From 932fdc4f5f0eba1438950ce5bfac10d9a6acb6b1 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 11 Feb 2019 10:57:20 +1100 Subject: [PATCH] Work on key diversity --- draft-ietf-quic-tls.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 936d1bc00d..caff149b1e 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -1368,21 +1368,20 @@ In using TLS, the central key schedule of TLS is used. As a result of the TLS handshake messages being integrated into the calculation of secrets, the inclusion of the QUIC transport parameters extension ensures that handshake and 1-RTT keys are not the same as those that might be produced by a server running -TLS over TCP. However, 0-RTT keys only include the ClientHello message and -might therefore use the same secrets. To avoid the possibility of -cross-protocol key synchronization, additional measures are provided to improve -key separation. +TLS over TCP. To avoid the possibility of cross-protocol key synchronization, +additional measures are provided to improve key separation. The QUIC packet protection keys and IVs are derived using a different label than the equivalent keys in TLS. To preserve this separation, a new version of QUIC SHOULD define new labels for -key derivation for packet protection key and IV, plus the header -protection keys. +key derivation for packet protection key and IV, plus the header protection +keys. This version of QUIC uses the string "quic". Other versions can use a +version-specific label in place of that string. -The initial secrets also use a key that is specific to the negotiated QUIC -version. New QUIC versions SHOULD define a new salt value used in calculating -initial secrets. +The initial secrets use a key that is specific to the negotiated QUIC version. +New QUIC versions SHOULD define a new salt value used in calculating initial +secrets. # IANA Considerations
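Review bot: In the first paragraph of the hunk, dropping the 0-RTT sentence leaves the text claiming separation only for "handshake and 1-RTT keys", so a reader can no longer tell whether 0-RTT keys are covered by the transport parameters argument or are the reason for the "additional measures" in the next sentence. Either add 0-RTT to the list of keys that differ from those of TLS over TCP, or state in one sentence what the additional measures protect against now that the 0-RTT rationale is gone. In the second paragraph, the new "Other versions can use a version-specific label" follows directly after "SHOULD define new labels", which reads as two different requirement levels for the same thing; align them, for example by saying that the SHOULD is satisfied by replacing the string "quic", and say where in the label that string appears.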