draft-ietf-tls-tls13-27.txt   draft-ietf-tls-tls13-28.txt 
Network Working Group E. Rescorla Network Working Group E. Rescorla
Internet-Draft RTFM, Inc. Internet-Draft RTFM, Inc.
Obsoletes: 5077, 5246, 6961 (if March 18, 2018 Obsoletes: 5077, 5246, 6961 (if March 20, 2018
approved) approved)
Updates: 4492, 5705, 6066 (if approved) Updates: 4492, 5705, 6066 (if approved)
Intended status: Standards Track Intended status: Standards Track
Expires: September 19, 2018 Expires: September 21, 2018
The Transport Layer Security (TLS) Protocol Version 1.3 The Transport Layer Security (TLS) Protocol Version 1.3
draft-ietf-tls-tls13-27 draft-ietf-tls-tls13-28
Abstract Abstract
This document specifies version 1.3 of the Transport Layer Security This document specifies version 1.3 of the Transport Layer Security
(TLS) protocol. TLS allows client/server applications to communicate (TLS) protocol. TLS allows client/server applications to communicate
over the Internet in a way that is designed to prevent eavesdropping, over the Internet in a way that is designed to prevent eavesdropping,
tampering, and message forgery. tampering, and message forgery.
This document updates RFCs 4492, 5705, and 6066 and it obsoletes RFCs This document updates RFCs 4492, 5705, and 6066 and it obsoletes RFCs
5077, 5246, and 6961. This document also specifies new requirements 5077, 5246, and 6961. This document also specifies new requirements
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 19, 2018. This Internet-Draft will expire on September 21, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 30 skipping to change at page 2, line 30
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 6 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 6
1.2. Change Log . . . . . . . . . . . . . . . . . . . . . . . 7 1.2. Change Log . . . . . . . . . . . . . . . . . . . . . . . 7
1.3. Major Differences from TLS 1.2 . . . . . . . . . . . . . 16 1.3. Major Differences from TLS 1.2 . . . . . . . . . . . . . 16
1.4. Updates Affecting TLS 1.2 . . . . . . . . . . . . . . . . 17 1.4. Updates Affecting TLS 1.2 . . . . . . . . . . . . . . . . 17
2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 17 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 18
2.1. Incorrect DHE Share . . . . . . . . . . . . . . . . . . . 20 2.1. Incorrect DHE Share . . . . . . . . . . . . . . . . . . . 21
2.2. Resumption and Pre-Shared Key (PSK) . . . . . . . . . . . 21 2.2. Resumption and Pre-Shared Key (PSK) . . . . . . . . . . . 22
2.3. 0-RTT Data . . . . . . . . . . . . . . . . . . . . . . . 23 2.3. 0-RTT Data . . . . . . . . . . . . . . . . . . . . . . . 24
3. Presentation Language . . . . . . . . . . . . . . . . . . . . 25 3. Presentation Language . . . . . . . . . . . . . . . . . . . . 26
3.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 25 3.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 26
3.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 25 3.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 26
3.3. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.4. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.4. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 27 3.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 28
3.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 28 3.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 29
3.7. Constants . . . . . . . . . . . . . . . . . . . . . . . . 28 3.7. Constants . . . . . . . . . . . . . . . . . . . . . . . . 29
3.8. Variants . . . . . . . . . . . . . . . . . . . . . . . . 29 3.8. Variants . . . . . . . . . . . . . . . . . . . . . . . . 30
4. Handshake Protocol . . . . . . . . . . . . . . . . . . . . . 30 4. Handshake Protocol . . . . . . . . . . . . . . . . . . . . . 31
4.1. Key Exchange Messages . . . . . . . . . . . . . . . . . . 31 4.1. Key Exchange Messages . . . . . . . . . . . . . . . . . . 32
4.1.1. Cryptographic Negotiation . . . . . . . . . . . . . . 31 4.1.1. Cryptographic Negotiation . . . . . . . . . . . . . . 32
4.1.2. Client Hello . . . . . . . . . . . . . . . . . . . . 32 4.1.2. Client Hello . . . . . . . . . . . . . . . . . . . . 33
4.1.3. Server Hello . . . . . . . . . . . . . . . . . . . . 35 4.1.3. Server Hello . . . . . . . . . . . . . . . . . . . . 36
4.1.4. Hello Retry Request . . . . . . . . . . . . . . . . . 37 4.1.4. Hello Retry Request . . . . . . . . . . . . . . . . . 38
4.2. Extensions . . . . . . . . . . . . . . . . . . . . . . . 39 4.2. Extensions . . . . . . . . . . . . . . . . . . . . . . . 40
4.2.1. Supported Versions . . . . . . . . . . . . . . . . . 42 4.2.1. Supported Versions . . . . . . . . . . . . . . . . . 43
4.2.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 4.2.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . 45
4.2.3. Signature Algorithms . . . . . . . . . . . . . . . . 45 4.2.3. Signature Algorithms . . . . . . . . . . . . . . . . 46
4.2.4. Certificate Authorities . . . . . . . . . . . . . . . 49 4.2.4. Certificate Authorities . . . . . . . . . . . . . . . 50
4.2.5. OID Filters . . . . . . . . . . . . . . . . . . . . . 49 4.2.5. OID Filters . . . . . . . . . . . . . . . . . . . . . 50
4.2.6. Post-Handshake Client Authentication . . . . . . . . 50 4.2.6. Post-Handshake Client Authentication . . . . . . . . 51
4.2.7. Negotiated Groups . . . . . . . . . . . . . . . . . . 51 4.2.7. Negotiated Groups . . . . . . . . . . . . . . . . . . 52
4.2.8. Key Share . . . . . . . . . . . . . . . . . . . . . . 52 4.2.8. Key Share . . . . . . . . . . . . . . . . . . . . . . 53
4.2.9. Pre-Shared Key Exchange Modes . . . . . . . . . . . . 55 4.2.9. Pre-Shared Key Exchange Modes . . . . . . . . . . . . 56
4.2.10. Early Data Indication . . . . . . . . . . . . . . . . 56 4.2.10. Early Data Indication . . . . . . . . . . . . . . . . 57
4.2.11. Pre-Shared Key Extension . . . . . . . . . . . . . . 59 4.2.11. Pre-Shared Key Extension . . . . . . . . . . . . . . 60
4.3. Server Parameters . . . . . . . . . . . . . . . . . . . . 62 4.3. Server Parameters . . . . . . . . . . . . . . . . . . . . 63
4.3.1. Encrypted Extensions . . . . . . . . . . . . . . . . 62 4.3.1. Encrypted Extensions . . . . . . . . . . . . . . . . 63
4.3.2. Certificate Request . . . . . . . . . . . . . . . . . 63 4.3.2. Certificate Request . . . . . . . . . . . . . . . . . 64
4.4. Authentication Messages . . . . . . . . . . . . . . . . . 64 4.4. Authentication Messages . . . . . . . . . . . . . . . . . 65
4.4.1. The Transcript Hash . . . . . . . . . . . . . . . . . 65 4.4.1. The Transcript Hash . . . . . . . . . . . . . . . . . 66
4.4.2. Certificate . . . . . . . . . . . . . . . . . . . . . 66 4.4.2. Certificate . . . . . . . . . . . . . . . . . . . . . 67
4.4.3. Certificate Verify . . . . . . . . . . . . . . . . . 71 4.4.3. Certificate Verify . . . . . . . . . . . . . . . . . 72
4.4.4. Finished . . . . . . . . . . . . . . . . . . . . . . 73 4.4.4. Finished . . . . . . . . . . . . . . . . . . . . . . 74
4.5. End of Early Data . . . . . . . . . . . . . . . . . . . . 74 4.5. End of Early Data . . . . . . . . . . . . . . . . . . . . 75
4.6. Post-Handshake Messages . . . . . . . . . . . . . . . . . 75 4.6. Post-Handshake Messages . . . . . . . . . . . . . . . . . 76
4.6.1. New Session Ticket Message . . . . . . . . . . . . . 75 4.6.1. New Session Ticket Message . . . . . . . . . . . . . 76
4.6.2. Post-Handshake Authentication . . . . . . . . . . . . 77 4.6.2. Post-Handshake Authentication . . . . . . . . . . . . 78
4.6.3. Key and IV Update . . . . . . . . . . . . . . . . . . 78 4.6.3. Key and IV Update . . . . . . . . . . . . . . . . . . 79
5. Record Protocol . . . . . . . . . . . . . . . . . . . . . . . 79 5. Record Protocol . . . . . . . . . . . . . . . . . . . . . . . 80
5.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 80 5.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 81
5.2. Record Payload Protection . . . . . . . . . . . . . . . . 82 5.2. Record Payload Protection . . . . . . . . . . . . . . . . 83
5.3. Per-Record Nonce . . . . . . . . . . . . . . . . . . . . 84 5.3. Per-Record Nonce . . . . . . . . . . . . . . . . . . . . 85
5.4. Record Padding . . . . . . . . . . . . . . . . . . . . . 85 5.4. Record Padding . . . . . . . . . . . . . . . . . . . . . 86
5.5. Limits on Key Usage . . . . . . . . . . . . . . . . . . . 86 5.5. Limits on Key Usage . . . . . . . . . . . . . . . . . . . 87
6. Alert Protocol . . . . . . . . . . . . . . . . . . . . . . . 86 6. Alert Protocol . . . . . . . . . . . . . . . . . . . . . . . 87
6.1. Closure Alerts . . . . . . . . . . . . . . . . . . . . . 88 6.1. Closure Alerts . . . . . . . . . . . . . . . . . . . . . 89
6.2. Error Alerts . . . . . . . . . . . . . . . . . . . . . . 89 6.2. Error Alerts . . . . . . . . . . . . . . . . . . . . . . 90
7. Cryptographic Computations . . . . . . . . . . . . . . . . . 92 7. Cryptographic Computations . . . . . . . . . . . . . . . . . 93
7.1. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 92 7.1. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 93
7.2. Updating Traffic Secrets . . . . . . . . . . . . . . . . 95 7.2. Updating Traffic Secrets . . . . . . . . . . . . . . . . 96
7.3. Traffic Key Calculation . . . . . . . . . . . . . . . . . 96 7.3. Traffic Key Calculation . . . . . . . . . . . . . . . . . 97
7.4. (EC)DHE Shared Secret Calculation . . . . . . . . . . . . 97 7.4. (EC)DHE Shared Secret Calculation . . . . . . . . . . . . 98
7.4.1. Finite Field Diffie-Hellman . . . . . . . . . . . . . 97 7.4.1. Finite Field Diffie-Hellman . . . . . . . . . . . . . 98
7.4.2. Elliptic Curve Diffie-Hellman . . . . . . . . . . . . 97 7.4.2. Elliptic Curve Diffie-Hellman . . . . . . . . . . . . 98
7.5. Exporters . . . . . . . . . . . . . . . . . . . . . . . . 98 7.5. Exporters . . . . . . . . . . . . . . . . . . . . . . . . 99
8. 0-RTT and Anti-Replay . . . . . . . . . . . . . . . . . . . . 98 8. 0-RTT and Anti-Replay . . . . . . . . . . . . . . . . . . . . 99
8.1. Single-Use Tickets . . . . . . . . . . . . . . . . . . . 100 8.1. Single-Use Tickets . . . . . . . . . . . . . . . . . . . 101
8.2. Client Hello Recording . . . . . . . . . . . . . . . . . 100 8.2. Client Hello Recording . . . . . . . . . . . . . . . . . 101
8.3. Freshness Checks . . . . . . . . . . . . . . . . . . . . 101 8.3. Freshness Checks . . . . . . . . . . . . . . . . . . . . 102
9. Compliance Requirements . . . . . . . . . . . . . . . . . . . 103 9. Compliance Requirements . . . . . . . . . . . . . . . . . . . 104
9.1. Mandatory-to-Implement Cipher Suites . . . . . . . . . . 103 9.1. Mandatory-to-Implement Cipher Suites . . . . . . . . . . 104
9.2. Mandatory-to-Implement Extensions . . . . . . . . . . . . 103 9.2. Mandatory-to-Implement Extensions . . . . . . . . . . . . 104
9.3. Protocol Invariants . . . . . . . . . . . . . . . . . . . 104 9.3. Protocol Invariants . . . . . . . . . . . . . . . . . . . 105
10. Security Considerations . . . . . . . . . . . . . . . . . . . 105 10. Security Considerations . . . . . . . . . . . . . . . . . . . 106
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 106 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 107
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 107 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 108
12.1. Normative References . . . . . . . . . . . . . . . . . . 107 12.1. Normative References . . . . . . . . . . . . . . . . . . 108
12.2. Informative References . . . . . . . . . . . . . . . . . 110 12.2. Informative References . . . . . . . . . . . . . . . . . 111
Appendix A. State Machine . . . . . . . . . . . . . . . . . . . 118 Appendix A. State Machine . . . . . . . . . . . . . . . . . . . 119
A.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 118 A.1. Client . . . . . . . . . . . . . . . . . . . . . . . . . 119
A.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 119 A.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 120
Appendix B. Protocol Data Structures and Constant Values . . . . 119 Appendix B. Protocol Data Structures and Constant Values . . . . 120
B.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 120 B.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 121
B.2. Alert Messages . . . . . . . . . . . . . . . . . . . . . 120 B.2. Alert Messages . . . . . . . . . . . . . . . . . . . . . 121
B.3. Handshake Protocol . . . . . . . . . . . . . . . . . . . 122 B.3. Handshake Protocol . . . . . . . . . . . . . . . . . . . 123
B.3.1. Key Exchange Messages . . . . . . . . . . . . . . . . 122 B.3.1. Key Exchange Messages . . . . . . . . . . . . . . . . 123
B.3.2. Server Parameters Messages . . . . . . . . . . . . . 127 B.3.2. Server Parameters Messages . . . . . . . . . . . . . 128
B.3.3. Authentication Messages . . . . . . . . . . . . . . . 128 B.3.3. Authentication Messages . . . . . . . . . . . . . . . 129
B.3.4. Ticket Establishment . . . . . . . . . . . . . . . . 129 B.3.4. Ticket Establishment . . . . . . . . . . . . . . . . 130
B.3.5. Updating Keys . . . . . . . . . . . . . . . . . . . . 130 B.3.5. Updating Keys . . . . . . . . . . . . . . . . . . . . 131
B.4. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 130 B.4. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 131
Appendix C. Implementation Notes . . . . . . . . . . . . . . . . 131 Appendix C. Implementation Notes . . . . . . . . . . . . . . . . 132
C.1. Random Number Generation and Seeding . . . . . . . . . . 131 C.1. Random Number Generation and Seeding . . . . . . . . . . 132
C.2. Certificates and Authentication . . . . . . . . . . . . . 132 C.2. Certificates and Authentication . . . . . . . . . . . . . 133
C.3. Implementation Pitfalls . . . . . . . . . . . . . . . . . 132 C.3. Implementation Pitfalls . . . . . . . . . . . . . . . . . 133
C.4. Client Tracking Prevention . . . . . . . . . . . . . . . 133 C.4. Client Tracking Prevention . . . . . . . . . . . . . . . 134
C.5. Unauthenticated Operation . . . . . . . . . . . . . . . . 134 C.5. Unauthenticated Operation . . . . . . . . . . . . . . . . 135
Appendix D. Backward Compatibility . . . . . . . . . . . . . . . 134 Appendix D. Backward Compatibility . . . . . . . . . . . . . . . 135
D.1. Negotiating with an older server . . . . . . . . . . . . 135 D.1. Negotiating with an older server . . . . . . . . . . . . 136
D.2. Negotiating with an older client . . . . . . . . . . . . 136 D.2. Negotiating with an older client . . . . . . . . . . . . 137
D.3. 0-RTT backwards compatibility . . . . . . . . . . . . . . 136 D.3. 0-RTT backwards compatibility . . . . . . . . . . . . . . 137
D.4. Middlebox Compatibility Mode . . . . . . . . . . . . . . 136 D.4. Middlebox Compatibility Mode . . . . . . . . . . . . . . 137
D.5. Backwards Compatibility Security Restrictions . . . . . . 137 D.5. Backwards Compatibility Security Restrictions . . . . . . 138
Appendix E. Overview of Security Properties . . . . . . . . . . 138 Appendix E. Overview of Security Properties . . . . . . . . . . 139
E.1. Handshake . . . . . . . . . . . . . . . . . . . . . . . . 138 E.1. Handshake . . . . . . . . . . . . . . . . . . . . . . . . 139
E.1.1. Key Derivation and HKDF . . . . . . . . . . . . . . . 141 E.1.1. Key Derivation and HKDF . . . . . . . . . . . . . . . 142
E.1.2. Client Authentication . . . . . . . . . . . . . . . . 142 E.1.2. Client Authentication . . . . . . . . . . . . . . . . 143
E.1.3. 0-RTT . . . . . . . . . . . . . . . . . . . . . . . . 142 E.1.3. 0-RTT . . . . . . . . . . . . . . . . . . . . . . . . 143
E.1.4. Exporter Independence . . . . . . . . . . . . . . . . 142 E.1.4. Exporter Independence . . . . . . . . . . . . . . . . 143
E.1.5. Post-Compromise Security . . . . . . . . . . . . . . 143 E.1.5. Post-Compromise Security . . . . . . . . . . . . . . 144
E.1.6. External References . . . . . . . . . . . . . . . . . 143 E.1.6. External References . . . . . . . . . . . . . . . . . 144
E.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 143 E.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 144
E.2.1. External References . . . . . . . . . . . . . . . . . 144 E.2.1. External References . . . . . . . . . . . . . . . . . 145
E.3. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 144 E.3. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 145
E.4. Side Channel Attacks . . . . . . . . . . . . . . . . . . 145 E.4. Side Channel Attacks . . . . . . . . . . . . . . . . . . 146
E.5. Replay Attacks on 0-RTT . . . . . . . . . . . . . . . . . 146 E.5. Replay Attacks on 0-RTT . . . . . . . . . . . . . . . . . 147
E.5.1. Replay and Exporters . . . . . . . . . . . . . . . . 147 E.5.1. Replay and Exporters . . . . . . . . . . . . . . . . 148
E.6. Attacks on Static RSA . . . . . . . . . . . . . . . . . . 148 E.6. PSK Identity Exposure . . . . . . . . . . . . . . . . . . 149
Appendix F. Working Group Information . . . . . . . . . . . . . 148 E.7. Attacks on Static RSA . . . . . . . . . . . . . . . . . . 149
Appendix G. Contributors . . . . . . . . . . . . . . . . . . . . 148 Appendix F. Working Group Information . . . . . . . . . . . . . 149
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 155 Appendix G. Contributors . . . . . . . . . . . . . . . . . . . . 149
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 156
1. Introduction 1. Introduction
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this
draft is maintained in GitHub. Suggested changes should be submitted draft is maintained in GitHub. Suggested changes should be submitted
as pull requests at https://github.com/tlswg/tls13-spec. as pull requests at https://github.com/tlswg/tls13-spec.
Instructions are on that page as well. Editorial changes can be Instructions are on that page as well. Editorial changes can be
managed in GitHub, but any substantive change should be discussed on managed in GitHub, but any substantive change should be discussed on
the TLS mailing list. the TLS mailing list.
skipping to change at page 7, line 16 skipping to change at page 7, line 16
server: The endpoint which did not initiate the TLS connection. server: The endpoint which did not initiate the TLS connection.
1.2. Change Log 1.2. Change Log
RFC EDITOR PLEASE DELETE THIS SECTION. RFC EDITOR PLEASE DELETE THIS SECTION.
(*) indicates changes to the wire protocol which may require (*) indicates changes to the wire protocol which may require
implementations to update. implementations to update.
draft-28
Add a section on exposure of PSK identities.
draft-27
- SHOULD->MUST for being able to process "supported_versions"
without 0x0304.
- Much editorial cleanup.
draft-26 draft-26
- Clarify that you can't negotiate pre-TLS 1.3 with - Clarify that you can't negotiate pre-TLS 1.3 with
supported_versions. supported_versions.
draft-25 draft-25
- Add the header to additional data (*) - Add the header to additional data (*)
- Minor clarifications. - Minor clarifications.
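Review bot: the new draft-28 entry "Add a section on exposure of PSK identities." is missing the leading "- " that every other change-log item uses (compare the draft-27 and draft-26 items directly below it); prefix it so the list renders consistently. Since the entry refers to a new appendix, consider naming it as well ("Add Appendix E.6 on exposure of PSK identities") so a reader of the change log can find the section without searching.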
skipping to change at page 15, line 40 skipping to change at page 16, line 5
- Merge in support for ECC from RFC 4492 but without explicit - Merge in support for ECC from RFC 4492 but without explicit
curves. curves.
- Remove the unnecessary length field from the AD input to AEAD - Remove the unnecessary length field from the AD input to AEAD
ciphers. ciphers.
- Rename {Client,Server}KeyExchange to {Client,Server}KeyShare. - Rename {Client,Server}KeyExchange to {Client,Server}KeyShare.
- Add an explicit HelloRetryRequest to reject the client's. - Add an explicit HelloRetryRequest to reject the client's.
draft-02
- Increment version number. - Increment version number.
- Rework handshake to provide 1-RTT mode. - Rework handshake to provide 1-RTT mode.
- Remove custom DHE groups. - Remove custom DHE groups.
- Remove support for compression. - Remove support for compression.
- Remove support for static RSA and DH key exchange. - Remove support for static RSA and DH key exchange.
skipping to change at page 60, line 44 skipping to change at page 61, line 44
SHOULD simply be ignored. If no acceptable PSKs are found, the SHOULD simply be ignored. If no acceptable PSKs are found, the
server SHOULD perform a non-PSK handshake if possible. If backwards server SHOULD perform a non-PSK handshake if possible. If backwards
compatibility is important, client provided, externally established compatibility is important, client provided, externally established
PSKs SHOULD influence cipher suite selection. PSKs SHOULD influence cipher suite selection.
Prior to accepting PSK key establishment, the server MUST validate Prior to accepting PSK key establishment, the server MUST validate
the corresponding binder value (see Section 4.2.11.2 below). If this the corresponding binder value (see Section 4.2.11.2 below). If this
value is not present or does not validate, the server MUST abort the value is not present or does not validate, the server MUST abort the
handshake. Servers SHOULD NOT attempt to validate multiple binders; handshake. Servers SHOULD NOT attempt to validate multiple binders;
rather they SHOULD select a single PSK and validate solely the binder rather they SHOULD select a single PSK and validate solely the binder
that corresponds to that PSK. See [Section 8.2] for the security that corresponds to that PSK. See [Section 8.2] and [Appendix E.6]
rationale for this requirement. In order to accept PSK key for the security rationale for this requirement. In order to accept
establishment, the server sends a "pre_shared_key" extension PSK key establishment, the server sends a "pre_shared_key" extension
indicating the selected identity. indicating the selected identity.
Clients MUST verify that the server's selected_identity is within the Clients MUST verify that the server's selected_identity is within the
range supplied by the client, that the server selected a cipher suite range supplied by the client, that the server selected a cipher suite
indicating a Hash associated with the PSK and that a server indicating a Hash associated with the PSK and that a server
"key_share" extension is present if required by the ClientHello "key_share" extension is present if required by the ClientHello
"psk_key_exchange_modes". If these values are not consistent the "psk_key_exchange_modes". If these values are not consistent the
client MUST abort the handshake with an "illegal_parameter" alert. client MUST abort the handshake with an "illegal_parameter" alert.
If the server supplies an "early_data" extension, the client MUST If the server supplies an "early_data" extension, the client MUST
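Review bot: the added pointer to Appendix E.6 is attached to the single-binder requirement ("Servers SHOULD NOT attempt to validate multiple binders ... See [Section 8.2] and [Appendix E.6] for the security rationale for this requirement"), but E.6 does not give a rationale for checking only one binder; it describes an identity-exposure side effect of the MUST in the sentence before it ("If this value is not present or does not validate, the server MUST abort the handshake"). Either move the E.6 citation to that sentence, or reword to something like "See [Section 8.2] for the security rationale for this requirement and [Appendix E.6] for a related privacy consideration", so the reference points at the behavior the appendix actually discusses.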
skipping to change at page 148, line 5 skipping to change at page 149, line 5
In particular, if these exporters are used as an authentication In particular, if these exporters are used as an authentication
channel binding (e.g., by signing the output of the exporter) an channel binding (e.g., by signing the output of the exporter) an
attacker who compromises the PSK can transplant authenticators attacker who compromises the PSK can transplant authenticators
between connections without compromising the authentication key. between connections without compromising the authentication key.
In addition, the early exporter SHOULD NOT be used to generate In addition, the early exporter SHOULD NOT be used to generate
server-to-client encryption keys because that would entail the reuse server-to-client encryption keys because that would entail the reuse
of those keys. This parallels the use of the early application of those keys. This parallels the use of the early application
traffic keys only in the client-to-server direction. traffic keys only in the client-to-server direction.
E.6. Attacks on Static RSA E.6. PSK Identity Exposure
Because implementations respond to an invalid PSK binder by aborting
the handshake, it may be possible for an attacker to verify whether a
given PSK identity is valid. Specifically, if a server accepts both
external PSK and certificate-based handshakes, a valid PSK identity
will result in a failed handshake, whereas an invalid identity will
just be skipped and result in a successful certificate handshake.
Servers which solely support PSK handshakes may be able to resist
this form of attack by treating the cases where there is no valid PSK
identity and where there is an identity but it has an invalid binder
identically.
E.7. Attacks on Static RSA
Although TLS 1.3 does not use RSA key transport and so is not Although TLS 1.3 does not use RSA key transport and so is not
directly susceptible to Bleichenbacher-type attacks, if TLS 1.3 directly susceptible to Bleichenbacher-type attacks, if TLS 1.3
servers also support static RSA in the context of previous versions servers also support static RSA in the context of previous versions
of TLS, then it may be possible to impersonate the server for TLS 1.3 of TLS, then it may be possible to impersonate the server for TLS 1.3
connections [JSS15]. TLS 1.3 implementations can prevent this attack connections [JSS15]. TLS 1.3 implementations can prevent this attack
by disabling support for static RSA across all versions of TLS. In by disabling support for static RSA across all versions of TLS. In
principle, implementations might also be able to separate principle, implementations might also be able to separate
certificates with different keyUsage bits for static RSA decryption certificates with different keyUsage bits for static RSA decryption
and RSA signature, but this technique relies on clients refusing to and RSA signature, but this technique relies on clients refusing to
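Review bot: in the new Appendix E.6 the attack precondition is left implicit; the first sentence says an attacker can "verify whether a given PSK identity is valid" but never states how: the attacker offers the candidate identity with a binder it cannot compute (any arbitrary value) and then observes whether the server aborts (identity known, binder check failed) or proceeds with a certificate handshake (identity unknown, entry skipped). Spell that out, e.g. "an attacker who offers a guessed identity with an arbitrary binder can distinguish ...". Two further points on the same section: (1) "Because implementations respond to an invalid PSK binder by aborting" describes the normative MUST from Section 4.2.11 ("If this value is not present or does not validate, the server MUST abort the handshake"), so cite that requirement rather than presenting the abort as implementation choice; (2) the mitigation for PSK-only servers ("treating the cases where there is no valid PSK identity and where there is an identity but it has an invalid binder identically") should say what "identically" has to cover: the same alert on both paths, and no measurable timing difference between the identity-lookup-failed and binder-failed paths, since either one is enough to distinguish the cases. It is also worth stating explicitly that servers which support both PSK and certificate handshakes, and which Section 4.2.11 directs to "perform a non-PSK handshake if possible" when no acceptable PSK is found, cannot apply this mitigation, so the exposure is inherent to that configuration and the only remedy is accepting it or not offering the fallback.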
 End of changes. 9 change blocks. 
127 lines changed or deleted 150 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/