Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No reading of 1-RTT before the handshake is complete #3224

Merged
merged 3 commits into from Dec 9, 2019
Merged

No reading of 1-RTT before the handshake is complete #3224

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b3defa9
No reading of 1-RTT before the handshake is complete
martinthomson Nov 12, 2019
e2ee0d4
Simplify
martinthomson Nov 12, 2019
459ef0f
Keep context
martinthomson Nov 19, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
33 changes: 21 additions & 12 deletions draft-ietf-quic-tls.md
View file
Open in desktop
Expand Up @@ -1173,25 +1173,34 @@ Note:
Due to reordering and loss, protected packets might be received by an endpoint
before the final TLS handshake messages are received. A client will be unable
to decrypt 1-RTT packets from the server, whereas a server will be able to
decrypt 1-RTT packets from the client.
decrypt 1-RTT packets from the client. Endpoints in either role MUST NOT
decrypt 1-RTT packets from their peer prior to completing the handshake.

Even though 1-RTT keys are available to a server after receiving the first
handshake messages from a client, it is missing assurances on the client state:

- The client is not authenticated, unless the server has chosen to use a
pre-shared key and validated the client's pre-shared key binder; see
Section 4.2.11 of {{!TLS13}}.
pre-shared key and validated the client's pre-shared key binder; see Section
4.2.11 of {{!TLS13}}.

- The client has not demonstrated liveness, unless a RETRY packet was used.

- Any received 0-RTT data that the server responds to might be due to a replay
attack.

Therefore, the server's use of 1-RTT keys is limited before the handshake is
complete. A server MUST NOT process data from incoming 1-RTT
protected packets before the TLS handshake is complete. Because
sending acknowledgments indicates that all frames in a packet have been
processed, a server cannot send acknowledgments for 1-RTT packets until the
TLS handshake is complete. Received packets protected with 1-RTT keys MAY be
stored and later decrypted and used once the handshake is complete.
attack.

Therefore, the server's use of 1-RTT keys MUST be limited to sending data before
the handshake is complete. A server MUST NOT process incoming 1-RTT protected
packets before the TLS handshake is complete. Because sending acknowledgments
indicates that all frames in a packet have been processed, a server cannot send
acknowledgments for 1-RTT packets until the TLS handshake is complete. Received
packets protected with 1-RTT keys MAY be stored and later decrypted and used
once the handshake is complete.

Note:

: TLS implementations might provide all 1-RTT secrets prior to handshake
completion. Even where QUIC implementations have 1-RTT read keys, those keys
cannot be used prior to completing the handshake.

The requirement for the server to wait for the client Finished message creates
a dependency on that message being delivered. A client can avoid the
Expand Down