From 32061951eb08fa84252d69690963fceb26a640c7 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 6 Jan 2021 16:29:43 +1100 Subject: [PATCH 1/3] Define Context and Length inputs to HKDF-Expand-Label Closes #4489. --- draft-ietf-quic-tls.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 43ed620134..3cfc2d0015 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -926,9 +926,13 @@ based on the client's initial Destination Connection ID, as described in The keys used for packet protection are computed from the TLS secrets using the KDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label function described in Section 7.1 of {{!TLS13}} is used, using the hash function from the negotiated -cipher suite. Note that labels, which are described using strings, are encoded +cipher suite. All uses of HKDF-Expand-Label in QUIC use a zero-length Context. + +Note that labels, which are described using strings, are encoded as bytes using ASCII {{?ASCII=RFC0020}} without quotes or any trailing NUL -byte. Other versions of TLS MUST provide a similar function in order to be +byte. + +Other versions of TLS MUST provide a similar function in order to be used with QUIC. The current encryption level secret and the label "quic key" are input to the 
@@ -937,6 +941,12 @@ Initialization Vector (IV); see {{aead}}. The header protection key uses the "quic hp" label; see {{header-protect}}. Using these labels provides key separation between QUIC and TLS; see {{key-diversity}}. +Both "quic key" and "quic hp" are used to produce keys, so the Length provided +to HKDF-Expand-Label along with these labels is determined by the size of keys +in the AEAD or header protection algorithm. The Length provided with "quic iv" +is the length of the AEAD nonce, specifically N_MAX, though the value of N_MIN +is the same for the AEAD algorithms that can be used; see {{!AEAD}}. + The KDF used for initial secrets is always the HKDF-Expand-Label function from TLS 1.3; see {{initial-secrets}}. From e1d596a0055c13d85e41777e0934190b7a150c74 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 7 Jan 2021 11:31:44 +1100 Subject: [PATCH 2/3] Switch to N_MIN --- draft-ietf-quic-tls.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 3cfc2d0015..151ee8d884 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -944,8 +944,8 @@ separation between QUIC and TLS; see {{key-diversity}}. Both "quic key" and "quic hp" are used to produce keys, so the Length provided to HKDF-Expand-Label along with these labels is determined by the size of keys in the AEAD or header protection algorithm. The Length provided with "quic iv" -is the length of the AEAD nonce, specifically N_MAX, though the value of N_MIN -is the same for the AEAD algorithms that can be used; see {{!AEAD}}. +is the length of the AEAD nonce, specifically N_MIN, though the value of N_MAX +is the same for the AEAD algorithms defined here; see {{!AEAD}}. The KDF used for initial secrets is always the HKDF-Expand-Label function from TLS 1.3; see {{initial-secrets}}. From dff7c81de71c9e2a33b416086522784610eabca9 Mon Sep 17 00:00:00 2001 
From: Martin Thomson Date: Thu, 7 Jan 2021 18:17:01 +1100 Subject: [PATCH 3/3] Kazuho convinced me. --- draft-ietf-quic-tls.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 151ee8d884..7710aae959 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -944,8 +944,8 @@ separation between QUIC and TLS; see {{key-diversity}}. Both "quic key" and "quic hp" are used to produce keys, so the Length provided to HKDF-Expand-Label along with these labels is determined by the size of keys in the AEAD or header protection algorithm. The Length provided with "quic iv" -is the length of the AEAD nonce, specifically N_MIN, though the value of N_MAX -is the same for the AEAD algorithms defined here; see {{!AEAD}}. +is the minimum length of the AEAD nonce, or 8 bytes if that is larger; see +{{!AEAD}}. The KDF used for initial secrets is always the HKDF-Expand-Label function from TLS 1.3; see {{initial-secrets}}.
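Review bot: In PATCH 1/3, hunk @@ -926,9 +926,13, the new sentence "All uses of HKDF-Expand-Label in QUIC use a zero-length Context" covers only HKDF-Expand-Label, while the paragraph this hunk splits off still says other versions of TLS MUST provide "a similar function". The text does not say whether such a function is also called with an empty Context. Consider stating in that last paragraph that the Context and Length rules apply to any equivalent function as well.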
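Review bot: In PATCH 1/3, hunk @@ -937,6 +941,12, the first added sentence leaves the label-to-algorithm pairing implicit: "determined by the size of keys in the AEAD or header protection algorithm" does not say which label takes which size. Suggest spelling it out, with "quic key" taking the AEAD key size and "quic hp" taking the header protection key size, and stating the unit of Length. The "quic iv" sentence names N_MAX and then notes that N_MIN "is the same", which invites readers to treat the two as interchangeable; give a single value without the equality caveat.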
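Review bot: PATCH 2/3 swaps N_MAX and N_MIN in the "quic iv" sentence, but neither the subject "Switch to N_MIN" nor the hunk says why the minimum is the right choice, so the reason is lost to anyone reading the history. Add a line of rationale to the commit message. The new wording "the AEAD algorithms defined here" is also ambiguous next to "see {{!AEAD}}": "here" could mean this document or the referenced one. Name the document meant.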
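Review bot: In PATCH 3/3, the replacement text "the minimum length of the AEAD nonce, or 8 bytes if that is larger" has an ambiguous "that", which can be read as referring to either quantity, and it drops the N_MIN symbol that links the sentence to {{!AEAD}}. Suggest wording along the lines of "the larger of 8 bytes and the minimum AEAD nonce length (N_MIN)". The 8-byte floor is new in this hunk and arrives with no stated reason; the subject "Kazuho convinced me." does not record one either, so add a cross-reference or a short rationale for where the 8 bytes comes from.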