| blob | b18c3de33b8e1e0b93febbaf69c7e5b5fc524ba1 |
7 INTERNET-DRAFT Tim Dierks
8 Obsoletes (if approved): RFC 3268, 4346, 4366 Independent
9 Updates (if approved): RFC 4492 Eric Rescorla
10 Intended status: Proposed Standard Network Resonance, Inc.
11 <draft-ietf-tls-rfc4346-bis-08.txt> January 2008 (Expires July 2008)
14 The Transport Layer Security (TLS) Protocol
15 Version 1.2
17 Status of this Memo
19 By submitting this Internet-Draft, each author represents that any
20 applicable patent or other IPR claims of which he or she is aware
21 have been or will be disclosed, and any of which he or she becomes
22 aware will be disclosed, in accordance with Section 6 of BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that
26 other groups may also distribute working documents as Internet-
27 Drafts.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 The list of current Internet-Drafts can be accessed at
35 http://www.ietf.org/ietf/1id-abstracts.txt.
37 The list of Internet-Draft Shadow Directories can be accessed at
38 http://www.ietf.org/shadow.html.
40 Copyright Notice
42 Copyright (C) The IETF Trust (2008).
44 Abstract
46 This document specifies Version 1.2 of the Transport Layer Security
47 (TLS) protocol. The TLS protocol provides communications security
48 over the Internet. The protocol allows client/server applications to
49 communicate in a way that is designed to prevent eavesdropping,
50 tampering, or message forgery.
58 Dierks & Rescorla Standards Track [Page 1]
59 \f
60 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
63 Table of Contents
65 1. Introduction 4
66 1.1. Requirements Terminology 5
67 1.2. Major Differences from TLS 1.1 5
68 2. Goals 6
69 3. Goals of This Document 6
70 4. Presentation Language 7
71 4.1. Basic Block Size 7
72 4.2. Miscellaneous 7
73 4.3. Vectors 8
74 4.4. Numbers 9
75 4.5. Enumerateds 9
76 4.6. Constructed Types 10
77 4.6.1. Variants 10
78 4.7. Cryptographic Attributes 11
79 4.8. Constants 13
80 5. HMAC and the Pseudorandom Function 13
81 6. The TLS Record Protocol 14
82 6.1. Connection States 15
83 6.2. Record layer 18
84 6.2.1. Fragmentation 18
85 6.2.2. Record Compression and Decompression 19
86 6.2.3. Record Payload Protection 20
87 6.2.3.1. Null or Standard Stream Cipher 21
88 6.2.3.2. CBC Block Cipher 21
89 6.2.3.3. AEAD ciphers 23
90 6.3. Key Calculation 24
91 7. The TLS Handshaking Protocols 25
92 7.1. Change Cipher Spec Protocol 26
93 7.2. Alert Protocol 27
94 7.2.1. Closure Alerts 28
95 7.2.2. Error Alerts 29
96 7.3. Handshake Protocol Overview 32
97 7.4. Handshake Protocol 35
98 7.4.1. Hello Messages 36
99 7.4.1.1. Hello Request 36
100 7.4.1.2. Client Hello 37
101 7.4.1.3. Server Hello 40
102 7.4.1.4 Hello Extensions 42
103 7.4.1.4.1 Signature Algorithms 43
104 7.4.2. Server Certificate 45
105 7.4.3. Server Key Exchange Message 47
106 7.4.4. Certificate Request 50
107 7.4.5 Server hello done 52
108 7.4.6. Client Certificate 52
109 7.4.7. Client Key Exchange Message 54
110 7.4.7.1. RSA Encrypted Premaster Secret Message 54
114 Dierks & Rescorla Standards Track [Page 2]
115 \f
116 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
119 7.4.7.2. Client Diffie-Hellman Public Value 57
120 7.4.8. Certificate verify 57
121 7.4.9. Finished 58
122 8. Cryptographic Computations 60
123 8.1. Computing the Master Secret 60
124 8.1.1. RSA 61
125 8.1.2. Diffie-Hellman 61
126 9. Mandatory Cipher Suites 61
127 10. Application Data Protocol 61
128 11. Security Considerations 61
129 12. IANA Considerations 61
130 A. Protocol Constant Values 64
131 A.1. Record Layer 64
132 A.2. Change Cipher Specs Message 65
133 A.3. Alert Messages 65
134 A.4. Handshake Protocol 66
135 A.4.1. Hello Messages 66
136 A.4.2. Server Authentication and Key Exchange Messages 68
137 A.4.3. Client Authentication and Key Exchange Messages 69
138 A.4.4. Handshake Finalization Message 70
139 A.5. The Cipher Suite 70
140 A.6. The Security Parameters 73
141 B. Glossary 75
142 C. Cipher Suite Definitions 79
143 D. Implementation Notes 81
144 D.1 Random Number Generation and Seeding 81
145 D.2 Certificates and Authentication 81
146 D.3 Cipher Suites 81
147 D.4 Implementation Pitfalls 81
148 E. Backward Compatibility 84
149 E.1 Compatibility with TLS 1.0/1.1 and SSL 3.0 84
150 E.2 Compatibility with SSL 2.0 85
151 E.3. Avoiding Man-in-the-Middle Version Rollback 87
152 F. Security Analysis 88
153 F.1. Handshake Protocol 88
154 F.1.1. Authentication and Key Exchange 88
155 F.1.1.1. Anonymous Key Exchange 88
156 F.1.1.2. RSA Key Exchange and Authentication 89
157 F.1.1.3. Diffie-Hellman Key Exchange with Authentication 89
158 F.1.2. Version Rollback Attacks 90
159 F.1.3. Detecting Attacks Against the Handshake Protocol 91
160 F.1.4. Resuming Sessions 91
161 F.2. Protecting Application Data 91
162 F.3. Explicit IVs 92
163 F.4. Security of Composite Cipher Modes 92
164 F.5 Denial of Service 93
165 F.6 Final Notes 93
170 Dierks & Rescorla Standards Track [Page 3]
171 \f
172 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
175 1. Introduction
177 The primary goal of the TLS Protocol is to provide privacy and data
178 integrity between two communicating applications. The protocol is
179 composed of two layers: the TLS Record Protocol and the TLS Handshake
180 Protocol. At the lowest level, layered on top of some reliable
181 transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The
182 TLS Record Protocol provides connection security that has two basic
183 properties:
185 - The connection is private. Symmetric cryptography is used for
186 data encryption (e.g., DES [DES], RC4 [SCH] etc.). The keys for
187 this symmetric encryption are generated uniquely for each
188 connection and are based on a secret negotiated by another
189 protocol (such as the TLS Handshake Protocol). The Record Protocol
190 can also be used without encryption.
192 - The connection is reliable. Message transport includes a message
193 integrity check using a keyed MAC. Secure hash functions (e.g.,
194 SHA, MD5, etc.) are used for MAC computations. The Record Protocol
195 can operate without a MAC, but is generally only used in this mode
196 while another protocol is using the Record Protocol as a transport
197 for negotiating security parameters.
199 The TLS Record Protocol is used for encapsulation of various higher-
200 level protocols. One such encapsulated protocol, the TLS Handshake
201 Protocol, allows the server and client to authenticate each other and
202 to negotiate an encryption algorithm and cryptographic keys before
203 the application protocol transmits or receives its first byte of
204 data. The TLS Handshake Protocol provides connection security that
205 has three basic properties:
207 - The peer's identity can be authenticated using asymmetric, or
208 public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This
209 authentication can be made optional, but is generally required for
210 at least one of the peers.
212 - The negotiation of a shared secret is secure: the negotiated
213 secret is unavailable to eavesdroppers, and for any authenticated
214 connection the secret cannot be obtained, even by an attacker who
215 can place himself in the middle of the connection.
217 - The negotiation is reliable: no attacker can modify the
218 negotiation communication without being detected by the parties to
219 the communication.
221 One advantage of TLS is that it is application protocol independent.
222 Higher-level protocols can layer on top of the TLS Protocol
226 Dierks & Rescorla Standards Track [Page 4]
227 \f
228 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
231 transparently. The TLS standard, however, does not specify how
232 protocols add security with TLS; the decisions on how to initiate TLS
233 handshaking and how to interpret the authentication certificates
234 exchanged are left to the judgment of the designers and implementors
235 of protocols that run on top of TLS.
237 1.1. Requirements Terminology
239 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
240 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
241 document are to be interpreted as described in RFC 2119 [REQ].
243 1.2. Major Differences from TLS 1.1
245 This document is a revision of the TLS 1.1 [TLS1.1] protocol which
246 contains improved flexibility, particularly for negotiation of
247 cryptographic algorithms. The major changes are:
249 - The MD5/SHA-1 combination in the PRF has been replaced with cipher
250 suite specified PRFs. All cipher suites in this document use
251 P_SHA256.
253 - The MD5/SHA-1 combination in the digitally-signed element has been
254 replaced with a single hash.
256 - Substantial cleanup to the clients and servers ability to specify
257 which hash and signature algorithms they will accept. Note that
258 this also relaxes some of the constraints on signature and hash
259 algorithms from previous versions of TLS.
261 - Addition of support for authenticated encryption with additional
262 data modes.
264 - TLS Extensions definition and AES Cipher Suites were merged in
265 from external [TLSEXT] and [TLSAES].
267 - Tighter checking of EncryptedPreMasterSecret version numbers.
269 - Tightened up a number of requirements.
271 - Verify_data length now depends on the cipher suite (default is
272 still 12).
274 - Cleaned up description of Bleichenbacher/Klima attack defenses.
276 - Alerts MUST now be sent in many cases.
277 - After a certificate_request, if no certificates are available,
278 clients now MUST send an empty certificate list.
282 Dierks & Rescorla Standards Track [Page 5]
283 \f
284 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
287 - TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement
288 cipher suite.
290 - Added HMAC-SHA256 cipher suites
292 - IDEA and DES are now deprecated.
294 - Support for the SSLv2 backward-compatible hello is now a MAY, not
295 a SHOULD. This will probably become a SHOULD NOT in the future.
297 - Added an Implementation Pitfalls sections
299 - The usual clarifications and editorial work.
300 2. Goals
302 The goals of TLS Protocol, in order of their priority, are as
303 follows:
305 1. Cryptographic security: TLS should be used to establish a secure
306 connection between two parties.
308 2. Interoperability: Independent programmers should be able to
309 develop applications utilizing TLS that can successfully exchange
310 cryptographic parameters without knowledge of one another's code.
312 3. Extensibility: TLS seeks to provide a framework into which new
313 public key and bulk encryption methods can be incorporated as
314 necessary. This will also accomplish two sub-goals: preventing the
315 need to create a new protocol (and risking the introduction of
316 possible new weaknesses) and avoiding the need to implement an
317 entire new security library.
319 4. Relative efficiency: Cryptographic operations tend to be highly
320 CPU intensive, particularly public key operations. For this
321 reason, the TLS protocol has incorporated an optional session
322 caching scheme to reduce the number of connections that need to be
323 established from scratch. Additionally, care has been taken to
324 reduce network activity.
327 3. Goals of This Document
329 This document and the TLS protocol itself are based on the SSL 3.0
330 Protocol Specification as published by Netscape. The differences
331 between this protocol and SSL 3.0 are not dramatic, but they are
332 significant enough that the various versions of TLS and SSL 3.0 do
333 not interoperate (although each protocol incorporates a mechanism by
334 which an implementation can back down to prior versions). This
338 Dierks & Rescorla Standards Track [Page 6]
339 \f
340 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
343 document is intended primarily for readers who will be implementing
344 the protocol and for those doing cryptographic analysis of it. The
345 specification has been written with this in mind, and it is intended
346 to reflect the needs of those two groups. For that reason, many of
347 the algorithm-dependent data structures and rules are included in the
348 body of the text (as opposed to in an appendix), providing easier
349 access to them.
351 This document is not intended to supply any details of service
352 definition or of interface definition, although it does cover select
353 areas of policy as they are required for the maintenance of solid
354 security.
357 4. Presentation Language
359 This document deals with the formatting of data in an external
360 representation. The following very basic and somewhat casually
361 defined presentation syntax will be used. The syntax draws from
362 several sources in its structure. Although it resembles the
363 programming language "C" in its syntax and XDR [XDR] in both its
364 syntax and intent, it would be risky to draw too many parallels. The
365 purpose of this presentation language is to document TLS only; it has
366 no general application beyond that particular goal.
368 4.1. Basic Block Size
370 The representation of all data items is explicitly specified. The
371 basic data block size is one byte (i.e., 8 bits). Multiple byte data
372 items are concatenations of bytes, from left to right, from top to
373 bottom. From the bytestream, a multi-byte item (a numeric in the
374 example) is formed (using C notation) by:
376 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
377 ... | byte[n-1];
379 This byte ordering for multi-byte values is the commonplace network
380 byte order or big endian format.
382 4.2. Miscellaneous
384 Comments begin with "/*" and end with "*/".
386 Optional components are denoted by enclosing them in "[[ ]]" double
387 brackets.
389 Single-byte entities containing uninterpreted data are of type
390 opaque.
394 Dierks & Rescorla Standards Track [Page 7]
395 \f
396 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
399 4.3. Vectors
401 A vector (single dimensioned array) is a stream of homogeneous data
402 elements. The size of the vector may be specified at documentation
403 time or left unspecified until runtime. In either case, the length
404 declares the number of bytes, not the number of elements, in the
405 vector. The syntax for specifying a new type, T', that is a fixed-
406 length vector of type T is
408 T T'[n];
410 Here, T' occupies n bytes in the data stream, where n is a multiple
411 of the size of T. The length of the vector is not included in the
412 encoded stream.
414 In the following example, Datum is defined to be three consecutive
415 bytes that the protocol does not interpret, while Data is three
416 consecutive Datum, consuming a total of nine bytes.
418 opaque Datum[3]; /* three uninterpreted bytes */
419 Datum Data[9]; /* 3 consecutive 3 byte vectors */
421 Variable-length vectors are defined by specifying a subrange of legal
422 lengths, inclusively, using the notation <floor..ceiling>. When
423 these are encoded, the actual length precedes the vector's contents
424 in the byte stream. The length will be in the form of a number
425 consuming as many bytes as required to hold the vector's specified
426 maximum (ceiling) length. A variable-length vector with an actual
427 length field of zero is referred to as an empty vector.
429 T T'<floor..ceiling>;
431 In the following example, mandatory is a vector that must contain
432 between 300 and 400 bytes of type opaque. It can never be empty. The
433 actual length field consumes two bytes, a uint16, sufficient to
434 represent the value 400 (see Section 4.4). On the other hand, longer
435 can represent up to 800 bytes of data, or 400 uint16 elements, and it
436 may be empty. Its encoding will include a two-byte actual length
437 field prepended to the vector. The length of an encoded vector must
438 be an even multiple of the length of a single element (for example, a
439 17-byte vector of uint16 would be illegal).
441 opaque mandatory<300..400>;
442 /* length field is 2 bytes, cannot be empty */
443 uint16 longer<0..800>;
444 /* zero to 400 16-bit unsigned integers */
450 Dierks & Rescorla Standards Track [Page 8]
451 \f
452 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
455 4.4. Numbers
457 The basic numeric data type is an unsigned byte (uint8). All larger
458 numeric data types are formed from fixed-length series of bytes
459 concatenated as described in Section 4.1 and are also unsigned. The
460 following numeric types are predefined.
462 uint8 uint16[2];
463 uint8 uint24[3];
464 uint8 uint32[4];
465 uint8 uint64[8];
467 All values, here and elsewhere in the specification, are stored in
468 "network" or "big-endian" order; the uint32 represented by the hex
469 bytes 01 02 03 04 is equivalent to the decimal value 16909060.
471 Note that in some cases (e.g., DH parameters) it is necessary to
472 represent integers as opaque vectors. In such cases, they are
473 represented as unsigned integers (i.e., leading zero octets are not
474 required even if the most significant bit is set).
476 4.5. Enumerateds
478 An additional sparse data type is available called enum. A field of
479 type enum can only assume the values declared in the definition.
480 Each definition is a different type. Only enumerateds of the same
481 type may be assigned or compared. Every element of an enumerated must
482 be assigned a value, as demonstrated in the following example. Since
483 the elements of the enumerated are not ordered, they can be assigned
484 any unique value, in any order.
486 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
488 Enumerateds occupy as much space in the byte stream as would its
489 maximal defined ordinal value. The following definition would cause
490 one byte to be used to carry fields of type Color.
492 enum { red(3), blue(5), white(7) } Color;
494 One may optionally specify a value without its associated tag to
495 force the width definition without defining a superfluous element.
496 In the following example, Taste will consume two bytes in the data
497 stream but can only assume the values 1, 2, or 4.
499 enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
501 The names of the elements of an enumeration are scoped within the
502 defined type. In the first example, a fully qualified reference to
506 Dierks & Rescorla Standards Track [Page 9]
507 \f
508 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
511 the second element of the enumeration would be Color.blue. Such
512 qualification is not required if the target of the assignment is well
513 specified.
515 Color color = Color.blue; /* overspecified, legal */
516 Color color = blue; /* correct, type implicit */
518 For enumerateds that are never converted to external representation,
519 the numerical information may be omitted.
521 enum { low, medium, high } Amount;
523 4.6. Constructed Types
525 Structure types may be constructed from primitive types for
526 convenience. Each specification declares a new, unique type. The
527 syntax for definition is much like that of C.
529 struct {
530 T1 f1;
531 T2 f2;
532 ...
533 Tn fn;
534 } [[T]];
536 The fields within a structure may be qualified using the type's name,
537 with a syntax much like that available for enumerateds. For example,
538 T.f2 refers to the second field of the previous declaration.
539 Structure definitions may be embedded.
541 4.6.1. Variants
543 Defined structures may have variants based on some knowledge that is
544 available within the environment. The selector must be an enumerated
545 type that defines the possible variants the structure defines. There
546 must be a case arm for every element of the enumeration declared in
547 the select. The body of the variant structure may be given a label
548 for reference. The mechanism by which the variant is selected at
549 runtime is not prescribed by the presentation language.
551 struct {
552 T1 f1;
553 T2 f2;
554 ....
555 Tn fn;
556 select (E) {
557 case e1: Te1;
558 case e2: Te2;
562 Dierks & Rescorla Standards Track [Page 10]
563 \f
564 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
567 ....
568 case en: Ten;
569 } [[fv]];
570 } [[Tv]];
572 For example:
574 enum { apple, orange } VariantTag;
575 struct {
576 uint16 number;
577 opaque string<0..10>; /* variable length */
578 } V1;
579 struct {
580 uint32 number;
581 opaque string[10]; /* fixed length */
582 } V2;
583 struct {
584 select (VariantTag) { /* value of selector is implicit */
585 case apple: V1; /* VariantBody, tag = apple */
586 case orange: V2; /* VariantBody, tag = orange */
587 } variant_body; /* optional label on variant */
588 } VariantRecord;
590 Variant structures may be qualified (narrowed) by specifying a value
591 for the selector prior to the type. For example, an
593 orange VariantRecord
595 is a narrowed type of a VariantRecord containing a variant_body of
596 type V2.
598 4.7. Cryptographic Attributes
600 The five cryptographic operations digital signing, stream cipher
601 encryption, block cipher encryption, authenticated encryption with
602 additional data (AEAD) encryption and public key encryption are
603 designated digitally-signed, stream-ciphered, block-ciphered, aead-
604 ciphered, and public-key-encrypted, respectively. A field's
605 cryptographic processing is specified by prepending an appropriate
606 key word designation before the field's type specification.
607 Cryptographic keys are implied by the current session state (see
608 Section 6.1).
610 In digital signing, one-way hash functions are used as input for a
611 signing algorithm. A digitally-signed element is encoded as an opaque
612 vector <0..2^16-1>, where the length is specified by the signing
613 algorithm and key.
618 Dierks & Rescorla Standards Track [Page 11]
619 \f
620 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
623 In RSA signing, the opaque vector contains the signature generated
624 using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1]. As
625 discussed in [PKCS1], the DigestInfo MUST be DER encoded and for hash
626 algorithms without parameters (which include SHA-1) the
627 DigestInfo.AlgorithmIdentifier.parameters field MUST be NULL but
628 implementations MUST accept both without parameters and with NULL
629 parameters. Note that earlier versions of TLS used a different RSA
630 signature scheme which did not include a DigestInfo encoding.
632 In DSS, the 20 bytes of the SHA-1 hash are run directly through the
633 Digital Signing Algorithm with no additional hashing. This produces
634 two values, r and s. The DSS signature is an opaque vector, as above,
635 the contents of which are the DER encoding of:
637 Dss-Sig-Value ::= SEQUENCE {
638 r INTEGER,
639 s INTEGER
640 }
642 Note: In current terminology, DSA refers to the Digital Signature
643 Algorithm and DSS refers to the NIST standard. For historical
644 reasons, this document uses DSS and DSA interchangeably
645 to refer to the DSA algorithm, as was done in SSLv3.
647 In stream cipher encryption, the plaintext is exclusive-ORed with an
648 identical amount of output generated from a cryptographically secure
649 keyed pseudorandom number generator.
651 In block cipher encryption, every block of plaintext encrypts to a
652 block of ciphertext. All block cipher encryption is done in CBC
653 (Cipher Block Chaining) mode, and all items that are block-ciphered
654 will be an exact multiple of the cipher block length.
656 In AEAD encryption, the plaintext is simultaneously encrypted and
657 integrity protected. The input may be of any length and aead-ciphered
658 output is generally larger than the input in order to accomodate the
659 integrity check value.
661 In public key encryption, a public key algorithm is used to encrypt
662 data in such a way that it can be decrypted only with the matching
663 private key. A public-key-encrypted element is encoded as an opaque
664 vector <0..2^16-1>, where the length is specified by the encryption
665 algorithm and key.
667 RSA encryption is done using the RSAES-PKCS1-v1_5 encryption scheme
668 defined in [PKCS1].
674 Dierks & Rescorla Standards Track [Page 12]
675 \f
676 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
679 In the following example
681 stream-ciphered struct {
682 uint8 field1;
683 uint8 field2;
684 digitally-signed opaque hash[20];
685 } UserType;
687 the contents of hash are used as input for the signing algorithm, and
688 then the entire structure is encrypted with a stream cipher. The
689 length of this structure, in bytes, would be equal to two bytes for
690 field1 and field2, plus two bytes for the length of the signature,
691 plus the length of the output of the signing algorithm. This is known
692 because the algorithm and key used for the signing are known prior to
693 encoding or decoding this structure.
695 4.8. Constants
697 Typed constants can be defined for purposes of specification by
698 declaring a symbol of the desired type and assigning values to it.
699 Under-specified types (opaque, variable length vectors, and
700 structures that contain opaque) cannot be assigned values. No fields
701 of a multi-element structure or vector may be elided.
703 For example:
705 struct {
706 uint8 f1;
707 uint8 f2;
708 } Example1;
710 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
713 5. HMAC and the Pseudorandom Function
715 The TLS record layer uses a keyed Message Authentication Code (MAC)
716 to protect message integrity. The cipher suites defined in this
717 document use a construction known as HMAC, described in [HMAC], which
718 is based on a hash function. Other cipher suites MAY define their own
719 MAC constructions, if needed.
721 In addition, a construction is required to do expansion of secrets
722 into blocks of data for the purposes of key generation or validation.
723 This pseudo-random function (PRF) takes as input a secret, a seed,
724 and an identifying label and produces an output of arbitrary length.
726 In this section, we define one PRF, based on HMAC. This PRF with the
730 Dierks & Rescorla Standards Track [Page 13]
731 \f
732 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
735 SHA-256 hash function is used for all cipher suites defined in this
736 document and in TLS documents published prior to this document when
737 TLS 1.2 is negotiated. New cipher suites MUST explicitly specify a
738 PRF and in general SHOULD use the TLS PRF with SHA-256 or a stronger
739 standard hash function.
741 First, we define a data expansion function, P_hash(secret, data) that
742 uses a single hash function to expand a secret and seed into an
743 arbitrary quantity of output:
745 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
746 HMAC_hash(secret, A(2) + seed) +
747 HMAC_hash(secret, A(3) + seed) + ...
749 Where + indicates concatenation.
751 A() is defined as:
753 A(0) = seed
754 A(i) = HMAC_hash(secret, A(i-1))
756 P_hash can be iterated as many times as is necessary to produce the
757 required quantity of data. For example, if P_SHA256 is being used to
758 create 80 bytes of data, it will have to be iterated three times
759 (through A(3)), creating 96 bytes of output data; the last 16 bytes
760 of the final iteration will then be discarded, leaving 80 bytes of
761 output data.
763 TLS's PRF is created by applying P_hash to the secret as:
765 PRF(secret, label, seed) = P_<hash>(secret, label + seed)
767 The label is an ASCII string. It should be included in the exact form
768 it is given without a length byte or trailing null character. For
769 example, the label "slithy toves" would be processed by hashing the
770 following bytes:
772 73 6C 69 74 68 79 20 74 6F 76 65 73
775 6. The TLS Record Protocol
777 The TLS Record Protocol is a layered protocol. At each layer,
778 messages may include fields for length, description, and content.
779 The Record Protocol takes messages to be transmitted, fragments the
780 data into manageable blocks, optionally compresses the data, applies
781 a MAC, encrypts, and transmits the result. Received data is
782 decrypted, verified, decompressed, reassembled, and then delivered to
786 Dierks & Rescorla Standards Track [Page 14]
787 \f
788 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
791 higher-level clients.
793 Four record protocol clients are described in this document: the
794 handshake protocol, the alert protocol, the change cipher spec
795 protocol, and the application data protocol. In order to allow
796 extension of the TLS protocol, additional record types can be
797 supported by the record protocol. New record type values are assigned
798 by IANA as described in Section 12.
800 Implementations MUST NOT send record types not defined in this
801 document unless negotiated by some extension. If a TLS
802 implementation receives an unexpected record type, it MUST send an
803 unexpected_message alert.
805 Any protocol designed for use over TLS MUST be carefully designed to
806 deal with all possible attacks against it. Note that because the
807 type and length of a record are not protected by encryption, care
808 SHOULD be taken to minimize the value of traffic analysis of these
809 values.
811 6.1. Connection States
813 A TLS connection state is the operating environment of the TLS Record
814 Protocol. It specifies a compression algorithm, an encryption
815 algorithm, and a MAC algorithm. In addition, the parameters for these
816 algorithms are known: the MAC key and the bulk encryption keys for
817 the connection in both the read and the write directions. Logically,
818 there are always four connection states outstanding: the current read
819 and write states, and the pending read and write states. All records
820 are processed under the current read and write states. The security
821 parameters for the pending states can be set by the TLS Handshake
822 Protocol, and the Change Cipher Spec can selectively make either of
823 the pending states current, in which case the appropriate current
824 state is disposed of and replaced with the pending state; the pending
825 state is then reinitialized to an empty state. It is illegal to make
826 a state that has not been initialized with security parameters a
827 current state. The initial current state always specifies that no
828 encryption, compression, or MAC will be used.
830 The security parameters for a TLS Connection read and write state are
831 set by providing the following values:
833 connection end
834 Whether this entity is considered the "client" or the "server" in
835 this connection.
842 Dierks & Rescorla Standards Track [Page 15]
843 \f
844 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
847 PRF algorithm
848 An algorithm used to generate keys from the master secret (see
849 Sections 5 and 6.3).
851 bulk encryption algorithm
852 An algorithm to be used for bulk encryption. This specification
853 includes the key size of this algorithm, whether it is a block,
854 stream, or AEAD cipher, the block size of the cipher (if
855 appropriate), and the lengths of explicit and implicit
856 initialization vectors (or nonces).
858 MAC algorithm
859 An algorithm to be used for message authentication. This
860 specification includes the size of the value returned by the MAC
861 algorithm.
863 compression algorithm
864 An algorithm to be used for data compression. This specification
865 must include all information the algorithm requires to do
866 compression.
868 master secret
869 A 48-byte secret shared between the two peers in the connection.
871 client random
872 A 32-byte value provided by the client.
874 server random
875 A 32-byte value provided by the server.
877 These parameters are defined in the presentation language as:
879 enum { server, client } ConnectionEnd;
881 enum { tls_prf_sha256 } PRFAlgorithm;
883 enum { null, rc4, 3des, aes }
884 BulkCipherAlgorithm;
886 enum { stream, block, aead } CipherType;
888 enum { null, hmac_md5, hmac_sha, hmac_sha256, hmac_sha384,
889 hmac_sha512} MACAlgorithm;
891 /* The use of "sha" above is historical and denotes SHA-1 */
893 enum { null(0), (255) } CompressionMethod;
898 Dierks & Rescorla Standards Track [Page 16]
899 \f
900 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
903 /* The algorithms specified in CompressionMethod,
904 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
906 struct {
907 ConnectionEnd entity;
908 PRFAlgorithm prf_algorithm;
909 BulkCipherAlgorithm bulk_cipher_algorithm;
910 CipherType cipher_type;
911 uint8 enc_key_length;
912 uint8 block_length;
913 uint8 fixed_iv_length;
914 uint8 record_iv_length;
915 MACAlgorithm mac_algorithm;
916 uint8 mac_length;
917 uint8 mac_key_length;
918 CompressionMethod compression_algorithm;
919 opaque master_secret[48];
920 opaque client_random[32];
921 opaque server_random[32];
922 } SecurityParameters;
924 The record layer will use the security parameters to generate the
925 following six items (some of which are not required by all ciphers,
926 and are thus empty):
928 client write MAC key
929 server write MAC key
930 client write encryption key
931 server write encryption key
932 client write IV
933 server write IV
935 The client write parameters are used by the server when receiving and
936 processing records and vice-versa. The algorithm used for generating
937 these items from the security parameters is described in Section 6.3.
939 Once the security parameters have been set and the keys have been
940 generated, the connection states can be instantiated by making them
941 the current states. These current states MUST be updated for each
942 record processed. Each connection state includes the following
943 elements:
945 compression state
946 The current state of the compression algorithm.
948 cipher state
949 The current state of the encryption algorithm. This will consist
950 of the scheduled key for that connection. For stream ciphers, this
954 Dierks & Rescorla Standards Track [Page 17]
955 \f
956 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
959 will also contain whatever state information is necessary to allow
960 the stream to continue to encrypt or decrypt data.
962 MAC key
963 The MAC key for this connection, as generated above.
965 sequence number
966 Each connection state contains a sequence number, which is
967 maintained separately for read and write states. The sequence
968 number MUST be set to zero whenever a connection state is made the
969 active state. Sequence numbers are of type uint64 and may not
970 exceed 2^64-1. Sequence numbers do not wrap. If a TLS
971 implementation would need to wrap a sequence number, it must
972 renegotiate instead. A sequence number is incremented after each
973 record: specifically, the first record transmitted under a
974 particular connection state MUST use sequence number 0.
976 6.2. Record layer
978 The TLS Record Layer receives uninterpreted data from higher layers
979 in non-empty blocks of arbitrary size.
981 6.2.1. Fragmentation
983 The record layer fragments information blocks into TLSPlaintext
984 records carrying data in chunks of 2^14 bytes or less. Client message
985 boundaries are not preserved in the record layer (i.e., multiple
986 client messages of the same ContentType MAY be coalesced into a
987 single TLSPlaintext record, or a single message MAY be fragmented
988 across several records).
990 struct {
991 uint8 major;
992 uint8 minor;
993 } ProtocolVersion;
995 enum {
996 change_cipher_spec(20), alert(21), handshake(22),
997 application_data(23), (255)
998 } ContentType;
1000 struct {
1001 ContentType type;
1002 ProtocolVersion version;
1003 uint16 length;
1004 opaque fragment[TLSPlaintext.length];
1005 } TLSPlaintext;
1010 Dierks & Rescorla Standards Track [Page 18]
1011 \f
1012 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1015 type
1016 The higher-level protocol used to process the enclosed fragment.
1018 version
1019 The version of the protocol being employed. This document
1020 describes TLS Version 1.2, which uses the version { 3, 3 }. The
1021 version value 3.3 is historical, deriving from the use of 3.1 for
1022 TLS 1.0. (See Appendix A.1). Note that a client that supports
1023 multiple versions of TLS may not know what version will be
1024 employed before it receives ServerHello. See Appendix E for
1025 discussion about what record layer version number should be
1026 employed for ClientHello.
1028 length
1029 The length (in bytes) of the following TLSPlaintext.fragment. The
1030 length MUST NOT exceed 2^14.
1032 fragment
1033 The application data. This data is transparent and treated as an
1034 independent block to be dealt with by the higher-level protocol
1035 specified by the type field.
1037 Implementations MUST NOT send zero-length fragments of Handshake,
1038 Alert, or Change Cipher Spec content types. Zero-length fragments of
1039 Application data MAY be sent as they are potentially useful as a
1040 traffic analysis countermeasure.
1042 Note: Data of different TLS Record layer content types MAY be
1043 interleaved. Application data is generally of lower precedence for
1044 transmission than other content types. However, records MUST be
1045 delivered to the network in the same order as they are protected by
1046 the record layer. Recipients MUST receive and process interleaved
1047 application layer traffic during handshakes subsequent to the first
1048 one on a connection.
1050 6.2.2. Record Compression and Decompression
1052 All records are compressed using the compression algorithm defined in
1053 the current session state. There is always an active compression
1054 algorithm; however, initially it is defined as
1055 CompressionMethod.null. The compression algorithm translates a
1056 TLSPlaintext structure into a TLSCompressed structure. Compression
1057 functions are initialized with default state information whenever a
1058 connection state is made active.
1066 Dierks & Rescorla Standards Track [Page 19]
1067 \f
1068 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1071 Compression must be lossless and may not increase the content length
1072 by more than 1024 bytes. If the decompression function encounters a
1073 TLSCompressed.fragment that would decompress to a length in excess of
1074 2^14 bytes, it MUST report a fatal decompression failure error.
1076 struct {
1077 ContentType type; /* same as TLSPlaintext.type */
1078 ProtocolVersion version;/* same as TLSPlaintext.version */
1079 uint16 length;
1080 opaque fragment[TLSCompressed.length];
1081 } TLSCompressed;
1083 length
1084 The length (in bytes) of the following TLSCompressed.fragment.
1085 The length MUST NOT exceed 2^14 + 1024.
1087 fragment
1088 The compressed form of TLSPlaintext.fragment.
1090 Note: A CompressionMethod.null operation is an identity operation; no
1091 fields are altered.
1093 Implementation note: Decompression functions are responsible for
1094 ensuring that messages cannot cause internal buffer overflows.
1096 6.2.3. Record Payload Protection
1098 The encryption and MAC functions translate a TLSCompressed structure
1099 into a TLSCiphertext. The decryption functions reverse the process.
1100 The MAC of the record also includes a sequence number so that
1101 missing, extra, or repeated messages are detectable.
1103 struct {
1104 ContentType type;
1105 ProtocolVersion version;
1106 uint16 length;
1107 select (SecurityParameters.cipher_type) {
1108 case stream: GenericStreamCipher;
1109 case block: GenericBlockCipher;
1110 case aead: GenericAEADCipher;
1111 } fragment;
1112 } TLSCiphertext;
1114 type
1115 The type field is identical to TLSCompressed.type.
1117 version
1118 The version field is identical to TLSCompressed.version.
1122 Dierks & Rescorla Standards Track [Page 20]
1123 \f
1124 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1127 length
1128 The length (in bytes) of the following TLSCiphertext.fragment.
1129 The length MUST NOT exceed 2^14 + 2048.
1131 fragment
1132 The encrypted form of TLSCompressed.fragment, with the MAC.
1134 6.2.3.1. Null or Standard Stream Cipher
1136 Stream ciphers (including BulkCipherAlgorithm.null, see Appendix A.6)
1137 convert TLSCompressed.fragment structures to and from stream
1138 TLSCiphertext.fragment structures.
1140 stream-ciphered struct {
1141 opaque content[TLSCompressed.length];
1142 opaque MAC[SecurityParameters.mac_length];
1143 } GenericStreamCipher;
1145 The MAC is generated as:
1147 MAC(MAC_write_key, seq_num +
1148 TLSCompressed.type +
1149 TLSCompressed.version +
1150 TLSCompressed.length +
1151 TLSCompressed.fragment);
1153 where "+" denotes concatenation.
1155 seq_num
1156 The sequence number for this record.
1158 MAC
1159 The MAC algorithm specified by SecurityParameters.mac_algorithm.
1161 Note that the MAC is computed before encryption. The stream cipher
1162 encrypts the entire block, including the MAC. For stream ciphers that
1163 do not use a synchronization vector (such as RC4), the stream cipher
1164 state from the end of one record is simply used on the subsequent
1165 packet. If the cipher suite is TLS_NULL_WITH_NULL_NULL, encryption
1166 consists of the identity operation (i.e., the data is not encrypted,
1167 and the MAC size is zero, implying that no MAC is used).
1168 TLSCiphertext.length is TLSCompressed.length plus
1169 SecurityParameters.mac_length.
1171 6.2.3.2. CBC Block Cipher
1178 Dierks & Rescorla Standards Track [Page 21]
1179 \f
1180 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1183 For block ciphers (such as 3DES, or AES), the encryption and MAC
1184 functions convert TLSCompressed.fragment structures to and from block
1185 TLSCiphertext.fragment structures.
1187 struct {
1188 opaque IV[SecurityParameters.record_iv_length];
1189 block-ciphered struct {
1190 opaque content[TLSCompressed.length];
1191 opaque MAC[SecurityParameters.mac_length];
1192 uint8 padding[GenericBlockCipher.padding_length];
1193 uint8 padding_length;
1194 };
1195 } GenericBlockCipher;
1197 The MAC is generated as described in Section 6.2.3.1.
1199 IV
1200 The Initialization Vector (IV) SHOULD be chosen at random, and
1201 MUST be unpredictable. Note that in versions of TLS prior to 1.1,
1202 there was no IV field, and the last ciphertext block of the
1203 previous record (the "CBC residue") was used as the IV. This was
1204 changed to prevent the attacks described in [CBCATT]. For block
1205 ciphers, the IV length is of length
1206 SecurityParameters.record_iv_length which is equal to the
1207 SecurityParameters.block_size.
1209 padding
1210 Padding that is added to force the length of the plaintext to be
1211 an integral multiple of the block cipher's block length. The
1212 padding MAY be any length up to 255 bytes, as long as it results
1213 in the TLSCiphertext.length being an integral multiple of the
1214 block length. Lengths longer than necessary might be desirable to
1215 frustrate attacks on a protocol that are based on analysis of the
1216 lengths of exchanged messages. Each uint8 in the padding data
1217 vector MUST be filled with the padding length value. The receiver
1218 MUST check this padding and MUST use the bad_record_mac alert to
1219 indicate padding errors.
1221 padding_length
1222 The padding length MUST be such that the total size of the
1223 GenericBlockCipher structure is a multiple of the cipher's block
1224 length. Legal values range from zero to 255, inclusive. This
1225 length specifies the length of the padding field exclusive of the
1226 padding_length field itself.
1228 The encrypted data length (TLSCiphertext.length) is one more than the
1229 sum of SecurityParameters.block_length, TLSCompressed.length,
1230 SecurityParameters.mac_length, and padding_length.
1234 Dierks & Rescorla Standards Track [Page 22]
1235 \f
1236 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1239 Example: If the block length is 8 bytes, the content length
1240 (TLSCompressed.length) is 61 bytes, and the MAC length is 20 bytes,
1241 then the length before padding is 82 bytes (this does not include the
1242 IV. Thus, the padding length modulo 8 must be equal to 6 in order to
1243 make the total length an even multiple of 8 bytes (the block length).
1244 The padding length can be 6, 14, 22, and so on, through 254. If the
1245 padding length were the minimum necessary, 6, the padding would be 6
1246 bytes, each containing the value 6. Thus, the last 8 octets of the
1247 GenericBlockCipher before block encryption would be xx 06 06 06 06 06
1248 06 06, where xx is the last octet of the MAC.
1250 Note: With block ciphers in CBC mode (Cipher Block Chaining), it is
1251 critical that the entire plaintext of the record be known before any
1252 ciphertext is transmitted. Otherwise, it is possible for the attacker
1253 to mount the attack described in [CBCATT].
1255 Implementation Note: Canvel et al. [CBCTIME] have demonstrated a
1256 timing attack on CBC padding based on the time required to compute
1257 the MAC. In order to defend against this attack, implementations MUST
1258 ensure that record processing time is essentially the same whether or
1259 not the padding is correct. In general, the best way to do this is
1260 to compute the MAC even if the padding is incorrect, and only then
1261 reject the packet. For instance, if the pad appears to be incorrect,
1262 the implementation might assume a zero-length pad and then compute
1263 the MAC. This leaves a small timing channel, since MAC performance
1264 depends to some extent on the size of the data fragment, but it is
1265 not believed to be large enough to be exploitable, due to the large
1266 block size of existing MACs and the small size of the timing signal.
1268 6.2.3.3. AEAD ciphers
1270 For AEAD [AEAD] ciphers (such as [CCM] or [GCM]) the AEAD function
1271 converts TLSCompressed.fragment structures to and from AEAD
1272 TLSCiphertext.fragment structures.
1274 struct {
1275 opaque nonce_explicit[SecurityParameters.record_iv_length];
1276 aead-ciphered struct {
1277 opaque content[TLSCompressed.length];
1278 };
1279 } GenericAEADCipher;
1281 AEAD ciphers take as input a single key, a nonce, a plaintext, and
1282 "additional data" to be included in the authentication check, as
1283 described in Section 2.1 of [AEAD]. The key is either the
1284 client_write_key or the server_write_key. No MAC key is used.
1286 Each AEAD cipher suite MUST specify how the nonce supplied to the
1290 Dierks & Rescorla Standards Track [Page 23]
1291 \f
1292 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1295 AEAD operation is constructed, and what is the length of the
1296 GenericAEADCipher.nonce_explicit part. In many cases, it is
1297 appropriate to use the partially implicit nonce technique described
1298 in Section 3.2.1 of [AEAD]; with record_iv_length being the length of
1299 the explicit part. In this case, the implicit part SHOULD be derived
1300 from key_block as client_write_iv and server_write_iv (as described
1301 in Section 6.3), and the explicit part is included in
1302 GenericAEAEDCipher.nonce_explicit.
1304 The plaintext is the TLSCompressed.fragment.
1306 The additional authenticated data, which we denote as
1307 additional_data, is defined as follows:
1309 additional_data = seq_num + TLSCompressed.type +
1310 TLSCompressed.version + TLSCompressed.length;
1312 Where "+" denotes concatenation.
1314 The aead_output consists of the ciphertext output by the AEAD
1315 encryption operation. The length will generally be larger than
1316 TLSCompressed.length, but by an amount that varies with the AEAD
1317 cipher. Since the ciphers might incorporate padding, the amount of
1318 overhead could vary with different TLSCompressed.length values. Each
1319 AEAD cipher MUST NOT produce an expansion of greater than 1024 bytes.
1320 Symbolically,
1322 AEADEncrypted = AEAD-Encrypt(key, nonce, plaintext,
1323 additional_data)
1325 In order to decrypt and verify, the cipher takes as input the key,
1326 nonce, the "additional_data", and the AEADEncrypted value. The output
1327 is either the plaintext or an error indicating that the decryption
1328 failed. There is no separate integrity check. I.e.,
1330 TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce,
1331 AEADEncrypted,
1332 additional_data)
1335 If the decryption fails, a fatal bad_record_mac alert MUST be
1336 generated.
1338 6.3. Key Calculation
1340 The Record Protocol requires an algorithm to generates keys required
1341 by the current connection state (see Appendix A.6) from the security
1342 parameters provided by the handshake protocol.
1346 Dierks & Rescorla Standards Track [Page 24]
1347 \f
1348 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1351 The master secret is expanded into a sequence of secure bytes, which
1352 is then split to a client write MAC key, a server write MAC key, a
1353 client write encryption key, and a server write encryption key. Each
1354 of these is generated from the byte sequence in that order. Unused
1355 values are empty. Some AEAD ciphers may additionally require a
1356 client write IV and a server write IV (see Section 6.2.3.3).
1358 When keys and MAC keys are generated, the master secret is used as an
1359 entropy source.
1361 To generate the key material, compute
1363 key_block = PRF(SecurityParameters.master_secret,
1364 "key expansion",
1365 SecurityParameters.server_random +
1366 SecurityParameters.client_random);
1368 until enough output has been generated. Then the key_block is
1369 partitioned as follows:
1371 client_write_MAC_key[SecurityParameters.mac_key_length]
1372 server_write_MAC_key[SecurityParameters.mac_key_length]
1373 client_write_key[SecurityParameters.enc_key_length]
1374 server_write_key[SecurityParameters.enc_key_length]
1375 client_write_IV[SecurityParameters.fixed_iv_length]
1376 server_write_IV[SecurityParameters.fixed_iv_length]
1378 The client_write_IV and server_write_IV are only generated for
1379 implicit nonce techniques as described in Section 3.2.1 of [AEAD].
1381 Implementation note: The currently defined cipher suite which
1382 requires the most material is AES_256_CBC_SHA. It requires 2 x 32
1383 byte keys and 2 x 20 byte MAC keys, for a total 104 bytes of key
1384 material.
1386 7. The TLS Handshaking Protocols
1388 TLS has three subprotocols that are used to allow peers to agree upon
1389 security parameters for the record layer, to authenticate themselves,
1390 to instantiate negotiated security parameters, and to report error
1391 conditions to each other.
1393 The Handshake Protocol is responsible for negotiating a session,
1394 which consists of the following items:
1396 session identifier
1397 An arbitrary byte sequence chosen by the server to identify an
1398 active or resumable session state.
1402 Dierks & Rescorla Standards Track [Page 25]
1403 \f
1404 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1407 peer certificate
1408 X509v3 [PKIX] certificate of the peer. This element of the state
1409 may be null.
1411 compression method
1412 The algorithm used to compress data prior to encryption.
1414 cipher spec
1415 Specifies the bulk data encryption algorithm (such as null, DES,
1416 etc.) and a MAC algorithm (such as MD5 or SHA). It also defines
1417 cryptographic attributes such as the mac_length. (See Appendix A.6
1418 for formal definition.)
1420 master secret
1421 48-byte secret shared between the client and server.
1423 is resumable
1424 A flag indicating whether the session can be used to initiate new
1425 connections.
1427 These items are then used to create security parameters for use by
1428 the Record Layer when protecting application data. Many connections
1429 can be instantiated using the same session through the resumption
1430 feature of the TLS Handshake Protocol.
1432 7.1. Change Cipher Spec Protocol
1434 The change cipher spec protocol exists to signal transitions in
1435 ciphering strategies. The protocol consists of a single message,
1436 which is encrypted and compressed under the current (not the pending)
1437 connection state. The message consists of a single byte of value 1.
1439 struct {
1440 enum { change_cipher_spec(1), (255) } type;
1441 } ChangeCipherSpec;
1443 The change cipher spec message is sent by both the client and the
1444 server to notify the receiving party that subsequent records will be
1445 protected under the newly negotiated CipherSpec and keys. Reception
1446 of this message causes the receiver to instruct the Record Layer to
1447 immediately copy the read pending state into the read current state.
1448 Immediately after sending this message, the sender MUST instruct the
1449 record layer to make the write pending state the write active state.
1450 (See Section 6.1.) The change cipher spec message is sent during the
1451 handshake after the security parameters have been agreed upon, but
1452 before the verifying finished message is sent.
1458 Dierks & Rescorla Standards Track [Page 26]
1459 \f
1460 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1463 Note: If a rehandshake occurs while data is flowing on a connection,
1464 the communicating parties may continue to send data using the old
1465 CipherSpec. However, once the ChangeCipherSpec has been sent, the new
1466 CipherSpec MUST be used. The first side to send the ChangeCipherSpec
1467 does not know that the other side has finished computing the new
1468 keying material (e.g., if it has to perform a time consuming public
1469 key operation). Thus, a small window of time, during which the
1470 recipient must buffer the data, MAY exist. In practice, with modern
1471 machines this interval is likely to be fairly short.
1473 7.2. Alert Protocol
1475 One of the content types supported by the TLS Record layer is the
1476 alert type. Alert messages convey the severity of the message and a
1477 description of the alert. Alert messages with a level of fatal result
1478 in the immediate termination of the connection. In this case, other
1479 connections corresponding to the session may continue, but the
1480 session identifier MUST be invalidated, preventing the failed session
1481 from being used to establish new connections. Like other messages,
1482 alert messages are encrypted and compressed, as specified by the
1483 current connection state.
1485 enum { warning(1), fatal(2), (255) } AlertLevel;
1487 enum {
1488 close_notify(0),
1489 unexpected_message(10),
1490 bad_record_mac(20),
1491 decryption_failed_RESERVED(21),
1492 record_overflow(22),
1493 decompression_failure(30),
1494 handshake_failure(40),
1495 no_certificate_RESERVED(41),
1496 bad_certificate(42),
1497 unsupported_certificate(43),
1498 certificate_revoked(44),
1499 certificate_expired(45),
1500 certificate_unknown(46),
1501 illegal_parameter(47),
1502 unknown_ca(48),
1503 access_denied(49),
1504 decode_error(50),
1505 decrypt_error(51),
1506 export_restriction_RESERVED(60),
1507 protocol_version(70),
1508 insufficient_security(71),
1509 internal_error(80),
1510 user_canceled(90),
1514 Dierks & Rescorla Standards Track [Page 27]
1515 \f
1516 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1519 no_renegotiation(100),
1520 unsupported_extension(110),
1521 (255)
1522 } AlertDescription;
1524 struct {
1525 AlertLevel level;
1526 AlertDescription description;
1527 } Alert;
1529 7.2.1. Closure Alerts
1531 The client and the server must share knowledge that the connection is
1532 ending in order to avoid a truncation attack. Either party may
1533 initiate the exchange of closing messages.
1535 close_notify
1536 This message notifies the recipient that the sender will not send
1537 any more messages on this connection. Note that as of TLS 1.1,
1538 failure to properly close a connection no longer requires that a
1539 session not be resumed. This is a change from TLS 1.0 to conform
1540 with widespread implementation practice.
1542 Either party may initiate a close by sending a close_notify alert.
1543 Any data received after a closure alert is ignored.
1545 Unless some other fatal alert has been transmitted, each party is
1546 required to send a close_notify alert before closing the write side
1547 of the connection. The other party MUST respond with a close_notify
1548 alert of its own and close down the connection immediately,
1549 discarding any pending writes. It is not required for the initiator
1550 of the close to wait for the responding close_notify alert before
1551 closing the read side of the connection.
1553 If the application protocol using TLS provides that any data may be
1554 carried over the underlying transport after the TLS connection is
1555 closed, the TLS implementation must receive the responding
1556 close_notify alert before indicating to the application layer that
1557 the TLS connection has ended. If the application protocol will not
1558 transfer any additional data, but will only close the underlying
1559 transport connection, then the implementation MAY choose to close the
1560 transport without waiting for the responding close_notify. No part of
1561 this standard should be taken to dictate the manner in which a usage
1562 profile for TLS manages its data transport, including when
1563 connections are opened or closed.
1565 Note: It is assumed that closing a connection reliably delivers
1566 pending data before destroying the transport.
1570 Dierks & Rescorla Standards Track [Page 28]
1571 \f
1572 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1575 7.2.2. Error Alerts
1577 Error handling in the TLS Handshake protocol is very simple. When an
1578 error is detected, the detecting party sends a message to the other
1579 party. Upon transmission or receipt of a fatal alert message, both
1580 parties immediately close the connection. Servers and clients MUST
1581 forget any session-identifiers, keys, and secrets associated with a
1582 failed connection. Thus, any connection terminated with a fatal alert
1583 MUST NOT be resumed.
1585 Whenever an implementation encounters a condition which is defined as
1586 a fatal alert, it MUST send the appropriate alert prior to closing
1587 the connection. For all errors where an alert level is not explicitly
1588 specified, the sending party MAY determine at its discretion whether
1589 to treat this as a fatal error or not. If the implementation chooses
1590 to send an alert but intends to close the connection immediately
1591 afterwards, it MUST send that alert at the fatal alert level.
1593 If an alert with a level of warning is sent and received, generally
1594 the connection can continue normally. If the receiving party decides
1595 not to proceed with the connection (e.g., after having received a
1596 no_renegotiation alert that it is not willing to accept), it SHOULD
1597 send a fatal alert to terminate the connection. Given this, the
1598 sending party cannot, in general, know how the receiving party will
1599 behave. Therefore, warning alerts are not very useful when the
1600 sending party wants to continue the connection, and thus are
1601 sometimes omitted. For example, if a peer decides to accept an
1602 expired certificate (perhaps after confirming this with the user) and
1603 wants to continue the connection, it would not generally send a
1604 certificate_expired alert.
1606 The following error alerts are defined:
1608 unexpected_message
1609 An inappropriate message was received. This alert is always fatal
1610 and should never be observed in communication between proper
1611 implementations.
1613 bad_record_mac
1614 This alert is returned if a record is received with an incorrect
1615 MAC. This alert also MUST be returned if an alert is sent because
1616 a TLSCiphertext decrypted in an invalid way: either it wasn't an
1617 even multiple of the block length, or its padding values, when
1618 checked, weren't correct. This message is always fatal and should
1619 never be observed in communication between proper implementations
1620 (except when messages were corrupted in the network).
1626 Dierks & Rescorla Standards Track [Page 29]
1627 \f
1628 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1631 decryption_failed_RESERVED
1632 This alert was used in some earlier versions of TLS, and may have
1633 permitted certain attacks against the CBC mode [CBCATT]. It MUST
1634 NOT be sent by compliant implementations.
1636 record_overflow
1637 A TLSCiphertext record was received that had a length more than
1638 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
1639 with more than 2^14+1024 bytes. This message is always fatal and
1640 should never be observed in communication between proper
1641 implementations (except when messages were corrupted in the
1642 network).
1644 decompression_failure
1645 The decompression function received improper input (e.g., data
1646 that would expand to excessive length). This message is always
1647 fatal and should never be observed in communication between proper
1648 implementations.
1650 handshake_failure
1651 Reception of a handshake_failure alert message indicates that the
1652 sender was unable to negotiate an acceptable set of security
1653 parameters given the options available. This is a fatal error.
1655 no_certificate_RESERVED
1656 This alert was used in SSLv3 but not any version of TLS. It MUST
1657 NOT be sent by compliant implementations.
1659 bad_certificate
1660 A certificate was corrupt, contained signatures that did not
1661 verify correctly, etc.
1663 unsupported_certificate
1664 A certificate was of an unsupported type.
1666 certificate_revoked
1667 A certificate was revoked by its signer.
1669 certificate_expired
1670 A certificate has expired or is not currently valid.
1672 certificate_unknown
1673 Some other (unspecified) issue arose in processing the
1674 certificate, rendering it unacceptable.
1676 illegal_parameter
1677 A field in the handshake was out of range or inconsistent with
1678 other fields. This message is always fatal.
1682 Dierks & Rescorla Standards Track [Page 30]
1683 \f
1684 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1687 unknown_ca
1688 A valid certificate chain or partial chain was received, but the
1689 certificate was not accepted because the CA certificate could not
1690 be located or couldn't be matched with a known, trusted CA. This
1691 message is always fatal.
1693 access_denied
1694 A valid certificate was received, but when access control was
1695 applied, the sender decided not to proceed with negotiation. This
1696 message is always fatal.
1698 decode_error
1699 A message could not be decoded because some field was out of the
1700 specified range or the length of the message was incorrect. This
1701 message is always fatal and should never be observed in
1702 communication between proper implementations (except when messages
1703 were corrupted in the network).
1706 decrypt_error
1707 A handshake cryptographic operation failed, including being unable
1708 to correctly verify a signature or validate a finished message.
1709 This message is always fatal.
1711 export_restriction_RESERVED
1712 This alert was used in some earlier versions of TLS. It MUST NOT
1713 be sent by compliant implementations.
1715 protocol_version
1716 The protocol version the client has attempted to negotiate is
1717 recognized but not supported. (For example, old protocol versions
1718 might be avoided for security reasons). This message is always
1719 fatal.
1721 insufficient_security
1722 Returned instead of handshake_failure when a negotiation has
1723 failed specifically because the server requires ciphers more
1724 secure than those supported by the client. This message is always
1725 fatal.
1727 internal_error
1728 An internal error unrelated to the peer or the correctness of the
1729 protocol (such as a memory allocation failure) makes it impossible
1730 to continue. This message is always fatal.
1732 user_canceled
1733 This handshake is being canceled for some reason unrelated to a
1734 protocol failure. If the user cancels an operation after the
1738 Dierks & Rescorla Standards Track [Page 31]
1739 \f
1740 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1743 handshake is complete, just closing the connection by sending a
1744 close_notify is more appropriate. This alert should be followed by
1745 a close_notify. This message is generally a warning.
1747 no_renegotiation
1748 Sent by the client in response to a hello request or by the server
1749 in response to a client hello after initial handshaking. Either
1750 of these would normally lead to renegotiation; when that is not
1751 appropriate, the recipient should respond with this alert. At
1752 that point, the original requester can decide whether to proceed
1753 with the connection. One case where this would be appropriate is
1754 where a server has spawned a process to satisfy a request; the
1755 process might receive security parameters (key length,
1756 authentication, etc.) at startup and it might be difficult to
1757 communicate changes to these parameters after that point. This
1758 message is always a warning.
1760 unsupported_extension
1761 sent by clients that receive an extended server hello containing
1762 an extension that they did not put in the corresponding client
1763 hello. This message is always fatal.
1765 For all errors where an alert level is not explicitly specified, the
1766 sending party MAY determine at its discretion whether this is a fatal
1767 error or not; if an alert with a level of warning is received, the
1768 receiving party MAY decide at its discretion whether to treat this as
1769 a fatal error or not. However, all messages that are transmitted
1770 with a level of fatal MUST be treated as fatal messages.
1772 New Alert values are assigned by IANA as described in Section 12.
1774 7.3. Handshake Protocol Overview
1776 The cryptographic parameters of the session state are produced by the
1777 TLS Handshake Protocol, which operates on top of the TLS Record
1778 Layer. When a TLS client and server first start communicating, they
1779 agree on a protocol version, select cryptographic algorithms,
1780 optionally authenticate each other, and use public-key encryption
1781 techniques to generate shared secrets.
1783 The TLS Handshake Protocol involves the following steps:
1785 - Exchange hello messages to agree on algorithms, exchange random
1786 values, and check for session resumption.
1788 - Exchange the necessary cryptographic parameters to allow the
1789 client and server to agree on a premaster secret.
1794 Dierks & Rescorla Standards Track [Page 32]
1795 \f
1796 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1799 - Exchange certificates and cryptographic information to allow the
1800 client and server to authenticate themselves.
1802 - Generate a master secret from the premaster secret and exchanged
1803 random values.
1805 - Provide security parameters to the record layer.
1807 - Allow the client and server to verify that their peer has
1808 calculated the same security parameters and that the handshake
1809 occurred without tampering by an attacker.
1811 Note that higher layers should not be overly reliant on whether TLS
1812 always negotiates the strongest possible connection between two
1813 peers. There are a number of ways in which a man in the middle
1814 attacker can attempt to make two entities drop down to the least
1815 secure method they support. The protocol has been designed to
1816 minimize this risk, but there are still attacks available: for
1817 example, an attacker could block access to the port a secure service
1818 runs on, or attempt to get the peers to negotiate an unauthenticated
1819 connection. The fundamental rule is that higher levels must be
1820 cognizant of what their security requirements are and never transmit
1821 information over a channel less secure than what they require. The
1822 TLS protocol is secure in that any cipher suite offers its promised
1823 level of security: if you negotiate 3DES with a 1024 bit RSA key
1824 exchange with a host whose certificate you have verified, you can
1825 expect to be that secure.
1827 These goals are achieved by the handshake protocol, which can be
1828 summarized as follows: The client sends a client hello message to
1829 which the server must respond with a server hello message, or else a
1830 fatal error will occur and the connection will fail. The client hello
1831 and server hello are used to establish security enhancement
1832 capabilities between client and server. The client hello and server
1833 hello establish the following attributes: Protocol Version, Session
1834 ID, Cipher Suite, and Compression Method. Additionally, two random
1835 values are generated and exchanged: ClientHello.random and
1836 ServerHello.random.
1838 The actual key exchange uses up to four messages: the server
1839 certificate, the server key exchange, the client certificate, and the
1840 client key exchange. New key exchange methods can be created by
1841 specifying a format for these messages and by defining the use of the
1842 messages to allow the client and server to agree upon a shared
1843 secret. This secret MUST be quite long; currently defined key
1844 exchange methods exchange secrets that range from 46 bytes upwards.
1846 Following the hello messages, the server will send its certificate,
1850 Dierks & Rescorla Standards Track [Page 33]
1851 \f
1852 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1855 if it is to be authenticated. Additionally, a server key exchange
1856 message may be sent, if it is required (e.g., if their server has no
1857 certificate, or if its certificate is for signing only). If the
1858 server is authenticated, it may request a certificate from the
1859 client, if that is appropriate to the cipher suite selected. Next,
1860 the server will send the server hello done message, indicating that
1861 the hello-message phase of the handshake is complete. The server will
1862 then wait for a client response. If the server has sent a certificate
1863 request message, the client MUST send the certificate message. The
1864 client key exchange message is now sent, and the content of that
1865 message will depend on the public key algorithm selected between the
1866 client hello and the server hello. If the client has sent a
1867 certificate with signing ability, a digitally-signed certificate
1868 verify message is sent to explicitly verify possession of the private
1869 key in the certificate.
1871 At this point, a change cipher spec message is sent by the client,
1872 and the client copies the pending Cipher Spec into the current Cipher
1873 Spec. The client then immediately sends the finished message under
1874 the new algorithms, keys, and secrets. In response, the server will
1875 send its own change cipher spec message, transfer the pending to the
1876 current Cipher Spec, and send its finished message under the new
1877 Cipher Spec. At this point, the handshake is complete, and the client
1878 and server may begin to exchange application layer data. (See flow
1879 chart below.) Application data MUST NOT be sent prior to the
1880 completion of the first handshake (before a cipher suite other than
1881 TLS_NULL_WITH_NULL_NULL is established).
1883 Client Server
1885 ClientHello -------->
1886 ServerHello
1887 Certificate*
1888 ServerKeyExchange*
1889 CertificateRequest*
1890 <-------- ServerHelloDone
1891 Certificate*
1892 ClientKeyExchange
1893 CertificateVerify*
1894 [ChangeCipherSpec]
1895 Finished -------->
1896 [ChangeCipherSpec]
1897 <-------- Finished
1898 Application Data <-------> Application Data
1900 Fig. 1. Message flow for a full handshake
1902 * Indicates optional or situation-dependent messages that are not
1906 Dierks & Rescorla Standards Track [Page 34]
1907 \f
1908 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1911 always sent.
1913 Note: To help avoid pipeline stalls, ChangeCipherSpec is an
1914 independent TLS Protocol content type, and is not actually a TLS
1915 handshake message.
1917 When the client and server decide to resume a previous session or
1918 duplicate an existing session (instead of negotiating new security
1919 parameters), the message flow is as follows:
1921 The client sends a ClientHello using the Session ID of the session to
1922 be resumed. The server then checks its session cache for a match. If
1923 a match is found, and the server is willing to re-establish the
1924 connection under the specified session state, it will send a
1925 ServerHello with the same Session ID value. At this point, both
1926 client and server MUST send change cipher spec messages and proceed
1927 directly to finished messages. Once the re-establishment is complete,
1928 the client and server MAY begin to exchange application layer data.
1929 (See flow chart below.) If a Session ID match is not found, the
1930 server generates a new session ID and the TLS client and server
1931 perform a full handshake.
1933 Client Server
1935 ClientHello -------->
1936 ServerHello
1937 [ChangeCipherSpec]
1938 <-------- Finished
1939 [ChangeCipherSpec]
1940 Finished -------->
1941 Application Data <-------> Application Data
1943 Fig. 2. Message flow for an abbreviated handshake
1945 The contents and significance of each message will be presented in
1946 detail in the following sections.
1948 7.4. Handshake Protocol
1950 The TLS Handshake Protocol is one of the defined higher-level clients
1951 of the TLS Record Protocol. This protocol is used to negotiate the
1952 secure attributes of a session. Handshake messages are supplied to
1953 the TLS Record Layer, where they are encapsulated within one or more
1954 TLSPlaintext structures, which are processed and transmitted as
1955 specified by the current active session state.
1957 enum {
1958 hello_request(0), client_hello(1), server_hello(2),
1962 Dierks & Rescorla Standards Track [Page 35]
1963 \f
1964 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
1967 certificate(11), server_key_exchange (12),
1968 certificate_request(13), server_hello_done(14),
1969 certificate_verify(15), client_key_exchange(16),
1970 finished(20), (255)
1971 } HandshakeType;
1973 struct {
1974 HandshakeType msg_type; /* handshake type */
1975 uint24 length; /* bytes in message */
1976 select (HandshakeType) {
1977 case hello_request: HelloRequest;
1978 case client_hello: ClientHello;
1979 case server_hello: ServerHello;
1980 case certificate: Certificate;
1981 case server_key_exchange: ServerKeyExchange;
1982 case certificate_request: CertificateRequest;
1983 case server_hello_done: ServerHelloDone;
1984 case certificate_verify: CertificateVerify;
1985 case client_key_exchange: ClientKeyExchange;
1986 case finished: Finished;
1987 } body;
1988 } Handshake;
1990 The handshake protocol messages are presented below in the order they
1991 MUST be sent; sending handshake messages in an unexpected order
1992 results in a fatal error. Unneeded handshake messages can be omitted,
1993 however. Note one exception to the ordering: the Certificate message
1994 is used twice in the handshake (from server to client, then from
1995 client to server), but described only in its first position. The one
1996 message that is not bound by these ordering rules is the Hello
1997 Request message, which can be sent at any time, but which SHOULD be
1998 ignored by the client if it arrives in the middle of a handshake.
2000 New Handshake message types are assigned by IANA as described in
2001 Section 12.
2003 7.4.1. Hello Messages
2005 The hello phase messages are used to exchange security enhancement
2006 capabilities between the client and server. When a new session
2007 begins, the Record Layer's connection state encryption, hash, and
2008 compression algorithms are initialized to null. The current
2009 connection state is used for renegotiation messages.
2011 7.4.1.1. Hello Request
2013 When this message will be sent:
2018 Dierks & Rescorla Standards Track [Page 36]
2019 \f
2020 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2023 The hello request message MAY be sent by the server at any time.
2025 Meaning of this message:
2027 Hello request is a simple notification that the client should
2028 begin the negotiation process anew by sending a client hello
2029 message when convenient. This message is not intended to establish
2030 which side is the client or server but merely to initiate a new
2031 negotiation. Servers SHOULD NOT send a HelloRequest immediately
2032 upon the client's initial connection. It is the client's job to
2033 send a ClientHello at that time.
2035 This message will be ignored by the client if the client is
2036 currently negotiating a session. This message may be ignored by
2037 the client if it does not wish to renegotiate a session, or the
2038 client may, if it wishes, respond with a no_renegotiation alert.
2039 Since handshake messages are intended to have transmission
2040 precedence over application data, it is expected that the
2041 negotiation will begin before no more than a few records are
2042 received from the client. If the server sends a hello request but
2043 does not receive a client hello in response, it may close the
2044 connection with a fatal alert.
2046 After sending a hello request, servers SHOULD NOT repeat the
2047 request until the subsequent handshake negotiation is complete.
2049 Structure of this message:
2051 struct { } HelloRequest;
2053 Note: This message MUST NOT be included in the message hashes that
2054 are maintained throughout the handshake and used in the finished
2055 messages and the certificate verify message.
2057 7.4.1.2. Client Hello
2059 When this message will be sent:
2061 When a client first connects to a server it is required to send
2062 the client hello as its first message. The client can also send a
2063 client hello in response to a hello request or on its own
2064 initiative in order to renegotiate the security parameters in an
2065 existing connection.
2067 Structure of this message:
2069 The client hello message includes a random structure, which is
2070 used later in the protocol.
2074 Dierks & Rescorla Standards Track [Page 37]
2075 \f
2076 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2079 struct {
2080 uint32 gmt_unix_time;
2081 opaque random_bytes[28];
2082 } Random;
2084 gmt_unix_time
2085 The current time and date in standard UNIX 32-bit format
2086 (seconds since the midnight starting Jan 1, 1970, GMT, ignoring
2087 leap seconds) according to the sender's internal clock. Clocks
2088 are not required to be set correctly by the basic TLS Protocol;
2089 higher-level or application protocols may define additional
2090 requirements.
2092 random_bytes
2093 28 bytes generated by a secure random number generator.
2095 The client hello message includes a variable-length session
2096 identifier. If not empty, the value identifies a session between the
2097 same client and server whose security parameters the client wishes to
2098 reuse. The session identifier MAY be from an earlier connection, this
2099 connection, or from another currently active connection. The second
2100 option is useful if the client only wishes to update the random
2101 structures and derived values of a connection, and the third option
2102 makes it possible to establish several independent secure connections
2103 without repeating the full handshake protocol. These independent
2104 connections may occur sequentially or simultaneously; a SessionID
2105 becomes valid when the handshake negotiating it completes with the
2106 exchange of Finished messages and persists until it is removed due to
2107 aging or because a fatal error was encountered on a connection
2108 associated with the session. The actual contents of the SessionID are
2109 defined by the server.
2111 opaque SessionID<0..32>;
2113 Warning: Because the SessionID is transmitted without encryption or
2114 immediate MAC protection, servers MUST NOT place confidential
2115 information in session identifiers or let the contents of fake
2116 session identifiers cause any breach of security. (Note that the
2117 content of the handshake as a whole, including the SessionID, is
2118 protected by the Finished messages exchanged at the end of the
2119 handshake.)
2121 The cipher suite list, passed from the client to the server in the
2122 client hello message, contains the combinations of cryptographic
2123 algorithms supported by the client in order of the client's
2124 preference (favorite choice first). Each cipher suite defines a key
2125 exchange algorithm, a bulk encryption algorithm (including secret key
2126 length), a MAC algorithm, and a PRF. The server will select a cipher
2130 Dierks & Rescorla Standards Track [Page 38]
2131 \f
2132 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2135 suite or, if no acceptable choices are presented, return a handshake
2136 failure alert and close the connection.
2138 uint8 CipherSuite[2]; /* Cryptographic suite selector */
2140 The client hello includes a list of compression algorithms supported
2141 by the client, ordered according to the client's preference.
2143 enum { null(0), (255) } CompressionMethod;
2145 struct {
2146 ProtocolVersion client_version;
2147 Random random;
2148 SessionID session_id;
2149 CipherSuite cipher_suites<2..2^16-2>;
2150 CompressionMethod compression_methods<1..2^8-1>;
2151 select (extensions_present) {
2152 case false:
2153 struct {};
2154 case true:
2155 Extension extensions<0..2^16-1>;
2156 };
2157 } ClientHello;
2159 TLS allows extensions to follow the compression_methods field in an
2160 extensions block. The presence of extensions can be detected by
2161 determining whether there are bytes following the compression_methods
2162 at the end of the ClientHello. Note that this method of detecting
2163 optional data differs from the normal TLS method of having a
2164 variable-length field but is used for compatibility with TLS before
2165 extensions were defined.
2167 client_version
2168 The version of the TLS protocol by which the client wishes to
2169 communicate during this session. This SHOULD be the latest
2170 (highest valued) version supported by the client. For this version
2171 of the specification, the version will be 3.3 (See Appendix E for
2172 details about backward compatibility).
2174 random
2175 A client-generated random structure.
2177 session_id
2178 The ID of a session the client wishes to use for this connection.
2179 This field is empty if no session_id is available, or it the
2180 client wishes to generate new security parameters.
2182 cipher_suites
2186 Dierks & Rescorla Standards Track [Page 39]
2187 \f
2188 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2191 This is a list of the cryptographic options supported by the
2192 client, with the client's first preference first. If the
2193 session_id field is not empty (implying a session resumption
2194 request) this vector MUST include at least the cipher_suite from
2195 that session. Values are defined in Appendix A.5.
2197 compression_methods
2198 This is a list of the compression methods supported by the client,
2199 sorted by client preference. If the session_id field is not empty
2200 (implying a session resumption request) it MUST include the
2201 compression_method from that session. This vector MUST contain,
2202 and all implementations MUST support, CompressionMethod.null.
2203 Thus, a client and server will always be able to agree on a
2204 compression method.
2206 extensions
2207 Clients MAY request extended functionality from servers by sending
2208 data in the extensions Here the new "extensions" field contains a
2209 list of extensions. The actual "Extension" format is defined in
2210 Section 7.4.1.4.
2212 In the event that a client requests additional functionality using
2213 extensions, and this functionality is not supplied by the server, the
2214 client MAY abort the handshake. A server MUST accept client hello
2215 messages both with and without the extensions field, and (as for all
2216 other messages) MUST check that the amount of data in the message
2217 precisely matches one of these formats; if not, then it MUST send a
2218 fatal "decode_error" alert.
2220 After sending the client hello message, the client waits for a server
2221 hello message. Any other handshake message returned by the server
2222 except for a hello request is treated as a fatal error.
2224 7.4.1.3. Server Hello
2226 When this message will be sent:
2228 The server will send this message in response to a client hello
2229 message when it was able to find an acceptable set of algorithms.
2230 If it cannot find such a match, it will respond with a handshake
2231 failure alert.
2233 Structure of this message:
2235 struct {
2236 ProtocolVersion server_version;
2237 Random random;
2238 SessionID session_id;
2242 Dierks & Rescorla Standards Track [Page 40]
2243 \f
2244 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2247 CipherSuite cipher_suite;
2248 CompressionMethod compression_method;
2249 select (extensions_present) {
2250 case false:
2251 struct {};
2252 case true:
2253 Extension extensions<0..2^16-1>;
2254 };
2255 } ServerHello;
2257 The presence of extensions can be detected by determining whether
2258 there are bytes following the compression_method field at the end of
2259 the ServerHello.
2261 server_version
2262 This field will contain the lower of that suggested by the client
2263 in the client hello and the highest supported by the server. For
2264 this version of the specification, the version is 3.3. (See
2265 Appendix E for details about backward compatibility.)
2267 random
2268 This structure is generated by the server and MUST be
2269 independently generated from the ClientHello.random.
2271 session_id
2272 This is the identity of the session corresponding to this
2273 connection. If the ClientHello.session_id was non-empty, the
2274 server will look in its session cache for a match. If a match is
2275 found and the server is willing to establish the new connection
2276 using the specified session state, the server will respond with
2277 the same value as was supplied by the client. This indicates a
2278 resumed session and dictates that the parties must proceed
2279 directly to the finished messages. Otherwise this field will
2280 contain a different value identifying the new session. The server
2281 may return an empty session_id to indicate that the session will
2282 not be cached and therefore cannot be resumed. If a session is
2283 resumed, it must be resumed using the same cipher suite it was
2284 originally negotiated with. Note that there is no requirement that
2285 the server resume any session even if it had formerly provided a
2286 session_id. Client MUST be prepared to do a full negotiation --
2287 including negotiating new cipher suites -- during any handshake.
2289 cipher_suite
2290 The single cipher suite selected by the server from the list in
2291 ClientHello.cipher_suites. For resumed sessions, this field is the
2292 value from the state of the session being resumed.
2294 compression_method
2298 Dierks & Rescorla Standards Track [Page 41]
2299 \f
2300 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2303 The single compression algorithm selected by the server from the
2304 list in ClientHello.compression_methods. For resumed sessions this
2305 field is the value from the resumed session state.
2307 extensions
2308 A list of extensions. Note that only extensions offered by the
2309 client can appear in the server's list.
2311 7.4.1.4 Hello Extensions
2313 The extension format is:
2315 struct {
2316 ExtensionType extension_type;
2317 opaque extension_data<0..2^16-1>;
2318 } Extension;
2320 enum {
2321 signature_algorithms(TBD-BY-IANA), (65535)
2322 } ExtensionType;
2324 Here:
2326 - "extension_type" identifies the particular extension type.
2328 - "extension_data" contains information specific to the particular
2329 extension type.
2331 The initial set of extensions is defined in a companion document
2332 [TLSEXT]. The list of extension types is maintained by IANA as
2333 described in Section 12.
2335 There are subtle (and not so subtle) interactions that may occur in
2336 this protocol between new features and existing features which may
2337 result in a significant reduction in overall security, The following
2338 considerations should be taken into account when designing new
2339 extensions:
2341 - Some cases where a server does not agree to an extension are error
2342 conditions, and some simply a refusal to support a particular
2343 feature. In general error alerts should be used for the former,
2344 and a field in the server extension response for the latter.
2346 - Extensions should as far as possible be designed to prevent any
2347 attack that forces use (or non-use) of a particular feature by
2348 manipulation of handshake messages. This principle should be
2349 followed regardless of whether the feature is believed to cause a
2350 security problem.
2354 Dierks & Rescorla Standards Track [Page 42]
2355 \f
2356 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2359 Often the fact that the extension fields are included in the
2360 inputs to the Finished message hashes will be sufficient, but
2361 extreme care is needed when the extension changes the meaning of
2362 messages sent in the handshake phase. Designers and implementors
2363 should be aware of the fact that until the handshake has been
2364 authenticated, active attackers can modify messages and insert,
2365 remove, or replace extensions.
2367 - It would be technically possible to use extensions to change major
2368 aspects of the design of TLS; for example the design of cipher
2369 suite negotiation. This is not recommended; it would be more
2370 appropriate to define a new version of TLS - particularly since
2371 the TLS handshake algorithms have specific protection against
2372 version rollback attacks based on the version number, and the
2373 possibility of version rollback should be a significant
2374 consideration in any major design change.
2376 7.4.1.4.1 Signature Algorithms
2378 The client uses the "signature_algorithms" extension to indicate to
2379 the server which signature/hash algorithm pairs may be used in
2380 digital signatures. The "extension_data" field of this extension
2381 contains a "supported_signature_algorithms" value.
2383 enum {
2384 none(0), md5(1), sha1(2), sha256(3), sha384(4),
2385 sha512(5), (255)
2386 } HashAlgorithm;
2388 enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
2389 SignatureAlgorithm;
2391 struct {
2392 HashAlgorithm hash;
2393 SignatureAlgorithm signature;
2394 } SignatureAndHashAlgorithm;
2396 SignatureAndHashAlgorithm
2397 supported_signature_algorithms<2..2^16-2>;
2399 Each SignatureAndHashAlgorithm value lists a single hash/signature
2400 pair which the client is willing to verify. The values are indicated
2401 in descending order of preference.
2403 Note: Because not all signature algorithms and hash algorithms may be
2404 accepted by an implementation (e.g., DSA with SHA-1, but not
2405 SHA-256), algorithms here are listed in pairs.
2410 Dierks & Rescorla Standards Track [Page 43]
2411 \f
2412 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2415 hash
2416 This field indicates the hash algorithm which may be used. The
2417 values indicate support for unhashed data, MD5 [MD5], SHA-1,
2418 SHA-256, SHA-384, and SHA-512 [SHA] respectively. The "none" value
2419 is provided for future extensibility, in case of a signature
2420 algorithm which does not require hashing before signing.
2422 signature
2423 This field indicates the signature algorithm which may be used.
2424 The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
2425 [PKCS1] and DSA [DSS] respectively. The "anonymous" value is
2426 meaningless in this context but used in Section 7.4.3. It MUST NOT
2427 appear in this extension.
2429 The semantics of this extension are somewhat complicated because the
2430 cipher suite indicates permissible signature algorithms but not hash
2431 algorithm. Sections 7.4.2 and 7.4.3 describe the appropriate rules.
2433 If the client supports only the default hash and signature algorithms
2434 (listed in this section), it MAY omit the signature_algorithms
2435 extension. If the client does not support the default algorithms, or
2436 supports other hash and signature algorithms (and it is willing to
2437 use them for verifying messages sent by server; server certificates
2438 and server key exchange), it MUST send the signature_algorithms
2439 extension listing the algorithms it is willing to accept.
2441 If the client does not send the signature_algorithms extension, the
2442 server MUST assume the following:
2444 - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
2445 DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had sent
2446 the value (sha1,rsa).
2448 - If the negotiated key exchange algorithm is one of (DHE_DSS,
2449 DH_DSS), behave as if the client had sent the value (sha1,dsa).
2451 - If the negotiated key exchnage algorithm is one of (ECDH_ECDSA,
2452 ECDHE_ECDSA), behave as if the client had sent value (sha1,ecdsa).
2454 Note: this is a change from TLS 1.1 where there are no explicit rules
2455 but as a practical matter one can assume that the peer supports MD5
2456 and SHA-1.
2458 Note: this extension is not meaningful for TLS versions prior to 1.2.
2459 Clients MUST NOT offer it if they are offering prior versions.
2460 However, even if clients do offer it, the rules specified in [TLSEXT]
2461 require servers to ignore extensions they do not understand.
2466 Dierks & Rescorla Standards Track [Page 44]
2467 \f
2468 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2471 Servers MUST NOT send this extension. TLS servers MUST support
2472 receiving this extension.
2475 7.4.2. Server Certificate
2477 When this message will be sent:
2479 The server MUST send a certificate whenever the agreed-upon key
2480 exchange method uses certificates for authentication (this
2481 includes all key exchange methods defined in this document except
2482 DH_anon). This message will always immediately follow the server
2483 hello message.
2485 Meaning of this message:
2487 This message conveys the server's certificate chain to the client.
2488 The certificate MUST be appropriate for the negotiated cipher
2489 suite's key exchange algorithm, and any negotiated extensions.
2491 Structure of this message:
2493 opaque ASN.1Cert<1..2^24-1>;
2495 struct {
2496 ASN.1Cert certificate_list<0..2^24-1>;
2497 } Certificate;
2499 certificate_list
2500 This is a sequence (chain) of certificates. The sender's
2501 certificate MUST come first in the list. Each following
2502 certificate MUST directly certify the one preceding it. Because
2503 certificate validation requires that root keys be distributed
2504 independently, the self-signed certificate that specifies the root
2505 certificate authority MAY optionally be omitted from the chain,
2506 under the assumption that the remote end must already possess it
2507 in order to validate it in any case.
2509 The same message type and structure will be used for the client's
2510 response to a certificate request message. Note that a client MAY
2511 send no certificates if it does not have an appropriate certificate
2512 to send in response to the server's authentication request.
2514 Note: PKCS #7 [PKCS7] is not used as the format for the certificate
2515 vector because PKCS #6 [PKCS6] extended certificates are not used.
2516 Also, PKCS #7 defines a SET rather than a SEQUENCE, making the task
2517 of parsing the list more difficult.
2522 Dierks & Rescorla Standards Track [Page 45]
2523 \f
2524 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2527 The following rules apply to the certificates sent by the server:
2529 - The certificate type MUST be X.509v3, unless explicitly negotiated
2530 otherwise (e.g., [TLSPGP]).
2532 - The end entity certificate's public key (and associated
2533 restrictions) MUST be compatible with the selected key exchange
2534 algorithm.
2536 Key Exchange Alg. Certificate Key Type
2538 RSA RSA public key; the certificate MUST
2539 RSA_PSK allow the key to be used for encryption
2540 (the keyEncipherment bit MUST be set
2541 if the key usage extension is present).
2542 Note: RSA_PSK is defined in [TLSPSK].
2544 DHE_RSA RSA public key; the certificate MUST
2545 ECDHE_RSA allow the key to be used for signing
2546 (the digitalSignature bit MUST be set
2547 if the key usage extension is present)
2548 with the signature scheme and hash
2549 algorithm that will be employed in the
2550 server key exchange message.
2552 DHE_DSS DSA public key; the certificate MUST
2553 allow the key to be used for signing with
2554 the hash algorithm that will be employed
2555 in the server key exchange message.
2557 DH_DSS Diffie-Hellman public key; the
2558 DH_RSA keyAgreement bit MUST be set if the
2559 key usage extension is present.
2561 ECDH_ECDSA ECDH-capable public key; the public key
2562 ECDH_RSA MUST use a curve and point format supported
2563 by the client, as described in [TLSECC].
2565 ECDHE_ECDSA ECDSA-capable public key; the certificate
2566 MUST allow the key to be used for signing
2567 with the hash algorithm that will be
2568 employed in the server key exchange
2569 message. The public key MUST use a curve
2570 and point format supported by the client,
2571 as described in [TLSECC].
2573 - The "server_name" and "trusted_ca_keys" extensions [4366bis] are
2574 used to guide certificate selection.
2578 Dierks & Rescorla Standards Track [Page 46]
2579 \f
2580 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2583 If the client provided a "signature_algorithms" extension, then all
2584 certificates provided by the server MUST be signed by a
2585 hash/signature algorithm pair that appears in that extension. Note
2586 that this implies that a certificate containing a key for one
2587 signature algorithm MAY be signed using a different signature
2588 algorithm (for instance, an RSA key signed with a DSA key.) This is a
2589 departure from TLS 1.1, which required that the algorithms be the
2590 same. Note that this also implies that the DH_DSS, DH_RSA,
2591 ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the
2592 algorithm used to sign the certificate. Fixed DH certificates MAY be
2593 signed with any hash/signature algorithm pair appearing in the
2594 extension. The naming is historical.
2596 If the server has multiple certificates, it chooses one of them based
2597 on the above-mentioned criteria (in addition to other criteria, such
2598 as transport layer endpoint, local configuration and preferences,
2599 etc.). If the server has a single certificate it SHOULD attempt to
2600 validate that it meets these criteria.
2602 Note that there are certificates that use algorithms and/or algorithm
2603 combinations that cannot be currently used with TLS. For example, a
2604 certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
2605 SubjectPublicKeyInfo) cannot be used because TLS defines no
2606 corresponding signature algorithm.
2608 As cipher suites that specify new key exchange methods are specified
2609 for the TLS Protocol, they will imply certificate format and the
2610 required encoded keying information.
2612 7.4.3. Server Key Exchange Message
2614 When this message will be sent:
2616 This message will be sent immediately after the server certificate
2617 message (or the server hello message, if this is an anonymous
2618 negotiation).
2620 The server key exchange message is sent by the server only when
2621 the server certificate message (if sent) does not contain enough
2622 data to allow the client to exchange a premaster secret. This is
2623 true for the following key exchange methods:
2625 DHE_DSS
2626 DHE_RSA
2627 DH_anon
2629 It is not legal to send the server key exchange message for the
2630 following key exchange methods:
2634 Dierks & Rescorla Standards Track [Page 47]
2635 \f
2636 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2639 RSA
2640 DH_DSS
2641 DH_RSA
2643 Meaning of this message:
2645 This message conveys cryptographic information to allow the client
2646 to communicate the premaster secret: a Diffie-Hellman public key
2647 with which the client can complete a key exchange (with the result
2648 being the premaster secret) or a public key for some other
2649 algorithm.
2651 Structure of this message:
2653 enum { diffie_hellman, rsa } KeyExchangeAlgorithm;
2655 struct {
2656 opaque dh_p<1..2^16-1>;
2657 opaque dh_g<1..2^16-1>;
2658 opaque dh_Ys<1..2^16-1>;
2659 } ServerDHParams; /* Ephemeral DH parameters */
2661 dh_p
2662 The prime modulus used for the Diffie-Hellman operation.
2664 dh_g
2665 The generator used for the Diffie-Hellman operation.
2667 dh_Ys
2668 The server's Diffie-Hellman public value (g^X mod p).
2670 struct {
2671 select (KeyExchangeAlgorithm) {
2672 case diffie_hellman:
2673 ServerDHParams params;
2674 Signature signed_params;
2675 };
2676 } ServerKeyExchange;
2678 struct {
2679 select (KeyExchangeAlgorithm) {
2680 case diffie_hellman:
2681 ServerDHParams params;
2682 };
2683 } ServerParams;
2686 params
2690 Dierks & Rescorla Standards Track [Page 48]
2691 \f
2692 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2695 The server's key exchange parameters.
2697 signed_params
2698 For non-anonymous key exchanges, a hash of the corresponding
2699 params value, with the signature appropriate to that hash
2700 applied.
2702 hash
2703 Hash(ClientHello.random + ServerHello.random + ServerParams)
2704 where Hash is the chosen hash value and Hash.length is
2705 its output.
2707 struct {
2708 select (SignatureAlgorithm) {
2709 case anonymous: struct { };
2710 case rsa:
2711 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
2712 digitally-signed struct {
2713 opaque hash[Hash.length];
2714 };
2715 case dsa:
2716 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
2717 digitally-signed struct {
2718 opaque hash[Hash.length];
2719 };
2720 };
2721 };
2722 } Signature;
2724 If the client has offered the "signature_algorithms" extension, the
2725 signature algorithm and hash algorithm MUST be a pair listed in that
2726 extension. Note that there is a possibility for inconsistencies here.
2727 For instance, the client might offer DHE_DSS key exchange but omit
2728 any DSS pairs from its "signature_algorithms" extension. In order to
2729 negotiate correctly, the server MUST check any candidate cipher
2730 suites against the "signature_algorithms" extension before selecting
2731 them. This is somewhat inelegant but is a compromise designed to
2732 minimize changes to the original cipher suite design.
2734 In addition, the hash and signature algorithms MUST be compatible
2735 with the key in the server's end-entity certificate. RSA keys MAY be
2736 used with any permitted hash algorithm, subject to restrictions in
2737 the certificate, if any.
2739 Because DSA signatures do not contain any secure indication of hash
2740 algorithm, there is a risk of hash substitution if multiple hashes
2741 may be used with any key. Currently, DSS [DSS] may only be used with
2742 SHA-1. Future revisions of DSS [DSS-3] are expected to allow other
2746 Dierks & Rescorla Standards Track [Page 49]
2747 \f
2748 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2751 digest algorithms, as well as guidance as to which digest algorithms
2752 should be used with each key size. In addition, future revisions of
2753 [PKIX] may specify mechanisms for certificates to indicate which
2754 digest algorithms are to be used with DSA.
2756 As additional cipher suites are defined for TLS that include new key
2757 exchange algorithms, the server key exchange message will be sent if
2758 and only if the certificate type associated with the key exchange
2759 algorithm does not provide enough information for the client to
2760 exchange a premaster secret.
2762 7.4.4. Certificate Request
2764 When this message will be sent:
2766 A non-anonymous server can optionally request a certificate from
2767 the client, if appropriate for the selected cipher suite. This
2768 message, if sent, will immediately follow the Server Key Exchange
2769 message (if it is sent; otherwise, the Server Certificate
2770 message).
2772 Structure of this message:
2774 enum {
2775 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
2776 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
2777 fortezza_dms_RESERVED(20), (255)
2778 } ClientCertificateType;
2780 opaque DistinguishedName<1..2^16-1>;
2782 struct {
2783 ClientCertificateType certificate_types<1..2^8-1>;
2784 SignatureAndHashAlgorithm
2785 supported_signature_algorithms<2^16-1>;
2786 DistinguishedName certificate_authorities<0..2^16-1>;
2787 } CertificateRequest;
2789 certificate_types
2790 A list of the types of certificate types which the client may
2791 offer.
2793 rsa_sign a certificate containing an RSA key
2794 dss_sign a certificate containing a DSS key
2795 rsa_fixed_dh a certificate containing a static DH key.
2796 dss_fixed_dh a certificate containing a static DH key
2798 supported_signature_algorithms
2802 Dierks & Rescorla Standards Track [Page 50]
2803 \f
2804 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2807 A list of the hash/signature algorithm pairs that the server is
2808 able to verify, listed in descending order of preference.
2810 certificate_authorities
2811 A list of the distinguished names [X501] of acceptable
2812 certificate_authorities, represented in DER-encoded format. These
2813 distinguished names may specify a desired distinguished name for a
2814 root CA or for a subordinate CA; thus, this message can be used
2815 both to describe known roots and a desired authorization space. If
2816 the certificate_authorities list is empty then the client MAY send
2817 any certificate of the appropriate ClientCertificateType, unless
2818 there is some external arrangement to the contrary.
2820 The interaction of the certificate_types and
2821 supported_signature_algorithms fields is somewhat complicated.
2822 certificate_types has been present in TLS since SSLv3, but was
2823 somewhat underspecified. Much of its functionality is superseded by
2824 supported_signature_algorithms. The following rules apply:
2826 - Any certificates provided by the client MUST be signed using a
2827 hash/signature algorithm pair found in
2828 supported_signature_algorithms.
2830 - The end-entity certificate provided by the client MUST contain a
2831 key which is compatible with certificate_types. If the key is a
2832 signature key, it MUST be usable with some hash/signature
2833 algorithm pair in supported_signature_algorithms.
2835 - For historical reasons, the names of some client certificate types
2836 include the algorithm used to sign the certificate. For example,
2837 in earlier versions of TLS, rsa_fixed_dh meant a certificate
2838 signed with RSA and containing a static DH key. In TLS 1.2, this
2839 functionality has been obsoleted by the
2840 supported_signature_algorithms, and the certificate type no longer
2841 restricts the algorithm used to sign the certificate. For
2842 example, if the server sends dss_fixed_dh certificate type and
2843 {{sha1, dsa}, {sha1, rsa}} signature types, the client MAY reply
2844 with a certificate containing a static DH key, signed with RSA-
2845 SHA1.
2847 New ClientCertificateType values are assigned by IANA as described in
2848 Section 12.
2850 Note: Values listed as RESERVED may not be used. They were used in
2851 SSLv3.
2853 Note: It is a fatal handshake_failure alert for an anonymous server
2854 to request client authentication.
2858 Dierks & Rescorla Standards Track [Page 51]
2859 \f
2860 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2863 7.4.5 Server hello done
2865 When this message will be sent:
2867 The server hello done message is sent by the server to indicate
2868 the end of the server hello and associated messages. After sending
2869 this message, the server will wait for a client response.
2871 Meaning of this message:
2873 This message means that the server is done sending messages to
2874 support the key exchange, and the client can proceed with its
2875 phase of the key exchange.
2877 Upon receipt of the server hello done message, the client SHOULD
2878 verify that the server provided a valid certificate, if required
2879 and check that the server hello parameters are acceptable.
2881 Structure of this message:
2883 struct { } ServerHelloDone;
2885 7.4.6. Client Certificate
2887 When this message will be sent:
2889 This is the first message the client can send after receiving a
2890 server hello done message. This message is only sent if the server
2891 requests a certificate. If no suitable certificate is available,
2892 the client MUST send a certificate message containing no
2893 certificates. That is, the certificate_list structure has a length
2894 of zero. If the client does not send any certificates, the server
2895 MAY at its discretion either continue the handshake without client
2896 authentication, or respond with a fatal handshake_failure alert.
2897 Also, if some aspect of the certificate chain was unacceptable
2898 (e.g., it was not signed by a known, trusted CA), the server MAY
2899 at its discretion either continue the handshake (considering the
2900 client unauthenticated) or send a fatal alert.
2902 Client certificates are sent using the Certificate structure
2903 defined in Section 7.4.2.
2905 Meaning of this message:
2907 This message conveys the client's certificate chain to the server;
2908 the server will use it when verifying the certificate verify
2909 message (when the client authentication is based on signing), or
2910 calculate the premaster secret (for non-ephemeral Diffie-Hellman).
2914 Dierks & Rescorla Standards Track [Page 52]
2915 \f
2916 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2919 The certificate MUST be appropriate for the negotiated cipher
2920 suite's key exchange algorithm, and any negotiated extensions.
2922 In particular:
2924 - The certificate type MUST be X.509v3, unless explicitly negotiated
2925 otherwise (e.g. [TLSPGP]).
2927 - The end-entity certificate's public key (and associated
2928 restrictions) has to be compatible with the certificate types
2929 listed in CertificateRequest:
2931 Client Cert. Type Certificate Key Type
2933 rsa_sign RSA public key; the certificate MUST allow
2934 the key to be used for signing with the
2935 signature scheme and hash algorithm that
2936 will be employed in the certificate verify
2937 message.
2939 dss_sign DSA public key; the certificate MUST allow
2940 the key to be used for signing with the
2941 hash algorithm that will be employed in
2942 the certificate verify message.
2944 ecdsa_sign ECDSA-capable public key; the certificate
2945 MUST allow the key to be used for signing
2946 with the hash algorithm that will be
2947 employed in the certificate verify
2948 message; the public key MUST use a
2949 curve and point format supported by the
2950 server.
2952 rsa_fixed_dh Diffie-Hellman public key; MUST use
2953 dss_fixed_dh the same parameters as server's key.
2955 rsa_fixed_ecdh ECDH-capable public key; MUST use
2956 ecdsa_fixed_ecdh the same curve as server's key, and
2957 MUST use a point format supported by
2958 the server.
2960 - If the certificate_authorities list in the certificate request
2961 message was non-empty, one of the certificates in the certificate
2962 chain SHOULD be issued by one of the listed CAs.
2964 - The certificates MUST be signed using an acceptable hash/
2965 signature algorithm pair, as described in Section 7.4.4. Note that
2966 this relaxes the constraints on certificate signing algorithms
2970 Dierks & Rescorla Standards Track [Page 53]
2971 \f
2972 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
2975 found in prior versions of TLS.
2977 Note that as with the server certificate, there are certificates that
2978 use algorithms/algorithm combinations that cannot be currently used
2979 with TLS.
2981 7.4.7. Client Key Exchange Message
2983 When this message will be sent:
2985 This message is always sent by the client. It MUST immediately
2986 follow the client certificate message, if it is sent. Otherwise it
2987 MUST be the first message sent by the client after it receives the
2988 server hello done message.
2990 Meaning of this message:
2992 With this message, the premaster secret is set, either though
2993 direct transmission of the RSA-encrypted secret, or by the
2994 transmission of Diffie-Hellman parameters that will allow each
2995 side to agree upon the same premaster secret.
2997 When the client is using an ephemeral Diffie-Hellman exponent,
2998 then this message contains the client's Diffie-Hellman public
2999 value. If the client is sending a certificate containing a static
3000 DH exponent (i.e., it is doing fixed_dh client authentication)
3001 then this message MUST be sent but MUST be empty.
3004 Structure of this message:
3006 The choice of messages depends on which key exchange method has
3007 been selected. See Section 7.4.3 for the KeyExchangeAlgorithm
3008 definition.
3010 struct {
3011 select (KeyExchangeAlgorithm) {
3012 case rsa: EncryptedPreMasterSecret;
3013 case diffie_hellman: ClientDiffieHellmanPublic;
3014 } exchange_keys;
3015 } ClientKeyExchange;
3017 7.4.7.1. RSA Encrypted Premaster Secret Message
3019 Meaning of this message:
3021 If RSA is being used for key agreement and authentication, the
3022 client generates a 48-byte premaster secret, encrypts it using the
3026 Dierks & Rescorla Standards Track [Page 54]
3027 \f
3028 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3031 public key from the server's certificate and sends the result in
3032 an encrypted premaster secret message. This structure is a variant
3033 of the client key exchange message and is not a message in itself.
3035 Structure of this message:
3037 struct {
3038 ProtocolVersion client_version;
3039 opaque random[46];
3040 } PreMasterSecret;
3042 client_version
3043 The latest (newest) version supported by the client. This is
3044 used to detect version roll-back attacks.
3046 random
3047 46 securely-generated random bytes.
3049 struct {
3050 public-key-encrypted PreMasterSecret pre_master_secret;
3051 } EncryptedPreMasterSecret;
3053 pre_master_secret
3054 This random value is generated by the client and is used to
3055 generate the master secret, as specified in Section 8.1.
3057 Note: The version number in the PreMasterSecret is the version
3058 offered by the client in the ClientHello.client_version, not the
3059 version negotiated for the connection. This feature is designed to
3060 prevent rollback attacks. Unfortunately, some old implementations
3061 use the negotiated version instead and therefore checking the version
3062 number may lead to failure to interoperate with such incorrect client
3063 implementations.
3065 Client implementations MUST always send the correct version number in
3066 PreMasterSecret. If ClientHello.client_version is TLS 1.1 or higher,
3067 server implementations MUST check the version number as described in
3068 the note below. If the version number is 1.0 or earlier, server
3069 implementations SHOULD check the version number, but MAY have a
3070 configuration option to disable the check. Note that if the check
3071 fails, the PreMasterSecret SHOULD be randomized as described below.
3073 Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al.
3074 [KPR03] can be used to attack a TLS server that reveals whether a
3075 particular message, when decrypted, is properly PKCS#1 formatted,
3076 contains a valid PreMasterSecret structure, or has the correct
3077 version number.
3082 Dierks & Rescorla Standards Track [Page 55]
3083 \f
3084 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3087 The best way to avoid these vulnerabilities is to treat incorrectly
3088 formatted messages in a manner indistinguishable from correctly
3089 formatted RSA blocks. In other words:
3091 1. Generate a string R of 46 random bytes
3093 2. Decrypt the message M
3095 3. If the PKCS#1 padding is not correct, or the length of
3096 message M is not exactly 48 bytes:
3097 premaster secret = ClientHello.client_version || R
3098 else If ClientHello.client_version <= TLS 1.0, and
3099 version number check is explicitly disabled:
3100 premaster secret = M
3101 else:
3102 premaster secret = ClientHello.client_version || M[2..47]
3104 In any case, a TLS server MUST NOT generate an alert if processing an
3105 RSA-encrypted premaster secret message fails, or the version number
3106 is not as expected. Instead, it MUST continue the handshake with a
3107 randomly generated premaster secret. It may be useful to log the
3108 real cause of failure for troubleshooting purposes; however, care
3109 must be taken to avoid leaking the information to an attacker
3110 (through, e.g., timing, log files, or other channels.)
3112 The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure
3113 against the Bleichenbacher attack. However, for maximal compatibility
3114 with earlier versions of TLS, this specification uses the RSAES-
3115 PKCS1-v1_5 scheme. No variants of the Bleichenbacher attack are known
3116 to exist provided that the above recommendations are followed.
3118 Implementation Note: Public-key-encrypted data is represented as an
3119 opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted
3120 PreMasterSecret in a ClientKeyExchange is preceded by two length
3121 bytes. These bytes are redundant in the case of RSA because the
3122 EncryptedPreMasterSecret is the only data in the ClientKeyExchange
3123 and its length can therefore be unambiguously determined. The SSLv3
3124 specification was not clear about the encoding of public-key-
3125 encrypted data, and therefore many SSLv3 implementations do not
3126 include the the length bytes, encoding the RSA encrypted data
3127 directly in the ClientKeyExchange message.
3129 This specification requires correct encoding of the
3130 EncryptedPreMasterSecret complete with length bytes. The resulting
3131 PDU is incompatible with many SSLv3 implementations. Implementors
3132 upgrading from SSLv3 MUST modify their implementations to generate
3133 and accept the correct encoding. Implementors who wish to be
3134 compatible with both SSLv3 and TLS should make their implementation's
3138 Dierks & Rescorla Standards Track [Page 56]
3139 \f
3140 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3143 behavior dependent on the protocol version.
3145 Implementation Note: It is now known that remote timing-based attacks
3146 on TLS are possible, at least when the client and server are on the
3147 same LAN. Accordingly, implementations that use static RSA keys MUST
3148 use RSA blinding or some other anti-timing technique, as described in
3149 [TIMING].
3152 7.4.7.2. Client Diffie-Hellman Public Value
3154 Meaning of this message:
3156 This structure conveys the client's Diffie-Hellman public value
3157 (Yc) if it was not already included in the client's certificate.
3158 The encoding used for Yc is determined by the enumerated
3159 PublicValueEncoding. This structure is a variant of the client key
3160 exchange message, and not a message in itself.
3162 Structure of this message:
3164 enum { implicit, explicit } PublicValueEncoding;
3166 implicit
3167 If the client has sent a certificate which contains a suitable
3168 Diffie-Hellman key (for fixed_dh client authentication) then Yc
3169 is implicit and does not need to be sent again. In this case,
3170 the client key exchange message will be sent, but it MUST be
3171 empty.
3173 explicit
3174 Yc needs to be sent.
3176 struct {
3177 select (PublicValueEncoding) {
3178 case implicit: struct { };
3179 case explicit: opaque dh_Yc<1..2^16-1>;
3180 } dh_public;
3181 } ClientDiffieHellmanPublic;
3183 dh_Yc
3184 The client's Diffie-Hellman public value (Yc).
3186 7.4.8. Certificate verify
3188 When this message will be sent:
3190 This message is used to provide explicit verification of a client
3194 Dierks & Rescorla Standards Track [Page 57]
3195 \f
3196 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3199 certificate. This message is only sent following a client
3200 certificate that has signing capability (i.e. all certificates
3201 except those containing fixed Diffie-Hellman parameters). When
3202 sent, it MUST immediately follow the client key exchange message.
3204 Structure of this message:
3206 struct {
3207 SignatureAndHashAlgorithm signature_algorithm;
3208 digitally-signed struct {
3209 opaque handshake_messages[handshake_messages_length];
3210 }
3211 } CertificateVerify;
3213 Here handshake_messages refers to all handshake messages sent or
3214 received starting at client hello up to but not including this
3215 message, including the type and length fields of the handshake
3216 messages. This is the concatenation of all the Handshake
3217 structures as defined in 7.4 exchanged thus far. Note that this
3218 requires both sides to either buffer the messages or compute
3219 running hashes for all potential hash algorithms up to the time of
3220 the CertificateVerify computation. Servers can minimize this
3221 computation cost by offering a restricted set of digest algorithms
3222 in the CertificateRequest message.
3224 The hash and signature algorithms used in the signature MUST be
3225 one of those present in the supported_signature_algorithms field
3226 of the CertificateRequest message. In addition, the hash and
3227 signature algorithms MUST be compatible with the key in the
3228 client's end-entity certificate. RSA keys MAY be used with any
3229 permitted hash algorith, subject to restrictions in the
3230 certificate, if any.
3232 Because DSA signatures do not contain any secure indication of
3233 hash algorithm, there is a risk of hash substitution if multiple
3234 hashes may be used with any key. Currently, DSS [DSS] may only be
3235 used with SHA-1. Future revisions of DSS [DSS-3] are expected to
3236 allow other digest algorithms, as well as guidance as to which
3237 digest algorithms should be used with each key size. In addition,
3238 future revisions of [PKIX] may specify mechanisms for certificates
3239 to indicate which digest algorithms are to be used with DSA.
3242 7.4.9. Finished
3244 When this message will be sent:
3246 A finished message is always sent immediately after a change
3250 Dierks & Rescorla Standards Track [Page 58]
3251 \f
3252 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3255 cipher spec message to verify that the key exchange and
3256 authentication processes were successful. It is essential that a
3257 change cipher spec message be received between the other handshake
3258 messages and the Finished message.
3260 Meaning of this message:
3262 The finished message is the first protected with the just-
3263 negotiated algorithms, keys, and secrets. Recipients of finished
3264 messages MUST verify that the contents are correct. Once a side
3265 has sent its Finished message and received and validated the
3266 Finished message from its peer, it may begin to send and receive
3267 application data over the connection.
3269 Structure of this message:
3271 struct {
3272 opaque verify_data[verify_data_length];
3273 } Finished;
3275 verify_data
3276 PRF(master_secret, finished_label, Hash(handshake_messages))
3277 [0..verify_data_length-1];
3279 finished_label
3280 For Finished messages sent by the client, the string "client
3281 finished". For Finished messages sent by the server, the string
3282 "server finished".
3284 Hash denotes a Hash of the handshake messages. For the PRF defined
3285 in Section 5, the Hash MUST be the Hash used as the basis for the
3286 PRF. Any cipher suite which defines a different PRF MUST also
3287 define the Hash to use in the Finished computation.
3289 In previous versions of TLS, the verify_data was always 12 octets
3290 long. In the current version of TLS, it depends on the cipher
3291 suite. Any cipher suite which does not explicitly specify
3292 verify_data_length has a verify_data_length equal to 12. This
3293 includes all existing cipher suites. Note that this
3294 representation has the same encoding as with previous versions.
3295 Future cipher suites MAY specify other lengths but such length
3296 MUST be at least 12 bytes.
3298 handshake_messages
3299 All of the data from all messages in this handshake (not
3300 including any HelloRequest messages) up to but not including
3301 this message. This is only data visible at the handshake layer
3302 and does not include record layer headers. This is the
3306 Dierks & Rescorla Standards Track [Page 59]
3307 \f
3308 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3311 concatenation of all the Handshake structures as defined in
3312 7.4, exchanged thus far.
3314 It is a fatal error if a finished message is not preceded by a change
3315 cipher spec message at the appropriate point in the handshake.
3317 The value handshake_messages includes all handshake messages starting
3318 at client hello up to, but not including, this finished message. This
3319 may be different from handshake_messages in Section 7.4.8 because it
3320 would include the certificate verify message (if sent). Also, the
3321 handshake_messages for the finished message sent by the client will
3322 be different from that for the finished message sent by the server,
3323 because the one that is sent second will include the prior one.
3325 Note: Change cipher spec messages, alerts, and any other record types
3326 are not handshake messages and are not included in the hash
3327 computations. Also, Hello Request messages are omitted from handshake
3328 hashes.
3330 8. Cryptographic Computations
3332 In order to begin connection protection, the TLS Record Protocol
3333 requires specification of a suite of algorithms, a master secret, and
3334 the client and server random values. The authentication, encryption,
3335 and MAC algorithms are determined by the cipher_suite selected by the
3336 server and revealed in the server hello message. The compression
3337 algorithm is negotiated in the hello messages, and the random values
3338 are exchanged in the hello messages. All that remains is to calculate
3339 the master secret.
3341 8.1. Computing the Master Secret
3343 For all key exchange methods, the same algorithm is used to convert
3344 the pre_master_secret into the master_secret. The pre_master_secret
3345 should be deleted from memory once the master_secret has been
3346 computed.
3348 master_secret = PRF(pre_master_secret, "master secret",
3349 ClientHello.random + ServerHello.random)
3350 [0..47];
3352 The master secret is always exactly 48 bytes in length. The length of
3353 the premaster secret will vary depending on key exchange method.
3362 Dierks & Rescorla Standards Track [Page 60]
3363 \f
3364 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3367 8.1.1. RSA
3369 When RSA is used for server authentication and key exchange, a
3370 48-byte pre_master_secret is generated by the client, encrypted under
3371 the server's public key, and sent to the server. The server uses its
3372 private key to decrypt the pre_master_secret. Both parties then
3373 convert the pre_master_secret into the master_secret, as specified
3374 above.
3376 8.1.2. Diffie-Hellman
3378 A conventional Diffie-Hellman computation is performed. The
3379 negotiated key (Z) is used as the pre_master_secret, and is converted
3380 into the master_secret, as specified above. Leading bytes of Z that
3381 contain all zero bits are stripped before it is used as the
3382 pre_master_secret.
3384 Note: Diffie-Hellman parameters are specified by the server and may
3385 be either ephemeral or contained within the server's certificate.
3387 9. Mandatory Cipher Suites
3389 In the absence of an application profile standard specifying
3390 otherwise, a TLS compliant application MUST implement the cipher
3391 suite TLS_RSA_WITH_AES_128_CBC_SHA.
3393 10. Application Data Protocol
3395 Application data messages are carried by the Record Layer and are
3396 fragmented, compressed, and encrypted based on the current connection
3397 state. The messages are treated as transparent data to the record
3398 layer.
3400 11. Security Considerations
3402 Security issues are discussed throughout this memo, especially in
3403 Appendices D, E, and F.
3405 12. IANA Considerations
3407 This document uses several registries that were originally created in
3408 [TLS1.1]. IANA is requested to update (has updated) these to
3409 reference this document. The registries and their allocation policies
3410 (unchanged from [TLS1.1]) are listed below.
3412 - TLS ClientCertificateType Identifiers Registry: Future values in
3413 the range 0-63 (decimal) inclusive are assigned via Standards
3414 Action [RFC2434]. Values in the range 64-223 (decimal) inclusive
3418 Dierks & Rescorla Standards Track [Page 61]
3419 \f
3420 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3423 are assigned Specification Required [RFC2434]. Values from 224-255
3424 (decimal) inclusive are reserved for Private Use [RFC2434].
3426 - TLS Cipher Suite Registry: Future values with the first byte in the
3427 range 0-191 (decimal) inclusive are assigned via Standards Action
3428 [RFC2434]. Values with the first byte in the range 192-254
3429 (decimal) are assigned via Specification Required [RFC2434].
3430 Values with the first byte 255 (decimal) are reserved for Private
3431 Use [RFC2434]. This document defines several new HMAC-SHA256 based
3432 cipher suites, whose values (in Appendix A.5) are to be (have
3433 been) allocated from the TLS Cipher Suite registry.
3435 - TLS ContentType Registry: Future values are allocated via
3436 Standards Action [RFC2434].
3438 - TLS Alert Registry: Future values are allocated via Standards
3439 Action [RFC2434].
3441 - TLS HandshakeType Registry: Future values are allocated via
3442 Standards Action [RFC2434].
3444 This document also uses a registry originally created in [RFC4366].
3445 IANA is requested to update (has updated) it to reference this
3446 document. The registry and its allocation policy (unchanged from
3447 [RFC4366]) is listed below:
3449 - TLS ExtensionType Registry: Future values are allocated via IETF
3450 Consensus [RFC2434]
3452 In addition, this document defines two new registries to be
3453 maintained by IANA:
3455 - TLS SignatureAlgorithm Registry: The registry will be initially
3456 populated with the values described in Section 7.4.1.4.1. Future
3457 values in the range 0-63 (decimal) inclusive are assigned via
3458 Standards Action [RFC2434]. Values in the range 64-223 (decimal)
3459 inclusive are assigned via Specification Required [RFC2434].
3460 Values from 224-255 (decimal) inclusive are reserved for Private
3461 Use [RFC2434].
3463 - TLS HashAlgorithm Registry: The registry will be initially
3464 populated with the values described in Section 7.4.1.4.1. Future
3465 values in the range 0-63 (decimal) inclusive are assigned via
3466 Standards Action [RFC2434]. Values in the range 64-223 (decimal)
3467 inclusive are assigned via Specification Required [RFC2434].
3468 Values from 224-255 (decimal) inclusive are reserved for Private
3469 Use [RFC2434].
3474 Dierks & Rescorla Standards Track [Page 62]
3475 \f
3476 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3479 This document defines one new TLS extension, signature_algorithms,
3480 which is to be (has been) allocated value TBD-BY-IANA in the TLS
3481 ExtensionType registry.
3483 This document also uses the TLS Compression Method Identifiers
3484 Registry, defined in [RFC3749]. IANA is requested to allocate value
3485 0 for the "null" compression method.
3530 Dierks & Rescorla Standards Track [Page 63]
3531 \f
3532 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3535 Appendix A. Protocol Constant Values
3537 This section describes protocol types and constants.
3539 A.1. Record Layer
3541 struct {
3542 uint8 major;
3543 uint8 minor;
3544 } ProtocolVersion;
3546 ProtocolVersion version = { 3, 3 }; /* TLS v1.2*/
3548 enum {
3549 change_cipher_spec(20), alert(21), handshake(22),
3550 application_data(23), (255)
3551 } ContentType;
3553 struct {
3554 ContentType type;
3555 ProtocolVersion version;
3556 uint16 length;
3557 opaque fragment[TLSPlaintext.length];
3558 } TLSPlaintext;
3560 struct {
3561 ContentType type;
3562 ProtocolVersion version;
3563 uint16 length;
3564 opaque fragment[TLSCompressed.length];
3565 } TLSCompressed;
3567 struct {
3568 ContentType type;
3569 ProtocolVersion version;
3570 uint16 length;
3571 select (SecurityParameters.cipher_type) {
3572 case stream: GenericStreamCipher;
3573 case block: GenericBlockCipher;
3574 case aead: GenericAEADCipher;
3575 } fragment;
3576 } TLSCiphertext;
3578 stream-ciphered struct {
3579 opaque content[TLSCompressed.length];
3580 opaque MAC[SecurityParameters.mac_length];
3581 } GenericStreamCipher;
3586 Dierks & Rescorla Standards Track [Page 64]
3587 \f
3588 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3591 struct {
3592 opaque IV[SecurityParameters.record_iv_length];
3593 block-ciphered struct {
3594 opaque content[TLSCompressed.length];
3595 opaque MAC[SecurityParameters.mac_length];
3596 uint8 padding[GenericBlockCipher.padding_length];
3597 uint8 padding_length;
3598 };
3599 } GenericBlockCipher;
3601 aead-ciphered struct {
3602 opaque IV[SecurityParameters.record_iv_length];
3603 opaque aead_output[AEADEncrypted.length];
3604 } GenericAEADCipher;
3606 A.2. Change Cipher Specs Message
3608 struct {
3609 enum { change_cipher_spec(1), (255) } type;
3610 } ChangeCipherSpec;
3612 A.3. Alert Messages
3614 enum { warning(1), fatal(2), (255) } AlertLevel;
3616 enum {
3617 close_notify(0),
3618 unexpected_message(10),
3619 bad_record_mac(20),
3620 decryption_failed_RESERVED(21),
3621 record_overflow(22),
3622 decompression_failure(30),
3623 handshake_failure(40),
3624 no_certificate_RESERVED(41),
3625 bad_certificate(42),
3626 unsupported_certificate(43),
3627 certificate_revoked(44),
3628 certificate_expired(45),
3629 certificate_unknown(46),
3630 illegal_parameter(47),
3631 unknown_ca(48),
3632 access_denied(49),
3633 decode_error(50),
3634 decrypt_error(51),
3635 export_restriction_RESERVED(60),
3636 protocol_version(70),
3637 insufficient_security(71),
3638 internal_error(80),
3642 Dierks & Rescorla Standards Track [Page 65]
3643 \f
3644 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3647 user_canceled(90),
3648 no_renegotiation(100),
3649 unsupported_extension(110), /* new */
3650 (255)
3651 } AlertDescription;
3653 struct {
3654 AlertLevel level;
3655 AlertDescription description;
3656 } Alert;
3658 A.4. Handshake Protocol
3660 enum {
3661 hello_request(0), client_hello(1), server_hello(2),
3662 certificate(11), server_key_exchange (12),
3663 certificate_request(13), server_hello_done(14),
3664 certificate_verify(15), client_key_exchange(16),
3665 finished(20)
3666 (255)
3667 } HandshakeType;
3669 struct {
3670 HandshakeType msg_type;
3671 uint24 length;
3672 select (HandshakeType) {
3673 case hello_request: HelloRequest;
3674 case client_hello: ClientHello;
3675 case server_hello: ServerHello;
3676 case certificate: Certificate;
3677 case server_key_exchange: ServerKeyExchange;
3678 case certificate_request: CertificateRequest;
3679 case server_hello_done: ServerHelloDone;
3680 case certificate_verify: CertificateVerify;
3681 case client_key_exchange: ClientKeyExchange;
3682 case finished: Finished;
3683 } body;
3684 } Handshake;
3686 A.4.1. Hello Messages
3688 struct { } HelloRequest;
3690 struct {
3691 uint32 gmt_unix_time;
3692 opaque random_bytes[28];
3693 } Random;
3698 Dierks & Rescorla Standards Track [Page 66]
3699 \f
3700 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3703 opaque SessionID<0..32>;
3705 uint8 CipherSuite[2];
3707 enum { null(0), (255) } CompressionMethod;
3709 struct {
3710 ProtocolVersion client_version;
3711 Random random;
3712 SessionID session_id;
3713 CipherSuite cipher_suites<2..2^16-2>;
3714 CompressionMethod compression_methods<1..2^8-1>;
3715 select (extensions_present) {
3716 case false:
3717 struct {};
3718 case true:
3719 Extension extensions<0..2^16-1>;
3720 };
3721 } ClientHello;
3723 struct {
3724 ProtocolVersion server_version;
3725 Random random;
3726 SessionID session_id;
3727 CipherSuite cipher_suite;
3728 CompressionMethod compression_method;
3729 select (extensions_present) {
3730 case false:
3731 struct {};
3732 case true:
3733 Extension extensions<0..2^16-1>;
3734 };
3735 } ServerHello;
3737 struct {
3738 ExtensionType extension_type;
3739 opaque extension_data<0..2^16-1>;
3740 } Extension;
3742 enum {
3743 signature_algorithms(TBD-BY-IANA), (65535)
3744 } ExtensionType;
3746 enum{
3747 none(0), md5(1), sha1(2), sha256(3), sha384(4),
3748 sha512(5), (255)
3749 } HashAlgorithm;
3754 Dierks & Rescorla Standards Track [Page 67]
3755 \f
3756 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3759 enum { anonymous(0), rsa(1), dsa(2), (255) } SignatureAlgorithm;
3761 struct {
3762 HashAlgorithm hash;
3763 SignatureAlgorithm signature;
3764 } SignatureAndHashAlgorithm;
3766 SignatureAndHashAlgorithm
3767 supported_signature_algorithms<2..2^16-1>;
3769 A.4.2. Server Authentication and Key Exchange Messages
3771 opaque ASN.1Cert<2^24-1>;
3773 struct {
3774 ASN.1Cert certificate_list<0..2^24-1>;
3775 } Certificate;
3777 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
3779 struct {
3780 opaque dh_p<1..2^16-1>;
3781 opaque dh_g<1..2^16-1>;
3782 opaque dh_Ys<1..2^16-1>;
3783 } ServerDHParams;
3785 struct {
3786 select (KeyExchangeAlgorithm) {
3787 case diffie_hellman:
3788 ServerDHParams params;
3789 Signature signed_params;
3790 }
3791 } ServerKeyExchange;
3793 struct {
3794 select (KeyExchangeAlgorithm) {
3795 case diffie_hellman:
3796 ServerDHParams params;
3797 };
3798 } ServerParams;
3800 struct {
3801 select (SignatureAlgorithm) {
3802 case anonymous: struct { };
3803 case rsa:
3804 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
3805 digitally-signed struct {
3806 opaque hash[Hash.length];
3810 Dierks & Rescorla Standards Track [Page 68]
3811 \f
3812 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3815 };
3816 case dsa:
3817 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
3818 digitally-signed struct {
3819 opaque hash[Hash.length];
3820 };
3821 };
3822 };
3823 } Signature;
3825 enum {
3826 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3827 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
3828 fortezza_dms_RESERVED(20),
3829 (255)
3830 } ClientCertificateType;
3832 opaque DistinguishedName<1..2^16-1>;
3834 struct {
3835 ClientCertificateType certificate_types<1..2^8-1>;
3836 DistinguishedName certificate_authorities<0..2^16-1>;
3837 } CertificateRequest;
3839 struct { } ServerHelloDone;
3841 A.4.3. Client Authentication and Key Exchange Messages
3843 struct {
3844 select (KeyExchangeAlgorithm) {
3845 case rsa: EncryptedPreMasterSecret;
3846 case diffie_hellman: ClientDiffieHellmanPublic;
3847 } exchange_keys;
3848 } ClientKeyExchange;
3850 struct {
3851 ProtocolVersion client_version;
3852 opaque random[46];
3853 } PreMasterSecret;
3855 struct {
3856 public-key-encrypted PreMasterSecret pre_master_secret;
3857 } EncryptedPreMasterSecret;
3859 enum { implicit, explicit } PublicValueEncoding;
3861 struct {
3862 select (PublicValueEncoding) {
3866 Dierks & Rescorla Standards Track [Page 69]
3867 \f
3868 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3871 case implicit: struct {};
3872 case explicit: opaque DH_Yc<1..2^16-1>;
3873 } dh_public;
3874 } ClientDiffieHellmanPublic;
3876 struct {
3877 Signature signature;
3878 } CertificateVerify;
3880 A.4.4. Handshake Finalization Message
3882 struct {
3883 opaque verify_data[verify_data_length];
3884 } Finished;
3886 A.5. The Cipher Suite
3888 The following values define the cipher suite codes used in the client
3889 hello and server hello messages.
3891 A cipher suite defines a cipher specification supported in TLS
3892 Version 1.2.
3894 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
3895 TLS connection during the first handshake on that channel, but MUST
3896 not be negotiated, as it provides no more protection than an
3897 unsecured connection.
3899 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
3901 The following CipherSuite definitions require that the server provide
3902 an RSA certificate that can be used for key exchange. The server may
3903 request any signature-capable certificate in the certificate request
3904 message.
3906 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
3907 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
3908 CipherSuite TLS_RSA_WITH_NULL_SHA256 = { 0x00,TBD1 };
3909 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
3910 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
3911 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
3912 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x2F };
3913 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x35 };
3914 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,TBD2 };
3915 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,TBD3 };
3918 The following cipher suite definitions are used for server-
3922 Dierks & Rescorla Standards Track [Page 70]
3923 \f
3924 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3927 authenticated (and optionally client-authenticated) Diffie-Hellman.
3928 DH denotes cipher suites in which the server's certificate contains
3929 the Diffie-Hellman parameters signed by the certificate authority
3930 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman
3931 parameters are signed by a a signature-capable certificate, which has
3932 been signed by the CA. The signing algorithm used by the server is
3933 specified after the DHE parameter. The server can request any
3934 signature-capable certificate from the client for client
3935 authentication or it may request a Diffie-Hellman certificate. Any
3936 Diffie-Hellman certificate provided by the client must use the
3937 parameters (group and generator) described by the server.
3940 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
3941 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
3942 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
3943 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
3944 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00,0x30 };
3945 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x31 };
3946 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00,0x32 };
3947 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x33 };
3948 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00,0x36 };
3949 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x37 };
3950 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00,0x38 };
3951 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x39 };
3952 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = { 0x00, TBD4 };
3953 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = { 0x00, TBD5 };
3954 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = { 0x00, TBD6 };
3955 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = { 0x00, TBD7 };
3956 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = { 0x00, TBD8 };
3957 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = { 0x00, TBD9 };
3958 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = { 0x00, TBD10 };
3959 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = { 0x00, TBD11 };
3961 The following cipher suites are used for completely anonymous Diffie-
3962 Hellman communications in which neither party is authenticated. Note
3963 that this mode is vulnerable to man-in-the-middle attacks. Using
3964 this mode therefore is of limited use: These cipher suites MUST NOT
3965 be used by TLS 1.2 implementations unless the application layer has
3966 specifically requested to allow anonymous key exchange. (Anonymous
3967 key exchange may sometimes be acceptable, for example, to support
3968 opportunistic encryption when no set-up for authentication is in
3969 place, or when TLS is used as part of more complex security protocols
3970 that have other means to ensure authentication.)
3972 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
3973 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
3974 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00,0x34 };
3978 Dierks & Rescorla Standards Track [Page 71]
3979 \f
3980 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
3983 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00,0x3A };
3984 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA256 = { 0x00, TBD12 };
3985 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA256 = { 0x00, TBD13 };
3987 Note that using non-anonymous key exchange without actually verifying
3988 the key exchange is essentially equivalent to anonymous key exchange,
3989 and the same precautions apply. While non-anonymous key exchange
3990 will generally involve a higher computational and communicational
3991 cost than anonymous key exchange, it may be in the interest of
3992 interoperability not to disable non-anonymous key exchange when the
3993 application layer is allowing anonymous key exchange.
3995 SSLv3, TLS 1.0, and TLS 1.1 supported DES and IDEA. DES had a 56-bit
3996 key which is too weak for modern use. Triple-DES (3DES) has an
3997 effective key strength of 112 bits and is still acceptable. IDEA and
3998 is no longer in wide use. Cipher suites using RC2, DES, and IDEA are
3999 hereby deprecated for TLS 1.2. TLS 1.2 implementations MUST NOT
4000 negotiate these cipher suites in TLS 1.2 mode. However, for backward
4001 compatibility they may be offered in the ClientHello for use with TLS
4002 1.0 or SSLv3 only servers. TLS 1.2 clients MUST check that the server
4003 did not choose one of these cipher suites during the handshake. These
4004 cipher suites are listed below for informational purposes and to
4005 reserve the numbers.
4007 CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
4008 CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
4009 CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
4010 CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
4011 CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
4012 CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
4013 CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
4016 When SSLv3 and TLS 1.0 were designed, the United States restricted
4017 the export of cryptographic software containing certain strong
4018 encryption algorithms. A series of cipher suites were designed to
4019 operate at reduced key lengths in order to comply with those
4020 regulations. Due to advances in computer performance, these
4021 algorithms are now unacceptably weak and export restrictions have
4022 since been loosened. TLS 1.2 implementations MUST NOT negotiate these
4023 cipher suites in TLS 1.2 mode. However, for backward compatibility
4024 they may be offered in the ClientHello for use with TLS 1.0 or SSLv3
4025 only servers. TLS 1.2 clients MUST check that the server did not
4026 choose one of these cipher suites during the handshake. These
4027 ciphersuites are listed below for informational purposes and to
4028 reserve the numbers.
4030 CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
4034 Dierks & Rescorla Standards Track [Page 72]
4035 \f
4036 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4039 CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
4040 CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
4041 CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
4042 CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
4043 CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
4044 CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
4045 CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
4046 CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
4048 New cipher suite values are assigned by IANA as described in Section
4049 12.
4051 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
4052 reserved to avoid collision with Fortezza-based cipher suites in SSL
4053 3.
4055 A.6. The Security Parameters
4057 These security parameters are determined by the TLS Handshake
4058 Protocol and provided as parameters to the TLS Record Layer in order
4059 to initialize a connection state. SecurityParameters includes:
4061 enum { null(0), (255) } CompressionMethod;
4063 enum { server, client } ConnectionEnd;
4065 enum { tls_prf_sha256 } PRFAlgorithm;
4067 enum { null, rc4, 3des, aes }
4068 BulkCipherAlgorithm;
4070 enum { stream, block, aead } CipherType;
4072 enum { null, hmac_md5, hmac_sha, hmac_sha256, hmac_sha384,
4073 hmac_sha512} MACAlgorithm;
4075 /* The algorithms specified in CompressionMethod,
4076 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
4078 struct {
4079 ConnectionEnd entity;
4080 PRFAlgorithm prf_algorithm;
4081 BulkCipherAlgorithm bulk_cipher_algorithm;
4082 CipherType cipher_type;
4083 uint8 enc_key_length;
4084 uint8 block_length;
4085 uint8 fixed_iv_length;
4086 uint8 record_iv_length;
4090 Dierks & Rescorla Standards Track [Page 73]
4091 \f
4092 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4095 MACAlgorithm mac_algorithm;
4096 uint8 mac_length;
4097 uint8 mac_key_length;
4098 CompressionMethod compression_algorithm;
4099 opaque master_secret[48];
4100 opaque client_random[32];
4101 opaque server_random[32];
4102 } SecurityParameters;
4146 Dierks & Rescorla Standards Track [Page 74]
4147 \f
4148 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4151 Appendix B. Glossary
4153 Advanced Encryption Standard (AES)
4154 AES is a widely used symmetric encryption algorithm. AES is a
4155 block cipher with a 128, 192, or 256 bit keys and a 16 byte block
4156 size. [AES] TLS currently only supports the 128 and 256 bit key
4157 sizes.
4159 application protocol
4160 An application protocol is a protocol that normally layers
4161 directly on top of the transport layer (e.g., TCP/IP). Examples
4162 include HTTP, TELNET, FTP, and SMTP.
4164 asymmetric cipher
4165 See public key cryptography.
4167 authenticated encryption with additional data (AEAD)
4168 A symmetric encryption algorithm that simultaneously provides
4169 confidentiality and message integrity.
4171 authentication
4172 Authentication is the ability of one entity to determine the
4173 identity of another entity.
4175 block cipher
4176 A block cipher is an algorithm that operates on plaintext in
4177 groups of bits, called blocks. 64 bits is a common block size.
4179 bulk cipher
4180 A symmetric encryption algorithm used to encrypt large quantities
4181 of data.
4183 cipher block chaining (CBC)
4184 CBC is a mode in which every plaintext block encrypted with a
4185 block cipher is first exclusive-ORed with the previous ciphertext
4186 block (or, in the case of the first block, with the initialization
4187 vector). For decryption, every block is first decrypted, then
4188 exclusive-ORed with the previous ciphertext block (or IV).
4190 certificate
4191 As part of the X.509 protocol (a.k.a. ISO Authentication
4192 framework), certificates are assigned by a trusted Certificate
4193 Authority and provide a strong binding between a party's identity
4194 or some other attributes and its public key.
4196 client
4197 The application entity that initiates a TLS connection to a
4198 server. This may or may not imply that the client initiated the
4202 Dierks & Rescorla Standards Track [Page 75]
4203 \f
4204 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4207 underlying transport connection. The primary operational
4208 difference between the server and client is that the server is
4209 generally authenticated, while the client is only optionally
4210 authenticated.
4212 client write key
4213 The key used to encrypt data written by the client.
4215 client write MAC key
4216 The secret data used to authenticate data written by the client.
4218 connection
4219 A connection is a transport (in the OSI layering model definition)
4220 that provides a suitable type of service. For TLS, such
4221 connections are peer-to-peer relationships. The connections are
4222 transient. Every connection is associated with one session.
4224 Data Encryption Standard
4225 DES is a very widely used symmetric encryption algorithm. DES is a
4226 block cipher with a 56 bit key and an 8 byte block size. Note that
4227 in TLS, for key generation purposes, DES is treated as having an 8
4228 byte key length (64 bits), but it still only provides 56 bits of
4229 protection. (The low bit of each key byte is presumed to be set to
4230 produce odd parity in that key byte.) DES can also be operated in
4231 a mode where three independent keys and three encryptions are used
4232 for each block of data; this uses 168 bits of key (24 bytes in the
4233 TLS key generation method) and provides the equivalent of 112 bits
4234 of security. [DES], [3DES]
4236 Digital Signature Standard (DSS)
4237 A standard for digital signing, including the Digital Signing
4238 Algorithm, approved by the National Institute of Standards and
4239 Technology, defined in NIST FIPS PUB 186, "Digital Signature
4240 Standard", published May, 1994 by the U.S. Dept. of Commerce.
4241 [DSS]
4243 digital signatures
4244 Digital signatures utilize public key cryptography and one-way
4245 hash functions to produce a signature of the data that can be
4246 authenticated, and is difficult to forge or repudiate.
4248 handshake
4249 An initial negotiation between client and server that establishes
4250 the parameters of their transactions.
4252 Initialization Vector (IV)
4253 When a block cipher is used in CBC mode, the initialization vector
4254 is exclusive-ORed with the first plaintext block prior to
4258 Dierks & Rescorla Standards Track [Page 76]
4259 \f
4260 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4263 encryption.
4265 IDEA
4266 A 64-bit block cipher designed by Xuejia Lai and James Massey.
4267 [IDEA]
4269 Message Authentication Code (MAC)
4270 A Message Authentication Code is a one-way hash computed from a
4271 message and some secret data. It is difficult to forge without
4272 knowing the secret data. Its purpose is to detect if the message
4273 has been altered.
4275 master secret
4276 Secure secret data used for generating encryption keys, MAC
4277 secrets, and IVs.
4279 MD5
4280 MD5 is a secure hashing function that converts an arbitrarily long
4281 data stream into a hash of fixed size (16 bytes). [MD5]
4283 public key cryptography
4284 A class of cryptographic techniques employing two-key ciphers.
4285 Messages encrypted with the public key can only be decrypted with
4286 the associated private key. Conversely, messages signed with the
4287 private key can be verified with the public key.
4289 one-way hash function
4290 A one-way transformation that converts an arbitrary amount of data
4291 into a fixed-length hash. It is computationally hard to reverse
4292 the transformation or to find collisions. MD5 and SHA are examples
4293 of one-way hash functions.
4295 RC2
4296 A block cipher developed by Ron Rivest, described in [RC2].
4298 RC4
4299 A stream cipher invented by Ron Rivest. A compatible cipher is
4300 described in [SCH].
4302 RSA
4303 A very widely used public-key algorithm that can be used for
4304 either encryption or digital signing. [RSA]
4306 server
4307 The server is the application entity that responds to requests for
4308 connections from clients. See also under client.
4314 Dierks & Rescorla Standards Track [Page 77]
4315 \f
4316 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4319 session
4320 A TLS session is an association between a client and a server.
4321 Sessions are created by the handshake protocol. Sessions define a
4322 set of cryptographic security parameters that can be shared among
4323 multiple connections. Sessions are used to avoid the expensive
4324 negotiation of new security parameters for each connection.
4326 session identifier
4327 A session identifier is a value generated by a server that
4328 identifies a particular session.
4330 server write key
4331 The key used to encrypt data written by the server.
4333 server write MAC key
4334 The secret data used to authenticate data written by the server.
4336 SHA
4337 The Secure Hash Algorithm is defined in FIPS PUB 180-2. It
4338 produces a 20-byte output. Note that all references to SHA
4339 actually use the modified SHA-1 algorithm. [SHA]
4341 SHA-256
4342 The 256-bit Secure Hash Algorithm is defined in FIPS PUB 180-2. It
4343 produces a 32-byte output.
4345 SSL
4346 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
4347 SSL Version 3.0
4349 stream cipher
4350 An encryption algorithm that converts a key into a
4351 cryptographically strong keystream, which is then exclusive-ORed
4352 with the plaintext.
4354 symmetric cipher
4355 See bulk cipher.
4357 Transport Layer Security (TLS)
4358 This protocol; also, the Transport Layer Security working group of
4359 the Internet Engineering Task Force (IETF). See "Comments" at the
4360 end of this document.
4370 Dierks & Rescorla Standards Track [Page 78]
4371 \f
4372 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4375 Appendix C. Cipher Suite Definitions
4377 Cipher Suite Key Cipher Mac
4378 Exchange
4380 TLS_NULL_WITH_NULL_NULL NULL NULL NULL
4381 TLS_RSA_WITH_NULL_MD5 RSA NULL MD5
4382 TLS_RSA_WITH_NULL_SHA RSA NULL SHA
4383 TLS_RSA_WITH_NULL_SHA256 RSA NULL SHA256
4384 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
4385 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
4386 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
4387 TLS_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA
4388 TLS_RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA
4389 TLS_RSA_WITH_AES_128_CBC_SHA256 RSA AES_128_CBC SHA256
4390 TLS_RSA_WITH_AES_256_CBC_SHA256 RSA AES_256_CBC SHA256
4391 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
4392 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
4393 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
4394 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
4395 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
4396 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
4397 TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA
4398 TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA
4399 TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA
4400 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA
4401 TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA
4402 TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA
4403 TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA
4404 TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA
4405 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA
4406 TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA
4407 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH_DSS AES_128_CBC SHA256
4408 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH_RSA AES_128_CBC SHA256
4409 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE_DSS AES_128_CBC SHA256
4410 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE_RSA AES_128_CBC SHA256
4411 TLS_DH_anon_WITH_AES_128_CBC_SHA256 DH_anon AES_128_CBC SHA256
4412 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH_DSS AES_256_CBC SHA256
4413 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH_RSA AES_256_CBC SHA256
4414 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE_DSS AES_256_CBC SHA256
4415 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE_RSA AES_256_CBC SHA256
4416 TLS_DH_anon_WITH_AES_256_CBC_SHA256 DH_anon AES_256_CBC SHA256
4419 Key Expanded IV Block
4420 Cipher Type Material Key Material Size Size
4422 NULL Stream 0 0 0 N/A
4426 Dierks & Rescorla Standards Track [Page 79]
4427 \f
4428 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4431 RC4_128 Stream 16 16 0 N/A
4432 3DES_EDE_CBC Block 24 24 8 8
4433 AES_128_CBC Block 16 16 16 16
4434 AES_256_CBC Block 32 32 16 16
4437 MAC Algorithm mac_length mac_key_length
4439 NULL N/A 0 0
4440 MD5 HMAC-MD5 16 16
4441 SHA HMAC-SHA1 20 20
4442 SHA256 HMAC-SHA256 32 32
4444 Type
4445 Indicates whether this is a stream cipher or a block cipher
4446 running in CBC mode.
4448 Key Material
4449 The number of bytes from the key_block that are used for
4450 generating the write keys.
4452 Expanded Key Material
4453 The number of bytes actually fed into the encryption algorithm.
4455 IV Size
4456 The amount of data needed to be generated for the initialization
4457 vector. Zero for stream ciphers; equal to the block size for block
4458 ciphers (this is equal to SecurityParameters.record_iv_length).
4460 Block Size
4461 The amount of data a block cipher enciphers in one chunk; a block
4462 cipher running in CBC mode can only encrypt an even multiple of
4463 its block size.
4482 Dierks & Rescorla Standards Track [Page 80]
4483 \f
4484 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4487 Appendix D. Implementation Notes
4489 The TLS protocol cannot prevent many common security mistakes. This
4490 section provides several recommendations to assist implementors.
4492 D.1 Random Number Generation and Seeding
4494 TLS requires a cryptographically secure pseudorandom number generator
4495 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
4496 based on secure hash operations, most notably SHA-1, are acceptable,
4497 but cannot provide more security than the size of the random number
4498 generator state.
4500 To estimate the amount of seed material being produced, add the
4501 number of bits of unpredictable information in each seed byte. For
4502 example, keystroke timing values taken from a PC compatible's 18.2 Hz
4503 timer provide 1 or 2 secure bits each, even though the total size of
4504 the counter value is 16 bits or more. Seeding a 128-bit PRNG would
4505 thus require approximately 100 such timer values.
4507 [RANDOM] provides guidance on the generation of random values.
4509 D.2 Certificates and Authentication
4511 Implementations are responsible for verifying the integrity of
4512 certificates and should generally support certificate revocation
4513 messages. Certificates should always be verified to ensure proper
4514 signing by a trusted Certificate Authority (CA). The selection and
4515 addition of trusted CAs should be done very carefully. Users should
4516 be able to view information about the certificate and root CA.
4518 D.3 Cipher Suites
4520 TLS supports a range of key sizes and security levels, including some
4521 that provide no or minimal security. A proper implementation will
4522 probably not support many cipher suites. For instance, anonymous
4523 Diffie-Hellman is strongly discouraged because it cannot prevent man-
4524 in-the-middle attacks. Applications should also enforce minimum and
4525 maximum key sizes. For example, certificate chains containing 512-bit
4526 RSA keys or signatures are not appropriate for high-security
4527 applications.
4529 D.4 Implementation Pitfalls
4531 Implementation experience has shown that certain parts of earlier TLS
4532 specifications are not easy to understand, and have been a source of
4533 interoperability and security problems. Many of these areas have been
4534 clarified in this document, but this appendix contains a short list
4538 Dierks & Rescorla Standards Track [Page 81]
4539 \f
4540 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4543 of the most important things that require special attention from
4544 implementors.
4546 TLS protocol issues:
4548 - Do you correctly handle handshake messages that are fragmented
4549 to multiple TLS records (see Section 6.2.1)? Including corner
4550 cases like a ClientHello that is split to several small
4551 fragments? Do you fragment handshake messages that exceed the
4552 maximum fragment size? In particular, the certificate and
4553 certificate request handshake messages can be large enough to
4554 require fragmentation.
4556 - Do you ignore the TLS record layer version number in all TLS
4557 records before ServerHello (see Appendix E.1)?
4559 - Do you handle TLS extensions in ClientHello correctly,
4560 including omitting the extensions field completely?
4562 - Do you support renegotiation, both client and server initiated?
4563 While renegotiation is an optional feature, supporting
4564 it is highly recommended.
4566 - When the server has requested a client certificate, but no
4567 suitable certificate is available, do you correctly send
4568 an empty Certificate message, instead of omitting the whole
4569 message (see Section 7.4.6)?
4571 Cryptographic details:
4573 - In RSA-encrypted Premaster Secret, do you correctly send and
4574 verify the version number? When an error is encountered, do
4575 you continue the handshake to avoid the Bleichenbacher
4576 attack (see Section 7.4.7.1)?
4578 - What countermeasures do you use to prevent timing attacks against
4579 RSA decryption and signing operations (see Section 7.4.7.1)?
4581 - When verifying RSA signatures, do you accept both NULL and
4582 missing parameters (see Section 4.7)? Do you verify that the
4583 RSA padding doesn't have additional data after the hash value?
4584 [FI06]
4586 - When using Diffie-Hellman key exchange, do you correctly strip
4587 leading zero bytes from the negotiated key (see Section 8.1.2)?
4589 - Does your TLS client check that the Diffie-Hellman parameters
4590 sent by the server are acceptable (see Section F.1.1.3)?
4594 Dierks & Rescorla Standards Track [Page 82]
4595 \f
4596 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4599 - How do you generate unpredictable IVs for CBC mode ciphers
4600 (see Section 6.2.3.2)?
4602 - Do you accept long CBC mode padding (up to 255 bytes; see
4603 Section 6.2.3.2)?
4605 - How do you address CBC mode timing attacks (Section 6.2.3.2)?
4607 - Do you use a strong and, most importantly, properly seeded
4608 random number generator (see Appendix D.1) for generating the
4609 premaster secret (for RSA key exchange), Diffie-Hellman private
4610 values, the DSA "k" parameter, and other security-critical
4611 values?
4650 Dierks & Rescorla Standards Track [Page 83]
4651 \f
4652 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4655 Appendix E. Backward Compatibility
4657 E.1 Compatibility with TLS 1.0/1.1 and SSL 3.0
4659 Since there are various versions of TLS (1.0, 1.1, 1.2, and any
4660 future versions) and SSL (2.0 and 3.0), means are needed to negotiate
4661 the specific protocol version to use. The TLS protocol provides a
4662 built-in mechanism for version negotiation so as not to bother other
4663 protocol components with the complexities of version selection.
4665 TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
4666 compatible ClientHello messages; thus, supporting all of them is
4667 relatively easy. Similarly, servers can easily handle clients trying
4668 to use future versions of TLS as long as the ClientHello format
4669 remains compatible, and the client support the highest protocol
4670 version available in the server.
4672 A TLS 1.2 client who wishes to negotiate with such older servers will
4673 send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
4674 ClientHello.client_version. If the server does not support this
4675 version, it will respond with ServerHello containing an older version
4676 number. If the client agrees to use this version, the negotiation
4677 will proceed as appropriate for the negotiated protocol.
4679 If the version chosen by the server is not supported by the client
4680 (or not acceptable), the client MUST send a "protocol_version" alert
4681 message and close the connection.
4683 If a TLS server receives a ClientHello containing a version number
4684 greater than the highest version supported by the server, it MUST
4685 reply according to the highest version supported by the server.
4687 A TLS server can also receive a ClientHello containing version number
4688 smaller than the highest supported version. If the server wishes to
4689 negotiate with old clients, it will proceed as appropriate for the
4690 highest version supported by the server that is not greater than
4691 ClientHello.client_version. For example, if the server supports TLS
4692 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will
4693 proceed with a TLS 1.0 ServerHello. If server supports (or is willing
4694 to use) only versions greater than client_version, it MUST send a
4695 "protocol_version" alert message and close the connection.
4697 Whenever a client already knows the highest protocol known to a
4698 server (for example, when resuming a session), it SHOULD initiate the
4699 connection in that native protocol.
4701 Note: some server implementations are known to implement version
4702 negotiation incorrectly. For example, there are buggy TLS 1.0 servers
4706 Dierks & Rescorla Standards Track [Page 84]
4707 \f
4708 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4711 that simply close the connection when the client offers a version
4712 newer than TLS 1.0. Also, it is known that some servers will refuse
4713 connection if any TLS extensions are included in ClientHello.
4714 Interoperability with such buggy servers is a complex topic beyond
4715 the scope of this document, and may require multiple connection
4716 attempts by the client.
4718 Earlier versions of the TLS specification were not fully clear on
4719 what the record layer version number (TLSPlaintext.version) should
4720 contain when sending ClientHello (i.e., before it is known which
4721 version of the protocol will be employed). Thus, TLS servers
4722 compliant with this specification MUST accept any value {03,XX} as
4723 the record layer version number for ClientHello.
4725 TLS clients that wish to negotiate with older servers MAY send any
4726 value {03,XX} as the record layer version number. Typical values
4727 would be {03,00}, the lowest version number supported by the client,
4728 and the value of ClientHello.client_version. No single value will
4729 guarantee interoperability with all old servers, but this is a
4730 complex topic beyond the scope of this document.
4732 E.2 Compatibility with SSL 2.0
4734 TLS 1.2 clients that wish to support SSL 2.0 servers MUST send
4735 version 2.0 CLIENT-HELLO messages defined in [SSL2]. The message MUST
4736 contain the same version number as would be used for ordinary
4737 ClientHello, and MUST encode the supported TLS cipher suites in the
4738 CIPHER-SPECS-DATA field as described below.
4740 Warning: The ability to send version 2.0 CLIENT-HELLO messages will
4741 be phased out with all due haste, since the newer ClientHello format
4742 provides better mechanisms for moving to newer versions and
4743 negotiating extensions. TLS 1.2 clients SHOULD NOT support SSL 2.0.
4745 However, even TLS servers that do not support SSL 2.0 MAY accept
4746 version 2.0 CLIENT-HELLO messages. The message is presented below in
4747 sufficient detail for TLS server implementors; the true definition is
4748 still assumed to be [SSL2].
4750 For negotiation purposes, 2.0 CLIENT-HELLO is interpreted the same
4751 way as a ClientHello with a "null" compression method and no
4752 extensions. Note that this message MUST be sent directly on the wire,
4753 not wrapped as a TLS record. For the purposes of calculating Finished
4754 and CertificateVerify, the msg_length field is not considered to be a
4755 part of the handshake message.
4757 uint8 V2CipherSpec[3];
4762 Dierks & Rescorla Standards Track [Page 85]
4763 \f
4764 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4767 struct {
4768 uint16 msg_length;
4769 uint8 msg_type;
4770 Version version;
4771 uint16 cipher_spec_length;
4772 uint16 session_id_length;
4773 uint16 challenge_length;
4774 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
4775 opaque session_id[V2ClientHello.session_id_length];
4776 opaque challenge[V2ClientHello.challenge_length;
4777 } V2ClientHello;
4779 msg_length
4780 The highest bit MUST be 1; the remaining bits contain the length
4781 of the following data in bytes.
4783 msg_type
4784 This field, in conjunction with the version field, identifies a
4785 version 2 client hello message. The value MUST be one (1).
4787 version
4788 Equal to ClientHello.client_version.
4790 cipher_spec_length
4791 This field is the total length of the field cipher_specs. It
4792 cannot be zero and MUST be a multiple of the V2CipherSpec length
4793 (3).
4795 session_id_length
4796 This field MUST have a value of zero for a client that claims to
4797 support TLS 1.2.
4799 challenge_length
4800 The length in bytes of the client's challenge to the server to
4801 authenticate itself. Historically, permissible values are between
4802 16 and 32 bytes inclusive. When using the SSLv2 backward
4803 compatible handshake the client SHOULD use a 32 byte challenge.
4805 cipher_specs
4806 This is a list of all CipherSpecs the client is willing and able
4807 to use. In addition to the 2.0 cipher specs defined in [SSL2],
4808 this includes the TLS cipher suites normally sent in
4809 ClientHello.cipher_suites, each cipher suite prefixed by a zero
4810 byte. For example, TLS cipher suite {0x00,0x0A} would be sent as
4811 {0x00,0x00,0x0A}.
4813 session_id
4814 This field MUST be empty.
4818 Dierks & Rescorla Standards Track [Page 86]
4819 \f
4820 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4823 challenge
4824 Corresponds to ClientHello.random. If the challenge length is less
4825 than 32, the TLS server will pad the data with leading (note: not
4826 trailing) zero bytes to make it 32 bytes long.
4828 Note: Requests to resume a TLS session MUST use a TLS client hello.
4830 E.3. Avoiding Man-in-the-Middle Version Rollback
4832 When TLS clients fall back to Version 2.0 compatibility mode, they
4833 MUST use special PKCS#1 block formatting. This is done so that TLS
4834 servers will reject Version 2.0 sessions with TLS-capable clients.
4836 When a client negotiates SSL 2.0 but also supports TLS, it MUST set
4837 the right-hand (least-significant) 8 random bytes of the PKCS padding
4838 (not including the terminal null of the padding) for the RSA
4839 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
4840 to 0x03 (the other padding bytes are random).
4842 When a TLS-capable server negotiates SSL 2.0 it SHOULD, after
4843 decrypting the ENCRYPTED-KEY-DATA field, check that these eight
4844 padding bytes are 0x03. If they are not, the server SHOULD generate a
4845 random value for SECRET-KEY-DATA, and continue the handshake (which
4846 will eventually fail since the keys will not match). Note that
4847 reporting the error situation to the client could make the server
4848 vulnerable to attacks described in [BLEI].
4874 Dierks & Rescorla Standards Track [Page 87]
4875 \f
4876 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4879 Appendix F. Security Analysis
4881 The TLS protocol is designed to establish a secure connection between
4882 a client and a server communicating over an insecure channel. This
4883 document makes several traditional assumptions, including that
4884 attackers have substantial computational resources and cannot obtain
4885 secret information from sources outside the protocol. Attackers are
4886 assumed to have the ability to capture, modify, delete, replay, and
4887 otherwise tamper with messages sent over the communication channel.
4888 This appendix outlines how TLS has been designed to resist a variety
4889 of attacks.
4891 F.1. Handshake Protocol
4893 The handshake protocol is responsible for selecting a CipherSpec and
4894 generating a Master Secret, which together comprise the primary
4895 cryptographic parameters associated with a secure session. The
4896 handshake protocol can also optionally authenticate parties who have
4897 certificates signed by a trusted certificate authority.
4899 F.1.1. Authentication and Key Exchange
4901 TLS supports three authentication modes: authentication of both
4902 parties, server authentication with an unauthenticated client, and
4903 total anonymity. Whenever the server is authenticated, the channel is
4904 secure against man-in-the-middle attacks, but completely anonymous
4905 sessions are inherently vulnerable to such attacks. Anonymous
4906 servers cannot authenticate clients. If the server is authenticated,
4907 its certificate message must provide a valid certificate chain
4908 leading to an acceptable certificate authority. Similarly,
4909 authenticated clients must supply an acceptable certificate to the
4910 server. Each party is responsible for verifying that the other's
4911 certificate is valid and has not expired or been revoked.
4913 The general goal of the key exchange process is to create a
4914 pre_master_secret known to the communicating parties and not to
4915 attackers. The pre_master_secret will be used to generate the
4916 master_secret (see Section 8.1). The master_secret is required to
4917 generate the finished messages, encryption keys, and MAC keys (see
4918 Sections 7.4.9 and 6.3). By sending a correct finished message,
4919 parties thus prove that they know the correct pre_master_secret.
4921 F.1.1.1. Anonymous Key Exchange
4923 Completely anonymous sessions can be established using Diffie-Hellman
4924 for key exchange. The server's public parameters are contained in the
4925 server key exchange message and the client's are sent in the client
4926 key exchange message. Eavesdroppers who do not know the private
4930 Dierks & Rescorla Standards Track [Page 88]
4931 \f
4932 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4935 values should not be able to find the Diffie-Hellman result (i.e. the
4936 pre_master_secret).
4938 Warning: Completely anonymous connections only provide protection
4939 against passive eavesdropping. Unless an independent tamper-proof
4940 channel is used to verify that the finished messages were not
4941 replaced by an attacker, server authentication is required in
4942 environments where active man-in-the-middle attacks are a concern.
4944 F.1.1.2. RSA Key Exchange and Authentication
4946 With RSA, key exchange and server authentication are combined. The
4947 public key is contained in the server's certificate. Note that
4948 compromise of the server's static RSA key results in a loss of
4949 confidentiality for all sessions protected under that static key. TLS
4950 users desiring Perfect Forward Secrecy should use DHE cipher suites.
4951 The damage done by exposure of a private key can be limited by
4952 changing one's private key (and certificate) frequently.
4954 After verifying the server's certificate, the client encrypts a
4955 pre_master_secret with the server's public key. By successfully
4956 decoding the pre_master_secret and producing a correct finished
4957 message, the server demonstrates that it knows the private key
4958 corresponding to the server certificate.
4960 When RSA is used for key exchange, clients are authenticated using
4961 the certificate verify message (see Section 7.4.8). The client signs
4962 a value derived from all preceding handshake messages. These
4963 handshake messages include the server certificate, which binds the
4964 signature to the server, and ServerHello.random, which binds the
4965 signature to the current handshake process.
4967 F.1.1.3. Diffie-Hellman Key Exchange with Authentication
4969 When Diffie-Hellman key exchange is used, the server can either
4970 supply a certificate containing fixed Diffie-Hellman parameters or
4971 use the server key exchange message to send a set of temporary
4972 Diffie-Hellman parameters signed with a DSS or RSA certificate.
4973 Temporary parameters are hashed with the hello.random values before
4974 signing to ensure that attackers do not replay old parameters. In
4975 either case, the client can verify the certificate or signature to
4976 ensure that the parameters belong to the server.
4978 If the client has a certificate containing fixed Diffie-Hellman
4979 parameters, its certificate contains the information required to
4980 complete the key exchange. Note that in this case the client and
4981 server will generate the same Diffie-Hellman result (i.e.,
4982 pre_master_secret) every time they communicate. To prevent the
4986 Dierks & Rescorla Standards Track [Page 89]
4987 \f
4988 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
4991 pre_master_secret from staying in memory any longer than necessary,
4992 it should be converted into the master_secret as soon as possible.
4993 Client Diffie-Hellman parameters must be compatible with those
4994 supplied by the server for the key exchange to work.
4996 If the client has a standard DSS or RSA certificate or is
4997 unauthenticated, it sends a set of temporary parameters to the server
4998 in the client key exchange message, then optionally uses a
4999 certificate verify message to authenticate itself.
5001 If the same DH keypair is to be used for multiple handshakes, either
5002 because the client or server has a certificate containing a fixed DH
5003 keypair or because the server is reusing DH keys, care must be taken
5004 to prevent small subgroup attacks. Implementations SHOULD follow the
5005 guidelines found in [SUBGROUP].
5007 Small subgroup attacks are most easily avoided by using one of the
5008 DHE cipher suites and generating a fresh DH private key (X) for each
5009 handshake. If a suitable base (such as 2) is chosen, g^X mod p can be
5010 computed very quickly, therefore the performance cost is minimized.
5011 Additionally, using a fresh key for each handshake provides Perfect
5012 Forward Secrecy. Implementations SHOULD generate a new X for each
5013 handshake when using DHE cipher suites.
5015 Because TLS allows the server to provide arbitrary DH groups, the
5016 client should verify that the DH group is of suitable size as defined
5017 by local policy. The client SHOULD also verify that the DH public
5018 exponent appears to be of adequate size. [KEYSIZ] provides a useful
5019 guide to the strength of various group sizes. The server MAY choose
5020 to assist the client by providing a known group, such as those
5021 defined in [IKEALG] or [MODP]. These can be verified by simple
5022 comparison.
5024 F.1.2. Version Rollback Attacks
5026 Because TLS includes substantial improvements over SSL Version 2.0,
5027 attackers may try to make TLS-capable clients and servers fall back
5028 to Version 2.0. This attack can occur if (and only if) two TLS-
5029 capable parties use an SSL 2.0 handshake.
5031 Although the solution using non-random PKCS #1 block type 2 message
5032 padding is inelegant, it provides a reasonably secure way for Version
5033 3.0 servers to detect the attack. This solution is not secure against
5034 attackers who can brute force the key and substitute a new ENCRYPTED-
5035 KEY-DATA message containing the same key (but with normal padding)
5036 before the application specified wait threshold has expired. Altering
5037 the padding of the least significant 8 bytes of the PKCS padding does
5038 not impact security for the size of the signed hashes and RSA key
5042 Dierks & Rescorla Standards Track [Page 90]
5043 \f
5044 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5047 lengths used in the protocol, since this is essentially equivalent to
5048 increasing the input block size by 8 bytes.
5050 F.1.3. Detecting Attacks Against the Handshake Protocol
5052 An attacker might try to influence the handshake exchange to make the
5053 parties select different encryption algorithms than they would
5054 normally chooses.
5056 For this attack, an attacker must actively change one or more
5057 handshake messages. If this occurs, the client and server will
5058 compute different values for the handshake message hashes. As a
5059 result, the parties will not accept each others' finished messages.
5060 Without the master_secret, the attacker cannot repair the finished
5061 messages, so the attack will be discovered.
5063 F.1.4. Resuming Sessions
5065 When a connection is established by resuming a session, new
5066 ClientHello.random and ServerHello.random values are hashed with the
5067 session's master_secret. Provided that the master_secret has not been
5068 compromised and that the secure hash operations used to produce the
5069 encryption keys and MAC keys are secure, the connection should be
5070 secure and effectively independent from previous connections.
5071 Attackers cannot use known encryption keys or MAC secrets to
5072 compromise the master_secret without breaking the secure hash
5073 operations.
5075 Sessions cannot be resumed unless both the client and server agree.
5076 If either party suspects that the session may have been compromised,
5077 or that certificates may have expired or been revoked, it should
5078 force a full handshake. An upper limit of 24 hours is suggested for
5079 session ID lifetimes, since an attacker who obtains a master_secret
5080 may be able to impersonate the compromised party until the
5081 corresponding session ID is retired. Applications that may be run in
5082 relatively insecure environments should not write session IDs to
5083 stable storage.
5085 F.2. Protecting Application Data
5087 The master_secret is hashed with the ClientHello.random and
5088 ServerHello.random to produce unique data encryption keys and MAC
5089 secrets for each connection.
5091 Outgoing data is protected with a MAC before transmission. To prevent
5092 message replay or modification attacks, the MAC is computed from the
5093 MAC key, the sequence number, the message length, the message
5094 contents, and two fixed character strings. The message type field is
5098 Dierks & Rescorla Standards Track [Page 91]
5099 \f
5100 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5103 necessary to ensure that messages intended for one TLS Record Layer
5104 client are not redirected to another. The sequence number ensures
5105 that attempts to delete or reorder messages will be detected. Since
5106 sequence numbers are 64 bits long, they should never overflow.
5107 Messages from one party cannot be inserted into the other's output,
5108 since they use independent MAC keys. Similarly, the server-write and
5109 client-write keys are independent, so stream cipher keys are used
5110 only once.
5112 If an attacker does break an encryption key, all messages encrypted
5113 with it can be read. Similarly, compromise of a MAC key can make
5114 message modification attacks possible. Because MACs are also
5115 encrypted, message-alteration attacks generally require breaking the
5116 encryption algorithm as well as the MAC.
5118 Note: MAC keys may be larger than encryption keys, so messages can
5119 remain tamper resistant even if encryption keys are broken.
5121 F.3. Explicit IVs
5123 [CBCATT] describes a chosen plaintext attack on TLS that depends on
5124 knowing the IV for a record. Previous versions of TLS [TLS1.0] used
5125 the CBC residue of the previous record as the IV and therefore
5126 enabled this attack. This version uses an explicit IV in order to
5127 protect against this attack.
5129 F.4. Security of Composite Cipher Modes
5131 TLS secures transmitted application data via the use of symmetric
5132 encryption and authentication functions defined in the negotiated
5133 cipher suite. The objective is to protect both the integrity and
5134 confidentiality of the transmitted data from malicious actions by
5135 active attackers in the network. It turns out that the order in
5136 which encryption and authentication functions are applied to the data
5137 plays an important role for achieving this goal [ENCAUTH].
5139 The most robust method, called encrypt-then-authenticate, first
5140 applies encryption to the data and then applies a MAC to the
5141 ciphertext. This method ensures that the integrity and
5142 confidentiality goals are obtained with ANY pair of encryption and
5143 MAC functions, provided that the former is secure against chosen
5144 plaintext attacks and that the MAC is secure against chosen-message
5145 attacks. TLS uses another method, called authenticate-then-encrypt,
5146 in which first a MAC is computed on the plaintext and then the
5147 concatenation of plaintext and MAC is encrypted. This method has
5148 been proven secure for CERTAIN combinations of encryption functions
5149 and MAC functions, but it is not guaranteed to be secure in general.
5150 In particular, it has been shown that there exist perfectly secure
5154 Dierks & Rescorla Standards Track [Page 92]
5155 \f
5156 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5159 encryption functions (secure even in the information-theoretic sense)
5160 that combined with any secure MAC function, fail to provide the
5161 confidentiality goal against an active attack. Therefore, new cipher
5162 suites and operation modes adopted into TLS need to be analyzed under
5163 the authenticate-then-encrypt method to verify that they achieve the
5164 stated integrity and confidentiality goals.
5166 Currently, the security of the authenticate-then-encrypt method has
5167 been proven for some important cases. One is the case of stream
5168 ciphers in which a computationally unpredictable pad of the length of
5169 the message, plus the length of the MAC tag, is produced using a
5170 pseudo-random generator and this pad is xor-ed with the concatenation
5171 of plaintext and MAC tag. The other is the case of CBC mode using a
5172 secure block cipher. In this case, security can be shown if one
5173 applies one CBC encryption pass to the concatenation of plaintext and
5174 MAC and uses a new, independent, and unpredictable IV for each new
5175 pair of plaintext and MAC. In versions of TLS prior to 1.1, CBC mode
5176 was used properly EXCEPT that it used a predictable IV in the form of
5177 the last block of the previous ciphertext. This made TLS open to
5178 chosen plaintext attacks. This version of the protocol is immune to
5179 those attacks. For exact details in the encryption modes proven
5180 secure, see [ENCAUTH].
5182 F.5 Denial of Service
5184 TLS is susceptible to a number of denial of service (DoS) attacks.
5185 In particular, an attacker who initiates a large number of TCP
5186 connections can cause a server to consume large amounts of CPU doing
5187 RSA decryption. However, because TLS is generally used over TCP, it
5188 is difficult for the attacker to hide his point of origin if proper
5189 TCP SYN randomization is used [SEQNUM] by the TCP stack.
5191 Because TLS runs over TCP, it is also susceptible to a number of
5192 denial of service attacks on individual connections. In particular,
5193 attackers can forge RSTs, thereby terminating connections, or forge
5194 partial TLS records, thereby causing the connection to stall. These
5195 attacks cannot in general be defended against by a TCP-using
5196 protocol. Implementors or users who are concerned with this class of
5197 attack should use IPsec AH [AH] or ESP [ESP].
5199 F.6 Final Notes
5201 For TLS to be able to provide a secure connection, both the client
5202 and server systems, keys, and applications must be secure. In
5203 addition, the implementation must be free of security errors.
5205 The system is only as strong as the weakest key exchange and
5206 authentication algorithm supported, and only trustworthy
5210 Dierks & Rescorla Standards Track [Page 93]
5211 \f
5212 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5215 cryptographic functions should be used. Short public keys and
5216 anonymous servers should be used with great caution. Implementations
5217 and users must be careful when deciding which certificates and
5218 certificate authorities are acceptable; a dishonest certificate
5219 authority can do tremendous damage.
5221 Changes in This Version
5222 [RFC Editor: Please delete this]
5224 - Added a new pitfall about fragmenting messages when necessary
5225 [Issue #71]
5227 - Added Updates: RFC 4492 [Issue #83]
5229 - Long CBC padding pitfall [Issue #73]
5231 - Fixed ProtocolVersion structure [Issue #79]
5233 - Cleaned up extensions text [Issue #78]
5235 - Clarified alerts some [Issue #85]
5237 - Added AES to the table in Appendix C [Issue #72]
5239 - Tightened up when signature_algorithms is used
5240 (it is now a MUST if you support other than SHA-1)
5241 and the interpretation when it is absent is also a MUST
5242 [Issue #67]
5244 - Cleaned up "cipher suite" so it's always two words outside
5245 of when it refers to the syntactic type [Issue #68]
5247 - Misc editorial.
5249 - Added support for SHA256 cipher suites
5251 - Clarified warning alert behavior and client certificate omission
5252 behavior [Issue #84]
5254 Normative References
5256 [AES] National Institute of Standards and Technology,
5257 "Specification for the Advanced Encryption Standard (AES)"
5258 FIPS 197. November 26, 2001.
5260 [3DES] National Institute of Standards and Technology,
5261 "Recommendation for the Triple Data Encryption Algorithm
5262 (TDEA) Block Cipher", NIST Special Publication 800-67, May
5266 Dierks & Rescorla Standards Track [Page 94]
5267 \f
5268 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5271 2004.
5273 [DES] National Institute of Standards and Technology, "Data
5274 Encryption Standard (DES)", FIPS PUB 46-3, October 1999.
5276 [DSS] NIST FIPS PUB 186-2, "Digital Signature Standard," National
5277 Institute of Standards and Technology, U.S. Department of
5278 Commerce, 2000.
5280 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
5281 Hashing for Message Authentication", RFC 2104, February
5282 1997.
5284 [MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
5285 April 1992.
5287 [PKCS1] J. Jonsson, B. Kaliski, "Public-Key Cryptography Standards
5288 (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC
5289 3447, February 2003.
5291 [PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet X.509
5292 Public Key Infrastructure Certificate and Certificate
5293 Revocation List (CRL) Profile", RFC 3280, April 2002.
5296 [SCH] B. Schneier. "Applied Cryptography: Protocols, Algorithms,
5297 and Source Code in C, 2nd ed.", Published by John Wiley &
5298 Sons, Inc. 1996.
5300 [SHA] NIST FIPS PUB 180-2, "Secure Hash Standard," National
5301 Institute of Standards and Technology, U.S. Department of
5302 Commerce., August 2001.
5304 [REQ] Bradner, S., "Key words for use in RFCs to Indicate
5305 Requirement Levels", BCP 14, RFC 2119, March 1997.
5307 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
5308 IANA Considerations Section in RFCs", BCP 25, RFC 2434,
5309 October 1998.
5311 Informative References
5313 [AEAD] Mcgrew, D., "Authenticated Encryption", February 2007,
5314 draft-mcgrew-auth-enc-02.txt.
5316 [AH] Kent, S., and Atkinson, R., "IP Authentication Header", RFC
5317 4302, December 2005.
5322 Dierks & Rescorla Standards Track [Page 95]
5323 \f
5324 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5327 [BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against
5328 Protocols Based on RSA Encryption Standard PKCS #1" in
5329 Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages:
5330 1-12, 1998.
5332 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
5333 Problems and Countermeasures",
5334 http://www.openssl.org/~bodo/tls-cbc.txt.
5336 [CBCTIME] Canvel, B., Hiltgen, A., Vaudenay, S., and M. Vuagnoux,
5337 "Password Interception in a SSL/TLS Channel", Advances in
5338 Cryptology -- CRYPTO 2003, LNCS vol. 2729, 2003.
5340 [CCM] "NIST Special Publication 800-38C: The CCM Mode for
5341 Authentication and Confidentiality",
5342 http://csrc.nist.gov/publications/nistpubs/800-38C/
5343 SP800-38C.pdf
5345 [DSS-3] NIST FIPS PUB 186-3 Draft, "Digital Signature Standard,"
5346 National Institute of Standards and Technology, U.S.
5347 Department of Commerce, 2006.
5349 [ENCAUTH] Krawczyk, H., "The Order of Encryption and Authentication
5350 for Protecting Communications (Or: How Secure is SSL?)",
5351 Crypto 2001.
5353 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
5354 Payload (ESP)", RFC 4303, December 2005.
5356 [FI06] Hal Finney, "Bleichenbacher's RSA signature forgery based on
5357 implementation error", ietf-openpgp@imc.org mailing list, 27
5358 August 2006, http://www.imc.org/ietf-openpgp/mail-
5359 archive/msg14307.html.
5361 [GCM] "NIST Special Publication 800-38D DRAFT (June, 2007):
5362 Recommendation for Block Cipher Modes of Operation:
5363 Galois/Counter Mode (GCM) and GMAC"
5365 [IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH
5366 Series in Information Processing, v. 1, Konstanz: Hartung-
5367 Gorre Verlag, 1992.
5369 [IKEALG] Schiller, J., "Cryptographic Algorithms for Use in the
5370 Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December
5371 2005.
5373 [KEYSIZ] Orman, H., and Hoffman, P., "Determining Strengths For
5374 Public Keys Used For Exchanging Symmetric Keys" RFC 3766,
5378 Dierks & Rescorla Standards Track [Page 96]
5379 \f
5380 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5383 April 2004.
5385 [KPR03] Klima, V., Pokorny, O., Rosa, T., "Attacking RSA-based
5386 Sessions in SSL/TLS", http://eprint.iacr.org/2003/052/,
5387 March 2003.
5389 [MODP] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
5390 Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC
5391 3526, May 2003.
5393 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax
5394 Standard," version 1.5, November 1993.
5396 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax
5397 Standard," version 1.5, November 1993.
5399 [RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness
5400 Requirements for Security", BCP 106, RFC 4086, June 2005.
5402 [RC2] Rivest, R., "A Description of the RC2(r) Encryption
5403 Algorithm", RFC 2268, March 1998.
5405 [RFC3749] Hollenbeck, S., "Transport Layer Security Protocol
5406 Compression Methods", RFC 3749, May 2004.
5408 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
5409 Wright, T., "Transport Layer Security (TLS) Extensions", RFC
5410 4366, April 2006.
5412 [RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
5413 Obtaining Digital Signatures and Public-Key Cryptosystems,"
5414 Communications of the ACM, v. 21, n. 2, Feb 1978, pp.
5415 120-126.
5417 [SEQNUM] Bellovin. S., "Defending Against Sequence Number Attacks",
5418 RFC 1948, May 1996.
5420 [SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications
5421 Corp., Feb 9, 1995.
5423 [SSL3] A. Freier, P. Karlton, and P. Kocher, "The SSL 3.0
5424 Protocol", Netscape Communications Corp., Nov 18, 1996.
5426 [SUBGROUP] Zuccherato, R., "Methods for Avoiding the "Small-Subgroup"
5427 Attacks on the Diffie-Hellman Key Agreement Method for
5428 S/MIME", RFC 2785, March 2000.
5430 [TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793,
5434 Dierks & Rescorla Standards Track [Page 97]
5435 \f
5436 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5439 September 1981.
5441 [TIMING] Boneh, D., Brumley, D., "Remote timing attacks are
5442 practical", USENIX Security Symposium 2003.
5444 [TLSAES] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites
5445 for Transport Layer Security (TLS)", RFC 3268, June 2002.
5447 [TLSECC] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and
5448 Moeller, B., "Elliptic Curve Cryptography (ECC) Cipher
5449 Suites for Transport Layer Security (TLS)", RFC 4492, May
5450 2006.
5452 [TLSEXT] Eastlake, D.E., "Transport Layer Security (TLS) Extensions:
5453 Extension Definitions", July 2007, draft-ietf-tls-
5454 rfc4366-bis-00.txt.
5456 [TLSPGP] Mavrogiannopoulos, N., "Using OpenPGP keys for TLS
5457 authentication", RFC 5081, November 2007.
5459 [TLSPSK] Eronen, P., Tschofenig, H., "Pre-Shared Key Ciphersuites for
5460 Transport Layer Security (TLS)", RFC 4279, December 2005.
5462 [TLS1.0] Dierks, T., and C. Allen, "The TLS Protocol, Version 1.0",
5463 RFC 2246, January 1999.
5465 [TLS1.1] Dierks, T., and E. Rescorla, "The TLS Protocol, Version
5466 1.1", RFC 4346, April, 2006.
5468 [X501] ITU-T Recommendation X.501: Information Technology - Open
5469 Systems Interconnection - The Directory: Models, 1993.
5471 [XDR] Eisler, M., "External Data Representation Standard", RFC
5472 4506, May 2006.
5475 Credits
5477 Working Group Chairs
5479 Eric Rescorla
5480 EMail: ekr@networkresonance.com
5482 Pasi Eronen
5483 pasi.eronen@nokia.com
5486 Editors
5490 Dierks & Rescorla Standards Track [Page 98]
5491 \f
5492 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5495 Tim Dierks Eric Rescorla
5496 Independent Network Resonance, Inc.
5497 EMail: tim@dierks.org EMail: ekr@networkresonance.com
5500 Other contributors
5502 Christopher Allen (co-editor of TLS 1.0)
5503 Alacrity Ventures
5504 ChristopherA@AlacrityManagement.com
5506 Martin Abadi
5507 University of California, Santa Cruz
5508 abadi@cs.ucsc.edu
5510 Steven M. Bellovin
5511 Columbia University
5512 smb@cs.columbia.edu
5514 Simon Blake-Wilson
5515 BCI
5516 EMail: sblakewilson@bcisse.com
5518 Ran Canetti
5519 IBM
5520 canetti@watson.ibm.com
5522 Pete Chown
5523 Skygate Technology Ltd
5524 pc@skygate.co.uk
5526 Taher Elgamal
5527 taher@securify.com
5528 Securify
5530 Anil Gangolli
5531 anil@busybuddha.org
5533 Kipp Hickman
5535 Alfred Hoenes
5537 David Hopwood
5538 Independent Consultant
5539 EMail: david.hopwood@blueyonder.co.uk
5541 Phil Karlton (co-author of SSLv3)
5546 Dierks & Rescorla Standards Track [Page 99]
5547 \f
5548 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5551 Paul Kocher (co-author of SSLv3)
5552 Cryptography Research
5553 paul@cryptography.com
5555 Hugo Krawczyk
5556 IBM
5557 hugo@ee.technion.ac.il
5559 Jan Mikkelsen
5560 Transactionware
5561 EMail: janm@transactionware.com
5563 Magnus Nystrom
5564 RSA Security
5565 EMail: magnus@rsasecurity.com
5567 Robert Relyea
5568 Netscape Communications
5569 relyea@netscape.com
5571 Jim Roskind
5572 Netscape Communications
5573 jar@netscape.com
5575 Michael Sabin
5577 Dan Simon
5578 Microsoft, Inc.
5579 dansimon@microsoft.com
5581 Tom Weinstein
5583 Tim Wright
5584 Vodafone
5585 EMail: timothy.wright@vodafone.com
5587 Comments
5589 The discussion list for the IETF TLS working group is located at the
5590 e-mail address <tls@ietf.org>. Information on the group and
5591 information on how to subscribe to the list is at
5592 <https://www1.ietf.org/mailman/listinfo/tls>
5594 Archives of the list can be found at:
5595 <http://www.ietf.org/mail-archive/web/tls/current/index.html>
5602 Dierks & Rescorla Standards Track [Page 100]
5603 \f
5604 draft-ietf-tls-rfc4346-bis-08.txt TLS January, 2008
5607 Full Copyright Statement
5609 Copyright (C) The IETF Trust (2008).
5611 This document is subject to the rights, licenses and restrictions
5612 contained in BCP 78, and except as set forth therein, the authors
5613 retain all their rights.
5615 This document and the information contained herein are provided on an
5616 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
5617 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
5618 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
5619 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
5620 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
5621 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
5624 Intellectual Property
5626 The IETF takes no position regarding the validity or scope of any
5627 Intellectual Property Rights or other rights that might be claimed to
5628 pertain to the implementation or use of the technology described in
5629 this document or the extent to which any license under such rights
5630 might or might not be available; nor does it represent that it has
5631 made any independent effort to identify any such rights. Information
5632 on the procedures with respect to rights in RFC documents can be
5633 found in BCP 78 and BCP 79.
5635 Copies of IPR disclosures made to the IETF Secretariat and any
5636 assurances of licenses to be made available, or the result of an
5637 attempt made to obtain a general license or permission for the use of
5638 such proprietary rights by implementers or users of this
5639 specification can be obtained from the IETF on-line IPR repository at
5640 http://www.ietf.org/ipr.
5642 The IETF invites any interested party to bring to its attention any
5643 copyrights, patents or patent applications, or other proprietary
5644 rights that may cover technology that may be required to implement
5645 this standard. Please address the information to the IETF at
5646 ietf-ipr@ietf.org.
5649 Acknowledgment
5651 Funding for the RFC Editor function is provided by the IETF
5652 Administrative Support Activity (IASA).
5658 Dierks & Rescorla Standards Track [Page 101]
5659 \f