https那些事儿
(一)SSL/TLS协议运行机制的概述
一、作用
不使用SSL/TLS的HTTP通信,就是不加密的通信。所有信息明文传播,带来了三大风险。
(1) 窃听风险(eavesdropping):第三方可以获知通信内容。
(2) 篡改风险(tampering):第三方可以修改通信内容。
(3) 冒充风险(pretending):第三方可以冒充他人身份参与通信。
SSL/TLS协议是为了解决这三大风险而设计的,希望达到:
(1) 所有信息都是加密传播,第三方无法窃听。
(2) 具有校验机制,一旦被篡改,通信双方会立刻发现。
(3) 配备身份证书,防止身份被冒充。
互联网是开放环境,通信双方都是未知身份,这为协议的设计带来了很大的难度。而且,协议还必须能够经受所有匪夷所思的攻击,这使得SSL/TLS协议变得异常复杂。
二、历史
互联网加密通信协议的历史,几乎与互联网一样长。
1994年,NetScape公司设计了SSL协议(Secure Sockets Layer)的1.0版,但是未发布。
1995年,NetScape公司发布SSL 2.0版,很快发现有严重漏洞。
1996年,SSL 3.0版问世,得到大规模应用。
1999年,互联网标准化组织ISOC接替NetScape公司,发布了SSL的升级版TLS 1.0版。
2006年和2008年,TLS进行了两次升级,分别为TLS 1.1版和TLS 1.2版。最新的变动是2011年TLS 1.2的修订版。
目前,应用最广泛的是TLS 1.0,接下来是SSL 3.0。但是,主流浏览器都已经实现了TLS 1.2的支持。
TLS 1.0通常被标示为SSL 3.1,TLS 1.1为SSL 3.2,TLS 1.2为SSL 3.3。
三、基本的运行过程
SSL/TLS协议的基本思路是采用公钥加密法,也就是说,客户端先向服务器端索要公钥,然后用公钥加密信息,服务器收到密文后,用自己的私钥解密。
但是,这里有两个问题。
(1)如何保证公钥不被篡改?
解决方法:将公钥放在数字证书中。只要证书是可信的,公钥就是可信的。
(2)公钥加密计算量太大,如何减少耗用的时间?
解决方法:每一次对话(session),客户端和服务器端都生成一个"对话密钥"(session key),用它来加密信息。由于"对话密钥"是对称加密,所以运算速度非常快,而服务器公钥只用于加密"对话密钥"本身,这样就减少了加密运算的消耗时间。
因此,SSL/TLS协议的基本过程是这样的:
(1) 客户端向服务器端索要并验证公钥。
(2) 双方协商生成"对话密钥"。
(3) 双方采用"对话密钥"进行加密通信。
上面过程的前两步,又称为"握手阶段"(handshake)。
四、握手阶段的详细过程
"握手阶段"涉及四次通信,我们一个个来看。需要注意的是,"握手阶段"的所有通信都是明文的。
4.1 客户端发出请求(ClientHello)
首先,客户端(通常是浏览器)先向服务器发出加密通信的请求,这被叫做ClientHello请求。
在这一步,客户端主要向服务器提供以下信息。
(1) 支持的协议版本,比如TLS 1.0版。
(2) 一个客户端生成的随机数,稍后用于生成"对话密钥"。
(3) 支持的加密方法,比如RSA公钥加密。
(4) 支持的压缩方法。
这里需要注意的是,客户端发送的信息之中不包括服务器的域名。也就是说,理论上服务器只能包含一个网站,否则会分不清应该向客户端提供哪一个网站的数字证书。这就是为什么通常一台服务器只能有一张数字证书的原因。
对于虚拟主机的用户来说,这当然很不方便。2006年,TLS协议加入了一个Server Name Indication扩展,允许客户端向服务器提供它所请求的域名。
4.2 服务器回应(SeverHello)
服务器收到客户端请求后,向客户端发出回应,这叫做SeverHello。服务器的回应包含以下内容。
(1) 确认使用的加密通信协议版本,比如TLS 1.0版本。如果浏览器与服务器支持的版本不一致,服务器关闭加密通信。
(2) 一个服务器生成的随机数,稍后用于生成"对话密钥"。
(3) 确认使用的加密方法,比如RSA公钥加密。
(4) 服务器证书。
除了上面这些信息,如果服务器需要确认客户端的身份,就会再包含一项请求,要求客户端提供"客户端证书"。比如,金融机构往往只允许认证客户连入自己的网络,就会向正式客户提供USB密钥,里面就包含了一张客户端证书。
4.3 客户端回应
客户端收到服务器回应以后,首先验证服务器证书。如果证书不是可信机构颁布、或者证书中的域名与实际域名不一致、或者证书已经过期,就会向访问者显示一个警告,由其选择是否还要继续通信。
如果证书没有问题,客户端就会从证书中取出服务器的公钥。然后,向服务器发送下面三项信息。
(1) 一个随机数。该随机数用服务器公钥加密,防止被窃听。
(2) 编码改变通知,表示随后的信息都将用双方商定的加密方法和密钥发送。
(3) 客户端握手结束通知,表示客户端的握手阶段已经结束。这一项同时也是前面发送的所有内容的hash值,用来供服务器校验。
上面第一项的随机数,是整个握手阶段出现的第三个随机数,又称"pre-master key"。有了它以后,客户端和服务器就同时有了三个随机数,接着双方就用事先商定的加密方法,各自生成本次会话所用的同一把"会话密钥"。
至于为什么一定要用三个随机数,来生成"会话密钥",dog250解释得很好:
"不管是客户端还是服务器,都需要随机数,这样生成的密钥才不会每次都一样。由于SSL协议中证书是静态的,因此十分有必要引入一种随机因素来保证协商出来的密钥的随机性。
对于RSA密钥交换算法来说,pre-master-key本身就是一个随机数,再加上hello消息中的随机,三个随机数通过一个密钥导出器最终导出一个对称密钥。
pre master的存在在于SSL协议不信任每个主机都能产生完全随机的随机数,如果随机数不随机,那么pre master secret就有可能被猜出来,那么仅适用pre master secret作为密钥就不合适了,因此必须引入新的随机因素,那么客户端和服务器加上pre master secret三个随机数一同生成的密钥就不容易被猜出了,一个伪随机可能完全不随机,可是是三个伪随机就十分接近随机了,每增加一个自由度,随机性增加的可不是一。"
此外,如果前一步,服务器要求客户端证书,客户端会在这一步发送证书及相关信息。
4.4 服务器的最后回应
服务器收到客户端的第三个随机数pre-master key之后,计算生成本次会话所用的"会话密钥"。然后,向客户端最后发送下面信息。
(1)编码改变通知,表示随后的信息都将用双方商定的加密方法和密钥发送。
(2)服务器握手结束通知,表示服务器的握手阶段已经结束。这一项同时也是前面发送的所有内容的hash值,用来供客户端校验。
至此,整个握手阶段全部结束。接下来,客户端与服务器进入加密通信,就完全是使用普通的HTTP协议,只不过用"会话密钥"加密内容。
(二)Https(SSL/TLS)原理详解
概述
Https(Hyper Text Transfer Protocol over Secure Socket Layer),是一种基于SSL/TLS的Http,所有的http数据都是在SSL/TLS协议封装之上传输的。Https协议在Http协议的基础上,添加了SSL/TLS握手以及数据加密传输,也属于应用层协议。所以,研究Https协议原理,最终其实是研究SSL/TLS协议。
SSL协议,是一种安全传输协议,最初是由 Netscape 在1996年发布,由于一些安全的原因SSL v1.0和SSL v2.0都没有公开,直到1996年的SSL v3.0。TLS是SSL v3.0的升级版,目前市面上所有的Https都是用的是TLS,而不是SSL。
TLS握手
TLS的握手阶段是发生在TCP握手之后。握手实际上是一种协商的过程,对协议所必需的一些参数进行协商。TLS握手过程分为四步,过程如下:(备注:图中加方括号的均为可选消息)
Client Hello
由于客户端(如浏览器)对一些加解密算法的支持程度不一样,但是在TLS协议传输过程中必须使用同一套加解密算法才能保证数据能够正常的加解密。在TLS握手阶段,客户端首先要告知服务端,自己支持哪些加密算法,所以客户端需要将本地支持的加密套件(Cipher Suite)的列表传送给服务端。除此之外,客户端还要产生一个随机数,这个随机数一方面需要在客户端保存,另一方面需要传送给服务端,客户端的随机数需要跟服务端产生的随机数结合起来产生后面要讲到的Master Secret。
Server Hello
上图中,从Server Hello到Server Done,有些服务端的实现是每条单独发送,有服务端实现是合并到一起发送。Sever Hello和Server Done都是只有头没有内容的数据。
服务端在接收到客户端的Client Hello之后,服务端需要将自己的证书发送给客户端。这个证书是对于服务端的一种认证。例如,客户端收到了一个来自于称自己是www.alipay.com的数据,但是如何证明对方是合法的alipay支付宝呢?这就是证书的作用,支付宝的证书可以证明它是alipay,而不是财付通。证书是需要申请,并由专门的数字证书认证机构(CA)通过非常严格的审核之后颁发的电子证书。颁发证书的同时会产生一个私钥和公钥。私钥由服务端自己保存,不可泄漏。公钥则是附带在证书的信息中,可以公开的。证书本身也附带一个证书电子签名,这个签名用来验证证书的完整性和真实性,可以防止证书被串改。另外,证书还有个有效期。
在服务端向客户端发送的证书中没有提供足够的信息的时候,还可以向客户端发送一个Server Key Exchange。
此外,对于非常重要的保密数据,服务端还需要对客户端进行验证,以保证数据传送给了安全的合法的客户端。服务端可以向客户端发出Cerficate Request消息,要求客户端发送证书对客户端的合法性进行验证。
跟客户端一样,服务端也需要产生一个随机数发送给客户端。客户端和服务端都需要使用这两个随机数来产生Master Secret。
最后服务端会发送一个Server Hello Done消息给客户端,表示Server Hello消息结束了。
Client Key Exchange
如果服务端需要对客户端进行验证,在客户端收到服务端的Server Hello消息之后,首先需要向服务端发送客户端的证书,让服务端来验证客户端的合法性。
在此之前的所有TLS握手信息都是明文传送的。在收到服务端的证书等信息之后,客户端会使用一些加密算法(例如:RSA, Diffie-Hellman)产生一个48个字节的Key,这个Key叫PreMaster Secret,很多材料上也被称作PreMaster Key, 最终通过Master secret生成session secret, session secret就是用来对应用数据进行加解密的。PreMaster secret属于一个保密的Key,只要截获PreMaster secret,就可以通过之前明文传送的随机数,最终计算出session secret,所以PreMaster secret使用RSA非对称加密的方式,使用服务端传过来的公钥进行加密,然后传给服务端。
接着,客户端需要对服务端的证书进行检查,检查证书的完整性以及证书跟服务端域名是否吻合。
ChangeCipherSpec是一个独立的协议,体现在数据包中就是一个字节的数据,用于告知服务端,客户端已经切换到之前协商好的加密套件的状态,准备使用之前协商好的加密套件加密数据并传输了。
在ChangecipherSpec传输完毕之后,客户端会使用之前协商好的加密套件和session secret加密一段Finish的数据传送给服务端,此数据是为了在正式传输应用数据之前对刚刚握手建立起来的加解密通道进行验证。
Server Finish
服务端在接收到客户端传过来的PreMaster加密数据之后,使用私钥对这段加密数据进行解密,并对数据进行验证,也会使用跟客户端同样的方式生成session secret,一切准备好之后,会给客户端发送一个ChangeCipherSpec,告知客户端已经切换到协商过的加密套件状态,准备使用加密套件和session secret加密数据了。之后,服务端也会使用session secret加密后一段Finish消息发送给客户端,以验证之前通过握手建立起来的加解密通道是否成功。
根据之前的握手信息,如果客户端和服务端都能对Finish信息进行正常加解密且消息正确的被验证,则说明握手通道已经建立成功,接下来,双方可以使用上面产生的session secret对数据进行加密传输了。
Secret Keys
上面的分析和讲解主要是为了突出握手的过程,所以PreMaster secret,Master secret,session secret都是一代而过,但是对于Https,SSL/TLS深入的理解和掌握,这些Secret Keys是非常重要的部分。所以,准备把这些Secret Keys抽出来单独分析和讲解。
我们先来看看这些Secret Keys的的生成过程以及作用流程图:
PreMaster secret
PreMaster secret是在客户端使用RSA或者Diffie-Hellman等加密算法生成的。它将用来跟服务端和客户端在Hello阶段产生的随机数结合在一起生成Master secret。在客户端使用服务单的公钥对PreMaster secret进行加密之后传送给服务端,服务端将使用私钥进行解密得到PreMaster secret。也就是说服务端和客户端都有一份相同的PreMaster secret和随机数。
PreMaster secret前两个字节是TLS的版本号,这是一个比较重要的用来核对握手数据的版本号,因为在Client Hello阶段,客户端会发送一份加密套件列表和当前支持的SSL/TLS的版本号给服务端,而且是使用明文传送的,如果握手的数据包被破解之后,攻击者很有可能串改数据包,选择一个安全性较低的加密套件和版本给服务端,从而对数据进行破解。所以,服务端需要对密文中解密出来对的PreMaster版本号跟之前Client Hello阶段的版本号进行对比,如果版本号变低,则说明被串改,则立即停止发送任何消息。
关于PreMaster Secret(Key)的计算:
Client Hello 和Server Hello阶段都会发送各自的Random随机数给对方,最终都是用来计算Master Secret的。
至于PreMaster Secret(Key)的计算,主要是通过RSA或者Diffie-Hellman算法生成。我们可以看出,由于在Say Hello阶段,随机数都是明文传送的,如果PreMaster Secret泄漏的话,会导致整个SSL/TLS失效。PreMaster/Master Secret(Key)的计算流程如图所示:
Master secret
上面已经提到,由于服务端和客户端都有一份相同的PreMaster secret和随机数,这个随机数将作为后面产生Master secret的种子,结合PreMaster secret,客户端和服务端将计算出同样的Master secret。
Master secret是有系列的hash值组成的,它将作为数据加解密相关的secret的Key Material。Master secret最终解析出来的数据如下:
其中,write MAC key,就是session secret或者说是session key。Client write MAC key是客户端发数据的session secret,Server write MAC secret是服务端发送数据的session key。MAC(Message Authentication Code),是一个数字签名,用来验证数据的完整性,可以检测到数据是否被串改。关于MAC的工作原理详见MAC。
关于Session Secret(Key)的计算:
Session Secret(Key)是从Key Materaial中获取的。Key Material的计算跟Master Secret(Key)的计算类似,只不过计算的次数要多。 Key Material需要计算12次,从而产生12个hash值,计算过程如图:
由于画图展示的原因,上面我只画出了计算4个hash的流程,其实这个是要计算12次,来产生12个hash。
产生12个hash之后,紧接着就可以从这个Key Material中获取Session Secret了。
如图所示,从Key Material依次可以解析出Client MAC, Server MAC, Client Cipher,Server Cipher, Client IV, Server IV。 其中,Client/Server MAC是用来对数据进行验证的,Cliet/Server Cipher就是Client/Server write encryption Key,用来对数据进行加解密的。
应用数据传输
在所有的握手阶段都完成之后,就可以开始传送应用数据了。应用数据在传输之前,首先要附加上MAC secret,然后再对这个数据包使用write encryption key进行加密。在服务端收到密文之后,使用Client write encryption key进行解密,客户端收到服务端的数据之后使用Server write encryption key进行解密,然后使用各自的write MAC key对数据的完整性包括是否被串改进行验证。
(三)The Transport Layer Security (TLS) Protocol
Version 1.2
- Status of This Memo
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
- Abstract
- This document specifies Version 1.2 of the Transport Layer Security
- (TLS) protocol. The TLS protocol provides communications security
- over the Internet. The protocol allows client/server applications to
- communicate in a way that is designed to prevent eavesdropping,
- tampering, or message forgery.
- Table of Contents
- 1. Introduction ....................................................4
- 1.1. Requirements Terminology ...................................5
- 1.2. Major Differences from TLS 1.1 .............................5
- 2. Goals ...........................................................6
- 3. Goals of This Document ..........................................7
- 4. Presentation Language ...........................................7
- 4.1. Basic Block Size ...........................................7
- 4.2. Miscellaneous ..............................................8
- 4.3. Vectors ....................................................8
- 4.4. Numbers ....................................................9
- 4.5. Enumerateds ................................................9
- 4.6. Constructed Types .........................................10
- 4.6.1. Variants ...........................................10
- 4.7. Cryptographic Attributes ..................................12
- 4.8. Constants .................................................14
- 5. HMAC and the Pseudorandom Function .............................14
- 6. The TLS Record Protocol ........................................15
- 6.1. Connection States .........................................16
- 6.2. Record Layer ..............................................19
- 6.2.1. Fragmentation ......................................19
- Dierks & Rescorla Standards Track [Page 1]
- RFC 5246 TLS August 2008
- 6.2.2. Record Compression and Decompression ...............20
- 6.2.3. Record Payload Protection ..........................21
- 6.2.3.1. Null or Standard Stream Cipher ............22
- 6.2.3.2. CBC Block Cipher ..........................22
- 6.2.3.3. AEAD Ciphers ..............................24
- 6.3. Key Calculation ...........................................25
- 7. The TLS Handshaking Protocols ..................................26
- 7.1. Change Cipher Spec Protocol ...............................27
- 7.2. Alert Protocol ............................................28
- 7.2.1. Closure Alerts .....................................29
- 7.2.2. Error Alerts .......................................30
- 7.3. Handshake Protocol Overview ...............................33
- 7.4. Handshake Protocol ........................................37
- 7.4.1. Hello Messages .....................................38
- 7.4.1.1. Hello Request .............................38
- 7.4.1.2. Client Hello ..............................39
- 7.4.1.3. Server Hello ..............................42
- 7.4.1.4. Hello Extensions ..........................44
- 7.4.1.4.1. Signature Algorithms ...........45
- 7.4.2. Server Certificate .................................47
- 7.4.3. Server Key Exchange Message ........................50
- 7.4.4. Certificate Request ................................53
- 7.4.5. Server Hello Done ..................................55
- 7.4.6. Client Certificate .................................55
- 7.4.7. Client Key Exchange Message ........................57
- 7.4.7.1. RSA-Encrypted Premaster Secret Message ....58
- 7.4.7.2. Client Diffie-Hellman Public Value ........61
- 7.4.8. Certificate Verify .................................62
- 7.4.9. Finished ...........................................63
- 8. Cryptographic Computations .....................................64
- 8.1. Computing the Master Secret ...............................64
- 8.1.1. RSA ................................................65
- 8.1.2. Diffie-Hellman .....................................65
- 9. Mandatory Cipher Suites ........................................65
- 10. Application Data Protocol .....................................65
- 11. Security Considerations .......................................65
- 12. IANA Considerations ...........................................65
- Appendix A. Protocol Data Structures and Constant Values ..........68
- A.1. Record Layer ..............................................68
- A.2. Change Cipher Specs Message ...............................69
- A.3. Alert Messages ............................................69
- A.4. Handshake Protocol ........................................70
- A.4.1. Hello Messages .....................................71
- A.4.2. Server Authentication and Key Exchange Messages ....72
- A.4.3. Client Authentication and Key Exchange Messages ....74
- A.4.4. Handshake Finalization Message .....................74
- A.5. The Cipher Suite ..........................................75
- A.6. The Security Parameters ...................................77
- Dierks & Rescorla Standards Track [Page 2]
- RFC 5246 TLS August 2008
- A.7. Changes to RFC 4492 .......................................78
- Appendix B. Glossary ..............................................78
- Appendix C. Cipher Suite Definitions ..............................83
- Appendix D. Implementation Notes ..................................85
- D.1. Random Number Generation and Seeding ......................85
- D.2. Certificates and Authentication ...........................85
- D.3. Cipher Suites .............................................85
- D.4. Implementation Pitfalls ...................................85
- Appendix E. Backward Compatibility ................................87
- E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 ................87
- E.2. Compatibility with SSL 2.0 ................................88
- E.3. Avoiding Man-in-the-Middle Version Rollback ...............90
- Appendix F. Security Analysis .....................................91
- F.1. Handshake Protocol ........................................91
- F.1.1. Authentication and Key Exchange ....................91
- F.1.1.1. Anonymous Key Exchange ....................91
- F.1.1.2. RSA Key Exchange and Authentication .......92
- F.1.1.3. Diffie-Hellman Key Exchange with
- Authentication ............................92
- F.1.2. Version Rollback Attacks ...........................93
- F.1.3. Detecting Attacks Against the Handshake Protocol ...94
- F.1.4. Resuming Sessions ..................................94
- F.2. Protecting Application Data ...............................94
- F.3. Explicit IVs ..............................................95
- F.4. Security of Composite Cipher Modes ........................95
- F.5. Denial of Service .........................................96
- F.6. Final Notes ...............................................96
- Normative References ..............................................97
- Informative References ............................................98
- Working Group Information ........................................101
- Contributors .....................................................101
- Dierks & Rescorla Standards Track [Page 3]
- RFC 5246 TLS August 2008
1. Introduction
- The primary goal of the TLS protocol is to provide privacy and data
- integrity between two communicating applications. The protocol is
- composed of two layers: the TLS Record Protocol and the TLS Handshake
- Protocol. At the lowest level, layered on top of some reliable
- transport protocol (e.g., TCP [TCP]), is the TLS Record Protocol.
- The TLS Record Protocol provides connection security that has two
- basic properties:
- - The connection is private. Symmetric cryptography is used for
- data encryption (e.g., AES [AES], RC4 [SCH], etc.). The keys for
- this symmetric encryption are generated uniquely for each
- connection and are based on a secret negotiated by another
- protocol (such as the TLS Handshake Protocol). The Record
- Protocol can also be used without encryption.
- - The connection is reliable. Message transport includes a message
- integrity check using a keyed MAC. Secure hash functions (e.g.,
- SHA-1, etc.) are used for MAC computations. The Record Protocol
- can operate without a MAC, but is generally only used in this mode
- while another protocol is using the Record Protocol as a transport
- for negotiating security parameters.
- The TLS Record Protocol is used for encapsulation of various higher-
- level protocols. One such encapsulated protocol, the TLS Handshake
- Protocol, allows the server and client to authenticate each other and
- to negotiate an encryption algorithm and cryptographic keys before
- the application protocol transmits or receives its first byte of
- data. The TLS Handshake Protocol provides connection security that
- has three basic properties:
- - The peer's identity can be authenticated using asymmetric, or
- public key, cryptography (e.g., RSA [RSA], DSA [DSS], etc.). This
- authentication can be made optional, but is generally required for
- at least one of the peers.
- - The negotiation of a shared secret is secure: the negotiated
- secret is unavailable to eavesdroppers, and for any authenticated
- connection the secret cannot be obtained, even by an attacker who
- can place himself in the middle of the connection.
- - The negotiation is reliable: no attacker can modify the
- negotiation communication without being detected by the parties to
- the communication.
- Dierks & Rescorla Standards Track [Page 4]
- RFC 5246 TLS August 2008
- One advantage of TLS is that it is application protocol independent.
- Higher-level protocols can layer on top of the TLS protocol
- transparently. The TLS standard, however, does not specify how
- protocols add security with TLS; the decisions on how to initiate TLS
- handshaking and how to interpret the authentication certificates
- exchanged are left to the judgment of the designers and implementors
- of protocols that run on top of TLS.
1.1. Requirements Terminology
1.2. Major Differences from TLS 1.1
- This document is a revision of the TLS 1.1 [TLS1.1] protocol which
- contains improved flexibility, particularly for negotiation of
- cryptographic algorithms. The major changes are:
- - The MD5/SHA-1 combination in the pseudorandom function (PRF) has
- been replaced with cipher-suite-specified PRFs. All cipher suites
- in this document use P_SHA256.
- - The MD5/SHA-1 combination in the digitally-signed element has been
- replaced with a single hash. Signed elements now include a field
- that explicitly specifies the hash algorithm used.
- - Substantial cleanup to the client's and server's ability to
- specify which hash and signature algorithms they will accept.
- Note that this also relaxes some of the constraints on signature
- and hash algorithms from previous versions of TLS.
- - Addition of support for authenticated encryption with additional
- data modes.
- - TLS Extensions definition and AES Cipher Suites were merged in
- from external [TLSEXT] and [TLSAES].
- - Tighter checking of EncryptedPreMasterSecret version numbers.
- - Tightened up a number of requirements.
- - Verify_data length now depends on the cipher suite (default is
- still 12).
- - Cleaned up description of Bleichenbacher/Klima attack defenses.
- Dierks & Rescorla Standards Track [Page 5]
- RFC 5246 TLS August 2008
- - Alerts MUST now be sent in many cases.
- - After a certificate_request, if no certificates are available,
- clients now MUST send an empty certificate list.
- - TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement
- cipher suite.
- - Added HMAC-SHA256 cipher suites.
- - Removed IDEA and DES cipher suites. They are now deprecated and
- will be documented in a separate document.
- - Support for the SSLv2 backward-compatible hello is now a MAY, not
- a SHOULD, with sending it a SHOULD NOT. Support will probably
- become a SHOULD NOT in the future.
- - Added limited "fall-through" to the presentation language to allow
- multiple case arms to have the same encoding.
- - Added an Implementation Pitfalls sections
- - The usual clarifications and editorial work.
2. Goals
- The goals of the TLS protocol, in order of priority, are as follows:
- 1. Cryptographic security: TLS should be used to establish a secure
- connection between two parties.
- 2. Interoperability: Independent programmers should be able to
- develop applications utilizing TLS that can successfully exchange
- cryptographic parameters without knowledge of one another's code.
- 3. Extensibility: TLS seeks to provide a framework into which new
- public key and bulk encryption methods can be incorporated as
- necessary. This will also accomplish two sub-goals: preventing
- the need to create a new protocol (and risking the introduction of
- possible new weaknesses) and avoiding the need to implement an
- entire new security library.
- 4. Relative efficiency: Cryptographic operations tend to be highly
- CPU intensive, particularly public key operations. For this
- reason, the TLS protocol has incorporated an optional session
- caching scheme to reduce the number of connections that need to be
- established from scratch. Additionally, care has been taken to
- reduce network activity.
- Dierks & Rescorla Standards Track [Page 6]
- RFC 5246 TLS August 2008
3. Goals of This Document
- This document and the TLS protocol itself are based on the SSL 3.0
- Protocol Specification as published by Netscape. The differences
- between this protocol and SSL 3.0 are not dramatic, but they are
- significant enough that the various versions of TLS and SSL 3.0 do
- not interoperate (although each protocol incorporates a mechanism by
- which an implementation can back down to prior versions). This
- document is intended primarily for readers who will be implementing
- the protocol and for those doing cryptographic analysis of it. The
- specification has been written with this in mind, and it is intended
- to reflect the needs of those two groups. For that reason, many of
- the algorithm-dependent data structures and rules are included in the
- body of the text (as opposed to in an appendix), providing easier
- access to them.
- This document is not intended to supply any details of service
- definition or of interface definition, although it does cover select
- areas of policy as they are required for the maintenance of solid
- security.
4. Presentation Language
- This document deals with the formatting of data in an external
- representation. The following very basic and somewhat casually
- defined presentation syntax will be used. The syntax draws from
- several sources in its structure. Although it resembles the
- programming language "C" in its syntax and XDR [XDR] in both its
- syntax and intent, it would be risky to draw too many parallels. The
- purpose of this presentation language is to document TLS only; it has
- no general application beyond that particular goal.
4.1. Basic Block Size
- The representation of all data items is explicitly specified. The
- basic data block size is one byte (i.e., 8 bits). Multiple byte data
- items are concatenations of bytes, from left to right, from top to
- bottom. From the byte stream, a multi-byte item (a numeric in the
- example) is formed (using C notation) by:
- value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
- ... | byte[n-1];
- This byte ordering for multi-byte values is the commonplace network
- byte order or big-endian format.
- Dierks & Rescorla Standards Track [Page 7]
- RFC 5246 TLS August 2008
4.2. Miscellaneous
- Comments begin with "/*" and end with "*/".
- Optional components are denoted by enclosing them in "[[ ]]" double
- brackets.
- Single-byte entities containing uninterpreted data are of type
- opaque.
4.3. Vectors
- A vector (single-dimensioned array) is a stream of homogeneous data
- elements. The size of the vector may be specified at documentation
- time or left unspecified until runtime. In either case, the length
- declares the number of bytes, not the number of elements, in the
- vector. The syntax for specifying a new type, T', that is a fixed-
- length vector of type T is
- T T'[n];
- Here, T' occupies n bytes in the data stream, where n is a multiple
- of the size of T. The length of the vector is not included in the
- encoded stream.
- In the following example, Datum is defined to be three consecutive
- bytes that the protocol does not interpret, while Data is three
- consecutive Datum, consuming a total of nine bytes.
- opaque Datum[3]; /* three uninterpreted bytes */
- Datum Data[9]; /* 3 consecutive 3 byte vectors */
- Variable-length vectors are defined by specifying a subrange of legal
- lengths, inclusively, using the notation <floor..ceiling>. When
- these are encoded, the actual length precedes the vector's contents
- in the byte stream. The length will be in the form of a number
- consuming as many bytes as required to hold the vector's specified
- maximum (ceiling) length. A variable-length vector with an actual
- length field of zero is referred to as an empty vector.
- T T'<floor..ceiling>;
- In the following example, mandatory is a vector that must contain
- between 300 and 400 bytes of type opaque. It can never be empty.
- The actual length field consumes two bytes, a uint16, which is
- sufficient to represent the value 400 (see Section 4.4). On the
- other hand, longer can represent up to 800 bytes of data, or 400
- uint16 elements, and it may be empty. Its encoding will include a
- Dierks & Rescorla Standards Track [Page 8]
- RFC 5246 TLS August 2008
- two-byte actual length field prepended to the vector. The length of
- an encoded vector must be an even multiple of the length of a single
- element (for example, a 17-byte vector of uint16 would be illegal).
- opaque mandatory<300..400>;
- /* length field is 2 bytes, cannot be empty */
- uint16 longer<0..800>;
- /* zero to 400 16-bit unsigned integers */
4.4. Numbers
- The basic numeric data type is an unsigned byte (uint8). All larger
- numeric data types are formed from fixed-length series of bytes
- concatenated as described in Section 4.1 and are also unsigned. The
- following numeric types are predefined.
- uint8 uint16[2];
- uint8 uint24[3];
- uint8 uint32[4];
- uint8 uint64[8];
- All values, here and elsewhere in the specification, are stored in
- network byte (big-endian) order; the uint32 represented by the hex
- bytes 01 02 03 04 is equivalent to the decimal value 16909060.
- Note that in some cases (e.g., DH parameters) it is necessary to
- represent integers as opaque vectors. In such cases, they are
- represented as unsigned integers (i.e., leading zero octets are not
- required even if the most significant bit is set).
4.5. Enumerateds
- An additional sparse data type is available called enum. A field of
- type enum can only assume the values declared in the definition.
- Each definition is a different type. Only enumerateds of the same
- type may be assigned or compared. Every element of an enumerated
- must be assigned a value, as demonstrated in the following example.
- Since the elements of the enumerated are not ordered, they can be
- assigned any unique value, in any order.
- enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
- An enumerated occupies as much space in the byte stream as would its
- maximal defined ordinal value. The following definition would cause
- one byte to be used to carry fields of type Color.
- enum { red(3), blue(5), white(7) } Color;
- Dierks & Rescorla Standards Track [Page 9]
- RFC 5246 TLS August 2008
- One may optionally specify a value without its associated tag to
- force the width definition without defining a superfluous element.
- In the following example, Taste will consume two bytes in the data
- stream but can only assume the values 1, 2, or 4.
- enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
- The names of the elements of an enumeration are scoped within the
- defined type. In the first example, a fully qualified reference to
- the second element of the enumeration would be Color.blue. Such
- qualification is not required if the target of the assignment is well
- specified.
- Color color = Color.blue; /* overspecified, legal */
- Color color = blue; /* correct, type implicit */
- For enumerateds that are never converted to external representation,
- the numerical information may be omitted.
- enum { low, medium, high } Amount;
4.6. Constructed Types
- Structure types may be constructed from primitive types for
- convenience. Each specification declares a new, unique type. The
- syntax for definition is much like that of C.
- struct {
- T1 f1;
- T2 f2;
- ...
- Tn fn;
- } [[T]];
- The fields within a structure may be qualified using the type's name,
- with a syntax much like that available for enumerateds. For example,
- T.f2 refers to the second field of the previous declaration.
- Structure definitions may be embedded.
4.6.1. Variants
- Defined structures may have variants based on some knowledge that is
- available within the environment. The selector must be an enumerated
- type that defines the possible variants the structure defines. There
- must be a case arm for every element of the enumeration declared in
- the select. Case arms have limited fall-through: if two case arms
- follow in immediate succession with no fields in between, then they
- Dierks & Rescorla Standards Track [Page 10]
- RFC 5246 TLS August 2008
- both contain the same fields. Thus, in the example below, "orange"
- and "banana" both contain V2. Note that this is a new piece of
- syntax in TLS 1.2.
- The body of the variant structure may be given a label for reference.
- The mechanism by which the variant is selected at runtime is not
- prescribed by the presentation language.
- struct {
- T1 f1;
- T2 f2;
- ....
- Tn fn;
- select (E) {
- case e1: Te1;
- case e2: Te2;
- case e3: case e4: Te3;
- ....
- case en: Ten;
- } [[fv]];
- } [[Tv]];
- For example:
- enum { apple, orange, banana } VariantTag;
- struct {
- uint16 number;
- opaque string<0..10>; /* variable length */
- } V1;
- struct {
- uint32 number;
- opaque string[10]; /* fixed length */
- } V2;
- struct {
- select (VariantTag) { /* value of selector is implicit */
- case apple:
- V1; /* VariantBody, tag = apple */
- case orange:
- case banana:
- V2; /* VariantBody, tag = orange or banana */
- } variant_body; /* optional label on variant */
- } VariantRecord;
- Dierks & Rescorla Standards Track [Page 11]
- RFC 5246 TLS August 2008
4.7. Cryptographic Attributes
- The five cryptographic operations -- digital signing, stream cipher
- encryption, block cipher encryption, authenticated encryption with
- additional data (AEAD) encryption, and public key encryption -- are
- designated digitally-signed, stream-ciphered, block-ciphered, aead-
- ciphered, and public-key-encrypted, respectively. A field's
- cryptographic processing is specified by prepending an appropriate
- key word designation before the field's type specification.
- Cryptographic keys are implied by the current session state (see
- Section 6.1).
- A digitally-signed element is encoded as a struct DigitallySigned:
- struct {
- SignatureAndHashAlgorithm algorithm;
- opaque signature<0..2^16-1>;
- } DigitallySigned;
- The algorithm field specifies the algorithm used (see Section
- 7.4.1.4.1 for the definition of this field). Note that the
- introduction of the algorithm field is a change from previous
- versions. The signature is a digital signature using those
- algorithms over the contents of the element. The contents themselves
- do not appear on the wire but are simply calculated. The length of
- the signature is specified by the signing algorithm and key.
- In RSA signing, the opaque vector contains the signature generated
- using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1]. As
- discussed in [PKCS1], the DigestInfo MUST be DER-encoded [X680]
- [X690]. For hash algorithms without parameters (which includes
- SHA-1), the DigestInfo.AlgorithmIdentifier.parameters field MUST be
- NULL, but implementations MUST accept both without parameters and
- with NULL parameters. Note that earlier versions of TLS used a
- different RSA signature scheme that did not include a DigestInfo
- encoding.
- In DSA, the 20 bytes of the SHA-1 hash are run directly through the
- Digital Signing Algorithm with no additional hashing. This produces
- two values, r and s. The DSA signature is an opaque vector, as
- above, the contents of which are the DER encoding of:
- Dss-Sig-Value ::= SEQUENCE {
- r INTEGER,
- s INTEGER
- }
- Dierks & Rescorla Standards Track [Page 12]
- RFC 5246 TLS August 2008
- Note: In current terminology, DSA refers to the Digital Signature
- Algorithm and DSS refers to the NIST standard. In the original SSL
- and TLS specs, "DSS" was used universally. This document uses "DSA"
- to refer to the algorithm, "DSS" to refer to the standard, and it
- uses "DSS" in the code point definitions for historical continuity.
- In stream cipher encryption, the plaintext is exclusive-ORed with an
- identical amount of output generated from a cryptographically secure
- keyed pseudorandom number generator.
- In block cipher encryption, every block of plaintext encrypts to a
- block of ciphertext. All block cipher encryption is done in CBC
- (Cipher Block Chaining) mode, and all items that are block-ciphered
- will be an exact multiple of the cipher block length.
- In AEAD encryption, the plaintext is simultaneously encrypted and
- integrity protected. The input may be of any length, and aead-
- ciphered output is generally larger than the input in order to
- accommodate the integrity check value.
- In public key encryption, a public key algorithm is used to encrypt
- data in such a way that it can be decrypted only with the matching
- private key. A public-key-encrypted element is encoded as an opaque
- vector <0..2^16-1>, where the length is specified by the encryption
- algorithm and key.
- RSA encryption is done using the RSAES-PKCS1-v1_5 encryption scheme
- defined in [PKCS1].
- In the following example
- stream-ciphered struct {
- uint8 field1;
- uint8 field2;
- digitally-signed opaque {
- uint8 field3<0..255>;
- uint8 field4;
- };
- } UserType;
- The contents of the inner struct (field3 and field4) are used as
- input for the signature/hash algorithm, and then the entire structure
- is encrypted with a stream cipher. The length of this structure, in
- bytes, would be equal to two bytes for field1 and field2, plus two
- bytes for the signature and hash algorithm, plus two bytes for the
- length of the signature, plus the length of the output of the signing
- Dierks & Rescorla Standards Track [Page 13]
- RFC 5246 TLS August 2008
- algorithm. The length of the signature is known because the
- algorithm and key used for the signing are known prior to encoding or
- decoding this structure.
4.8. Constants
- Typed constants can be defined for purposes of specification by
- declaring a symbol of the desired type and assigning values to it.
- Under-specified types (opaque, variable-length vectors, and
- structures that contain opaque) cannot be assigned values. No fields
- of a multi-element structure or vector may be elided.
- For example:
- struct {
- uint8 f1;
- uint8 f2;
- } Example1;
- Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
5. HMAC and the Pseudorandom Function
- The TLS record layer uses a keyed Message Authentication Code (MAC)
- to protect message integrity. The cipher suites defined in this
- document use a construction known as HMAC, described in [HMAC], which
- is based on a hash function. Other cipher suites MAY define their
- own MAC constructions, if needed.
- In addition, a construction is required to do expansion of secrets
- into blocks of data for the purposes of key generation or validation.
- This pseudorandom function (PRF) takes as input a secret, a seed, and
- an identifying label and produces an output of arbitrary length.
- In this section, we define one PRF, based on HMAC. This PRF with the
- SHA-256 hash function is used for all cipher suites defined in this
- document and in TLS documents published prior to this document when
- TLS 1.2 is negotiated. New cipher suites MUST explicitly specify a
- PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a
- stronger standard hash function.
- First, we define a data expansion function, P_hash(secret, data),
- that uses a single hash function to expand a secret and seed into an
- arbitrary quantity of output:
- Dierks & Rescorla Standards Track [Page 14]
- RFC 5246 TLS August 2008
- P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
- HMAC_hash(secret, A(2) + seed) +
- HMAC_hash(secret, A(3) + seed) + ...
- where + indicates concatenation.
- A() is defined as:
- A(0) = seed
- A(i) = HMAC_hash(secret, A(i-1))
- P_hash can be iterated as many times as necessary to produce the
- required quantity of data. For example, if P_SHA256 is being used to
- create 80 bytes of data, it will have to be iterated three times
- (through A(3)), creating 96 bytes of output data; the last 16 bytes
- of the final iteration will then be discarded, leaving 80 bytes of
- output data.
- TLS's PRF is created by applying P_hash to the secret as:
- PRF(secret, label, seed) = P_<hash>(secret, label + seed)
- The label is an ASCII string. It should be included in the exact
- form it is given without a length byte or trailing null character.
- For example, the label "slithy toves" would be processed by hashing
- the following bytes:
- 73 6C 69 74 68 79 20 74 6F 76 65 73
6. The TLS Record Protocol
- The TLS Record Protocol is a layered protocol. At each layer,
- messages may include fields for length, description, and content.
- The Record Protocol takes messages to be transmitted, fragments the
- data into manageable blocks, optionally compresses the data, applies
- a MAC, encrypts, and transmits the result. Received data is
- decrypted, verified, decompressed, reassembled, and then delivered to
- higher-level clients.
- Four protocols that use the record protocol are described in this
- document: the handshake protocol, the alert protocol, the change
- cipher spec protocol, and the application data protocol. In order to
- allow extension of the TLS protocol, additional record content types
- can be supported by the record protocol. New record content type
- values are assigned by IANA in the TLS Content Type Registry as
- described in Section 12.
- Dierks & Rescorla Standards Track [Page 15]
- RFC 5246 TLS August 2008
- Implementations MUST NOT send record types not defined in this
- document unless negotiated by some extension. If a TLS
- implementation receives an unexpected record type, it MUST send an
- unexpected_message alert.
- Any protocol designed for use over TLS must be carefully designed to
- deal with all possible attacks against it. As a practical matter,
- this means that the protocol designer must be aware of what security
- properties TLS does and does not provide and cannot safely rely on
- the latter.
- Note in particular that type and length of a record are not protected
- by encryption. If this information is itself sensitive, application
- designers may wish to take steps (padding, cover traffic) to minimize
- information leakage.
6.1. Connection States
- A TLS connection state is the operating environment of the TLS Record
- Protocol. It specifies a compression algorithm, an encryption
- algorithm, and a MAC algorithm. In addition, the parameters for
- these algorithms are known: the MAC key and the bulk encryption keys
- for the connection in both the read and the write directions.
- Logically, there are always four connection states outstanding: the
- current read and write states, and the pending read and write states.
- All records are processed under the current read and write states.
- The security parameters for the pending states can be set by the TLS
- Handshake Protocol, and the ChangeCipherSpec can selectively make
- either of the pending states current, in which case the appropriate
- current state is disposed of and replaced with the pending state; the
- pending state is then reinitialized to an empty state. It is illegal
- to make a state that has not been initialized with security
- parameters a current state. The initial current state always
- specifies that no encryption, compression, or MAC will be used.
- The security parameters for a TLS Connection read and write state are
- set by providing the following values:
- connection end
- Whether this entity is considered the "client" or the "server" in
- this connection.
- PRF algorithm
- An algorithm used to generate keys from the master secret (see
- Sections 5 and 6.3).
- Dierks & Rescorla Standards Track [Page 16]
- RFC 5246 TLS August 2008
- bulk encryption algorithm
- An algorithm to be used for bulk encryption. This specification
- includes the key size of this algorithm, whether it is a block,
- stream, or AEAD cipher, the block size of the cipher (if
- appropriate), and the lengths of explicit and implicit
- initialization vectors (or nonces).
- MAC algorithm
- An algorithm to be used for message authentication. This
- specification includes the size of the value returned by the MAC
- algorithm.
- compression algorithm
- An algorithm to be used for data compression. This specification
- must include all information the algorithm requires to do
- compression.
- master secret
- A 48-byte secret shared between the two peers in the connection.
- client random
- A 32-byte value provided by the client.
- server random
- A 32-byte value provided by the server.
- These parameters are defined in the presentation language as:
- enum { server, client } ConnectionEnd;
- enum { tls_prf_sha256 } PRFAlgorithm;
- enum { null, rc4, 3des, aes }
- BulkCipherAlgorithm;
- enum { stream, block, aead } CipherType;
- enum { null, hmac_md5, hmac_sha1, hmac_sha256,
- hmac_sha384, hmac_sha512} MACAlgorithm;
- enum { null(0), (255) } CompressionMethod;
- /* The algorithms specified in CompressionMethod, PRFAlgorithm,
- BulkCipherAlgorithm, and MACAlgorithm may be added to. */
- Dierks & Rescorla Standards Track [Page 17]
- RFC 5246 TLS August 2008
- struct {
- ConnectionEnd entity;
- PRFAlgorithm prf_algorithm;
- BulkCipherAlgorithm bulk_cipher_algorithm;
- CipherType cipher_type;
- uint8 enc_key_length;
- uint8 block_length;
- uint8 fixed_iv_length;
- uint8 record_iv_length;
- MACAlgorithm mac_algorithm;
- uint8 mac_length;
- uint8 mac_key_length;
- CompressionMethod compression_algorithm;
- opaque master_secret[48];
- opaque client_random[32];
- opaque server_random[32];
- } SecurityParameters;
- The record layer will use the security parameters to generate the
- following six items (some of which are not required by all ciphers,
- and are thus empty):
- client write MAC key
- server write MAC key
- client write encryption key
- server write encryption key
- client write IV
- server write IV
- The client write parameters are used by the server when receiving and
- processing records and vice versa. The algorithm used for generating
- these items from the security parameters is described in Section 6.3.
- Once the security parameters have been set and the keys have been
- generated, the connection states can be instantiated by making them
- the current states. These current states MUST be updated for each
- record processed. Each connection state includes the following
- elements:
- compression state
- The current state of the compression algorithm.
- cipher state
- The current state of the encryption algorithm. This will consist
- of the scheduled key for that connection. For stream ciphers,
- this will also contain whatever state information is necessary to
- allow the stream to continue to encrypt or decrypt data.
- Dierks & Rescorla Standards Track [Page 18]
- RFC 5246 TLS August 2008
- MAC key
- The MAC key for this connection, as generated above.
- sequence number
- Each connection state contains a sequence number, which is
- maintained separately for read and write states. The sequence
- number MUST be set to zero whenever a connection state is made the
- active state. Sequence numbers are of type uint64 and may not
- exceed 2^64-1. Sequence numbers do not wrap. If a TLS
- implementation would need to wrap a sequence number, it must
- renegotiate instead. A sequence number is incremented after each
- record: specifically, the first record transmitted under a
- particular connection state MUST use sequence number 0.
6.2. Record Layer
- The TLS record layer receives uninterpreted data from higher layers
- in non-empty blocks of arbitrary size.
6.2.1. Fragmentation
- The record layer fragments information blocks into TLSPlaintext
- records carrying data in chunks of 2^14 bytes or less. Client
- message boundaries are not preserved in the record layer (i.e.,
- multiple client messages of the same ContentType MAY be coalesced
- into a single TLSPlaintext record, or a single message MAY be
- fragmented across several records).
- struct {
- uint8 major;
- uint8 minor;
- } ProtocolVersion;
- enum {
- change_cipher_spec(20), alert(21), handshake(22),
- application_data(23), (255)
- } ContentType;
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 length;
- opaque fragment[TLSPlaintext.length];
- } TLSPlaintext;
- type
- The higher-level protocol used to process the enclosed fragment.
- Dierks & Rescorla Standards Track [Page 19]
- RFC 5246 TLS August 2008
- version
- The version of the protocol being employed. This document
- describes TLS Version 1.2, which uses the version { 3, 3 }. The
- version value 3.3 is historical, deriving from the use of {3, 1}
- for TLS 1.0. (See Appendix A.1.) Note that a client that
- supports multiple versions of TLS may not know what version will
- be employed before it receives the ServerHello. See Appendix E
- for discussion about what record layer version number should be
- employed for ClientHello.
- length
- The length (in bytes) of the following TLSPlaintext.fragment. The
- length MUST NOT exceed 2^14.
- fragment
- The application data. This data is transparent and treated as an
- independent block to be dealt with by the higher-level protocol
- specified by the type field.
- Implementations MUST NOT send zero-length fragments of Handshake,
- Alert, or ChangeCipherSpec content types. Zero-length fragments of
- Application data MAY be sent as they are potentially useful as a
- traffic analysis countermeasure.
- Note: Data of different TLS record layer content types MAY be
- interleaved. Application data is generally of lower precedence for
- transmission than other content types. However, records MUST be
- delivered to the network in the same order as they are protected by
- the record layer. Recipients MUST receive and process interleaved
- application layer traffic during handshakes subsequent to the first
- one on a connection.
6.2.2. Record Compression and Decompression
- All records are compressed using the compression algorithm defined in
- the current session state. There is always an active compression
- algorithm; however, initially it is defined as
- CompressionMethod.null. The compression algorithm translates a
- TLSPlaintext structure into a TLSCompressed structure. Compression
- functions are initialized with default state information whenever a
- connection state is made active. [RFC3749] describes compression
- algorithms for TLS.
- Compression must be lossless and may not increase the content length
- by more than 1024 bytes. If the decompression function encounters a
- TLSCompressed.fragment that would decompress to a length in excess of
- 2^14 bytes, it MUST report a fatal decompression failure error.
- Dierks & Rescorla Standards Track [Page 20]
- RFC 5246 TLS August 2008
- struct {
- ContentType type; /* same as TLSPlaintext.type */
- ProtocolVersion version;/* same as TLSPlaintext.version */
- uint16 length;
- opaque fragment[TLSCompressed.length];
- } TLSCompressed;
- length
- The length (in bytes) of the following TLSCompressed.fragment.
- The length MUST NOT exceed 2^14 + 1024.
- fragment
- The compressed form of TLSPlaintext.fragment.
- Note: A CompressionMethod.null operation is an identity operation;
- no fields are altered.
- Implementation note: Decompression functions are responsible for
- ensuring that messages cannot cause internal buffer overflows.
6.2.3. Record Payload Protection
- The encryption and MAC functions translate a TLSCompressed
- structure into a TLSCiphertext. The decryption functions reverse
- the process. The MAC of the record also includes a sequence
- number so that missing, extra, or repeated messages are
- detectable.
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 length;
- select (SecurityParameters.cipher_type) {
- case stream: GenericStreamCipher;
- case block: GenericBlockCipher;
- case aead: GenericAEADCipher;
- } fragment;
- } TLSCiphertext;
- type
- The type field is identical to TLSCompressed.type.
- version
- The version field is identical to TLSCompressed.version.
- length
- The length (in bytes) of the following TLSCiphertext.fragment.
- The length MUST NOT exceed 2^14 + 2048.
- Dierks & Rescorla Standards Track [Page 21]
- RFC 5246 TLS August 2008
- fragment
- The encrypted form of TLSCompressed.fragment, with the MAC.
6.2.3.1. Null or Standard Stream Cipher
- Stream ciphers (including BulkCipherAlgorithm.null; see Appendix A.6)
- convert TLSCompressed.fragment structures to and from stream
- TLSCiphertext.fragment structures.
- stream-ciphered struct {
- opaque content[TLSCompressed.length];
- opaque MAC[SecurityParameters.mac_length];
- } GenericStreamCipher;
- The MAC is generated as:
- MAC(MAC_write_key, seq_num +
- TLSCompressed.type +
- TLSCompressed.version +
- TLSCompressed.length +
- TLSCompressed.fragment);
- where "+" denotes concatenation.
- seq_num
- The sequence number for this record.
- MAC
- The MAC algorithm specified by SecurityParameters.mac_algorithm.
- Note that the MAC is computed before encryption. The stream cipher
- encrypts the entire block, including the MAC. For stream ciphers
- that do not use a synchronization vector (such as RC4), the stream
- cipher state from the end of one record is simply used on the
- subsequent packet. If the cipher suite is TLS_NULL_WITH_NULL_NULL,
- encryption consists of the identity operation (i.e., the data is not
- encrypted, and the MAC size is zero, implying that no MAC is used).
- For both null and stream ciphers, TLSCiphertext.length is
- TLSCompressed.length plus SecurityParameters.mac_length.
6.2.3.2. CBC Block Cipher
- For block ciphers (such as 3DES or AES), the encryption and MAC
- functions convert TLSCompressed.fragment structures to and from block
- TLSCiphertext.fragment structures.
- Dierks & Rescorla Standards Track [Page 22]
- RFC 5246 TLS August 2008
- struct {
- opaque IV[SecurityParameters.record_iv_length];
- block-ciphered struct {
- opaque content[TLSCompressed.length];
- opaque MAC[SecurityParameters.mac_length];
- uint8 padding[GenericBlockCipher.padding_length];
- uint8 padding_length;
- };
- } GenericBlockCipher;
- The MAC is generated as described in Section 6.2.3.1.
- IV
- The Initialization Vector (IV) SHOULD be chosen at random, and
- MUST be unpredictable. Note that in versions of TLS prior to 1.1,
- there was no IV field, and the last ciphertext block of the
- previous record (the "CBC residue") was used as the IV. This was
- changed to prevent the attacks described in [CBCATT]. For block
- ciphers, the IV length is of length
- SecurityParameters.record_iv_length, which is equal to the
- SecurityParameters.block_size.
- padding
- Padding that is added to force the length of the plaintext to be
- an integral multiple of the block cipher's block length. The
- padding MAY be any length up to 255 bytes, as long as it results
- in the TLSCiphertext.length being an integral multiple of the
- block length. Lengths longer than necessary might be desirable to
- frustrate attacks on a protocol that are based on analysis of the
- lengths of exchanged messages. Each uint8 in the padding data
- vector MUST be filled with the padding length value. The receiver
- MUST check this padding and MUST use the bad_record_mac alert to
- indicate padding errors.
- padding_length
- The padding length MUST be such that the total size of the
- GenericBlockCipher structure is a multiple of the cipher's block
- length. Legal values range from zero to 255, inclusive. This
- length specifies the length of the padding field exclusive of the
- padding_length field itself.
- The encrypted data length (TLSCiphertext.length) is one more than the
- sum of SecurityParameters.block_length, TLSCompressed.length,
- SecurityParameters.mac_length, and padding_length.
- Example: If the block length is 8 bytes, the content length
- (TLSCompressed.length) is 61 bytes, and the MAC length is 20 bytes,
- then the length before padding is 82 bytes (this does not include the
- Dierks & Rescorla Standards Track [Page 23]
- RFC 5246 TLS August 2008
- IV. Thus, the padding length modulo 8 must be equal to 6 in order to
- make the total length an even multiple of 8 bytes (the block length).
- The padding length can be 6, 14, 22, and so on, through 254. If the
- padding length were the minimum necessary, 6, the padding would be 6
- bytes, each containing the value 6. Thus, the last 8 octets of the
- GenericBlockCipher before block encryption would be xx 06 06 06 06 06
- 06 06, where xx is the last octet of the MAC.
- Note: With block ciphers in CBC mode (Cipher Block Chaining), it is
- critical that the entire plaintext of the record be known before any
- ciphertext is transmitted. Otherwise, it is possible for the
- attacker to mount the attack described in [CBCATT].
- Implementation note: Canvel et al. [CBCTIME] have demonstrated a
- timing attack on CBC padding based on the time required to compute
- the MAC. In order to defend against this attack, implementations
- MUST ensure that record processing time is essentially the same
- whether or not the padding is correct. In general, the best way to
- do this is to compute the MAC even if the padding is incorrect, and
- only then reject the packet. For instance, if the pad appears to be
- incorrect, the implementation might assume a zero-length pad and then
- compute the MAC. This leaves a small timing channel, since MAC
- performance depends to some extent on the size of the data fragment,
- but it is not believed to be large enough to be exploitable, due to
- the large block size of existing MACs and the small size of the
- timing signal.
6.2.3.3. AEAD Ciphers
- For AEAD [AEAD] ciphers (such as [CCM] or [GCM]), the AEAD function
- converts TLSCompressed.fragment structures to and from AEAD
- TLSCiphertext.fragment structures.
- struct {
- opaque nonce_explicit[SecurityParameters.record_iv_length];
- aead-ciphered struct {
- opaque content[TLSCompressed.length];
- };
- } GenericAEADCipher;
- AEAD ciphers take as input a single key, a nonce, a plaintext, and
- "additional data" to be included in the authentication check, as
- described in Section 2.1 of [AEAD]. The key is either the
- client_write_key or the server_write_key. No MAC key is used.
- Each AEAD cipher suite MUST specify how the nonce supplied to the
- AEAD operation is constructed, and what is the length of the
- GenericAEADCipher.nonce_explicit part. In many cases, it is
- Dierks & Rescorla Standards Track [Page 24]
- RFC 5246 TLS August 2008
- appropriate to use the partially implicit nonce technique described
- in Section 3.2.1 of [AEAD]; with record_iv_length being the length of
- the explicit part. In this case, the implicit part SHOULD be derived
- from key_block as client_write_iv and server_write_iv (as described
- in Section 6.3), and the explicit part is included in
- GenericAEAEDCipher.nonce_explicit.
- The plaintext is the TLSCompressed.fragment.
- The additional authenticated data, which we denote as
- additional_data, is defined as follows:
- additional_data = seq_num + TLSCompressed.type +
- TLSCompressed.version + TLSCompressed.length;
- where "+" denotes concatenation.
- The aead_output consists of the ciphertext output by the AEAD
- encryption operation. The length will generally be larger than
- TLSCompressed.length, but by an amount that varies with the AEAD
- cipher. Since the ciphers might incorporate padding, the amount of
- overhead could vary with different TLSCompressed.length values. Each
- AEAD cipher MUST NOT produce an expansion of greater than 1024 bytes.
- Symbolically,
- AEADEncrypted = AEAD-Encrypt(write_key, nonce, plaintext,
- additional_data)
- In order to decrypt and verify, the cipher takes as input the key,
- nonce, the "additional_data", and the AEADEncrypted value. The
- output is either the plaintext or an error indicating that the
- decryption failed. There is no separate integrity check. That is:
- TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce,
- AEADEncrypted,
- additional_data)
- If the decryption fails, a fatal bad_record_mac alert MUST be
- generated.
6.3. Key Calculation
- The Record Protocol requires an algorithm to generate keys required
- by the current connection state (see Appendix A.6) from the security
- parameters provided by the handshake protocol.
- Dierks & Rescorla Standards Track [Page 25]
- RFC 5246 TLS August 2008
- The master secret is expanded into a sequence of secure bytes, which
- is then split to a client write MAC key, a server write MAC key, a
- client write encryption key, and a server write encryption key. Each
- of these is generated from the byte sequence in that order. Unused
- values are empty. Some AEAD ciphers may additionally require a
- client write IV and a server write IV (see Section 6.2.3.3).
- When keys and MAC keys are generated, the master secret is used as an
- entropy source.
- To generate the key material, compute
- key_block = PRF(SecurityParameters.master_secret,
- "key expansion",
- SecurityParameters.server_random +
- SecurityParameters.client_random);
- until enough output has been generated. Then, the key_block is
- partitioned as follows:
- client_write_MAC_key[SecurityParameters.mac_key_length]
- server_write_MAC_key[SecurityParameters.mac_key_length]
- client_write_key[SecurityParameters.enc_key_length]
- server_write_key[SecurityParameters.enc_key_length]
- client_write_IV[SecurityParameters.fixed_iv_length]
- server_write_IV[SecurityParameters.fixed_iv_length]
- Currently, the client_write_IV and server_write_IV are only generated
- for implicit nonce techniques as described in Section 3.2.1 of
- [AEAD].
- Implementation note: The currently defined cipher suite which
- requires the most material is AES_256_CBC_SHA256. It requires 2 x 32
- byte keys and 2 x 32 byte MAC keys, for a total 128 bytes of key
- material.
7. The TLS Handshaking Protocols
- TLS has three subprotocols that are used to allow peers to agree upon
- security parameters for the record layer, to authenticate themselves,
- to instantiate negotiated security parameters, and to report error
- conditions to each other.
- The Handshake Protocol is responsible for negotiating a session,
- which consists of the following items:
- Dierks & Rescorla Standards Track [Page 26]
- RFC 5246 TLS August 2008
- session identifier
- An arbitrary byte sequence chosen by the server to identify an
- active or resumable session state.
- peer certificate
- X509v3 [PKIX] certificate of the peer. This element of the state
- may be null.
- compression method
- The algorithm used to compress data prior to encryption.
- cipher spec
- Specifies the pseudorandom function (PRF) used to generate keying
- material, the bulk data encryption algorithm (such as null, AES,
- etc.) and the MAC algorithm (such as HMAC-SHA1). It also defines
- cryptographic attributes such as the mac_length. (See Appendix
- A.6 for formal definition.)
- master secret
- 48-byte secret shared between the client and server.
- is resumable
- A flag indicating whether the session can be used to initiate new
- connections.
- These items are then used to create security parameters for use by
- the record layer when protecting application data. Many connections
- can be instantiated using the same session through the resumption
- feature of the TLS Handshake Protocol.
7.1. Change Cipher Spec Protocol
- The change cipher spec protocol exists to signal transitions in
- ciphering strategies. The protocol consists of a single message,
- which is encrypted and compressed under the current (not the pending)
- connection state. The message consists of a single byte of value 1.
- struct {
- enum { change_cipher_spec(1), (255) } type;
- } ChangeCipherSpec;
- The ChangeCipherSpec message is sent by both the client and the
- server to notify the receiving party that subsequent records will be
- protected under the newly negotiated CipherSpec and keys. Reception
- of this message causes the receiver to instruct the record layer to
- immediately copy the read pending state into the read current state.
- Immediately after sending this message, the sender MUST instruct the
- record layer to make the write pending state the write active state.
- Dierks & Rescorla Standards Track [Page 27]
- RFC 5246 TLS August 2008
- (See Section 6.1.) The ChangeCipherSpec message is sent during the
- handshake after the security parameters have been agreed upon, but
- before the verifying Finished message is sent.
- Note: If a rehandshake occurs while data is flowing on a connection,
- the communicating parties may continue to send data using the old
- CipherSpec. However, once the ChangeCipherSpec has been sent, the
- new CipherSpec MUST be used. The first side to send the
- ChangeCipherSpec does not know that the other side has finished
- computing the new keying material (e.g., if it has to perform a
- time-consuming public key operation). Thus, a small window of time,
- during which the recipient must buffer the data, MAY exist. In
- practice, with modern machines this interval is likely to be fairly
- short.
7.2. Alert Protocol
- One of the content types supported by the TLS record layer is the
- alert type. Alert messages convey the severity of the message
- (warning or fatal) and a description of the alert. Alert messages
- with a level of fatal result in the immediate termination of the
- connection. In this case, other connections corresponding to the
- session may continue, but the session identifier MUST be invalidated,
- preventing the failed session from being used to establish new
- connections. Like other messages, alert messages are encrypted and
- compressed, as specified by the current connection state.
- enum { warning(1), fatal(2), (255) } AlertLevel;
- enum {
- close_notify(0),
- unexpected_message(10),
- bad_record_mac(20),
- decryption_failed_RESERVED(21),
- record_overflow(22),
- decompression_failure(30),
- handshake_failure(40),
- no_certificate_RESERVED(41),
- bad_certificate(42),
- unsupported_certificate(43),
- certificate_revoked(44),
- certificate_expired(45),
- certificate_unknown(46),
- illegal_parameter(47),
- unknown_ca(48),
- access_denied(49),
- decode_error(50),
- decrypt_error(51),
- Dierks & Rescorla Standards Track [Page 28]
- RFC 5246 TLS August 2008
- export_restriction_RESERVED(60),
- protocol_version(70),
- insufficient_security(71),
- internal_error(80),
- user_canceled(90),
- no_renegotiation(100),
- unsupported_extension(110),
- (255)
- } AlertDescription;
- struct {
- AlertLevel level;
- AlertDescription description;
- } Alert;
7.2.1. Closure Alerts
- The client and the server must share knowledge that the connection is
- ending in order to avoid a truncation attack. Either party may
- initiate the exchange of closing messages.
- close_notify
- This message notifies the recipient that the sender will not send
- any more messages on this connection. Note that as of TLS 1.1,
- failure to properly close a connection no longer requires that a
- session not be resumed. This is a change from TLS 1.0 to conform
- with widespread implementation practice.
- Either party may initiate a close by sending a close_notify alert.
- Any data received after a closure alert is ignored.
- Unless some other fatal alert has been transmitted, each party is
- required to send a close_notify alert before closing the write side
- of the connection. The other party MUST respond with a close_notify
- alert of its own and close down the connection immediately,
- discarding any pending writes. It is not required for the initiator
- of the close to wait for the responding close_notify alert before
- closing the read side of the connection.
- If the application protocol using TLS provides that any data may be
- carried over the underlying transport after the TLS connection is
- closed, the TLS implementation must receive the responding
- close_notify alert before indicating to the application layer that
- the TLS connection has ended. If the application protocol will not
- transfer any additional data, but will only close the underlying
- transport connection, then the implementation MAY choose to close the
- transport without waiting for the responding close_notify. No part
- Dierks & Rescorla Standards Track [Page 29]
- RFC 5246 TLS August 2008
- of this standard should be taken to dictate the manner in which a
- usage profile for TLS manages its data transport, including when
- connections are opened or closed.
- Note: It is assumed that closing a connection reliably delivers
- pending data before destroying the transport.
7.2.2. Error Alerts
- Error handling in the TLS Handshake protocol is very simple. When an
- error is detected, the detecting party sends a message to the other
- party. Upon transmission or receipt of a fatal alert message, both
- parties immediately close the connection. Servers and clients MUST
- forget any session-identifiers, keys, and secrets associated with a
- failed connection. Thus, any connection terminated with a fatal
- alert MUST NOT be resumed.
- Whenever an implementation encounters a condition which is defined as
- a fatal alert, it MUST send the appropriate alert prior to closing
- the connection. For all errors where an alert level is not
- explicitly specified, the sending party MAY determine at its
- discretion whether to treat this as a fatal error or not. If the
- implementation chooses to send an alert but intends to close the
- connection immediately afterwards, it MUST send that alert at the
- fatal alert level.
- If an alert with a level of warning is sent and received, generally
- the connection can continue normally. If the receiving party decides
- not to proceed with the connection (e.g., after having received a
- no_renegotiation alert that it is not willing to accept), it SHOULD
- send a fatal alert to terminate the connection. Given this, the
- sending party cannot, in general, know how the receiving party will
- behave. Therefore, warning alerts are not very useful when the
- sending party wants to continue the connection, and thus are
- sometimes omitted. For example, if a peer decides to accept an
- expired certificate (perhaps after confirming this with the user) and
- wants to continue the connection, it would not generally send a
- certificate_expired alert.
- The following error alerts are defined:
- unexpected_message
- An inappropriate message was received. This alert is always fatal
- and should never be observed in communication between proper
- implementations.
- Dierks & Rescorla Standards Track [Page 30]
- RFC 5246 TLS August 2008
- bad_record_mac
- This alert is returned if a record is received with an incorrect
- MAC. This alert also MUST be returned if an alert is sent because
- a TLSCiphertext decrypted in an invalid way: either it wasn't an
- even multiple of the block length, or its padding values, when
- checked, weren't correct. This message is always fatal and should
- never be observed in communication between proper implementations
- (except when messages were corrupted in the network).
- decryption_failed_RESERVED
- This alert was used in some earlier versions of TLS, and may have
- permitted certain attacks against the CBC mode [CBCATT]. It MUST
- NOT be sent by compliant implementations.
- record_overflow
- A TLSCiphertext record was received that had a length more than
- 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
- with more than 2^14+1024 bytes. This message is always fatal and
- should never be observed in communication between proper
- implementations (except when messages were corrupted in the
- network).
- decompression_failure
- The decompression function received improper input (e.g., data
- that would expand to excessive length). This message is always
- fatal and should never be observed in communication between proper
- implementations.
- handshake_failure
- Reception of a handshake_failure alert message indicates that the
- sender was unable to negotiate an acceptable set of security
- parameters given the options available. This is a fatal error.
- no_certificate_RESERVED
- This alert was used in SSLv3 but not any version of TLS. It MUST
- NOT be sent by compliant implementations.
- bad_certificate
- A certificate was corrupt, contained signatures that did not
- verify correctly, etc.
- unsupported_certificate
- A certificate was of an unsupported type.
- certificate_revoked
- A certificate was revoked by its signer.
- Dierks & Rescorla Standards Track [Page 31]
- RFC 5246 TLS August 2008
- certificate_expired
- A certificate has expired or is not currently valid.
- certificate_unknown
- Some other (unspecified) issue arose in processing the
- certificate, rendering it unacceptable.
- illegal_parameter
- A field in the handshake was out of range or inconsistent with
- other fields. This message is always fatal.
- unknown_ca
- A valid certificate chain or partial chain was received, but the
- certificate was not accepted because the CA certificate could not
- be located or couldn't be matched with a known, trusted CA. This
- message is always fatal.
- access_denied
- A valid certificate was received, but when access control was
- applied, the sender decided not to proceed with negotiation. This
- message is always fatal.
- decode_error
- A message could not be decoded because some field was out of the
- specified range or the length of the message was incorrect. This
- message is always fatal and should never be observed in
- communication between proper implementations (except when messages
- were corrupted in the network).
- decrypt_error
- A handshake cryptographic operation failed, including being unable
- to correctly verify a signature or validate a Finished message.
- This message is always fatal.
- export_restriction_RESERVED
- This alert was used in some earlier versions of TLS. It MUST NOT
- be sent by compliant implementations.
- protocol_version
- The protocol version the client has attempted to negotiate is
- recognized but not supported. (For example, old protocol versions
- might be avoided for security reasons.) This message is always
- fatal.
- Dierks & Rescorla Standards Track [Page 32]
- RFC 5246 TLS August 2008
- insufficient_security
- Returned instead of handshake_failure when a negotiation has
- failed specifically because the server requires ciphers more
- secure than those supported by the client. This message is always
- fatal.
- internal_error
- An internal error unrelated to the peer or the correctness of the
- protocol (such as a memory allocation failure) makes it impossible
- to continue. This message is always fatal.
- user_canceled
- This handshake is being canceled for some reason unrelated to a
- protocol failure. If the user cancels an operation after the
- handshake is complete, just closing the connection by sending a
- close_notify is more appropriate. This alert should be followed
- by a close_notify. This message is generally a warning.
- no_renegotiation
- Sent by the client in response to a hello request or by the server
- in response to a client hello after initial handshaking. Either
- of these would normally lead to renegotiation; when that is not
- appropriate, the recipient should respond with this alert. At
- that point, the original requester can decide whether to proceed
- with the connection. One case where this would be appropriate is
- where a server has spawned a process to satisfy a request; the
- process might receive security parameters (key length,
- authentication, etc.) at startup, and it might be difficult to
- communicate changes to these parameters after that point. This
- message is always a warning.
- unsupported_extension
- sent by clients that receive an extended server hello containing
- an extension that they did not put in the corresponding client
- hello. This message is always fatal.
- New Alert values are assigned by IANA as described in Section 12.
7.3. Handshake Protocol Overview
- The cryptographic parameters of the session state are produced by the
- TLS Handshake Protocol, which operates on top of the TLS record
- layer. When a TLS client and server first start communicating, they
- agree on a protocol version, select cryptographic algorithms,
- optionally authenticate each other, and use public-key encryption
- techniques to generate shared secrets.
- Dierks & Rescorla Standards Track [Page 33]
- RFC 5246 TLS August 2008
- The TLS Handshake Protocol involves the following steps:
- - Exchange hello messages to agree on algorithms, exchange random
- values, and check for session resumption.
- - Exchange the necessary cryptographic parameters to allow the
- client and server to agree on a premaster secret.
- - Exchange certificates and cryptographic information to allow the
- client and server to authenticate themselves.
- - Generate a master secret from the premaster secret and exchanged
- random values.
- - Provide security parameters to the record layer.
- - Allow the client and server to verify that their peer has
- calculated the same security parameters and that the handshake
- occurred without tampering by an attacker.
- Note that higher layers should not be overly reliant on whether TLS
- always negotiates the strongest possible connection between two
- peers. There are a number of ways in which a man-in-the-middle
- attacker can attempt to make two entities drop down to the least
- secure method they support. The protocol has been designed to
- minimize this risk, but there are still attacks available: for
- example, an attacker could block access to the port a secure service
- runs on, or attempt to get the peers to negotiate an unauthenticated
- connection. The fundamental rule is that higher levels must be
- cognizant of what their security requirements are and never transmit
- information over a channel less secure than what they require. The
- TLS protocol is secure in that any cipher suite offers its promised
- level of security: if you negotiate 3DES with a 1024-bit RSA key
- exchange with a host whose certificate you have verified, you can
- expect to be that secure.
- These goals are achieved by the handshake protocol, which can be
- summarized as follows: The client sends a ClientHello message to
- which the server must respond with a ServerHello message, or else a
- fatal error will occur and the connection will fail. The ClientHello
- and ServerHello are used to establish security enhancement
- capabilities between client and server. The ClientHello and
- ServerHello establish the following attributes: Protocol Version,
- Session ID, Cipher Suite, and Compression Method. Additionally, two
- random values are generated and exchanged: ClientHello.random and
- ServerHello.random.
- Dierks & Rescorla Standards Track [Page 34]
- RFC 5246 TLS August 2008
- The actual key exchange uses up to four messages: the server
- Certificate, the ServerKeyExchange, the client Certificate, and the
- ClientKeyExchange. New key exchange methods can be created by
- specifying a format for these messages and by defining the use of the
- messages to allow the client and server to agree upon a shared
- secret. This secret MUST be quite long; currently defined key
- exchange methods exchange secrets that range from 46 bytes upwards.
- Following the hello messages, the server will send its certificate in
- a Certificate message if it is to be authenticated. Additionally, a
- ServerKeyExchange message may be sent, if it is required (e.g., if
- the server has no certificate, or if its certificate is for signing
- only). If the server is authenticated, it may request a certificate
- from the client, if that is appropriate to the cipher suite selected.
- Next, the server will send the ServerHelloDone message, indicating
- that the hello-message phase of the handshake is complete. The
- server will then wait for a client response. If the server has sent
- a CertificateRequest message, the client MUST send the Certificate
- message. The ClientKeyExchange message is now sent, and the content
- of that message will depend on the public key algorithm selected
- between the ClientHello and the ServerHello. If the client has sent
- a certificate with signing ability, a digitally-signed
- CertificateVerify message is sent to explicitly verify possession of
- the private key in the certificate.
- At this point, a ChangeCipherSpec message is sent by the client, and
- the client copies the pending Cipher Spec into the current Cipher
- Spec. The client then immediately sends the Finished message under
- the new algorithms, keys, and secrets. In response, the server will
- send its own ChangeCipherSpec message, transfer the pending to the
- current Cipher Spec, and send its Finished message under the new
- Cipher Spec. At this point, the handshake is complete, and the
- client and server may begin to exchange application layer data. (See
- flow chart below.) Application data MUST NOT be sent prior to the
- completion of the first handshake (before a cipher suite other than
- TLS_NULL_WITH_NULL_NULL is established).
- Dierks & Rescorla Standards Track [Page 35]
- RFC 5246 TLS August 2008
- Client Server
- ClientHello -------->
- ServerHello
- Certificate*
- ServerKeyExchange*
- CertificateRequest*
- <-------- ServerHelloDone
- Certificate*
- ClientKeyExchange
- CertificateVerify*
- [ChangeCipherSpec]
- Finished -------->
- [ChangeCipherSpec]
- <-------- Finished
- Application Data <-------> Application Data
- Figure 1. Message flow for a full handshake
- * Indicates optional or situation-dependent messages that are not
- always sent.
- Note: To help avoid pipeline stalls, ChangeCipherSpec is an
- independent TLS protocol content type, and is not actually a TLS
- handshake message.
- When the client and server decide to resume a previous session or
- duplicate an existing session (instead of negotiating new security
- parameters), the message flow is as follows:
- The client sends a ClientHello using the Session ID of the session to
- be resumed. The server then checks its session cache for a match.
- If a match is found, and the server is willing to re-establish the
- connection under the specified session state, it will send a
- ServerHello with the same Session ID value. At this point, both
- client and server MUST send ChangeCipherSpec messages and proceed
- directly to Finished messages. Once the re-establishment is
- complete, the client and server MAY begin to exchange application
- layer data. (See flow chart below.) If a Session ID match is not
- found, the server generates a new session ID, and the TLS client and
- server perform a full handshake.
- Dierks & Rescorla Standards Track [Page 36]
- RFC 5246 TLS August 2008
- Client Server
- ClientHello -------->
- ServerHello
- [ChangeCipherSpec]
- <-------- Finished
- [ChangeCipherSpec]
- Finished -------->
- Application Data <-------> Application Data
- Figure 2. Message flow for an abbreviated handshake
- The contents and significance of each message will be presented in
- detail in the following sections.
7.4. Handshake Protocol
- The TLS Handshake Protocol is one of the defined higher-level clients
- of the TLS Record Protocol. This protocol is used to negotiate the
- secure attributes of a session. Handshake messages are supplied to
- the TLS record layer, where they are encapsulated within one or more
- TLSPlaintext structures, which are processed and transmitted as
- specified by the current active session state.
- enum {
- hello_request(0), client_hello(1), server_hello(2),
- certificate(11), server_key_exchange (12),
- certificate_request(13), server_hello_done(14),
- certificate_verify(15), client_key_exchange(16),
- finished(20), (255)
- } HandshakeType;
- struct {
- HandshakeType msg_type; /* handshake type */
- uint24 length; /* bytes in message */
- select (HandshakeType) {
- case hello_request: HelloRequest;
- case client_hello: ClientHello;
- case server_hello: ServerHello;
- case certificate: Certificate;
- case server_key_exchange: ServerKeyExchange;
- case certificate_request: CertificateRequest;
- case server_hello_done: ServerHelloDone;
- case certificate_verify: CertificateVerify;
- case client_key_exchange: ClientKeyExchange;
- case finished: Finished;
- } body;
- } Handshake;
- Dierks & Rescorla Standards Track [Page 37]
- RFC 5246 TLS August 2008
- The handshake protocol messages are presented below in the order they
- MUST be sent; sending handshake messages in an unexpected order
- results in a fatal error. Unneeded handshake messages can be
- omitted, however. Note one exception to the ordering: the
- Certificate message is used twice in the handshake (from server to
- client, then from client to server), but described only in its first
- position. The one message that is not bound by these ordering rules
- is the HelloRequest message, which can be sent at any time, but which
- SHOULD be ignored by the client if it arrives in the middle of a
- handshake.
- New handshake message types are assigned by IANA as described in
- Section 12.
7.4.1. Hello Messages
- The hello phase messages are used to exchange security enhancement
- capabilities between the client and server. When a new session
- begins, the record layer's connection state encryption, hash, and
- compression algorithms are initialized to null. The current
- connection state is used for renegotiation messages.
7.4.1.1. Hello Request
- When this message will be sent:
- The HelloRequest message MAY be sent by the server at any time.
- Meaning of this message:
- HelloRequest is a simple notification that the client should begin
- the negotiation process anew. In response, the client should send
- a ClientHello message when convenient. This message is not
- intended to establish which side is the client or server but
- merely to initiate a new negotiation. Servers SHOULD NOT send a
- HelloRequest immediately upon the client's initial connection. It
- is the client's job to send a ClientHello at that time.
- This message will be ignored by the client if the client is
- currently negotiating a session. This message MAY be ignored by
- the client if it does not wish to renegotiate a session, or the
- client may, if it wishes, respond with a no_renegotiation alert.
- Since handshake messages are intended to have transmission
- precedence over application data, it is expected that the
- negotiation will begin before no more than a few records are
- received from the client. If the server sends a HelloRequest but
- does not receive a ClientHello in response, it may close the
- connection with a fatal alert.
- Dierks & Rescorla Standards Track [Page 38]
- RFC 5246 TLS August 2008
- After sending a HelloRequest, servers SHOULD NOT repeat the
- request until the subsequent handshake negotiation is complete.
- Structure of this message:
- struct { } HelloRequest;
- This message MUST NOT be included in the message hashes that are
- maintained throughout the handshake and used in the Finished messages
- and the certificate verify message.
7.4.1.2. Client Hello
- When this message will be sent:
- When a client first connects to a server, it is required to send
- the ClientHello as its first message. The client can also send a
- ClientHello in response to a HelloRequest or on its own initiative
- in order to renegotiate the security parameters in an existing
- connection.
- Structure of this message:
- The ClientHello message includes a random structure, which is used
- later in the protocol.
- struct {
- uint32 gmt_unix_time;
- opaque random_bytes[28];
- } Random;
- gmt_unix_time
- The current time and date in standard UNIX 32-bit format
- (seconds since the midnight starting Jan 1, 1970, UTC, ignoring
- leap seconds) according to the sender's internal clock. Clocks
- are not required to be set correctly by the basic TLS protocol;
- higher-level or application protocols may define additional
- requirements. Note that, for historical reasons, the data
- element is named using GMT, the predecessor of the current
- worldwide time base, UTC.
- random_bytes
- 28 bytes generated by a secure random number generator.
- The ClientHello message includes a variable-length session
- identifier. If not empty, the value identifies a session between the
- same client and server whose security parameters the client wishes to
- reuse. The session identifier MAY be from an earlier connection,
- Dierks & Rescorla Standards Track [Page 39]
- RFC 5246 TLS August 2008
- this connection, or from another currently active connection. The
- second option is useful if the client only wishes to update the
- random structures and derived values of a connection, and the third
- option makes it possible to establish several independent secure
- connections without repeating the full handshake protocol. These
- independent connections may occur sequentially or simultaneously; a
- SessionID becomes valid when the handshake negotiating it completes
- with the exchange of Finished messages and persists until it is
- removed due to aging or because a fatal error was encountered on a
- connection associated with the session. The actual contents of the
- SessionID are defined by the server.
- opaque SessionID<0..32>;
- Warning: Because the SessionID is transmitted without encryption or
- immediate MAC protection, servers MUST NOT place confidential
- information in session identifiers or let the contents of fake
- session identifiers cause any breach of security. (Note that the
- content of the handshake as a whole, including the SessionID, is
- protected by the Finished messages exchanged at the end of the
- handshake.)
- The cipher suite list, passed from the client to the server in the
- ClientHello message, contains the combinations of cryptographic
- algorithms supported by the client in order of the client's
- preference (favorite choice first). Each cipher suite defines a key
- exchange algorithm, a bulk encryption algorithm (including secret key
- length), a MAC algorithm, and a PRF. The server will select a cipher
- suite or, if no acceptable choices are presented, return a handshake
- failure alert and close the connection. If the list contains cipher
- suites the server does not recognize, support, or wish to use, the
- server MUST ignore those cipher suites, and process the remaining
- ones as usual.
- uint8 CipherSuite[2]; /* Cryptographic suite selector */
- The ClientHello includes a list of compression algorithms supported
- by the client, ordered according to the client's preference.
- enum { null(0), (255) } CompressionMethod;
- Dierks & Rescorla Standards Track [Page 40]
- RFC 5246 TLS August 2008
- struct {
- ProtocolVersion client_version;
- Random random;
- SessionID session_id;
- CipherSuite cipher_suites<2..2^16-2>;
- CompressionMethod compression_methods<1..2^8-1>;
- select (extensions_present) {
- case false:
- struct {};
- case true:
- Extension extensions<0..2^16-1>;
- };
- } ClientHello;
- TLS allows extensions to follow the compression_methods field in an
- extensions block. The presence of extensions can be detected by
- determining whether there are bytes following the compression_methods
- at the end of the ClientHello. Note that this method of detecting
- optional data differs from the normal TLS method of having a
- variable-length field, but it is used for compatibility with TLS
- before extensions were defined.
- client_version
- The version of the TLS protocol by which the client wishes to
- communicate during this session. This SHOULD be the latest
- (highest valued) version supported by the client. For this
- version of the specification, the version will be 3.3 (see
- Appendix E for details about backward compatibility).
- random
- A client-generated random structure.
- session_id
- The ID of a session the client wishes to use for this connection.
- This field is empty if no session_id is available, or if the
- client wishes to generate new security parameters.
- cipher_suites
- This is a list of the cryptographic options supported by the
- client, with the client's first preference first. If the
- session_id field is not empty (implying a session resumption
- request), this vector MUST include at least the cipher_suite from
- that session. Values are defined in Appendix A.5.
- compression_methods
- This is a list of the compression methods supported by the client,
- sorted by client preference. If the session_id field is not empty
- (implying a session resumption request), it MUST include the
- Dierks & Rescorla Standards Track [Page 41]
- RFC 5246 TLS August 2008
- compression_method from that session. This vector MUST contain,
- and all implementations MUST support, CompressionMethod.null.
- Thus, a client and server will always be able to agree on a
- compression method.
- extensions
- Clients MAY request extended functionality from servers by sending
- data in the extensions field. The actual "Extension" format is
- defined in Section 7.4.1.4.
- In the event that a client requests additional functionality using
- extensions, and this functionality is not supplied by the server, the
- client MAY abort the handshake. A server MUST accept ClientHello
- messages both with and without the extensions field, and (as for all
- other messages) it MUST check that the amount of data in the message
- precisely matches one of these formats; if not, then it MUST send a
- fatal "decode_error" alert.
- After sending the ClientHello message, the client waits for a
- ServerHello message. Any handshake message returned by the server,
- except for a HelloRequest, is treated as a fatal error.
7.4.1.3. Server Hello
- When this message will be sent:
- The server will send this message in response to a ClientHello
- message when it was able to find an acceptable set of algorithms.
- If it cannot find such a match, it will respond with a handshake
- failure alert.
- Structure of this message:
- struct {
- ProtocolVersion server_version;
- Random random;
- SessionID session_id;
- CipherSuite cipher_suite;
- CompressionMethod compression_method;
- select (extensions_present) {
- case false:
- struct {};
- case true:
- Extension extensions<0..2^16-1>;
- };
- } ServerHello;
- Dierks & Rescorla Standards Track [Page 42]
- RFC 5246 TLS August 2008
- The presence of extensions can be detected by determining whether
- there are bytes following the compression_method field at the end of
- the ServerHello.
- server_version
- This field will contain the lower of that suggested by the client
- in the client hello and the highest supported by the server. For
- this version of the specification, the version is 3.3. (See
- Appendix E for details about backward compatibility.)
- random
- This structure is generated by the server and MUST be
- independently generated from the ClientHello.random.
- session_id
- This is the identity of the session corresponding to this
- connection. If the ClientHello.session_id was non-empty, the
- server will look in its session cache for a match. If a match is
- found and the server is willing to establish the new connection
- using the specified session state, the server will respond with
- the same value as was supplied by the client. This indicates a
- resumed session and dictates that the parties must proceed
- directly to the Finished messages. Otherwise, this field will
- contain a different value identifying the new session. The server
- may return an empty session_id to indicate that the session will
- not be cached and therefore cannot be resumed. If a session is
- resumed, it must be resumed using the same cipher suite it was
- originally negotiated with. Note that there is no requirement
- that the server resume any session even if it had formerly
- provided a session_id. Clients MUST be prepared to do a full
- negotiation -- including negotiating new cipher suites -- during
- any handshake.
- cipher_suite
- The single cipher suite selected by the server from the list in
- ClientHello.cipher_suites. For resumed sessions, this field is
- the value from the state of the session being resumed.
- compression_method
- The single compression algorithm selected by the server from the
- list in ClientHello.compression_methods. For resumed sessions,
- this field is the value from the resumed session state.
- extensions
- A list of extensions. Note that only extensions offered by the
- client can appear in the server's list.
- Dierks & Rescorla Standards Track [Page 43]
- RFC 5246 TLS August 2008
7.4.1.4. Hello Extensions
- The extension format is:
- struct {
- ExtensionType extension_type;
- opaque extension_data<0..2^16-1>;
- } Extension;
- enum {
- signature_algorithms(13), (65535)
- } ExtensionType;
- Here:
- - "extension_type" identifies the particular extension type.
- - "extension_data" contains information specific to the particular
- extension type.
- The initial set of extensions is defined in a companion document
- [TLSEXT]. The list of extension types is maintained by IANA as
- described in Section 12.
- An extension type MUST NOT appear in the ServerHello unless the same
- extension type appeared in the corresponding ClientHello. If a
- client receives an extension type in ServerHello that it did not
- request in the associated ClientHello, it MUST abort the handshake
- with an unsupported_extension fatal alert.
- Nonetheless, "server-oriented" extensions may be provided in the
- future within this framework. Such an extension (say, of type x)
- would require the client to first send an extension of type x in a
- ClientHello with empty extension_data to indicate that it supports
- the extension type. In this case, the client is offering the
- capability to understand the extension type, and the server is taking
- the client up on its offer.
- When multiple extensions of different types are present in the
- ClientHello or ServerHello messages, the extensions MAY appear in any
- order. There MUST NOT be more than one extension of the same type.
- Finally, note that extensions can be sent both when starting a new
- session and when requesting session resumption. Indeed, a client
- that requests session resumption does not in general know whether the
- server will accept this request, and therefore it SHOULD send the
- same extensions as it would send if it were not attempting
- resumption.
- Dierks & Rescorla Standards Track [Page 44]
- RFC 5246 TLS August 2008
- In general, the specification of each extension type needs to
- describe the effect of the extension both during full handshake and
- session resumption. Most current TLS extensions are relevant only
- when a session is initiated: when an older session is resumed, the
- server does not process these extensions in Client Hello, and does
- not include them in Server Hello. However, some extensions may
- specify different behavior during session resumption.
- There are subtle (and not so subtle) interactions that may occur in
- this protocol between new features and existing features which may
- result in a significant reduction in overall security. The following
- considerations should be taken into account when designing new
- extensions:
- - Some cases where a server does not agree to an extension are error
- conditions, and some are simply refusals to support particular
- features. In general, error alerts should be used for the former,
- and a field in the server extension response for the latter.
- - Extensions should, as far as possible, be designed to prevent any
- attack that forces use (or non-use) of a particular feature by
- manipulation of handshake messages. This principle should be
- followed regardless of whether the feature is believed to cause a
- security problem.
- Often the fact that the extension fields are included in the
- inputs to the Finished message hashes will be sufficient, but
- extreme care is needed when the extension changes the meaning of
- messages sent in the handshake phase. Designers and implementors
- should be aware of the fact that until the handshake has been
- authenticated, active attackers can modify messages and insert,
- remove, or replace extensions.
- - It would be technically possible to use extensions to change major
- aspects of the design of TLS; for example the design of cipher
- suite negotiation. This is not recommended; it would be more
- appropriate to define a new version of TLS -- particularly since
- the TLS handshake algorithms have specific protection against
- version rollback attacks based on the version number, and the
- possibility of version rollback should be a significant
- consideration in any major design change.
7.4.1.4.1. Signature Algorithms
- The client uses the "signature_algorithms" extension to indicate to
- the server which signature/hash algorithm pairs may be used in
- digital signatures. The "extension_data" field of this extension
- contains a "supported_signature_algorithms" value.
- Dierks & Rescorla Standards Track [Page 45]
- RFC 5246 TLS August 2008
- enum {
- none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
- sha512(6), (255)
- } HashAlgorithm;
- enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
- SignatureAlgorithm;
- struct {
- HashAlgorithm hash;
- SignatureAlgorithm signature;
- } SignatureAndHashAlgorithm;
- SignatureAndHashAlgorithm
- supported_signature_algorithms<2..2^16-2>;
- Each SignatureAndHashAlgorithm value lists a single hash/signature
- pair that the client is willing to verify. The values are indicated
- in descending order of preference.
- Note: Because not all signature algorithms and hash algorithms may be
- accepted by an implementation (e.g., DSA with SHA-1, but not
- SHA-256), algorithms here are listed in pairs.
- hash
- This field indicates the hash algorithm which may be used. The
- values indicate support for unhashed data, MD5 [MD5], SHA-1,
- SHA-224, SHA-256, SHA-384, and SHA-512 [SHS], respectively. The
- "none" value is provided for future extensibility, in case of a
- signature algorithm which does not require hashing before signing.
- signature
- This field indicates the signature algorithm that may be used.
- The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
- [PKCS1] and DSA [DSS], and ECDSA [ECDSA], respectively. The
- "anonymous" value is meaningless in this context but used in
- Section 7.4.3. It MUST NOT appear in this extension.
- The semantics of this extension are somewhat complicated because the
- cipher suite indicates permissible signature algorithms but not hash
- algorithms. Sections 7.4.2 and 7.4.3 describe the appropriate rules.
- If the client supports only the default hash and signature algorithms
- (listed in this section), it MAY omit the signature_algorithms
- extension. If the client does not support the default algorithms, or
- supports other hash and signature algorithms (and it is willing to
- use them for verifying messages sent by the server, i.e., server
- certificates and server key exchange), it MUST send the
- Dierks & Rescorla Standards Track [Page 46]
- RFC 5246 TLS August 2008
- signature_algorithms extension, listing the algorithms it is willing
- to accept.
- If the client does not send the signature_algorithms extension, the
- server MUST do the following:
- - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
- DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
- sent the value {sha1,rsa}.
- - If the negotiated key exchange algorithm is one of (DHE_DSS,
- DH_DSS), behave as if the client had sent the value {sha1,dsa}.
- - If the negotiated key exchange algorithm is one of (ECDH_ECDSA,
- ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}.
- Note: this is a change from TLS 1.1 where there are no explicit
- rules, but as a practical matter one can assume that the peer
- supports MD5 and SHA-1.
- Note: this extension is not meaningful for TLS versions prior to 1.2.
- Clients MUST NOT offer it if they are offering prior versions.
- However, even if clients do offer it, the rules specified in [TLSEXT]
- require servers to ignore extensions they do not understand.
- Servers MUST NOT send this extension. TLS servers MUST support
- receiving this extension.
- When performing session resumption, this extension is not included in
- Server Hello, and the server ignores the extension in Client Hello
- (if present).
7.4.2. Server Certificate
- When this message will be sent:
- The server MUST send a Certificate message whenever the agreed-
- upon key exchange method uses certificates for authentication
- (this includes all key exchange methods defined in this document
- except DH_anon). This message will always immediately follow the
- ServerHello message.
- Meaning of this message:
- This message conveys the server's certificate chain to the client.
- The certificate MUST be appropriate for the negotiated cipher
- suite's key exchange algorithm and any negotiated extensions.
- Dierks & Rescorla Standards Track [Page 47]
- RFC 5246 TLS August 2008
- Structure of this message:
- opaque ASN.1Cert<1..2^24-1>;
- struct {
- ASN.1Cert certificate_list<0..2^24-1>;
- } Certificate;
- certificate_list
- This is a sequence (chain) of certificates. The sender's
- certificate MUST come first in the list. Each following
- certificate MUST directly certify the one preceding it. Because
- certificate validation requires that root keys be distributed
- independently, the self-signed certificate that specifies the root
- certificate authority MAY be omitted from the chain, under the
- assumption that the remote end must already possess it in order to
- validate it in any case.
- The same message type and structure will be used for the client's
- response to a certificate request message. Note that a client MAY
- send no certificates if it does not have an appropriate certificate
- to send in response to the server's authentication request.
- Note: PKCS #7 [PKCS7] is not used as the format for the certificate
- vector because PKCS #6 [PKCS6] extended certificates are not used.
- Also, PKCS #7 defines a SET rather than a SEQUENCE, making the task
- of parsing the list more difficult.
- The following rules apply to the certificates sent by the server:
- - The certificate type MUST be X.509v3, unless explicitly negotiated
- otherwise (e.g., [TLSPGP]).
- - The end entity certificate's public key (and associated
- restrictions) MUST be compatible with the selected key exchange
- algorithm.
- Key Exchange Alg. Certificate Key Type
- RSA RSA public key; the certificate MUST allow the
- RSA_PSK key to be used for encryption (the
- keyEncipherment bit MUST be set if the key
- usage extension is present).
- Note: RSA_PSK is defined in [TLSPSK].
- Dierks & Rescorla Standards Track [Page 48]
- RFC 5246 TLS August 2008
- DHE_RSA RSA public key; the certificate MUST allow the
- ECDHE_RSA key to be used for signing (the
- digitalSignature bit MUST be set if the key
- usage extension is present) with the signature
- scheme and hash algorithm that will be employed
- in the server key exchange message.
- Note: ECDHE_RSA is defined in [TLSECC].
- DHE_DSS DSA public key; the certificate MUST allow the
- key to be used for signing with the hash
- algorithm that will be employed in the server
- key exchange message.
- DH_DSS Diffie-Hellman public key; the keyAgreement bit
- DH_RSA MUST be set if the key usage extension is
- present.
- ECDH_ECDSA ECDH-capable public key; the public key MUST
- ECDH_RSA use a curve and point format supported by the
- client, as described in [TLSECC].
- ECDHE_ECDSA ECDSA-capable public key; the certificate MUST
- allow the key to be used for signing with the
- hash algorithm that will be employed in the
- server key exchange message. The public key
- MUST use a curve and point format supported by
- the client, as described in [TLSECC].
- - The "server_name" and "trusted_ca_keys" extensions [TLSEXT] are
- used to guide certificate selection.
- If the client provided a "signature_algorithms" extension, then all
- certificates provided by the server MUST be signed by a
- hash/signature algorithm pair that appears in that extension. Note
- that this implies that a certificate containing a key for one
- signature algorithm MAY be signed using a different signature
- algorithm (for instance, an RSA key signed with a DSA key). This is
- a departure from TLS 1.1, which required that the algorithms be the
- same. Note that this also implies that the DH_DSS, DH_RSA,
- ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the
- algorithm used to sign the certificate. Fixed DH certificates MAY be
- signed with any hash/signature algorithm pair appearing in the
- extension. The names DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are
- historical.
- Dierks & Rescorla Standards Track [Page 49]
- RFC 5246 TLS August 2008
- If the server has multiple certificates, it chooses one of them based
- on the above-mentioned criteria (in addition to other criteria, such
- as transport layer endpoint, local configuration and preferences,
- etc.). If the server has a single certificate, it SHOULD attempt to
- validate that it meets these criteria.
- Note that there are certificates that use algorithms and/or algorithm
- combinations that cannot be currently used with TLS. For example, a
- certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
- SubjectPublicKeyInfo) cannot be used because TLS defines no
- corresponding signature algorithm.
- As cipher suites that specify new key exchange methods are specified
- for the TLS protocol, they will imply the certificate format and the
- required encoded keying information.
7.4.3. Server Key Exchange Message
- When this message will be sent:
- This message will be sent immediately after the server Certificate
- message (or the ServerHello message, if this is an anonymous
- negotiation).
- The ServerKeyExchange message is sent by the server only when the
- server Certificate message (if sent) does not contain enough data
- to allow the client to exchange a premaster secret. This is true
- for the following key exchange methods:
- DHE_DSS
- DHE_RSA
- DH_anon
- It is not legal to send the ServerKeyExchange message for the
- following key exchange methods:
- RSA
- DH_DSS
- DH_RSA
- Other key exchange algorithms, such as those defined in [TLSECC],
- MUST specify whether the ServerKeyExchange message is sent or not;
- and if the message is sent, its contents.
- Dierks & Rescorla Standards Track [Page 50]
- RFC 5246 TLS August 2008
- Meaning of this message:
- This message conveys cryptographic information to allow the client
- to communicate the premaster secret: a Diffie-Hellman public key
- with which the client can complete a key exchange (with the result
- being the premaster secret) or a public key for some other
- algorithm.
- Structure of this message:
- enum { dhe_dss, dhe_rsa, dh_anon, rsa, dh_dss, dh_rsa
- /* may be extended, e.g., for ECDH -- see [TLSECC] */
- } KeyExchangeAlgorithm;
- struct {
- opaque dh_p<1..2^16-1>;
- opaque dh_g<1..2^16-1>;
- opaque dh_Ys<1..2^16-1>;
- } ServerDHParams; /* Ephemeral DH parameters */
- dh_p
- The prime modulus used for the Diffie-Hellman operation.
- dh_g
- The generator used for the Diffie-Hellman operation.
- dh_Ys
- The server's Diffie-Hellman public value (g^X mod p).
- Dierks & Rescorla Standards Track [Page 51]
- RFC 5246 TLS August 2008
- struct {
- select (KeyExchangeAlgorithm) {
- case dh_anon:
- ServerDHParams params;
- case dhe_dss:
- case dhe_rsa:
- ServerDHParams params;
- digitally-signed struct {
- opaque client_random[32];
- opaque server_random[32];
- ServerDHParams params;
- } signed_params;
- case rsa:
- case dh_dss:
- case dh_rsa:
- struct {} ;
- /* message is omitted for rsa, dh_dss, and dh_rsa */
- /* may be extended, e.g., for ECDH -- see [TLSECC] */
- };
- } ServerKeyExchange;
- params
- The server's key exchange parameters.
- signed_params
- For non-anonymous key exchanges, a signature over the server's
- key exchange parameters.
- If the client has offered the "signature_algorithms" extension, the
- signature algorithm and hash algorithm MUST be a pair listed in that
- extension. Note that there is a possibility for inconsistencies
- here. For instance, the client might offer DHE_DSS key exchange but
- omit any DSA pairs from its "signature_algorithms" extension. In
- order to negotiate correctly, the server MUST check any candidate
- cipher suites against the "signature_algorithms" extension before
- selecting them. This is somewhat inelegant but is a compromise
- designed to minimize changes to the original cipher suite design.
- In addition, the hash and signature algorithms MUST be compatible
- with the key in the server's end-entity certificate. RSA keys MAY be
- used with any permitted hash algorithm, subject to restrictions in
- the certificate, if any.
- Because DSA signatures do not contain any secure indication of hash
- algorithm, there is a risk of hash substitution if multiple hashes
- may be used with any key. Currently, DSA [DSS] may only be used with
- SHA-1. Future revisions of DSS [DSS-3] are expected to allow the use
- of other digest algorithms with DSA, as well as guidance as to which
- Dierks & Rescorla Standards Track [Page 52]
- RFC 5246 TLS August 2008
- digest algorithms should be used with each key size. In addition,
- future revisions of [PKIX] may specify mechanisms for certificates to
- indicate which digest algorithms are to be used with DSA.
- As additional cipher suites are defined for TLS that include new key
- exchange algorithms, the server key exchange message will be sent if
- and only if the certificate type associated with the key exchange
- algorithm does not provide enough information for the client to
- exchange a premaster secret.
7.4.4. Certificate Request
- When this message will be sent:
- A non-anonymous server can optionally request a certificate from
- the client, if appropriate for the selected cipher suite. This
- message, if sent, will immediately follow the ServerKeyExchange
- message (if it is sent; otherwise, this message follows the
- server's Certificate message).
- Structure of this message:
- enum {
- rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
- rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
- fortezza_dms_RESERVED(20), (255)
- } ClientCertificateType;
- opaque DistinguishedName<1..2^16-1>;
- struct {
- ClientCertificateType certificate_types<1..2^8-1>;
- SignatureAndHashAlgorithm
- supported_signature_algorithms<2^16-1>;
- DistinguishedName certificate_authorities<0..2^16-1>;
- } CertificateRequest;
- certificate_types
- A list of the types of certificate types that the client may
- offer.
- rsa_sign a certificate containing an RSA key
- dss_sign a certificate containing a DSA key
- rsa_fixed_dh a certificate containing a static DH key.
- dss_fixed_dh a certificate containing a static DH key
- Dierks & Rescorla Standards Track [Page 53]
- RFC 5246 TLS August 2008
- supported_signature_algorithms
- A list of the hash/signature algorithm pairs that the server is
- able to verify, listed in descending order of preference.
- certificate_authorities
- A list of the distinguished names [X501] of acceptable
- certificate_authorities, represented in DER-encoded format. These
- distinguished names may specify a desired distinguished name for a
- root CA or for a subordinate CA; thus, this message can be used to
- describe known roots as well as a desired authorization space. If
- the certificate_authorities list is empty, then the client MAY
- send any certificate of the appropriate ClientCertificateType,
- unless there is some external arrangement to the contrary.
- The interaction of the certificate_types and
- supported_signature_algorithms fields is somewhat complicated.
- certificate_types has been present in TLS since SSLv3, but was
- somewhat underspecified. Much of its functionality is superseded by
- supported_signature_algorithms. The following rules apply:
- - Any certificates provided by the client MUST be signed using a
- hash/signature algorithm pair found in
- supported_signature_algorithms.
- - The end-entity certificate provided by the client MUST contain a
- key that is compatible with certificate_types. If the key is a
- signature key, it MUST be usable with some hash/signature
- algorithm pair in supported_signature_algorithms.
- - For historical reasons, the names of some client certificate types
- include the algorithm used to sign the certificate. For example,
- in earlier versions of TLS, rsa_fixed_dh meant a certificate
- signed with RSA and containing a static DH key. In TLS 1.2, this
- functionality has been obsoleted by the
- supported_signature_algorithms, and the certificate type no longer
- restricts the algorithm used to sign the certificate. For
- example, if the server sends dss_fixed_dh certificate type and
- {{sha1, dsa}, {sha1, rsa}} signature types, the client MAY reply
- with a certificate containing a static DH key, signed with RSA-
- SHA1.
- New ClientCertificateType values are assigned by IANA as described in
- Section 12.
- Note: Values listed as RESERVED may not be used. They were used in
- SSLv3.
- Dierks & Rescorla Standards Track [Page 54]
- RFC 5246 TLS August 2008
- Note: It is a fatal handshake_failure alert for an anonymous server
- to request client authentication.
7.4.5. Server Hello Done
- When this message will be sent:
- The ServerHelloDone message is sent by the server to indicate the
- end of the ServerHello and associated messages. After sending
- this message, the server will wait for a client response.
- Meaning of this message:
- This message means that the server is done sending messages to
- support the key exchange, and the client can proceed with its
- phase of the key exchange.
- Upon receipt of the ServerHelloDone message, the client SHOULD
- verify that the server provided a valid certificate, if required,
- and check that the server hello parameters are acceptable.
- Structure of this message:
- struct { } ServerHelloDone;
7.4.6. Client Certificate
- When this message will be sent:
- This is the first message the client can send after receiving a
- ServerHelloDone message. This message is only sent if the server
- requests a certificate. If no suitable certificate is available,
- the client MUST send a certificate message containing no
- certificates. That is, the certificate_list structure has a
- length of zero. If the client does not send any certificates, the
- server MAY at its discretion either continue the handshake without
- client authentication, or respond with a fatal handshake_failure
- alert. Also, if some aspect of the certificate chain was
- unacceptable (e.g., it was not signed by a known, trusted CA), the
- server MAY at its discretion either continue the handshake
- (considering the client unauthenticated) or send a fatal alert.
- Client certificates are sent using the Certificate structure
- defined in Section 7.4.2.
- Dierks & Rescorla Standards Track [Page 55]
- RFC 5246 TLS August 2008
- Meaning of this message:
- This message conveys the client's certificate chain to the server;
- the server will use it when verifying the CertificateVerify
- message (when the client authentication is based on signing) or
- calculating the premaster secret (for non-ephemeral Diffie-
- Hellman). The certificate MUST be appropriate for the negotiated
- cipher suite's key exchange algorithm, and any negotiated
- extensions.
- In particular:
- - The certificate type MUST be X.509v3, unless explicitly negotiated
- otherwise (e.g., [TLSPGP]).
- - The end-entity certificate's public key (and associated
- restrictions) has to be compatible with the certificate types
- listed in CertificateRequest:
- Client Cert. Type Certificate Key Type
- rsa_sign RSA public key; the certificate MUST allow the
- key to be used for signing with the signature
- scheme and hash algorithm that will be
- employed in the certificate verify message.
- dss_sign DSA public key; the certificate MUST allow the
- key to be used for signing with the hash
- algorithm that will be employed in the
- certificate verify message.
- ecdsa_sign ECDSA-capable public key; the certificate MUST
- allow the key to be used for signing with the
- hash algorithm that will be employed in the
- certificate verify message; the public key
- MUST use a curve and point format supported by
- the server.
- rsa_fixed_dh Diffie-Hellman public key; MUST use the same
- dss_fixed_dh parameters as server's key.
- rsa_fixed_ecdh ECDH-capable public key; MUST use the
- ecdsa_fixed_ecdh same curve as the server's key, and MUST use a
- point format supported by the server.
- - If the certificate_authorities list in the certificate request
- message was non-empty, one of the certificates in the certificate
- chain SHOULD be issued by one of the listed CAs.
- Dierks & Rescorla Standards Track [Page 56]
- RFC 5246 TLS August 2008
- - The certificates MUST be signed using an acceptable hash/
- signature algorithm pair, as described in Section 7.4.4. Note
- that this relaxes the constraints on certificate-signing
- algorithms found in prior versions of TLS.
- Note that, as with the server certificate, there are certificates
- that use algorithms/algorithm combinations that cannot be currently
- used with TLS.
7.4.7. Client Key Exchange Message
- When this message will be sent:
- This message is always sent by the client. It MUST immediately
- follow the client certificate message, if it is sent. Otherwise,
- it MUST be the first message sent by the client after it receives
- the ServerHelloDone message.
- Meaning of this message:
- With this message, the premaster secret is set, either by direct
- transmission of the RSA-encrypted secret or by the transmission of
- Diffie-Hellman parameters that will allow each side to agree upon
- the same premaster secret.
- When the client is using an ephemeral Diffie-Hellman exponent,
- then this message contains the client's Diffie-Hellman public
- value. If the client is sending a certificate containing a static
- DH exponent (i.e., it is doing fixed_dh client authentication),
- then this message MUST be sent but MUST be empty.
- Structure of this message:
- The choice of messages depends on which key exchange method has
- been selected. See Section 7.4.3 for the KeyExchangeAlgorithm
- definition.
- Dierks & Rescorla Standards Track [Page 57]
- RFC 5246 TLS August 2008
- struct {
- select (KeyExchangeAlgorithm) {
- case rsa:
- EncryptedPreMasterSecret;
- case dhe_dss:
- case dhe_rsa:
- case dh_dss:
- case dh_rsa:
- case dh_anon:
- ClientDiffieHellmanPublic;
- } exchange_keys;
- } ClientKeyExchange;
7.4.7.1. RSA-Encrypted Premaster Secret Message
- Meaning of this message:
- If RSA is being used for key agreement and authentication, the
- client generates a 48-byte premaster secret, encrypts it using the
- public key from the server's certificate, and sends the result in
- an encrypted premaster secret message. This structure is a
- variant of the ClientKeyExchange message and is not a message in
- itself.
- Structure of this message:
- struct {
- ProtocolVersion client_version;
- opaque random[46];
- } PreMasterSecret;
- client_version
- The latest (newest) version supported by the client. This is
- used to detect version rollback attacks.
- random
- 46 securely-generated random bytes.
- struct {
- public-key-encrypted PreMasterSecret pre_master_secret;
- } EncryptedPreMasterSecret;
- pre_master_secret
- This random value is generated by the client and is used to
- generate the master secret, as specified in Section 8.1.
- Dierks & Rescorla Standards Track [Page 58]
- RFC 5246 TLS August 2008
- Note: The version number in the PreMasterSecret is the version
- offered by the client in the ClientHello.client_version, not the
- version negotiated for the connection. This feature is designed to
- prevent rollback attacks. Unfortunately, some old implementations
- use the negotiated version instead, and therefore checking the
- version number may lead to failure to interoperate with such
- incorrect client implementations.
- Client implementations MUST always send the correct version number in
- PreMasterSecret. If ClientHello.client_version is TLS 1.1 or higher,
- server implementations MUST check the version number as described in
- the note below. If the version number is TLS 1.0 or earlier, server
- implementations SHOULD check the version number, but MAY have a
- configuration option to disable the check. Note that if the check
- fails, the PreMasterSecret SHOULD be randomized as described below.
- Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al.
- [KPR03] can be used to attack a TLS server that reveals whether a
- particular message, when decrypted, is properly PKCS#1 formatted,
- contains a valid PreMasterSecret structure, or has the correct
- version number.
- As described by Klima [KPR03], these vulnerabilities can be avoided
- by treating incorrectly formatted message blocks and/or mismatched
- version numbers in a manner indistinguishable from correctly
- formatted RSA blocks. In other words:
- 1. Generate a string R of 46 random bytes
- 2. Decrypt the message to recover the plaintext M
- 3. If the PKCS#1 padding is not correct, or the length of message
- M is not exactly 48 bytes:
- pre_master_secret = ClientHello.client_version || R
- else If ClientHello.client_version <= TLS 1.0, and version
- number check is explicitly disabled:
- pre_master_secret = M
- else:
- pre_master_secret = ClientHello.client_version || M[2..47]
- Note that explicitly constructing the pre_master_secret with the
- ClientHello.client_version produces an invalid master_secret if the
- client has sent the wrong version in the original pre_master_secret.
- An alternative approach is to treat a version number mismatch as a
- PKCS-1 formatting error and randomize the premaster secret
- completely:
- Dierks & Rescorla Standards Track [Page 59]
- RFC 5246 TLS August 2008
- 1. Generate a string R of 48 random bytes
- 2. Decrypt the message to recover the plaintext M
- 3. If the PKCS#1 padding is not correct, or the length of message
- M is not exactly 48 bytes:
- pre_master_secret = R
- else If ClientHello.client_version <= TLS 1.0, and version
- number check is explicitly disabled:
- premaster secret = M
- else If M[0..1] != ClientHello.client_version:
- premaster secret = R
- else:
- premaster secret = M
- Although no practical attacks against this construction are known,
- Klima et al. [KPR03] describe some theoretical attacks, and therefore
- the first construction described is RECOMMENDED.
- In any case, a TLS server MUST NOT generate an alert if processing an
- RSA-encrypted premaster secret message fails, or the version number
- is not as expected. Instead, it MUST continue the handshake with a
- randomly generated premaster secret. It may be useful to log the
- real cause of failure for troubleshooting purposes; however, care
- must be taken to avoid leaking the information to an attacker
- (through, e.g., timing, log files, or other channels.)
- The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure
- against the Bleichenbacher attack. However, for maximal
- compatibility with earlier versions of TLS, this specification uses
- the RSAES-PKCS1-v1_5 scheme. No variants of the Bleichenbacher
- attack are known to exist provided that the above recommendations are
- followed.
- Implementation note: Public-key-encrypted data is represented as an
- opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted
- PreMasterSecret in a ClientKeyExchange is preceded by two length
- bytes. These bytes are redundant in the case of RSA because the
- EncryptedPreMasterSecret is the only data in the ClientKeyExchange
- and its length can therefore be unambiguously determined. The SSLv3
- specification was not clear about the encoding of public-key-
- encrypted data, and therefore many SSLv3 implementations do not
- include the length bytes -- they encode the RSA-encrypted data
- directly in the ClientKeyExchange message.
- This specification requires correct encoding of the
- EncryptedPreMasterSecret complete with length bytes. The resulting
- PDU is incompatible with many SSLv3 implementations. Implementors
- Dierks & Rescorla Standards Track [Page 60]
- RFC 5246 TLS August 2008
- upgrading from SSLv3 MUST modify their implementations to generate
- and accept the correct encoding. Implementors who wish to be
- compatible with both SSLv3 and TLS should make their implementation's
- behavior dependent on the protocol version.
- Implementation note: It is now known that remote timing-based attacks
- on TLS are possible, at least when the client and server are on the
- same LAN. Accordingly, implementations that use static RSA keys MUST
- use RSA blinding or some other anti-timing technique, as described in
- [TIMING].
7.4.7.2. Client Diffie-Hellman Public Value
- Meaning of this message:
- This structure conveys the client's Diffie-Hellman public value
- (Yc) if it was not already included in the client's certificate.
- The encoding used for Yc is determined by the enumerated
- PublicValueEncoding. This structure is a variant of the client
- key exchange message, and not a message in itself.
- Structure of this message:
- enum { implicit, explicit } PublicValueEncoding;
- implicit
- If the client has sent a certificate which contains a suitable
- Diffie-Hellman key (for fixed_dh client authentication), then
- Yc is implicit and does not need to be sent again. In this
- case, the client key exchange message will be sent, but it MUST
- be empty.
- explicit
- Yc needs to be sent.
- struct {
- select (PublicValueEncoding) {
- case implicit: struct { };
- case explicit: opaque dh_Yc<1..2^16-1>;
- } dh_public;
- } ClientDiffieHellmanPublic;
- dh_Yc
- The client's Diffie-Hellman public value (Yc).
- Dierks & Rescorla Standards Track [Page 61]
- RFC 5246 TLS August 2008
7.4.8. Certificate Verify
- When this message will be sent:
- This message is used to provide explicit verification of a client
- certificate. This message is only sent following a client
- certificate that has signing capability (i.e., all certificates
- except those containing fixed Diffie-Hellman parameters). When
- sent, it MUST immediately follow the client key exchange message.
- Structure of this message:
- struct {
- digitally-signed struct {
- opaque handshake_messages[handshake_messages_length];
- }
- } CertificateVerify;
- Here handshake_messages refers to all handshake messages sent or
- received, starting at client hello and up to, but not including,
- this message, including the type and length fields of the
- handshake messages. This is the concatenation of all the
- Handshake structures (as defined in Section 7.4) exchanged thus
- far. Note that this requires both sides to either buffer the
- messages or compute running hashes for all potential hash
- algorithms up to the time of the CertificateVerify computation.
- Servers can minimize this computation cost by offering a
- restricted set of digest algorithms in the CertificateRequest
- message.
- The hash and signature algorithms used in the signature MUST be
- one of those present in the supported_signature_algorithms field
- of the CertificateRequest message. In addition, the hash and
- signature algorithms MUST be compatible with the key in the
- client's end-entity certificate. RSA keys MAY be used with any
- permitted hash algorithm, subject to restrictions in the
- certificate, if any.
- Because DSA signatures do not contain any secure indication of
- hash algorithm, there is a risk of hash substitution if multiple
- hashes may be used with any key. Currently, DSA [DSS] may only be
- used with SHA-1. Future revisions of DSS [DSS-3] are expected to
- allow the use of other digest algorithms with DSA, as well as
- guidance as to which digest algorithms should be used with each
- key size. In addition, future revisions of [PKIX] may specify
- mechanisms for certificates to indicate which digest algorithms
- are to be used with DSA.
- Dierks & Rescorla Standards Track [Page 62]
- RFC 5246 TLS August 2008
7.4.9. Finished
- When this message will be sent:
- A Finished message is always sent immediately after a change
- cipher spec message to verify that the key exchange and
- authentication processes were successful. It is essential that a
- change cipher spec message be received between the other handshake
- messages and the Finished message.
- Meaning of this message:
- The Finished message is the first one protected with the just
- negotiated algorithms, keys, and secrets. Recipients of Finished
- messages MUST verify that the contents are correct. Once a side
- has sent its Finished message and received and validated the
- Finished message from its peer, it may begin to send and receive
- application data over the connection.
- Structure of this message:
- struct {
- opaque verify_data[verify_data_length];
- } Finished;
- verify_data
- PRF(master_secret, finished_label, Hash(handshake_messages))
- [0..verify_data_length-1];
- finished_label
- For Finished messages sent by the client, the string
- "client finished". For Finished messages sent by the server,
- the string "server finished".
- Hash denotes a Hash of the handshake messages. For the PRF
- defined in Section 5, the Hash MUST be the Hash used as the basis
- for the PRF. Any cipher suite which defines a different PRF MUST
- also define the Hash to use in the Finished computation.
- In previous versions of TLS, the verify_data was always 12 octets
- long. In the current version of TLS, it depends on the cipher
- suite. Any cipher suite which does not explicitly specify
- verify_data_length has a verify_data_length equal to 12. This
- includes all existing cipher suites. Note that this
- representation has the same encoding as with previous versions.
- Future cipher suites MAY specify other lengths but such length
- MUST be at least 12 bytes.
- Dierks & Rescorla Standards Track [Page 63]
- RFC 5246 TLS August 2008
- handshake_messages
- All of the data from all messages in this handshake (not
- including any HelloRequest messages) up to, but not including,
- this message. This is only data visible at the handshake layer
- and does not include record layer headers. This is the
- concatenation of all the Handshake structures as defined in
- Section 7.4, exchanged thus far.
- It is a fatal error if a Finished message is not preceded by a
- ChangeCipherSpec message at the appropriate point in the handshake.
- The value handshake_messages includes all handshake messages starting
- at ClientHello up to, but not including, this Finished message. This
- may be different from handshake_messages in Section 7.4.8 because it
- would include the CertificateVerify message (if sent). Also, the
- handshake_messages for the Finished message sent by the client will
- be different from that for the Finished message sent by the server,
- because the one that is sent second will include the prior one.
- Note: ChangeCipherSpec messages, alerts, and any other record types
- are not handshake messages and are not included in the hash
- computations. Also, HelloRequest messages are omitted from handshake
- hashes.
8. Cryptographic Computations
- In order to begin connection protection, the TLS Record Protocol
- requires specification of a suite of algorithms, a master secret, and
- the client and server random values. The authentication, encryption,
- and MAC algorithms are determined by the cipher_suite selected by the
- server and revealed in the ServerHello message. The compression
- algorithm is negotiated in the hello messages, and the random values
- are exchanged in the hello messages. All that remains is to
- calculate the master secret.
8.1. Computing the Master Secret
- For all key exchange methods, the same algorithm is used to convert
- the pre_master_secret into the master_secret. The pre_master_secret
- should be deleted from memory once the master_secret has been
- computed.
- master_secret = PRF(pre_master_secret, "master secret",
- ClientHello.random + ServerHello.random)
- [0..47];
- The master secret is always exactly 48 bytes in length. The length
- of the premaster secret will vary depending on key exchange method.
- Dierks & Rescorla Standards Track [Page 64]
- RFC 5246 TLS August 2008
8.1.1. RSA
- When RSA is used for server authentication and key exchange, a 48-
- byte pre_master_secret is generated by the client, encrypted under
- the server's public key, and sent to the server. The server uses its
- private key to decrypt the pre_master_secret. Both parties then
- convert the pre_master_secret into the master_secret, as specified
- above.
8.1.2. Diffie-Hellman
- A conventional Diffie-Hellman computation is performed. The
- negotiated key (Z) is used as the pre_master_secret, and is converted
- into the master_secret, as specified above. Leading bytes of Z that
- contain all zero bits are stripped before it is used as the
- pre_master_secret.
- Note: Diffie-Hellman parameters are specified by the server and may
- be either ephemeral or contained within the server's certificate.
9. Mandatory Cipher Suites
- In the absence of an application profile standard specifying
- otherwise, a TLS-compliant application MUST implement the cipher
- suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
- definition).
10. Application Data Protocol
- Application data messages are carried by the record layer and are
- fragmented, compressed, and encrypted based on the current connection
- state. The messages are treated as transparent data to the record
- layer.
11. Security Considerations
- Security issues are discussed throughout this memo, especially in
- Appendices D, E, and F.
12. IANA Considerations
- RFC 5246 TLS August 2008
- - TLS ClientCertificateType Identifiers Registry: Future values in
- the range 0-63 (decimal) inclusive are assigned via Standards
- Action [RFC2434]. Values in the range 64-223 (decimal) inclusive
- are assigned via Specification Required [RFC2434]. Values from
- 224-255 (decimal) inclusive are reserved for Private Use
- [RFC2434].
- - TLS Cipher Suite Registry: Future values with the first byte in
- the range 0-191 (decimal) inclusive are assigned via Standards
- Action [RFC2434]. Values with the first byte in the range 192-254
- (decimal) are assigned via Specification Required [RFC2434].
- Values with the first byte 255 (decimal) are reserved for Private
- Use [RFC2434].
- - This document defines several new HMAC-SHA256-based cipher suites,
- whose values (in Appendix A.5) have been allocated from the TLS
- Cipher Suite registry.
- - TLS ContentType Registry: Future values are allocated via
- Standards Action [RFC2434].
- - TLS Alert Registry: Future values are allocated via Standards
- Action [RFC2434].
- - TLS HandshakeType Registry: Future values are allocated via
- Standards Action [RFC2434].
- This document also uses a registry originally created in [RFC4366].
- IANA has updated it to reference this document. The registry and its
- allocation policy (unchanged from [RFC4366]) is listed below:
- - TLS ExtensionType Registry: Future values are allocated via IETF
- Consensus [RFC2434]. IANA has updated this registry to include
- the signature_algorithms extension and its corresponding value
- (see Section 7.4.1.4).
- In addition, this document defines two new registries to be
- maintained by IANA:
- - TLS SignatureAlgorithm Registry: The registry has been initially
- populated with the values described in Section 7.4.1.4.1. Future
- values in the range 0-63 (decimal) inclusive are assigned via
- Standards Action [RFC2434]. Values in the range 64-223 (decimal)
- inclusive are assigned via Specification Required [RFC2434].
- Values from 224-255 (decimal) inclusive are reserved for Private
- Use [RFC2434].
- Dierks & Rescorla Standards Track [Page 66]
- RFC 5246 TLS August 2008
- - TLS HashAlgorithm Registry: The registry has been initially
- populated with the values described in Section 7.4.1.4.1. Future
- values in the range 0-63 (decimal) inclusive are assigned via
- Standards Action [RFC2434]. Values in the range 64-223 (decimal)
- inclusive are assigned via Specification Required [RFC2434].
- Values from 224-255 (decimal) inclusive are reserved for Private
- Use [RFC2434].
- This document also uses the TLS Compression Method Identifiers
- Registry, defined in [RFC3749]. IANA has allocated value 0 for
- the "null" compression method.
- Dierks & Rescorla Standards Track [Page 67]
- RFC 5246 TLS August 2008
Appendix A. Protocol Data Structures and Constant Values
- This section describes protocol types and constants.
A.1. Record Layer
- struct {
- uint8 major;
- uint8 minor;
- } ProtocolVersion;
- ProtocolVersion version = { 3, 3 }; /* TLS v1.2*/
- enum {
- change_cipher_spec(20), alert(21), handshake(22),
- application_data(23), (255)
- } ContentType;
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 length;
- opaque fragment[TLSPlaintext.length];
- } TLSPlaintext;
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 length;
- opaque fragment[TLSCompressed.length];
- } TLSCompressed;
- struct {
- ContentType type;
- ProtocolVersion version;
- uint16 length;
- select (SecurityParameters.cipher_type) {
- case stream: GenericStreamCipher;
- case block: GenericBlockCipher;
- case aead: GenericAEADCipher;
- } fragment;
- } TLSCiphertext;
- stream-ciphered struct {
- opaque content[TLSCompressed.length];
- opaque MAC[SecurityParameters.mac_length];
- } GenericStreamCipher;
- Dierks & Rescorla Standards Track [Page 68]
- RFC 5246 TLS August 2008
- struct {
- opaque IV[SecurityParameters.record_iv_length];
- block-ciphered struct {
- opaque content[TLSCompressed.length];
- opaque MAC[SecurityParameters.mac_length];
- uint8 padding[GenericBlockCipher.padding_length];
- uint8 padding_length;
- };
- } GenericBlockCipher;
- struct {
- opaque nonce_explicit[SecurityParameters.record_iv_length];
- aead-ciphered struct {
- opaque content[TLSCompressed.length];
- };
- } GenericAEADCipher;
A.2. Change Cipher Specs Message
- struct {
- enum { change_cipher_spec(1), (255) } type;
- } ChangeCipherSpec;
A.3. Alert Messages
- enum { warning(1), fatal(2), (255) } AlertLevel;
- enum {
- close_notify(0),
- unexpected_message(10),
- bad_record_mac(20),
- decryption_failed_RESERVED(21),
- record_overflow(22),
- decompression_failure(30),
- handshake_failure(40),
- no_certificate_RESERVED(41),
- bad_certificate(42),
- unsupported_certificate(43),
- certificate_revoked(44),
- certificate_expired(45),
- certificate_unknown(46),
- illegal_parameter(47),
- unknown_ca(48),
- access_denied(49),
- decode_error(50),
- decrypt_error(51),
- export_restriction_RESERVED(60),
- protocol_version(70),
- Dierks & Rescorla Standards Track [Page 69]
- RFC 5246 TLS August 2008
- insufficient_security(71),
- internal_error(80),
- user_canceled(90),
- no_renegotiation(100),
- unsupported_extension(110), /* new */
- (255)
- } AlertDescription;
- struct {
- AlertLevel level;
- AlertDescription description;
- } Alert;
A.4. Handshake Protocol
- enum {
- hello_request(0), client_hello(1), server_hello(2),
- certificate(11), server_key_exchange (12),
- certificate_request(13), server_hello_done(14),
- certificate_verify(15), client_key_exchange(16),
- finished(20)
- (255)
- } HandshakeType;
- struct {
- HandshakeType msg_type;
- uint24 length;
- select (HandshakeType) {
- case hello_request: HelloRequest;
- case client_hello: ClientHello;
- case server_hello: ServerHello;
- case certificate: Certificate;
- case server_key_exchange: ServerKeyExchange;
- case certificate_request: CertificateRequest;
- case server_hello_done: ServerHelloDone;
- case certificate_verify: CertificateVerify;
- case client_key_exchange: ClientKeyExchange;
- case finished: Finished;
- } body;
- } Handshake;
- Dierks & Rescorla Standards Track [Page 70]
- RFC 5246 TLS August 2008
A.4.1. Hello Messages
- struct { } HelloRequest;
- struct {
- uint32 gmt_unix_time;
- opaque random_bytes[28];
- } Random;
- opaque SessionID<0..32>;
- uint8 CipherSuite[2];
- enum { null(0), (255) } CompressionMethod;
- struct {
- ProtocolVersion client_version;
- Random random;
- SessionID session_id;
- CipherSuite cipher_suites<2..2^16-2>;
- CompressionMethod compression_methods<1..2^8-1>;
- select (extensions_present) {
- case false:
- struct {};
- case true:
- Extension extensions<0..2^16-1>;
- };
- } ClientHello;
- struct {
- ProtocolVersion server_version;
- Random random;
- SessionID session_id;
- CipherSuite cipher_suite;
- CompressionMethod compression_method;
- select (extensions_present) {
- case false:
- struct {};
- case true:
- Extension extensions<0..2^16-1>;
- };
- } ServerHello;
- struct {
- ExtensionType extension_type;
- opaque extension_data<0..2^16-1>;
- } Extension;
- Dierks & Rescorla Standards Track [Page 71]
- RFC 5246 TLS August 2008
- enum {
- signature_algorithms(13), (65535)
- } ExtensionType;
- enum{
- none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
- sha512(6), (255)
- } HashAlgorithm;
- enum {
- anonymous(0), rsa(1), dsa(2), ecdsa(3), (255)
- } SignatureAlgorithm;
- struct {
- HashAlgorithm hash;
- SignatureAlgorithm signature;
- } SignatureAndHashAlgorithm;
- SignatureAndHashAlgorithm
- supported_signature_algorithms<2..2^16-1>;
A.4.2. Server Authentication and Key Exchange Messages
- opaque ASN.1Cert<2^24-1>;
- struct {
- ASN.1Cert certificate_list<0..2^24-1>;
- } Certificate;
- enum { dhe_dss, dhe_rsa, dh_anon, rsa,dh_dss, dh_rsa
- /* may be extended, e.g., for ECDH -- see [TLSECC] */
- } KeyExchangeAlgorithm;
- struct {
- opaque dh_p<1..2^16-1>;
- opaque dh_g<1..2^16-1>;
- opaque dh_Ys<1..2^16-1>;
- } ServerDHParams; /* Ephemeral DH parameters */
- Dierks & Rescorla Standards Track [Page 72]
- RFC 5246 TLS August 2008
- struct {
- select (KeyExchangeAlgorithm) {
- case dh_anon:
- ServerDHParams params;
- case dhe_dss:
- case dhe_rsa:
- ServerDHParams params;
- digitally-signed struct {
- opaque client_random[32];
- opaque server_random[32];
- ServerDHParams params;
- } signed_params;
- case rsa:
- case dh_dss:
- case dh_rsa:
- struct {} ;
- /* message is omitted for rsa, dh_dss, and dh_rsa */
- /* may be extended, e.g., for ECDH -- see [TLSECC] */
- } ServerKeyExchange;
- enum {
- rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
- rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
- fortezza_dms_RESERVED(20),
- (255)
- } ClientCertificateType;
- opaque DistinguishedName<1..2^16-1>;
- struct {
- ClientCertificateType certificate_types<1..2^8-1>;
- DistinguishedName certificate_authorities<0..2^16-1>;
- } CertificateRequest;
- struct { } ServerHelloDone;
- Dierks & Rescorla Standards Track [Page 73]
- RFC 5246 TLS August 2008
A.4.3. Client Authentication and Key Exchange Messages
- struct {
- select (KeyExchangeAlgorithm) {
- case rsa:
- EncryptedPreMasterSecret;
- case dhe_dss:
- case dhe_rsa:
- case dh_dss:
- case dh_rsa:
- case dh_anon:
- ClientDiffieHellmanPublic;
- } exchange_keys;
- } ClientKeyExchange;
- struct {
- ProtocolVersion client_version;
- opaque random[46];
- } PreMasterSecret;
- struct {
- public-key-encrypted PreMasterSecret pre_master_secret;
- } EncryptedPreMasterSecret;
- enum { implicit, explicit } PublicValueEncoding;
- struct {
- select (PublicValueEncoding) {
- case implicit: struct {};
- case explicit: opaque DH_Yc<1..2^16-1>;
- } dh_public;
- } ClientDiffieHellmanPublic;
- struct {
- digitally-signed struct {
- opaque handshake_messages[handshake_messages_length];
- }
- } CertificateVerify;
A.4.4. Handshake Finalization Message
- struct {
- opaque verify_data[verify_data_length];
- } Finished;
- Dierks & Rescorla Standards Track [Page 74]
- RFC 5246 TLS August 2008
A.5. The Cipher Suite
- The following values define the cipher suite codes used in the
- ClientHello and ServerHello messages.
- A cipher suite defines a cipher specification supported in TLS
- Version 1.2.
- TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
- TLS connection during the first handshake on that channel, but MUST
- NOT be negotiated, as it provides no more protection than an
- unsecured connection.
- CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
- The following CipherSuite definitions require that the server provide
- an RSA certificate that can be used for key exchange. The server may
- request any signature-capable certificate in the certificate request
- message.
- CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
- CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
- CipherSuite TLS_RSA_WITH_NULL_SHA256 = { 0x00,0x3B };
- CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
- CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
- CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
- CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x2F };
- CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x35 };
- CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,0x3C };
- CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x3D };
- The following cipher suite definitions are used for server-
- authenticated (and optionally client-authenticated) Diffie-Hellman.
- DH denotes cipher suites in which the server's certificate contains
- the Diffie-Hellman parameters signed by the certificate authority
- (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman
- parameters are signed by a signature-capable certificate, which has
- been signed by the CA. The signing algorithm used by the server is
- specified after the DHE component of the CipherSuite name. The
- server can request any signature-capable certificate from the client
- for client authentication, or it may request a Diffie-Hellman
- certificate. Any Diffie-Hellman certificate provided by the client
- must use the parameters (group and generator) described by the
- server.
- Dierks & Rescorla Standards Track [Page 75]
- RFC 5246 TLS August 2008
- CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
- CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
- CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
- CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
- CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00,0x30 };
- CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x31 };
- CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00,0x32 };
- CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x33 };
- CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00,0x36 };
- CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x37 };
- CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00,0x38 };
- CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x39 };
- CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = { 0x00,0x3E };
- CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,0x3F };
- CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = { 0x00,0x40 };
- CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,0x67 };
- CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = { 0x00,0x68 };
- CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x69 };
- CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = { 0x00,0x6A };
- CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x6B };
- The following cipher suites are used for completely anonymous
- Diffie-Hellman communications in which neither party is
- authenticated. Note that this mode is vulnerable to man-in-the-
- middle attacks. Using this mode therefore is of limited use: These
- cipher suites MUST NOT be used by TLS 1.2 implementations unless the
- application layer has specifically requested to allow anonymous key
- exchange. (Anonymous key exchange may sometimes be acceptable, for
- example, to support opportunistic encryption when no set-up for
- authentication is in place, or when TLS is used as part of more
- complex security protocols that have other means to ensure
- authentication.)
- CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
- CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
- CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00,0x34 };
- CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00,0x3A };
- CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA256 = { 0x00,0x6C };
- CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA256 = { 0x00,0x6D };
- Note that using non-anonymous key exchange without actually verifying
- the key exchange is essentially equivalent to anonymous key exchange,
- and the same precautions apply. While non-anonymous key exchange
- will generally involve a higher computational and communicational
- cost than anonymous key exchange, it may be in the interest of
- interoperability not to disable non-anonymous key exchange when the
- application layer is allowing anonymous key exchange.
- Dierks & Rescorla Standards Track [Page 76]
- RFC 5246 TLS August 2008
- New cipher suite values have been assigned by IANA as described in
- Section 12.
- Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
- reserved to avoid collision with Fortezza-based cipher suites in
- SSL 3.
A.6. The Security Parameters
- These security parameters are determined by the TLS Handshake
- Protocol and provided as parameters to the TLS record layer in order
- to initialize a connection state. SecurityParameters includes:
- enum { null(0), (255) } CompressionMethod;
- enum { server, client } ConnectionEnd;
- enum { tls_prf_sha256 } PRFAlgorithm;
- enum { null, rc4, 3des, aes } BulkCipherAlgorithm;
- enum { stream, block, aead } CipherType;
- enum { null, hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384,
- hmac_sha512} MACAlgorithm;
- /* Other values may be added to the algorithms specified in
- CompressionMethod, PRFAlgorithm, BulkCipherAlgorithm, and
- MACAlgorithm. */
- struct {
- ConnectionEnd entity;
- PRFAlgorithm prf_algorithm;
- BulkCipherAlgorithm bulk_cipher_algorithm;
- CipherType cipher_type;
- uint8 enc_key_length;
- uint8 block_length;
- uint8 fixed_iv_length;
- uint8 record_iv_length;
- MACAlgorithm mac_algorithm;
- uint8 mac_length;
- uint8 mac_key_length;
- CompressionMethod compression_algorithm;
- opaque master_secret[48];
- opaque client_random[32];
- opaque server_random[32];
- } SecurityParameters;
- Dierks & Rescorla Standards Track [Page 77]
- RFC 5246 TLS August 2008
A.7. Changes to RFC 4492
- RFC 4492 [TLSECC] adds Elliptic Curve cipher suites to TLS. This
- document changes some of the structures used in that document. This
- section details the required changes for implementors of both RFC
- 4492 and TLS 1.2. Implementors of TLS 1.2 who are not implementing
- RFC 4492 do not need to read this section.
- This document adds a "signature_algorithm" field to the digitally-
- signed element in order to identify the signature and digest
- algorithms used to create a signature. This change applies to
- digital signatures formed using ECDSA as well, thus allowing ECDSA
- signatures to be used with digest algorithms other than SHA-1,
- provided such use is compatible with the certificate and any
- restrictions imposed by future revisions of [PKIX].
- As described in Sections 7.4.2 and 7.4.6, the restrictions on the
- signature algorithms used to sign certificates are no longer tied to
- the cipher suite (when used by the server) or the
- ClientCertificateType (when used by the client). Thus, the
- restrictions on the algorithm used to sign certificates specified in
- Sections 2 and 3 of RFC 4492 are also relaxed. As in this document,
- the restrictions on the keys in the end-entity certificate remain.
Appendix B. Glossary
- Advanced Encryption Standard (AES)
- AES [AES] is a widely used symmetric encryption algorithm. AES is
- a block cipher with a 128-, 192-, or 256-bit keys and a 16-byte
- block size. TLS currently only supports the 128- and 256-bit key
- sizes.
- application protocol
- An application protocol is a protocol that normally layers
- directly on top of the transport layer (e.g., TCP/IP). Examples
- include HTTP, TELNET, FTP, and SMTP.
- asymmetric cipher
- See public key cryptography.
- authenticated encryption with additional data (AEAD)
- A symmetric encryption algorithm that simultaneously provides
- confidentiality and message integrity.
- authentication
- Authentication is the ability of one entity to determine the
- identity of another entity.
- Dierks & Rescorla Standards Track [Page 78]
- RFC 5246 TLS August 2008
- block cipher
- A block cipher is an algorithm that operates on plaintext in
- groups of bits, called blocks. 64 bits was, and 128 bits is, a
- common block size.
- bulk cipher
- A symmetric encryption algorithm used to encrypt large quantities
- of data.
- cipher block chaining (CBC)
- CBC is a mode in which every plaintext block encrypted with a
- block cipher is first exclusive-ORed with the previous ciphertext
- block (or, in the case of the first block, with the initialization
- vector). For decryption, every block is first decrypted, then
- exclusive-ORed with the previous ciphertext block (or IV).
- certificate
- As part of the X.509 protocol (a.k.a. ISO Authentication
- framework), certificates are assigned by a trusted Certificate
- Authority and provide a strong binding between a party's identity
- or some other attributes and its public key.
- client
- The application entity that initiates a TLS connection to a
- server. This may or may not imply that the client initiated the
- underlying transport connection. The primary operational
- difference between the server and client is that the server is
- generally authenticated, while the client is only optionally
- authenticated.
- client write key
- The key used to encrypt data written by the client.
- client write MAC key
- The secret data used to authenticate data written by the client.
- connection
- A connection is a transport (in the OSI layering model definition)
- that provides a suitable type of service. For TLS, such
- connections are peer-to-peer relationships. The connections are
- transient. Every connection is associated with one session.
- Data Encryption Standard
- DES [DES] still is a very widely used symmetric encryption
- algorithm although it is considered as rather weak now. DES is a
- block cipher with a 56-bit key and an 8-byte block size. Note
- that in TLS, for key generation purposes, DES is treated as having
- an 8-byte key length (64 bits), but it still only provides 56 bits
- Dierks & Rescorla Standards Track [Page 79]
- RFC 5246 TLS August 2008
- of protection. (The low bit of each key byte is presumed to be
- set to produce odd parity in that key byte.) DES can also be
- operated in a mode [3DES] where three independent keys and three
- encryptions are used for each block of data; this uses 168 bits of
- key (24 bytes in the TLS key generation method) and provides the
- equivalent of 112 bits of security.
- Digital Signature Standard (DSS)
- A standard for digital signing, including the Digital Signing
- Algorithm, approved by the National Institute of Standards and
- Technology, defined in NIST FIPS PUB 186-2, "Digital Signature
- Standard", published January 2000 by the U.S. Department of
- Commerce [DSS]. A significant update [DSS-3] has been drafted and
- was published in March 2006.
- digital signatures
- Digital signatures utilize public key cryptography and one-way
- hash functions to produce a signature of the data that can be
- authenticated, and is difficult to forge or repudiate.
- handshake An initial negotiation between client and server that
- establishes the parameters of their transactions.
- Initialization Vector (IV)
- When a block cipher is used in CBC mode, the initialization vector
- is exclusive-ORed with the first plaintext block prior to
- encryption.
- Message Authentication Code (MAC)
- A Message Authentication Code is a one-way hash computed from a
- message and some secret data. It is difficult to forge without
- knowing the secret data. Its purpose is to detect if the message
- has been altered.
- master secret
- Secure secret data used for generating encryption keys, MAC
- secrets, and IVs.
- MD5
- MD5 [MD5] is a hashing function that converts an arbitrarily long
- data stream into a hash of fixed size (16 bytes). Due to
- significant progress in cryptanalysis, at the time of publication
- of this document, MD5 no longer can be considered a 'secure'
- hashing function.
- Dierks & Rescorla Standards Track [Page 80]
- RFC 5246 TLS August 2008
- public key cryptography
- A class of cryptographic techniques employing two-key ciphers.
- Messages encrypted with the public key can only be decrypted with
- the associated private key. Conversely, messages signed with the
- private key can be verified with the public key.
- one-way hash function
- A one-way transformation that converts an arbitrary amount of data
- into a fixed-length hash. It is computationally hard to reverse
- the transformation or to find collisions. MD5 and SHA are
- examples of one-way hash functions.
- RC4
- A stream cipher invented by Ron Rivest. A compatible cipher is
- described in [SCH].
- RSA
- A very widely used public key algorithm that can be used for
- either encryption or digital signing. [RSA]
- server
- The server is the application entity that responds to requests for
- connections from clients. See also "client".
- session
- A TLS session is an association between a client and a server.
- Sessions are created by the handshake protocol. Sessions define a
- set of cryptographic security parameters that can be shared among
- multiple connections. Sessions are used to avoid the expensive
- negotiation of new security parameters for each connection.
- session identifier
- A session identifier is a value generated by a server that
- identifies a particular session.
- server write key
- The key used to encrypt data written by the server.
- server write MAC key
- The secret data used to authenticate data written by the server.
- SHA
- The Secure Hash Algorithm [SHS] is defined in FIPS PUB 180-2. It
- produces a 20-byte output. Note that all references to SHA
- (without a numerical suffix) actually use the modified SHA-1
- algorithm.
- Dierks & Rescorla Standards Track [Page 81]
- RFC 5246 TLS August 2008
- SHA-256
- The 256-bit Secure Hash Algorithm is defined in FIPS PUB 180-2.
- It produces a 32-byte output.
- SSL
- Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
- SSL Version 3.0.
- stream cipher
- An encryption algorithm that converts a key into a
- cryptographically strong keystream, which is then exclusive-ORed
- with the plaintext.
- symmetric cipher
- See bulk cipher.
- Transport Layer Security (TLS)
- This protocol; also, the Transport Layer Security working group of
- the Internet Engineering Task Force (IETF). See "Working Group
- Information" at the end of this document (see page 99).
- Dierks & Rescorla Standards Track [Page 82]
- RFC 5246 TLS August 2008
Appendix C. Cipher Suite Definitions
- Cipher Suite Key Cipher Mac
- Exchange
- TLS_NULL_WITH_NULL_NULL NULL NULL NULL
- TLS_RSA_WITH_NULL_MD5 RSA NULL MD5
- TLS_RSA_WITH_NULL_SHA RSA NULL SHA
- TLS_RSA_WITH_NULL_SHA256 RSA NULL SHA256
- TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
- TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
- TLS_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA
- TLS_RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256 RSA AES_128_CBC SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256 RSA AES_256_CBC SHA256
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
- TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
- TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
- TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
- TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA
- TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA
- TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA
- TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA
- TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA
- TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA
- TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH_DSS AES_128_CBC SHA256
- TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH_RSA AES_128_CBC SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE_DSS AES_128_CBC SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE_RSA AES_128_CBC SHA256
- TLS_DH_anon_WITH_AES_128_CBC_SHA256 DH_anon AES_128_CBC SHA256
- TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH_DSS AES_256_CBC SHA256
- TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH_RSA AES_256_CBC SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE_DSS AES_256_CBC SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE_RSA AES_256_CBC SHA256
- TLS_DH_anon_WITH_AES_256_CBC_SHA256 DH_anon AES_256_CBC SHA256
- Dierks & Rescorla Standards Track [Page 83]
- RFC 5246 TLS August 2008
- Key IV Block
- Cipher Type Material Size Size
- ------------ ------ -------- ---- -----
- NULL Stream 0 0 N/A
- RC4_128 Stream 16 0 N/A
- 3DES_EDE_CBC Block 24 8 8
- AES_128_CBC Block 16 16 16
- AES_256_CBC Block 32 16 16
- MAC Algorithm mac_length mac_key_length
- -------- ----------- ---------- --------------
- NULL N/A 0 0
- MD5 HMAC-MD5 16 16
- SHA HMAC-SHA1 20 20
- SHA256 HMAC-SHA256 32 32
- Type
- Indicates whether this is a stream cipher or a block cipher
- running in CBC mode.
- Key Material
- The number of bytes from the key_block that are used for
- generating the write keys.
- IV Size
- The amount of data needed to be generated for the initialization
- vector. Zero for stream ciphers; equal to the block size for
- block ciphers (this is equal to
- SecurityParameters.record_iv_length).
- Block Size
- The amount of data a block cipher enciphers in one chunk; a block
- cipher running in CBC mode can only encrypt an even multiple of
- its block size.
- Dierks & Rescorla Standards Track [Page 84]
- RFC 5246 TLS August 2008
Appendix D. Implementation Notes
- The TLS protocol cannot prevent many common security mistakes. This
- section provides several recommendations to assist implementors.
D.1. Random Number Generation and Seeding
- TLS requires a cryptographically secure pseudorandom number generator
- (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
- based on secure hash operations, most notably SHA-1, are acceptable,
- but cannot provide more security than the size of the random number
- generator state.
- To estimate the amount of seed material being produced, add the
- number of bits of unpredictable information in each seed byte. For
- example, keystroke timing values taken from a PC compatible's 18.2 Hz
- timer provide 1 or 2 secure bits each, even though the total size of
- the counter value is 16 bits or more. Seeding a 128-bit PRNG would
- thus require approximately 100 such timer values.
- [RANDOM] provides guidance on the generation of random values.
D.2. Certificates and Authentication
- Implementations are responsible for verifying the integrity of
- certificates and should generally support certificate revocation
- messages. Certificates should always be verified to ensure proper
- signing by a trusted Certificate Authority (CA). The selection and
- addition of trusted CAs should be done very carefully. Users should
- be able to view information about the certificate and root CA.
D.3. Cipher Suites
- TLS supports a range of key sizes and security levels, including some
- that provide no or minimal security. A proper implementation will
- probably not support many cipher suites. For instance, anonymous
- Diffie-Hellman is strongly discouraged because it cannot prevent man-
- in-the-middle attacks. Applications should also enforce minimum and
- maximum key sizes. For example, certificate chains containing 512-
- bit RSA keys or signatures are not appropriate for high-security
- applications.
D.4. Implementation Pitfalls
- Implementation experience has shown that certain parts of earlier TLS
- specifications are not easy to understand, and have been a source of
- interoperability and security problems. Many of these areas have
- Dierks & Rescorla Standards Track [Page 85]
- RFC 5246 TLS August 2008
- been clarified in this document, but this appendix contains a short
- list of the most important things that require special attention from
- implementors.
- TLS protocol issues:
- - Do you correctly handle handshake messages that are fragmented to
- multiple TLS records (see Section 6.2.1)? Including corner cases
- like a ClientHello that is split to several small fragments? Do
- you fragment handshake messages that exceed the maximum fragment
- size? In particular, the certificate and certificate request
- handshake messages can be large enough to require fragmentation.
- - Do you ignore the TLS record layer version number in all TLS
- records before ServerHello (see Appendix E.1)?
- - Do you handle TLS extensions in ClientHello correctly, including
- omitting the extensions field completely?
- - Do you support renegotiation, both client and server initiated?
- While renegotiation is an optional feature, supporting it is
- highly recommended.
- - When the server has requested a client certificate, but no
- suitable certificate is available, do you correctly send an empty
- Certificate message, instead of omitting the whole message (see
- Section 7.4.6)?
- Cryptographic details:
- - In the RSA-encrypted Premaster Secret, do you correctly send and
- verify the version number? When an error is encountered, do you
- continue the handshake to avoid the Bleichenbacher attack (see
- Section 7.4.7.1)?
- - What countermeasures do you use to prevent timing attacks against
- RSA decryption and signing operations (see Section 7.4.7.1)?
- - When verifying RSA signatures, do you accept both NULL and missing
- parameters (see Section 4.7)? Do you verify that the RSA padding
- doesn't have additional data after the hash value? [FI06]
- - When using Diffie-Hellman key exchange, do you correctly strip
- leading zero bytes from the negotiated key (see Section 8.1.2)?
- - Does your TLS client check that the Diffie-Hellman parameters sent
- by the server are acceptable (see Section F.1.1.3)?
- Dierks & Rescorla Standards Track [Page 86]
- RFC 5246 TLS August 2008
- - How do you generate unpredictable IVs for CBC mode ciphers (see
- Section 6.2.3.2)?
- - Do you accept long CBC mode padding (up to 255 bytes; see Section
- 6.2.3.2)?
- - How do you address CBC mode timing attacks (Section 6.2.3.2)?
- - Do you use a strong and, most importantly, properly seeded random
- number generator (see Appendix D.1) for generating the premaster
- secret (for RSA key exchange), Diffie-Hellman private values, the
- DSA "k" parameter, and other security-critical values?
Appendix E. Backward Compatibility
E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0
- Since there are various versions of TLS (1.0, 1.1, 1.2, and any
- future versions) and SSL (2.0 and 3.0), means are needed to negotiate
- the specific protocol version to use. The TLS protocol provides a
- built-in mechanism for version negotiation so as not to bother other
- protocol components with the complexities of version selection.
- TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
- compatible ClientHello messages; thus, supporting all of them is
- relatively easy. Similarly, servers can easily handle clients trying
- to use future versions of TLS as long as the ClientHello format
- remains compatible, and the client supports the highest protocol
- version available in the server.
- A TLS 1.2 client who wishes to negotiate with such older servers will
- send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
- ClientHello.client_version. If the server does not support this
- version, it will respond with a ServerHello containing an older
- version number. If the client agrees to use this version, the
- negotiation will proceed as appropriate for the negotiated protocol.
- If the version chosen by the server is not supported by the client
- (or not acceptable), the client MUST send a "protocol_version" alert
- message and close the connection.
- If a TLS server receives a ClientHello containing a version number
- greater than the highest version supported by the server, it MUST
- reply according to the highest version supported by the server.
- A TLS server can also receive a ClientHello containing a version
- number smaller than the highest supported version. If the server
- wishes to negotiate with old clients, it will proceed as appropriate
- Dierks & Rescorla Standards Track [Page 87]
- RFC 5246 TLS August 2008
- for the highest version supported by the server that is not greater
- than ClientHello.client_version. For example, if the server supports
- TLS 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will
- proceed with a TLS 1.0 ServerHello. If server supports (or is
- willing to use) only versions greater than client_version, it MUST
- send a "protocol_version" alert message and close the connection.
- Whenever a client already knows the highest protocol version known to
- a server (for example, when resuming a session), it SHOULD initiate
- the connection in that native protocol.
- Note: some server implementations are known to implement version
- negotiation incorrectly. For example, there are buggy TLS 1.0
- servers that simply close the connection when the client offers a
- version newer than TLS 1.0. Also, it is known that some servers will
- refuse the connection if any TLS extensions are included in
- ClientHello. Interoperability with such buggy servers is a complex
- topic beyond the scope of this document, and may require multiple
- connection attempts by the client.
- Earlier versions of the TLS specification were not fully clear on
- what the record layer version number (TLSPlaintext.version) should
- contain when sending ClientHello (i.e., before it is known which
- version of the protocol will be employed). Thus, TLS servers
- compliant with this specification MUST accept any value {03,XX} as
- the record layer version number for ClientHello.
- TLS clients that wish to negotiate with older servers MAY send any
- value {03,XX} as the record layer version number. Typical values
- would be {03,00}, the lowest version number supported by the client,
- and the value of ClientHello.client_version. No single value will
- guarantee interoperability with all old servers, but this is a
- complex topic beyond the scope of this document.
E.2. Compatibility with SSL 2.0
- TLS 1.2 clients that wish to support SSL 2.0 servers MUST send
- version 2.0 CLIENT-HELLO messages defined in [SSL2]. The message
- MUST contain the same version number as would be used for ordinary
- ClientHello, and MUST encode the supported TLS cipher suites in the
- CIPHER-SPECS-DATA field as described below.
- Warning: The ability to send version 2.0 CLIENT-HELLO messages will
- be phased out with all due haste, since the newer ClientHello format
- provides better mechanisms for moving to newer versions and
- negotiating extensions. TLS 1.2 clients SHOULD NOT support SSL 2.0.
- Dierks & Rescorla Standards Track [Page 88]
- RFC 5246 TLS August 2008
- However, even TLS servers that do not support SSL 2.0 MAY accept
- version 2.0 CLIENT-HELLO messages. The message is presented below in
- sufficient detail for TLS server implementors; the true definition is
- still assumed to be [SSL2].
- For negotiation purposes, 2.0 CLIENT-HELLO is interpreted the same
- way as a ClientHello with a "null" compression method and no
- extensions. Note that this message MUST be sent directly on the
- wire, not wrapped as a TLS record. For the purposes of calculating
- Finished and CertificateVerify, the msg_length field is not
- considered to be a part of the handshake message.
- uint8 V2CipherSpec[3];
- struct {
- uint16 msg_length;
- uint8 msg_type;
- Version version;
- uint16 cipher_spec_length;
- uint16 session_id_length;
- uint16 challenge_length;
- V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
- opaque session_id[V2ClientHello.session_id_length];
- opaque challenge[V2ClientHello.challenge_length;
- } V2ClientHello;
- msg_length
- The highest bit MUST be 1; the remaining bits contain the length
- of the following data in bytes.
- msg_type
- This field, in conjunction with the version field, identifies a
- version 2 ClientHello message. The value MUST be 1.
- version
- Equal to ClientHello.client_version.
- cipher_spec_length
- This field is the total length of the field cipher_specs. It
- cannot be zero and MUST be a multiple of the V2CipherSpec length
- (3).
- session_id_length
- This field MUST have a value of zero for a client that claims to
- support TLS 1.2.
- Dierks & Rescorla Standards Track [Page 89]
- RFC 5246 TLS August 2008
- challenge_length
- The length in bytes of the client's challenge to the server to
- authenticate itself. Historically, permissible values are between
- 16 and 32 bytes inclusive. When using the SSLv2 backward-
- compatible handshake the client SHOULD use a 32-byte challenge.
- cipher_specs
- This is a list of all CipherSpecs the client is willing and able
- to use. In addition to the 2.0 cipher specs defined in [SSL2],
- this includes the TLS cipher suites normally sent in
- ClientHello.cipher_suites, with each cipher suite prefixed by a
- zero byte. For example, the TLS cipher suite {0x00,0x0A} would be
- sent as {0x00,0x00,0x0A}.
- session_id
- This field MUST be empty.
- challenge
- Corresponds to ClientHello.random. If the challenge length is
- less than 32, the TLS server will pad the data with leading (note:
- not trailing) zero bytes to make it 32 bytes long.
- Note: Requests to resume a TLS session MUST use a TLS client hello.
E.3. Avoiding Man-in-the-Middle Version Rollback
- When TLS clients fall back to Version 2.0 compatibility mode, they
- MUST use special PKCS#1 block formatting. This is done so that TLS
- servers will reject Version 2.0 sessions with TLS-capable clients.
- When a client negotiates SSL 2.0 but also supports TLS, it MUST set
- the right-hand (least-significant) 8 random bytes of the PKCS padding
- (not including the terminal null of the padding) for the RSA
- encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
- to 0x03 (the other padding bytes are random).
- When a TLS-capable server negotiates SSL 2.0 it SHOULD, after
- decrypting the ENCRYPTED-KEY-DATA field, check that these 8 padding
- bytes are 0x03. If they are not, the server SHOULD generate a random
- value for SECRET-KEY-DATA, and continue the handshake (which will
- eventually fail since the keys will not match). Note that reporting
- the error situation to the client could make the server vulnerable to
- attacks described in [BLEI].
- Dierks & Rescorla Standards Track [Page 90]
- RFC 5246 TLS August 2008
Appendix F. Security Analysis
- The TLS protocol is designed to establish a secure connection between
- a client and a server communicating over an insecure channel. This
- document makes several traditional assumptions, including that
- attackers have substantial computational resources and cannot obtain
- secret information from sources outside the protocol. Attackers are
- assumed to have the ability to capture, modify, delete, replay, and
- otherwise tamper with messages sent over the communication channel.
- This appendix outlines how TLS has been designed to resist a variety
- of attacks.
F.1. Handshake Protocol
- The handshake protocol is responsible for selecting a cipher spec and
- generating a master secret, which together comprise the primary
- cryptographic parameters associated with a secure session. The
- handshake protocol can also optionally authenticate parties who have
- certificates signed by a trusted certificate authority.
F.1.1. Authentication and Key Exchange
- TLS supports three authentication modes: authentication of both
- parties, server authentication with an unauthenticated client, and
- total anonymity. Whenever the server is authenticated, the channel
- is secure against man-in-the-middle attacks, but completely anonymous
- sessions are inherently vulnerable to such attacks. Anonymous
- servers cannot authenticate clients. If the server is authenticated,
- its certificate message must provide a valid certificate chain
- leading to an acceptable certificate authority. Similarly,
- authenticated clients must supply an acceptable certificate to the
- server. Each party is responsible for verifying that the other's
- certificate is valid and has not expired or been revoked.
- The general goal of the key exchange process is to create a
- pre_master_secret known to the communicating parties and not to
- attackers. The pre_master_secret will be used to generate the
- master_secret (see Section 8.1). The master_secret is required to
- generate the Finished messages, encryption keys, and MAC keys (see
- Sections 7.4.9 and 6.3). By sending a correct Finished message,
- parties thus prove that they know the correct pre_master_secret.
F.1.1.1. Anonymous Key Exchange
- Completely anonymous sessions can be established using Diffie-Hellman
- for key exchange. The server's public parameters are contained in
- the server key exchange message, and the client's are sent in the
- Dierks & Rescorla Standards Track [Page 91]
- RFC 5246 TLS August 2008
- client key exchange message. Eavesdroppers who do not know the
- private values should not be able to find the Diffie-Hellman result
- (i.e., the pre_master_secret).
- Warning: Completely anonymous connections only provide protection
- against passive eavesdropping. Unless an independent tamper-proof
- channel is used to verify that the Finished messages were not
- replaced by an attacker, server authentication is required in
- environments where active man-in-the-middle attacks are a concern.
F.1.1.2. RSA Key Exchange and Authentication
- With RSA, key exchange and server authentication are combined. The
- public key is contained in the server's certificate. Note that
- compromise of the server's static RSA key results in a loss of
- confidentiality for all sessions protected under that static key.
- TLS users desiring Perfect Forward Secrecy should use DHE cipher
- suites. The damage done by exposure of a private key can be limited
- by changing one's private key (and certificate) frequently.
- After verifying the server's certificate, the client encrypts a
- pre_master_secret with the server's public key. By successfully
- decoding the pre_master_secret and producing a correct Finished
- message, the server demonstrates that it knows the private key
- corresponding to the server certificate.
- When RSA is used for key exchange, clients are authenticated using
- the certificate verify message (see Section 7.4.8). The client signs
- a value derived from all preceding handshake messages. These
- handshake messages include the server certificate, which binds the
- signature to the server, and ServerHello.random, which binds the
- signature to the current handshake process.
F.1.1.3. Diffie-Hellman Key Exchange with Authentication
- When Diffie-Hellman key exchange is used, the server can either
- supply a certificate containing fixed Diffie-Hellman parameters or
- use the server key exchange message to send a set of temporary
- Diffie-Hellman parameters signed with a DSA or RSA certificate.
- Temporary parameters are hashed with the hello.random values before
- signing to ensure that attackers do not replay old parameters. In
- either case, the client can verify the certificate or signature to
- ensure that the parameters belong to the server.
- If the client has a certificate containing fixed Diffie-Hellman
- parameters, its certificate contains the information required to
- complete the key exchange. Note that in this case the client and
- server will generate the same Diffie-Hellman result (i.e.,
- Dierks & Rescorla Standards Track [Page 92]
- RFC 5246 TLS August 2008
- pre_master_secret) every time they communicate. To prevent the
- pre_master_secret from staying in memory any longer than necessary,
- it should be converted into the master_secret as soon as possible.
- Client Diffie-Hellman parameters must be compatible with those
- supplied by the server for the key exchange to work.
- If the client has a standard DSA or RSA certificate or is
- unauthenticated, it sends a set of temporary parameters to the server
- in the client key exchange message, then optionally uses a
- certificate verify message to authenticate itself.
- If the same DH keypair is to be used for multiple handshakes, either
- because the client or server has a certificate containing a fixed DH
- keypair or because the server is reusing DH keys, care must be taken
- to prevent small subgroup attacks. Implementations SHOULD follow the
- guidelines found in [SUBGROUP].
- Small subgroup attacks are most easily avoided by using one of the
- DHE cipher suites and generating a fresh DH private key (X) for each
- handshake. If a suitable base (such as 2) is chosen, g^X mod p can
- be computed very quickly; therefore, the performance cost is
- minimized. Additionally, using a fresh key for each handshake
- provides Perfect Forward Secrecy. Implementations SHOULD generate a
- new X for each handshake when using DHE cipher suites.
- Because TLS allows the server to provide arbitrary DH groups, the
- client should verify that the DH group is of suitable size as defined
- by local policy. The client SHOULD also verify that the DH public
- exponent appears to be of adequate size. [KEYSIZ] provides a useful
- guide to the strength of various group sizes. The server MAY choose
- to assist the client by providing a known group, such as those
- defined in [IKEALG] or [MODP]. These can be verified by simple
- comparison.
F.1.2. Version Rollback Attacks
- Because TLS includes substantial improvements over SSL Version 2.0,
- attackers may try to make TLS-capable clients and servers fall back
- to Version 2.0. This attack can occur if (and only if) two TLS-
- capable parties use an SSL 2.0 handshake.
- Although the solution using non-random PKCS #1 block type 2 message
- padding is inelegant, it provides a reasonably secure way for Version
- 3.0 servers to detect the attack. This solution is not secure
- against attackers who can brute-force the key and substitute a new
- ENCRYPTED-KEY-DATA message containing the same key (but with normal
- padding) before the application-specified wait threshold has expired.
- Altering the padding of the least-significant 8 bytes of the PKCS
- Dierks & Rescorla Standards Track [Page 93]
- RFC 5246 TLS August 2008
- padding does not impact security for the size of the signed hashes
- and RSA key lengths used in the protocol, since this is essentially
- equivalent to increasing the input block size by 8 bytes.
F.1.3. Detecting Attacks Against the Handshake Protocol
- An attacker might try to influence the handshake exchange to make the
- parties select different encryption algorithms than they would
- normally choose.
- For this attack, an attacker must actively change one or more
- handshake messages. If this occurs, the client and server will
- compute different values for the handshake message hashes. As a
- result, the parties will not accept each others' Finished messages.
- Without the master_secret, the attacker cannot repair the Finished
- messages, so the attack will be discovered.
F.1.4. Resuming Sessions
- When a connection is established by resuming a session, new
- ClientHello.random and ServerHello.random values are hashed with the
- session's master_secret. Provided that the master_secret has not
- been compromised and that the secure hash operations used to produce
- the encryption keys and MAC keys are secure, the connection should be
- secure and effectively independent from previous connections.
- Attackers cannot use known encryption keys or MAC secrets to
- compromise the master_secret without breaking the secure hash
- operations.
- Sessions cannot be resumed unless both the client and server agree.
- If either party suspects that the session may have been compromised,
- or that certificates may have expired or been revoked, it should
- force a full handshake. An upper limit of 24 hours is suggested for
- session ID lifetimes, since an attacker who obtains a master_secret
- may be able to impersonate the compromised party until the
- corresponding session ID is retired. Applications that may be run in
- relatively insecure environments should not write session IDs to
- stable storage.
F.2. Protecting Application Data
- The master_secret is hashed with the ClientHello.random and
- ServerHello.random to produce unique data encryption keys and MAC
- secrets for each connection.
- Outgoing data is protected with a MAC before transmission. To
- prevent message replay or modification attacks, the MAC is computed
- from the MAC key, the sequence number, the message length, the
- Dierks & Rescorla Standards Track [Page 94]
- RFC 5246 TLS August 2008
- message contents, and two fixed character strings. The message type
- field is necessary to ensure that messages intended for one TLS
- record layer client are not redirected to another. The sequence
- number ensures that attempts to delete or reorder messages will be
- detected. Since sequence numbers are 64 bits long, they should never
- overflow. Messages from one party cannot be inserted into the
- other's output, since they use independent MAC keys. Similarly, the
- server write and client write keys are independent, so stream cipher
- keys are used only once.
- If an attacker does break an encryption key, all messages encrypted
- with it can be read. Similarly, compromise of a MAC key can make
- message-modification attacks possible. Because MACs are also
- encrypted, message-alteration attacks generally require breaking the
- encryption algorithm as well as the MAC.
- Note: MAC keys may be larger than encryption keys, so messages can
- remain tamper resistant even if encryption keys are broken.
F.3. Explicit IVs
- [CBCATT] describes a chosen plaintext attack on TLS that depends on
- knowing the IV for a record. Previous versions of TLS [TLS1.0] used
- the CBC residue of the previous record as the IV and therefore
- enabled this attack. This version uses an explicit IV in order to
- protect against this attack.
F.4. Security of Composite Cipher Modes
- TLS secures transmitted application data via the use of symmetric
- encryption and authentication functions defined in the negotiated
- cipher suite. The objective is to protect both the integrity and
- confidentiality of the transmitted data from malicious actions by
- active attackers in the network. It turns out that the order in
- which encryption and authentication functions are applied to the data
- plays an important role for achieving this goal [ENCAUTH].
- The most robust method, called encrypt-then-authenticate, first
- applies encryption to the data and then applies a MAC to the
- ciphertext. This method ensures that the integrity and
- confidentiality goals are obtained with ANY pair of encryption and
- MAC functions, provided that the former is secure against chosen
- plaintext attacks and that the MAC is secure against chosen-message
- attacks. TLS uses another method, called authenticate-then-encrypt,
- in which first a MAC is computed on the plaintext and then the
- concatenation of plaintext and MAC is encrypted. This method has
- been proven secure for CERTAIN combinations of encryption functions
- and MAC functions, but it is not guaranteed to be secure in general.
- Dierks & Rescorla Standards Track [Page 95]
- RFC 5246 TLS August 2008
- In particular, it has been shown that there exist perfectly secure
- encryption functions (secure even in the information-theoretic sense)
- that combined with any secure MAC function, fail to provide the
- confidentiality goal against an active attack. Therefore, new cipher
- suites and operation modes adopted into TLS need to be analyzed under
- the authenticate-then-encrypt method to verify that they achieve the
- stated integrity and confidentiality goals.
- Currently, the security of the authenticate-then-encrypt method has
- been proven for some important cases. One is the case of stream
- ciphers in which a computationally unpredictable pad of the length of
- the message, plus the length of the MAC tag, is produced using a
- pseudorandom generator and this pad is exclusive-ORed with the
- concatenation of plaintext and MAC tag. The other is the case of CBC
- mode using a secure block cipher. In this case, security can be
- shown if one applies one CBC encryption pass to the concatenation of
- plaintext and MAC and uses a new, independent, and unpredictable IV
- for each new pair of plaintext and MAC. In versions of TLS prior to
- 1.1, CBC mode was used properly EXCEPT that it used a predictable IV
- in the form of the last block of the previous ciphertext. This made
- TLS open to chosen plaintext attacks. This version of the protocol
- is immune to those attacks. For exact details in the encryption
- modes proven secure, see [ENCAUTH].
F.5. Denial of Service
- TLS is susceptible to a number of denial-of-service (DoS) attacks.
- In particular, an attacker who initiates a large number of TCP
- connections can cause a server to consume large amounts of CPU for
- doing RSA decryption. However, because TLS is generally used over
- TCP, it is difficult for the attacker to hide his point of origin if
- proper TCP SYN randomization is used [SEQNUM] by the TCP stack.
- Because TLS runs over TCP, it is also susceptible to a number of DoS
- attacks on individual connections. In particular, attackers can
- forge RSTs, thereby terminating connections, or forge partial TLS
- records, thereby causing the connection to stall. These attacks
- cannot in general be defended against by a TCP-using protocol.
- Implementors or users who are concerned with this class of attack
- should use IPsec AH [AH] or ESP [ESP].
F.6. Final Notes
- For TLS to be able to provide a secure connection, both the client
- and server systems, keys, and applications must be secure. In
- addition, the implementation must be free of security errors.
- Dierks & Rescorla Standards Track [Page 96]
- RFC 5246 TLS August 2008
- The system is only as strong as the weakest key exchange and
- authentication algorithm supported, and only trustworthy
- cryptographic functions should be used. Short public keys and
- anonymous servers should be used with great caution. Implementations
- and users must be careful when deciding which certificates and
- certificate authorities are acceptable; a dishonest certificate
- authority can do tremendous damage.
Reference:
http://www.fenesky.com/blog/2014/07/19/how-https-works.html
http://www.fenesky.com/blog/2014/07/25/how-premaster-secret.html
http://www.fenesky.com/blog/2014/07/25/how-session-secret.html
https://www.openssl.org/
http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
https://tools.ietf.org/html/rfc5246
https://s.how/nginx-ssl/
http://www.ruanyifeng.com/blog/2011/02/seven_myths_about_https.html
https://tlswg.github.io/tls13-spec/
https那些事儿的更多相关文章
- HTTPS那些事儿(一)-HTTPS原理
HTTPS那些事儿(一) 近期看了<http权威指南>的几个章节.对HTTPS有了部分了解,同一时候在网上查阅了一些资料,遂打算记录一下心得,写的仓促,肯定有非常多错误的地方.欢迎大家指正 ...
- HTTPS那个东西(一)-HTTPS原理
HTTPS那个东西(一) 最近看了<http权威指南>几个章节,对HTTPS随着节,了一些资料,遂打算记录一下心得.写的仓促,肯定有非常多错误的地方,欢迎大家指正. 1.HTTP是什么 那 ...
- JSP和Servlet那些事儿系列--HTTPS
原文:http://qingkangxu.iteye.com/blog/1614053 <JSP和Servlet那些事儿 >系列文章旨在阐述Servlet(Struts和Spring的MV ...
- Javascript中关于cookie的那些事儿
Javascript-cookie 什么是cookie? 指某些网站为了辨别用户身份.进行session跟踪而储存在用户本地终端上的数据(通常经过加密).简单点来说就是:浏览器缓存. cookie由什 ...
- StartCom 申请 SSL 证书及 Nginx HTTPS 支持配置全攻略
来源:https://www.williamyao.com/index.php/archives/1397/ 前言 最近收到 StartCom 的邮件,数字证书即将过期,想到去年在 StartSSL ...
- 从 HTTP 到 HTTPS - IIS 部署免费 HTTPS
这篇文章首发于我的个人网站:听说 - https://tasaid.com/,建议在我的个人网站阅读,拥有更好的阅读体验. 这篇文章与 博客园 和 Segmentfault 共享. 前端开发QQ群:3 ...
- 结合个人经历总结的前端入门方法 (转自https://github.com/qiu-deqing/FE-learning)
结合个人经历总结的前端入门方法 (https://github.com/qiu-deqing/FE-learning),里面有很详细的介绍. 之前一直想学习前端的,都不知道怎么下手都一年了啥也没学到, ...
- MVC之前的那点事儿系列(7):WebActivator的实现原理详解
文章内容 上篇文章,我们分析如何动态注册HttpModule的实现,本篇我们来分析一下通过上篇代码原理实现的WebActivator类库,WebActivator提供了3种功能,允许我们分别在Http ...
- JSP的那些事儿(2)---- DWR2.0 的配置和使用
JSP的那些事儿(2)----DWR2.0 的配置和使用 分类: Web开发 JAVA 2009-04-23 15:43 999人阅读 评论(0) 收藏 举报 jspdwrjavascriptserv ...
随机推荐
- [安卓][转]internal(com.android.internal)和hidden(@hide)APIs简介及在应用程序中的调用方法
转自:http://www.cnblogs.com/xirihanlin/archive/2011/06/05/2073118.html [引言]:我在做android softap的时候看到andr ...
- Android文件Apk下载变ZIP压缩包
在azure云存储中 上传apk文件 使用ie下载 变成zip压缩包 解决方法 编辑 blob 属性和元数据 修改 内容类型 为 application/vnd.android.package-arc ...
- PHP ceil() 函数
定义和用法 ceil() 函数向上舍入为最接近的整数. 语法 ceil(x) 参数 描述 x 必需.一个数. 说明 返回不小于 x 的下一个整数,x 如果有小数部分则进一位.ceil() 返回的类型仍 ...
- poj3356 dp
//Accepted 4100 KB 0 ms //类似poj1080 //dp[i][j]表示s1用前i个,s2用前j个的最少匹配步数 //dp[i][j]=min(dp[i][j-1]+1,dp[ ...
- powershell命令大全
Name Category Synopsis ---- -------- -------- ac Alias Add-Content asnp Alias Add-PSSnapin clc Alias ...
- (转)IOS之Info.plist文件简介
原文:IOS之Info.plist文件简介 http://www.apkbus.com/android-130240-1-1.html (出处: Android开发论坛 - 安卓开发论坛 - Andr ...
- GSM Hacking:如何对GSM/GPRS网络测试进行测试
写在前面 这里需要介绍的是GSM / GPRS网络测试的一些方法,随着现在硬件设备连网现象的普遍存在,例如智能电表.自动变速箱控制单元(TCU).POS机.报警系统等.这些设备通常需要与网络连接,GS ...
- 极客DIY:打造属于自己的无线移动渗透测试箱
本文中介绍的工具.技术带有一定的攻击性,请合理合法使用. 你想不想拥有一款属于自己的移动无线渗透测试箱,如果你感兴趣,下面介绍的设备将会对你很有帮助.这个箱子被称为“MiTM(中间人攻击)WiFi箱” ...
- Interview----最长连续乘积字串
题目描述: 给一个浮点数序列,取最大乘积连续子串的值,例如 -2.5,4,0,3,0.5,8,-1,则取出的最大乘积连续子串为3,0.5,8. 也就是说,上述数组中,3 0.5 8这3个数的乘积3*0 ...
- cocos2dx 搭建 android 平台 -2
1.配置Cocos2d-x for Xcode. 这一块比较简单, 可以参见其他文章. 重点:install-templates-xcode.sh 2.配置普通Android开发环境 这一块包括JDK ...