Add an appendix containing test vectors for "Initial". #1573

Closed
wants to merge 6 commits into from
73 changes: 73 additions & 0 deletions draft-ietf-quic-tls.md
Expand Up @@ -793,6 +793,9 @@ modifying the contents of handshake packets from future versions.
The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initial
packets even where the TLS versions offered do not include TLS 1.3.

{{test-vectors-initial}} contains test vectors for the initial packet
encryption.

Note:

: The Destination Connection ID is of arbitrary length, and it could be zero
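
Review bot: "initial packet encryption" in the added sentence should be capitalised as "Initial packet encryption", since the context line directly above writes the packet type as "Initial packets" and the new appendix title does the same. It would also help to say in this sentence that the appendix values are samples for checking an implementation, so the reference does not read as normative next to the MUST in the preceding paragraph.
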
Expand Down Expand Up @@ -1391,6 +1394,76 @@ values in the following registries:

--- back

# Test Vectors for Initial Packet Encryption {#test-vectors-initial}

This section shows sample packet encryption secrets so
that implementations can be verified incrementally.

{{initial-secrets}} contains the salt used for Initial Packet
Encryption.
Using an Initial Destination Connection ID 0x8394c8f03e515708, the
derived 32 byte initial secret is:

~~~
44 96 d3 90 3d 3f 97 cc 5e 45 ac 57 90 dd c6 86
68 3c 7c 00 67 01 2b b0 9d 90 0c c2 18 32 d5 96
~~~

The labels generated by the HKDF-Expand-Label function are:

~~~
tls13 client in: 00 20 0f 74 6c 73 31 33 20 63 6c 69 65 6e 74 20
69 6e 00

tls13 server in: 00 20 0f 74 6c 73 31 33 20 73 65 72 76 65 72 20
69 6e 00

tls13 quic key: 00 10 0e 74 6c 73 31 33 20 71 75 69 63 20 6b 65
79 00

tls13 quic iv: 00 0c 0d 74 6c 73 31 33 20 71 75 69 63 20 69 76
00
tls13 quic hp: 00 10 0d 74 6c 73 31 33 20 71 75 69 63 20 68 70
00
~~~

The client initial secret is 32 bytes long:

~~~
8a 35 15 a1 4a e3 c3 1b 9c 2d 6d 5b c5 85 38 ca
5c d2 ba a1 19 08 71 43 e6 08 87 42 8d cb 52 f6
~~~

Using this secret, we get the following keys (16 bytes) and
initialization vector (12 bytes):

~~~
key: 98 b0 d7 e5 e7 a4 02 c6 7c 33 f3 50 fa 65 ea 54

hp key: 0e dd 98 2a 6a c5 27 f2 ed dc bb 73 48 de a5 d7

IV: 19 e9 43 87 80 5e b0 b4 6c 03 a7 88
~~~

The server initial secret is 32 bytes long:

~~~
47 b2 ea ea 6c 26 6e 32 c0 69 7a 9e 2a 89 8b df
5c 4f b3 e5 ac 34 f0 e5 49 bf 2c 58 58 1a 38 11
~~~

Using this secret, we get the following keys (16 bytes) and
initialization vector (12 bytes):

~~~
key: 9a 8b e9 02 a9 bd d9 1d 16 06 4c a1 18 04 5f b4

hp key: 94 b9 45 2d 2b 3c 7c 7f 6d a7 fd d8 59 35 37 fd

IV: 0a 82 08 6d 32 20 5b a2 22 41 d8 dc
~~~


Contributor

Yes, having something like that in the spec would be useful. We need an independent verification before publishing these values.

Also, having the PN key is fine, but we probably need a complete packet example to ensure that the nonce is properly extracted and the PN properly decrypted.

Contributor

In fact, I think that it would be better to start with the test vector in EKR's message "PNE Test Vector" sent on the quic list on 7/18/2018.

Contributor Author

@huitema my objective was to have the PN key in this section and then use it for PNE but this PR was just for initial test vectors. I agree we need independent verification before we publish.

# Change Log

> **RFC Editor's Note:** Please remove this section prior to publication of a
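
Review bot: The sentence "The labels generated by the HKDF-Expand-Label function are:" misdescribes the block under it. Those bytes are what goes into HKDF-Expand, not what comes out of it: each entry is a two-byte output length (00 20, 00 10 or 00 0c), a one-byte label length, the "tls13 ..." label and a trailing 00 for the empty context. Suggest wording such as "The serialized labels passed to HKDF-Expand are:". In the same block, the "tls13 quic iv" entry is not separated from "tls13 quic hp" by a blank line as the other entries are. The appendix also points to {{initial-secrets}} for the salt without repeating its value, so the first step cannot be checked from this section alone; printing the salt next to the connection ID would make the vectors self-contained. "32 byte initial secret" should be "32-byte initial secret". Finally, the vectors end at the key, hp key and IV, so nothing here exercises nonce construction or header protection; a sample protected packet would be needed for that.
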