| draft-ietf-tls-cached-info-18.txt | draft-ietf-tls-cached-info-19.txt | |||
|---|---|---|---|---|
| TLS S. Santesson | TLS S. Santesson | |||
| Internet-Draft 3xA Security AB | Internet-Draft 3xA Security AB | |||
| Intended status: Standards Track H. Tschofenig | Intended status: Standards Track H. Tschofenig | |||
| Expires: September 9, 2015 ARM Ltd. | Expires: September 24, 2015 ARM Ltd. | |||
| March 8, 2015 | March 23, 2015 | |||
| Transport Layer Security (TLS) Cached Information Extension | Transport Layer Security (TLS) Cached Information Extension | |||
| draft-ietf-tls-cached-info-18.txt | draft-ietf-tls-cached-info-19.txt | |||
| Abstract | Abstract | |||
| Transport Layer Security (TLS) handshakes often include fairly static | Transport Layer Security (TLS) handshakes often include fairly static | |||
| information, such as the server certificate and a list of trusted | information, such as the server certificate and a list of trusted | |||
| certification authorities (CAs). This information can be of | certification authorities (CAs). This information can be of | |||
| considerable size, particularly if the server certificate is bundled | considerable size, particularly if the server certificate is bundled | |||
| with a complete certificate chain (i.e., the certificates of | with a complete certificate chain (i.e., the certificates of | |||
| intermediate CAs up to the root CA). | intermediate CAs up to the root CA). | |||
| skipping to change at page 1, line 40 | skipping to change at page 1, line 40 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 9, 2015. | This Internet-Draft will expire on September 24, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Cached Information Extension . . . . . . . . . . . . . . . . 3 | 3. Cached Information Extension . . . . . . . . . . . . . . . . 3 | |||
| 4. Exchange Specification . . . . . . . . . . . . . . . . . . . 5 | 4. Exchange Specification . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. Omitting the Server Certificate Message . . . . . . . . . 5 | 4.1. Server Certificate Message . . . . . . . . . . . . . . . 5 | |||
| 4.2. Omitting the CertificateRequest Message . . . . . . . . . 6 | 4.2. CertificateRequest Message . . . . . . . . . . . . . . . 6 | |||
| 4.3. Omitting the Certificate Status Information (OCSP | 5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| Stapling and Multi OCSP Stapling) . . . . . . . . . . . . 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 7.1. New Entry to the TLS ExtensionType Registry . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7.2. New Registry for CachedInformationType . . . . . . . . . 9 | |||
| 7.1. New Entry to the TLS ExtensionType Registry . . . . . . . 10 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7.2. New Registry for CachedInformationType . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 12 | ||||
| Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 12 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| 1. Introduction | 1. Introduction | |||
| Reducing the amount of information exchanged during a Transport Layer | Reducing the amount of information exchanged during a Transport Layer | |||
| Security handshake to a minimum helps to improve performance in | Security handshake to a minimum helps to improve performance in | |||
| environments where devices are connected to a network with a low | environments where devices are connected to a network with a low | |||
| bandwidth, and lossy radio technology. With Internet of Things such | bandwidth, and lossy radio technology. With Internet of Things such | |||
| environments exist, for example, when devices use IEEE 802.15.4 or | environments exist, for example, when devices use IEEE 802.15.4 or | |||
| Bluetooth Smart. For more information about the challenges with | Bluetooth Smart. For more information about the challenges with | |||
| smart object deployments please see [RFC6574]. | smart object deployments please see [RFC6574]. | |||
| This specification defines a TLS extension that allows a client and a | This specification defines a TLS extension that allows a client and a | |||
| server to exclude transmission information cached in an earlier TLS | server to exclude transmission information cached in an earlier TLS | |||
| handshake. | handshake. | |||
| A typical example exchange may therefore look as follows. First, the | A typical example exchange may therefore look as follows. First, the | |||
| client and the server executes the usual TLS handshake. The client | client and the server executes the full TLS handshake. The client | |||
| may, for example, decide to cache the certificate provided by the | then caches the certificate provided by the server. When the TLS | |||
| server. When the TLS client connects to the TLS server some time in | client connects to the TLS server some time in the future, without | |||
| the future, without using session resumption, it then attaches the | using session resumption, it then attaches the cached_info extension | |||
| cached_info extension defined in this document to the client hello | defined in this document to the client hello message to indicate that | |||
| message to indicate that it had cached the certificate, and it | it had cached the certificate, and it provides the fingerprint of it. | |||
| provides the fingerprint of it. If the server's certificate has not | If the server's certificate has not changed then the TLS server does | |||
| changed then the TLS server does not need to send its' certificate | not need to send its' certificate and the corresponding certificate | |||
| and the corresponding certificate list again. In case information | chain again. In case information has changed, which can be seen from | |||
| has changed, which can be seen from the fingerprint provided by the | the fingerprint provided by the client, the certificate payload is | |||
| client, the certificate payload is transmitted to the client to allow | transmitted to the client to allow the client to update the cache. | |||
| the client to update the cache. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "MUST", "MUST NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "MUST", "MUST NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| This document refers to the TLS protocol but the description is | This document refers to the TLS protocol but the description is | |||
| equally applicable to DTLS as well. | equally applicable to DTLS as well. | |||
| skipping to change at page 3, line 34 | skipping to change at page 3, line 30 | |||
| This document defines a new extension type (cached_info(TBD)), which | This document defines a new extension type (cached_info(TBD)), which | |||
| is used in client hello and server hello messages. The extension | is used in client hello and server hello messages. The extension | |||
| type is specified as follows. | type is specified as follows. | |||
| enum { | enum { | |||
| cached_info(TBD), (65535) | cached_info(TBD), (65535) | |||
| } ExtensionType; | } ExtensionType; | |||
| The extension_data field of this extension, when included in the | The extension_data field of this extension, when included in the | |||
| client hello, MUST contain the CachedInformation structure. The | client hello, MUST contain the CachedInformation structure. The | |||
| client MUST NOT send multiple CachedObjects of the same | client MAY send multiple CachedObjects of the same | |||
| CachedInformationType. | CachedInformationType. This may, for example, be the case when the | |||
| client has cached multiple certificates from a server. | ||||
| enum { | enum { | |||
| cert(1), cert_req(2) (255) | cert(1), cert_req(2) (255) | |||
| } CachedInformationType; | } CachedInformationType; | |||
| struct { | struct { | |||
| select (type) { | select (type) { | |||
| case client: | case client: | |||
| CachedInformationType type; | CachedInformationType type; | |||
| opaque hash_value<1..255>; | opaque hash_value<1..255>; | |||
| skipping to change at page 4, line 39 | skipping to change at page 4, line 39 | |||
| For this type the message digest MUST be calculated using SHA-256 | For this type the message digest MUST be calculated using SHA-256 | |||
| [RFC4634]. | [RFC4634]. | |||
| Omitting the CertificateRequest Message | Omitting the CertificateRequest Message | |||
| With the type set to 'cert_req', the client MUST include the | With the type set to 'cert_req', the client MUST include the | |||
| message digest of the CertificateRequest message in the hash_value | message digest of the CertificateRequest message in the hash_value | |||
| field. For this type the message digest MUST be calculated using | field. For this type the message digest MUST be calculated using | |||
| SHA-256 [RFC4634]. | SHA-256 [RFC4634]. | |||
| Omitting the Certificate Status Information (OCSP Stapling and | ||||
| Multiple OCSP Stapling) Message | ||||
| With the type set to 'cert_status', the client MUST include the | ||||
| message digest of the CertificateStatus message in the hash_value | ||||
| field. For this type the message digest MUST be calculated using | ||||
| SHA-256 [RFC4634]. | ||||
| New types can be added following the policy described in the IANA | New types can be added following the policy described in the IANA | |||
| considerations section, see Section 7. Different message digest | considerations section, see Section 7. Different message digest | |||
| algorithms for use with these types can also be added by registering | algorithms for use with these types can also be added by registering | |||
| a new type that makes use of this updated message digest algorithm. | a new type that makes use of this updated message digest algorithm. | |||
| 4. Exchange Specification | 4. Exchange Specification | |||
| Clients supporting this extension MAY include the "cached_info" | Clients supporting this extension MAY include the "cached_info" | |||
| extension in the (extended) client hello. If the client includes the | extension in the (extended) client hello. If the client includes the | |||
| extension then it MUST contain one or more CachedObject attributes. | extension then it MUST contain one or more CachedObject attributes. | |||
| skipping to change at page 5, line 39 | skipping to change at page 5, line 29 | |||
| Note: If a server is part of a hosting environment then the client | Note: If a server is part of a hosting environment then the client | |||
| may have cached multiple data items for a single server. To allow | may have cached multiple data items for a single server. To allow | |||
| the client to select the appropriate information from the cache it is | the client to select the appropriate information from the cache it is | |||
| RECOMMENDED that the client utilizes the Server Name Indication | RECOMMENDED that the client utilizes the Server Name Indication | |||
| extension [RFC6066]. | extension [RFC6066]. | |||
| Following a successful exchange of the "cached_info" extension in the | Following a successful exchange of the "cached_info" extension in the | |||
| client and server hello, the server alters sending the corresponding | client and server hello, the server alters sending the corresponding | |||
| handshake message. How information is altered from the handshake | handshake message. How information is altered from the handshake | |||
| messages is defined in Section 4.1, Section 4.2 and Section 4.3 for | messages is defined in Section 4.1, and in Section 4.2 for the types | |||
| the types defined in this specification. | defined in this specification. | |||
| 4.1. Omitting the Server Certificate Message | 4.1. Server Certificate Message | |||
| When a ClientHello message contains the "cached_info" extension with | When a ClientHello message contains the "cached_info" extension with | |||
| a type set to 'cert' then the server MAY omit the Certificate message | a type set to 'cert' then the server MAY send the Certificate message | |||
| under the following conditions: | shown in Figure 2 under the following conditions: | |||
| The server software implements the "cached_info" extension defined | The server software implements the "cached_info" extension defined | |||
| in this specification. | in this specification. | |||
| The 'cert' cached info extension is enabled (for example, a policy | The 'cert' cached info extension is enabled (for example, a policy | |||
| allows the use of this extension). | allows the use of this extension). | |||
| The server compared the value in the hash_value field of the | The server compared the value in the hash_value field of the | |||
| client-provided "cached_info" extension with the fingerprint of | client-provided "cached_info" extension with the fingerprint of | |||
| the Certificate message it normally sends to clients. This check | the Certificate message it normally sends to clients. This check | |||
| ensures that the information cached by the client is current. | ensures that the information cached by the client is current. | |||
| The original Certificate handshake message syntax is defined in RFC | The original Certificate handshake message syntax is defined in RFC | |||
| 5246 [RFC5246] and has the following structure: | 5246 [RFC5246] and has the structure shown in Figure 1. | |||
| opaque ASN.1Cert<1..2^24-1>; | opaque ASN.1Cert<1..2^24-1>; | |||
| struct { | struct { | |||
| ASN.1Cert certificate_list<0..2^24-1>; | ASN.1Cert certificate_list<0..2^24-1>; | |||
| } Certificate; | } Certificate; | |||
| Certificate Message as defined in RFC 5246. | Figure 1: Certificate Message as defined in RFC 5246. | |||
| The new structure of the CertificateRequest message is shown in | ||||
| Figure 2. | ||||
| struct { | ||||
| opaque hash_value<1..255>; | ||||
| } CertificateRequest; | ||||
| Figure 2: Cached Info Certificate Message. | ||||
| The fingerprint MUST be computed as follows: hash_value:=SHA- | The fingerprint MUST be computed as follows: hash_value:=SHA- | |||
| 256(Certificate) | 256(Certificate) | |||
| Note that RFC 7250 [RFC7250] allows the certificate payload to | Note that RFC 7250 [RFC7250] allows the certificate payload to | |||
| contain only the SubjectPublicKeyInfo instead of the full information | contain only the SubjectPublicKeyInfo instead of the full information | |||
| typically found in a certificate. Hence, when this specification is | typically found in a certificate. Hence, when this specification is | |||
| used in combination with [RFC7250] and the negotiated certificate | used in combination with [RFC7250] and the negotiated certificate | |||
| type is a raw public key then the TLS server omits sending a | type is a raw public key then the TLS server omits sending a | |||
| Certificate payload that contains an ASN.1 Certificate structure with | Certificate payload that contains an ASN.1 Certificate structure with | |||
| the included SubjectPublicKeyInfo rather than the full certificate. | the included SubjectPublicKeyInfo rather than the full certificate. | |||
| As such, this extension is compatible with the raw public key | As such, this extension is compatible with the raw public key | |||
| extension defined in RFC 7250. | extension defined in RFC 7250. | |||
| 4.2. Omitting the CertificateRequest Message | 4.2. CertificateRequest Message | |||
| When a fingerprint for an object of type 'cert_req' is provided in | When a fingerprint for an object of type 'cert_req' is provided in | |||
| the client hello, the server MAY omit the CertificateRequest message | the client hello, the server MAY omit the CertificateRequest message | |||
| under the following conditions: | under the following conditions: | |||
| The server software implements the "cached_info" extension defined | The server software implements the "cached_info" extension defined | |||
| in this specification. | in this specification. | |||
| The 'cert_req' cached info extension is enabled (for example, a | The 'cert_req' cached info extension is enabled (for example, a | |||
| policy allows the use of this extension). | policy allows the use of this extension). | |||
| skipping to change at page 7, line 19 | skipping to change at page 7, line 19 | |||
| opaque DistinguishedName<1..2^16-1>; | opaque DistinguishedName<1..2^16-1>; | |||
| struct { | struct { | |||
| ClientCertificateType certificate_types<1..2^8-1>; | ClientCertificateType certificate_types<1..2^8-1>; | |||
| SignatureAndHashAlgorithm | SignatureAndHashAlgorithm | |||
| supported_signature_algorithms<2^16-1>; | supported_signature_algorithms<2^16-1>; | |||
| DistinguishedName certificate_authorities<0..2^16-1>; | DistinguishedName certificate_authorities<0..2^16-1>; | |||
| } CertificateRequest; | } CertificateRequest; | |||
| The fingerprint MUST be computed as follows: hash_value:=SHA- | Figure 3: CertificateRequest Message as defined in RFC 5246. | |||
| 256(CertificateRequest) | ||||
| 4.3. Omitting the Certificate Status Information (OCSP Stapling and | ||||
| Multi OCSP Stapling) | ||||
| When a fingerprint for an object of type 'cert_status' is provided in | ||||
| the client hello, the server MAY omit the CertificateStatus message | ||||
| under the following conditions: | ||||
| The server software implements the "cert_status" extension defined | ||||
| in this specification. | ||||
| The 'cert_status' cached info extension is enabled (for example, a | ||||
| policy allows the use of this extension). | ||||
| The server compared the value in the hash_value field of the | ||||
| client-provided "cached_info" extension with the fingerprint of | ||||
| the CertificateStatus message it normally sends to clients. This | ||||
| check ensures that the information cached by the client is | ||||
| current. | ||||
| Both client and server support the use of OCSP Stapling and/or | ||||
| Multiple OCSP Stapling, as defined in RFC 6066 [RFC6066] and in | ||||
| [RFC6961]. | ||||
| The CertificateStatus message syntax, defined in [RFC6961], has the | ||||
| following structure: | ||||
| struct { | The new structure of the CertificateRequest message is shown in | |||
| CertificateStatusType status_type; | Figure 4. | |||
| select (status_type) { | ||||
| case ocsp: OCSPResponse; | ||||
| case ocsp_multi: OCSPResponseList; | ||||
| } response; | ||||
| } CertificateStatus; | ||||
| opaque OCSPResponse<0..2^24-1>; | struct { | |||
| opaque hash_value<1..255>; | ||||
| } CertificateRequest; | ||||
| struct { | Figure 4: Cached Info CertificateRequest Message. | |||
| OCSPResponse ocsp_response_list<1..2^24-1>; | ||||
| } OCSPResponseList; | ||||
| The fingerprint MUST be computed as follows: hash_value:=SHA- | The fingerprint MUST be computed as follows: hash_value:=SHA- | |||
| 256(CertificateStatus) | 256(CertificateRequest) | |||
| 5. Example | 5. Example | |||
| Figure 1 illustrates an example exchange using the TLS cached info | Figure 5 illustrates an example exchange using the TLS cached info | |||
| extension. In the normal TLS handshake exchange shown in flow (A) | extension. In the normal TLS handshake exchange shown in flow (A) | |||
| the TLS server provides its certificate in the Certificate payload to | the TLS server provides its certificate in the Certificate payload to | |||
| the client, see step [1]. This allows the client to store the | the client, see step [1]. This allows the client to store the | |||
| certificate for future use. After some time the TLS client again | certificate for future use. After some time the TLS client again | |||
| interacts with the same TLS server and makes use of the TLS cached | interacts with the same TLS server and makes use of the TLS cached | |||
| info extension, as shown in flow (B). The TLS client indicates | info extension, as shown in flow (B). The TLS client indicates | |||
| support for this specification via the "cached_info" extension, see | support for this specification via the "cached_info" extension, see | |||
| [2], and indicates that it has stored the certificate from the | [2], and indicates that it has stored the certificate from the | |||
| earlier exchange (by indicating the 'cert' type). With [3] the TLS | earlier exchange (by indicating the 'cert' type). With [3] the TLS | |||
| server acknowledges the supports of the 'cert' type and by including | server acknowledges the supports of the 'cert' type and by including | |||
| the value in the server hello informs the client that the certificate | the value in the server hello informs the client that the content of | |||
| payload has been omitted. | the certificate payload contains the fingerprint of the certificate | |||
| instead of the RFC 5246-defined payload of the certificate message in | ||||
| message [4]. | ||||
| (A) Initial (full) Exchange | (A) Initial (full) Exchange | |||
| ClientHello -> | ClientHello -> | |||
| <- ServerHello | <- ServerHello | |||
| Certificate* // [1] | Certificate* // [1] | |||
| ServerKeyExchange* | ServerKeyExchange* | |||
| CertificateRequest* | CertificateRequest* | |||
| ServerHelloDone | ServerHelloDone | |||
| skipping to change at page 9, line 31 | skipping to change at page 8, line 31 | |||
| Finished | Finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| (B) TLS Cached Extension Usage | (B) TLS Cached Extension Usage | |||
| ClientHello | ClientHello | |||
| cached_info=(cert) -> // [2] | cached_info=(cert) -> // [2] | |||
| <- ServerHello | <- ServerHello | |||
| cached_info=(cert) [3] | cached_info=(cert) [3] | |||
| Certificate [4] | ||||
| ServerKeyExchange* | ServerKeyExchange* | |||
| ServerHelloDone | ServerHelloDone | |||
| ClientKeyExchange | ClientKeyExchange | |||
| CertificateVerify* | CertificateVerify* | |||
| [ChangeCipherSpec] | [ChangeCipherSpec] | |||
| Finished -> | Finished -> | |||
| <- [ChangeCipherSpec] | <- [ChangeCipherSpec] | |||
| Finished | Finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| Figure 1: Example Message Exchange | Figure 5: Example Message Exchange | |||
| 6. Security Considerations | 6. Security Considerations | |||
| This specification defines a mechanism to reference stored state | This specification defines a mechanism to reference stored state | |||
| using a fingerprint. Sending a fingerprint of cached information in | using a fingerprint. Sending a fingerprint of cached information in | |||
| an unencrypted handshake, as the client and server hello is, may | an unencrypted handshake, as the client and server hello is, may | |||
| allow an attacker or observer to correlate independent TLS exchanges. | allow an attacker or observer to correlate independent TLS exchanges. | |||
| While some information elements used in this specification, such as | While some information elements used in this specification, such as | |||
| server certificates, are public objects and usually do not contain | server certificates, are public objects and usually do not contain | |||
| sensitive information, other (not yet defined cached info types) may. | sensitive information, other (not yet defined cached info types) may. | |||
| Those who implement and deploy this specification should therefore | Those who implement and deploy this specification should therefore | |||
| make an informed decision whether the cached information is inline | make an informed decision whether the cached information is inline | |||
| with their security and privacy goals. In case of concerns, it is | with their security and privacy goals. In case of concerns, it is | |||
| advised to avoid sending the fingerprint of the data objects in | advised to avoid sending the fingerprint of the data objects in | |||
| clear. | clear. | |||
| The use of the cached info extension allows the server to obmit | The use of the cached info extension allows the server to obmit | |||
| skipping to change at page 10, line 45 | skipping to change at page 9, line 45 | |||
| 7.2. New Registry for CachedInformationType | 7.2. New Registry for CachedInformationType | |||
| IANA is requested to establish a registry for TLS | IANA is requested to establish a registry for TLS | |||
| CachedInformationType values. The first entries in the registry are | CachedInformationType values. The first entries in the registry are | |||
| o cert(1) | o cert(1) | |||
| o cert_req(2) | o cert_req(2) | |||
| o cert_status(3) | ||||
| The policy for adding new values to this registry, following the | The policy for adding new values to this registry, following the | |||
| terminology defined in RFC 5226 [RFC5226], is as follows: | terminology defined in RFC 5226 [RFC5226], is as follows: | |||
| o 0-63 (decimal): Standards Action | o 0-63 (decimal): Standards Action | |||
| o 64-223 (decimal): Specification Required | o 64-223 (decimal): Specification Required | |||
| o 224-255 (decimal): reserved for Private Use | o 224-255 (decimal): reserved for Private Use | |||
| 8. Acknowledgments | 8. Acknowledgments | |||
| skipping to change at page 11, line 32 | skipping to change at page 10, line 32 | |||
| Sean Turner and Joe Salowey, as well as the responsible security area | Sean Turner and Joe Salowey, as well as the responsible security area | |||
| director, Stephen Farrell, for their support. | director, Stephen Farrell, for their support. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", | ||||
| RFC 3874, September 2004. | ||||
| [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms | [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms | |||
| (SHA and HMAC-SHA)", RFC 4634, July 2006. | (SHA and HMAC-SHA)", RFC 4634, July 2006. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | |||
| Extension Definitions", RFC 6066, January 2011. | Extension Definitions", RFC 6066, January 2011. | |||
| [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) | ||||
| Multiple Certificate Status Request Extension", RFC 6961, | ||||
| June 2013. | ||||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| May 2008. | May 2008. | |||
| [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object | [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object | |||
| Workshop", RFC 6574, April 2012. | Workshop", RFC 6574, April 2012. | |||
| [RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and | [RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and | |||
| T. Kivinen, "Using Raw Public Keys in Transport Layer | T. Kivinen, "Using Raw Public Keys in Transport Layer | |||
| Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
| (DTLS)", RFC 7250, June 2014. | (DTLS)", RFC 7250, June 2014. | |||
| Appendix A. Example | ||||
| The Wireshark trace of an example TLS exchange shown in Figure 2 | ||||
| illustrates the use of an ECC-based ciphersuite with a 256 bit key. | ||||
| ECC allows for a small certificate size compared to RSA with | ||||
| equivalent security strength. The Certificate message provided by | ||||
| the server is with 557 bytes (including the record layer header) one | ||||
| of the largest message even though it only contains a single | ||||
| certificate (i.e., no intermediate CA certificates). The client- | ||||
| provided Certificate message has a length of 570 bytes (also | ||||
| including the record layer header). | ||||
| Client --> Server: | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Client Hello | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 121 | ||||
| Handshake Protocol: Client Hello | ||||
| Handshake Type: Client Hello (1) | ||||
| Length: 117 | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Random | ||||
| gmt_unix_time: Jan 14, 2015 12:43:58.000000000 CET | ||||
| random_bytes: c61b966bba2781c50b07c3278c43f5892b3d... | ||||
| Session ID Length: 0 | ||||
| Cipher Suites Length: 10 | ||||
| Cipher Suites (5 suites) | ||||
| Compression Methods Length: 1 | ||||
| Compression Methods (1 method) | ||||
| Extensions Length: 66 | ||||
| Extension: server_name | ||||
| Extension: signature_algorithms | ||||
| Extension: elliptic_curves | ||||
| Extension: ec_point_formats | ||||
| Client <-- Server: | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Server Hello | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 87 | ||||
| Handshake Protocol: Server Hello | ||||
| Handshake Type: Server Hello (2) | ||||
| Length: 83 | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Random | ||||
| gmt_unix_time: Jan 14, 2015 12:43:58.000000000 CET | ||||
| random_bytes: 82d3d09b44149d738b7002da4ff5a986fe11... | ||||
| Session ID Length: 32 | ||||
| Session ID: d069a74661088676b98db8346070278a7475b617a0... | ||||
| Cipher Suite: Unknown (0xc0ad) | ||||
| Compression Method: null (0) | ||||
| Extensions Length: 11 | ||||
| Extension: renegotiation_info | ||||
| Extension: ec_point_formats | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Certificate | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 557 | ||||
| Handshake Protocol: Certificate | ||||
| Handshake Type: Certificate (11) | ||||
| Length: 553 | ||||
| Certificates Length: 550 | ||||
| Certificates (550 bytes) | ||||
| Certificate Length: 547 | ||||
| Certificate (id-at-commonName=localhost, | ||||
| id-at-organizationName=PolarSSL,id-at-countryName=NL) | ||||
| signedCertificate | ||||
| algorithmIdentifier (iso.2.840.10045.4.3.2) | ||||
| Padding: 0 | ||||
| encrypted: 30650231009a2c5cd7a6dba2e5640df0b94ed... | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 215 | ||||
| Handshake Protocol: Server Key Exchange | ||||
| Handshake Type: Server Key Exchange (12) | ||||
| Length: 211 | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Certificate Request | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 78 | ||||
| Handshake Protocol: Certificate Request | ||||
| Handshake Type: Certificate Request (13) | ||||
| Length: 74 | ||||
| Certificate types count: 1 | ||||
| Certificate types (1 type) | ||||
| Signature Hash Algorithms Length: 2 | ||||
| Signature Hash Algorithms (1 algorithm) | ||||
| Distinguished Names Length: 66 | ||||
| Distinguished Names (66 bytes) | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 4 | ||||
| Handshake Protocol: Server Hello Done | ||||
| Handshake Type: Server Hello Done (14) | ||||
| Length: 0 | ||||
| Client --> Server: | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Certificate | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 570 | ||||
| Handshake Protocol: Certificate | ||||
| Handshake Type: Certificate (11) | ||||
| Length: 566 | ||||
| Certificates Length: 563 | ||||
| Certificates (563 bytes) | ||||
| Certificate Length: 560 | ||||
| Certificate (id-at-commonName=PolarSSL Test Client 2, | ||||
| id-at-organizationName=PolarSSL,id-at-countryName=NL) | ||||
| signedCertificate | ||||
| algorithmIdentifier (iso.2.840.10045.4.3.2) | ||||
| Padding: 0 | ||||
| encrypted: 306502304a650d7b2083a299b9a80ffc8dee8... | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 138 | ||||
| Handshake Protocol: Client Key Exchange | ||||
| Handshake Type: Client Key Exchange (16) | ||||
| Length: 134 | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 80 | ||||
| Handshake Protocol: Certificate Verify | ||||
| Handshake Type: Certificate Verify (15) | ||||
| Length: 76 | ||||
| TLSv1.2 Record Layer: Change Cipher Spec Protocol | ||||
| Content Type: Change Cipher Spec (20) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 1 | ||||
| Change Cipher Spec Message | ||||
| TLSv1.2 Record Layer: Handshake Protocol: | ||||
| Encrypted Handshake Message (TLS Finished) | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 40 | ||||
| Handshake Protocol: Encrypted Handshake Message | ||||
| Client <-- Server: | ||||
| TLSv1.2 Record Layer: Change Cipher Spec Protocol | ||||
| Content Type: Change Cipher Spec (20) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 1 | ||||
| Change Cipher Spec Message | ||||
| TLSv1.2 Record Layer: Handshake Protocol | ||||
| Encrypted Handshake Message (TLS Finished) | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 40 | ||||
| Handshake Protocol: Encrypted Handshake Message | ||||
| Figure 2: Example TLS Exchange (without Cached Info Extension). | ||||
| The total size of the TLS exchange shown in Figure 2 is 1932 bytes | ||||
| whereas the exchange shown in Figure 3 reduces the size to 1323 bytes | ||||
| by omitting the Certificate and the CertificateRequest messages. As | ||||
| it can be seen, the use of the cached info extension leads to an on- | ||||
| the-wire improvement of more than 600 bytes. | ||||
| Client --> Server: | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Client Hello | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 121 + 21 | ||||
| Handshake Protocol: Client Hello | ||||
| Handshake Type: Client Hello (1) | ||||
| Length: 117 + 21 | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Random | ||||
| gmt_unix_time: Jan 14, 2015 12:43:58.000000000 CET | ||||
| random_bytes: c61b966bba2781c50b07c3278c43f5892b3d... | ||||
| Session ID Length: 0 | ||||
| Cipher Suites Length: 10 | ||||
| Cipher Suites (5 suites) | ||||
| Compression Methods Length: 1 | ||||
| Compression Methods (1 method) | ||||
| Extensions Length: 66 | ||||
| Extension: server_name | ||||
| Extension: signature_algorithms | ||||
| Extension: elliptic_curves | ||||
| Extension: ec_point_formats | ||||
| Extension: cached_info | ||||
| Client <-- Server: | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Server Hello | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 87 + 5 | ||||
| Handshake Protocol: Server Hello | ||||
| Handshake Type: Server Hello (2) | ||||
| Length: 83 + 5 | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Random | ||||
| gmt_unix_time: Jan 14, 2015 12:43:58.000000000 CET | ||||
| random_bytes: 82d3d09b44149d738b7002da4ff5a986fe11... | ||||
| Session ID Length: 32 | ||||
| Session ID: d069a74661088676b98db8346070278a7475b617a0... | ||||
| Cipher Suite: Unknown (0xc0ad) | ||||
| Compression Method: null (0) | ||||
| Extensions Length: 11 + 5 | ||||
| Extension: renegotiation_info | ||||
| Extension: ec_point_formats | ||||
| Extension: cached_info | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 215 | ||||
| Handshake Protocol: Server Key Exchange | ||||
| Handshake Type: Server Key Exchange (12) | ||||
| Length: 211 | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 4 | ||||
| Handshake Protocol: Server Hello Done | ||||
| Handshake Type: Server Hello Done (14) | ||||
| Length: 0 | ||||
| Client --> Server: | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Certificate | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 570 | ||||
| Handshake Protocol: Certificate | ||||
| Handshake Type: Certificate (11) | ||||
| Length: 566 | ||||
| Certificates Length: 563 | ||||
| Certificates (563 bytes) | ||||
| Certificate Length: 560 | ||||
| Certificate (id-at-commonName=PolarSSL Test Client 2, | ||||
| id-at-organizationName=PolarSSL,id-at-countryName=NL) | ||||
| signedCertificate | ||||
| algorithmIdentifier (iso.2.840.10045.4.3.2) | ||||
| Padding: 0 | ||||
| encrypted: 306502304a650d7b2083a299b9a80ffc8dee8... | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 138 | ||||
| Handshake Protocol: Client Key Exchange | ||||
| Handshake Type: Client Key Exchange (16) | ||||
| Length: 134 | ||||
| TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 80 | ||||
| Handshake Protocol: Certificate Verify | ||||
| Handshake Type: Certificate Verify (15) | ||||
| Length: 76 | ||||
| TLSv1.2 Record Layer: Change Cipher Spec Protocol | ||||
| Content Type: Change Cipher Spec (20) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 1 | ||||
| Change Cipher Spec Message | ||||
| TLSv1.2 Record Layer: Handshake Protocol: | ||||
| Encrypted Handshake Message (TLS Finished) | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 40 | ||||
| Handshake Protocol: Encrypted Handshake Message | ||||
| Client <-- Server: | ||||
| TLSv1.2 Record Layer: Change Cipher Spec Protocol | ||||
| Content Type: Change Cipher Spec (20) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 1 | ||||
| Change Cipher Spec Message | ||||
| TLSv1.2 Record Layer: Handshake Protocol | ||||
| Encrypted Handshake Message (TLS Finished) | ||||
| Content Type: Handshake (22) | ||||
| Version: TLS 1.2 (0x0303) | ||||
| Length: 40 | ||||
| Handshake Protocol: Encrypted Handshake Message | ||||
| Figure 3: Example TLS Exchange (with Cached Info Extension). | ||||
| Note: To accomplish further on-the-wire handshake size message | ||||
| reductions the Certificate message sent by the client can be reduced | ||||
| in size by using the Client Certificate URL extension. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Stefan Santesson | Stefan Santesson | |||
| 3xA Security AB | 3xA Security AB | |||
| Scheelev. 17 | Scheelev. 17 | |||
| Lund 223 70 | Lund 223 70 | |||
| Sweden | Sweden | |||
| Email: sts@aaa-sec.com | Email: sts@aaa-sec.com | |||
| Hannes Tschofenig | Hannes Tschofenig | |||
| ARM Ltd. | ARM Ltd. | |||
| Hall in Tirol 6060 | Hall in Tirol 6060 | |||
| Austria | Austria | |||
| Email: Hannes.tschofenig@gmx.net | Email: Hannes.tschofenig@gmx.net | |||
| URI: http://www.tschofenig.priv.at | URI: http://www.tschofenig.priv.at | |||
| End of changes. 28 change blocks. | ||||
| 411 lines changed or deleted | 64 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||