2.1.TLS Overview

TLS provides two endpoints with a way to establish a means of communication overan untrusted medium (that is, the Internet) that ensures that messages theyexchange cannot be observed, modified, or forged.¶

Internally, TLS is a layered protocol, with the structure shown inFigure 1.¶

          +-------------+------------+--------------+---------+Handshake |             |            |  Application |         |Layer     |  Handshake  |   Alerts   |     Data     |   ...   |          |             |            |              |         |          +-------------+------------+--------------+---------+Record    |                                                   |Layer     |                      Records                      |          |                                                   |          +---------------------------------------------------+

Each Handshake layer message (e.g., Handshake, Alerts, and Application Data) iscarried as a series of typed TLS records by the Record layer. Records areindividually cryptographically protected and then transmitted over a reliabletransport (typically TCP), which provides sequencing and guaranteed delivery.¶

The TLS authenticated key exchange occurs between two endpoints: client andserver. The client initiates the exchange and the server responds. If the keyexchange completes successfully, both client and server will agree on a secret.TLS supports both pre-shared key (PSK) and Diffie-Hellman over either finitefields or elliptic curves ((EC)DHE) key exchanges. PSK is the basis for EarlyData (0-RTT); the latter provides perfect forward secrecy (PFS) when the (EC)DHEkeys are destroyed.¶

After completing the TLS handshake, the client will have learned andauthenticated an identity for the server and the server is optionally able tolearn and authenticate an identity for the client. TLS supports X.509[RFC5280] certificate-based authentication for both server and client.¶

The TLS key exchange is resistant to tampering by attackers and it producesshared secrets that cannot be controlled by either participating peer.¶

TLS provides two basic handshake modes of interest to QUIC:¶

• A full 1-RTT handshake, in which the client is able to send Application Dataafter one round trip and the server immediately responds after receiving thefirst handshake message from the client.¶
• A 0-RTT handshake, in which the client uses information it has previouslylearned about the server to send Application Data immediately. ThisApplication Data can be replayed by an attacker so it MUST NOT carry aself-contained trigger for any non-idempotent action.¶

A simplified TLS handshake with 0-RTT application data is shown inFigure 2.¶

    Client                                             Server    ClientHello   (0-RTT Application Data)  -------->                                                  ServerHello                                         {EncryptedExtensions}                                                    {Finished}                             <--------      [Application Data]   {Finished}                -------->   [Application Data]        <------->      [Application Data]    () Indicates messages protected by Early Data (0-RTT) Keys    {} Indicates messages protected using Handshake Keys    [] Indicates messages protected using Application Data       (1-RTT) Keys

Figure 2 omits the EndOfEarlyData message, which is not used in QUIC; seeSection 8.3. Likewise, neither ChangeCipherSpec nor KeyUpdate messages areused by QUIC. ChangeCipherSpec is redundant in TLS 1.3; seeSection 8.4.QUIC has its own key update mechanism; seeSection 6.¶

Data is protected using a number of encryption levels:¶

• Initial Keys¶
• Early Data (0-RTT) Keys¶
• Handshake Keys¶
• Application Data (1-RTT) Keys¶

Application Data may appear only in the Early Data and Application Datalevels. Handshake and Alert messages may appear in any level.¶

The 0-RTT handshake is only possible if the client and server have previouslycommunicated. In the 1-RTT handshake, the client is unable to send protectedApplication Data until it has received all of the Handshake messages sent by theserver.¶

4.1.Interface to TLS

As shown inFigure 4, the interface from QUIC to TLS consists of fourprimary functions:¶

• Sending and receiving handshake messages¶
• Processing stored transport and application state from a resumed sessionand determining if it is valid to accept early data¶
• Rekeying (both transmit and receive)¶
• Handshake state updates¶

Additional functions might be needed to configure TLS.¶

Client                                                    Server======                                                    ======Get Handshake                     Initial ------------->Install tx 0-RTT Keys                     0-RTT - - - - - - - ->                                              Handshake Received                                                   Get Handshake                     <------------- Initial                                           Install rx 0-RTT keys                                          Install Handshake keys                                                   Get Handshake                     <----------- Handshake                                           Install tx 1-RTT keys                     <- - - - - - - - 1-RTTHandshake Received (Initial)Install Handshake keysHandshake Received (Handshake)Get Handshake                     Handshake ----------->Handshake CompleteInstall 1-RTT keys                     1-RTT - - - - - - - ->                                              Handshake Received                                              Handshake Complete                                           Install rx 1-RTT keys

4.2.TLS Version

This document describes how TLS 1.3[TLS13] is used with QUIC.¶

In practice, the TLS handshake will negotiate a version of TLS to use. Thiscould result in a newer version of TLS than 1.3 being negotiated if bothendpoints support that version. This is acceptable provided that the featuresof TLS 1.3 that are used by QUIC are supported by the newer version.¶

Clients MUST NOT offer TLS versions older than 1.3. A badly configured TLSimplementation could negotiate TLS 1.2 or another older version of TLS. Anendpoint MUST terminate the connection if a version of TLS older than 1.3 isnegotiated.¶

4.3.ClientHello Size

The first Initial packet from a client contains the start or all of its firstcryptographic handshake message, which for TLS is the ClientHello. Serversmight need to parse the entire ClientHello (e.g., to access extensions such asServer Name Identification (SNI) or Application Layer Protocol Negotiation(ALPN)) in order to decide whether to accept the new incoming QUIC connection.If the ClientHello spans multiple Initial packets, such servers would need tobuffer the first received fragments, which could consume excessive resources ifthe client's address has not yet been validated. To avoid this, servers MAYuse the Retry feature (see Section 8.1 of[QUIC-TRANSPORT]) to only bufferpartial ClientHello messages from clients with a validated address.¶

QUIC packet and framing add at least 36 bytes of overhead to the ClientHellomessage. That overhead increases if the client chooses a source connection IDlonger than zero bytes. Overheads also do not include the token or adestination connection ID longer than 8 bytes, both of which might be requiredif a server sends a Retry packet.¶

A typical TLS ClientHello can easily fit into a 1200-byte packet. However, inaddition to the overheads added by QUIC, there are several variables that couldcause this limit to be exceeded. Large session tickets, multiple or large keyshares, and long lists of supported ciphers, signature algorithms, versions,QUIC transport parameters, and other negotiable parameters and extensions couldcause this message to grow.¶

For servers, in addition to connection IDs and tokens, the size of TLS sessiontickets can have an effect on a client's ability to connect efficiently.Minimizing the size of these values increases the probability that clients canuse them and still fit their ClientHello message in their first Initial packet.¶

The TLS implementation does not need to ensure that the ClientHello issufficiently large. QUIC PADDING frames are added to increase the size of thepacket as necessary.¶

4.4.Peer Authentication

The requirements for authentication depend on the application protocol that isin use. TLS provides server authentication and permits the server to requestclient authentication.¶

A client MUST authenticate the identity of the server. This typically involvesverification that the identity of the server is included in a certificate andthat the certificate is issued by a trusted entity (see for example[RFC2818]).¶

Note:

Where servers provide certificates for authentication, the size ofthe certificate chain can consume a large number of bytes. Controlling thesize of certificate chains is critical to performance in QUIC as servers arelimited to sending 3 bytes for every byte received prior to validating theclient address; see Section 8.1 of[QUIC-TRANSPORT]. The size of acertificate chain can be managed by limiting the number of names orextensions; using keys with small public key representations, like ECDSA; orby using certificate compression[COMPRESS].¶

A server MAY request that the client authenticate during the handshake. A serverMAY refuse a connection if the client is unable to authenticate when requested.The requirements for client authentication vary based on application protocoland deployment.¶

A server MUST NOT use post-handshake client authentication (as defined inSection 4.6.2 of[TLS13]), because the multiplexing offered by QUIC preventsclients from correlating the certificate request with the application-levelevent that triggered it (see[HTTP2-TLS13]).More specifically, servers MUST NOT send post-handshake TLS CertificateRequestmessages and clients MUST treat receipt of such messages as a connection errorof type PROTOCOL_VIOLATION.¶

4.5.Session Resumption

QUIC can use the session resumption feature of TLS 1.3. It does this bycarrying NewSessionTicket messages in CRYPTO frames after the handshake iscomplete. Session resumption is the basis of 0-RTT, but can be used withoutalso enabling 0-RTT.¶

Endpoints that use session resumption might need to remember some informationabout the current connection when creating a resumed connection. TLS requiresthat some information be retained; see Section 4.6.1 of[TLS13]. QUIC itselfdoes not depend on any state being retained when resuming a connection, unless0-RTT is also used; seeSection 4.6.1 and Section 7.4.1 of[QUIC-TRANSPORT]. Application protocols could depend on state that isretained between resumed connections.¶

Clients can store any state required for resumption along with the sessionticket. Servers can use the session ticket to help carry state.¶

Session resumption allows servers to link activity on the original connectionwith the resumed connection, which might be a privacy issue for clients.Clients can choose not to enable resumption to avoid creating this correlation.Clients SHOULD NOT reuse tickets as that allows entities other than the serverto correlate connections; see Section C.4 of[TLS13].¶

4.6.0-RTT

The 0-RTT feature in QUIC allows a client to send application data before thehandshake is complete. This is made possible by reusing negotiated parametersfrom a previous connection. To enable this, 0-RTT depends on the clientremembering critical parameters and providing the server with a TLS sessionticket that allows the server to recover the same information.¶

This information includes parameters that determine TLS state, as governed by[TLS13], QUIC transport parameters, the chosen application protocol, and anyinformation the application protocol might need; seeSection 4.6.3. Thisinformation determines how 0-RTT packets and their contents are formed.¶

To ensure that the same information is available to both endpoints, allinformation used to establish 0-RTT comes from the same connection. Endpointscannot selectively disregard information that might alter the sending orprocessing of 0-RTT.¶

[TLS13] sets a limit of 7 days on the time between the original connectionand any attempt to use 0-RTT. There are other constraints on 0-RTT usage,notably those caused by the potential exposure to replay attack; seeSection 9.2.¶

4.7.HelloRetryRequest

The HelloRetryRequest message (see Section 4.1.4 of[TLS13]) can be used torequest that a client provide new information, such as a key share, or tovalidate some characteristic of the client. From the perspective of QUIC,HelloRetryRequest is not differentiated from other cryptographic handshakemessages that are carried in Initial packets. Although it is in principlepossible to use this feature for address verification, QUIC implementationsSHOULD instead use the Retry feature; see Section 8.1 of[QUIC-TRANSPORT].¶

4.8.TLS Errors

If TLS experiences an error, it generates an appropriate alert as defined inSection 6 of[TLS13].¶

A TLS alert is converted into a QUIC connection error. The alert description isadded to 0x100 to produce a QUIC error code from the range reserved forCRYPTO_ERROR. The resulting value is sent in a QUIC CONNECTION_CLOSE frame oftype 0x1c.¶

The alert level of all TLS alerts is "fatal"; a TLS stack MUST NOT generatealerts at the "warning" level.¶

QUIC permits the use of a generic code in place of a specific error code; seeSection 11 of[QUIC-TRANSPORT]. For TLS alerts, this includes replacing anyalert with a generic alert, such as handshake_failure (0x128 in QUIC).Endpoints MAY use a generic error code to avoid possibly exposing confidentialinformation.¶

4.9.Discarding Unused Keys

After QUIC moves to a new encryption level, packet protection keys for previousencryption levels can be discarded. This occurs several times during thehandshake, as well as when keys are updated; seeSection 6.¶

Packet protection keys are not discarded immediately when new keys areavailable. If packets from a lower encryption level contain CRYPTO frames,frames that retransmit that data MUST be sent at the same encryption level.Similarly, an endpoint generates acknowledgements for packets at the sameencryption level as the packet being acknowledged. Thus, it is possible thatkeys for a lower encryption level are needed for a short time after keys for anewer encryption level are available.¶

An endpoint cannot discard keys for a given encryption level unless it has bothreceived and acknowledged all CRYPTO frames for that encryption level and whenall CRYPTO frames for that encryption level have been acknowledged by its peer.However, this does not guarantee that no further packets will need to bereceived or sent at that encryption level because a peer might not have receivedall the acknowledgements necessary to reach the same state.¶

Though an endpoint might retain older keys, new data MUST be sent at the highestcurrently-available encryption level. Only ACK frames and retransmissions ofdata in CRYPTO frames are sent at a previous encryption level. These packetsMAY also include PADDING frames.¶

5.1.Packet Protection Keys

QUIC derives packet protection keys in the same way that TLS derives recordprotection keys.¶

Each encryption level has separate secret values for protection of packets sentin each direction. These traffic secrets are derived by TLS (see Section 7.1 of[TLS13]) and are used by QUIC for all encryption levels except the Initialencryption level. The secrets for the Initial encryption level are computedbased on the client's initial Destination Connection ID, as described inSection 5.2.¶

The keys used for packet protection are computed from the TLS secrets using theKDF provided by TLS. In TLS 1.3, the HKDF-Expand-Label function described inSection 7.1 of[TLS13] is used, using the hash function from the negotiatedcipher suite. Other versions of TLS MUST provide a similar function in order tobe used with QUIC.¶

The current encryption level secret and the label "quic key" are input to theKDF to produce the AEAD key; the label "quic iv" is used to derive theInitialization Vector (IV); seeSection 5.3. The header protection key uses the"quic hp" label; seeSection 5.4. Using these labels provides keyseparation between QUIC and TLS; seeSection 9.6.¶

The KDF used for initial secrets is always the HKDF-Expand-Label function fromTLS 1.3; seeSection 5.2.¶

5.2.Initial Secrets

Initial packets apply the packet protection process, but use a secret derivedfrom the Destination Connection ID field from the client's first Initialpacket.¶

This secret is determined by using HKDF-Extract (see Section 2.2 of[HKDF]) with a salt of 0xafbfec289993d24c9e9786f19c6111e04390a899and a IKM of the Destination Connection ID field. This produces an intermediatepseudorandom key (PRK) that is used to derive two separate secrets for sendingand receiving.¶

The secret used by clients to construct Initial packets uses the PRK and thelabel "client in" as input to the HKDF-Expand-Label function to produce a 32byte secret; packets constructed by the server use the same process with thelabel "server in". The hash function for HKDF when deriving initial secretsand keys is SHA-256[SHA].¶

This process in pseudocode is:¶

initial_salt = 0xafbfec289993d24c9e9786f19c6111e04390a899initial_secret = HKDF-Extract(initial_salt,                              client_dst_connection_id)client_initial_secret = HKDF-Expand-Label(initial_secret,                                          "client in", "",                                          Hash.length)server_initial_secret = HKDF-Expand-Label(initial_secret,                                          "server in", "",                                          Hash.length)

The connection ID used with HKDF-Expand-Label is the Destination Connection IDin the Initial packet sent by the client. This will be a randomly-selectedvalue unless the client creates the Initial packet after receiving a Retrypacket, where the Destination Connection ID is selected by the server.¶

Future versions of QUIC SHOULD generate a new salt value, thus ensuring thatthe keys are different for each version of QUIC. This prevents a middlebox thatrecognizes only one version of QUIC from seeing or modifying the contents ofpackets from future versions.¶

The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initialpackets even where the TLS versions offered do not include TLS 1.3.¶

The secrets used for constructing Initial packets change when a server sends aRetry packet to use the connection ID value selected by the server. The secretsdo not change when a client changes the Destination Connection ID it uses inresponse to an Initial packet from the server.¶

Note:

The Destination Connection ID is of arbitrary length, and it could be zerolength if the server sends a Retry packet with a zero-length Source ConnectionID field. In this case, the Initial keys provide no assurance to the clientthat the server received its packet; the client has to rely on the exchangethat included the Retry packet for that property.¶

Appendix A contains sample Initial packets.¶

5.3.AEAD Usage

The Authenticated Encryption with Associated Data (AEAD; see[AEAD]) functionused for QUIC packet protection is the AEAD that is negotiated for use with theTLS connection. For example, if TLS is using the TLS_AES_128_GCM_SHA256 ciphersuite, the AEAD_AES_128_GCM function is used.¶

QUIC can use any of the cipher suites defined in[TLS13] with the exceptionof TLS_AES_128_CCM_8_SHA256. A cipher suite MUST NOT be negotiated unless aheader protection scheme is defined for the cipher suite. This document definesa header protection scheme for all cipher suites defined in[TLS13] asidefrom TLS_AES_128_CCM_8_SHA256. These cipher suites have a 16-byteauthentication tag and produce an output 16 bytes larger than their input.¶

Note:

An endpoint MUST NOT reject a ClientHello that offers a cipher suite that itdoes not support, or it would be impossible to deploy a new cipher suite.This also applies to TLS_AES_128_CCM_8_SHA256.¶

When constructing packets, the AEAD function is applied prior to applyingheader protection; seeSection 5.4. The unprotected packet header is partof the associated data (A). When processing packets, an endpoint firstremoves the header protection.¶

The key and IV for the packet are computed as described inSection 5.1.The nonce, N, is formed by combining the packet protection IV with the packetnumber. The 62 bits of the reconstructed QUIC packet number in network byteorder are left-padded with zeros to the size of the IV. The exclusive OR of thepadded packet number and the IV forms the AEAD nonce.¶

The associated data, A, for the AEAD is the contents of the QUIC header,starting from the first byte of either the short or long header, up to andincluding the unprotected packet number.¶

The input plaintext, P, for the AEAD is the payload of the QUIC packet, asdescribed in[QUIC-TRANSPORT].¶

The output ciphertext, C, of the AEAD is transmitted in place of P.¶

Some AEAD functions have limits for how many packets can be encrypted under thesame key and IV; seeSection 6.6. This might be lower than the packetnumber limit. An endpoint MUST initiate a key update (Section 6) prior toexceeding any limit set for the AEAD that is in use.¶

5.4.Header Protection

Parts of QUIC packet headers, in particular the Packet Number field, areprotected using a key that is derived separately from the packet protection keyand IV. The key derived using the "quic hp" label is used to provideconfidentiality protection for those fields that are not exposed to on-pathelements.¶

This protection applies to the least-significant bits of the first byte, plusthe Packet Number field. The four least-significant bits of the first byte areprotected for packets with long headers; the five least significant bits of thefirst byte are protected for packets with short headers. For both header forms,this covers the reserved bits and the Packet Number Length field; the Key Phasebit is also protected for packets with a short header.¶

The same header protection key is used for the duration of the connection, withthe value not changing after a key update (seeSection 6). This allowsheader protection to be used to protect the key phase.¶

This process does not apply to Retry or Version Negotiation packets, which donot contain a protected payload or any of the fields that are protected by thisprocess.¶

mask = header_protection(hp_key, sample)pn_length = (packet[0] & 0x03) + 1if (packet[0] & 0x80) == 0x80:   # Long header: 4 bits masked   packet[0] ^= mask[0] & 0x0felse:   # Short header: 5 bits masked   packet[0] ^= mask[0] & 0x1f# pn_offset is the start of the Packet Number field.packet[pn_offset:pn_offset+pn_length] ^= mask[1:1+pn_length]

Initial Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 0,  Reserved Bits (2),         # Protected  Packet Number Length (2),  # Protected  Version (32),  DCID Len (8),  Destination Connection ID (0..160),  SCID Len (8),  Source Connection ID (0..160),  Token Length (i),  Token (..),  Length (i),  Packet Number (8..32),     # Protected  Protected Payload (0..24), # Skipped Part  Protected Payload (128),   # Sampled Part  Protected Payload (..)     # Remainder}Short Header Packet {  Header Form (1) = 0,  Fixed Bit (1) = 1,  Spin Bit (1),  Reserved Bits (2),         # Protected  Key Phase (1),             # Protected  Packet Number Length (2),  # Protected  Destination Connection ID (0..160),  Packet Number (8..32),     # Protected  Protected Payload (0..24), # Skipped Part  Protected Payload (128),   # Sampled Part  Protected Payload (..),    # Remainder}

sample_offset = 1 + len(connection_id) + 4sample = packet[sample_offset..sample_offset+sample_length]

sample_offset = 7 + len(destination_connection_id) +                    len(source_connection_id) +                    len(payload_length) + 4if packet_type == Initial:    sample_offset += len(token_length) +                     len(token)sample = packet[sample_offset..sample_offset+sample_length]

mask = AES-ECB(hp_key, sample)

counter = sample[0..3]nonce = sample[4..15]mask = ChaCha20(hp_key, counter, nonce, {0,0,0,0,0})

5.5.Receiving Protected Packets

Once an endpoint successfully receives a packet with a given packet number, itMUST discard all packets in the same packet number space with higher packetnumbers if they cannot be successfully unprotected with either the same key, or- if there is a key update - the next packet protection key (seeSection 6). Similarly, a packet that appears to trigger a key update, butcannot be unprotected successfully MUST be discarded.¶

Failure to unprotect a packet does not necessarily indicate the existence of aprotocol error in a peer or an attack. The truncated packet number encodingused in QUIC can cause packet numbers to be decoded incorrectly if they aredelayed significantly.¶

5.6.Use of 0-RTT Keys

If 0-RTT keys are available (seeSection 4.6.1), the lack of replay protectionmeans that restrictions on their use are necessary to avoid replay attacks onthe protocol.¶

A client MUST only use 0-RTT keys to protect data that is idempotent. A clientMAY wish to apply additional restrictions on what data it sends prior to thecompletion of the TLS handshake. A client otherwise treats 0-RTT keys asequivalent to 1-RTT keys, except that it MUST NOT send ACKs with 0-RTT keys.¶

A client that receives an indication that its 0-RTT data has been accepted by aserver can send 0-RTT data until it receives all of the server's handshakemessages. A client SHOULD stop sending 0-RTT data if it receives an indicationthat 0-RTT data has been rejected.¶

A server MUST NOT use 0-RTT keys to protect packets; it uses 1-RTT keys toprotect acknowledgements of 0-RTT packets. A client MUST NOT attempt todecrypt 0-RTT packets it receives and instead MUST discard them.¶

Once a client has installed 1-RTT keys, it MUST NOT send any more 0-RTTpackets.¶

Note:

0-RTT data can be acknowledged by the server as it receives it, but anypackets containing acknowledgments of 0-RTT data cannot have packet protectionremoved by the client until the TLS handshake is complete. The 1-RTT keysnecessary to remove packet protection cannot be derived until the clientreceives all server handshake messages.¶

5.7.Receiving Out-of-Order Protected Packets

Due to reordering and loss, protected packets might be received by an endpointbefore the final TLS handshake messages are received. A client will be unableto decrypt 1-RTT packets from the server, whereas a server will be able todecrypt 1-RTT packets from the client. Endpoints in either role MUST NOTdecrypt 1-RTT packets from their peer prior to completing the handshake.¶

Even though 1-RTT keys are available to a server after receiving the firsthandshake messages from a client, it is missing assurances on the client state:¶

• The client is not authenticated, unless the server has chosen to use apre-shared key and validated the client's pre-shared key binder; see Section4.2.11 of[TLS13].¶
• The client has not demonstrated liveness, unless the server has validated theclient's address with a Retry packet or other means; see Section 8.1 of[QUIC-TRANSPORT].¶
• Any received 0-RTT data that the server responds to might be due to a replayattack.¶

Therefore, the server's use of 1-RTT keys before the handshake is complete islimited to sending data. A server MUST NOT process incoming 1-RTT protectedpackets before the TLS handshake is complete. Because sending acknowledgmentsindicates that all frames in a packet have been processed, a server cannot sendacknowledgments for 1-RTT packets until the TLS handshake is complete. Receivedpackets protected with 1-RTT keys MAY be stored and later decrypted and usedonce the handshake is complete.¶

Note:

TLS implementations might provide all 1-RTT secrets prior to handshakecompletion. Even where QUIC implementations have 1-RTT read keys, those keyscannot be used prior to completing the handshake.¶

The requirement for the server to wait for the client Finished message createsa dependency on that message being delivered. A client can avoid thepotential for head-of-line blocking that this implies by sending its 1-RTTpackets coalesced with a Handshake packet containing a copy of the CRYPTO framethat carries the Finished message, until one of the Handshake packets isacknowledged. This enables immediate server processing for those packets.¶

A server could receive packets protected with 0-RTT keys prior to receiving aTLS ClientHello. The server MAY retain these packets for later decryption inanticipation of receiving a ClientHello.¶

A client generally receives 1-RTT keys at the same time as the handshakecompletes. Even if it has 1-RTT secrets, a client MUST NOT processincoming 1-RTT protected packets before the TLS handshake is complete.¶

5.8.Retry Packet Integrity

Retry packets (see the Retry Packet section of[QUIC-TRANSPORT]) carry aRetry Integrity Tag that provides two properties: it allows discardingpackets that have accidentally been corrupted by the network, and it diminishesoff-path attackers' ability to send valid Retry packets.¶

The Retry Integrity Tag is a 128-bit field that is computed as the output ofAEAD_AES_128_GCM ([AEAD]) used with the following inputs:¶

• The secret key, K, is 128 bits equal to 0xccce187ed09a09d05728155a6cb96be1.¶
• The nonce, N, is 96 bits equal to 0xe54930f97f2136f0530a8c1c.¶
• The plaintext, P, is empty.¶
• The associated data, A, is the contents of the Retry Pseudo-Packet, asillustrated inFigure 8:¶

The secret key and the nonce are values derived by calling HKDF-Expand-Labelusing 0x8b0d37eb8535022ebc8d76a207d80df22646ec06dc809642c30a8baa2baaff4c as thesecret, with labels being "quic key" and "quic iv" (Section 5.1).¶

Retry Pseudo-Packet {  ODCID Length (8),  Original Destination Connection ID (0..160),  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 3,  Type-Specific Bits (4),  Version (32),  DCID Len (8),  Destination Connection ID (0..160),  SCID Len (8),  Source Connection ID (0..160),  Retry Token (..),}

The Retry Pseudo-Packet is not sent over the wire. It is computed by takingthe transmitted Retry packet, removing the Retry Integrity Tag and prependingthe two following fields:¶

ODCID Length:

The ODCID Length field contains the length in bytes of the OriginalDestination Connection ID field that follows it, encoded as an 8-bit unsignedinteger.¶

Original Destination Connection ID:

The Original Destination Connection ID contains the value of the DestinationConnection ID from the Initial packet that this Retry is in response to. Thelength of this field is given in ODCID Length. The presence of this fieldmitigates an off-path attacker's ability to inject a Retry packet.¶

6.1.Initiating a Key Update

Endpoints maintain separate read and write secrets for packet protection. Anendpoint initiates a key update by updating its packet protection write secretand using that to protect new packets. The endpoint creates a new write secretfrom the existing write secret as performed in Section 7.2 of[TLS13]. Thisuses the KDF function provided by TLS with a label of "quic ku". Thecorresponding key and IV are created from that secret as defined inSection 5.1. The header protection key is not updated.¶

For example, to update write keys with TLS 1.3, HKDF-Expand-Label is used as:¶

secret_<n+1> = HKDF-Expand-Label(secret_<n>, "quic ku",                                 "", Hash.length)

The endpoint toggles the value of the Key Phase bit and uses the updated key andIV to protect all subsequent packets.¶

An endpoint MUST NOT initiate a key update prior to having confirmed thehandshake (Section 4.1.2). An endpoint MUST NOT initiate a subsequentkey update unless it has received an acknowledgment for a packet that was sentprotected with keys from the current key phase. This ensures that keys areavailable to both peers before another key update can be initiated. This can beimplemented by tracking the lowest packet number sent with each key phase, andthe highest acknowledged packet number in the 1-RTT space: once the latter ishigher than or equal to the former, another key update can be initiated.¶

Note:

Keys of packets other than the 1-RTT packets are never updated; their keys arederived solely from the TLS handshake state.¶

The endpoint that initiates a key update also updates the keys that it uses forreceiving packets. These keys will be needed to process packets the peer sendsafter updating.¶

An endpoint MUST retain old keys until it has successfully unprotected a packetsent using the new keys. An endpoint SHOULD retain old keys for some timeafter unprotecting a packet sent using the new keys. Discarding old keys tooearly can cause delayed packets to be discarded. Discarding packets will beinterpreted as packet loss by the peer and could adversely affect performance.¶

6.2.Responding to a Key Update

A peer is permitted to initiate a key update after receiving an acknowledgementof a packet in the current key phase. An endpoint detects a key update whenprocessing a packet with a key phase that differs from the value used to protectthe last packet it sent. To process this packet, the endpoint uses the nextpacket protection key and IV. SeeSection 6.3 for considerationsabout generating these keys.¶

If a packet is successfully processed using the next key and IV, then the peerhas initiated a key update. The endpoint MUST update its send keys to thecorresponding key phase in response, as described inSection 6.1.Sending keys MUST be updated before sending an acknowledgement for the packetthat was received with updated keys. By acknowledging the packet that triggeredthe key update in a packet protected with the updated keys, the endpoint signalsthat the key update is complete.¶

An endpoint can defer sending the packet or acknowledgement according to itsnormal packet sending behaviour; it is not necessary to immediately generate apacket in response to a key update. The next packet sent by the endpoint willuse the updated keys. The next packet that contains an acknowledgement willcause the key update to be completed. If an endpoint detects a second updatebefore it has sent any packets with updated keys containing anacknowledgement for the packet that initiated the key update, it indicates thatits peer has updated keys twice without awaiting confirmation. An endpoint MAYtreat consecutive key updates as a connection error of type KEY_UPDATE_ERROR.¶

An endpoint that receives an acknowledgement that is carried in a packetprotected with old keys where any acknowledged packet was protected with newerkeys MAY treat that as a connection error of type KEY_UPDATE_ERROR. Thisindicates that a peer has received and acknowledged a packet that initiates akey update, but has not updated keys in response.¶

6.3.Timing of Receive Key Generation

Endpoints responding to an apparent key update MUST NOT generate a timingside-channel signal that might indicate that the Key Phase bit was invalid (seeSection 9.4). Endpoints can use dummy packet protection keys inplace of discarded keys when key updates are not yet permitted. Using dummykeys will generate no variation in the timing signal produced by attempting toremove packet protection, and results in all packets with an invalid Key Phasebit being rejected.¶

The process of creating new packet protection keys for receiving packets couldreveal that a key update has occurred. An endpoint MAY perform this process aspart of packet processing, but this creates a timing signal that can be used byan attacker to learn when key updates happen and thus the value of the Key Phasebit in certain packets. Endpoints MAY instead defer the creation of the nextset of receive packet protection keys until some time after a key updatecompletes, up to three times the PTO; seeSection 6.5.¶

Once generated, the next set of packet protection keys SHOULD be retained, evenif the packet that was received was subsequently discarded. Packets containingapparent key updates are easy to forge and - while the process of key updatedoes not require significant effort - triggering this process could be used byan attacker for DoS.¶

For this reason, endpoints MUST be able to retain two sets of packet protectionkeys for receiving packets: the current and the next. Retaining the previouskeys in addition to these might improve performance, but this is not essential.¶

6.4.Sending with Updated Keys

An endpoint always sends packets that are protected with the newest keys. Keysused for packet protection can be discarded immediately after switching to newerkeys.¶

Packets with higher packet numbers MUST be protected with either the same ornewer packet protection keys than packets with lower packet numbers. Anendpoint that successfully removes protection with old keys when newer keys wereused for packets with lower packet numbers MUST treat this as a connection errorof type KEY_UPDATE_ERROR.¶

6.5.Receiving with Different Keys

For receiving packets during a key update, packets protected with older keysmight arrive if they were delayed by the network. Retaining old packetprotection keys allows these packets to be successfully processed.¶

As packets protected with keys from the next key phase use the same Key Phasevalue as those protected with keys from the previous key phase, it can benecessary to distinguish between the two. This can be done using packetnumbers. A recovered packet number that is lower than any packet number fromthe current key phase uses the previous packet protection keys; a recoveredpacket number that is higher than any packet number from the current key phaserequires the use of the next packet protection keys.¶

Some care is necessary to ensure that any process for selecting betweenprevious, current, and next packet protection keys does not expose a timing sidechannel that might reveal which keys were used to remove packet protection. SeeSection 9.5 for more information.¶

Alternatively, endpoints can retain only two sets of packet protection keys,swapping previous for next after enough time has passed to allow for reorderingin the network. In this case, the Key Phase bit alone can be used to selectkeys.¶

An endpoint MAY allow a period of approximately the Probe Timeout (PTO; see[QUIC-RECOVERY]) after receiving a packet that uses the new key generationbefore it creates the next set of packet protection keys. These updated keysMAY replace the previous keys at that time. With the caveat that PTO is asubjective measure - that is, a peer could have a different view of the RTT -this time is expected to be long enough that any reordered packets would bedeclared lost by a peer even if they were acknowledged and short enough toallow for subsequent key updates.¶

Endpoints need to allow for the possibility that a peer might not be able todecrypt packets that initiate a key update during the period when it retains oldkeys. Endpoints SHOULD wait three times the PTO before initiating a key updateafter receiving an acknowledgment that confirms that the previous key update wasreceived. Failing to allow sufficient time could lead to packets beingdiscarded.¶

An endpoint SHOULD retain old read keys for no more than three times the PTOafter having received a packet protected using the new keys. After this period,old read keys and their corresponding secrets SHOULD be discarded.¶

6.6.Limits on AEAD Usage

This document sets usage limits for AEAD algorithms to ensure that overuse doesnot give an adversary a disproportionate advantage in attacking theconfidentiality and integrity of communications when using QUIC.¶

The usage limits defined in TLS 1.3 exist for protection against attackson confidentiality and apply to successful applications of AEAD protection. Theintegrity protections in authenticated encryption also depend on limiting thenumber of attempts to forge packets. TLS achieves this by closing connectionsafter any record fails an authentication check. In comparison, QUIC ignores anypacket that cannot be authenticated, allowing multiple forgery attempts.¶

QUIC accounts for AEAD confidentiality and integrity limits separately. Theconfidentiality limit applies to the number of packets encrypted with a givenkey. The integrity limit applies to the number of packets decrypted within agiven connection. Details on enforcing these limits for each AEAD algorithmfollow below.¶

Endpoints MUST count the number of encrypted packets for each set of keys. Ifthe total number of encrypted packets with the same key exceeds theconfidentiality limit for the selected AEAD, the endpoint MUST stop using thosekeys. Endpoints MUST initiate a key update before sending more protected packetsthan the confidentiality limit for the selected AEAD permits. If a key updateis not possible or integrity limits are reached, the endpoint MUST stop usingthe connection and only send stateless resets in response to receiving packets.It is RECOMMENDED that endpoints immediately close the connection with aconnection error of type AEAD_LIMIT_REACHED before reaching a state where keyupdates are not possible.¶

For AEAD_AES_128_GCM and AEAD_AES_256_GCM, the confidentiality limit is 2^25encrypted packets; seeAppendix B.1. For AEAD_CHACHA20_POLY1305, theconfidentiality limit is greater than the number of possible packets (2^62) andso can be disregarded. For AEAD_AES_128_CCM, the confidentiality limit is 2^23.5encrypted packets; seeAppendix B.2. Applying a limit reduces the probabilitythat an attacker can distinguish the AEAD in use from a random permutation; see[AEBounds],[ROBUST], and[GCM-MU].¶

In addition to counting packets sent, endpoints MUST count the number ofreceived packets that fail authentication during the lifetime of a connection.If the total number of received packets that fail authentication within theconnection, across all keys, exceeds the integrity limit for the selected AEAD,the endpoint MUST immediately close the connection with a connection error oftype AEAD_LIMIT_REACHED and not process any more packets.¶

For AEAD_AES_128_GCM and AEAD_AES_256_GCM, the integrity limit is 2^54 invalidpackets; seeAppendix B.1. For AEAD_CHACHA20_POLY1305, the integrity limit is2^36 invalid packets; see[AEBounds]. For AEAD_AES_128_CCM, the integritylimit is 2^23.5 invalid packets; seeAppendix B.2. Applying this limit reducesthe probability that an attacker can successfully forge a packet; see[AEBounds],[ROBUST], and[GCM-MU].¶

Future analyses and specifications MAY relax confidentiality or integrity limitsfor an AEAD.¶

Note:

These limits were originally calculated using assumptions about thelimits on TLS record size. The maximum size of a TLS record is 2^14 bytes.In comparison, QUIC packets can be up to 2^16 bytes. However, it isexpected that QUIC packets will generally be smaller than TLS records.Where packets might be larger than 2^14 bytes in length, smaller limits mightbe needed.¶

Any TLS cipher suite that is specified for use with QUIC MUST define limits onthe use of the associated AEAD function that preserves margins forconfidentiality and integrity. That is, limits MUST be specified for the numberof packets that can be authenticated and for the number of packets that can failauthentication. Providing a reference to any analysis upon which values arebased - and any assumptions used in that analysis - allows limits to be adaptedto varying usage conditions.¶

6.7.Key Update Error Code

The KEY_UPDATE_ERROR error code (0xe) is used to signal errors related to keyupdates.¶

8.1.Protocol Negotiation

QUIC requires that the cryptographic handshake provide authenticated protocolnegotiation. TLS uses Application Layer Protocol Negotiation([ALPN]) to select an application protocol. Unless another mechanismis used for agreeing on an application protocol, endpoints MUST use ALPN forthis purpose.¶

When using ALPN, endpoints MUST immediately close a connection (see Section10.2 of[QUIC-TRANSPORT]) with a no_application_protocol TLS alert (QUIC errorcode 0x178; seeSection 4.8) if an application protocol is not negotiated.While[ALPN] only specifies that servers use this alert, QUIC clients MUSTuse error 0x178 to terminate a connection when ALPN negotiation fails.¶

An application protocol MAY restrict the QUIC versions that it can operate over.Servers MUST select an application protocol compatible with the QUIC versionthat the client has selected. The server MUST treat the inability to select acompatible application protocol as a connection error of type 0x178(no_application_protocol). Similarly, a client MUST treat the selection of anincompatible application protocol by a server as a connection error of type0x178.¶

8.2.QUIC Transport Parameters Extension

QUIC transport parameters are carried in a TLS extension. Different versions ofQUIC might define a different method for negotiating transport configuration.¶

Including transport parameters in the TLS handshake provides integrityprotection for these values.¶

   enum {      quic_transport_parameters(0xffa5), (65535)   } ExtensionType;

The extension_data field of the quic_transport_parameters extension contains avalue that is defined by the version of QUIC that is in use.¶

The quic_transport_parameters extension is carried in the ClientHello and theEncryptedExtensions messages during the handshake. Endpoints MUST send thequic_transport_parameters extension; endpoints that receive ClientHello orEncryptedExtensions messages without the quic_transport_parameters extensionMUST close the connection with an error of type 0x16d (equivalent to a fatal TLSmissing_extension alert, seeSection 4.8).¶

While the transport parameters are technically available prior to the completionof the handshake, they cannot be fully trusted until the handshake completes,and reliance on them should be minimized. However, any tampering with theparameters will cause the handshake to fail.¶

Endpoints MUST NOT send this extension in a TLS connection that does not useQUIC (such as the use of TLS with TCP defined in[TLS13]). A fatalunsupported_extension alert MUST be sent by an implementation that supports thisextension if the extension is received when the transport is not QUIC.¶

8.3.Removing the EndOfEarlyData Message

The TLS EndOfEarlyData message is not used with QUIC. QUIC does not rely onthis message to mark the end of 0-RTT data or to signal the change to Handshakekeys.¶

Clients MUST NOT send the EndOfEarlyData message. A server MUST treat receiptof a CRYPTO frame in a 0-RTT packet as a connection error of typePROTOCOL_VIOLATION.¶

As a result, EndOfEarlyData does not appear in the TLS handshake transcript.¶

8.4.Prohibit TLS Middlebox Compatibility Mode

Appendix D.4 of[TLS13] describes an alteration to the TLS 1.3 handshake asa workaround for bugs in some middleboxes. The TLS 1.3 middlebox compatibilitymode involves setting the legacy_session_id field to a 32-byte value in theClientHello and ServerHello, then sending a change_cipher_spec record. Bothfield and record carry no semantic content and are ignored.¶

This mode has no use in QUIC as it only applies to middleboxes that interferewith TLS over TCP. QUIC also provides no means to carry a change_cipher_specrecord. A client MUST NOT request the use of the TLS 1.3 compatibility mode. Aserver SHOULD treat the receipt of a TLS ClientHello with a non-emptylegacy_session_id field as a connection error of type PROTOCOL_VIOLATION.¶

9.1.Session Linkability

Use of TLS session tickets allows servers and possibly other entities tocorrelate connections made by the same client; seeSection 4.5 for details.¶

9.2.Replay Attacks with 0-RTT

As described in Section 8 of[TLS13], use of TLS early data comes with anexposure to replay attack. The use of 0-RTT in QUIC is similarly vulnerable toreplay attack.¶

Endpoints MUST implement and use the replay protections described in[TLS13],however it is recognized that these protections are imperfect. Therefore,additional consideration of the risk of replay is needed.¶

QUIC is not vulnerable to replay attack, except via the application protocolinformation it might carry. The management of QUIC protocol state based on theframe types defined in[QUIC-TRANSPORT] is not vulnerable to replay.Processing of QUIC frames is idempotent and cannot result in invalid connectionstates if frames are replayed, reordered or lost. QUIC connections do notproduce effects that last beyond the lifetime of the connection, except forthose produced by the application protocol that QUIC serves.¶

Note:

TLS session tickets and address validation tokens are used to carry QUICconfiguration information between connections. Specifically, to enable aserver to efficiently recover state that is used in connection establishmentand address validation. These MUST NOT be used to communicate applicationsemantics between endpoints; clients MUST treat them as opaque values. Thepotential for reuse of these tokens means that they require strongerprotections against replay.¶

A server that accepts 0-RTT on a connection incurs a higher cost than acceptinga connection without 0-RTT. This includes higher processing and computationcosts. Servers need to consider the probability of replay and all associatedcosts when accepting 0-RTT.¶

Ultimately, the responsibility for managing the risks of replay attacks with0-RTT lies with an application protocol. An application protocol that uses QUICMUST describe how the protocol uses 0-RTT and the measures that are employed toprotect against replay attack. An analysis of replay risk needs to considerall QUIC protocol features that carry application semantics.¶

Disabling 0-RTT entirely is the most effective defense against replay attack.¶

QUIC extensions MUST describe how replay attacks affect their operation, orprohibit their use in 0-RTT. Application protocols MUST either prohibit the useof extensions that carry application semantics in 0-RTT or provide replaymitigation strategies.¶

9.3.Packet Reflection Attack Mitigation

A small ClientHello that results in a large block of handshake messages from aserver can be used in packet reflection attacks to amplify the traffic generatedby an attacker.¶

QUIC includes three defenses against this attack. First, the packet containing aClientHello MUST be padded to a minimum size. Second, if responding to anunverified source address, the server is forbidden to send more than three timesas many bytes as the number of bytes it has received (see Section 8.1 of[QUIC-TRANSPORT]). Finally, because acknowledgements of Handshake packets areauthenticated, a blind attacker cannot forge them. Put together, these defenseslimit the level of amplification.¶

9.4.Header Protection Analysis

[NAN] analyzes authenticated encryptionalgorithms that provide nonce privacy, referred to as "Hide Nonce" (HN)transforms. The general header protection construction in this document isone of those algorithms (HN1). Header protection uses the output of the packetprotection AEAD to derivesample, and then encrypts the header field usinga pseudorandom function (PRF) as follows:¶

protected_field = field XOR PRF(hp_key, sample)

The header protection variants in this document use a pseudorandom permutation(PRP) in place of a generic PRF. However, since all PRPs are also PRFs[IMC],these variants do not deviate from the HN1 construction.¶

Ashp_key is distinct from the packet protection key, it follows that headerprotection achieves AE2 security as defined in[NAN] and therefore guaranteesprivacy offield, the protected packet header. Future header protectionvariants based on this construction MUST use a PRF to ensure equivalentsecurity guarantees.¶

Use of the same key and ciphertext sample more than once risks compromisingheader protection. Protecting two different headers with the same key andciphertext sample reveals the exclusive OR of the protected fields. Assumingthat the AEAD acts as a PRF, if L bits are sampled, the odds of two ciphertextsamples being identical approach 2^(-L/2), that is, the birthday bound. For thealgorithms described in this document, that probability is one in 2^64.¶

To prevent an attacker from modifying packet headers, the header is transitivelyauthenticated using packet protection; the entire packet header is part of theauthenticated additional data. Protected fields that are falsified or modifiedcan only be detected once the packet protection is removed.¶

9.5.Header Protection Timing Side-Channels

An attacker could guess values for packet numbers or Key Phase and have anendpoint confirm guesses through timing side channels. Similarly, guesses forthe packet number length can be tried and exposed. If the recipient of apacket discards packets with duplicate packet numbers without attempting toremove packet protection they could reveal through timing side-channels that thepacket number matches a received packet. For authentication to be free fromside-channels, the entire process of header protection removal, packet numberrecovery, and packet protection removal MUST be applied together without timingand other side-channels.¶

For the sending of packets, construction and protection of packet payloads andpacket numbers MUST be free from side-channels that would reveal the packetnumber or its encoded size.¶

During a key update, the time taken to generate new keys could reveal throughtiming side-channels that a key update has occurred. Alternatively, where anattacker injects packets this side-channel could reveal the value of the KeyPhase on injected packets. After receiving a key update, an endpoint SHOULDgenerate and save the next set of receive packet protection keys, as describedinSection 6.3. By generating new keys before a key update isreceived, receipt of packets will not create timing signals that leak the valueof the Key Phase.¶

This depends on not doing this key generation during packet processing and itcan require that endpoints maintain three sets of packet protection keys forreceiving: for the previous key phase, for the current key phase, and for thenext key phase. Endpoints can instead choose to defer generation of the nextreceive packet protection keys until they discard old keys so that only two setsof receive keys need to be retained at any point in time.¶

9.6.Key Diversity

In using TLS, the central key schedule of TLS is used. As a result of the TLShandshake messages being integrated into the calculation of secrets, theinclusion of the QUIC transport parameters extension ensures that handshake and1-RTT keys are not the same as those that might be produced by a server runningTLS over TCP. To avoid the possibility of cross-protocol key synchronization,additional measures are provided to improve key separation.¶

The QUIC packet protection keys and IVs are derived using a different label thanthe equivalent keys in TLS.¶

To preserve this separation, a new version of QUIC SHOULD define new labels forkey derivation for packet protection key and IV, plus the header protectionkeys. This version of QUIC uses the string "quic". Other versions can use aversion-specific label in place of that string.¶

The initial secrets use a key that is specific to the negotiated QUIC version.New QUIC versions SHOULD define a new salt value used in calculating initialsecrets.¶

A.1.Keys

The labels generated by the HKDF-Expand-Label function are:¶

client in:

00200f746c73313320636c69656e7420696e00¶

server in:

00200f746c7331332073657276657220696e00¶

quic key:

00100e746c7331332071756963206b657900¶

quic iv:

000c0d746c733133207175696320697600¶

quic hp:

00100d746c733133207175696320687000¶

The initial secret is common:¶

initial_secret = HKDF-Extract(initial_salt, cid)    = 1e7e7764529715b1e0ddc8e9753c6157      6769605187793ed366f8bbf8c9e986eb

The secrets for protecting client packets are:¶

client_initial_secret    = HKDF-Expand-Label(initial_secret, "client in", _, 32)    = 0088119288f1d866733ceeed15ff9d50      902cf82952eee27e9d4d4918ea371d87key = HKDF-Expand-Label(client_initial_secret, "quic key", _, 16)    = 175257a31eb09dea9366d8bb79ad80baiv  = HKDF-Expand-Label(client_initial_secret, "quic iv", _, 12)    = 6b26114b9cba2b63a9e8dd4fhp  = HKDF-Expand-Label(client_initial_secret, "quic hp", _, 16)    = 9ddd12c994c0698b89374a9c077a3077

The secrets for protecting server packets are:¶

server_initial_secret    = HKDF-Expand-Label(initial_secret, "server in", _, 32)    = 006f881359244dd9ad1acf85f595bad6      7c13f9f5586f5e64e1acae1d9ea8f616key = HKDF-Expand-Label(server_initial_secret, "quic key", _, 16)    = 149d0b1662ab871fbe63c49b5e655a5div  = HKDF-Expand-Label(server_initial_secret, "quic iv", _, 12)    = bab2b12a4c76016ace47856dhp  = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16)    = c0c499a65a60024a18a250974ea01dfa

A.2.Client Initial

The client sends an Initial packet. The unprotected payload of this packetcontains the following CRYPTO frame, plus enough PADDING frames to make a 1162byte payload:¶

060040f1010000ed0303ebf8fa56f129 39b9584a3896472ec40bb863cfd3e86804fe3a47f06a2b69484c000004130113 02010000c000000010000e00000b6578616d706c652e636f6dff01000100000a 00080006001d0017001800100007000504616c706e0005000501000000000033 00260024001d00209370b2c9caa47fbabaf4559fedba753de171fa71f50f1ce1 5d43e994ec74d748002b0003020304000d0010000e0403050306030203080408 050806002d00020101001c00024001ffa500320408ffffffffffffffff050480 00ffff07048000ffff0801100104800075300901100f088394c8f03e51570806 048000ffff

The unprotected header includes the connection ID and a 4-byte packet numberencoding for a packet number of 2:¶

c3ff00001d088394c8f03e5157080000449e00000002

Protecting the payload produces output that is sampled for header protection.Because the header uses a 4-byte packet number encoding, the first 16 bytes ofthe protected payload is sampled, then applied to the header:¶

sample = fb66bc6a93032b50dd8973972d149421mask = AES-ECB(hp, sample)[0..4]     = 1e9cdb9909header[0] ^= mask[0] & 0x0f     = cdheader[18..21] ^= mask[1..4]     = 9cdb990bheader = cdff00001d088394c8f03e5157080000449e9cdb990b

The resulting protected packet is:¶

cdff00001f088394c8f03e5157080000 449e9cdb990bfb66bc6a93032b50dd8973972d149421874d3849e3708d71354e a33bcdc356f3ea6e2a1a1bd7c3d140038d3e784d04c30a2cdb40c32523aba2da fe1c1bf3d27a6be38fe38ae033fbb0713c1c73661bb6639795b42b97f77068ea d51f11fbf9489af2501d09481e6c64d4b8551cd3cea70d830ce2aeeec789ef55 1a7fbe36b3f7e1549a9f8d8e153b3fac3fb7b7812c9ed7c20b4be190ebd89956 26e7f0fc887925ec6f0606c5d36aa81bebb7aacdc4a31bb5f23d55faef5c5190 5783384f375a43235b5c742c78ab1bae0a188b75efbde6b3774ed61282f9670a 9dea19e1566103ce675ab4e21081fb5860340a1e88e4f10e39eae25cd685b109 29636d4f02e7fad2a5a458249f5c0298a6d53acbe41a7fc83fa7cc01973f7a74 d1237a51974e097636b6203997f921d07bc1940a6f2d0de9f5a11432946159ed 6cc21df65c4ddd1115f86427259a196c7148b25b6478b0dc7766e1c4d1b1f515 9f90eabc61636226244642ee148b464c9e619ee50a5e3ddc836227cad938987c 4ea3c1fa7c75bbf88d89e9ada642b2b88fe8107b7ea375b1b64889a4e9e5c38a 1c896ce275a5658d250e2d76e1ed3a34ce7e3a3f383d0c996d0bed106c2899ca 6fc263ef0455e74bb6ac1640ea7bfedc59f03fee0e1725ea150ff4d69a7660c5 542119c71de270ae7c3ecfd1af2c4ce551986949cc34a66b3e216bfe18b347e6 c05fd050f85912db303a8f054ec23e38f44d1c725ab641ae929fecc8e3cefa56 19df4231f5b4c009fa0c0bbc60bc75f76d06ef154fc8577077d9d6a1d2bd9bf0 81dc783ece60111bea7da9e5a9748069d078b2bef48de04cabe3755b197d52b3 2046949ecaa310274b4aac0d008b1948c1082cdfe2083e386d4fd84c0ed0666d 3ee26c4515c4fee73433ac703b690a9f7bf278a77486ace44c489a0c7ac8dfe4 d1a58fb3a730b993ff0f0d61b4d89557831eb4c752ffd39c10f6b9f46d8db278 da624fd800e4af85548a294c1518893a8778c4f6d6d73c93df200960104e062b 388ea97dcf4016bced7f62b4f062cb6c04c20693d9a0e3b74ba8fe74cc012378 84f40d765ae56a51688d985cf0ceaef43045ed8c3f0c33bced08537f6882613a cd3b08d665fce9dd8aa73171e2d3771a61dba2790e491d413d93d987e2745af2 9418e428be34941485c93447520ffe231da2304d6a0fd5d07d08372202369661 59bef3cf904d722324dd852513df39ae030d8173908da6364786d3c1bfcb19ea 77a63b25f1e7fc661def480c5d00d44456269ebd84efd8e3a8b2c257eec76060 682848cbf5194bc99e49ee75e4d0d254bad4bfd74970c30e44b65511d4ad0e6e c7398e08e01307eeeea14e46ccd87cf36b285221254d8fc6a6765c524ded0085 dca5bd688ddf722e2c0faf9d0fb2ce7a0c3f2cee19ca0ffba461ca8dc5d2c817 8b0762cf67135558494d2a96f1a139f0edb42d2af89a9c9122b07acbc29e5e72 2df8615c343702491098478a389c9872a10b0c9875125e257c7bfdf27eef4060 bd3d00f4c14fd3e3496c38d3c5d1a5668c39350effbc2d16ca17be4ce29f02ed 969504dda2a8c6b9ff919e693ee79e09089316e7d1d89ec099db3b2b268725d8 88536a4b8bf9aee8fb43e82a4d919d48395781bc0a3e8125b4dd506ca025eb37

A.3.Server Initial

The server sends the following payload in response, including an ACK frame, aCRYPTO frame, and no PADDING frames:¶

02000000000600405a020000560303ee fce7f7b37ba1d1632e96677825ddf73988cfc79825df566dc5430b9a045a1200 130100002e00330024001d00209d3c940d89690b84d08a60993c144eca684d10 81287c834d5311bcf32bb9da1a002b00020304

The header from the server includes a new connection ID and a 2-byte packetnumber encoding for a packet number of 1:¶

c1ff00001d0008f067a5502a4262b50040740001

As a result, after protection, the header protection sample is taken startingfrom the third protected octet:¶

sample = 823a5d3a1207c86ee49132824f046524mask   = abaaf34fdcheader = caff00001d0008f067a5502a4262b5004074aaf2

The final protected packet is then:¶

c7ff00001f0008f067a5502a4262b500 4075fb12ff07823a5d24534d906ce4c76782a2167e3479c0f7f6395dc2c91676 302fe6d70bb7cbeb117b4ddb7d17349844fd61dae200b8338e1b932976b61d91 e64a02e9e0ee72e3a6f63aba4ceeeec5be2f24f2d86027572943533846caa13e 6f163fb257473d76f0e78487aca6427bda2e7e70a7ee48

A.4.Retry

This shows a Retry packet that might be sent in response to the Initial packetinAppendix A.2. The integrity check includes the client-chosenconnection ID value of 0x8394c8f03e515708, but that value is notincluded in the final Retry packet:¶

ffff00001f0008f067a5502a4262b574 6f6b656ec70ce5de430b4bdb7df1a3833a75f986

A.5.ChaCha20-Poly1305 Short Header Packet

This example shows some of the steps required to protect a packet witha short header. This example uses AEAD_CHACHA20_POLY1305.¶

In this example, TLS produces an application write secret from which a serveruses HKDF-Expand-Label to produce four values: a key, an IV, a headerprotection key, and the secret that will be used after keys are updated (thislast value is not used further in this example).¶

secret    = 9ac312a7f877468ebe69422748ad00a1      5443f18203a07d6060f688f30f21632bkey = HKDF-Expand-Label(secret, "quic key", _, 32)    = c6d98ff3441c3fe1b2182094f69caa2e      d4b716b65488960a7a984979fb23e1c8iv  = HKDF-Expand-Label(secret, "quic iv", _, 12)    = e0459b3474bdd0e44a41c144hp  = HKDF-Expand-Label(secret, "quic hp", _, 32)    = 25a282b9e82f06f21f488917a4fc8f1b      73573685608597d0efcb076b0ab7a7a4ku  = HKDF-Expand-Label(secret, "quic ku", _, 32)    = 1223504755036d556342ee9361d25342      1a826c9ecdf3c7148684b36b714881f9

The following shows the steps involved in protecting a minimal packet with anempty Destination Connection ID. This packet contains a single PING frame (thatis, a payload of just 0x01) and has a packet number of 654360564. In thisexample, using a packet number of length 3 (that is, 49140 is encoded) avoidshaving to pad the payload of the packet; PADDING frames would be needed if thepacket number is encoded on fewer octets.¶

pn                 = 654360564 (decimal)nonce              = e0459b3474bdd0e46d417eb0unprotected header = 4200bff4payload plaintext  = 01payload ciphertext = 655e5cd55c41f69080575d7999c25a5bfb

The resulting ciphertext is the minimum size possible. One byte is skipped toproduce the sample for header protection.¶

sample = 5e5cd55c41f69080575d7999c25a5bfbmask   = aefefe7d03header = 4cfe4189

The protected packet is the smallest possible packet size of 21 bytes.¶

packet = 4cfe4189655e5cd55c41f69080575d7999c25a5bfb

B.1.Analysis of AEAD_AES_128_GCM and AEAD_AES_256_GCM Usage Limits

[GCM-MU] specify concrete bounds for AEAD_AES_128_GCM and AEAD_AES_256_GCM asused in TLS 1.3 and QUIC. This section documents this analysis using severalsimplifying assumptions:¶

• The number of ciphertext blocks an attacker uses in forgery attempts isbounded by v * l, the number of forgery attempts and the size of each packet (inblocks).¶
• The amount of offline work done by an attacker does not dominate other factorsin the analysis.¶

The bounds in[GCM-MU] are tighter and more complete than those used in[AEBounds], which allows for larger limits than those described in[TLS13].¶

2 * (q * l)^2 / 2^128

q <= 2^25

(1 / 2^(8 * n)) + ((2 * v) / 2^(2 * n))        + ((2 * o * v) / 2^(k + n)) + (n * (v + (v * l)) / 2^k)

v <= 2^54

v <= 2^182

B.2.Analysis of AEAD_AES_128_CCM Usage Limits

TLS[TLS13] and[AEBounds] do not specify limits on usagefor AEAD_AES_128_CCM. However, any AEAD that is used with QUIC requires limitson use that ensure that both confidentiality and integrity are preserved. Thissection documents that analysis.¶

[CCM-ANALYSIS] is used as the basis of thisanalysis. The results of that analysis are used to derive usage limits that arebased on those chosen in[TLS13].¶

(2l * q)^2 / 2^n

q <= 2^24.5

v / 2^t + (2l * (v + q))^2 / 2^n

v + q <= 2^24.5

C.1.Since draft-ietf-quic-tls-30

• Add a new error code for AEAD_LIMIT_REACHED code to avoid conflict (#4087,#4088)¶

C.2.Since draft-ietf-quic-tls-29

• Updated limits on packet protection (#3788, #3789)¶
• Allow for packet processing to continue while waiting for TLS to providekeys (#3821, #3874)¶

C.3.Since draft-ietf-quic-tls-28

• Defined limits on the number of packets that can be protected with a singlekey and limits on the number of packets that can fail authentication (#3619,#3620)¶
• Update Initial salt, Retry keys, and samples (#3711)¶

C.4.Since draft-ietf-quic-tls-27

• Allowed CONNECTION_CLOSE in any packet number space, with restrictions onuse of the application-specific variant (#3430, #3435, #3440)¶
• Prohibit the use of the compatibility mode from TLS 1.3 (#3594, #3595)¶

C.5.Since draft-ietf-quic-tls-26

• No changes¶

C.6.Since draft-ietf-quic-tls-25

• No changes¶

C.7.Since draft-ietf-quic-tls-24

• Rewrite key updates (#3050)¶

  • Allow but don't recommend deferring key updates (#2792, #3263)¶
  • More completely define received behavior (#2791)¶
  • Define the label used with HKDF-Expand-Label (#3054)¶

C.8.Since draft-ietf-quic-tls-23

• Key update text update (#3050):¶

  • Recommend constant-time key replacement (#2792)¶
  • Provide explicit labels for key update key derivation (#3054)¶
• Allow first Initial from a client to span multiple packets (#2928, #3045)¶
• PING can be sent at any encryption level (#3034, #3035)¶

C.9.Since draft-ietf-quic-tls-22

• Update the salt used for Initial secrets (#2887, #2980)¶

C.10.Since draft-ietf-quic-tls-21

• No changes¶

C.11.Since draft-ietf-quic-tls-20

• Mandate the use of the QUIC transport parameters extension (#2528, #2560)¶
• Define handshake completion and confirmation; define clearer rules when itencryption keys should be discarded (#2214, #2267, #2673)¶

C.12.Since draft-ietf-quic-tls-18

• Increased the set of permissible frames in 0-RTT (#2344, #2355)¶
• Transport parameter extension is mandatory (#2528, #2560)¶

C.13.Since draft-ietf-quic-tls-17

• Endpoints discard initial keys as soon as handshake keys are available (#1951,#2045)¶
• Use of ALPN or equivalent is mandatory (#2263, #2284)¶

C.14.Since draft-ietf-quic-tls-14

• Update the salt used for Initial secrets (#1970)¶
• Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019)¶

• Change header protection¶

  • Sample from a fixed offset (#1575, #2030)¶
  • Cover part of the first byte, including the key phase (#1322, #2006)¶

• TLS provides an AEAD and KDF function (#2046)¶

  • Clarify that the TLS KDF is used with TLS (#1997)¶
  • Change the labels for calculation of QUIC keys (#1845, #1971, #1991)¶
• Initial keys are discarded once Handshake keys are available (#1951, #2045)¶

C.15.Since draft-ietf-quic-tls-13

• Updated to TLS 1.3 final (#1660)¶

C.16.Since draft-ietf-quic-tls-12

• Changes to integration of the TLS handshake (#829, #1018, #1094, #1165, #1190,#1233, #1242, #1252, #1450)¶

  • The cryptographic handshake uses CRYPTO frames, not stream 0¶
  • QUIC packet protection is used in place of TLS record protection¶
  • Separate QUIC packet number spaces are used for the handshake¶
  • Changed Retry to be independent of the cryptographic handshake¶
  • Limit the use of HelloRetryRequest to address TLS needs (like key shares)¶
• Changed codepoint of TLS extension (#1395, #1402)¶

C.17.Since draft-ietf-quic-tls-11

• Encrypted packet numbers.¶

C.18.Since draft-ietf-quic-tls-10

• No significant changes.¶

C.19.Since draft-ietf-quic-tls-09

• Cleaned up key schedule and updated the salt used for handshake packetprotection (#1077)¶

C.20.Since draft-ietf-quic-tls-08

• Specify value for max_early_data_size to enable 0-RTT (#942)¶
• Update key derivation function (#1003, #1004)¶

C.21.Since draft-ietf-quic-tls-07

• Handshake errors can be reported with CONNECTION_CLOSE (#608, #891)¶

C.22.Since draft-ietf-quic-tls-05

No significant changes.¶

C.23.Since draft-ietf-quic-tls-04

• Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)¶

C.24.Since draft-ietf-quic-tls-03

No significant changes.¶

C.25.Since draft-ietf-quic-tls-02

• Updates to match changes in transport draft¶

C.26.Since draft-ietf-quic-tls-01

• Use TLS alerts to signal TLS errors (#272, #374)¶
• Require ClientHello to fit in a single packet (#338)¶
• The second client handshake flight is now sent in the clear (#262, #337)¶
• The QUIC header is included as AEAD Associated Data (#226, #243, #302)¶
• Add interface necessary for client address validation (#275)¶
• Define peer authentication (#140)¶
• Require at least TLS 1.3 (#138)¶
• Define transport parameters as a TLS extension (#122)¶
• Define handling for protected packets before the handshake completes (#39)¶
• Decouple QUIC version and ALPN (#12)¶

C.27.Since draft-ietf-quic-tls-00

• Changed bit used to signal key phase¶
• Updated key phase markings during the handshake¶
• Added TLS interface requirements section¶
• Moved to use of TLS exporters for key derivation¶
• Moved TLS error code definitions into this document¶

C.28.Since draft-thomson-quic-tls-01

• Adopted as base for draft-ietf-quic-tls¶
• Updated authors/editors list¶
• Added status note¶