TLS E. Rescorla Internet-Draft RTFM, Inc. Obsoletes: 6347 (If Approved) H

Total Page:16

File Type:pdf, Size:1020Kb

TLS E. Rescorla Internet-Draft RTFM, Inc. Obsoletes: 6347 (If Approved) H TLS E. Rescorla Internet-Draft RTFM, Inc. Obsoletes: 6347 (if approved) H. Tschofenig Intended status: Standards Track Arm Limited Expires: 1 November 2021 N. Modadugu Google, Inc. 30 April 2021 The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 draft-ietf-tls-dtls13-43 Abstract This document specifies Version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is intentionally based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection/non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 1 November 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. Rescorla, et al. Expires 1 November 2021 [Page 1] Internet-Draft DTLS 1.3 April 2021 This document is subject to BCP 78 and the IETF Trust’s Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . 4 2. Conventions and Terminology . 4 3. DTLS Design Rationale and Overview . 6 3.1. Packet Loss . 7 3.2. Reordering . 8 3.3. Fragmentation . 8 3.4. Replay Detection . 8 4. The DTLS Record Layer . 8 4.1. Demultiplexing DTLS Records . 12 4.2. Sequence Number and Epoch . 14 4.2.1. Processing Guidelines . 14 4.2.2. Reconstructing the Sequence Number and Epoch . 15 4.2.3. Record Number Encryption . 15 4.3. Transport Layer Mapping . 16 4.4. PMTU Issues . 17 4.5. Record Payload Protection . 19 4.5.1. Anti-Replay . 19 4.5.2. Handling Invalid Records . 20 4.5.3. AEAD Limits . 20 5. The DTLS Handshake Protocol . 22 5.1. Denial-of-Service Countermeasures . 22 5.2. DTLS Handshake Message Format . 25 5.3. ClientHello Message . 27 5.4. ServerHello Message . 28 5.5. Handshake Message Fragmentation and Reassembly . 28 Rescorla, et al. Expires 1 November 2021 [Page 2] Internet-Draft DTLS 1.3 April 2021 5.6. End Of Early Data . 29 5.7. DTLS Handshake Flights . 30 5.8. Timeout and Retransmission . 34 5.8.1. State Machine . 34 5.8.2. Timer Values . 37 5.8.3. Large Flight Sizes . 38 5.8.4. State machine duplication for post-handshake messages . 38 5.9. CertificateVerify and Finished Messages . 40 5.10. Cryptographic Label Prefix . 40 5.11. Alert Messages . 40 5.12. Establishing New Associations with Existing Parameters . 40 6. Example of Handshake with Timeout and Retransmission . 41 6.1. Epoch Values and Rekeying . 42 7. ACK Message . 45 7.1. Sending ACKs . 46 7.2. Receiving ACKs . 47 7.3. Design Rationale . 48 8. Key Updates . 48 9. Connection ID Updates . 50 9.1. Connection ID Example . 51 10. Application Data Protocol . 53 11. Security Considerations . 53 12. Changes since DTLS 1.2 . 55 13. Updates affecting DTLS 1.2 . 56 14. IANA Considerations . 56 15. References . 57 15.1. Normative References . 57 15.2. Informative References . 58 Appendix A. Protocol Data Structures and Constant Values . 61 A.1. Record Layer . 61 A.2. Handshake Protocol . 62 A.3. ACKs . 64 A.4. Connection ID Management . 64 Appendix B. Analysis of Limits on CCM Usage . 64 B.1. Confidentiality Limits . 65 B.2. Integrity Limits . 66 B.3. Limits for AEAD_AES_128_CCM_8 . 66 Appendix C. Implementation Pitfalls . 67 Appendix D. History . 67 Appendix E. Working Group Information . 70 Appendix F. Contributors . 70 Appendix G. Acknowledgements . 71 Authors’ Addresses . 71 Rescorla, et al. Expires 1 November 2021 [Page 3] Internet-Draft DTLS 1.3 April 2021 1. Introduction RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/tlswg/ dtls13-spec. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the TLS mailing list. The primary goal of the TLS protocol is to establish an authenticated, confidentiality and integrity protected channel between two communicating peers. The TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. However, TLS must run over a reliable transport channel - typically TCP [RFC0793]. There are applications that use UDP [RFC0768] as a transport and to offer communication security protection for those applications the Datagram Transport Layer Security (DTLS) protocol has been developed. DTLS is deliberately designed to be as similar to TLS as possible, both to minimize new security invention and to maximize the amount of code and infrastructure reuse. DTLS 1.0 [RFC4347] was originally defined as a delta from TLS 1.1 [RFC4346] and DTLS 1.2 [RFC6347] was defined as a series of deltas to TLS 1.2 [RFC5246]. There is no DTLS 1.1; that version number was skipped in order to harmonize version numbers with TLS. This specification describes the most current version of the DTLS protocol as a delta from TLS 1.3 [TLS13]. It obsoletes DTLS 1.2. Implementations that speak both DTLS 1.2 and DTLS 1.3 can interoperate with those that speak only DTLS 1.2 (using DTLS 1.2 of course), just as TLS 1.3 implementations can interoperate with TLS 1.2 (see Appendix D of [TLS13] for details). While backwards compatibility with DTLS 1.0 is possible the use of DTLS 1.0 is not recommended as explained in Section 3.1.2 of RFC 7525 [RFC7525] and [DEPRECATE]. 2. Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The following terms are used: Rescorla, et al. Expires 1 November 2021 [Page 4] Internet-Draft DTLS 1.3 April 2021 * client: The endpoint initiating the DTLS connection. * association: Shared state between two endpoints established with a DTLS handshake. * connection: Synonym for association. * endpoint: Either the client or server of the connection. * epoch: one set of cryptographic keys used for encryption and decryption. * handshake: An initial negotiation between client and server that establishes the parameters of the connection. * peer: An endpoint. When discussing a particular endpoint, "peer" refers to the endpoint that is remote to the primary subject of discussion. * receiver: An endpoint that is receiving records. * sender: An endpoint that is transmitting records. * server: The endpoint which did not initiate the DTLS connection. * CID: Connection ID * MSL: Maximum Segment Lifetime The reader is assumed to be familiar with [TLS13]. As in TLS 1.3, the HelloRetryRequest has the same format as a ServerHello message, but for convenience we use the term HelloRetryRequest throughout this document as if it were a distinct message. DTLS 1.3 uses network byte order (big-endian) format for encoding messages based on the encoding format defined in [TLS13] and earlier (D)TLS specifications. The reader is also assumed to be familiar with [I-D.ietf-tls-dtls-connection-id] as this document applies the CID functionality to DTLS 1.3. Figures in this document illustrate various combinations of the DTLS protocol exchanges and the symbols have the following meaning: * ’+’ indicates noteworthy extensions sent in the previously noted message. Rescorla, et al. Expires 1 November 2021 [Page 5] Internet-Draft DTLS 1.3 April 2021 * ’*’ indicates optional or situation-dependent messages/extensions that are not always sent. * ’{}’ indicates messages protected using keys derived from a [sender]_handshake_traffic_secret. * ’[]’ indicates messages protected using keys derived from traffic_secret_N. 3. DTLS Design Rationale and Overview The basic design philosophy of DTLS is to construct "TLS over datagram transport". Datagram transport does not require nor provide reliable or in-order delivery of data.
Recommended publications
  • Towards a Verifiably Secure Quantum-Resistant Key Exchange
    INSTITUT FÜR INFORMATIK DER LUDWIG–MAXIMILIANS–UNIVERSITÄT MÜNCHEN Masterarbeit Towards a Verifiably Secure Quantum-Resistant Key Exchange in IKEv2 Tobias Heider INSTITUT FÜR INFORMATIK DER LUDWIG–MAXIMILIANS–UNIVERSITÄT MÜNCHEN Masterarbeit Towards a Verifiably Secure Quantum-Resistant Key Exchange in IKEv2 Tobias Heider Aufgabensteller: Prof. Dr. Dieter Kranzlmüller Betreuer: Sophia Grundner-Culemann Tobias Guggemos Stefan-Lukas Gazdag (genua GmbH) Abgabetermin: 28. Oktober 2019 Hiermit versichere ich, dass ich die vorliegende Masterarbeit selbständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel verwendet habe. München, den 7. Juli 2077 .............................................. (Unterschrift des Kandidaten) Abstract Recent breakthroughs in the field of quantum computing have sparked fears that the cryp- tographic methods we rely on every day may be broken in the near future. Even worse, encrypted network communication protocols like the IPsec suite rely on an asymmetric key exchange to derive a set of symmetric keys used to encrypt network traffic. An attacker storing recordings of the key exchange and the following communication can break the key exchange, extract the symmetric keys and compromise the clear text data once a powerful enough quantum computer is available in the future . The goal of this work is to make the IKEv2 protocol and thus the whole IPsec communication quantum-resistant, using novel cryptographic methods collected in the NIST post-quantum standardization project, without introducing new security weaknesses. The challenge lies in the constraints of the new cryptographic schemes, such as enormous key sizes, which the IKEv2 protocol was not designed for. A thorough analysis of the quantum-resistant key exchange methods in regards to their constraints and an analysis of the IKEv2 protocol in terms of its limitations and security properties gives a clear insight of the changes required to support the new methods.
    [Show full text]
  • 225738Pre.Pdf
    PDF hosted at the Radboud Repository of the Radboud University Nijmegen The following full text is a preprint version which may differ from the publisher's version. For additional information about this publication click this link. https://hdl.handle.net/2066/225738 Please be advised that this information was generated on 2021-09-27 and may be subject to change. Post-quantum TLS without handshake signatures Full version, May 7, 2020 Peter Schwabe Douglas Stebila Thom Wiggers Radboud University University of Waterloo Radboud University [email protected] [email protected] [email protected] ABSTRACT Client Server static (sig): pk(, sk( We present KEMTLS, an alternative to the TLS 1.3 handshake that TCP SYN uses key-encapsulation mechanisms (KEMs) instead of signatures TCP SYN-ACK for server authentication. Among existing post-quantum candidates, G $ Z@ signature schemes generally have larger public key/signature sizes 6G compared to the public key/ciphertext sizes of KEMs: by using an ~ $ Z@ IND-CCA-secure KEM for server authentication in post-quantum ss 6G~ TLS, we obtain multiple benefits. A size-optimized post-quantum KDF(ss) ~ instantiation of KEMTLS requires less than half the bandwidth of a 6 , AEAD (cert[pk( ]kSig(sk(, transcript)kkey confirmation) size-optimized post-quantum instantiation of TLS 1.3. In a speed- AEAD 0 (key confirmation) optimized instantiation, KEMTLS reduces the amount of server CPU AEAD 00 (application data) cycles by almost 90% compared to TLS 1.3, while at the same time AEAD 000 (application data) reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for Figure 1: High-level overview of TLS 1.3, using signatures signatures from the server’s trusted code base.
    [Show full text]
  • Post-Quantum Authentication in TLS 1.3: a Performance Study
    Post-Quantum Authentication in TLS 1.3: A Performance Study Dimitrios Sikeridis∗, Panos Kampanakisy, Michael Devetsikiotis∗ ∗ Dept. of Electrical and Computer Engineering, The University of New Mexico, Albuquerque, NM, USA ySecurity & Trust Organization, Cisco Systems, USA fdsike, [email protected], [email protected] Abstract—The potential development of large-scale quantum Apart from connection integrity and confidentiality, TLS computers is raising concerns among IT and security research provides authentication usually with the use of X.509 certifi- professionals due to their ability to solve (elliptic curve) discrete cates [45]. Such certificates are issued by trusted third-parties logarithm and integer factorization problems in polynomial time. called Certificate Authorities (CAs). Endpoints verify the All currently used public key algorithms would be deemed communicating peer’s identity and public key (PK) contained insecure in a post-quantum (PQ) setting. In response, the National inside his certificate by leveraging a chain of certificates that is Institute of Standards and Technology (NIST) has initiated a pro- rooted to a pre-trusted root CA. The two most popular digital cess to standardize quantum-resistant crypto algorithms, focusing primarily on their security guarantees. Since PQ algorithms signature algorithms used in certificates today are the Elliptic present significant differences over classical ones, their overall Curve Digital Signature (ECDSA) and RivestShamirAdleman evaluation should not be performed out-of-context. This work (RSA). Their security guaranties rely on the hardness of the presents a detailed performance evaluation of the NIST signa- elliptic curve discrete logarithm (ECDL) and integer factoriza- ture algorithm candidates and investigates the imposed latency tion (IF) problems respectively.
    [Show full text]
  • Post-Quantum TLS Without Handshake Signatures Full Version, May 7, 2020
    Post-quantum TLS without handshake signatures Full version, May 7, 2020 Peter Schwabe Douglas Stebila Thom Wiggers Radboud University University of Waterloo Radboud University [email protected] [email protected] [email protected] ABSTRACT Client Server static (sig): pk(, sk( We present KEMTLS, an alternative to the TLS 1.3 handshake that TCP SYN uses key-encapsulation mechanisms (KEMs) instead of signatures TCP SYN-ACK for server authentication. Among existing post-quantum candidates, G $ Z@ signature schemes generally have larger public key/signature sizes 6G compared to the public key/ciphertext sizes of KEMs: by using an ~ $ Z@ IND-CCA-secure KEM for server authentication in post-quantum ss 6G~ TLS, we obtain multiple benefits. A size-optimized post-quantum KDF(ss) ~ instantiation of KEMTLS requires less than half the bandwidth of a 6 , AEAD (cert[pk( ]kSig(sk(, transcript)kkey confirmation) size-optimized post-quantum instantiation of TLS 1.3. In a speed- AEAD 0 (key confirmation) optimized instantiation, KEMTLS reduces the amount of server CPU AEAD 00 (application data) cycles by almost 90% compared to TLS 1.3, while at the same time AEAD 000 (application data) reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for Figure 1: High-level overview of TLS 1.3, using signatures signatures from the server’s trusted code base. for server authentication. Primes (0) on keys denote additional keys derived from the same shared secret using appropriate labels. KEYWORDS Post-quantum cryptography, key-encapsulation mechanisms, Trans- and by Cloudflare using X25519/NTRU-HRSS and X25519 together port Layer Security, NIST PQC with the supersingular-isogeny scheme SIKE [50].
    [Show full text]
  • Reading for Week 13: Quantum Computing: Pages 139-167
    Reading for Week 13: Quantum computing: pages 139-167 Quantum communications: pages 189-193; 200-205; 217-223 Law and Policy for the Quantum Age Draft: Do not circulate without permission Chris Jay Hoofnagle and Simson Garfinkel April 2, 2021 Note to reviewers Thank you for taking the time to look through our draft! We are most interested finding and correcting text that is factually wrong, technically inaccurate, or misleading. Please do not concern yourself with typos or grammar errors. We will be focusing on those later when we have all of the text in its near-final form. (However, we are interest in word usage errors, or in misspelling that are the result of homophones, as they are much harder to detect and correct in editing.) You can find the current draft of this book (as well as previous PDFs)here: https://simson.net/quantum-2021-slgcjh/ Thank you again! Please email us at: [email protected] and [email protected] 5 (NEAR FINAL) Quantum Computing Applications “A good way of pumping funding into the building of an actual quantum computer would be to find an efficient quantum factoring algo- rithm!”1 The risk of wide-scale cryptanalysis pervades narratives about quantum com- puting. We argue in this chapter that Feynman’s vision for quantum computing will ultimately prevail, despite the discovery of Peter Shor’s factoring algorithm that generated excitement about a use of quantum computers that people could understand—and dread. Feynman’s vision of quantum devices that simulate com- plex quantum interactions is more exciting and strategically relevant, yet also more difficult to portray popular descriptions of technology.
    [Show full text]
  • Post-Quantum Authentication in TLS 1.3: a Performance Study
    Post-Quantum Authentication in TLS 1.3: A Performance Study Dimitrios Sikeridis∗, Panos Kampanakisy, Michael Devetsikiotis∗ [email protected], [email protected], [email protected] ∗ Dept. of Electrical and Computer Engineering, The University of New Mexico, Albuquerque, NM, USA ySecurity & Trust Organization, Cisco Systems, USA Updates: Initially uploaded to Cryptology ePrint Archive which builds encrypted tunnels between digital entities. Studies on Jan 23, 2020. Revised to the submitted NDSS 2020 camera- suggest that over 60% of Internet connections are implemented ready manuscript on Jan 27, 2020. Revised to include clari- over the TLS-based secure HTTPS protocol [20], [64]. TLS fication in Section VII-C on optimizing the TCP initcwnd adoption is expected to keep increasing as users and client on Feb 26, 2020. vendors strive for ubiquitous encryption and privacy [51]. Abstract—The potential development of large-scale quantum Apart from connection integrity and confidentiality, TLS computers is raising concerns among IT and security research provides authentication usually with the use of X.509 certifi- professionals due to their ability to solve (elliptic curve) discrete cates [45]. Such certificates are issued by trusted third-parties logarithm and integer factorization problems in polynomial time. called Certificate Authorities (CAs). Endpoints verify the All currently used public key algorithms would be deemed insecure in a post-quantum (PQ) setting. In response, the National communicating peer’s identity and public key (PK) contained Institute of Standards and Technology (NIST) has initiated a pro- inside his certificate by leveraging a chain of certificates that is cess to standardize quantum-resistant crypto algorithms, focusing rooted to a pre-trusted root CA.
    [Show full text]
  • Post-Quantum TLS Without Handshake Signatures Full Version, April 21, 2021
    Post-Quantum TLS Without Handshake Signatures Full version, April 21, 2021 Peter Schwabe Douglas Stebila Thom Wiggers Max Planck Institute for Security and University of Waterloo Radboud University Privacy & Radboud University [email protected] [email protected] [email protected] ABSTRACT Client Server static (sig): pk(, sk( We present KEMTLS, an alternative to the TLS 1.3 handshake that TCP SYN uses key-encapsulation mechanisms (KEMs) instead of signatures TCP SYN-ACK for server authentication. Among existing post-quantum candidates, G $ Z @ 6G signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an ~ $ Z@ ss 6G~ IND-CCA-secure KEM for server authentication in post-quantum , 0, 00, 000 KDF(ss) TLS, we obtain multiple benefits. A size-optimized post-quantum ~ 6 , AEAD (cert[pk( ]kSig(sk(, transcript)kkey confirmation) instantiation of KEMTLS requires less than half the bandwidth of a ss 6~G size-optimized post-quantum instantiation of TLS 1.3. In a speed- , 0, 00, 000 KDF(ss) optimized instantiation, KEMTLS reduces the amount of server CPU AEAD 0 (application data) cycles by almost 90% compared to TLS 1.3, while at the same time AEAD 00 (key confirmation) reducing communication size, reducing the time until the client can AEAD 000 (application data) start sending encrypted application data, and eliminating code for signatures from the server’s trusted code base. Figure 1: High-level overview of TLS 1.3, using signatures for CCS CONCEPTS server authentication. • Security and privacy ! Security protocols; Web protocol security; Public key encryption.
    [Show full text]
  • Towards Post-Quantum Security for Signal's X3DH Handshake
    A version of this paper appears in the proceedings of Selected Areas in Cryptography (SAC 2020), 27th International Conference. Towards Post-Quantum Security for Signal's X3DH Handshake Jacqueline Brendel1, Marc Fischlin2, Felix G¨unther3, Christian Janson2, and Douglas Stebila4 1CISPA Helmholtz Center for Information Security, Saarbr¨ucken,Germany 2Technische Universit¨atDarmstadt, Darmstadt, Germany 3Department of Computer Science, ETH Z¨urich,Z¨urich,Switzerland 4University of Waterloo, Waterloo, Canada October 5, 2020 Abstract Modern key exchange protocols are usually based on the Diffie–Hellman (DH) primitive. The beauty of this primitive, among other things, is its potential reusage of key shares: DH shares can be either used a single time or in multiple runs. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post- quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot be necessarily deployed as an immediate DH substitute in protocols. In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow. We provide the relevant security notions of split KEMs and show how the formalism lends itself to lifting Signal's X3DH handshake to the post-quantum KEM setting without additional message flows. Although the proposed framework conceptually solves the raised issues, instantiating it securely from post-quantum assumptions proved to be non-trivial.
    [Show full text]