Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protected pre-handshake packets #39

Merged
merged 5 commits into from Feb 6, 2017
Merged

Protected pre-handshake packets #39

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4835d74
Protected packets prior to handshake completion
martinthomson Nov 28, 2016
6b46c0b
Fixup a few gaffes
martinthomson Nov 28, 2016
32dfeab
Reflow
martinthomson Nov 28, 2016
efde873
Rewrite based on feedback from ekr
martinthomson Jan 9, 2017
8c288c2
Merge branch 'master' into protected_pre
martinthomson Jan 31, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
40 changes: 22 additions & 18 deletions draft-ietf-quic-tls.md
View file
Open in desktop
Expand Up @@ -837,24 +837,28 @@ be decrypted until all the server's handshake messages are received by the
client.


## Protected Frames Prior to Handshake Completion {#pre-handshake-protected}

Due to reordering and loss, 1-RTT protected packets might be received by an
endpoint before the final TLS handshake messages are received. These will not
be able to be decrypted, unless the missing handshake messages are the second
flight of handshake messages sent by the client.

Protected packets MAY be stored and later decrypted and used once the handshake
is complete. If packets are processed prior to completion of the handshake, an
attacker might use the willingness of an implementation to use these packets to
mount attacks.

Receiving and verifying the Finished message is critical in ensuring that the
TLS handshake has completely successfully. A server MUST NOT use 1-RTT
protected packets from the client if its response depends on client
authentication. A server MAY use 1-RTT protected packets from a client prior to
receiving and verifying the Finished message if it has accepted 0-RTT data and
it treats the out-of-order packets as though they only have 0-RTT protection.
## Receiving Out-of-Order Protected Frames {#pre-handshake-protected}

Due to reordering and loss, protected packets might be received by an endpoint
before the final TLS handshake messages are received. A client will be unable
to decrypt 1-RTT packets from the server, whereas a server will be able to
decrypt 1-RTT packets from the client.

Packets protected with 1-RTT keys MAY be stored and later decrypted and used
once the handshake is complete. A server MUST NOT use 1-RTT protected packets
before verifying either the client Finished message or - in the case that the
server has chosen to use a pre-shared key - the pre-shared key binder (see
Section 4.2.8 of {{!I-D.ietf-tls-tls13}}). Verifying these values provides the
server with an assurance that the ClientHello has not been modified.

A server could receive packets protected with 0-RTT keys prior to receiving a
TLS ClientHello. The server MAY retain these packets for later decryption in
anticipation of receiving a ClientHello.

Receiving and verifying the TLS Finished message is critical in ensuring the
integrity of the TLS handshake. A server MUST NOT use protected packets from
the client prior to verifying the client Finished message if its response
depends on client authentication.


# QUIC-Specific Additions to the TLS Handshake
Expand Down