.1Cert<1..2^24-1>; | DigestInfo ASN.1Cert<1..2^24-1>; | |||
| struct { | struct { | |||
| opaque digest_value<0..8>; | opaque digest_value<0..8>; | |||
| } DigestInfo; | } DigestInfo; | |||
| 5.2. Data Substitution Syntax for trusted_cas | 4.2. Data Substitution Syntax for trusted_cas | |||
| When a digest for an object of type trusted_cas is provided in the | When a digest for an object of type trusted_cas is provided in the | |||
| client hello, the server MAY substitute the cached data with a | client hello, the server MAY substitute the cached data with a | |||
| matching digest value received from the client by expanding the | matching digest value received from the client by expanding the | |||
| CertificateRequest handshake message as follows. | CertificateRequest handshake message as follows. | |||
| Original handshake message syntax defined in RFC 5246 [RFC5246]: | Original handshake message syntax defined in RFC 5246 [RFC5246]: | |||
| opaque DistinguishedName<1..2^16-1>; | opaque DistinguishedName<1..2^16-1>; | |||
| skipping to change at page 8, line 5 | skipping to change at page 8, line 5 | |||
| The substitution syntax is defined by expanding the definition of the | The substitution syntax is defined by expanding the definition of the | |||
| opaque DistinguishedName structure: | opaque DistinguishedName structure: | |||
| DigestInfo DistinguishedName<1..2^16-1>; | DigestInfo DistinguishedName<1..2^16-1>; | |||
| struct { | struct { | |||
| opaque digest_value<0..8>; | opaque digest_value<0..8>; | |||
| } DigestInfo; | } DigestInfo; | |||
| 6. Security Considerations | 5. Security Considerations | |||
| The digest algorithm used in this specification is required to have | The digest algorithm used in this specification is required to have | |||
| reasonable random properties in order to provide reasonably unique | reasonable random properties in order to provide reasonably unique | |||
| identifiers. There is no requirement that this digest algorithm must | identifiers. There is no requirement that this digest algorithm must | |||
| have strong collision resistance. A non unique digest may at most | have strong collision resistance. A non unique digest may at most | |||
| lead to a failed TLS handshake followed by a new attempt without the | lead to a failed TLS handshake followed by a new attempt without the | |||
| cached information extension. There are no identified security | cached information extension. There are no identified security | |||
| threats that require the selected digest algorithm to have strong | threats that require the selected digest algorithm to have strong | |||
| collision resistance. | collision resistance. | |||
| 7. IANA Considerations | 6. IANA Considerations | |||
| 1) Create an entry, cached_information(TBD), in the existing registry | 1) Create an entry, cached_information(TBD), in the existing registry | |||
| for ExtensionType (defined in RFC 5246 [RFC5246]). | for ExtensionType (defined in RFC 5246 [RFC5246]). | |||
| 2) Establish a registry for TLS CachedInformationType values. The | 2) Establish a registry for TLS CachedInformationType values. The | |||
| first entries in the registry are certificate_chain(1) and | first entries in the registry are certificate_chain(1) and | |||
| trusted_cas(2). TLS CachedInformationType values in the inclusive | trusted_cas(2). TLS CachedInformationType values in the inclusive | |||
| range 0-63 (decimal) are assigned via RFC 5226 [RFC5226] Standards | range 0-63 (decimal) are assigned via RFC 5226 [RFC5226] Standards | |||
| Action. Values from the inclusive range 64-223 (decimal) are | Action. Values from the inclusive range 64-223 (decimal) are | |||
| assigned via RFC 5226 Specification Required. Values from the | assigned via RFC 5226 Specification Required. Values from the | |||
| inclusive range 224-255 (decimal) are reserved for RFC 5226 | inclusive range 224-255 (decimal) are reserved for RFC 5226 | |||
| Private Use. | Private Use. | |||
| 8. Acknowledgements | 7. Acknowledgements | |||
| The author acknowledge input from many members of the TLS working | The author acknowledge input from many members of the TLS working | |||
| group, Martin Rex for extensive review and input and Marsh Ray for | group, Martin Rex for extensive review and input, Marsh Ray and Simon | |||
| testing and providing digest samples. | Josefsson for coding and test vectors. | |||
| 9. Normative References | 8. Normative References | |||
| [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate | [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997 | Requirement Levels", BCP 14, RFC 2119, March 1997 | |||
| [RFC5226] T. Narten, H. Alvestrand, "Guidelines for Writing an IANA | [RFC5226] T. Narten, H. Alvestrand, "Guidelines for Writing an IANA | |||
| Considerations Section in RFCs", RFC 5226, May 2008 | Considerations Section in RFCs", RFC 5226, May 2008 | |||
| [RFC5246] T. Dierks, E. Rescorla, "The Transport Layer Security | [RFC5246] T. Dierks, E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008 | (TLS) Protocol Version 1.2", RFC 5246, August 2008 | |||
| skipping to change at page 11, line 5 | skipping to change at page 11, line 5 | |||
| o The FNV_prime is the 64-bit FNV prime value: 1099511628211. | o The FNV_prime is the 64-bit FNV prime value: 1099511628211. | |||
| o The multiply function (indicated by the '*' symbol) returns the | o The multiply function (indicated by the '*' symbol) returns the | |||
| lower 64-bits of the product. | lower 64-bits of the product. | |||
| o The XOR is an 8-bit operation that modifies only the lower 8-bits | o The XOR is an 8-bit operation that modifies only the lower 8-bits | |||
| of the digest value. | of the digest value. | |||
| o The digest value returned is an 64-bit unsigned integer. | o The digest value returned is an 64-bit unsigned integer. | |||
| A.2 Example code (Informative) | A.2 Java code sample (Informative) | |||
| /** | /** | |||
| * Java example code implementing FNV-1a according to Annex A | * Java code sample, implementing 64 bit FNV-1a | |||
| * By Stefan Santesson | ||||
| */ | */ | |||
| import java.math.BigInteger; | import java.math.BigInteger; | |||
| public class FNV { | public class FNV { | |||
| static public BigInteger getFNV1a64Digest (String inpString) { | static public BigInteger getFNV1a64Digest (String inpString) { | |||
| BigInteger m = new BigInteger("2").pow(64); | BigInteger m = new BigInteger("2").pow(64); | |||
| BigInteger fnvPrime = new BigInteger("1099511628211"); | BigInteger fnvPrime = new BigInteger("1099511628211"); | |||
| skipping to change at page 12, line 5 | skipping to change at page 12, line 5 | |||
| digest = digest.xor(BigInteger.valueOf( | digest = digest.xor(BigInteger.valueOf( | |||
| (int) inpString.charAt(i))); | (int) inpString.charAt(i))); | |||
| digest = digest.multiply(fnvPrime).mod(m); | digest = digest.multiply(fnvPrime).mod(m); | |||
| } | } | |||
| return (digest); | return (digest); | |||
| } | } | |||
| } | } | |||
| A.3. Digest samples (Informative) | A.3. C code sample (Informative) | |||
| Digest samples for 64 bit FNV-1a according to A.1. | fnv1a64.h: | |||
| #ifndef FNV1A64_H | ||||
| #define FNV1A64_H | ||||
| #include <string.h> /* For size_t */ | ||||
| #include <stdint.h> /* For uint64_t */ | ||||
| extern uint64_t fnv1a64 (const uint8_t *buffer, size_t len); | ||||
| #endif | ||||
| fnv1a64.c: | ||||
| /* fnv1a.c -- Implementation of the FNV-1A non-cryptographic | ||||
| * hash function. | ||||
| * By Simon Josefsson <simon@josefsson.org> on 2010-03-30. | ||||
| */ | ||||
| #include "fnv1a64.h" | ||||
| #define FNV1A64_OFFSET_BASIS 14695981039346656037ULL | ||||
| #define FNV1A64_PRIME 1099511628211ULL | ||||
| uint64_t | ||||
| fnv1a64 (const uint8_t *buffer, size_t len) | ||||
| { | ||||
| uint64_t hash; | ||||
| size_t i; | ||||
| hash = FNV1A64_OFFSET_BASIS; | ||||
| for (i = 0; i < len; i++) | ||||
| { | ||||
| hash = hash ^ buffer[i]; | ||||
| hash = hash * FNV1A64_PRIME; | ||||
| } | ||||
| return hash; | ||||
| } | ||||
| A.4. Digest samples (Informative) | ||||
| Digest samples for 64 bit FNV-1a | ||||
| For input data: | For input data: | |||
| null ("") | null ("") | |||
| 0 bytes | 0 bytes | |||
| Digest is: CB F2 9C E4 84 22 23 25 | Digest is: CB F2 9C E4 84 22 23 25 | |||
| For input data: | For input data: | |||
| hex: 61 ("a") | hex: 61 ("a") | |||
| 1 byte | 1 byte | |||
| End of changes. 19 change blocks. | ||||
| 31 lines changed or deleted | 75 lines changed or added | |||
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||