@@ -1168,89 +1168,232 @@ anticipation of receiving a ClientHello.
11681168
11691169# Key Update
11701170
1171- Once the handshake is confirmed, it is possible to update the keys. The
1172- KEY_PHASE bit in the short header is used to indicate whether key updates
1173- have occurred. The KEY_PHASE bit is initially set to 0 and then inverted
1174- with each key update.
1171+ Once the 1-RTT keys are established and confirmed, it is possible to update the
1172+ keys used to protect packets.
11751173
1176- The KEY_PHASE bit allows a recipient to detect a change in keying material
1177- without necessarily needing to receive the first packet that triggered the
1178- change. An endpoint that notices a changed KEY_PHASE bit can update keys and
1179- decrypt the packet that contains the changed bit.
1174+ The Key Phase bit indicates which packet protection keys are used to protect the
1175+ packet. The Key Phase bit is initially set to 0 for the first set of 1-RTT
1176+ packets and toggled to signal each subsequent key update.
1177+
1178+ The Key Phase bit allows a recipient to detect a change in keying material
1179+ without needing to receive the first packet that triggered the change. An
1180+ endpoint that notices a changed Key Phase bit updates keys and decrypts the
1181+ packet that contains the changed value.
11801182
11811183This mechanism replaces the TLS KeyUpdate message. Endpoints MUST NOT send a
11821184TLS KeyUpdate message. Endpoints MUST treat the receipt of a TLS KeyUpdate
11831185message as a connection error of type 0x10a, equivalent to a fatal TLS alert of
11841186unexpected_message (see {{tls-errors}}).
11851187
1186- An endpoint MUST NOT initiate the first key update until the handshake is
1187- confirmed ({{handshake-confirmed}}). An endpoint MUST NOT initiate a subsequent
1188- key update until it has received an acknowledgment for a packet sent at the
1189- current KEY_PHASE. This can be implemented by tracking the lowest packet
1190- number sent with each KEY_PHASE, and the highest acknowledged packet number
1191- in the 1-RTT space : once the latter is higher than or equal to the former,
1192- another key update can be initiated.
1193-
1194- Endpoints MAY limit the number of keys they retain to two sets for removing
1195- packet protection and one set for protecting packets. Older keys can be
1196- discarded. Updating keys multiple times rapidly can cause packets to be
1197- effectively lost if packets are significantly reordered. Therefore, an
1198- endpoint SHOULD NOT initiate a key update for some time after it has last
1199- updated keys; the RECOMMENDED time period is three times the PTO. This avoids
1200- valid reordered packets being dropped by the peer as a result of the peer
1201- discarding older keys.
1202-
1203- A receiving endpoint detects an update when the KEY_PHASE bit does not match
1204- what it is expecting. It creates a new secret (see Section 7.2 of {{!TLS13}})
1205- and the corresponding read key and IV using the KDF function provided by TLS.
1206- The header protection key is not updated.
1207-
1208- If the packet can be decrypted and authenticated using the updated key and IV,
1209- then the keys the endpoint uses for packet protection are also updated. The
1210- next packet sent by the endpoint MUST then use the new keys. Once an endpoint
1211- has sent a packet encrypted with a given key phase, it MUST NOT send a packet
1212- encrypted with an older key phase.
1213-
1214- An endpoint does not always need to send packets when it detects that its peer
1215- has updated keys. The next packet that it sends will simply use the new keys.
1216- If an endpoint detects a second update before it has sent any packets with
1217- updated keys, it indicates that its peer has updated keys twice without awaiting
1218- a reciprocal update. An endpoint MUST treat consecutive key updates as a fatal
1219- error and abort the connection.
1220-
1221- An endpoint SHOULD retain old keys for a period of no more than three times the
1222- PTO. After this period, old keys and their corresponding secrets SHOULD be
1223- discarded. Retaining keys allow endpoints to process packets that were sent
1224- with old keys and delayed in the network. Packets with higher packet numbers
1225- always use the updated keys and MUST NOT be decrypted with old keys.
1226-
1227- This ensures that once the handshake is complete, packets with the same
1228- KEY_PHASE will have the same packet protection keys, unless there are multiple
1229- key updates in a short time frame succession and significant packet reordering.
1188+ {{ex-key-update}} shows a key update process, with keys used identified with @M
1189+ cannot be used until the endpoint has received and successfully decrypted a and
1190+ @N. The value of Key Phase bit is indicated in brackets \[]..
12301191
12311192~~~
12321193 Initiating Peer Responding Peer
12331194
1234- @M QUIC Frames
1235- New Keys -> @N
1236- @N QUIC Frames
1195+ @M [0] QUIC Packets
1196+
1197+ ... Update to @N
1198+ @N [1] QUIC Packets
12371199 -------->
1238- QUIC Frames @M
1239- New Keys -> @N
1240- QUIC Frames @N
1200+ Update to @N ...
1201+ QUIC Packets [1] @N
1202+ <--------
1203+ QUIC Packets [1] @N
1204+ containing ACK
12411205 <--------
1206+ ... Key Update Permitted
1207+
1208+ @N [1] QUIC Packets
1209+ containing ACK for @N packets
1210+ -------->
1211+ Key Update Permitted ...
12421212~~~
12431213{: # ex-key-update title="Key Update"}
12441214
1245- A packet that triggers a key update could arrive after the receiving endpoint
1246- successfully processed a packet with a higher packet number. This is only
1247- possible if there is a key compromise and an attack, or if the peer is
1248- incorrectly reverting to use of old keys. Because the latter cannot be
1249- differentiated from an attack, an endpoint MUST immediately terminate the
1250- connection if it detects this condition.
12511215
1252- In deciding when to update keys, endpoints MUST NOT exceed the limits for use of
1253- specific keys, as described in Section 5.5 of {{!TLS13}}.
1216+ # # Initiating a Key Update {#key-update-initiate}
1217+
1218+ Endpoints maintain separate read and write secrets for packet protection. An
1219+ endpoint initiates a key update by updating its packet protection write secret
1220+ and using that to protect new packets. The endpoint creates a new write secret
1221+ from the existing write secret as performed in Section 7.2 of {{!TLS13}}. This
1222+ uses the KDF function provided by TLS with a label of "quic ku". The
1223+ corresponding key and IV are created from that secret as defined in
1224+ {{protection-keys}}. The header protection key is not updated.
1225+
1226+
1227+ The endpoint toggles the value of the Key Phase bit and uses the updated key and
1228+ IV to protect all subsequent packets.
1229+
1230+ An endpoint MUST NOT initiate a key update prior to having received an
1231+ acknowledgment for a packet that it sent protected with keys from the current
1232+ key phase. This ensures that keys are available to both peers before another
1233+ can be initiated.
1234+
1235+ Note :
1236+
1237+ : Changes in keys from Initial to Handshake and from Handshake to 1-RTT don't
1238+ use this key update process. Key changes during the handshake are driven
1239+ solely by changes in the TLS handshake state.
1240+
1241+ The endpoint that initiates a key update also updates the keys that it uses for
1242+ receiving packets. These keys will be needed to process packets the peer sends
1243+ after updating.
1244+
1245+ An endpoint SHOULD retain old keys so that packets sent by its peer prior to
1246+ receiving the key update can be processed. Discarding old keys too early can
1247+ cause delayed packets to be discarded. Discarding packets will be interpreted
1248+ as packet loss by the peer and could adversely affect performance.
1249+
1250+
1251+ # # Responding to a Key Update
1252+
1253+ Once an endpoint has acknowledged a packet in the current key phase, a peer is
1254+ permitted to initiate a key update. If a packet is received with a key phase
1255+ that differs from the value the endpoint used to protect the last packet it
1256+ sent, the endpoint uses the next packet protection keys for reading and the
1257+ corresponding key and IV; see {{receive-key-generation}} for considerations
1258+ about generating these keys.
1259+
1260+ An endpoint uses the same key derivation process as its peer uses to generate
1261+ keys for receiving.
1262+
1263+ If a packet is successfully processed using the next key and IV, then the peer
1264+ has initiated a key update. The endpoint MUST updates its send keys to the
1265+ corresponding key phase in response, as described in {{key-update-initiate}}.
1266+ By acknowledging the packet that triggered the key update in a packet protected
1267+ with the updated keys, the endpoint will ultimately signal that the key update
1268+ is complete.
1269+
1270+ An endpoint can defer sending the packet or acknowledgement according to its
1271+ normal packet sending behaviour; it is not necessary to immediately generate a
1272+ packet in response to a key update. The next packet sent by the endpoint will
1273+ use the updated keys. The next packet that contains an acknowledgement will
1274+ cause the key update to be completed. If an endpoint detects a second update
1275+ before it has sent any packets with updated keys or an acknowledgement for the
1276+ packet that initiated the key update, it indicates that its peer has updated
1277+ keys twice without awaiting confirmation. An endpoint MAY treat consecutive key
1278+ updates as a connection error of type KEY_UPDATE_ERROR.
1279+
1280+ An endpoint that receives an acknowledgement that is carried in a packet
1281+ protected with old keys where any acknowledged packet was protected with newer
1282+ keys MAY treat that as a connection error of type KEY_UPDATE_ERROR. This
1283+ indicates that a peer has received and acknowledged a packet that initiates a
1284+ key update, but has not updated keys in response.
1285+
1286+
1287+ # # Timing of Receive Key Generation {#receive-key-generation}
1288+
1289+ Endpoints responding to an apparent key update MUST NOT generate a timing
1290+ side-channel signal that might indicate that the Key Phase bit was invalid (see
1291+ {{header-protect-analysis}}). Endpoints can use dummy packet protection keys in
1292+ place of discarded keys when key updates are not permitted; using dummy keys
1293+ will generate no variation in the timing signal produced by attempting to remove
1294+ packet protection, but all packets with an invalid Key Phase bit will be
1295+ rejected.
1296+
1297+ The process of creating new packet protection keys for receiving packets could
1298+ reveal that a key update has occurred. An endpoint MAY perform this process as
1299+ part of packet processing, but this creates a timing signal that can be used by
1300+ an attacker to learn when key updates happen and thus the value of the Key Phase
1301+ bit in certain packets. Endpoints SHOULD instead defer the creation of the next
1302+ set of packet protection keys until some time after a key update completes, up
1303+ to three times the PTO; see {{old-keys-recv}}.
1304+
1305+ Once generated, the next set of packet protection keys SHOULD be retained, even
1306+ if the packet that was received was subsequently discarded. Packets containing
1307+ apparent key updates are easy to forge and - while the process of key update
1308+ does not require significant effort - triggering this process could be used by
1309+ an attacker for DoS.
1310+
1311+ For this reason, endpoints MUST be able to retain two sets of packet protection
1312+ keys for receiving packets : the current and the next. Retaining the previous
1313+ keys in addition to these might improve performance, but this is not essential.
1314+
1315+ The time taken to generate new keys could reveal through timing side channels
1316+ that a key update has occurred, or where an attacker injects packets, be used to
1317+ reveal the value of the Key Phase on injected packets. After receiving a key
1318+ update, an endpoint SHOULD generate and save the next set of packet protection
1319+ keys. After new keys are available, receipt of packets will not create timing
1320+ signals about the value of the Key Phase.
1321+
1322+ This depends on not doing this generating during packet processing and it can
1323+ require that endpoints maintain three sets of packet protection keys for
1324+ receiving : for the previous key phase, for the current key phase, and for the
1325+ next key phase. Endpoints MAY choose to defer generation of the next packet
1326+ protection keys until they discard old keys so that only two sets of receive
1327+ keys need to be retained at any point in time.
1328+
1329+
1330+ # # Sending with Updated Keys {#old-keys-send}
1331+
1332+ An endpoint always sends packets that are protected with the newest keys. Keys
1333+ used for adding packet protection can be discarded immediately after switching
1334+ to newer keys.
1335+
1336+ Packets with higher packet numbers MUST be protected with either the same or
1337+ newer packet protection keys than packets with lower packet numbers. An
1338+ endpoint that successfully removes protection with old keys when newer keys were
1339+ used for packets with lower packet numbers MUST treat this as a connection error
1340+ of type KEY_UPDATE_ERROR.
1341+
1342+
1343+ # # Receiving with Different Keys {#old-keys-recv}
1344+
1345+ For receiving packets during a key update, packets protected with older keys
1346+ might arrive if they were delayed by the network. Retaining old packet
1347+ protection keys allows these packets to be successfully processed.
1348+
1349+ As packet protected with keys from the next key phase use the same Key Phase
1350+ value as those protected with keys from the previous key phase, it can be
1351+ necessary to distinguish between the two. This can be done using packet
1352+ numbers. A recovered packet number that is lower than any packet number from
1353+ the current key phase uses the previous packet protection keys; a recovered
1354+ packet number that is higher than any packet number from the current key phase
1355+ requires the use of the next packet protection keys.
1356+
1357+ Some care is necessary to ensure that any process for selecting between
1358+ previous, current, and next packet protection keys does not expose a timing side
1359+ channel that might reveal which keys were used to remove packet protection.
1360+
1361+ Alternatively, endpoints can retain only two sets of packet protection keys,
1362+ swapping previous for next after enough time has passed to allow for reordering
1363+ in the network. In this case, the Key Phase bit alone can be used to select
1364+ keys.
1365+
1366+ An endpoint SHOULD allow a period between one and two times the Probe Timeout
1367+ (PTO; see {{QUIC-RECOVERY}}) after a key update before it creates the next set
1368+ of packet protection keys. These MAY replace the previous keys at that time.
1369+ With the caveat that PTO is a subjective measure - that is, a peer could have a
1370+ different view of the RTT - this time is expected to be long enough that any
1371+ reordered packets would be declared lost by a peer even if they were
1372+ acknowledged and short enough to allow for subsequent key updates.
1373+
1374+ Endpoints SHOULD allow for the possibility that a peer is not able to handle a
1375+ key update during this period by allowing three times the PTO after receiving an
1376+ acknowledgment that signals that the key update is complete and initiating
1377+ another. Failing to allow sufficient time could lead to packets being
1378+ discarded.
1379+
1380+ An endpoint SHOULD retain old read keys for a period of no more than three times
1381+ the current PTO. After this period, old read keys and their corresponding
1382+ secrets SHOULD be discarded.
1383+
1384+
1385+ # # Key Update Frequency
1386+
1387+ Key updates MUST be initiated before usage limits on packet protection keys are
1388+ exceeded. For the cipher suites mentioned in this document, the limits in
1389+ Section 5.5 of {{!TLS13}} apply. Other cipher suites MUST define usage limits
1390+ in order to be used with QUIC.
1391+
1392+
1393+ # # Key Update Error Code {#key-update-error}
1394+
1395+ The KEY_UPDATE_ERROR error code (0xE) is used to signal errors related to key
1396+ updates.
12541397
12551398
12561399# Security of Initial Messages
@@ -1460,15 +1603,15 @@ authenticated using packet protection; the entire packet header is part of the
14601603authenticated additional data. Protected fields that are falsified or modified
14611604can only be detected once the packet protection is removed.
14621605
1463- An attacker could guess values for packet numbers and have an endpoint confirm
1464- guesses through timing side channels. Similarly, guesses for the packet number
1465- length can be trialed and exposed. If the recipient of a packet discards
1466- packets with duplicate packet numbers without attempting to remove packet
1467- protection they could reveal through timing side-channels that the packet number
1468- matches a received packet. For authentication to be free from side-channels,
1469- the entire process of header protection removal, packet number recovery, and
1470- packet protection removal MUST be applied together without timing and other
1471- side-channels.
1606+ An attacker could guess values for packet numbers or Key Phase and have an
1607+ endpoint confirm guesses through timing side channels. Similarly, guesses for
1608+ the packet number length can be trialed and exposed. If the recipient of a
1609+ packet discards packets with duplicate packet numbers without attempting to
1610+ remove packet protection they could reveal through timing side-channels that the
1611+ packet number matches a received packet. For authentication to be free from
1612+ side-channels, the entire process of header protection removal, packet number
1613+ recovery, and packet protection removal MUST be applied together without timing
1614+ and other side-channels.
14721615
14731616For the sending of packets, construction and protection of packet payloads and
14741617packet numbers MUST be free from side-channels that would reveal the packet
@@ -1507,6 +1650,9 @@ values in the following registries:
15071650 Recommended column is to be marked Yes. The TLS 1.3 Column is to include CH
15081651 and EE.
15091652
1653+ * QUIC Error Codes Registry {{QUIC-TRANSPORT}} - IANA is to register the
1654+ KEY_UPDATE_ERROR (0xE), as described in {{key-update-error}}.
1655+
15101656
15111657--- back
15121658
0 commit comments