2.1.TLS Overview

TLS provides two endpoints with a way to establish a means of communication overan untrusted medium (that is, the Internet) that ensures that messages theyexchange cannot be observed, modified, or forged.¶

Internally, TLS is a layered protocol, with the structure shown inFigure 1.¶

          +-------------+------------+--------------+---------+Handshake |             |            |  Application |         |Layer     |  Handshake  |   Alerts   |     Data     |   ...   |          |             |            |              |         |          +-------------+------------+--------------+---------+Record    |                                                   |Layer     |                      Records                      |          |                                                   |          +---------------------------------------------------+

Each Handshake layer message (e.g., Handshake, Alerts, and Application Data) iscarried as a series of typed TLS records by the Record layer. Records areindividually cryptographically protected and then transmitted over a reliabletransport (typically TCP) which provides sequencing and guaranteed delivery.¶

The TLS authenticated key exchange occurs between two endpoints: client andserver. The client initiates the exchange and the server responds. If the keyexchange completes successfully, both client and server will agree on a secret.TLS supports both pre-shared key (PSK) and Diffie-Hellman over either finitefields or elliptic curves ((EC)DHE) key exchanges. PSK is the basis for 0-RTT;the latter provides perfect forward secrecy (PFS) when the (EC)DHE keys aredestroyed.¶

After completing the TLS handshake, the client will have learned andauthenticated an identity for the server and the server is optionally able tolearn and authenticate an identity for the client. TLS supports X.509[RFC5280] certificate-based authentication for both server and client.¶

The TLS key exchange is resistant to tampering by attackers and it producesshared secrets that cannot be controlled by either participating peer.¶

TLS provides two basic handshake modes of interest to QUIC:¶

• A full 1-RTT handshake in which the client is able to send Application Dataafter one round trip and the server immediately responds after receiving thefirst handshake message from the client.¶
• A 0-RTT handshake in which the client uses information it has previouslylearned about the server to send Application Data immediately. ThisApplication Data can be replayed by an attacker so it MUST NOT carry aself-contained trigger for any non-idempotent action.¶

A simplified TLS handshake with 0-RTT application data is shown inFigure 2.¶

    Client                                             Server    ClientHello   (0-RTT Application Data)  -------->                                                  ServerHello                                         {EncryptedExtensions}                                                    {Finished}                             <--------      [Application Data]   {Finished}                -------->   [Application Data]        <------->      [Application Data]    () Indicates messages protected by Early Data (0-RTT) Keys    {} Indicates messages protected using Handshake Keys    [] Indicates messages protected using Application Data       (1-RTT) Keys

Figure 2 omits the EndOfEarlyData message, which is not used in QUIC; seeSection 8.3. Likewise, neither ChangeCipherSpec nor KeyUpdate messages areused by QUIC. ChangeCipherSpec is redundant in TLS 1.3; seeSection 8.4.QUIC has its own key update mechanism; seeSection 6.¶

Data is protected using a number of encryption levels:¶

• Initial Keys¶
• Early Data (0-RTT) Keys¶
• Handshake Keys¶
• Application Data (1-RTT) Keys¶

Application Data may appear only in the Early Data and Application Datalevels. Handshake and Alert messages may appear in any level.¶

The 0-RTT handshake is only possible if the client and server have previouslycommunicated. In the 1-RTT handshake, the client is unable to send protectedApplication Data until it has received all of the Handshake messages sent by theserver.¶

4.1.Interface to TLS

As shown inFigure 4, the interface from QUIC to TLS consists of fourprimary functions:¶

• Sending and receiving handshake messages¶
• Processing stored transport and application state from a resumed sessionand determining if it is valid to accept early data¶
• Rekeying (both transmit and receive)¶
• Handshake state updates¶

Additional functions might be needed to configure TLS.¶

Client                                                    ServerGet Handshake                     Initial ------------->                                              Handshake ReceivedInstall tx 0-RTT Keys                     0-RTT --------------->                                                   Get Handshake                     <------------- InitialHandshake ReceivedInstall Handshake keys                                           Install rx 0-RTT keys                                          Install Handshake keys                                                   Get Handshake                     <----------- HandshakeHandshake Received                                           Install tx 1-RTT keys                     <--------------- 1-RTTGet HandshakeHandshake Complete                     Handshake ----------->                                              Handshake Received                                           Install rx 1-RTT keys                                              Handshake CompleteInstall 1-RTT keys                     1-RTT --------------->                                                   Get Handshake                     <--------------- 1-RTTHandshake Received

4.2.TLS Version

This document describes how TLS 1.3[TLS13] is used with QUIC.¶

In practice, the TLS handshake will negotiate a version of TLS to use. Thiscould result in a newer version of TLS than 1.3 being negotiated if bothendpoints support that version. This is acceptable provided that the featuresof TLS 1.3 that are used by QUIC are supported by the newer version.¶

A badly configured TLS implementation could negotiate TLS 1.2 or another olderversion of TLS. An endpoint MUST terminate the connection if a version of TLSolder than 1.3 is negotiated.¶

4.3.ClientHello Size

The first Initial packet from a client contains the start or all of its firstcryptographic handshake message, which for TLS is the ClientHello. Serversmight need to parse the entire ClientHello (e.g., to access extensions such asServer Name Identification (SNI) or Application Layer Protocol Negotiation(ALPN)) in order to decide whether to accept the new incoming QUIC connection.If the ClientHello spans multiple Initial packets, such servers would need tobuffer the first received fragments, which could consume excessive resources ifthe client's address has not yet been validated. To avoid this, servers MAYuse the Retry feature (see Section 8.1 of[QUIC-TRANSPORT]) to only bufferpartial ClientHello messages from clients with a validated address.¶

QUIC packet and framing add at least 36 bytes of overhead to the ClientHellomessage. That overhead increases if the client chooses a connection ID withoutzero length. Overheads also do not include the token or a connection ID longerthan 8 bytes, both of which might be required if a server sends a Retry packet.¶

A typical TLS ClientHello can easily fit into a 1200 byte packet. However, inaddition to the overheads added by QUIC, there are several variables that couldcause this limit to be exceeded. Large session tickets, multiple or large keyshares, and long lists of supported ciphers, signature algorithms, versions,QUIC transport parameters, and other negotiable parameters and extensions couldcause this message to grow.¶

For servers, in addition to connection IDs and tokens, the size of TLS sessiontickets can have an effect on a client's ability to connect efficiently.Minimizing the size of these values increases the probability that clients canuse them and still fit their ClientHello message in their first Initial packet.¶

The TLS implementation does not need to ensure that the ClientHello issufficiently large. QUIC PADDING frames are added to increase the size of thepacket as necessary.¶

4.4.Peer Authentication

The requirements for authentication depend on the application protocol that isin use. TLS provides server authentication and permits the server to requestclient authentication.¶

A client MUST authenticate the identity of the server. This typically involvesverification that the identity of the server is included in a certificate andthat the certificate is issued by a trusted entity (see for example[RFC2818]).¶

A server MAY request that the client authenticate during the handshake. A serverMAY refuse a connection if the client is unable to authenticate when requested.The requirements for client authentication vary based on application protocoland deployment.¶

A server MUST NOT use post-handshake client authentication (as defined inSection 4.6.2 of[TLS13]), because the multiplexing offered by QUIC preventsclients from correlating the certificate request with the application-levelevent that triggered it (see[HTTP2-TLS13]).More specifically, servers MUST NOT send post-handshake TLS CertificateRequestmessages and clients MUST treat receipt of such messages as a connection errorof type PROTOCOL_VIOLATION.¶

4.5.Session Resumption

QUIC can use the session resumption feature of TLS 1.3. It does this bycarrying NewSessionTicket messages in CRYPTO frames after the handshake iscomplete. Session resumption is the basis of 0-RTT, but can be used withoutalso enabling 0-RTT.¶

Endpoints that use session resumption might need to remember some informationabout the current connection when creating a resumed connection. TLS requiresthat some information be retained; see Section 4.6.1 of[TLS13]. QUIC itselfdoes not depend on any state being retained when resuming a connection, unless0-RTT is also used; seeSection 4.6 and Section 7.4.1 of[QUIC-TRANSPORT]. Application protocols could depend on state that isretained between resumed connections.¶

Clients can store any state required for resumption along with the sessionticket. Servers can use the session ticket to help carry state.¶

Session resumption allows servers to link activity on the original connectionwith the resumed connection, which might be a privacy issue for clients.Clients can choose not to enable resumption to avoid creating this correlation.Client SHOULD NOT reuse tickets as that allows entities other than the serverto correlate connections; see Section C.4 of[TLS13].¶

4.6.Enabling 0-RTT

To communicate their willingness to process 0-RTT data, servers send aNewSessionTicket message that contains the "early_data" extension with amax_early_data_size of 0xffffffff; the amount of data which the client can sendin 0-RTT is controlled by the "initial_max_data" transport parameter suppliedby the server. Servers MUST NOT send the "early_data" extension with amax_early_data_size set to any value other than 0xffffffff. A client MUSTtreat receipt of a NewSessionTicket that contains an "early_data" extensionwith any other value as a connection error of type PROTOCOL_VIOLATION.¶

A client that wishes to send 0-RTT packets uses the "early_data" extension inthe ClientHello message of a subsequent handshake (see Section 4.2.10 of[TLS13]). It then sends the application data in 0-RTT packets.¶

4.7.Accepting and Rejecting 0-RTT

A server accepts 0-RTT by sending an early_data extension in theEncryptedExtensions (see Section 4.2.10 of[TLS13]). The server thenprocesses and acknowledges the 0-RTT packets that it receives.¶

A server rejects 0-RTT by sending the EncryptedExtensions without an early_dataextension. A server will always reject 0-RTT if it sends a TLSHelloRetryRequest. When rejecting 0-RTT, a server MUST NOT process any 0-RTTpackets, even if it could. When 0-RTT was rejected, a client SHOULD treatreceipt of an acknowledgement for a 0-RTT packet as a connection error of typePROTOCOL_VIOLATION, if it is able to detect the condition.¶

When 0-RTT is rejected, all connection characteristics that the client assumedmight be incorrect. This includes the choice of application protocol, transportparameters, and any application configuration. The client therefore MUST resetthe state of all streams, including application state bound to those streams.¶

A client MAY attempt to send 0-RTT again if it receives a Retry or VersionNegotiation packet. These packets do not signify rejection of 0-RTT.¶

4.8.Validating 0-RTT Configuration

When a server receives a ClientHello with the "early_data" extension, it has todecide whether to accept or reject early data from the client. Some of thisdecision is made by the TLS stack (e.g., checking that the cipher suite beingresumed was included in the ClientHello; see Section 4.2.10 of[TLS13]). Evenwhen the TLS stack has no reason to reject early data, the QUIC stack or theapplication protocol using QUIC might reject early data because theconfiguration of the transport or application associated with the resumedsession is not compatible with the server's current configuration.¶

QUIC requires additional transport state to be associated with a 0-RTT sessionticket. One common way to implement this is using stateless session tickets andstoring this state in the session ticket. Application protocols that use QUICmight have similar requirements regarding associating or storing state. Thisassociated state is used for deciding whether early data must be rejected. Forexample, HTTP/3 ([QUIC-HTTP]) settings determine how early data from theclient is interpreted. Other applications using QUIC could have differentrequirements for determining whether to accept or reject early data.¶

4.9.HelloRetryRequest

In TLS over TCP, the HelloRetryRequest feature (see Section 4.1.4 of[TLS13]) can be used to correct a client's incorrect KeyShare extension aswell as for a stateless round-trip check. From the perspective of QUIC, thisjust looks like additional messages carried in Initial packets. Although it isin principle possible to use this feature for address verification in QUIC,QUIC implementations SHOULD instead use the Retry feature (see Section 8.1 of[QUIC-TRANSPORT]). HelloRetryRequest is still used to request key shares.¶

4.10.TLS Errors

If TLS experiences an error, it generates an appropriate alert as defined inSection 6 of[TLS13].¶

A TLS alert is converted into a QUIC connection error. The alert description isadded to 0x100 to produce a QUIC error code from the range reserved forCRYPTO_ERROR. The resulting value is sent in a QUIC CONNECTION_CLOSE frame oftype 0x1c.¶

The alert level of all TLS alerts is "fatal"; a TLS stack MUST NOT generatealerts at the "warning" level.¶

QUIC permits the use of a generic code in place of a specific error code; seeSection 11 of[QUIC-TRANSPORT]. For TLS alerts, this includes replacing anyalert with a generic alert, such as handshake_failure (0x128 in QUIC).Endpoints MAY use a generic error code to avoid possibly exposing confidentialinformation.¶

4.11.Discarding Unused Keys

After QUIC moves to a new encryption level, packet protection keys for previousencryption levels can be discarded. This occurs several times during thehandshake, as well as when keys are updated; seeSection 6.¶

Packet protection keys are not discarded immediately when new keys areavailable. If packets from a lower encryption level contain CRYPTO frames,frames that retransmit that data MUST be sent at the same encryption level.Similarly, an endpoint generates acknowledgements for packets at the sameencryption level as the packet being acknowledged. Thus, it is possible thatkeys for a lower encryption level are needed for a short time after keys for anewer encryption level are available.¶

An endpoint cannot discard keys for a given encryption level unless it has bothreceived and acknowledged all CRYPTO frames for that encryption level and whenall CRYPTO frames for that encryption level have been acknowledged by its peer.However, this does not guarantee that no further packets will need to bereceived or sent at that encryption level because a peer might not have receivedall the acknowledgements necessary to reach the same state.¶

Though an endpoint might retain older keys, new data MUST be sent at the highestcurrently-available encryption level. Only ACK frames and retransmissions ofdata in CRYPTO frames are sent at a previous encryption level. These packetsMAY also include PADDING frames.¶

5.1.Packet Protection Keys

QUIC derives packet protection keys in the same way that TLS derives recordprotection keys.¶

Each encryption level has separate secret values for protection of packets sentin each direction. These traffic secrets are derived by TLS (see Section 7.1 of[TLS13]) and are used by QUIC for all encryption levels except the Initialencryption level. The secrets for the Initial encryption level are computedbased on the client's initial Destination Connection ID, as described inSection 5.2.¶

The keys used for packet protection are computed from the TLS secrets using theKDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label function described inSection 7.1 of[TLS13] is used, using the hash function from the negotiatedcipher suite. Other versions of TLS MUST provide a similar function in order tobe used with QUIC.¶

The current encryption level secret and the label "quic key" are input to theKDF to produce the AEAD key; the label "quic iv" is used to derive the IV; seeSection 5.3. The header protection key uses the "quic hp" label; seeSection 5.4. Using these labels provides key separation between QUICand TLS; seeSection 9.6.¶

The KDF used for initial secrets is always the HKDF-Expand-Label function fromTLS 1.3 (seeSection 5.2).¶

5.2.Initial Secrets

Initial packets are protected with a secret derived from the DestinationConnection ID field from the client's Initial packet. Specifically:¶

initial_salt = 0xafbfec289993d24c9e9786f19c6111e04390a899initial_secret = HKDF-Extract(initial_salt,                              client_dst_connection_id)client_initial_secret = HKDF-Expand-Label(initial_secret,                                          "client in", "",                                          Hash.length)server_initial_secret = HKDF-Expand-Label(initial_secret,                                          "server in", "",                                          Hash.length)

The hash function for HKDF when deriving initial secrets and keys is SHA-256[SHA].¶

The connection ID used with HKDF-Expand-Label is the Destination Connection IDin the Initial packet sent by the client. This will be a randomly-selectedvalue unless the client creates the Initial packet after receiving a Retrypacket, where the Destination Connection ID is selected by the server.¶

The value of initial_salt is a 20 byte sequence shown in the figure inhexadecimal notation. Future versions of QUIC SHOULD generate a new salt value,thus ensuring that the keys are different for each version of QUIC. Thisprevents a middlebox that only recognizes one version of QUIC from seeing ormodifying the contents of packets from future versions.¶

The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initialpackets even where the TLS versions offered do not include TLS 1.3.¶

The secrets used for protecting Initial packets change when a server sends aRetry packet to use the connection ID value selected by the server. The secretsdo not change when a client changes the Destination Connection ID it uses inresponse to an Initial packet from the server.¶

Note:

The Destination Connection ID is of arbitrary length, and it could be zerolength if the server sends a Retry packet with a zero-length Source ConnectionID field. In this case, the Initial keys provide no assurance to the clientthat the server received its packet; the client has to rely on the exchangethat included the Retry packet for that property.¶

Appendix A contains test vectors for packet encryption.¶

5.3.AEAD Usage

The Authentication Encryption with Associated Data (AEAD)[AEAD] functionused for QUIC packet protection is the AEAD that is negotiated for use with theTLS connection. For example, if TLS is using the TLS_AES_128_GCM_SHA256, theAEAD_AES_128_GCM function is used.¶

Packets are protected prior to applying header protection (Section 5.4).The unprotected packet header is part of the associated data (A). When removingpacket protection, an endpoint first removes the header protection.¶

All QUIC packets other than Version Negotiation and Retry packets are protectedwith an AEAD algorithm[AEAD]. Prior to establishing a shared secret, packetsare protected with AEAD_AES_128_GCM and a key derived from the DestinationConnection ID in the client's first Initial packet (seeSection 5.2).This provides protection against off-path attackers and robustness against QUICversion unaware middleboxes, but not against on-path attackers.¶

QUIC can use any of the ciphersuites defined in[TLS13] with the exception ofTLS_AES_128_CCM_8_SHA256. A ciphersuite MUST NOT be negotiated unless a headerprotection scheme is defined for the ciphersuite. This document defines aheader protection scheme for all ciphersuites defined in[TLS13] aside fromTLS_AES_128_CCM_8_SHA256. These ciphersuites have a 16-byte authentication tagand produce an output 16 bytes larger than their input.¶

Note:

An endpoint MUST NOT reject a ClientHello that offers a ciphersuite that itdoes not support, or it would be impossible to deploy a new ciphersuite. Thisalso applies to TLS_AES_128_CCM_8_SHA256.¶

The key and IV for the packet are computed as described inSection 5.1.The nonce, N, is formed by combining the packet protection IV with the packetnumber. The 62 bits of the reconstructed QUIC packet number in network byteorder are left-padded with zeros to the size of the IV. The exclusive OR of thepadded packet number and the IV forms the AEAD nonce.¶

The associated data, A, for the AEAD is the contents of the QUIC header,starting from the flags byte in either the short or long header, up to andincluding the unprotected packet number.¶

The input plaintext, P, for the AEAD is the payload of the QUIC packet, asdescribed in[QUIC-TRANSPORT].¶

The output ciphertext, C, of the AEAD is transmitted in place of P.¶

Some AEAD functions have limits for how many packets can be encrypted under thesame key and IV (see for example[AEBounds]). This might be lower than thepacket number limit. An endpoint MUST initiate a key update (Section 6)prior to exceeding any limit set for the AEAD that is in use.¶

5.4.Header Protection

Parts of QUIC packet headers, in particular the Packet Number field, areprotected using a key that is derived separate to the packet protection key andIV. The key derived using the "quic hp" label is used to provideconfidentiality protection for those fields that are not exposed to on-pathelements.¶

This protection applies to the least-significant bits of the first byte, plusthe Packet Number field. The four least-significant bits of the first byte areprotected for packets with long headers; the five least significant bits of thefirst byte are protected for packets with short headers. For both header forms,this covers the reserved bits and the Packet Number Length field; the Key Phasebit is also protected for packets with a short header.¶

The same header protection key is used for the duration of the connection, withthe value not changing after a key update (seeSection 6). This allowsheader protection to be used to protect the key phase.¶

This process does not apply to Retry or Version Negotiation packets, which donot contain a protected payload or any of the fields that are protected by thisprocess.¶

mask = header_protection(hp_key, sample)pn_length = (packet[0] & 0x03) + 1if (packet[0] & 0x80) == 0x80:   # Long header: 4 bits masked   packet[0] ^= mask[0] & 0x0felse:   # Short header: 5 bits masked   packet[0] ^= mask[0] & 0x1f# pn_offset is the start of the Packet Number field.packet[pn_offset:pn_offset+pn_length] ^= mask[1:1+pn_length]

Initial Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 0,  Reserved Bits (2),         # Protected  Packet Number Length (2),  # Protected  Version (32),  DCID Len (8),  Destination Connection ID (0..160),  SCID Len (8),  Source Connection ID (0..160),  Token Length (i),  Token (..),  Length (i),  Packet Number (8..32),     # Protected  Protected Payload (0..24), # Skipped Part  Protected Payload (128),   # Sampled Part  Protected Payload (..)     # Remainder}Short Header Packet {  Header Form (1) = 0,  Fixed Bit (1) = 1,  Spin Bit (1),  Reserved Bits (2),         # Protected  Key Phase (1),             # Protected  Packet Number Length (2),  # Protected  Destination Connection ID (0..160),  Packet Number (8..32),     # Protected  Protected Payload (0..24), # Skipped Part  Protected Payload (128),   # Sampled Part  Protected Payload (..),    # Remainder}

sample_offset = 1 + len(connection_id) + 4sample = packet[sample_offset..sample_offset+sample_length]

sample_offset = 7 + len(destination_connection_id) +                    len(source_connection_id) +                    len(payload_length) + 4if packet_type == Initial:    sample_offset += len(token_length) +                     len(token)sample = packet[sample_offset..sample_offset+sample_length]

mask = AES-ECB(hp_key, sample)

counter = sample[0..3]nonce = sample[4..15]mask = ChaCha20(hp_key, counter, nonce, {0,0,0,0,0})

5.5.Receiving Protected Packets

Once an endpoint successfully receives a packet with a given packet number, itMUST discard all packets in the same packet number space with higher packetnumbers if they cannot be successfully unprotected with either the same key, or- if there is a key update - the next packet protection key (seeSection 6). Similarly, a packet that appears to trigger a key update, butcannot be unprotected successfully MUST be discarded.¶

Failure to unprotect a packet does not necessarily indicate the existence of aprotocol error in a peer or an attack. The truncated packet number encodingused in QUIC can cause packet numbers to be decoded incorrectly if they aredelayed significantly.¶

5.6.Use of 0-RTT Keys

If 0-RTT keys are available (seeSection 4.6), the lack of replay protectionmeans that restrictions on their use are necessary to avoid replay attacks onthe protocol.¶

A client MUST only use 0-RTT keys to protect data that is idempotent. A clientMAY wish to apply additional restrictions on what data it sends prior to thecompletion of the TLS handshake. A client otherwise treats 0-RTT keys asequivalent to 1-RTT keys, except that it MUST NOT send ACKs with 0-RTT keys.¶

A client that receives an indication that its 0-RTT data has been accepted by aserver can send 0-RTT data until it receives all of the server's handshakemessages. A client SHOULD stop sending 0-RTT data if it receives an indicationthat 0-RTT data has been rejected.¶

A server MUST NOT use 0-RTT keys to protect packets; it uses 1-RTT keys toprotect acknowledgements of 0-RTT packets. A client MUST NOT attempt todecrypt 0-RTT packets it receives and instead MUST discard them.¶

Once a client has installed 1-RTT keys, it MUST NOT send any more 0-RTTpackets.¶

Note:

0-RTT data can be acknowledged by the server as it receives it, but anypackets containing acknowledgments of 0-RTT data cannot have packet protectionremoved by the client until the TLS handshake is complete. The 1-RTT keysnecessary to remove packet protection cannot be derived until the clientreceives all server handshake messages.¶

5.7.Receiving Out-of-Order Protected Frames

Due to reordering and loss, protected packets might be received by an endpointbefore the final TLS handshake messages are received. A client will be unableto decrypt 1-RTT packets from the server, whereas a server will be able todecrypt 1-RTT packets from the client. Endpoints in either role MUST NOTdecrypt 1-RTT packets from their peer prior to completing the handshake.¶

Even though 1-RTT keys are available to a server after receiving the firsthandshake messages from a client, it is missing assurances on the client state:¶

• The client is not authenticated, unless the server has chosen to use apre-shared key and validated the client's pre-shared key binder; see Section4.2.11 of[TLS13].¶
• The client has not demonstrated liveness, unless a RETRY packet was used.¶
• Any received 0-RTT data that the server responds to might be due to a replayattack.¶

Therefore, the server's use of 1-RTT keys MUST be limited to sending data beforethe handshake is complete. A server MUST NOT process incoming 1-RTT protectedpackets before the TLS handshake is complete. Because sending acknowledgmentsindicates that all frames in a packet have been processed, a server cannot sendacknowledgments for 1-RTT packets until the TLS handshake is complete. Receivedpackets protected with 1-RTT keys MAY be stored and later decrypted and usedonce the handshake is complete.¶

Note:

TLS implementations might provide all 1-RTT secrets prior to handshakecompletion. Even where QUIC implementations have 1-RTT read keys, those keyscannot be used prior to completing the handshake.¶

The requirement for the server to wait for the client Finished message createsa dependency on that message being delivered. A client can avoid thepotential for head-of-line blocking that this implies by sending its 1-RTTpackets coalesced with a handshake packet containing a copy of the CRYPTO framethat carries the Finished message, until one of the handshake packets isacknowledged. This enables immediate server processing for those packets.¶

A server could receive packets protected with 0-RTT keys prior to receiving aTLS ClientHello. The server MAY retain these packets for later decryption inanticipation of receiving a ClientHello.¶

5.8.Retry Packet Integrity

Retry packets (see the Retry Packet section of[QUIC-TRANSPORT]) carry aRetry Integrity Tag that provides two properties: it allows discardingpackets that have accidentally been corrupted by the network, and it diminishesoff-path attackers' ability to send valid Retry packets.¶

The Retry Integrity Tag is a 128-bit field that is computed as the output ofAEAD_AES_128_GCM[AEAD] used with the following inputs:¶

• The secret key, K, is 128 bits equal to 0xccce187ed09a09d05728155a6cb96be1.¶
• The nonce, N, is 96 bits equal to 0xe54930f97f2136f0530a8c1c.¶
• The plaintext, P, is empty.¶
• The associated data, A, is the contents of the Retry Pseudo-Packet, asillustrated inFigure 8:¶

The secret key and the nonce are values derived by calling HKDF-Expand-Labelusing 0x8b0d37eb8535022ebc8d76a207d80df22646ec06dc809642c30a8baa2baaff4c as thesecret, with labels being "quic key" and "quic iv" (Section 5.1).¶

Retry Pseudo-Packet {  ODCID Length (8),  Original Destination Connection ID (0..160),  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 3,  Type-Specific Bits (4),  Version (32),  DCID Len (8),  Destination Connection ID (0..160),  SCID Len (8),  Retry Token (..),}

The Retry Pseudo-Packet is not sent over the wire. It is computed by takingthe transmitted Retry packet, removing the Retry Integrity Tag and prependingthe two following fields:¶

ODCID Length:

The ODCID Len contains the length in bytes of the Original DestinationConnection ID field that follows it, encoded as an 8-bit unsigned integer.¶

Original Destination Connection ID:

The Original Destination Connection ID contains the value of the DestinationConnection ID from the Initial packet that this Retry is in response to. Thelength of this field is given in ODCID Len. The presence of this fieldmitigates an off-path attacker's ability to inject a Retry packet.¶

6.1.Initiating a Key Update

Endpoints maintain separate read and write secrets for packet protection. Anendpoint initiates a key update by updating its packet protection write secretand using that to protect new packets. The endpoint creates a new write secretfrom the existing write secret as performed in Section 7.2 of[TLS13]. Thisuses the KDF function provided by TLS with a label of "quic ku". Thecorresponding key and IV are created from that secret as defined inSection 5.1. The header protection key is not updated.¶

For example, to update write keys with TLS 1.3, HKDF-Expand-Label is used as:¶

secret_<n+1> = HKDF-Expand-Label(secret_<n>, "quic ku",                                 "", Hash.length)

The endpoint toggles the value of the Key Phase bit and uses the updated key andIV to protect all subsequent packets.¶

An endpoint MUST NOT initiate a key update prior to having confirmed thehandshake (Section 4.1.2). An endpoint MUST NOT initiate a subsequentkey update prior unless it has received an acknowledgment for a packet that wassent protected with keys from the current key phase. This ensures that keys areavailable to both peers before another key update can be initiated. This can beimplemented by tracking the lowest packet number sent with each key phase, andthe highest acknowledged packet number in the 1-RTT space: once the latter ishigher than or equal to the former, another key update can be initiated.¶

Note:

Keys of packets other than the 1-RTT packets are never updated; their keys arederived solely from the TLS handshake state.¶

The endpoint that initiates a key update also updates the keys that it uses forreceiving packets. These keys will be needed to process packets the peer sendsafter updating.¶

An endpoint SHOULD retain old keys so that packets sent by its peer prior toreceiving the key update can be processed. Discarding old keys too early cancause delayed packets to be discarded. Discarding packets will be interpretedas packet loss by the peer and could adversely affect performance.¶

6.2.Responding to a Key Update

A peer is permitted to initiate a key update after receiving an acknowledgementof a packet in the current key phase. An endpoint detects a key update whenprocessing a packet with a key phase that differs from the value last used toprotect the last packet it sent. To process this packet, the endpoint uses thenext packet protection key and IV. SeeSection 6.3 forconsiderations about generating these keys.¶

If a packet is successfully processed using the next key and IV, then the peerhas initiated a key update. The endpoint MUST update its send keys to thecorresponding key phase in response, as described inSection 6.1.Sending keys MUST be updated before sending an acknowledgement for the packetthat was received with updated keys. By acknowledging the packet that triggeredthe key update in a packet protected with the updated keys, the endpoint signalsthat the key update is complete.¶

An endpoint can defer sending the packet or acknowledgement according to itsnormal packet sending behaviour; it is not necessary to immediately generate apacket in response to a key update. The next packet sent by the endpoint willuse the updated keys. The next packet that contains an acknowledgement willcause the key update to be completed. If an endpoint detects a second updatebefore it has sent any packets with updated keys containing anacknowledgement for the packet that initiated the key update, it indicates thatits peer has updated keys twice without awaiting confirmation. An endpoint MAYtreat consecutive key updates as a connection error of type KEY_UPDATE_ERROR.¶

An endpoint that receives an acknowledgement that is carried in a packetprotected with old keys where any acknowledged packet was protected with newerkeys MAY treat that as a connection error of type KEY_UPDATE_ERROR. Thisindicates that a peer has received and acknowledged a packet that initiates akey update, but has not updated keys in response.¶

6.3.Timing of Receive Key Generation

Endpoints responding to an apparent key update MUST NOT generate a timingside-channel signal that might indicate that the Key Phase bit was invalid (seeSection 9.4). Endpoints can use dummy packet protection keys inplace of discarded keys when key updates are not yet permitted. Using dummykeys will generate no variation in the timing signal produced by attempting toremove packet protection, and results in all packets with an invalid Key Phasebit being rejected.¶

The process of creating new packet protection keys for receiving packets couldreveal that a key update has occurred. An endpoint MAY perform this process aspart of packet processing, but this creates a timing signal that can be used byan attacker to learn when key updates happen and thus the value of the Key Phasebit in certain packets. Endpoints MAY instead defer the creation of the nextset of receive packet protection keys until some time after a key updatecompletes, up to three times the PTO; seeSection 6.5.¶

Once generated, the next set of packet protection keys SHOULD be retained, evenif the packet that was received was subsequently discarded. Packets containingapparent key updates are easy to forge and - while the process of key updatedoes not require significant effort - triggering this process could be used byan attacker for DoS.¶

For this reason, endpoints MUST be able to retain two sets of packet protectionkeys for receiving packets: the current and the next. Retaining the previouskeys in addition to these might improve performance, but this is not essential.¶

6.4.Sending with Updated Keys

An endpoint always sends packets that are protected with the newest keys. Keysused for packet protection can be discarded immediately after switching to newerkeys.¶

Packets with higher packet numbers MUST be protected with either the same ornewer packet protection keys than packets with lower packet numbers. Anendpoint that successfully removes protection with old keys when newer keys wereused for packets with lower packet numbers MUST treat this as a connection errorof type KEY_UPDATE_ERROR.¶

6.5.Receiving with Different Keys

For receiving packets during a key update, packets protected with older keysmight arrive if they were delayed by the network. Retaining old packetprotection keys allows these packets to be successfully processed.¶

As packets protected with keys from the next key phase use the same Key Phasevalue as those protected with keys from the previous key phase, it can benecessary to distinguish between the two. This can be done using packetnumbers. A recovered packet number that is lower than any packet number fromthe current key phase uses the previous packet protection keys; a recoveredpacket number that is higher than any packet number from the current key phaserequires the use of the next packet protection keys.¶

Some care is necessary to ensure that any process for selecting betweenprevious, current, and next packet protection keys does not expose a timing sidechannel that might reveal which keys were used to remove packet protection. SeeSection 9.5 for more information.¶

Alternatively, endpoints can retain only two sets of packet protection keys,swapping previous for next after enough time has passed to allow for reorderingin the network. In this case, the Key Phase bit alone can be used to selectkeys.¶

An endpoint MAY allow a period of approximately the Probe Timeout (PTO; see[QUIC-RECOVERY]) after a key update before it creates the next set of packetprotection keys. These updated keys MAY replace the previous keys at that time.With the caveat that PTO is a subjective measure - that is, a peer could have adifferent view of the RTT - this time is expected to be long enough that anyreordered packets would be declared lost by a peer even if they wereacknowledged and short enough to allow for subsequent key updates.¶

Endpoints need to allow for the possibility that a peer might not be able todecrypt packets that initiate a key update during the period when it retains oldkeys. Endpoints SHOULD wait three times the PTO before initiating a key updateafter receiving an acknowledgment that confirms that the previous key update wasreceived. Failing to allow sufficient time could lead to packets beingdiscarded.¶

An endpoint SHOULD retain old read keys for no more than three times the PTO.After this period, old read keys and their corresponding secrets SHOULD bediscarded.¶

6.6.Minimum Key Update Frequency

Key updates MUST be initiated before usage limits on packet protection keys areexceeded. For the cipher suites mentioned in this document, the limits inSection 5.5 of[TLS13] apply.[TLS13] does not specify a limit forAEAD_AES_128_CCM, but the analysis inAppendix B shows that a limit of 2^23packets can be used to obtain the same confidentiality protection as the limitsspecified in TLS.¶

The usage limits defined in TLS 1.3 exist for protection against attackson confidentiality and apply to successful applications of AEAD protection. Theintegrity protections in authenticated encryption also depend on limiting thenumber of attempts to forge packets. TLS achieves this by closing connectionsafter any record fails an authentication check. In comparison, QUIC ignores anypacket that cannot be authenticated, allowing multiple forgery attempts.¶

Endpoints MUST count the number of received packets that fail authentication foreach set of keys. If the number of packets that fail authentication with thesame key exceeds a limit that is specific to the AEAD in use, the endpoint MUSTstop using those keys. Endpoints MUST initiate a key update before reachingthis limit. If a key update is not possible, the endpoint MUST immediatelyclose the connection. Applying a limit reduces the probability that an attackeris able to successfully forge a packet; see[AEBounds] and[ROBUST].¶

Note:

Due to the way that header protection protects the Key Phase, packets that arediscarded are likely to have an even distribution of both Key Phase values.This means that packets that fail authentication will often use the packetprotection keys from the next key phase. It is therefore necessary to alsotrack the number of packets that fail authentication with the next set ofpacket protection keys. To avoid exhaustion of both sets of keys, it might benecessary to initiate two key updates in succession.¶

For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit onthe number of packets that fail authentication is 2^36. Note that the analysisin[AEBounds] supports a higher limit for the AEAD_AES_128_GCM andAEAD_AES_256_GCM, but this specification recommends a lower limit. ForAEAD_AES_128_CCM, the limit on the number of packets that fail authenticationis 2^23.5; seeAppendix B.¶

Note:

These limits were originally calculated using assumptions about thelimits on TLS record size. The maximum size of a TLS record is 2^14 bytes.In comparison, QUIC packets can be up to 2^16 bytes. However, it isexpected that QUIC packets will generally be smaller than TLS records.Where packets might be larger than 2^14 bytes in length, smaller limits mightbe needed.¶

Any TLS cipher suite that is specified for use with QUIC MUST define limits onthe use of the associated AEAD function that preserves margins forconfidentiality and integrity. That is, limits MUST be specified for the numberof packets that can be authenticated and for the number packets that can failauthentication. Providing a reference to any analysis upon which values arebased - and any assumptions used in that analysis - allows limits to be adaptedto varying usage conditions.¶

6.7.Key Update Error Code

The KEY_UPDATE_ERROR error code (0xE) is used to signal errors related to keyupdates.¶

8.1.Protocol Negotiation

QUIC requires that the cryptographic handshake provide authenticated protocolnegotiation. TLS uses Application Layer Protocol Negotiation (ALPN)[ALPN] to select an application protocol. Unless another mechanismis used for agreeing on an application protocol, endpoints MUST use ALPN forthis purpose.¶

When using ALPN, endpoints MUST immediately close a connection (see Section10.3 of[QUIC-TRANSPORT]) with a no_application_protocol TLS alert (QUIC errorcode 0x178; seeSection 4.10) if an application protocol is not negotiated.While[ALPN] only specifies that servers use this alert, QUIC clients MUSTuse error 0x178 to terminate a connection when ALPN negotiation fails.¶

An application protocol MAY restrict the QUIC versions that it can operate over.Servers MUST select an application protocol compatible with the QUIC versionthat the client has selected. The server MUST treat the inability to select acompatible application protocol as a connection error of type 0x178(no_application_protocol). Similarly, a client MUST treat the selection of anincompatible application protocol by a server as a connection error of type0x178.¶

8.2.QUIC Transport Parameters Extension

QUIC transport parameters are carried in a TLS extension. Different versions ofQUIC might define a different method for negotiating transport configuration.¶

Including transport parameters in the TLS handshake provides integrityprotection for these values.¶

   enum {      quic_transport_parameters(0xffa5), (65535)   } ExtensionType;

The extension_data field of the quic_transport_parameters extension contains avalue that is defined by the version of QUIC that is in use.¶

The quic_transport_parameters extension is carried in the ClientHello and theEncryptedExtensions messages during the handshake. Endpoints MUST send thequic_transport_parameters extension; endpoints that receive ClientHello orEncryptedExtensions messages without the quic_transport_parameters extensionMUST close the connection with an error of type 0x16d (equivalent to a fatal TLSmissing_extension alert, seeSection 4.10).¶

While the transport parameters are technically available prior to the completionof the handshake, they cannot be fully trusted until the handshake completes,and reliance on them should be minimized. However, any tampering with theparameters will cause the handshake to fail.¶

Endpoints MUST NOT send this extension in a TLS connection that does not useQUIC (such as the use of TLS with TCP defined in[TLS13]). A fatalunsupported_extension alert MUST be sent by an implementation that supports thisextension if the extension is received when the transport is not QUIC.¶

8.3.Removing the EndOfEarlyData Message

The TLS EndOfEarlyData message is not used with QUIC. QUIC does not rely onthis message to mark the end of 0-RTT data or to signal the change to Handshakekeys.¶

Clients MUST NOT send the EndOfEarlyData message. A server MUST treat receiptof a CRYPTO frame in a 0-RTT packet as a connection error of typePROTOCOL_VIOLATION.¶

As a result, EndOfEarlyData does not appear in the TLS handshake transcript.¶

8.4.Prohibit TLS Middlebox Compatibility Mode

Appendix D.4 of[TLS13] describes an alteration to the TLS 1.3 handshake asa workaround for bugs in some middleboxes. The TLS 1.3 middlebox compatibilitymode involves setting the legacy_session_id field to a 32-byte value in theClientHello and ServerHello, then sending a change_cipher_spec record. Bothfield and record carry no semantic content and are ignored.¶

This mode has no use in QUIC as it only applies to middleboxes that interferewith TLS over TCP. QUIC also provides no means to carry a change_cipher_specrecord. A client MUST NOT request the use of the TLS 1.3 compatibility mode. Aserver SHOULD treat the receipt of a TLS ClientHello with a non-emptylegacy_session_id field as a connection error of type PROTOCOL_VIOLATION.¶

9.1.Session Linkability

Use of TLS session tickets allows servers and possibly other entities tocorrelate connections made by the same client; seeSection 4.5 for details.¶

9.2.Replay Attacks with 0-RTT

As described in Section 8 of[TLS13], use of TLS early data comes with anexposure to replay attack. The use of 0-RTT in QUIC is similarly vulnerable toreplay attack.¶

Endpoints MUST implement and use the replay protections described in[TLS13],however it is recognized that these protections are imperfect. Therefore,additional consideration of the risk of replay is needed.¶

QUIC is not vulnerable to replay attack, except via the application protocolinformation it might carry. The management of QUIC protocol state based on theframe types defined in[QUIC-TRANSPORT] is not vulnerable to replay.Processing of QUIC frames is idempotent and cannot result in invalid connectionstates if frames are replayed, reordered or lost. QUIC connections do notproduce effects that last beyond the lifetime of the connection, except forthose produced by the application protocol that QUIC serves.¶

Note:

TLS session tickets and address validation tokens are used to carry QUICconfiguration information between connections. These MUST NOT be used tocarry application semantics. The potential for reuse of these tokens meansthat they require stronger protections against replay.¶

A server that accepts 0-RTT on a connection incurs a higher cost than acceptinga connection without 0-RTT. This includes higher processing and computationcosts. Servers need to consider the probability of replay and all associatedcosts when accepting 0-RTT.¶

Ultimately, the responsibility for managing the risks of replay attacks with0-RTT lies with an application protocol. An application protocol that uses QUICMUST describe how the protocol uses 0-RTT and the measures that are employed toprotect against replay attack. An analysis of replay risk needs to considerall QUIC protocol features that carry application semantics.¶

Disabling 0-RTT entirely is the most effective defense against replay attack.¶

QUIC extensions MUST describe how replay attacks affect their operation, orprohibit their use in 0-RTT. Application protocols MUST either prohibit the useof extensions that carry application semantics in 0-RTT or provide replaymitigation strategies.¶

9.3.Packet Reflection Attack Mitigation

A small ClientHello that results in a large block of handshake messages from aserver can be used in packet reflection attacks to amplify the traffic generatedby an attacker.¶

QUIC includes three defenses against this attack. First, the packet containing aClientHello MUST be padded to a minimum size. Second, if responding to anunverified source address, the server is forbidden to send more than three UDPdatagrams in its first flight (see Section 8.1 of[QUIC-TRANSPORT]). Finally,because acknowledgements of Handshake packets are authenticated, a blindattacker cannot forge them. Put together, these defenses limit the level ofamplification.¶

9.4.Header Protection Analysis

[NAN] analyzes authenticated encryptionalgorithms which provide nonce privacy, referred to as "Hide Nonce" (HN)transforms. The general header protection construction in this document isone of those algorithms (HN1). Header protection uses the output of the packetprotection AEAD to derivesample, and then encrypts the header field usinga pseudorandom function (PRF) as follows:¶

protected_field = field XOR PRF(hp_key, sample)

The header protection variants in this document use a pseudorandom permutation(PRP) in place of a generic PRF. However, since all PRPs are also PRFs[IMC],these variants do not deviate from the HN1 construction.¶

Ashp_key is distinct from the packet protection key, it follows that headerprotection achieves AE2 security as defined in[NAN] and therefore guaranteesprivacy offield, the protected packet header. Future header protectionvariants based on this construction MUST use a PRF to ensure equivalentsecurity guarantees.¶

Use of the same key and ciphertext sample more than once risks compromisingheader protection. Protecting two different headers with the same key andciphertext sample reveals the exclusive OR of the protected fields. Assumingthat the AEAD acts as a PRF, if L bits are sampled, the odds of two ciphertextsamples being identical approach 2^(-L/2), that is, the birthday bound. For thealgorithms described in this document, that probability is one in 2^64.¶

To prevent an attacker from modifying packet headers, the header is transitivelyauthenticated using packet protection; the entire packet header is part of theauthenticated additional data. Protected fields that are falsified or modifiedcan only be detected once the packet protection is removed.¶

9.5.Header Protection Timing Side-Channels

An attacker could guess values for packet numbers or Key Phase and have anendpoint confirm guesses through timing side channels. Similarly, guesses forthe packet number length can be trialed and exposed. If the recipient of apacket discards packets with duplicate packet numbers without attempting toremove packet protection they could reveal through timing side-channels that thepacket number matches a received packet. For authentication to be free fromside-channels, the entire process of header protection removal, packet numberrecovery, and packet protection removal MUST be applied together without timingand other side-channels.¶

For the sending of packets, construction and protection of packet payloads andpacket numbers MUST be free from side-channels that would reveal the packetnumber or its encoded size.¶

During a key update, the time taken to generate new keys could reveal throughtiming side-channels that a key update has occurred. Alternatively, where anattacker injects packets this side-channel could reveal the value of the KeyPhase on injected packets. After receiving a key update, an endpoint SHOULDgenerate and save the next set of receive packet protection keys, as describedinSection 6.3. By generating new keys before a key update isreceived, receipt of packets will not create timing signals that leak the valueof the Key Phase.¶

This depends on not doing this key generation during packet processing and itcan require that endpoints maintain three sets of packet protection keys forreceiving: for the previous key phase, for the current key phase, and for thenext key phase. Endpoints can instead choose to defer generation of the nextreceive packet protection keys until they discard old keys so that only two setsof receive keys need to be retained at any point in time.¶

9.6.Key Diversity

In using TLS, the central key schedule of TLS is used. As a result of the TLShandshake messages being integrated into the calculation of secrets, theinclusion of the QUIC transport parameters extension ensures that handshake and1-RTT keys are not the same as those that might be produced by a server runningTLS over TCP. To avoid the possibility of cross-protocol key synchronization,additional measures are provided to improve key separation.¶

The QUIC packet protection keys and IVs are derived using a different label thanthe equivalent keys in TLS.¶

To preserve this separation, a new version of QUIC SHOULD define new labels forkey derivation for packet protection key and IV, plus the header protectionkeys. This version of QUIC uses the string "quic". Other versions can use aversion-specific label in place of that string.¶

The initial secrets use a key that is specific to the negotiated QUIC version.New QUIC versions SHOULD define a new salt value used in calculating initialsecrets.¶

A.1.Keys

The labels generated by the HKDF-Expand-Label function are:¶

client in:

00200f746c73313320636c69656e7420696e00¶

server in:

00200f746c7331332073657276657220696e00¶

quic key:

00100e746c7331332071756963206b657900¶

quic iv:

000c0d746c733133207175696320697600¶

quic hp:

00100d746c733133207175696320687000¶

The initial secret is common:¶

initial_secret = HKDF-Extract(initial_salt, cid)    = 1e7e7764529715b1e0ddc8e9753c6157      6769605187793ed366f8bbf8c9e986eb

The secrets for protecting client packets are:¶

client_initial_secret    = HKDF-Expand-Label(initial_secret, "client in", _, 32)    = 0088119288f1d866733ceeed15ff9d50      902cf82952eee27e9d4d4918ea371d87key = HKDF-Expand-Label(client_initial_secret, "quic key", _, 16)    = 175257a31eb09dea9366d8bb79ad80baiv  = HKDF-Expand-Label(client_initial_secret, "quic iv", _, 12)    = 6b26114b9cba2b63a9e8dd4fhp  = HKDF-Expand-Label(client_initial_secret, "quic hp", _, 16)    = 9ddd12c994c0698b89374a9c077a3077

The secrets for protecting server packets are:¶

server_initial_secret    = HKDF-Expand-Label(initial_secret, "server in", _, 32)    = 006f881359244dd9ad1acf85f595bad6      7c13f9f5586f5e64e1acae1d9ea8f616key = HKDF-Expand-Label(server_initial_secret, "quic key", _, 16)    = 149d0b1662ab871fbe63c49b5e655a5div  = HKDF-Expand-Label(server_initial_secret, "quic iv", _, 12)    = bab2b12a4c76016ace47856dhp  = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16)    = c0c499a65a60024a18a250974ea01dfa

A.2.Client Initial

The client sends an Initial packet. The unprotected payload of this packetcontains the following CRYPTO frame, plus enough PADDING frames to make a 1162byte payload:¶

060040c4010000c003036660261ff947 cea49cce6cfad687f457cf1b14531ba14131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006736572766572ff01000100000a001400 12001d0017001800190100010101020103010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e040305030603020308040805080604010501 060102010402050206020202002d00020101001c00024001

The unprotected header includes the connection ID and a 4 byte packet numberencoding for a packet number of 2:¶

c3ff00001d088394c8f03e5157080000449e00000002

Protecting the payload produces output that is sampled for header protection.Because the header uses a 4 byte packet number encoding, the first 16 bytes ofthe protected payload is sampled, then applied to the header:¶

sample = fb66bc5f93032b7ddd89fe0ff15d9c4fmask = AES-ECB(hp, sample)[0..4]     = d64a952459header[0] ^= mask[0] & 0x0f     = c5header[18..21] ^= mask[1..4]     = 4a95245bheader = c5ff00001d088394c8f03e5157080000449e4a95245b

The resulting protected packet is:¶

c5ff00001d088394c8f03e5157080000 449e4a95245bfb66bc5f93032b7ddd89fe0ff15d9c4f7050fccdb71c1cd80512 d4431643a53aafa1b0b518b44968b18b8d3e7a4d04c30b3ed9410325b2abb2da fb1c12f8b70479eb8df98abcaf95dd8f3d1c78660fbc719f88b23c8aef6771f3 d50e10fdfb4c9d92386d44481b6c52d59e5538d3d3942de9f13a7f8b702dc317 24180da9df22714d01003fc5e3d165c950e630b8540fbd81c9df0ee63f949970 26c4f2e1887a2def79050ac2d86ba318e0b3adc4c5aa18bcf63c7cf8e85f5692 49813a2236a7e72269447cd1c755e451f5e77470eb3de64c8849d29282069802 9cfa18e5d66176fe6e5ba4ed18026f90900a5b4980e2f58e39151d5cd685b109 29636d4f02e7fad2a5a458249f5c0298a6d53acbe41a7fc83fa7cc01973f7a74 d1237a51974e097636b6203997f921d07bc1940a6f2d0de9f5a11432946159ed 6cc21df65c4ddd1115f86427259a196c7148b25b6478b0dc7766e1c4d1b1f515 9f90eabc61636226244642ee148b464c9e619ee50a5e3ddc836227cad938987c 4ea3c1fa7c75bbf88d89e9ada642b2b88fe8107b7ea375b1b64889a4e9e5c38a 1c896ce275a5658d250e2d76e1ed3a34ce7e3a3f383d0c996d0bed106c2899ca 6fc263ef0455e74bb6ac1640ea7bfedc59f03fee0e1725ea150ff4d69a7660c5 542119c71de270ae7c3ecfd1af2c4ce551986949cc34a66b3e216bfe18b347e6 c05fd050f85912db303a8f054ec23e38f44d1c725ab641ae929fecc8e3cefa56 19df4231f5b4c009fa0c0bbc60bc75f76d06ef154fc8577077d9d6a1d2bd9bf0 81dc783ece60111bea7da9e5a9748069d078b2bef48de04cabe3755b197d52b3 2046949ecaa310274b4aac0d008b1948c1082cdfe2083e386d4fd84c0ed0666d 3ee26c4515c4fee73433ac703b690a9f7bf278a77486ace44c489a0c7ac8dfe4 d1a58fb3a730b993ff0f0d61b4d89557831eb4c752ffd39c10f6b9f46d8db278 da624fd800e4af85548a294c1518893a8778c4f6d6d73c93df200960104e062b 388ea97dcf4016bced7f62b4f062cb6c04c20693d9a0e3b74ba8fe74cc012378 84f40d765ae56a51688d985cf0ceaef43045ed8c3f0c33bced08537f6882613a cd3b08d665fce9dd8aa73171e2d3771a61dba2790e491d413d93d987e2745af2 9418e428be34941485c93447520ffe231da2304d6a0fd5d07d08372202369661 59bef3cf904d722324dd852513df39ae030d8173908da6364786d3c1bfcb19ea 77a63b25f1e7fc661def480c5d00d44456269ebd84efd8e3a8b2c257eec76060 682848cbf5194bc99e49ee75e4d0d254bad4bfd74970c30e44b65511d4ad0e6e c7398e08e01307eeeea14e46ccd87cf36b285221254d8fc6a6765c524ded0085 dca5bd688ddf722e2c0faf9d0fb2ce7a0c3f2cee19ca0ffba461ca8dc5d2c817 8b0762cf67135558494d2a96f1a139f0edb42d2af89a9c9122b07acbc29e5e72 2df8615c343702491098478a389c9872a10b0c9875125e257c7bfdf27eef4060 bd3d00f4c14fd3e3496c38d3c5d1a5668c39350effbc2d16ca17be4ce29f02ed 969504dda2a8c6b9ff919e693ee79e09089316e7d1d89ec099db3b2b268725d8 88536a4b8bf9aee8fb43e82a4d919d4843b1ca70a2d8d3f725ead1391377dcc0

A.3.Server Initial

The server sends the following payload in response, including an ACK frame, aCRYPTO frame, and no PADDING frames:¶

0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b00020304

The header from the server includes a new connection ID and a 2-byte packetnumber encoding for a packet number of 1:¶

c1ff00001d0008f067a5502a4262b50040740001

As a result, after protection, the header protection sample is taken startingfrom the third protected octet:¶

sample = 823a5d3a1207c86ee49132824f046524mask   = abaaf34fdcheader = caff00001d0008f067a5502a4262b5004074aaf2

The final protected packet is then:¶

caff00001d0008f067a5502a4262b500 4074aaf2f007823a5d3a1207c86ee49132824f0465243d082d868b107a38092b c80528664cbf9456ebf27673fb5fa5061ab573c9f001b81da028a00d52ab00b1 5bebaa70640e106cf2acd043e9c6b4411c0a79637134d8993701fe779e58c2fe 753d14b0564021565ea92e57bc6faf56dfc7a40870e6

A.4.Retry

This shows a Retry packet that might be sent in response to the Initial packetinAppendix A.2. The integrity check includes the client-chosenconnection ID value of 0x8394c8f03e515708, but that value is notincluded in the final Retry packet:¶

ffff00001d0008f067a5502a4262b574 6f6b656ed16926d81f6f9ca2953a8aa4575e1e49

A.5.ChaCha20-Poly1305 Short Header Packet

This example shows some of the steps required to protect a packet witha short header. This example uses AEAD_CHACHA20_POLY1305.¶

In this example, TLS produces an application write secret from which a serveruses HKDF-Expand-Label to produce four values: a key, an IV, a headerprotection key, and the secret that will be used after keys are updated (thislast value is not used further in this example).¶

secret    = 9ac312a7f877468ebe69422748ad00a1      5443f18203a07d6060f688f30f21632bkey = HKDF-Expand-Label(secret, "quic key", _, 32)    = c6d98ff3441c3fe1b2182094f69caa2e      d4b716b65488960a7a984979fb23e1c8iv  = HKDF-Expand-Label(secret, "quic iv", _, 12)    = e0459b3474bdd0e44a41c144hp  = HKDF-Expand-Label(secret, "quic hp", _, 32)    = 25a282b9e82f06f21f488917a4fc8f1b      73573685608597d0efcb076b0ab7a7a4ku  = HKDF-Expand-Label(secret, "quic ku", _, 32)    = 1223504755036d556342ee9361d25342      1a826c9ecdf3c7148684b36b714881f9

The following shows the steps involved in protecting a minimal packet with anempty Destination Connection ID. This packet contains a single PING frame (thatis, a payload of just 0x01) and has a packet number of 654360564. In thisexample, using a packet number of length 3 (that is, 49140 is encoded) avoidshaving to pad the payload of the packet; PADDING frames would be needed if thepacket number is encoded on fewer octets.¶

pn                 = 654360564 (decimal)nonce              = e0459b3474bdd0e46d417eb0unprotected header = 4200bff4payload plaintext  = 01payload ciphertext = 655e5cd55c41f69080575d7999c25a5bfb

The resulting ciphertext is the minimum size possible. One byte is skipped toproduce the sample for header protection.¶

sample = 5e5cd55c41f69080575d7999c25a5bfbmask   = aefefe7d03header = 4cfe4189

The protected packet is the smallest possible packet size of 21 bytes.¶

packet = 4cfe4189655e5cd55c41f69080575d7999c25a5bfb

B.1.Confidentiality Limits

For confidentiality, Theorem 2 in[CCM-ANALYSIS] establishes that an attackergains a distinguishing advantage over an ideal pseudorandom permutation (PRP) ofno more than:¶

(2l * q)^2 / 2^n

For a target advantage of 2^-60, which matches that used by[TLS13], thisresults in the relation:¶

q <= 2^23

That is, endpoints cannot protect more than 2^23 packets with the same set ofkeys without causing an attacker to gain an larger advantage than the target of2^-60.¶

B.2.Integrity Limits

For integrity, Theorem 1 in[CCM-ANALYSIS] establishes that an attackergains an advantage over an ideal PRP of no more than:¶

v / 2^t + (2l * (v + q))^2 / 2^n

The goal is to limit this advantage to 2^-57, to match the target in[TLS13]. Ast andn are both 128, the first term is negligible relativeto the second, so that term can be removed without a significant effect on theresult. This produces the relation:¶

v + q <= 2^24.5

Using the previously-established value of 2^23 forq and rounding, this leadsto an upper limit onv of 2^23.5. That is, endpoints cannot attempt toauthenticate more than 2^23.5 packets with the same set of keys without causingan attacker to gain an larger advantage than the target of 2^-57.¶

C.1.Since draft-ietf-quic-tls-28

• Defined limits on the number of packets that can be protected with a singlekey and limits on the number of packets that can fail authentication (#3619,#3620)¶

C.2.Since draft-ietf-quic-tls-27

• Allowed CONNECTION_CLOSE in any packet number space, with restrictions onuse of the application-specific variant (#3430, #3435, #3440)¶
• Prohibit the use of the compatibility mode from TLS 1.3 (#3594, #3595)¶

C.3.Since draft-ietf-quic-tls-26

• No changes¶

C.4.Since draft-ietf-quic-tls-25

• No changes¶

C.5.Since draft-ietf-quic-tls-24

• Rewrite key updates (#3050)¶

  • Allow but don't recommend deferring key updates (#2792, #3263)¶
  • More completely define received behavior (#2791)¶
  • Define the label used with HKDF-Expand-Label (#3054)¶

C.6.Since draft-ietf-quic-tls-23

• Key update text update (#3050):¶

  • Recommend constant-time key replacement (#2792)¶
  • Provide explicit labels for key update key derivation (#3054)¶
• Allow first Initial from a client to span multiple packets (#2928, #3045)¶
• PING can be sent at any encryption level (#3034, #3035)¶

C.7.Since draft-ietf-quic-tls-22

• Update the salt used for Initial secrets (#2887, #2980)¶

C.8.Since draft-ietf-quic-tls-21

• No changes¶

C.9.Since draft-ietf-quic-tls-20

• Mandate the use of the QUIC transport parameters extension (#2528, #2560)¶
• Define handshake completion and confirmation; define clearer rules when itencryption keys should be discarded (#2214, #2267, #2673)¶

C.10.Since draft-ietf-quic-tls-18

• Increased the set of permissible frames in 0-RTT (#2344, #2355)¶
• Transport parameter extension is mandatory (#2528, #2560)¶

C.11.Since draft-ietf-quic-tls-17

• Endpoints discard initial keys as soon as handshake keys are available (#1951,#2045)¶
• Use of ALPN or equivalent is mandatory (#2263, #2284)¶

C.12.Since draft-ietf-quic-tls-14

• Update the salt used for Initial secrets (#1970)¶
• Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019)¶

• Change header protection¶

  • Sample from a fixed offset (#1575, #2030)¶
  • Cover part of the first byte, including the key phase (#1322, #2006)¶

• TLS provides an AEAD and KDF function (#2046)¶

  • Clarify that the TLS KDF is used with TLS (#1997)¶
  • Change the labels for calculation of QUIC keys (#1845, #1971, #1991)¶
• Initial keys are discarded once Handshake keys are available (#1951, #2045)¶

C.13.Since draft-ietf-quic-tls-13

• Updated to TLS 1.3 final (#1660)¶

C.14.Since draft-ietf-quic-tls-12

• Changes to integration of the TLS handshake (#829, #1018, #1094, #1165, #1190,#1233, #1242, #1252, #1450)¶

  • The cryptographic handshake uses CRYPTO frames, not stream 0¶
  • QUIC packet protection is used in place of TLS record protection¶
  • Separate QUIC packet number spaces are used for the handshake¶
  • Changed Retry to be independent of the cryptographic handshake¶
  • Limit the use of HelloRetryRequest to address TLS needs (like key shares)¶
• Changed codepoint of TLS extension (#1395, #1402)¶

C.15.Since draft-ietf-quic-tls-11

• Encrypted packet numbers.¶

C.16.Since draft-ietf-quic-tls-10

• No significant changes.¶

C.17.Since draft-ietf-quic-tls-09

• Cleaned up key schedule and updated the salt used for handshake packetprotection (#1077)¶

C.18.Since draft-ietf-quic-tls-08

• Specify value for max_early_data_size to enable 0-RTT (#942)¶
• Update key derivation function (#1003, #1004)¶

C.19.Since draft-ietf-quic-tls-07

• Handshake errors can be reported with CONNECTION_CLOSE (#608, #891)¶

C.20.Since draft-ietf-quic-tls-05

No significant changes.¶

C.21.Since draft-ietf-quic-tls-04

• Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)¶

C.22.Since draft-ietf-quic-tls-03

No significant changes.¶

C.23.Since draft-ietf-quic-tls-02

• Updates to match changes in transport draft¶

C.24.Since draft-ietf-quic-tls-01

• Use TLS alerts to signal TLS errors (#272, #374)¶
• Require ClientHello to fit in a single packet (#338)¶
• The second client handshake flight is now sent in the clear (#262, #337)¶
• The QUIC header is included as AEAD Associated Data (#226, #243, #302)¶
• Add interface necessary for client address validation (#275)¶
• Define peer authentication (#140)¶
• Require at least TLS 1.3 (#138)¶
• Define transport parameters as a TLS extension (#122)¶
• Define handling for protected packets before the handshake completes (#39)¶
• Decouple QUIC version and ALPN (#12)¶

C.25.Since draft-ietf-quic-tls-00

• Changed bit used to signal key phase¶
• Updated key phase markings during the handshake¶
• Added TLS interface requirements section¶
• Moved to use of TLS exporters for key derivation¶
• Moved TLS error code definitions into this document¶

C.26.Since draft-thomson-quic-tls-01

• Adopted as base for draft-ietf-quic-tls¶
• Updated authors/editors list¶
• Added status note¶