Compact TLS 1.3

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Structure definitions listed below override TLS 1.3 definitions; any PDU not internally defined is taken from TLS 1.3.

Template-based Specialization A significant transmission overhead in TLS 1.3 is contributed to by two factors, : - the negotiation of algorithm parameters, and extensions, as well as - the exchange of certificates. TLS 1.3 supports different credential types and modes that are impacted differently by a compression scheme. For example, TLS supports certificate-based authentication, raw public key-based authentication as well as pre-shared key (PSK)-based authentication. PSK-based authentication can be used with externally configured PSKs or with PSKs established through tickets. The basic idea of template-based specialization is that we start with the basic TLS 1.3 handshake, which is fully general and then remove degrees of freedom, eliding parts of the handshake which are used to express those degrees of freedom. For example, if we only support one version of TLS, then it is not necessary to have version negotiation and the supported_versions extension can be omitted. Importantly, this process is performed only for the wire encoding but not for the handshake transcript. The result is that the transcript for a specialized cTLS handshake is the same as the transcript for a TLS 1.3 handshake with the same features used. One way of thinking of this is as if specialization is a stateful compression layer between the handshake and the record layer: By assuming that out-of-band agreements took place already prior to the start of the cTLS protocol exchange, the amount of data exchanged can be radically reduced. Because different clients may use different compression templates and because multiple compression templates may be available for use in different deployment environments, a client needs to inform the server about the profile it is planning to use. The profile field in the ClientHello serves this purpose. Although the template-based specialization mechanisms described here are general, we also include specific mechanism for certificate-based exchanges because those are where the most complexity and size reduction can be obtained. Most of the other exchanges in TLS 1.3 are highly optimized and do not require compression to be used. The compression profile defining the use of algorithms, algorithm parameters, and extensions is specified via a JSON dictionary. For example, the following specialization describes a protocol with a single fixed version (TLS 1.3) and a single fixed cipher suite (TLS_AES_128_GCM_SHA256). On the wire, ClientHello.cipher_suites, ServerHello.cipher_suites, and the supported_versions extensions in the ClientHello and ServerHello would be omitted. The following elements are defined:

profile (integer):: identifies the profile being defined.
version (integer):: indicates that both sides agree to the single TLS version specified by the given integer value (772 == 0x0304 for TLS 1.3). The supported_versions extension is omitted from ClientHello.extensions and reconstructed in the transcript as a single-valued list with the specified value. The supported_versions extension is omitted from ClientHello.extensions and reconstructed in the transcript with the specified value.
cipherSuite (string):: indicates that both sides agree to the single named cipher suite, using the "TLS_AEAD_HASH" syntax defined in , Section 8.4. The ClientHello.cipher_suites field is omitted and reconstructed in the transcript as a single-valued list with the specified value. The server_hello.cipher_suite field is omitted and reconstructed in the transcript as the specified value.
dhGroup (string):: specifies a single DH group to use for key establishment. The group is listed by the code point name in , Section 4.2.7. (e.g., x25519). This implies a literal "supported_groups" extension consisting solely of this group.
signatureAlgorithm (string):: specifies a single signature scheme to use for authentication. The signature algorithm is listed by the code point name in , Section 4.2.3. (e.g., ecdsa_secp256r1_sha256). This implies a literal "signature_algorithms" extension consisting solely of this group.
random (integer):: indicates that the ClientHello.Random and ServerHello.Random values are truncated to the given length. When the transcript is reconstructed, the Random is padded to the right with 0s and the anti-downgrade mechanism in , Section 4.1.3 is disabled. IMPORTANT: Using short Random values can lead to potential attacks. The Random length MUST be less than or equal to 32 bytes.

[[Open Issue: Karthik Bhargavan suggested the idea of hashing ephemeral public keys and to use the result (truncated to 32 bytes) as random values. Such a change would require a security analysis. ]]

mutualAuth (boolean):: if set to true, indicates that the client must authenticate with a certificate by sending Certificate and a CertificateVerify message. The server MUST omit the CertificateRequest message, as its contents are redundant. [[OPEN ISSUE: We don't actually say that you can omit empty messages, so we need to add that somewhere.]]
extension_order:: indicates in what order extensions appear in respective messages. This allows to omit sending the type. If there is only a single extension to be transmitted, then the extension length field can also be omitted. For example, imagine that only the KeyShare extension needs to be sent in the ClientHello as the only extension. Then, the following structure

is compressed down to (assuming the KeyShare group has been pre-agreed)

clientHelloExtensions (predefined extensions):: Predefined ClientHello extensions, see {predefined-extensions}
serverHelloExtensions (predefined extensions):: Predefined ServerHello extensions, see {predefined-extensions}
encryptedExtensions (predefined extensions):: Predefined EncryptedExtensions extensions, see {predefined-extensions}
certRequestExtensions (predefined extensions):: Predefined CertificateRequest extensions, see {predefined-extensions}
knownCertificates (known certificates):: A compression dictionary for the Certificate message, see {known-certs}
finishedSize (integer):: indicates that the Finished value is to be truncated to the given length. When the transcript is reconstructed, the remainder of the Finished value is filled in by the receiving side.

[[OPEN ISSUE: How short should we allow this to be? TLS 1.3 uses the native hash and TLS 1.2 used 12 bytes. More analysis is needed to know the minimum safe Finished size. See ; Section E.1 for more on this, as well as https://mailarchive.ietf.org/arch/msg/tls/TugB5ddJu3nYg7chcyeIyUqWSbA.]]

optional (object):: contains keys that are not required to be understood by the client. Server operators MUST NOT place a key in this section unless the server is able to determine whether the key is in use based on the client data it receives. A key MUST NOT appear in both the main template and the optional section.

Requirements on TLS Implementations To be compatible with the specializations described in this section, a TLS stack needs to provide the following features:

If specialization of extensions is to be used, then the TLS stack MUST order each vector of Extension values in ascending order according to the ExtensionType. This allows for a deterministic reconstruction of the extension list.
If truncated Random values are to be used, then the TLS stack MUST be configurable to set the remaining bytes of the random values to zero. This ensures that the reconstructed, padded random value matches the original.
If truncated Finished values are to be used, then the TLS stack MUST be configurable so that only the provided bytes of the Finished are verified, or so that the expected remaining values can be computed.

Predefined Extensions Extensions used in the ClientHello, ServerHello, EncryptedExtensions, and CertificateRequest messages can be "predefined" in a compression profile, so that they do not have to be sent on the wire. A predefined extensions object is a dictionary whose keys are extension names specified in the TLS ExtensionTypeRegistry specified in . The corresponding value is a hex-encoded value for the ExtensionData field of the extension. When compressing a handshake message, the sender compares the extensions in the message being compressed to the predefined extensions object, applying the following rules:

If the extensions list in the message is not sorted in ascending order by extension type, it is an error, because the decompressed message will not match.
If there is no entry in the predefined extensions object for the type of the extension, then the extension is included in the compressed message
If there is an entry:
- If the ExtensionData of the extension does not match the value in the dictionary, it is an error, because decompression will not produce the correct result.
- If the ExtensionData matches, then the extension is removed, and not included in the compressed message.

When decompressing a handshake message the receiver reconstitutes the original extensions list using the predefined extensions:

If there is an extension in the compressed message with a type that exists in the predefined extensions object, it is an error, because such an extension would not have been sent by a sender with a compatible compression profile.
For each entry in the predefined extensions dictionary, an extension is added to the decompressed message with the specified type and value.
The resulting vector of extensions MUST be sorted in ascending order by extension type.

Note that the "version", "dhGroup", and "signatureAlgorithm" fields in the compression profile are specific instances of this algorithm for the corresponding extensions. [[OPEN ISSUE: Are there other extensions that would benefit from special treatment, as opposed to hex values.]]

Known Certificates Certificates are a major contributor to the size of a TLS handshake. In order to avoid this overhead when the parties to a handshake have already exchanged certificates, a compression profile can specify a dictionary of "known certificates" that effectively acts as a compression dictionary on certificates. A known certificates object is a JSON dictionary whose keys are strings containing hex-encoded compressed values. The corresponding values are hex-encoded strings representing the uncompressed values. For example: When compressing a Certificate message, the sender examines the cert_data field of each CertificateEntry. If the cert_data matches a value in the known certificates object, then the sender replaces the cert_data with the corresponding key. Decompression works the opposite way, replacing keys with values. Note that in this scheme, there is no signaling on the wire for whether a given cert_data value is compressed or uncompressed. Known certificates objects SHOULD be constructed in such a way as to avoid a uncompressed object being mistaken for compressed one and erroneously decompressed. For X.509, it is sufficient for the first byte of the compressed value (key) to have a value other than 0x30, since every X.509 certificate starts with this byte.

Record Layer The only cTLS records that are sent in plaintext are handshake records (ClientHello and ServerHello/HRR) and alerts. cTLS alerts are the same as TLS alerts and use the same content types. For handshake records, we set the content_type field to a fixed cTLS-specific value to distinguish cTLS plaintext records from encrypted records, TLS/DTLS records, and other protocols using the same 5-tuple. ; } CTLSPlaintext; ]]> [[OPEN ISSUE: The profile_id is needed in the ClientHello to inform the server what compression profile to use. For a ServerHello this field is not required. Should we make this field optional?]] Encrypted records use DTLS 1.3 record framing, comprising a configuration octet followed by optional connection ID, sequence number, and length fields. The encryption process and additional data are also as described in DTLS. The presence and size of the connection ID field is negotiated as in DTLS. As with DTLS, the length field MAY be omitted by clearing the L bit, which means that the record consumes the entire rest of the data in the lower level transport. In this case it is not possible to have multiple DTLSCiphertext format records without length fields in the same datagram. In stream-oriented transports (e.g., TCP), the length field MUST be present. For use over other transports length information may be inferred from the underlying layer. Normal DTLS does not provide a mechanism for suppressing the sequence number field entirely. When a reliable, ordered transport (e.g., TCP) is in use, the S bit in the configuration octet MUST be cleared and the sequence number MUST be omitted. When an unreliable transport is in use, the S bit has its usual meaning and the sequence number MUST be included.

Handshake Layer The cTLS handshake framing is same as the TLS 1.3 handshake framing, except for two changes:

The length field is omitted.
The HelloRetryRequest message is a true handshake message instead of a specialization of ServerHello.

Value	Description	DTLS-OK	Reference
TBD	ctls	Y	RFCXXXX
TBD	ctls_handshake	Y	RFCXXXX

Key	JSON Type	Reference
profile	number	(This document)
version	number	(This document)
cipherSuite	string	(This document)
dhGroup	string	(This document)
signatureAlgorithm	string	(This document)
random	number	(This document)
mutualAuth	true/false	(This document)
extension_order	object	(This document)
clientHelloExtensions	object	(This document)
serverHelloExtensions	object	(This document)
encryptedExtensions	object	(This document)
certRequestExtensions	object	(This document)
knownCertificates	object	(This document)
finishedSize	number	(This document)
optional	object	(This document)