Internet Engineering Task Force (IETF)                       E. Rescorla
Request for Comments: 8446                                       Mozilla
Obsoletes: 5077, 5246, 6961                                  August 2018
Updates: 5705, 6066
Category: Standards Track
ISSN: 2070-1721

      The Transport Layer Security (TLS) Protocol Version 1.3

Abstract

   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077,
   5246, and 6961.  This document also specifies new requirements for
   TLS 1.2 implementations.

Status of This Memo

   This is an Internet Standards Track document.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8446.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
     1.2.  Major Differences from TLS 1.2
     1.3.  Updates Affecting TLS 1.2
   2.  Protocol Overview
     2.1.  Incorrect DHE Share
     2.2.  Resumption and Pre-Shared Key (PSK)
     2.3.  0-RTT Data
   3.  Presentation Language
     3.1.  Basic Block Size
     3.2.  Miscellaneous
     3.3.  Numbers
     3.4.  Vectors
     3.5.  Enumerateds
     3.6.  Constructed Types
     3.7.  Constants
     3.8.  Variants
   4.  Handshake Protocol
     4.1.  Key Exchange Messages
       4.1.1.  Cryptographic Negotiation
       4.1.2.  Client Hello
       4.1.3.  Server Hello
       4.1.4.  Hello Retry Request
     4.2.  Extensions
       4.2.1.  Supported Versions
       4.2.2.  Cookie
       4.2.3.  Signature Algorithms
       4.2.4.  Certificate Authorities
       4.2.5.  OID Filters
       4.2.6.  Post-Handshake Client Authentication
       4.2.7.  Supported Groups
       4.2.8.  Key Share
       4.2.9.  Pre-Shared Key Exchange Modes
       4.2.10. Early Data Indication
       4.2.11. Pre-Shared Key Extension
     4.3.  Server Parameters
       4.3.1.  Encrypted Extensions
       4.3.2.  Certificate Request
     4.4.  Authentication Messages
       4.4.1.  The Transcript Hash
       4.4.2.  Certificate
       4.4.3.  Certificate Verify
       4.4.4.  Finished
     4.5.  End of Early Data
     4.6.  Post-Handshake Messages
       4.6.1.  New Session Ticket Message
       4.6.2.  Post-Handshake Authentication
       4.6.3.  Key and Initialization Vector Update
   5.  Record Protocol
     5.1.  Record Layer
     5.2.  Record Payload Protection
     5.3.  Per-Record Nonce
     5.4.  Record Padding
     5.5.  Limits on Key Usage
   6.  Alert Protocol
     6.1.  Closure Alerts
     6.2.  Error Alerts
   7.  Cryptographic Computations
     7.1.  Key Schedule
     7.2.  Updating Traffic Secrets
     7.3.  Traffic Key Calculation
     7.4.  (EC)DHE Shared Secret Calculation
       7.4.1.  Finite Field Diffie-Hellman
       7.4.2.  Elliptic Curve Diffie-Hellman
     7.5.  Exporters
   8.  0-RTT and Anti-Replay
     8.1.  Single-Use Tickets
     8.2.  Client Hello Recording
     8.3.  Freshness Checks
   9.  Compliance Requirements
     9.1.  Mandatory-to-Implement Cipher Suites
     9.2.  Mandatory-to-Implement Extensions
     9.3.  Protocol Invariants
   10. Security Considerations
   11. IANA Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  State Machine
   Appendix B.  Protocol Data Structures and Constant Values
     B.1.  Record Layer
     B.2.  Alert Messages
     B.3.  Handshake Protocol
       B.3.1.  Key Exchange Messages
       B.3.2.  Server Parameters Messages
       B.3.3.  Authentication Messages
       B.3.4.  Ticket Establishment
       B.3.5.  Updating Keys
     B.4.  Cipher Suites
   Appendix C.  Implementation Notes
     C.1.  Random Number Generation and Seeding
     C.2.  Certificates and Authentication
     C.3.  Implementation Pitfalls
     C.4.  Client Tracking Prevention
     C.5.  Unauthenticated Operation
   Appendix D.  Backward Compatibility
     D.1.  Negotiating with an Older Server
     D.2.  Negotiating with an Older Client
     D.3.  0-RTT Backward Compatibility
     D.4.  Middle-Box Compatibility Mode
     D.5.  Security Restrictions Related to Backward Compatibility
   Appendix E.  Overview of Security Properties
     E.1.  Handshake
     E.2.  Record Layer
     E.3.  Traffic Analysis
     E.4.  Side-Channel Attacks
     E.5.  Replay Attacks on 0-RTT
     E.6.  PSK Identity Exposure
     E.7.  Sharing PSKs
     E.8.  Attacks on Static RSA
   Acknowledgements
   Author's Address

[NOTE: This file contains the header, abstract, and table of contents
of RFC 8446.  The full specification text is available at:

   https://www.rfc-editor.org/rfc/rfc8446
   https://www.rfc-editor.org/rfc/rfc8446.txt (text)
   https://www.rfc-editor.org/rfc/rfc8446.pdf (PDF)

   Full document: 160 pages, August 2018
   Author: Eric Rescorla (Mozilla)
   DOI: 10.17487/RFC8446
   Obsoletes: RFC 5077, RFC 5246, RFC 6961
   Updates: RFC 5705, RFC 6066]