[TLS] TLS 1.3 Record Boundaries
Andrei Popov <Andrei.Popov@microsoft.com> Tue, 24 October 2017 00:42 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TYePdo8RBKAQwIGhczyZAWZtIOM>
Draft-21 says:

"Handshake messages MUST NOT span key changes. Implementations MUST verify that all messages immediately preceding a key change align with a record boundary; if not, then they MUST terminate the connection with an "unexpected_message" alert. Because the ClientHello, EndOfEarlyData, ServerHello, Finished, and KeyUpdate messages can immediately precede a key change, implementations MUST send these messages in alignment with a record boundary."

It is not clear to me what "sending messages in alignment with a record boundary" means. Does it mean that each record is either all plaintext or all encrypted with key X? And therefore one cannot combine, e.g., ServerHello (plaintext) and EncryptedExtensions (encrypted with the handshake traffic key) messages in one record?

Thanks,

Andrei
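The receiver-side check that the quoted draft text requires, sketched as an added example that is not part of the original message, the draft, or any TLS library: after a handshake message that triggers a key change is fully parsed, the reassembly buffer must be empty. The names `read_flight`, `msg` and `UnexpectedMessage` and the sample messages are constructed for illustration, and the caller is assumed to supply the set of message types that change keys in the current handshake state.

```python
SERVER_HELLO, ENCRYPTED_EXTENSIONS, FINISHED = 2, 8, 20  # HandshakeType values


class UnexpectedMessage(Exception):
    """Stands in for terminating with a fatal unexpected_message alert."""


def msg(msg_type, body):
    """Build a handshake message: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def read_flight(fragments, key_change_after):
    """Reassemble handshake messages from record payloads read under one key.

    fragments: handshake record payloads, in arrival order.
    key_change_after: message types that trigger a key change in this state
    (an assumption supplied by the caller's handshake state machine).
    Returns the message types parsed up to and including the key change.
    """
    pending = bytearray()
    seen = []
    for fragment in fragments:
        pending += fragment
        while len(pending) >= 4:
            msg_type = pending[0]
            length = int.from_bytes(pending[1:4], "big")
            if len(pending) < 4 + length:
                break  # message continues in the next record, which is allowed
            del pending[:4 + length]
            seen.append(msg_type)
            if msg_type in key_change_after:
                # The key-changing message must end exactly at a record
                # boundary: any leftover bytes would straddle the key change.
                if pending:
                    raise UnexpectedMessage("data follows key-changing message")
                return seen  # the caller installs the new keys here
    return seen


# Constructed sample messages (contents are zero bytes, not real handshake data).
SH = msg(SERVER_HELLO, bytes(40))
EE = msg(ENCRYPTED_EXTENSIONS, bytes(2))
```

A ServerHello split across two records passes as long as its last byte ends a record, while `read_flight([SH + EE], {SERVER_HELLO})` raises `UnexpectedMessage`.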