| blob | 8952fbe826ac780ce227c9116fb04d818ddd048b |
2 INTERNET-DRAFT Tim Dierks
3 Obsoletes (if approved): 4346 Independent
4 Intended status: Proposed Standard Eric Rescorla
5 Network Resonance, Inc.
6 <draft-ietf-tls-rfc4346-bis-04.txt> July 2007 (Expires January 2008)
8 The TLS Protocol
9 Version 1.2
11 Status of this Memo
12 By submitting this Internet-Draft, each author represents that any
13 applicable patent or other IPR claims of which he or she is aware
14 have been or will be disclosed, and any of which he or she becomes
15 aware will be disclosed, in accordance with Section 6 of BCP 79.
17 Internet-Drafts are working documents of the Internet Engineering
18 Task Force (IETF), its areas, and its working groups. Note that
19 other groups may also distribute working documents as Internet-
20 Drafts.
22 Internet-Drafts are draft documents valid for a maximum of six months
23 and may be updated, replaced, or obsoleted by other documents at any
24 time. It is inappropriate to use Internet-Drafts as reference
25 material or to cite them other than as "work in progress."
27 The list of current Internet-Drafts can be accessed at
28 http://www.ietf.org/ietf/1id-abstracts.txt.
30 The list of Internet-Draft Shadow Directories can be accessed at
31 http://www.ietf.org/shadow.html.
33 Copyright Notice
35 Copyright (C) The IETF Trust (2007).
37 Abstract
39 This document specifies Version 1.2 of the Transport Layer Security
40 (TLS) protocol. The TLS protocol provides communications security
41 over the Internet. The protocol allows client/server applications to
42 communicate in a way that is designed to prevent eavesdropping,
43 tampering, or message forgery.
45 Table of Contents
47 1. Introduction 3
48 1.1 Requirements Terminology 5
49 1.2 Major Differences from TLS 1.1 5
53 Dierks & Rescorla Standards Track [Page 1]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
56 2. Goals 5
57 3. Goals of This Document 6
58 4. Presentation Language 6
59 4.1. Basic Block Size 7
60 4.2. Miscellaneous 7
61 4.3. Vectors 7
62 4.4. Numbers 8
63 4.5. Enumerateds 9
64 4.6. Constructed Types 9
65 4.6.1. Variants 10
66 4.7. Cryptographic Attributes 11
67 4.8. Constants 12
68 5. HMAC and the Pseudorandom fFunction 13
69 6. The TLS Record Protocol 14
70 6.1. Connection States 14
71 6.2. Record layer 17
72 6.2.1. Fragmentation 17
73 6.2.2. Record Compression and Decompression 18
74 6.2.3. Record Payload Protection 19
75 6.2.3.1. Null or Standard Stream Cipher 20
76 6.2.3.2. CBC Block Cipher 20
77 6.2.3.3. AEAD ciphers 22
78 6.3. Key Calculation 23
79 7. The TLS Handshaking Protocols 24
80 7.1. Change Cipher Spec Protocol 25
81 7.2. Alert Protocol 26
82 7.2.1. Closure Alerts 27
83 7.2.2. Error Alerts 27
84 7.3. Handshake Protocol Overview 31
85 7.4. Handshake Protocol 35
86 7.4.1. Hello Messages 36
87 7.4.1.1. Hello Request 36
88 7.4.1.2. Client Hello 37
89 7.4.1.3. Server Hello 40
90 7.4.1.4 Hello Extensions 41
91 7.4.1.4.1 Cert Hash Types 43
92 7.4.2. Server Certificate 43
93 7.4.3. Server Key Exchange Message 45
94 7.4.4. Certificate Request 47
95 7.4.5 Server hello done 49
96 7.4.6. Client Certificate 49
97 7.4.7. Client Key Exchange Message 49
98 7.4.7.1. RSA Encrypted Premaster Secret Message 50
99 7.4.7.1. Client Diffie-Hellman Public Value 53
100 7.4.8. Certificate verify 53
101 7.4.9. Finished 54
102 8. Cryptographic Computations 55
103 8.1. Computing the Master Secret 55
107 Dierks & Rescorla Standards Track [Page 2]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
110 8.1.1. RSA 56
111 8.1.2. Diffie-Hellman 56
112 9. Mandatory Cipher Suites 56
113 10. Application Data Protocol 56
114 11. Security Considerations 56
115 12. IANA Considerations 57
116 A. Protocol Constant Values 59
117 A.1. Record Layer 59
118 A.2. Change Cipher Specs Message 60
119 A.3. Alert Messages 60
120 A.4. Handshake Protocol 62
121 A.4.1. Hello Messages 62
122 A.4.2. Server Authentication and Key Exchange Messages 63
123 A.4.3. Client Authentication and Key Exchange Messages 65
124 A.4.4. Handshake Finalization Message 65
125 A.5. The CipherSuite 65
126 A.6. The Security Parameters 68
127 B. Glossary 70
128 C. CipherSuite Definitions 74
129 D. Implementation Notes 76
130 D.1 Random Number Generation and Seeding 76
131 D.2 Certificates and Authentication 76
132 D.3 CipherSuites 76
133 E. Backward Compatibility 77
134 E.1 Compatibility with TLS 1.0/1.1 and SSL 3.0 77
135 E.2 Compatibility with SSL 2.0 78
136 E.2. Avoiding Man-in-the-Middle Version Rollback 80
137 F. Security Analysis 81
138 F.1. Handshake Protocol 81
139 F.1.1. Authentication and Key Exchange 81
140 F.1.1.1. Anonymous Key Exchange 81
141 F.1.1.2. RSA Key Exchange and Authentication 82
142 F.1.1.3. Diffie-Hellman Key Exchange with Authentication 82
143 F.1.2. Version Rollback Attacks 83
144 F.1.3. Detecting Attacks Against the Handshake Protocol 84
145 F.1.4. Resuming Sessions 84
146 F.1.5 Extensions 85
147 F.2. Protecting Application Data 85
148 F.3. Explicit IVs 85
149 F.4. Security of Composite Cipher Modes 86
150 F.5 Denial of Service 87
151 F.6. Final Notes 87
154 1. Introduction
156 The primary goal of the TLS Protocol is to provide privacy and data
157 integrity between two communicating applications. The protocol is
161 Dierks & Rescorla Standards Track [Page 3]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
164 composed of two layers: the TLS Record Protocol and the TLS Handshake
165 Protocol. At the lowest level, layered on top of some reliable
166 transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The
167 TLS Record Protocol provides connection security that has two basic
168 properties:
170 - The connection is private. Symmetric cryptography is used for
171 data encryption (e.g., DES [DES], RC4 [SCH] etc.). The keys for
172 this symmetric encryption are generated uniquely for each
173 connection and are based on a secret negotiated by another
174 protocol (such as the TLS Handshake Protocol). The Record
175 Protocol can also be used without encryption.
177 - The connection is reliable. Message transport includes a message
178 integrity check using a keyed MAC. Secure hash functions (e.g.,
179 SHA, MD5, etc.) are used for MAC computations. The Record
180 Protocol can operate without a MAC, but is generally only used in
181 this mode while another protocol is using the Record Protocol as
182 a transport for negotiating security parameters.
184 The TLS Record Protocol is used for encapsulation of various higher-
185 level protocols. One such encapsulated protocol, the TLS Handshake
186 Protocol, allows the server and client to authenticate each other and
187 to negotiate an encryption algorithm and cryptographic keys before
188 the application protocol transmits or receives its first byte of
189 data. The TLS Handshake Protocol provides connection security that
190 has three basic properties:
192 - The peer's identity can be authenticated using asymmetric, or
193 public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This
194 authentication can be made optional, but is generally required
195 for at least one of the peers.
197 - The negotiation of a shared secret is secure: the negotiated
198 secret is unavailable to eavesdroppers, and for any authenticated
199 connection the secret cannot be obtained, even by an attacker who
200 can place himself in the middle of the connection.
202 - The negotiation is reliable: no attacker can modify the
203 negotiation communication without being detected by the parties
204 to the communication.
206 One advantage of TLS is that it is application protocol independent.
207 Higher-level protocols can layer on top of the TLS Protocol
208 transparently. The TLS standard, however, does not specify how
209 protocols add security with TLS; the decisions on how to initiate TLS
210 handshaking and how to interpret the authentication certificates
211 exchanged are left to the judgment of the designers and implementors
215 Dierks & Rescorla Standards Track [Page 4]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
218 of protocols that run on top of TLS.
220 1.1 Requirements Terminology
222 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
223 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
224 document are to be interpreted as described in RFC 2119 [RFC2119].
226 1.2 Major Differences from TLS 1.1
227 This document is a revision of the TLS 1.1 [TLS1.1] protocol which
228 contains improved flexibility, particularly for negotiation of
229 cryptographic algorithms. The major changes are:
231 - Merged in TLS Extensions definition and AES Cipher Suites from
232 external documents.
234 - Replacement of MD5/SHA-1 combination in the PRF. Addition
235 of cipher-suite specified PRFs.
237 - Replacement of MD5/SHA-1 combination in the digitally-signed
238 element.
240 - Allow the client to indicate which hash functions it supports
241 for digital signature.
243 - Allow the server to indicate which hash functions it supports
244 for digital signature.
246 - Addition of support for authenticated encryption with additional
247 data modes.
249 - Tightened up a number of requirements.
251 - The usual clarifications and editorial work.
253 - Added some guidance that DH groups should be checked.
255 - Cleaned up description of Bleichenbacher/Klima attack defenses.
257 - Tighter checking of EncryptedPreMasterSecret version numbers.
259 - Stronger language about when alerts MUST be sent.
262 2. Goals
264 The goals of TLS Protocol, in order of their priority, are as
265 follows:
269 Dierks & Rescorla Standards Track [Page 5]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
272 1. Cryptographic security: TLS should be used to establish a secure
273 connection between two parties.
275 2. Interoperability: Independent programmers should be able to
276 develop applications utilizing TLS that can successfully exchange
277 cryptographic parameters without knowledge of one another's code.
279 3. Extensibility: TLS seeks to provide a framework into which new
280 public key and bulk encryption methods can be incorporated as
281 necessary. This will also accomplish two sub-goals: preventing
282 the need to create a new protocol (and risking the introduction
283 of possible new weaknesses) and avoiding the need to implement an
284 entire new security library.
286 4. Relative efficiency: Cryptographic operations tend to be highly
287 CPU intensive, particularly public key operations. For this
288 reason, the TLS protocol has incorporated an optional session
289 caching scheme to reduce the number of connections that need to
290 be established from scratch. Additionally, care has been taken to
291 reduce network activity.
293 3. Goals of This Document
295 This document and the TLS protocol itself are based on the SSL 3.0
296 Protocol Specification as published by Netscape. The differences
297 between this protocol and SSL 3.0 are not dramatic, but they are
298 significant enough that the various versions of TLS and SSL 3.0 do
299 not interoperate (although each protocol incorporates a mechanism by
300 which an implementation can back down to prior versions). This
301 document is intended primarily for readers who will be implementing
302 the protocol and for those doing cryptographic analysis of it. The
303 specification has been written with this in mind, and it is intended
304 to reflect the needs of those two groups. For that reason, many of
305 the algorithm-dependent data structures and rules are included in the
306 body of the text (as opposed to in an appendix), providing easier
307 access to them.
309 This document is not intended to supply any details of service
310 definition or of interface definition, although it does cover select
311 areas of policy as they are required for the maintenance of solid
312 security.
314 4. Presentation Language
316 This document deals with the formatting of data in an external
317 representation. The following very basic and somewhat casually
318 defined presentation syntax will be used. The syntax draws from
319 several sources in its structure. Although it resembles the
323 Dierks & Rescorla Standards Track [Page 6]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
326 programming language "C" in its syntax and XDR [XDR] in both its
327 syntax and intent, it would be risky to draw too many parallels. The
328 purpose of this presentation language is to document TLS only; it has
329 no general application beyond that particular goal.
331 4.1. Basic Block Size
333 The representation of all data items is explicitly specified. The
334 basic data block size is one byte (i.e., 8 bits). Multiple byte data
335 items are concatenations of bytes, from left to right, from top to
336 bottom. From the bytestream, a multi-byte item (a numeric in the
337 example) is formed (using C notation) by:
339 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
340 ... | byte[n-1];
342 This byte ordering for multi-byte values is the commonplace network
343 byte order or big endian format.
345 4.2. Miscellaneous
347 Comments begin with "/*" and end with "*/".
349 Optional components are denoted by enclosing them in "[[ ]]" double
350 brackets.
352 Single-byte entities containing uninterpreted data are of type
353 opaque.
355 4.3. Vectors
357 A vector (single dimensioned array) is a stream of homogeneous data
358 elements. The size of the vector may be specified at documentation
359 time or left unspecified until runtime. In either case, the length
360 declares the number of bytes, not the number of elements, in the
361 vector. The syntax for specifying a new type, T', that is a fixed-
362 length vector of type T is
364 T T'[n];
366 Here, T' occupies n bytes in the data stream, where n is a multiple
367 of the size of T. The length of the vector is not included in the
368 encoded stream.
370 In the following example, Datum is defined to be three consecutive
371 bytes that the protocol does not interpret, while Data is three
372 consecutive Datum, consuming a total of nine bytes.
377 Dierks & Rescorla Standards Track [Page 7]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
380 opaque Datum[3]; /* three uninterpreted bytes */
381 Datum Data[9]; /* 3 consecutive 3 byte vectors */
383 Variable-length vectors are defined by specifying a subrange of legal
384 lengths, inclusively, using the notation <floor..ceiling>. When
385 these are encoded, the actual length precedes the vector's contents
386 in the byte stream. The length will be in the form of a number
387 consuming as many bytes as required to hold the vector's specified
388 maximum (ceiling) length. A variable-length vector with an actual
389 length field of zero is referred to as an empty vector.
391 T T'<floor..ceiling>;
393 In the following example, mandatory is a vector that must contain
394 between 300 and 400 bytes of type opaque. It can never be empty. The
395 actual length field consumes two bytes, a uint16, sufficient to
396 represent the value 400 (see Section 4.4). On the other hand, longer
397 can represent up to 800 bytes of data, or 400 uint16 elements, and it
398 may be empty. Its encoding will include a two-byte actual length
399 field prepended to the vector. The length of an encoded vector must
400 be an even multiple of the length of a single element (for example, a
401 17-byte vector of uint16 would be illegal).
403 opaque mandatory<300..400>;
404 /* length field is 2 bytes, cannot be empty */
405 uint16 longer<0..800>;
406 /* zero to 400 16-bit unsigned integers */
408 4.4. Numbers
410 The basic numeric data type is an unsigned byte (uint8). All larger
411 numeric data types are formed from fixed-length series of bytes
412 concatenated as described in Section 4.1 and are also unsigned. The
413 following numeric types are predefined.
415 uint8 uint16[2];
416 uint8 uint24[3];
417 uint8 uint32[4];
418 uint8 uint64[8];
420 All values, here and elsewhere in the specification, are stored in
421 "network" or "big-endian" order; the uint32 represented by the hex
422 bytes 01 02 03 04 is equivalent to the decimal value 16909060.
424 Note that in some cases (e.g., DH parameters) it is necessary to
425 represent integers as opaque vectors. In such cases, they are
426 represented as unsigned integers (i.e., leading zero octets are not
427 required even if the most significant bit is set).
431 Dierks & Rescorla Standards Track [Page 8]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
434 4.5. Enumerateds
436 An additional sparse data type is available called enum. A field of
437 type enum can only assume the values declared in the definition.
438 Each definition is a different type. Only enumerateds of the same
439 type may be assigned or compared. Every element of an enumerated must
440 be assigned a value, as demonstrated in the following example. Since
441 the elements of the enumerated are not ordered, they can be assigned
442 any unique value, in any order.
444 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
446 Enumerateds occupy as much space in the byte stream as would its
447 maximal defined ordinal value. The following definition would cause
448 one byte to be used to carry fields of type Color.
450 enum { red(3), blue(5), white(7) } Color;
452 One may optionally specify a value without its associated tag to
453 force the width definition without defining a superfluous element.
454 In the following example, Taste will consume two bytes in the data
455 stream but can only assume the values 1, 2, or 4.
457 enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
459 The names of the elements of an enumeration are scoped within the
460 defined type. In the first example, a fully qualified reference to
461 the second element of the enumeration would be Color.blue. Such
462 qualification is not required if the target of the assignment is well
463 specified.
465 Color color = Color.blue; /* overspecified, legal */
466 Color color = blue; /* correct, type implicit */
468 For enumerateds that are never converted to external representation,
469 the numerical information may be omitted.
471 enum { low, medium, high } Amount;
473 4.6. Constructed Types
475 Structure types may be constructed from primitive types for
476 convenience. Each specification declares a new, unique type. The
477 syntax for definition is much like that of C.
479 struct {
480 T1 f1;
481 T2 f2;
485 Dierks & Rescorla Standards Track [Page 9]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
488 ...
489 Tn fn;
490 } [[T]];
492 The fields within a structure may be qualified using the type's name,
493 with a syntax much like that available for enumerateds. For example,
494 T.f2 refers to the second field of the previous declaration.
495 Structure definitions may be embedded.
497 4.6.1. Variants
499 Defined structures may have variants based on some knowledge that is
500 available within the environment. The selector must be an enumerated
501 type that defines the possible variants the structure defines. There
502 must be a case arm for every element of the enumeration declared in
503 the select. The body of the variant structure may be given a label
504 for reference. The mechanism by which the variant is selected at
505 runtime is not prescribed by the presentation language.
507 struct {
508 T1 f1;
509 T2 f2;
510 ....
511 Tn fn;
512 select (E) {
513 case e1: Te1;
514 case e2: Te2;
515 ....
516 case en: Ten;
517 } [[fv]];
518 } [[Tv]];
520 For example:
522 enum { apple, orange } VariantTag;
523 struct {
524 uint16 number;
525 opaque string<0..10>; /* variable length */
526 } V1;
527 struct {
528 uint32 number;
529 opaque string[10]; /* fixed length */
530 } V2;
531 struct {
532 select (VariantTag) { /* value of selector is implicit */
533 case apple: V1; /* VariantBody, tag = apple */
534 case orange: V2; /* VariantBody, tag = orange */
535 } variant_body; /* optional label on variant */
539 Dierks & Rescorla Standards Track [Page 10]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
542 } VariantRecord;
544 Variant structures may be qualified (narrowed) by specifying a value
545 for the selector prior to the type. For example, an
547 orange VariantRecord
549 is a narrowed type of a VariantRecord containing a variant_body of
550 type V2.
552 4.7. Cryptographic Attributes
554 The five cryptographic operations digital signing, stream cipher
555 encryption, block cipher encryption, authenticated encryption with
556 additional data (AEAD) encryption and public key encryption are
557 designated digitally-signed, stream-ciphered, block-ciphered, aead-
558 ciphered, and public-key-encrypted, respectively. A field's
559 cryptographic processing is specified by prepending an appropriate
560 key word designation before the field's type specification.
561 Cryptographic keys are implied by the current session state (see
562 Section 6.1).
564 In digital signing, one-way hash functions are used as input for a
565 signing algorithm. A digitally-signed element is encoded as an opaque
566 vector <0..2^16-1>, where the length is specified by the signing
567 algorithm and key.
569 In RSA signing, the opaque vector contains the signature generated
570 using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1]. As
571 discussed in [PKCS1], the DigestInfo MUST be DER encoded and for
572 digest algorithms without parameters (which include SHA-1) the
573 DigestInfo.AlgorithmIdentifier.parameters field MUST be NULL but
574 implementations MUST accept both without parameters and with NULL
575 parameters. Note that earlier versions of TLS used a different RSA
576 signature scheme which did not include a DigestInfo encoding.
578 In DSS, the 20 bytes of the SHA-1 hash are run directly through the
579 Digital Signing Algorithm with no additional hashing. This produces
580 two values, r and s. The DSS signature is an opaque vector, as above,
581 the contents of which are the DER encoding of:
583 Dss-Sig-Value ::= SEQUENCE {
584 r INTEGER,
585 s INTEGER
586 }
588 In stream cipher encryption, the plaintext is exclusive-ORed with an
589 identical amount of output generated from a cryptographically secure
593 Dierks & Rescorla Standards Track [Page 11]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
596 keyed pseudorandom number generator.
598 In block cipher encryption, every block of plaintext encrypts to a
599 block of ciphertext. All block cipher encryption is done in CBC
600 (Cipher Block Chaining) mode, and all items that are block-ciphered
601 will be an exact multiple of the cipher block length.
603 In AEAD encryption, the plaintext is simultaneously encrypted and
604 integrity protected. The input may be of any length and the output is
605 generally larger than the input in order to accomodate the integrity
606 check value.
608 In public key encryption, a public key algorithm is used to encrypt
609 data in such a way that it can be decrypted only with the matching
610 private key. A public-key-encrypted element is encoded as an opaque
611 vector <0..2^16-1>, where the length is specified by the signing
612 algorithm and key.
614 RSA encryption is done using the RSAES-PKCS1-v1_5 encryption scheme
615 defined in [PKCS1].
617 In the following example
619 stream-ciphered struct {
620 uint8 field1;
621 uint8 field2;
622 digitally-signed opaque hash[20];
623 } UserType;
625 the contents of hash are used as input for the signing algorithm, and
626 then the entire structure is encrypted with a stream cipher. The
627 length of this structure, in bytes, would be equal to two bytes for
628 field1 and field2, plus two bytes for the length of the signature,
629 plus the length of the output of the signing algorithm. This is known
630 because the algorithm and key used for the signing are known prior to
631 encoding or decoding this structure.
633 4.8. Constants
635 Typed constants can be defined for purposes of specification by
636 declaring a symbol of the desired type and assigning values to it.
637 Under-specified types (opaque, variable length vectors, and
638 structures that contain opaque) cannot be assigned values. No fields
639 of a multi-element structure or vector may be elided.
641 For example:
643 struct {
647 Dierks & Rescorla Standards Track [Page 12]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
650 uint8 f1;
651 uint8 f2;
652 } Example1;
654 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
656 5. HMAC and the Pseudorandom fFunction
658 A number of operations in the TLS record and handshake layer requires
659 a keyed MAC; this is a secure digest of some data protected by a
660 secret. Forging the MAC is infeasible without knowledge of the MAC
661 secret. The construction TLS provides for this operation is known as
662 HMAC and is described in [HMAC]. Cipher suites MAY define their own
663 MACs.
665 In addition, a construction is required to do expansion of secrets
666 into blocks of data for the purposes of key generation or validation.
667 This pseudo-random function (PRF) takes as input a secret, a seed,
668 and an identifying label and produces an output of arbitrary length.
669 We define one PRF, based on HMAC, which is used for all cipher suites
670 in this document. Cipher suites MAY define their own PRFs.
672 First, we define a data expansion function, P_hash(secret, data) that
673 uses a single hash function to expand a secret and seed into an
674 arbitrary quantity of output:
676 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
677 HMAC_hash(secret, A(2) + seed) +
678 HMAC_hash(secret, A(3) + seed) + ...
680 Where + indicates concatenation.
682 A() is defined as:
683 A(0) = seed
684 A(i) = HMAC_hash(secret, A(i-1))
686 P_hash can be iterated as many times as is necessary to produce the
687 required quantity of data. For example, if P_SHA-1 is being used to
688 create 64 bytes of data, it will have to be iterated 4 times (through
689 A(4)), creating 80 bytes of output data; the last 16 bytes of the
690 final iteration will then be discarded, leaving 64 bytes of output
691 data.
693 TLS's PRF is created by applying P_hash to the secret S as:
695 PRF(secret, label, seed) = P_<hash>(secret, label + seed)
697 All the cipher suites defined in this document and in TLS documents
701 Dierks & Rescorla Standards Track [Page 13]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
704 prior to this document MUST use SHA-256 as the basis for their PRF.
705 New cipher suites MUST specify a PRF and in general SHOULD use the
706 TLS PRF with SHA-256 or a stronger standard hash function.
708 The label is an ASCII string. It should be included in the exact form
709 it is given without a length byte or trailing null character. For
710 example, the label "slithy toves" would be processed by hashing the
711 following bytes:
713 73 6C 69 74 68 79 20 74 6F 76 65 73
716 6. The TLS Record Protocol
718 The TLS Record Protocol is a layered protocol. At each layer,
719 messages may include fields for length, description, and content.
720 The Record Protocol takes messages to be transmitted, fragments the
721 data into manageable blocks, optionally compresses the data, applies
722 a MAC, encrypts, and transmits the result. Received data is
723 decrypted, verified, decompressed, reassembled, and then delivered to
724 higher-level clients.
726 Four record protocol clients are described in this document: the
727 handshake protocol, the alert protocol, the change cipher spec
728 protocol, and the application data protocol. In order to allow
729 extension of the TLS protocol, additional record types can be
730 supported by the record protocol. New record type values are assigned
731 by IANA as described in Section 11.
734 If a TLS implementation receives a record type it does not
735 understand, it SHOULD just ignore it. Any protocol designed for use
736 over TLS MUST be carefully designed to deal with all possible attacks
737 against it. Note that because the type and length of a record are
738 not protected by encryption, care SHOULD be taken to minimize the
739 value of traffic analysis of these values. Implementations MUST not
740 send record types not defined in this document unless negotiated by
741 some extension.
743 6.1. Connection States
745 A TLS connection state is the operating environment of the TLS Record
746 Protocol. It specifies a compression algorithm, an encryption
747 algorithm, and MAC algorithm. In addition, the parameters for these
748 algorithms are known: the MAC secret and the bulk encryption keys for
749 the connection in both the read and the write directions. Logically,
750 there are always four connection states outstanding: the current read
751 and write states, and the pending read and write states. All records
755 Dierks & Rescorla Standards Track [Page 14]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
758 are processed under the current read and write states. The security
759 parameters for the pending states can be set by the TLS Handshake
760 Protocol, and the Change Cipher Spec can selectively make either of
761 the pending states current, in which case the appropriate current
762 state is disposed of and replaced with the pending state; the pending
763 state is then reinitialized to an empty state. It is illegal to make
764 a state that has not been initialized with security parameters a
765 current state. The initial current state always specifies that no
766 encryption, compression, or MAC will be used.
768 The security parameters for a TLS Connection read and write state are
769 set by providing the following values:
771 connection end
772 Whether this entity is considered the "client" or the "server" in
773 this connection.
775 bulk encryption algorithm
776 An algorithm to be used for bulk encryption. This specification
777 includes the key size of this algorithm, how much of that key is
778 secret, whether it is a block, stream, or AEAD cipher, and the
779 block size of the cipher (if appropriate).
781 MAC algorithm
782 An algorithm to be used for message authentication. This
783 specification includes the size of the value returned by the MAC
784 algorithm.
786 compression algorithm
787 An algorithm to be used for data compression. This specification
788 must include all information the algorithm requires to do
789 compression.
791 master secret
792 A 48-byte secret shared between the two peers in the connection.
794 client random
795 A 32-byte value provided by the client.
797 server random
798 A 32-byte value provided by the server.
800 These parameters are defined in the presentation language as:
802 enum { server, client } ConnectionEnd;
804 enum { null, rc4, rc2, des, 3des, des40, idea, aes } BulkCipherAlgorithm;
809 Dierks & Rescorla Standards Track [Page 15]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
812 enum { stream, block, aead } CipherType;
814 enum { null, md5, sha, sha256, sha384, sha512} MACAlgorithm;
816 /* The use of "sha" above is historical and denotes SHA-1 */
818 enum { null(0), (255) } CompressionMethod;
820 /* The algorithms specified in CompressionMethod,
821 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
823 struct {
824 ConnectionEnd entity;
825 BulkCipherAlgorithm bulk_cipher_algorithm;
826 CipherType cipher_type;
827 uint8 enc_key_length;
828 uint8 block_length;
829 uint8 iv_length;
830 MACAlgorithm mac_algorithm;
831 uint8 mac_length;
832 uint8 mac_key_length;
833 CompressionMethod compression_algorithm;
834 opaque master_secret[48];
835 opaque client_random[32];
836 opaque server_random[32];
837 } SecurityParameters;
839 The record layer will use the security parameters to generate the
840 following four items:
842 client write MAC secret
843 server write MAC secret
844 client write key
845 server write key
847 The client write parameters are used by the server when receiving and
848 processing records and vice-versa. The algorithm used for generating
849 these items from the security parameters is described in Section 6.3.
851 Once the security parameters have been set and the keys have been
852 generated, the connection states can be instantiated by making them
853 the current states. These current states MUST be updated for each
854 record processed. Each connection state includes the following
855 elements:
857 compression state
858 The current state of the compression algorithm.
863 Dierks & Rescorla Standards Track [Page 16]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
866 cipher state
867 The current state of the encryption algorithm. This will consist
868 of the scheduled key for that connection. For stream ciphers,
869 this will also contain whatever state information is necessary to
870 allow the stream to continue to encrypt or decrypt data.
872 MAC secret
873 The MAC secret for this connection, as generated above.
875 sequence number
876 Each connection state contains a sequence number, which is
877 maintained separately for read and write states. The sequence
878 number MUST be set to zero whenever a connection state is made
879 the active state. Sequence numbers are of type uint64 and may not
880 exceed 2^64-1. Sequence numbers do not wrap. If a TLS
881 implementation would need to wrap a sequence number, it must
882 renegotiate instead. A sequence number is incremented after each
883 record: specifically, the first record transmitted under a
884 particular connection state MUST use sequence number 0.
886 6.2. Record layer
888 The TLS Record Layer receives uninterpreted data from higher layers
889 in non-empty blocks of arbitrary size.
891 6.2.1. Fragmentation
893 The record layer fragments information blocks into TLSPlaintext
894 records carrying data in chunks of 2^14 bytes or less. Client message
895 boundaries are not preserved in the record layer (i.e., multiple
896 client messages of the same ContentType MAY be coalesced into a
897 single TLSPlaintext record, or a single message MAY be fragmented
898 across several records).
901 struct {
902 uint8 major, minor;
903 } ProtocolVersion;
905 enum {
906 change_cipher_spec(20), alert(21), handshake(22),
907 application_data(23), (255)
908 } ContentType;
910 struct {
911 ContentType type;
912 ProtocolVersion version;
913 uint16 length;
917 Dierks & Rescorla Standards Track [Page 17]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
920 opaque fragment[TLSPlaintext.length];
921 } TLSPlaintext;
923 type
924 The higher-level protocol used to process the enclosed fragment.
926 version
927 The version of the protocol being employed. This document
928 describes TLS Version 1.2, which uses the version { 3, 3 }. The
929 version value 3.3 is historical, deriving from the use of 3.1 for
930 TLS 1.0. (See Appendix A.1). Note that a client that supports
931 multiple versions of TLS may not know what version will be
932 employed before it receives ServerHello. See Appendix E for
933 discussion about what record layer version number should be
934 employed for ClientHello.
936 length
937 The length (in bytes) of the following TLSPlaintext.fragment.
938 The length MUST not exceed 2^14.
940 fragment
941 The application data. This data is transparent and treated as an
942 independent block to be dealt with by the higher-level protocol
943 specified by the type field.
945 Implementations MUST not send zero-length fragments of Handshake,
946 Alert, or Change Cipher Spec content types. Zero-length fragments
947 of Application data MAY be sent as they are potentially useful as
948 a traffic analysis countermeasure.
950 Note: Data of different TLS Record layer content types MAY be
951 interleaved. Application data is generally of lower precedence
952 for transmission than other content types. However, records MUST
953 be delivered to the network in the same order as they are
954 protected by the record layer. Recipients MUST receive and
955 process interleaved application layer traffic during handshakes
956 subsequent to the first one on a connection.
959 6.2.2. Record Compression and Decompression
961 All records are compressed using the compression algorithm defined in
962 the current session state. There is always an active compression
963 algorithm; however, initially it is defined as
964 CompressionMethod.null. The compression algorithm translates a
965 TLSPlaintext structure into a TLSCompressed structure. Compression
966 functions are initialized with default state information whenever a
967 connection state is made active.
971 Dierks & Rescorla Standards Track [Page 18]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
974 Compression must be lossless and may not increase the content length
975 by more than 1024 bytes. If the decompression function encounters a
976 TLSCompressed.fragment that would decompress to a length in excess of
977 2^14 bytes, it MUST report a fatal decompression failure error.
979 struct {
980 ContentType type; /* same as TLSPlaintext.type */
981 ProtocolVersion version;/* same as TLSPlaintext.version */
982 uint16 length;
983 opaque fragment[TLSCompressed.length];
984 } TLSCompressed;
986 length
987 The length (in bytes) of the following TLSCompressed.fragment.
988 The length should not exceed 2^14 + 1024.
990 fragment
991 The compressed form of TLSPlaintext.fragment.
993 Note: A CompressionMethod.null operation is an identity operation; no
994 fields are altered.
996 Implementation note:
997 Decompression functions are responsible for ensuring that
998 messages cannot cause internal buffer overflows.
1000 6.2.3. Record Payload Protection
1002 The encryption and MAC functions translate a TLSCompressed structure
1003 into a TLSCiphertext. The decryption functions reverse the process.
1004 The MAC of the record also includes a sequence number so that
1005 missing, extra, or repeated messages are detectable.
1007 struct {
1008 ContentType type;
1009 ProtocolVersion version;
1010 uint16 length;
1011 select (SecurityParameters.cipher_type) {
1012 case stream: GenericStreamCipher;
1013 case block: GenericBlockCipher;
1014 case aead: GenericAEADCipher;
1015 } fragment;
1016 } TLSCiphertext;
1018 type
1019 The type field is identical to TLSCompressed.type.
1021 version
1025 Dierks & Rescorla Standards Track [Page 19]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1028 The version field is identical to TLSCompressed.version.
1030 length
1031 The length (in bytes) of the following TLSCiphertext.fragment.
1032 The length may not exceed 2^14 + 2048.
1034 fragment
1035 The encrypted form of TLSCompressed.fragment, with the MAC.
1037 6.2.3.1. Null or Standard Stream Cipher
1039 Stream ciphers (including BulkCipherAlgorithm.null, see Appendix A.6)
1040 convert TLSCompressed.fragment structures to and from stream
1041 TLSCiphertext.fragment structures.
1043 stream-ciphered struct {
1044 opaque content[TLSCompressed.length];
1045 opaque MAC[SecurityParameters.mac_length];
1046 } GenericStreamCipher;
1048 The MAC is generated as:
1050 HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
1051 TLSCompressed.version + TLSCompressed.length +
1052 TLSCompressed.fragment));
1054 where "+" denotes concatenation.
1056 seq_num
1057 The sequence number for this record.
1059 hash
1060 The hashing algorithm specified by
1061 SecurityParameters.mac_algorithm.
1063 Note that the MAC is computed before encryption. The stream cipher
1064 encrypts the entire block, including the MAC. For stream ciphers that
1065 do not use a synchronization vector (such as RC4), the stream cipher
1066 state from the end of one record is simply used on the subsequent
1067 packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL, encryption
1068 consists of the identity operation (i.e., the data is not encrypted,
1069 and the MAC size is zero, implying that no MAC is used).
1070 TLSCiphertext.length is TLSCompressed.length plus
1071 SecurityParameters.mac_length.
1073 6.2.3.2. CBC Block Cipher
1079 Dierks & Rescorla Standards Track [Page 20]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1082 For block ciphers (such as RC2, DES, or AES), the encryption and MAC
1083 functions convert TLSCompressed.fragment structures to and from block
1084 TLSCiphertext.fragment structures.
1086 block-ciphered struct {
1087 opaque IV[SecurityParameters.block_length];
1088 opaque content[TLSCompressed.length];
1089 opaque MAC[SecurityParameters.mac_length];
1090 uint8 padding[GenericBlockCipher.padding_length];
1091 uint8 padding_length;
1092 } GenericBlockCipher;
1094 The MAC is generated as described in Section 6.2.3.1.
1096 IV
1097 TLS 1.2 uses an explicit IV in order to prevent the attacks
1098 described by [CBCATT]. The IV SHOULD be chosen at random and MUST
1099 be unpredictable. In order to decrypt, thereceiver decrypts the
1100 entire GenericBlockCipher structure and then discards the first
1101 cipher block, corresponding to the IV component.
1103 padding
1104 Padding that is added to force the length of the plaintext to be
1105 an integral multiple of the block cipher's block length. The
1106 padding MAY be any length up to 255 bytes, as long as it results
1107 in the TLSCiphertext.length being an integral multiple of the
1108 block length. Lengths longer than necessary might be desirable to
1109 frustrate attacks on a protocol that are based on analysis of the
1110 lengths of exchanged messages. Each uint8 in the padding data
1111 vector MUST be filled with the padding length value. The receiver
1112 MUST check this padding and SHOULD use the bad_record_mac alert
1113 to indicate padding errors.
1115 padding_length
1116 The padding length MUST be such that the total size of the
1117 GenericBlockCipher structure is a multiple of the cipher's block
1118 length. Legal values range from zero to 255, inclusive. This
1119 length specifies the length of the padding field exclusive of the
1120 padding_length field itself.
1122 The encrypted data length (TLSCiphertext.length) is one more than the
1123 sum of TLSCompressed.length, SecurityParameters.mac_length, and
1124 padding_length.
1126 Example: If the block length is 8 bytes, the content length
1127 (TLSCompressed.length) is 61 bytes, and the MAC length is 20
1128 bytes, then the length before padding is 82 bytes (this does
1129 not include the IV, which may or may not be encrypted, as
1133 Dierks & Rescorla Standards Track [Page 21]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1136 discussed above). Thus, the padding length modulo 8 must be
1137 equal to 6 in order to make the total length an even multiple
1138 of 8 bytes (the block length). The padding length can be 6,
1139 14, 22, and so on, through 254. If the padding length were the
1140 minimum necessary, 6, the padding would be 6 bytes, each
1141 containing the value 6. Thus, the last 8 octets of the
1142 GenericBlockCipher before block encryption would be xx 06 06
1143 06 06 06 06 06, where xx is the last octet of the MAC.
1145 Note: With block ciphers in CBC mode (Cipher Block Chaining),
1146 it is critical that the entire plaintext of the record be known
1147 before any ciphertext is transmitted. Otherwise, it is possible
1148 for the attacker to mount the attack described in [CBCATT].
1150 Implementation Note: Canvel et al. [CBCTIME] have demonstrated a timing
1151 attack on CBC padding based on the time required to compute the
1152 MAC. In order to defend against this attack, implementations MUST
1153 ensure that record processing time is essentially the same
1154 whether or not the padding is correct. In general, the best way
1155 to do this is to compute the MAC even if the padding is
1156 incorrect, and only then reject the packet. For instance, if the
1157 pad appears to be incorrect, the implementation might assume a
1158 zero-length pad and then compute the MAC. This leaves a small
1159 timing channel, since MAC performance depends to some extent on
1160 the size of the data fragment, but it is not believed to be large
1161 enough to be exploitable, due to the large block size of existing
1162 MACs and the small size of the timing signal.
1164 6.2.3.3. AEAD ciphers
1166 For AEAD [AEAD] ciphers (such as [CCM] or [GCM]) the AEAD function
1167 converts TLSCompressed.fragment structures to and from AEAD
1168 TLSCiphertext.fragment structures.
1170 aead-ciphered struct {
1171 opaque IV[SecurityParameters.iv_length];
1172 opaque aead_output[AEADEncrypted.length];
1173 } GenericAEADCipher;
1175 AEAD ciphers take as input a single key, a nonce, a plaintext, and
1176 "additional data" to be included in the authentication check, as
1177 described in Section 2.1 of [AEAD]. These inputs are as follows.
1179 The key is either the client_write_key or the server_write_key. The
1180 MAC key will be of length zero.
1182 The nonce supplied to the AEAD operations is determined by the IV in
1183 aead-ciphered struct. Each IV used in distinct invocations of the
1187 Dierks & Rescorla Standards Track [Page 22]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1190 AEAD encryption operation MUST be distinct, for any fixed value of
1191 the key. Implementations SHOULD use the recommended nonce formation
1192 method of [AEAD] to generate IVs, and MAY use any other method that
1193 meets this requirement. The length of the IV depends on the AEAD
1194 cipher; that length MAY be zero. Note that in many cases it is
1195 appropriate to use the partially implicit nonce technique of S 3.2.1
1196 of AEAD, in which case the client_write_iv and server_write_iv should
1197 be used as the "fixed-common".
1199 The plaintext is the TLSCompressed.fragment.
1201 The additional authenticated data, which we denote as
1202 additional_data, is defined as follows:
1204 additional_data = seq_num + TLSCompressed.type +
1205 TLSCompressed.version + TLSCompressed.length;
1207 The aead_output consists of the ciphertext output by the AEAD
1208 encryption operation. AEADEncrypted.length will generally be larger
1209 than TLSCompressed.length, but by an amount that varies with the AEAD
1210 cipher. Since the ciphers might incorporate padding, the amount of
1211 overhead could vary with different TLSCompressed.length values. Each
1212 AEAD cipher MUST NOT produce an expansion of greater than 1024 bytes.
1213 Symbolically,
1215 AEADEncrypted = AEAD-Encrypt(key, IV, plaintext,
1216 additional_data)
1218 Where "+" denotes concatenation.
1221 In order to decrypt and verify, the cipher takes as input the key,
1222 IV, the "additional_data", and the AEADEncrypted value. The output is
1223 either the plaintext or an error indicating that the decryption
1224 failed. There is no separate integrity check. I.e.,
1226 TLSCompressed.fragment = AEAD-Decrypt(write_key, IV, AEADEncrypted,
1227 TLSCiphertext.type + TLSCiphertext.version +
1228 TLSCiphertext.length);
1230 If the decryption fails, a fatal bad_record_mac alert MUST be
1231 generated.
1233 6.3. Key Calculation
1235 The Record Protocol requires an algorithm to generate keys, and MAC
1236 secrets from the security parameters provided by the handshake
1237 protocol.
1241 Dierks & Rescorla Standards Track [Page 23]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1244 The master secret is hashed into a sequence of secure bytes, which
1245 are assigned to the MAC secrets and keys required by the current
1246 connection state (see Appendix A.6). CipherSpecs require a client
1247 write MAC secret, a server write MAC secret, a client write key, and
1248 a server write key, each of which is generated from the master secret
1249 in that order. Unused values are empty.
1251 When keys and MAC secrets are generated, the master secret is used as
1252 an entropy source.
1254 To generate the key material, compute
1256 key_block = PRF(SecurityParameters.master_secret,
1257 "key expansion",
1258 SecurityParameters.server_random +
1259 SecurityParameters.client_random);
1261 until enough output has been generated. Then the key_block is
1262 partitioned as follows:
1264 client_write_MAC_secret[SecurityParameters.mac_key_length]
1265 server_write_MAC_secret[SecurityParameters.mac_key_length]
1266 client_write_key[SecurityParameters.enc_key_length]
1267 server_write_key[SecurityParameters.enc_key_length]
1270 Implementation note:
1271 The currently defined cipher suite which requires the most
1272 material is AES_256_CBC_SHA, defined in [TLSAES]. It requires 2 x
1273 32 byte keys and 2 x 20 byte MAC secrets, for a total 104 bytes
1274 of key material.
1276 7. The TLS Handshaking Protocols
1278 TLS has three subprotocols that are used to allow peers to agree
1279 upon security parameters for the record layer, to authenticate
1280 themselves, to instantiate negotiated security parameters, and to
1281 report error conditions to each other.
1283 The Handshake Protocol is responsible for negotiating a session,
1284 which consists of the following items:
1286 session identifier
1287 An arbitrary byte sequence chosen by the server to identify an
1288 active or resumable session state.
1290 peer certificate
1291 X509v3 [X509] certificate of the peer. This element of the
1295 Dierks & Rescorla Standards Track [Page 24]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1298 state may be null.
1300 compression method
1301 The algorithm used to compress data prior to encryption.
1303 cipher spec
1304 Specifies the bulk data encryption algorithm (such as null,
1305 DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also
1306 defines cryptographic attributes such as the mac_length. (See
1307 Appendix A.6 for formal definition.)
1309 master secret
1310 48-byte secret shared between the client and server.
1312 is resumable
1313 A flag indicating whether the session can be used to initiate
1314 new connections.
1316 These items are then used to create security parameters for use by
1317 the Record Layer when protecting application data. Many connections
1318 can be instantiated using the same session through the resumption
1319 feature of the TLS Handshake Protocol.
1321 7.1. Change Cipher Spec Protocol
1323 The change cipher spec protocol exists to signal transitions in
1324 ciphering strategies. The protocol consists of a single message,
1325 which is encrypted and compressed under the current (not the pending)
1326 connection state. The message consists of a single byte of value 1.
1328 struct {
1329 enum { change_cipher_spec(1), (255) } type;
1330 } ChangeCipherSpec;
1332 The change cipher spec message is sent by both the client and the
1333 server to notify the receiving party that subsequent records will be
1334 protected under the newly negotiated CipherSpec and keys. Reception
1335 of this message causes the receiver to instruct the Record Layer to
1336 immediately copy the read pending state into the read current state.
1337 Immediately after sending this message, the sender MUST instruct the
1338 record layer to make the write pending state the write active state.
1339 (See Section 6.1.) The change cipher spec message is sent during the
1340 handshake after the security parameters have been agreed upon, but
1341 before the verifying finished message is sent (see Section 7.4.11
1343 Note: If a rehandshake occurs while data is flowing on a connection,
1344 the communicating parties may continue to send data using the old
1345 CipherSpec. However, once the ChangeCipherSpec has been sent, the new
1349 Dierks & Rescorla Standards Track [Page 25]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1352 CipherSpec MUST be used. The first side to send the ChangeCipherSpec
1353 does not know that the other side has finished computing the new
1354 keying material (e.g., if it has to perform a time consuming public
1355 key operation). Thus, a small window of time, during which the
1356 recipient must buffer the data, MAY exist. In practice, with modern
1357 machines this interval is likely to be fairly short.
1359 7.2. Alert Protocol
1361 One of the content types supported by the TLS Record layer is the
1362 alert type. Alert messages convey the severity of the message and a
1363 description of the alert. Alert messages with a level of fatal result
1364 in the immediate termination of the connection. In this case, other
1365 connections corresponding to the session may continue, but the
1366 session identifier MUST be invalidated, preventing the failed session
1367 from being used to establish new connections. Like other messages,
1368 alert messages are encrypted and compressed, as specified by the
1369 current connection state.
1371 enum { warning(1), fatal(2), (255) } AlertLevel;
1373 enum {
1374 close_notify(0),
1375 unexpected_message(10),
1376 bad_record_mac(20),
1377 decryption_failed_RESERVED(21),
1378 record_overflow(22),
1379 decompression_failure(30),
1380 handshake_failure(40),
1381 no_certificate_RESERVED(41),
1382 bad_certificate(42),
1383 unsupported_certificate(43),
1384 certificate_revoked(44),
1385 certificate_expired(45),
1386 certificate_unknown(46),
1387 illegal_parameter(47),
1388 unknown_ca(48),
1389 access_denied(49),
1390 decode_error(50),
1391 decrypt_error(51),
1392 export_restriction_RESERVED(60),
1393 protocol_version(70),
1394 insufficient_security(71),
1395 internal_error(80),
1396 user_canceled(90),
1397 no_renegotiation(100),
1398 unsupported_extension(110), /* new */
1399 (255)
1403 Dierks & Rescorla Standards Track [Page 26]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1406 } AlertDescription;
1408 struct {
1409 AlertLevel level;
1410 AlertDescription description;
1411 } Alert;
1413 7.2.1. Closure Alerts
1415 The client and the server must share knowledge that the connection is
1416 ending in order to avoid a truncation attack. Either party may
1417 initiate the exchange of closing messages.
1419 close_notify
1420 This message notifies the recipient that the sender will not send
1421 any more messages on this connection. Note that as of TLS 1.1,
1422 failure to properly close a connection no longer requires that a
1423 session not be resumed. This is a change from TLS 1.0 to conform
1424 with widespread implementation practice.
1426 Either party may initiate a close by sending a close_notify alert.
1427 Any data received after a closure alert is ignored.
1429 Unless some other fatal alert has been transmitted, each party is
1430 required to send a close_notify alert before closing the write side
1431 of the connection. The other party MUST respond with a close_notify
1432 alert of its own and close down the connection immediately,
1433 discarding any pending writes. It is not required for the initiator
1434 of the close to wait for the responding close_notify alert before
1435 closing the read side of the connection.
1437 If the application protocol using TLS provides that any data may be
1438 carried over the underlying transport after the TLS connection is
1439 closed, the TLS implementation must receive the responding
1440 close_notify alert before indicating to the application layer that
1441 the TLS connection has ended. If the application protocol will not
1442 transfer any additional data, but will only close the underlying
1443 transport connection, then the implementation MAY choose to close the
1444 transport without waiting for the responding close_notify. No part of
1445 this standard should be taken to dictate the manner in which a usage
1446 profile for TLS manages its data transport, including when
1447 connections are opened or closed.
1449 Note: It is assumed that closing a connection reliably delivers
1450 pending data before destroying the transport.
1452 7.2.2. Error Alerts
1457 Dierks & Rescorla Standards Track [Page 27]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1460 Error handling in the TLS Handshake protocol is very simple. When an
1461 error is detected, the detecting party sends a message to the other
1462 party. Upon transmission or receipt of a fatal alert message, both
1463 parties immediately close the connection. Servers and clients MUST
1464 forget any session-identifiers, keys, and secrets associated with a
1465 failed connection. Thus, any connection terminated with a fatal alert
1466 MUST NOT be resumed.
1468 Whenever an implementation encounters a condition which is defined as
1469 a fatal alert, it MUST send the appropriate alert prior to closing
1470 the connection. In cases where an implementation chooses to send an
1471 alert which MAY be a warning alert but intends to close the
1472 connection immediately afterwards, it MUST send that alert at the
1473 fatal alert level.
1475 If an alert with a level of warning is sent and received, generally
1476 the connection can continue normally. If the receiving party decides
1477 not to proceed with the connection (e.g., after having received a
1478 no_renegotiation alert that it is not willing to accept), it SHOULD
1479 send a fatal alert to terminate the connection.
1482 The following error alerts are defined:
1484 unexpected_message
1485 An inappropriate message was received. This alert is always fatal
1486 and should never be observed in communication between proper
1487 implementations.
1489 bad_record_mac
1490 This alert is returned if a record is received with an incorrect
1491 MAC. This alert also MUST be returned if an alert is sent because
1492 a TLSCiphertext decrypted in an invalid way: either it wasn't an
1493 even multiple of the block length, or its padding values, when
1494 checked, weren't correct. This message is always fatal.
1496 decryption_failed_RESERVED
1497 This alert was used in some earlier versions of TLS, and may have
1498 permitted certain attacks against the CBC mode [CBCATT]. It MUST
1499 NOT be sent by compliant implementations.
1501 record_overflow
1502 A TLSCiphertext record was received that had a length more than
1503 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
1504 with more than 2^14+1024 bytes. This message is always fatal.
1506 decompression_failure
1507 The decompression function received improper input (e.g., data
1511 Dierks & Rescorla Standards Track [Page 28]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1514 that would expand to excessive length). This message is always
1515 fatal.
1517 handshake_failure
1518 Reception of a handshake_failure alert message indicates that the
1519 sender was unable to negotiate an acceptable set of security
1520 parameters given the options available. This is a fatal error.
1522 no_certificate_RESERVED
1523 This alert was used in SSLv3 but not any version of TLS. It MUST
1524 NOT be sent by compliant implementations.
1526 bad_certificate
1527 A certificate was corrupt, contained signatures that did not
1528 verify correctly, etc.
1530 unsupported_certificate
1531 A certificate was of an unsupported type.
1533 certificate_revoked
1534 A certificate was revoked by its signer.
1536 certificate_expired
1537 A certificate has expired or is not currently valid.
1539 certificate_unknown
1540 Some other (unspecified) issue arose in processing the
1541 certificate, rendering it unacceptable.
1543 illegal_parameter
1544 A field in the handshake was out of range or inconsistent with
1545 other fields. This is always fatal.
1547 unknown_ca
1548 A valid certificate chain or partial chain was received, but the
1549 certificate was not accepted because the CA certificate could not
1550 be located or couldn't be matched with a known, trusted CA. This
1551 message is always fatal.
1553 access_denied
1554 A valid certificate was received, but when access control was
1555 applied, the sender decided not to proceed with negotiation.
1556 This message is always fatal.
1558 decode_error
1559 A message could not be decoded because some field was out of the
1560 specified range or the length of the message was incorrect. This
1561 message is always fatal.
1565 Dierks & Rescorla Standards Track [Page 29]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1568 decrypt_error
1569 A handshake cryptographic operation failed, including being
1570 unable to correctly verify a signature, decrypt a key exchange,
1571 or validate a finished message.
1573 export_restriction_RESERVED
1574 This alert was used in some earlier versions of TLS. It MUST NOT
1575 be sent by compliant implementations.
1577 protocol_version
1578 The protocol version the client has attempted to negotiate is
1579 recognized but not supported. (For example, old protocol versions
1580 might be avoided for security reasons). This message is always
1581 fatal.
1583 insufficient_security
1584 Returned instead of handshake_failure when a negotiation has
1585 failed specifically because the server requires ciphers more
1586 secure than those supported by the client. This message is always
1587 fatal.
1589 internal_error
1590 An internal error unrelated to the peer or the correctness of the
1591 protocol (such as a memory allocation failure) makes it
1592 impossible to continue. This message is always fatal.
1594 user_canceled
1595 This handshake is being canceled for some reason unrelated to a
1596 protocol failure. If the user cancels an operation after the
1597 handshake is complete, just closing the connection by sending a
1598 close_notify is more appropriate. This alert should be followed
1599 by a close_notify. This message is generally a warning.
1601 no_renegotiation
1602 Sent by the client in response to a hello request or by the
1603 server in response to a client hello after initial handshaking.
1604 Either of these would normally lead to renegotiation; when that
1605 is not appropriate, the recipient should respond with this alert.
1606 At that point, the original requester can decide whether to
1607 proceed with the connection. One case where this would be
1608 appropriate is where a server has spawned a process to satisfy a
1609 request; the process might receive security parameters (key
1610 length, authentication, etc.) at startup and it might be
1611 difficult to communicate changes to these parameters after that
1612 point. This message is always a warning.
1614 unsupported_extension
1615 sent by clients that receive an extended server hello containing
1619 Dierks & Rescorla Standards Track [Page 30]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1622 an extension that they did not put in the corresponding client
1623 hello (see Section 2.3). This message is always fatal.
1625 For all errors where an alert level is not explicitly specified, the
1626 sending party MAY determine at its discretion whether this is a fatal
1627 error or not; if an alert with a level of warning is received, the
1628 receiving party MAY decide at its discretion whether to treat this as
1629 a fatal error or not. However, all messages that are transmitted
1630 with a level of fatal MUST be treated as fatal messages.
1632 New Alert values are assigned by IANA as described in Section 11.
1634 7.3. Handshake Protocol Overview
1636 The cryptographic parameters of the session state are produced by the
1637 TLS Handshake Protocol, which operates on top of the TLS Record
1638 Layer. When a TLS client and server first start communicating, they
1639 agree on a protocol version, select cryptographic algorithms,
1640 optionally authenticate each other, and use public-key encryption
1641 techniques to generate shared secrets.
1643 The TLS Handshake Protocol involves the following steps:
1645 - Exchange hello messages to agree on algorithms, exchange random
1646 values, and check for session resumption.
1648 - Exchange the necessary cryptographic parameters to allow the
1649 client and server to agree on a premaster secret.
1651 - Exchange certificates and cryptographic information to allow the
1652 client and server to authenticate themselves.
1654 - Generate a master secret from the premaster secret and exchanged
1655 random values.
1657 - Provide security parameters to the record layer.
1659 - Allow the client and server to verify that their peer has
1660 calculated the same security parameters and that the handshake
1661 occurred without tampering by an attacker.
1663 Note that higher layers should not be overly reliant on whether TLS
1664 always negotiates the strongest possible connection between two
1665 peers. There are a number of ways in which a man in the middle
1666 attacker can attempt to make two entities drop down to the least
1667 secure method they support. The protocol has been designed to
1668 minimize this risk, but there are still attacks available: for
1669 example, an attacker could block access to the port a secure service
1673 Dierks & Rescorla Standards Track [Page 31]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1676 runs on, or attempt to get the peers to negotiate an unauthenticated
1677 connection. The fundamental rule is that higher levels must be
1678 cognizant of what their security requirements are and never transmit
1679 information over a channel less secure than what they require. The
1680 TLS protocol is secure in that any cipher suite offers its promised
1681 level of security: if you negotiate 3DES with a 1024 bit RSA key
1682 exchange with a host whose certificate you have verified, you can
1683 expect to be that secure.
1685 These goals are achieved by the handshake protocol, which can be
1686 summarized as follows: The client sends a client hello message to
1687 which the server must respond with a server hello message, or else a
1688 fatal error will occur and the connection will fail. The client hello
1689 and server hello are used to establish security enhancement
1690 capabilities between client and server. The client hello and server
1691 hello establish the following attributes: Protocol Version, Session
1692 ID, Cipher Suite, and Compression Method. Additionally, two random
1693 values are generated and exchanged: ClientHello.random and
1694 ServerHello.random.
1696 The actual key exchange uses up to four messages: the server
1697 certificate, the server key exchange, the client certificate, and the
1698 client key exchange. New key exchange methods can be created by
1699 specifying a format for these messages and by defining the use of the
1700 messages to allow the client and server to agree upon a shared
1701 secret. This secret MUST be quite long; currently defined key
1702 exchange methods exchange secrets that range from 48 to 128 bytes in
1703 length.
1705 Following the hello messages, the server will send its certificate,
1706 if it is to be authenticated. Additionally, a server key exchange
1707 message may be sent, if it is required (e.g., if their server has no
1708 certificate, or if its certificate is for signing only). If the
1709 server is authenticated, it may request a certificate from the
1710 client, if that is appropriate to the cipher suite selected. Next,
1711 the server will send the server hello done message, indicating that
1712 the hello-message phase of the handshake is complete. The server will
1713 then wait for a client response. If the server has sent a certificate
1714 request message, the client must send the certificate message. The
1715 client key exchange message is now sent, and the content of that
1716 message will depend on the public key algorithm selected between the
1717 client hello and the server hello. If the client has sent a
1718 certificate with signing ability, a digitally-signed certificate
1719 verify message is sent to explicitly verify possession of the private
1720 key in the certificate.
1722 At this point, a change cipher spec message is sent by the client,
1723 and the client copies the pending Cipher Spec into the current Cipher
1727 Dierks & Rescorla Standards Track [Page 32]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1730 Spec. The client then immediately sends the finished message under
1731 the new algorithms, keys, and secrets. In response, the server will
1732 send its own change cipher spec message, transfer the pending to the
1733 current Cipher Spec, and send its finished message under the new
1781 Dierks & Rescorla Standards Track [Page 33]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1784 Cipher Spec. At this point, the handshake is complete, and the client
1785 and server may begin to exchange application layer data. (See flow
1786 chart below.) Application data MUST NOT be sent prior to the
1787 completion of the first handshake (before a cipher suite other
1788 TLS_NULL_WITH_NULL_NULL is established).
1790 Client Server
1792 ClientHello -------->
1793 ServerHello
1794 Certificate*
1795 CertificateStatus*
1796 ServerKeyExchange*
1797 CertificateRequest*
1798 <-------- ServerHelloDone
1799 Certificate*
1800 ClientKeyExchange
1801 CertificateVerify*
1802 [ChangeCipherSpec]
1803 Finished -------->
1804 [ChangeCipherSpec]
1805 <-------- Finished
1806 Application Data <-------> Application Data
1808 Fig. 1. Message flow for a full handshake
1810 * Indicates optional or situation-dependent messages that are not
1811 always sent.
1813 Note: To help avoid pipeline stalls, ChangeCipherSpec is an
1814 independent TLS Protocol content type, and is not actually a TLS
1815 handshake message.
1817 When the client and server decide to resume a previous session or
1818 duplicate an existing session (instead of negotiating new security
1819 parameters), the message flow is as follows:
1821 The client sends a ClientHello using the Session ID of the session to
1822 be resumed. The server then checks its session cache for a match. If
1823 a match is found, and the server is willing to re-establish the
1824 connection under the specified session state, it will send a
1825 ServerHello with the same Session ID value. At this point, both
1826 client and server MUST send change cipher spec messages and proceed
1827 directly to finished messages. Once the re-establishment is complete,
1828 the client and server MAY begin to exchange application layer data.
1829 (See flow chart below.) If a Session ID match is not found, the
1830 server generates a new session ID and the TLS client and server
1831 perform a full handshake.
1835 Dierks & Rescorla Standards Track [Page 34]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1838 Client Server
1840 ClientHello -------->
1841 ServerHello
1842 [ChangeCipherSpec]
1843 <-------- Finished
1844 [ChangeCipherSpec]
1845 Finished -------->
1846 Application Data <-------> Application Data
1848 Fig. 2. Message flow for an abbreviated handshake
1850 The contents and significance of each message will be presented in
1851 detail in the following sections.
1853 7.4. Handshake Protocol
1855 The TLS Handshake Protocol is one of the defined higher-level clients
1856 of the TLS Record Protocol. This protocol is used to negotiate the
1857 secure attributes of a session. Handshake messages are supplied to
1858 the TLS Record Layer, where they are encapsulated within one or more
1859 TLSPlaintext structures, which are processed and transmitted as
1860 specified by the current active session state.
1862 enum {
1863 hello_request(0), client_hello(1), server_hello(2),
1864 certificate(11), server_key_exchange (12),
1865 certificate_request(13), server_hello_done(14),
1866 certificate_verify(15), client_key_exchange(16),
1867 finished(20)
1868 (255)
1869 } HandshakeType;
1871 struct {
1872 HandshakeType msg_type; /* handshake type */
1873 uint24 length; /* bytes in message */
1874 select (HandshakeType) {
1875 case hello_request: HelloRequest;
1876 case client_hello: ClientHello;
1877 case server_hello: ServerHello;
1878 case certificate: Certificate;
1879 case server_key_exchange: ServerKeyExchange;
1880 case certificate_request: CertificateRequest;
1881 case server_hello_done: ServerHelloDone;
1882 case certificate_verify: CertificateVerify;
1883 case client_key_exchange: ClientKeyExchange;
1884 case finished: Finished;
1885 } body;
1889 Dierks & Rescorla Standards Track [Page 35]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1892 } Handshake;
1894 The handshake protocol messages are presented below in the order they
1895 MUST be sent; sending handshake messages in an unexpected order
1896 results in a fatal error. Unneeded handshake messages can be omitted,
1897 however. Note one exception to the ordering: the Certificate message
1898 is used twice in the handshake (from server to client, then from
1899 client to server), but described only in its first position. The one
1900 message that is not bound by these ordering rules is the Hello
1901 Request message, which can be sent at any time, but which should be
1902 ignored by the client if it arrives in the middle of a handshake.
1904 New Handshake message types are assigned by IANA as described in
1905 Section 11.
1907 7.4.1. Hello Messages
1909 The hello phase messages are used to exchange security enhancement
1910 capabilities between the client and server. When a new session
1911 begins, the Record Layer's connection state encryption, hash, and
1912 compression algorithms are initialized to null. The current
1913 connection state is used for renegotiation messages.
1915 7.4.1.1. Hello Request
1917 When this message will be sent:
1918 The hello request message MAY be sent by the server at any time.
1920 Meaning of this message:
1921 Hello request is a simple notification that the client should
1922 begin the negotiation process anew by sending a client hello
1923 message when convenient. This message is not intended to
1924 establish which side is the client or server but merely to
1925 initiate a new negotiation. Servers SHOULD not send a
1926 HelloRequest immediately upon the client's initial connection.
1927 It is the client's job to send a ClientHello at that time.
1929 This message will be ignored by the client if the client is
1930 currently negotiating a session. This message may be ignored by
1931 the client if it does not wish to renegotiate a session, or the
1932 client may, if it wishes, respond with a no_renegotiation alert.
1933 Since handshake messages are intended to have transmission
1934 precedence over application data, it is expected that the
1935 negotiation will begin before no more than a few records are
1936 received from the client. If the server sends a hello request but
1937 does not receive a client hello in response, it may close the
1938 connection with a fatal alert.
1943 Dierks & Rescorla Standards Track [Page 36]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
1946 After sending a hello request, servers SHOULD not repeat the request
1947 until the subsequent handshake negotiation is complete.
1949 Structure of this message:
1950 struct { } HelloRequest;
1952 Note: This message MUST NOT be included in the message hashes that are
1953 maintained throughout the handshake and used in the finished
1954 messages and the certificate verify message.
1956 7.4.1.2. Client Hello
1958 When this message will be sent:
1959 When a client first connects to a server it is required to send
1960 the client hello as its first message. The client can also send a
1961 client hello in response to a hello request or on its own
1962 initiative in order to renegotiate the security parameters in an
1963 existing connection.
1965 Structure of this message:
1966 The client hello message includes a random structure, which is
1967 used later in the protocol.
1969 struct {
1970 uint32 gmt_unix_time;
1971 opaque random_bytes[28];
1972 } Random;
1974 gmt_unix_time
1975 The current time and date in standard UNIX 32-bit format (seconds
1976 since the midnight starting Jan 1, 1970, GMT, ignoring leap
1977 seconds) according to the sender's internal clock. Clocks are not
1978 required to be set correctly by the basic TLS Protocol; higher-
1979 level or application protocols may define additional
1980 requirements.
1982 random_bytes
1983 28 bytes generated by a secure random number generator.
1985 The client hello message includes a variable-length session
1986 identifier. If not empty, the value identifies a session between the
1987 same client and server whose security parameters the client wishes to
1988 reuse. The session identifier MAY be from an earlier connection, this
1989 connection, or from another currently active connection. The second
1990 option is useful if the client only wishes to update the random
1991 structures and derived values of a connection, and the third option
1992 makes it possible to establish several independent secure connections
1993 without repeating the full handshake protocol. These independent
1997 Dierks & Rescorla Standards Track [Page 37]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2000 connections may occur sequentially or simultaneously; a SessionID
2001 becomes valid when the handshake negotiating it completes with the
2002 exchange of Finished messages and persists until it is removed due to
2003 aging or because a fatal error was encountered on a connection
2004 associated with the session. The actual contents of the SessionID are
2005 defined by the server.
2007 opaque SessionID<0..32>;
2009 Warning:
2010 Because the SessionID is transmitted without encryption or
2011 immediate MAC protection, servers MUST not place confidential
2012 information in session identifiers or let the contents of fake
2013 session identifiers cause any breach of security. (Note that the
2014 content of the handshake as a whole, including the SessionID, is
2015 protected by the Finished messages exchanged at the end of the
2016 handshake.)
2018 The CipherSuite list, passed from the client to the server in the
2019 client hello message, contains the combinations of cryptographic
2020 algorithms supported by the client in order of the client's
2021 preference (favorite choice first). Each CipherSuite defines a key
2022 exchange algorithm, a bulk encryption algorithm (including secret key
2023 length), a MAC algorithm, and a PRF. The server will select a cipher
2024 suite or, if no acceptable choices are presented, return a handshake
2025 failure alert and close the connection.
2027 uint8 CipherSuite[2]; /* Cryptographic suite selector */
2029 The client hello includes a list of compression algorithms supported
2030 by the client, ordered according to the client's preference.
2032 enum { null(0), (255) } CompressionMethod;
2034 struct {
2035 ProtocolVersion client_version;
2036 Random random;
2037 SessionID session_id;
2038 CipherSuite cipher_suites<2..2^16-1>;
2039 CompressionMethod compression_methods<1..2^8-1>;
2040 select (extensions_present) {
2041 case false:
2042 struct {};
2043 case true:
2044 Extension extensions<0..2^16-1>;
2045 }
2046 } ClientHello;
2051 Dierks & Rescorla Standards Track [Page 38]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2054 TLS allows extensions to follow the compression_methods field in an
2055 extensions block. The presence of extensions can be detected by
2056 determining whether there are bytes following the compression_methods
2057 at the end of the ClientHello. Note that this method of detecting
2058 optional data differs from the normal TLS method of having a
2059 variable-length field but is used for compatibility with TLS before
2060 extensions were defined.
2062 client_version
2063 The version of the TLS protocol by which the client wishes to
2064 communicate during this session. This SHOULD be the latest
2065 (highest valued) version supported by the client. For this
2066 version of the specification, the version will be 3.3 (See
2067 Appendix E for details about backward compatibility).
2069 random
2070 A client-generated random structure.
2072 session_id
2073 The ID of a session the client wishes to use for this connection.
2074 This field should be empty if no session_id is available, or it
2075 the client wishes to generate new security parameters.
2077 cipher_suites
2078 This is a list of the cryptographic options supported by the
2079 client, with the client's first preference first. If the
2080 session_id field is not empty (implying a session resumption
2081 request) this vector MUST include at least the cipher_suite from
2082 that session. Values are defined in Appendix A.5.
2084 compression_methods
2085 This is a list of the compression methods supported by the
2086 client, sorted by client preference. If the session_id field is
2087 not empty (implying a session resumption request) it MUST include
2088 the compression_method from that session. This vector MUST
2089 contain, and all implementations MUST support,
2090 CompressionMethod.null. Thus, a client and server will always be
2091 able to agree on a compression method.
2093 client_hello_extension_list
2094 Clients MAY request extended functionality from servers by
2095 sending data in the client_hello_extension_list. Here the new
2096 "client_hello_extension_list" field contains a list of
2097 extensions. The actual "Extension" format is defined in Section
2098 7.4.1.4.
2100 In the event that a client requests additional functionality using
2101 extensions, and this functionality is not supplied by the server, the
2105 Dierks & Rescorla Standards Track [Page 39]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2108 client MAY abort the handshake. A server that supports the
2109 extensions mechanism MUST accept only client hello messages in either
2110 the original (TLS 1.0/TLS 1.1) ClientHello or the extended
2111 ClientHello format defined in this document, and (as for all other
2112 messages) MUST check that the amount of data in the message precisely
2113 matches one of these formats; if not then it MUST send a fatal
2114 "decode_error" alert.
2116 After sending the client hello message, the client waits for a server
2117 hello message. Any other handshake message returned by the server
2118 except for a hello request is treated as a fatal error.
2121 7.4.1.3. Server Hello
2124 When this message will be sent:
2125 The server will send this message in response to a client hello
2126 message when it was able to find an acceptable set of algorithms.
2127 If it cannot find such a match, it will respond with a handshake
2128 failure alert.
2130 Structure of this message:
2131 struct {
2132 ProtocolVersion server_version;
2133 Random random;
2134 SessionID session_id;
2135 CipherSuite cipher_suite;
2136 CompressionMethod compression_method;
2137 select (extensions_present) {
2138 case false:
2139 struct {};
2140 case true:
2141 Extension extensions<0..2^16-1>;
2142 }
2143 } ServerHello;
2145 The presence of extensions can be detected by determining whether
2146 there are bytes following the compression_method field at the end of
2147 the ServerHello.
2149 server_version
2150 This field will contain the lower of that suggested by the client
2151 in the client hello and the highest supported by the server. For
2152 this version of the specification, the version is 3.3. (See
2153 Appendix E for details about backward compatibility.)
2155 random
2159 Dierks & Rescorla Standards Track [Page 40]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2162 This structure is generated by the server and MUST be
2163 independently generated from the ClientHello.random.
2165 session_id
2166 This is the identity of the session corresponding to this
2167 connection. If the ClientHello.session_id was non-empty, the
2168 server will look in its session cache for a match. If a match is
2169 found and the server is willing to establish the new connection
2170 using the specified session state, the server will respond with
2171 the same value as was supplied by the client. This indicates a
2172 resumed session and dictates that the parties must proceed
2173 directly to the finished messages. Otherwise this field will
2174 contain a different value identifying the new session. The server
2175 may return an empty session_id to indicate that the session will
2176 not be cached and therefore cannot be resumed. If a session is
2177 resumed, it must be resumed using the same cipher suite it was
2178 originally negotiated with. Note that there is no requirement
2179 that the server resume any session even if it had formerly
2180 provided a session_id. Client MUST be prepared to do a full
2181 negotiation -- including negotiating new cipher suites -- during
2182 any handshake.
2184 cipher_suite
2185 The single cipher suite selected by the server from the list in
2186 ClientHello.cipher_suites. For resumed sessions, this field is
2187 the value from the state of the session being resumed.
2189 compression_method
2190 The single compression algorithm selected by the server from the
2191 list in ClientHello.compression_methods. For resumed sessions
2192 this field is the value from the resumed session state.
2194 server_hello_extension_list
2195 A list of extensions. Note that only extensions offered by the
2196 client can appear in the server's list.
2198 7.4.1.4 Hello Extensions
2200 The extension format is:
2202 struct {
2203 ExtensionType extension_type;
2204 opaque extension_data<0..2^16-1>;
2205 } Extension;
2207 enum {
2208 signature_hash_types(TBD-BY-IANA), (65535)
2209 } ExtensionType;
2213 Dierks & Rescorla Standards Track [Page 41]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2216 Here:
2218 - "extension_type" identifies the particular extension type.
2220 - "extension_data" contains information specific to the particular
2221 extension type.
2223 The list of extension types, as defined in Section 2.3, is maintained
2224 by the Internet Assigned Numbers Authority (IANA). Thus an
2225 application needs to be made to the IANA in order to obtain a new
2226 extension type value. Since there are subtle (and not so subtle)
2227 interactions that may occur in this protocol between new features and
2228 existing features which may result in a significant reduction in
2229 overall security, new values SHALL be defined only through the IETF
2230 Consensus process specified in [IANA]. (This means that new
2231 assignments can be made only via RFCs approved by the IESG.) The
2232 initial set of extensions is defined in a companion document [TBD].
2234 The following considerations should be taken into account when
2235 designing new extensions:
2237 - Some cases where a server does not agree to an extension are
2238 error
2239 conditions, and some simply a refusal to support a particular
2240 feature. In general error alerts should be used for the former,
2241 and a field in the server extension response for the latter.
2243 - Extensions should as far as possible be designed to prevent any
2244 attack that forces use (or non-use) of a particular feature by
2245 manipulation of handshake messages. This principle should be
2246 followed regardless of whether the feature is believed to cause a
2247 security problem.
2249 Often the fact that the extension fields are included in the
2250 inputs to the Finished message hashes will be sufficient, but
2251 extreme care is needed when the extension changes the meaning of
2252 messages sent in the handshake phase. Designers and implementors
2253 should be aware of the fact that until the handshake has been
2254 authenticated, active attackers can modify messages and insert,
2255 remove, or replace extensions.
2257 - It would be technically possible to use extensions to change
2258 major aspects of the design of TLS; for example the design of
2259 cipher suite negotiation. This is not recommended; it would be
2260 more appropriate to define a new version of TLS - particularly
2261 since the TLS handshake algorithms have specific protection
2262 against version rollback attacks based on the version number, and
2263 the possibility of version rollback should be a significant
2267 Dierks & Rescorla Standards Track [Page 42]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2270 consideration in any major design change.
2272 7.4.1.4.1 Cert Hash Types
2274 The client MAY use the "signature_hash_types" to indicate to the
2275 server which hash functions may be used in digital signatures.
2276 The "extension_data" field of this extension contains:
2278 enum{
2279 md5(0), sha1(1), sha256(2), sha384(3), sha512(4), (255)
2280 } HashType;
2282 struct {
2283 HashType types<1..255>;
2284 } SignatureHashTypes;
2286 These values indicate support for MD5 [MD5], SHA-1, SHA-256, SHA-384,
2287 and SHA-512 [SHA] respectively. The server MUST NOT send this
2288 extension. The values are indicated in descending order of
2289 preference.
2291 Clients SHOULD send this extension if they support any algorithm
2292 other than SHA-1. If this extension is not used, servers SHOULD
2293 assume that the client supports only SHA-1. Note: this is a change
2294 from TLS 1.1 where there are no explicit rules but as a practical
2295 matter one can assume that the peer supports MD5 and SHA-1.
2297 7.4.2. Server Certificate
2299 When this message will be sent:
2300 The server MUST send a certificate whenever the agreed-upon key
2301 exchange method uses certificates for authentication (this
2302 includes all key exchange methods defined in this document except
2303 DH_anon). This message will always immediately follow the server
2304 hello message.
2306 Meaning of this message:
2307 The certificate type MUST be appropriate for the selected cipher
2308 suite's key exchange algorithm, and is generally an X.509v3
2309 certificate. It MUST contain a key that matches the key exchange
2310 method, as follows. Unless otherwise specified, the signing
2311 algorithm for the certificate MUST be the same as the algorithm
2312 for the certificate key. Unless otherwise specified, the public
2313 key MAY be of any length.
2315 Key Exchange Algorithm Certificate Key Type
2317 RSA RSA public key; the certificate MUST
2321 Dierks & Rescorla Standards Track [Page 43]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2324 allow the key to be used for encryption.
2326 DHE_DSS DSS public key.
2328 DHE_RSA RSA public key that can be used for
2329 signing.
2331 DH_DSS Diffie-Hellman key. The algorithm used
2332 to sign the certificate MUST be DSS.
2334 DH_RSA Diffie-Hellman key. The algorithm used
2335 to sign the certificate MUST be RSA.
2337 All certificate profiles and key and cryptographic formats are
2338 defined by the IETF PKIX working group [PKIX]. When a key usage
2339 extension is present, the digitalSignature bit MUST be set for the
2340 key to be eligible for signing, as described above, and the
2341 keyEncipherment bit MUST be present to allow encryption, as described
2342 above. The keyAgreement bit must be set on Diffie-Hellman
2343 certificates.
2345 As CipherSuites that specify new key exchange methods are specified
2346 for the TLS Protocol, they will imply certificate format and the
2347 required encoded keying information.
2349 Structure of this message:
2350 opaque ASN.1Cert<1..2^24-1>;
2352 struct {
2353 ASN.1Cert certificate_list<0..2^24-1>;
2354 } Certificate;
2356 certificate_list
2357 This is a sequence (chain) of X.509v3 certificates. The sender's
2358 certificate must come first in the list. Each following
2359 certificate must directly certify the one preceding it. Because
2360 certificate validation requires that root keys be distributed
2361 independently, the self-signed certificate that specifies the
2362 root certificate authority may optionally be omitted from the
2363 chain, under the assumption that the remote end must already
2364 possess it in order to validate it in any case.
2366 The same message type and structure will be used for the client's
2367 response to a certificate request message. Note that a client MAY
2368 send no certificates if it does not have an appropriate certificate
2369 to send in response to the server's authentication request.
2371 Note: PKCS #7 [PKCS7] is not used as the format for the certificate
2375 Dierks & Rescorla Standards Track [Page 44]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2378 vector because PKCS #6 [PKCS6] extended certificates are not
2379 used. Also, PKCS #7 defines a SET rather than a SEQUENCE, making
2380 the task of parsing the list more difficult.
2382 7.4.3. Server Key Exchange Message
2384 When this message will be sent:
2385 This message will be sent immediately after the server
2386 certificate message (or the server hello message, if this is an
2387 anonymous negotiation).
2389 The server key exchange message is sent by the server only when
2390 the server certificate message (if sent) does not contain enough
2391 data to allow the client to exchange a premaster secret. This is
2392 true for the following key exchange methods:
2394 DHE_DSS
2395 DHE_RSA
2396 DH_anon
2398 It is not legal to send the server key exchange message for the
2399 following key exchange methods:
2401 RSA
2402 DH_DSS
2403 DH_RSA
2405 Meaning of this message:
2406 This message conveys cryptographic information to allow the
2407 client to communicate the premaster secret: a Diffie-Hellman
2408 public key with which the client can complete a key exchange
2409 (with the result being the premaster secret) or a public key for
2410 some other algorithm.
2412 As additional CipherSuites are defined for TLS that include new key
2413 exchange algorithms, the server key exchange message will be sent if
2414 and only if the certificate type associated with the key exchange
2415 algorithm does not provide enough information for the client to
2416 exchange a premaster secret.
2418 If the client has offered the SignatureHashTypes extension, the hash
2419 function MUST be one of those listed in that extension. Otherwise it
2420 MUST be assumed that only SHA-1 is supported.
2422 If the SignatureAlgorithm being used to sign the ServerKeyExchange
2423 message is DSA, the hash algorithm MUST be SHA-1. [TODO: This is
2424 incorrect. What it should say is that it must be specified in the
2425 SPKI of the cert. However, I don't believe this is actually defined.
2429 Dierks & Rescorla Standards Track [Page 45]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2432 Rather, the DSA certs just say dsa. We need new certs to say
2433 dsaWithSHAXXX.]
2435 If the SignatureAlgorithm is RSA, then any hash function accepted by
2436 the client MAY be used. The selected hash function MUST be indicated
2437 in the digest_algorithm field of the signature structure.
2439 The hash algorithm is denoted Hash below. Hash.length is the length
2440 of the output of that algorithm.
2442 Structure of this message:
2443 enum { diffie_hellman } KeyExchangeAlgorithm;
2445 struct {
2446 opaque dh_p<1..2^16-1>;
2447 opaque dh_g<1..2^16-1>;
2448 opaque dh_Ys<1..2^16-1>;
2449 } ServerDHParams; /* Ephemeral DH parameters */
2451 dh_p
2452 The prime modulus used for the Diffie-Hellman operation.
2454 dh_g
2455 The generator used for the Diffie-Hellman operation.
2457 dh_Ys
2458 The server's Diffie-Hellman public value (g^X mod p).
2460 struct {
2461 select (KeyExchangeAlgorithm) {
2462 case diffie_hellman:
2463 ServerDHParams params;
2464 Signature signed_params;
2465 };
2466 } ServerKeyExchange;
2468 struct {
2469 select (KeyExchangeAlgorithm) {
2470 case diffie_hellman:
2471 ServerDHParams params;
2472 };
2473 } ServerParams;
2475 params
2476 The server's key exchange parameters.
2478 signed_params
2479 For non-anonymous key exchanges, a hash of the corresponding
2483 Dierks & Rescorla Standards Track [Page 46]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2486 params value, with the signature appropriate to that hash
2487 applied.
2489 hash
2490 Hash(ClientHello.random + ServerHello.random + ServerParams)
2492 sha_hash
2493 SHA1(ClientHello.random + ServerHello.random + ServerParams)
2495 enum { anonymous, rsa, dsa } SignatureAlgorithm;
2498 struct {
2499 select (SignatureAlgorithm) {
2500 case anonymous: struct { };
2501 case rsa:
2502 HashType digest_algorithm; // NEW
2503 digitally-signed struct {
2504 opaque hash[Hash.length];
2505 };
2506 case dsa:
2507 digitally-signed struct {
2508 opaque sha_hash[20];
2509 };
2510 };
2511 };
2512 } Signature;
2514 7.4.4. Certificate Request
2516 When this message will be sent:
2517 A non-anonymous server can optionally request a certificate from
2518 the client, if appropriate for the selected cipher suite. This
2519 message, if sent, will immediately follow the Server Key Exchange
2520 message (if it is sent; otherwise, the Server Certificate
2521 message).
2523 Structure of this message:
2524 enum {
2525 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
2526 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
2527 fortezza_dms_RESERVED(20),
2528 (255)
2529 } ClientCertificateType;
2532 opaque DistinguishedName<1..2^16-1>;
2537 Dierks & Rescorla Standards Track [Page 47]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2540 struct {
2541 ClientCertificateType certificate_types<1..2^8-1>;
2542 HashType certificate_hash<1..2^8-1>;
2543 DistinguishedName certificate_authorities<0..2^16-1>;
2544 } CertificateRequest;
2546 certificate_types
2547 This field is a list of the types of certificates requested,
2548 sorted in order of the server's preference.
2550 certificate_types
2551 A list of the types of certificate types which the client may
2552 offer.
2553 rsa_sign a certificate containing an RSA key
2554 dss_sign a certificate containing a DSS key
2555 rsa_fixed_dh a certificate signed with RSA and containing
2556 a static DH key.
2557 dss_fixed_dh a certificate signed with DSS and containing
2558 a static DH key
2560 Certificate types rsa_sign and dss_sign SHOULD contain
2561 certificates signed with the same algorithm. However, this is
2562 not required. This is a holdover from TLS 1.0 and 1.1.
2565 certificate_hash
2566 A list of acceptable hash algorithms to be used in signatures
2567 in both the client certificate and the CertificateVerify.
2568 These algorithms are listed in descending order of
2569 preference.
2572 certificate_authorities
2573 A list of the distinguished names of acceptable certificate
2574 authorities. These distinguished names may specify a desired
2575 distinguished name for a root CA or for a subordinate CA;
2576 thus, this message can be used both to describe known roots
2577 and a desired authorization space. If the
2578 certificate_authorities list is empty then the client MAY
2579 send any certificate of the appropriate
2580 ClientCertificateType, unless there is some external
2581 arrangement to the contrary.
2583 New ClientCertificateType values are assigned by IANA as described in
2584 Section 11.
2586 Note: Values listed as RESERVED may not be used. They were
2587 used in SSLv3.
2591 Dierks & Rescorla Standards Track [Page 48]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2594 Note: DistinguishedName is derived from [X501]. DistinguishedNames are
2595 represented in DER-encoded format.
2597 Note: It is a fatal handshake_failure alert for an anonymous server to
2598 request client authentication.
2600 7.4.5 Server hello done
2602 When this message will be sent:
2603 The server hello done message is sent by the server to indicate
2604 the end of the server hello and associated messages. After
2605 sending this message, the server will wait for a client response.
2607 Meaning of this message:
2608 This message means that the server is done sending messages to
2609 support the key exchange, and the client can proceed with its
2610 phase of the key exchange.
2612 Upon receipt of the server hello done message, the client SHOULD
2613 verify that the server provided a valid certificate, if required
2614 and check that the server hello parameters are acceptable.
2616 Structure of this message:
2617 struct { } ServerHelloDone;
2619 7.4.6. Client Certificate
2621 When this message will be sent:
2622 This is the first message the client can send after receiving a
2623 server hello done message. This message is only sent if the
2624 server requests a certificate. If no suitable certificate is
2625 available, the client SHOULD send a certificate message
2626 containing no certificates. That is, the certificate_list
2627 structure has a length of zero. If client authentication is
2628 required by the server for the handshake to continue, it may
2629 respond with a fatal handshake failure alert. Client certificates
2630 are sent using the Certificate structure defined in Section
2631 7.4.2.
2634 Note: When using a static Diffie-Hellman based key exchange method
2635 (DH_DSS or DH_RSA), if client authentication is requested, the
2636 Diffie-Hellman group and generator encoded in the client's
2637 certificate MUST match the server specified Diffie-Hellman
2638 parameters if the client's parameters are to be used for the key
2639 exchange.
2641 7.4.7. Client Key Exchange Message
2645 Dierks & Rescorla Standards Track [Page 49]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2648 When this message will be sent:
2649 This message is always sent by the client. It MUST immediately
2650 follow the client certificate message, if it is sent. Otherwise
2651 it MUST be the first message sent by the client after it receives
2652 the server hello done message.
2654 Meaning of this message:
2655 With this message, the premaster secret is set, either though
2656 direct transmission of the RSA-encrypted secret, or by the
2657 transmission of Diffie-Hellman parameters that will allow each
2658 side to agree upon the same premaster secret. When the key
2659 exchange method is DH_RSA or DH_DSS, client certification has
2660 been requested, and the client was able to respond with a
2661 certificate that contained a Diffie-Hellman public key whose
2662 parameters (group and generator) matched those specified by the
2663 server in its certificate, this message MUST not contain any
2664 data.
2666 Structure of this message:
2667 The choice of messages depends on which key exchange method has
2668 been selected. See Section 7.4.3 for the KeyExchangeAlgorithm
2669 definition.
2671 struct {
2672 select (KeyExchangeAlgorithm) {
2673 case rsa: EncryptedPreMasterSecret;
2674 case diffie_hellman: ClientDiffieHellmanPublic;
2675 } exchange_keys;
2676 } ClientKeyExchange;
2678 7.4.7.1. RSA Encrypted Premaster Secret Message
2680 Meaning of this message:
2681 If RSA is being used for key agreement and authentication, the
2682 client generates a 48-byte premaster secret, encrypts it using
2683 the public key from the server's certificate and sends the result
2684 in an encrypted premaster secret message. This structure is a
2685 variant of the client key exchange message and is not a message
2686 in itself.
2688 Structure of this message:
2689 struct {
2690 ProtocolVersion client_version;
2691 opaque random[46];
2692 } PreMasterSecret;
2694 client_version
2695 The latest (newest) version supported by the client. This is
2699 Dierks & Rescorla Standards Track [Page 50]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2702 used to detect version roll-back attacks. Upon receiving the
2703 premaster secret, the server SHOULD check that this value
2704 matches the value transmitted by the client in the client
2705 hello message.
2707 random
2708 46 securely-generated random bytes.
2710 struct {
2711 public-key-encrypted PreMasterSecret pre_master_secret;
2712 } EncryptedPreMasterSecret;
2714 pre_master_secret
2715 This random value is generated by the client and is used to
2716 generate the master secret, as specified in Section 8.1.
2718 Note: The version number in the PreMasterSecret is the version offered
2719 by the client in the ClientHello.client_version, not the
2720 version negotiated for the connection. This feature is
2721 designed to prevent rollback attacks. Unfortunately, some
2722 old implementations use the negotiated version instead and
2723 therefore checking the version number may lead to failure to
2724 interoperate with such incorrect client implementations.
2726 Client implementations MUST always send the correct version
2727 number in PreMasterSecret. If ClientHello.client_version is
2728 TLS 1.1 or higher, server implementations MUST check the
2729 version number as described in the note below. If the version
2730 number is earlier than 1.0, server implementations SHOULD
2731 check the version number, but MAY have a configuration option
2732 to disable the check. Note that if the check fails, the
2733 PreMasterSecret SHOULD be randomized as described below.
2735 Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al.
2736 [KPR03] can be used to attack a TLS server that reveals whether a
2737 particular message, when decrypted, is properly PKCS#1 formatted,
2738 contains a valid PreMasterSecret structure, or has the correct
2739 version number.
2741 The best way to avoid these vulnerabilities is to treat incorrectly
2742 formatted messages in a manner indistinguishable from correctly
2743 formatted RSA blocks. In other words:
2745 1. Generate a string R of 46 random bytes
2747 2. Decrypt the message M
2749 3. If the PKCS#1 padding is not correct, or the length of
2753 Dierks & Rescorla Standards Track [Page 51]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2756 message M is not exactly 48 bytes:
2757 premaster secret = ClientHello.client_version || R
2758 else If ClientHello.client_version <= TLS 1.0, and
2759 version number check is explicitly disabled:
2760 premaster secret = M
2761 else:
2762 premaster secret = ClientHello.client_version || M[2..47]
2764 In any case, a TLS server MUST NOT generate an alert if processing an
2765 RSA-encrypted premaster secret message fails, or the version number
2766 is not as expected. Instead, it MUST continue the handshake with a
2767 randomly generated premaster secret. It may be useful to log the
2768 real cause of failure for troubleshooting purposes; however, care
2769 must be taken to avoid leaking the information to an attacker
2770 (though, e.g., timing, log files, or other channels.
2772 The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure
2773 against the Bleichenbacher attack. However, for maximal compatibility
2774 with earlier versions of TLS, this specification uses the RSAES-
2775 PKCS1-v1_5 scheme. No variants of the Bleichenbacher attack are known
2776 to exist provided that the above recommendations are followed.
2778 Implementation Note: Public-key-encrypted data is represented as an
2779 opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted
2780 PreMasterSecret in a ClientKeyExchange is preceded by two length
2781 bytes. These bytes are redundant in the case of RSA because the
2782 EncryptedPreMasterSecret is the only data in the ClientKeyExchange
2783 and its length can therefore be unambiguously determined. The SSLv3
2784 specification was not clear about the encoding of public-key-
2785 encrypted data, and therefore many SSLv3 implementations do not
2786 include the the length bytes, encoding the RSA encrypted data
2787 directly in the ClientKeyExchange message.
2789 This specification requires correct encoding of the
2790 EncryptedPreMasterSecret complete with length bytes. The resulting
2791 PDU is incompatible with many SSLv3 implementations. Implementors
2792 upgrading from SSLv3 MUST modify their implementations to generate
2793 and accept the correct encoding. Implementors who wish to be
2794 compatible with both SSLv3 and TLS should make their implementation's
2795 behavior dependent on the protocol version.
2797 Implementation Note: It is now known that remote timing-based attacks
2798 on SSL are possible, at least when the client and server are on the
2799 same LAN. Accordingly, implementations that use static RSA keys MUST
2800 use RSA blinding or some other anti-timing technique, as described in
2801 [TIMING].
2807 Dierks & Rescorla Standards Track [Page 52]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2810 7.4.7.1. Client Diffie-Hellman Public Value
2812 Meaning of this message:
2813 This structure conveys the client's Diffie-Hellman public value
2814 (Yc) if it was not already included in the client's certificate.
2815 The encoding used for Yc is determined by the enumerated
2816 PublicValueEncoding. This structure is a variant of the client
2817 key exchange message, and not a message in itself.
2819 Structure of this message:
2820 enum { implicit, explicit } PublicValueEncoding;
2822 implicit
2823 If the client certificate already contains a suitable Diffie-
2824 Hellman key, then Yc is implicit and does not need to be sent
2825 again. In this case, the client key exchange message will be
2826 sent, but it MUST be empty.
2828 explicit
2829 Yc needs to be sent.
2831 struct {
2832 select (PublicValueEncoding) {
2833 case implicit: struct { };
2834 case explicit: opaque dh_Yc<1..2^16-1>;
2835 } dh_public;
2836 } ClientDiffieHellmanPublic;
2838 dh_Yc
2839 The client's Diffie-Hellman public value (Yc).
2841 7.4.8. Certificate verify
2843 When this message will be sent:
2844 This message is used to provide explicit verification of a client
2845 certificate. This message is only sent following a client
2846 certificate that has signing capability (i.e. all certificates
2847 except those containing fixed Diffie-Hellman parameters). When
2848 sent, it MUST immediately follow the client key exchange message.
2850 Structure of this message:
2851 struct {
2852 Signature signature;
2853 } CertificateVerify;
2855 The Signature type is defined in 7.4.3.
2861 Dierks & Rescorla Standards Track [Page 53]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2864 The hash function MUST be one of the algorithms offered in the
2865 CertificateRequest message.
2867 If the SignatureAlgorithm being used to sign the ServerKeyExchange
2868 message is DSA, the hash function used MUST be SHA-1.
2869 [TODO: This is incorrect. What it should say is that it must
2870 be specified in the SPKI of the cert. However, I don't believe
2871 this is actually defined. Rather, the DSA certs just say
2872 dsa. We need new certs to say dsaWithSHAXXX]
2874 If the SignatureAlgorithm is RSA, then any of the functions offered
2875 by the server may be used. The selected hash function MUST be
2876 indicated in the digest_algorithm field of the signature structure.
2878 The hash algorithm is denoted Hash below.
2880 CertificateVerify.signature.hash
2881 Hash(handshake_messages);
2883 CertificateVerify.signature.sha_hash
2884 SHA(handshake_messages);
2886 Here handshake_messages refers to all handshake messages sent or
2887 received starting at client hello up to but not including this
2888 message, including the type and length fields of the handshake
2889 messages. This is the concatenation of all the Handshake structures
2890 as defined in 7.4 exchanged thus far.
2892 7.4.9. Finished
2894 When this message will be sent:
2895 A finished message is always sent immediately after a change
2896 cipher spec message to verify that the key exchange and
2897 authentication processes were successful. It is essential that a
2898 change cipher spec message be received between the other
2899 handshake messages and the Finished message.
2901 Meaning of this message:
2902 The finished message is the first protected with the just-
2903 negotiated algorithms, keys, and secrets. Recipients of finished
2904 messages MUST verify that the contents are correct. Once a side
2905 has sent its Finished message and received and validated the
2906 Finished message from its peer, it may begin to send and receive
2907 application data over the connection.
2909 struct {
2910 opaque verify_data[12];
2911 } Finished;
2915 Dierks & Rescorla Standards Track [Page 54]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2918 verify_data
2919 PRF(master_secret, finished_label, Hash(handshake_messages))[0..11];
2921 finished_label
2922 For Finished messages sent by the client, the string "client
2923 finished". For Finished messages sent by the server, the
2924 string "server finished".
2926 Hash denotes the negotiated hash used for the PRF. If a new
2927 PRF is defined, then this hash MUST be specified.
2929 handshake_messages
2930 All of the data from all messages in this handshake (not
2931 including any HelloRequest messages) up to but not including
2932 this message. This is only data visible at the handshake
2933 layer and does not include record layer headers. This is the
2934 concatenation of all the Handshake structures as defined in
2935 7.4, exchanged thus far.
2937 It is a fatal error if a finished message is not preceded by a change
2938 cipher spec message at the appropriate point in the handshake.
2940 The value handshake_messages includes all handshake messages starting
2941 at client hello up to, but not including, this finished message. This
2942 may be different from handshake_messages in Section 7.4.9 because it
2943 would include the certificate verify message (if sent). Also, the
2944 handshake_messages for the finished message sent by the client will
2945 be different from that for the finished message sent by the server,
2946 because the one that is sent second will include the prior one.
2948 Note: Change cipher spec messages, alerts and, any other record types
2949 are not handshake messages and are not included in the hash
2950 computations. Also, Hello Request messages are omitted from
2951 handshake hashes.
2953 8. Cryptographic Computations
2955 In order to begin connection protection, the TLS Record Protocol
2956 requires specification of a suite of algorithms, a master secret, and
2957 the client and server random values. The authentication, encryption,
2958 and MAC algorithms are determined by the cipher_suite selected by the
2959 server and revealed in the server hello message. The compression
2960 algorithm is negotiated in the hello messages, and the random values
2961 are exchanged in the hello messages. All that remains is to calculate
2962 the master secret.
2964 8.1. Computing the Master Secret
2969 Dierks & Rescorla Standards Track [Page 55]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
2972 For all key exchange methods, the same algorithm is used to convert
2973 the pre_master_secret into the master_secret. The pre_master_secret
2974 should be deleted from memory once the master_secret has been
2975 computed.
2977 master_secret = PRF(pre_master_secret, "master secret",
2978 ClientHello.random + ServerHello.random)
2979 [0..47];
2981 The master secret is always exactly 48 bytes in length. The length of
2982 the premaster secret will vary depending on key exchange method.
2984 8.1.1. RSA
2986 When RSA is used for server authentication and key exchange, a
2987 48-byte pre_master_secret is generated by the client, encrypted under
2988 the server's public key, and sent to the server. The server uses its
2989 private key to decrypt the pre_master_secret. Both parties then
2990 convert the pre_master_secret into the master_secret, as specified
2991 above.
2993 8.1.2. Diffie-Hellman
2995 A conventional Diffie-Hellman computation is performed. The
2996 negotiated key (Z) is used as the pre_master_secret, and is converted
2997 into the master_secret, as specified above. Leading bytes of Z that
2998 contain all zero bits are stripped before it is used as the
2999 pre_master_secret.
3001 Note: Diffie-Hellman parameters are specified by the server and may
3002 be either ephemeral or contained within the server's certificate.
3004 9. Mandatory Cipher Suites
3006 In the absence of an application profile standard specifying
3007 otherwise, a TLS compliant application MUST implement the cipher
3008 suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
3010 10. Application Data Protocol
3012 Application data messages are carried by the Record Layer and are
3013 fragmented, compressed, and encrypted based on the current connection
3014 state. The messages are treated as transparent data to the record
3015 layer.
3017 11. Security Considerations
3019 Security issues are discussed throughoutthis memo, especially in
3023 Dierks & Rescorla Standards Track [Page 56]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3026 Appendices D, E, and F.
3028 12. IANA Considerations
3030 This document uses several registries that were originally created in
3031 [RFC4346]. IANA is requested to update (has updated) these to
3032 reference this document. The registries and their allocation policies
3033 (unchanged from [RFC4346]) are listed below.
3035 o TLS ClientCertificateType Identifiers Registry: Future
3036 values in the range 0-63 (decimal) inclusive are assigned via
3037 Standards Action [RFC2434]. Values in the range 64-223
3038 (decimal) inclusive are assigned Specification Required
3039 [RFC2434]. Values from 224-255 (decimal) inclusive are
3040 reserved for Private Use [RFC2434].
3042 o TLS Cipher Suite Registry: Future values with the first byte
3043 in the range 0-191 (decimal) inclusive are assigned via
3044 Standards Action [RFC2434]. Values with the first byte in
3045 the range 192-254 (decimal) are assigned via Specification
3046 Required [RFC2434]. Values with the first byte 255 (decimal)
3047 are reserved for Private Use [RFC2434].
3049 o TLS ContentType Registry: Future values are allocated via
3050 Standards Action [RFC2434].
3052 o TLS Alert Registry: Future values are allocated via
3053 Standards Action [RFC2434].
3055 o TLS HandshakeType Registry: Future values are allocated via
3056 Standards Action [RFC2434].
3058 This document also uses a registry originally created in [RFC4366].
3059 IANA is requested to update (has updated) it to reference this
3060 document. The registry and its allocation policy (unchanged from
3061 [RFC4366]) is listed below:.
3063 o TLS ExtensionType Registry: Future values are allocated
3064 via IETF Consensus [RFC2434]
3066 In addition, this document defines one new registry to be maintained
3067 by IANA:
3069 o TLS HashType Registry: The registry will be initially
3070 populated with the values described in Section 7.4.1.4.7.
3071 Future values in the range 0-63 (decimal) inclusive are
3072 assigned via Standards Action [RFC2434]. Values in the
3073 range 64-223 (decimal) inclusive are assigned via
3077 Dierks & Rescorla Standards Track [Page 57]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3080 Specification Required [RFC2434]. Values from 224-255
3081 (decimal) inclusive are reserved for Private Use [RFC2434].
3083 This document defines one new TLS extension, cert_hash_type, which is
3084 to be (has been) allocated value TBD-BY-IANA in the TLS ExtensionType
3085 registry.
3131 Dierks & Rescorla Standards Track [Page 58]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3134 Appendix A. Protocol Constant Values
3136 This section describes protocol types and constants.
3138 A.1. Record Layer
3140 struct {
3141 uint8 major, minor;
3142 } ProtocolVersion;
3144 ProtocolVersion version = { 3, 3 }; /* TLS v1.2*/
3146 enum {
3147 change_cipher_spec(20), alert(21), handshake(22),
3148 application_data(23), (255)
3149 } ContentType;
3151 struct {
3152 ContentType type;
3153 ProtocolVersion version;
3154 uint16 length;
3155 opaque fragment[TLSPlaintext.length];
3156 } TLSPlaintext;
3158 struct {
3159 ContentType type;
3160 ProtocolVersion version;
3161 uint16 length;
3162 opaque fragment[TLSCompressed.length];
3163 } TLSCompressed;
3165 struct {
3166 ContentType type;
3167 ProtocolVersion version;
3168 uint16 length;
3169 select (SecurityParameters.cipher_type) {
3170 case stream: GenericStreamCipher;
3171 case block: GenericBlockCipher;
3172 case aead: GenericAEADCipher;
3173 } fragment;
3174 } TLSCiphertext;
3176 stream-ciphered struct {
3177 opaque content[TLSCompressed.length];
3178 opaque MAC[SecurityParameters.mac_length];
3179 } GenericStreamCipher;
3181 block-ciphered struct {
3185 Dierks & Rescorla Standards Track [Page 59]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3188 opaque IV[SecurityParameters.block_length];
3189 opaque content[TLSCompressed.length];
3190 opaque MAC[SecurityParameters.mac_length];
3191 uint8 padding[GenericBlockCipher.padding_length];
3192 uint8 padding_length;
3193 } GenericBlockCipher;
3195 aead-ciphered struct {
3196 opaque IV[SecurityParameters.iv_length];
3197 opaque aead_output[AEADEncrypted.length];
3198 } GenericAEADCipher;
3200 A.2. Change Cipher Specs Message
3202 struct {
3203 enum { change_cipher_spec(1), (255) } type;
3204 } ChangeCipherSpec;
3206 A.3. Alert Messages
3208 enum { warning(1), fatal(2), (255) } AlertLevel;
3210 enum {
3211 close_notify(0),
3212 unexpected_message(10),
3213 bad_record_mac(20),
3214 decryption_failed_RESERVED(21),
3215 record_overflow(22),
3216 decompression_failure(30),
3217 handshake_failure(40),
3218 no_certificate_RESERVED(41),
3219 bad_certificate(42),
3220 unsupported_certificate(43),
3221 certificate_revoked(44),
3222 certificate_expired(45),
3223 certificate_unknown(46),
3224 illegal_parameter(47),
3225 unknown_ca(48),
3226 access_denied(49),
3227 decode_error(50),
3228 decrypt_error(51),
3229 export_restriction_RESERVED(60),
3230 protocol_version(70),
3231 insufficient_security(71),
3232 internal_error(80),
3233 user_canceled(90),
3234 no_renegotiation(100),
3235 unsupported_extension(110), /* new */
3239 Dierks & Rescorla Standards Track [Page 60]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3242 (255)
3243 } AlertDescription;
3245 struct {
3246 AlertLevel level;
3247 AlertDescription description;
3248 } Alert;
3293 Dierks & Rescorla Standards Track [Page 61]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3296 A.4. Handshake Protocol
3298 enum {
3299 hello_request(0), client_hello(1), server_hello(2),
3300 certificate(11), server_key_exchange (12),
3301 certificate_request(13), server_hello_done(14),
3302 certificate_verify(15), client_key_exchange(16),
3303 finished(20)
3304 (255)
3305 } HandshakeType;
3307 struct {
3308 HandshakeType msg_type;
3309 uint24 length;
3310 select (HandshakeType) {
3311 case hello_request: HelloRequest;
3312 case client_hello: ClientHello;
3313 case server_hello: ServerHello;
3314 case certificate: Certificate;
3315 case server_key_exchange: ServerKeyExchange;
3316 case certificate_request: CertificateRequest;
3317 case server_hello_done: ServerHelloDone;
3318 case certificate_verify: CertificateVerify;
3319 case client_key_exchange: ClientKeyExchange;
3320 case finished: Finished;
3321 } body;
3322 } Handshake;
3324 A.4.1. Hello Messages
3326 struct { } HelloRequest;
3328 struct {
3329 uint32 gmt_unix_time;
3330 opaque random_bytes[28];
3331 } Random;
3333 opaque SessionID<0..32>;
3335 uint8 CipherSuite[2];
3337 enum { null(0), (255) } CompressionMethod;
3339 struct {
3340 ProtocolVersion client_version;
3341 Random random;
3342 SessionID session_id;
3343 CipherSuite cipher_suites<2..2^16-1>;
3347 Dierks & Rescorla Standards Track [Page 62]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3350 CompressionMethod compression_methods<1..2^8-1>;
3351 select (extensions_present) {
3352 case false:
3353 struct {};
3354 case true:
3355 Extension extensions<0..2^16-1>;
3356 }
3357 } ClientHello;
3359 struct {
3360 ProtocolVersion server_version;
3361 Random random;
3362 SessionID session_id;
3363 CipherSuite cipher_suite;
3364 CompressionMethod compression_method;
3365 select (extensions_present) {
3366 case false:
3367 struct {};
3368 case true:
3369 Extension extensions<0..2^16-1>;
3370 }
3371 } ServerHello;
3373 struct {
3374 ExtensionType extension_type;
3375 opaque extension_data<0..2^16-1>;
3376 } Extension;
3378 enum {
3379 signature_hash_types(TBD-BY-IANA), (65535)
3380 } ExtensionType;
3382 A.4.2. Server Authentication and Key Exchange Messages
3384 opaque ASN.1Cert<2^24-1>;
3386 struct {
3387 ASN.1Cert certificate_list<0..2^24-1>;
3388 } Certificate;
3390 enum { diffie_hellman } KeyExchangeAlgorithm;
3392 struct {
3393 opaque dh_p<1..2^16-1>;
3394 opaque dh_g<1..2^16-1>;
3395 opaque dh_Ys<1..2^16-1>;
3396 } ServerDHParams;
3401 Dierks & Rescorla Standards Track [Page 63]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3404 struct {
3405 select (KeyExchangeAlgorithm) {
3406 case diffie_hellman:
3407 ServerDHParams params;
3408 Signature signed_params;
3409 } ServerKeyExchange;
3411 enum { anonymous, rsa, dsa } SignatureAlgorithm;
3413 struct {
3414 select (KeyExchangeAlgorithm) {
3415 case diffie_hellman:
3416 ServerDHParams params;
3417 };
3418 } ServerParams;
3420 struct {
3421 select (SignatureAlgorithm) {
3422 case anonymous: struct { };
3423 case rsa:
3424 HashType digest_algorithm; // NEW
3425 digitally-signed struct {
3426 opaque hash[Hash.length];
3427 };
3428 case dsa:
3429 digitally-signed struct {
3430 opaque sha_hash[20];
3431 };
3432 };
3433 };
3434 } Signature;
3436 enum {
3437 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3438 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
3439 fortezza_dms_RESERVED(20),
3440 (255)
3441 } ClientCertificateType;
3443 opaque DistinguishedName<1..2^16-1>;
3445 struct {
3446 ClientCertificateType certificate_types<1..2^8-1>;
3447 DistinguishedName certificate_authorities<0..2^16-1>;
3448 } CertificateRequest;
3450 struct { } ServerHelloDone;
3455 Dierks & Rescorla Standards Track [Page 64]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3458 A.4.3. Client Authentication and Key Exchange Messages
3460 struct {
3461 select (KeyExchangeAlgorithm) {
3462 case rsa: EncryptedPreMasterSecret;
3463 case diffie_hellman: ClientDiffieHellmanPublic;
3464 } exchange_keys;
3465 } ClientKeyExchange;
3467 struct {
3468 ProtocolVersion client_version;
3469 opaque random[46];
3470 } PreMasterSecret;
3472 struct {
3473 public-key-encrypted PreMasterSecret pre_master_secret;
3474 } EncryptedPreMasterSecret;
3476 enum { implicit, explicit } PublicValueEncoding;
3478 struct {
3479 select (PublicValueEncoding) {
3480 case implicit: struct {};
3481 case explicit: opaque DH_Yc<1..2^16-1>;
3482 } dh_public;
3483 } ClientDiffieHellmanPublic;
3485 struct {
3486 Signature signature;
3487 } CertificateVerify;
3489 A.4.4. Handshake Finalization Message
3491 struct {
3492 opaque verify_data[12];
3493 } Finished;
3495 A.5. The CipherSuite
3497 The following values define the CipherSuite codes used in the client
3498 hello and server hello messages.
3500 A CipherSuite defines a cipher specification supported in TLS Version
3501 1.1.
3503 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
3504 TLS connection during the first handshake on that channel, but MUST
3505 not be negotiated, as it provides no more protection than an
3509 Dierks & Rescorla Standards Track [Page 65]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3512 unsecured connection.
3514 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
3516 The following CipherSuite definitions require that the server provide
3517 an RSA certificate that can be used for key exchange. The server may
3518 request either an RSA or a DSS signature-capable certificate in the
3519 certificate request message.
3521 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
3522 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
3523 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
3524 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
3525 CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
3526 CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
3527 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
3528 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
3529 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };
3531 The following CipherSuite definitions are used for server-
3532 authenticated (and optionally client-authenticated) Diffie-Hellman.
3533 DH denotes cipher suites in which the server's certificate contains
3534 the Diffie-Hellman parameters signed by the certificate authority
3535 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman
3536 parameters are signed by a DSS or RSA certificate, which has been
3537 signed by the CA. The signing algorithm used is specified after the
3538 DH or DHE parameter. The server can request an RSA or DSS signature-
3539 capable certificate from the client for client authentication or it
3540 may request a Diffie-Hellman certificate. Any Diffie-Hellman
3541 certificate provided by the client must use the parameters (group and
3542 generator) described by the server.
3544 CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
3545 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
3546 CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
3547 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
3548 CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
3549 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
3550 CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
3551 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
3552 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
3553 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
3554 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
3555 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
3556 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };
3557 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };
3558 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };
3559 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };
3563 Dierks & Rescorla Standards Track [Page 66]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3566 The following cipher suites are used for completely anonymous Diffie-
3567 Hellman communications in which neither party is authenticated. Note
3568 that this mode is vulnerable to man-in-the-middle attacks. Using
3569 this mode therefore is of limited use: These ciphersuites MUST NOT be
3570 used by TLS 1.2 implementations unless the application layer has
3571 specifically requested to allow anonymous key exchange. (Anonymous
3572 key exchange may sometimes be acceptable, for example, to support
3573 opportunistic encryption when no set-up for authentication is in
3574 place, or when TLS is used as part of more complex security protocols
3575 that have other means to ensure authentication.)
3577 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00, 0x18 };
3578 CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00, 0x1A };
3579 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x1B };
3580 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
3581 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
3583 Note that using non-anonymous key exchange without actually verifying
3584 the key exchange is essentially equivalent to anonymous key exchange,
3585 and the same precautions apply. While non-anonymous key exchange
3586 will generally involve a higher computational and communicational
3587 cost than anonymous key exchange, it may be in the interest of
3588 interoperability not to disable non-anonymous key exchange when the
3589 application layer is allowing anonymous key exchange.
3591 When SSLv3 and TLS 1.0 were designed, the United States restricted
3592 the export of cryptographic software containing certain strong
3593 encryption algorithms. A series of cipher suites were designed to
3594 operate at reduced key lengths in order to comply with those
3595 regulations. Due to advances in computer performance, these
3596 algorithms are now unacceptably weak and export restrictions have
3597 since been loosened. TLS 1.2 implementations MUST NOT negotiate these
3598 cipher suites in TLS 1.2 mode. However, for backward compatibility
3599 they may be offered in the ClientHello for use with TLS 1.0 or SSLv3
3600 only servers. TLS 1.2 clients MUST check that the server did not
3601 choose one of these cipher suites during the handshake. These
3602 ciphersuites are listed below for informational purposes and to
3603 reserve the numbers.
3605 CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
3606 CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
3607 CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
3608 CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
3609 CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
3610 CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
3611 CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
3612 CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
3613 CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
3617 Dierks & Rescorla Standards Track [Page 67]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3620 The following cipher suites were defined in [TLSKRB] and are included
3621 here for completeness. See [TLSKRB] for details:
3623 CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E };
3624 CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
3625 CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 };
3626 CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
3627 CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 };
3628 CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
3629 CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 };
3630 CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
3632 The following exportable cipher suites were defined in [TLSKRB] and
3633 are included here for completeness. TLS 1.2 implementations MUST NOT
3634 negotiate these cipher suites.
3636 CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26
3637 };
3638 CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27
3639 };
3640 CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28
3641 };
3642 CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29
3643 };
3644 CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A
3645 };
3646 CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B
3647 };
3650 New cipher suite values are assigned by IANA as described in Section
3651 11.
3653 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
3654 reserved to avoid collision with Fortezza-based cipher suites in SSL
3655 3.
3657 A.6. The Security Parameters
3659 These security parameters are determined by the TLS Handshake
3660 Protocol and provided as parameters to the TLS Record Layer in order
3661 to initialize a connection state. SecurityParameters includes:
3663 enum { null(0), (255) } CompressionMethod;
3665 enum { server, client } ConnectionEnd;
3667 enum { null, rc4, rc2, des, 3des, des40, aes, idea }
3671 Dierks & Rescorla Standards Track [Page 68]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3674 BulkCipherAlgorithm;
3676 enum { stream, block, aead } CipherType;
3678 enum { null, md5, sha } MACAlgorithm;
3680 /* The algorithms specified in CompressionMethod,
3681 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
3683 struct {
3684 ConnectionEnd entity;
3685 BulkCipherAlgorithm bulk_cipher_algorithm;
3686 CipherType cipher_type;
3687 uint8 enc_key_length;
3688 uint8 block_length;
3689 uint8 iv_length;
3690 MACAlgorithm mac_algorithm;
3691 uint8 mac_length;
3692 uint8 mac_key_length;
3693 CompressionMethod compression_algorithm;
3694 opaque master_secret[48];
3695 opaque client_random[32];
3696 opaque server_random[32];
3697 } SecurityParameters;
3725 Dierks & Rescorla Standards Track [Page 69]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3728 Appendix B. Glossary
3730 Advanced Encryption Standard (AES)
3731 AES is a widely used symmetric encryption algorithm. AES is a
3732 block cipher with a 128, 192, or 256 bit keys and a 16 byte block
3733 size. [AES] TLS currently only supports the 128 and 256 bit key
3734 sizes.
3736 application protocol
3737 An application protocol is a protocol that normally layers
3738 directly on top of the transport layer (e.g., TCP/IP). Examples
3739 include HTTP, TELNET, FTP, and SMTP.
3741 asymmetric cipher
3742 See public key cryptography.
3744 authenticated encryption with additional data (AEAD)
3745 A symmetric encryption algorithm that simultaneously provides
3746 confidentiality and message integrity.
3748 authentication
3749 Authentication is the ability of one entity to determine the
3750 identity of another entity.
3752 block cipher
3753 A block cipher is an algorithm that operates on plaintext in
3754 groups of bits, called blocks. 64 bits is a common block size.
3756 bulk cipher
3757 A symmetric encryption algorithm used to encrypt large quantities
3758 of data.
3760 cipher block chaining (CBC)
3761 CBC is a mode in which every plaintext block encrypted with a
3762 block cipher is first exclusive-ORed with the previous ciphertext
3763 block (or, in the case of the first block, with the
3764 initialization vector). For decryption, every block is first
3765 decrypted, then exclusive-ORed with the previous ciphertext block
3766 (or IV).
3768 certificate
3769 As part of the X.509 protocol (a.k.a. ISO Authentication
3770 framework), certificates are assigned by a trusted Certificate
3771 Authority and provide a strong binding between a party's identity
3772 or some other attributes and its public key.
3774 client
3775 The application entity that initiates a TLS connection to a
3779 Dierks & Rescorla Standards Track [Page 70]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3782 server. This may or may not imply that the client initiated the
3783 underlying transport connection. The primary operational
3784 difference between the server and client is that the server is
3785 generally authenticated, while the client is only optionally
3786 authenticated.
3788 client write key
3789 The key used to encrypt data written by the client.
3791 client write MAC secret
3792 The secret data used to authenticate data written by the client.
3794 connection
3795 A connection is a transport (in the OSI layering model
3796 definition) that provides a suitable type of service. For TLS,
3797 such connections are peer-to-peer relationships. The connections
3798 are transient. Every connection is associated with one session.
3800 Data Encryption Standard
3801 DES is a very widely used symmetric encryption algorithm. DES is
3802 a block cipher with a 56 bit key and an 8 byte block size. Note
3803 that in TLS, for key generation purposes, DES is treated as
3804 having an 8 byte key length (64 bits), but it still only provides
3805 56 bits of protection. (The low bit of each key byte is presumed
3806 to be set to produce odd parity in that key byte.) DES can also
3807 be operated in a mode where three independent keys and three
3808 encryptions are used for each block of data; this uses 168 bits
3809 of key (24 bytes in the TLS key generation method) and provides
3810 the equivalent of 112 bits of security. [DES], [3DES]
3812 Digital Signature Standard (DSS)
3813 A standard for digital signing, including the Digital Signing
3814 Algorithm, approved by the National Institute of Standards and
3815 Technology, defined in NIST FIPS PUB 186, "Digital Signature
3816 Standard", published May, 1994 by the U.S. Dept. of Commerce.
3817 [DSS]
3819 digital signatures
3820 Digital signatures utilize public key cryptography and one-way
3821 hash functions to produce a signature of the data that can be
3822 authenticated, and is difficult to forge or repudiate.
3824 handshake
3825 An initial negotiation between client and server that establishes
3826 the parameters of their transactions.
3828 Initialization Vector (IV)
3829 When a block cipher is used in CBC mode, the initialization
3833 Dierks & Rescorla Standards Track [Page 71]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3836 vector is exclusive-ORed with the first plaintext block prior to
3837 encryption.
3839 IDEA
3840 A 64-bit block cipher designed by Xuejia Lai and James Massey.
3841 [IDEA]
3843 Message Authentication Code (MAC)
3844 A Message Authentication Code is a one-way hash computed from a
3845 message and some secret data. It is difficult to forge without
3846 knowing the secret data. Its purpose is to detect if the message
3847 has been altered.
3849 master secret
3850 Secure secret data used for generating encryption keys, MAC
3851 secrets, and IVs.
3853 MD5
3854 MD5 is a secure hashing function that converts an arbitrarily
3855 long data stream into a digest of fixed size (16 bytes). [MD5]
3857 public key cryptography
3858 A class of cryptographic techniques employing two-key ciphers.
3859 Messages encrypted with the public key can only be decrypted with
3860 the associated private key. Conversely, messages signed with the
3861 private key can be verified with the public key.
3863 one-way hash function
3864 A one-way transformation that converts an arbitrary amount of
3865 data into a fixed-length hash. It is computationally hard to
3866 reverse the transformation or to find collisions. MD5 and SHA are
3867 examples of one-way hash functions.
3869 RC2
3870 A block cipher developed by Ron Rivest at RSA Data Security, Inc.
3871 [RSADSI] described in [RC2].
3873 RC4
3874 A stream cipher invented by Ron Rivest. A compatible cipher is
3875 described in [SCH].
3877 RSA
3878 A very widely used public-key algorithm that can be used for
3879 either encryption or digital signing. [RSA]
3881 server
3882 The server is the application entity that responds to requests
3883 for connections from clients. See also under client.
3887 Dierks & Rescorla Standards Track [Page 72]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3890 session
3891 A TLS session is an association between a client and a server.
3892 Sessions are created by the handshake protocol. Sessions define a
3893 set of cryptographic security parameters that can be shared among
3894 multiple connections. Sessions are used to avoid the expensive
3895 negotiation of new security parameters for each connection.
3897 session identifier
3898 A session identifier is a value generated by a server that
3899 identifies a particular session.
3901 server write key
3902 The key used to encrypt data written by the server.
3904 server write MAC secret
3905 The secret data used to authenticate data written by the server.
3907 SHA
3908 The Secure Hash Algorithm is defined in FIPS PUB 180-2. It
3909 produces a 20-byte output. Note that all references to SHA
3910 actually use the modified SHA-1 algorithm. [SHA]
3912 SSL
3913 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
3914 SSL Version 3.0
3916 stream cipher
3917 An encryption algorithm that converts a key into a
3918 cryptographically strong keystream, which is then exclusive-ORed
3919 with the plaintext.
3921 symmetric cipher
3922 See bulk cipher.
3924 Transport Layer Security (TLS)
3925 This protocol; also, the Transport Layer Security working group
3926 of the Internet Engineering Task Force (IETF). See "Comments" at
3927 the end of this document.
3941 Dierks & Rescorla Standards Track [Page 73]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3944 Appendix C. CipherSuite Definitions
3946 CipherSuite Key Cipher Hash
3947 Exchange
3949 TLS_NULL_WITH_NULL_NULL NULL NULL NULL
3950 TLS_RSA_WITH_NULL_MD5 RSA NULL MD5
3951 TLS_RSA_WITH_NULL_SHA RSA NULL SHA
3952 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
3953 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
3954 TLS_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA
3955 TLS_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA
3956 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
3957 TLS_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA
3958 TLS_RSA_WITH_AES_256_SHA RSA AES_256_CBC SHA
3959 TLS_DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA
3960 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
3961 TLS_DH_RSA_WITH_DES_CBC_SHA DH_RSA DES_CBC SHA
3962 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
3963 TLS_DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA
3964 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
3965 TLS_DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA
3966 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
3967 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
3968 TLS_DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA
3969 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
3970 TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA
3971 TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA
3972 TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA
3973 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA
3974 TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA
3975 TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA
3976 TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA
3977 TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA
3978 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA
3979 TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA
3981 Key
3982 Exchange
3983 Algorithm Description Key size limit
3985 DHE_DSS Ephemeral DH with DSS signatures None
3986 DHE_RSA Ephemeral DH with RSA signatures None
3987 DH_anon Anonymous DH, no signatures None
3988 DH_DSS DH with DSS-based certificates None
3989 DH_RSA DH with RSA-based certificates None
3990 RSA = none
3991 NULL No key exchange N/A
3995 Dierks & Rescorla Standards Track [Page 74]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
3998 RSA RSA key exchange None
4000 Key Expanded IV Block
4001 Cipher Type Material Key Material Size Size
4003 NULL Stream 0 0 0 N/A
4004 IDEA_CBC Block 16 16 8 8
4005 RC2_CBC_40 Block 5 16 8 8
4006 RC4_40 Stream 5 16 0 N/A
4007 RC4_128 Stream 16 16 0 N/A
4008 DES40_CBC Block 5 8 8 8
4009 DES_CBC Block 8 8 8 8
4010 3DES_EDE_CBC Block 24 24 8 8
4012 Type
4013 Indicates whether this is a stream cipher or a block cipher
4014 running in CBC mode.
4016 Key Material
4017 The number of bytes from the key_block that are used for
4018 generating the write keys.
4020 Expanded Key Material
4021 The number of bytes actually fed into the encryption algorithm.
4023 IV Size
4024 The amount of data needed to be generated for the initialization
4025 vector. Zero for stream ciphers; equal to the block size for
4026 block ciphers.
4028 Block Size
4029 The amount of data a block cipher enciphers in one chunk; a
4030 block cipher running in CBC mode can only encrypt an even
4031 multiple of its block size.
4033 Hash Hash Padding
4034 function Size Size
4035 NULL 0 0
4036 MD5 16 48
4037 SHA 20 40
4049 Dierks & Rescorla Standards Track [Page 75]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4052 Appendix D. Implementation Notes
4054 The TLS protocol cannot prevent many common security mistakes. This
4055 section provides several recommendations to assist implementors.
4057 D.1 Random Number Generation and Seeding
4059 TLS requires a cryptographically secure pseudorandom number generator
4060 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
4061 based on secure hash operations, most notably MD5 and/or SHA, are
4062 acceptable, but cannot provide more security than the size of the
4063 random number generator state. (For example, MD5-based PRNGs usually
4064 provide 128 bits of state.)
4066 To estimate the amount of seed material being produced, add the
4067 number of bits of unpredictable information in each seed byte. For
4068 example, keystroke timing values taken from a PC compatible's 18.2 Hz
4069 timer provide 1 or 2 secure bits each, even though the total size of
4070 the counter value is 16 bits or more. Seeding a 128-bit PRNG would
4071 thus require approximately 100 such timer values.
4073 [RANDOM] provides guidance on the generation of random values.
4075 D.2 Certificates and Authentication
4077 Implementations are responsible for verifying the integrity of
4078 certificates and should generally support certificate revocation
4079 messages. Certificates should always be verified to ensure proper
4080 signing by a trusted Certificate Authority (CA). The selection and
4081 addition of trusted CAs should be done very carefully. Users should
4082 be able to view information about the certificate and root CA.
4084 D.3 CipherSuites
4086 TLS supports a range of key sizes and security levels, including some
4087 that provide no or minimal security. A proper implementation will
4088 probably not support many cipher suites. For instance, anonymous
4089 Diffie-Hellman is strongly discouraged because it cannot prevent man-
4090 in-the-middle attacks. Applications should also enforce minimum and
4091 maximum key sizes. For example, certificate chains containing 512-bit
4092 RSA keys or signatures are not appropriate for high-security
4093 applications.
4103 Dierks & Rescorla Standards Track [Page 76]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4106 Appendix E. Backward Compatibility
4108 E.1 Compatibility with TLS 1.0/1.1 and SSL 3.0
4110 Since there are various versions of TLS (1.0, 1.1, 1.2, and any
4111 future versions) and SSL (2.0 and 3.0), means are needed to negotiate
4112 the specific protocol version to use. The TLS protocol provides a
4113 built-in mechanism for version negotiation so as not to bother other
4114 protocol components with the complexities of version selection.
4116 TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
4117 compatible ClientHello messages; thus, supporting all of them is
4118 relatively easy. Similarly, servers can easily handle clients trying
4119 to use future versions of TLS as long as the ClientHello format
4120 remains compatible, and the client support the highest protocol
4121 version available in the server.
4123 A TLS 1.2 client who wishes to negotiate with such older servers will
4124 send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
4125 ClientHello.client_version. If the server does not support this
4126 version, it will respond with ServerHello containing an older version
4127 number. If the client agrees to use this version, the negotiation
4128 will proceed as appropriate for the negotiated protocol.
4130 If the version chosen by the server is not supported by the client
4131 (or not acceptable), the client MUST send a "protocol_version" alert
4132 message and close the connection.
4134 If a TLS server receives a ClientHello containing a version number
4135 greater than the highest version supported by the server, it MUST
4136 reply according to the highest version supported by the server.
4138 A TLS server can also receive a ClientHello containing version number
4139 smaller than the highest supported version. If the server wishes to
4140 negotiate with old clients, it will proceed as appropriate for the
4141 highest version supported by the server that is not greater than
4142 ClientHello.client_version. For example, if the server supports TLS
4143 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will
4144 proceed with a TLS 1.0 ServerHello. If server supports (or is willing
4145 to use) only versions greater than client_version, it MUST send a
4146 "protocol_version" alert message and close the connection.
4148 Whenever a client already knows the highest protocol known to a
4149 server (for example, when resuming a session), it SHOULD initiate the
4150 connection in that native protocol.
4152 Note: some server implementations are known to implement version
4153 negotiation incorrectly. For example, there are buggy TLS 1.0 servers
4157 Dierks & Rescorla Standards Track [Page 77]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4160 that simply close the connection when the client offers a version
4161 newer than TLS 1.0. Also, it is known that some servers will refuse
4162 connection if any TLS extensions are included in ClientHello.
4163 Interoperability with such buggy servers is a complex topic beyond
4164 the scope of this document, and may require multiple connection
4165 attempts by the client.
4167 Earlier versions of the TLS specification were not fully clear on
4168 what the record layer version number (TLSPlaintext.version) should
4169 contain when sending ClientHello (i.e., before it is known which
4170 version of the protocol will be employed). Thus, TLS servers
4171 compliant with this specification MUST accept any value {03,XX} as
4172 the record layer version number for ClientHello.
4174 TLS clients that wish to negotiate with older servers MAY send any
4175 value {03,XX} as the record layer version number. Typical values
4176 would be {03,00}, the lowest version number supported by the client,
4177 and the value of ClientHello.client_version. No single value will
4178 guarantee interoperability with all old servers, but this is a
4179 complex topic beyond the scope of this document.
4181 E.2 Compatibility with SSL 2.0
4183 TLS 1.2 clients that wish to support SSL 2.0 servers MUST send
4184 version 2.0 CLIENT-HELLO messages defined in [SSL2]. The message MUST
4185 contain the same version number as would be used for ordinary
4186 ClientHello, and MUST encode the supported TLS ciphersuites in the
4187 CIPHER-SPECS-DATA field as described below.
4189 Warning: The ability to send version 2.0 CLIENT-HELLO messages will be
4190 phased out with all due haste, since the newer ClientHello format
4191 provides better mechanisms for moving to newer versions and
4192 negotiating extensions. TLS 1.2 clients SHOULD NOT support SSL 2.0.
4194 However, even TLS servers that do not support SSL 2.0 SHOULD accept
4195 version 2.0 CLIENT-HELLO messages. The message is presented below in
4196 sufficient detail for TLS server implementors; the true definition is
4197 still assumed to be [SSL2].
4199 For negotiation purposes, 2.0 CLIENT-HELLO is interpreted the same
4200 way as a ClientHello with a "null" compression method and no
4201 extensions. Note that this message MUST be sent directly on the wire,
4202 not wrapped as a TLS record. For the purposes of calculating Finished
4203 and CertificateVerify, the msg_length field is not considered to be a
4204 part of the handshake message.
4206 uint8 V2CipherSpec[3];
4211 Dierks & Rescorla Standards Track [Page 78]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4214 struct {
4215 uint16 msg_length;
4216 uint8 msg_type;
4217 Version version;
4218 uint16 cipher_spec_length;
4219 uint16 session_id_length;
4220 uint16 challenge_length;
4221 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
4222 opaque session_id[V2ClientHello.session_id_length];
4223 opaque challenge[V2ClientHello.challenge_length;
4224 } V2ClientHello;
4226 msg_length
4227 The highest bit MUST be 1; the remaining bits contain the
4228 length of the following data in bytes.
4230 msg_type
4231 This field, in conjunction with the version field, identifies a
4232 version 2 client hello message. The value MUST be one (1).
4234 version
4235 Equal to ClientHello.client_version.
4237 cipher_spec_length
4238 This field is the total length of the field cipher_specs. It
4239 cannot be zero and MUST be a multiple of the V2CipherSpec length
4240 (3).
4242 session_id_length
4243 This field MUST have a value of zero for a client that claims to
4244 support TLS 1.2.
4246 challenge_length
4247 The length in bytes of the client's challenge to the server to
4248 authenticate itself. Historically, permissible values are between
4249 16 and 32 bytes inclusive. When using the SSLv2 backward
4250 compatible handshake the client SHOULD use a 32 byte challenge.
4252 cipher_specs
4253 This is a list of all CipherSpecs the client is willing and able
4254 to use. In addition to the 2.0 cipher specs defined in [SSL2],
4255 this includes the TLS cipher suites normally sent in
4256 ClientHello.cipher_suites, each cipher suite prefixed by a zero
4257 byte. For example, TLS ciphersuite {0x00,0x0A} would be sent as
4258 {0x00,0x00,0x0A}.
4260 session_id
4261 This field MUST be empty.
4265 Dierks & Rescorla Standards Track [Page 79]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4268 challenge
4269 Corresponds to ClientHello.random. If the challenge length is
4270 less than 32, the TLS server will pad the data with leading
4271 (note: not trailing) zero bytes to make it 32 bytes long.
4273 Note: Requests to resume a TLS session MUST use a TLS client hello.
4275 E.2. Avoiding Man-in-the-Middle Version Rollback
4277 When TLS clients fall back to Version 2.0 compatibility mode, they
4278 MUST use special PKCS#1 block formatting. This is done so that TLS
4279 servers will reject Version 2.0 sessions with TLS-capable clients.
4281 When a client negotiates SSL 2.0 but also supports TLS, it MUST set
4282 the right-hand (least-significant) 8 random bytes of the PKCS padding
4283 (not including the terminal null of the padding) for the RSA
4284 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
4285 to 0x03 (the other padding bytes are random).
4287 When a TLS-capable server negotiates SSL 2.0 it SHOULD, after
4288 decrypting the ENCRYPTED-KEY-DATA field, check that these eight
4289 padding bytes are 0x03. If they are not, the server SHOULD generate a
4290 random value for SECRET-KEY-DATA, and continue the handshake (which
4291 will eventually fail since the keys will not match). Note that
4292 reporting the error situation to the client could make the server
4293 vulnerable to attacks described in [BLEI].
4319 Dierks & Rescorla Standards Track [Page 80]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4322 Appendix F. Security Analysis
4324 The TLS protocol is designed to establish a secure connection between
4325 a client and a server communicating over an insecure channel. This
4326 document makes several traditional assumptions, including that
4327 attackers have substantial computational resources and cannot obtain
4328 secret information from sources outside the protocol. Attackers are
4329 assumed to have the ability to capture, modify, delete, replay, and
4330 otherwise tamper with messages sent over the communication channel.
4331 This appendix outlines how TLS has been designed to resist a variety
4332 of attacks.
4334 F.1. Handshake Protocol
4336 The handshake protocol is responsible for selecting a CipherSpec and
4337 generating a Master Secret, which together comprise the primary
4338 cryptographic parameters associated with a secure session. The
4339 handshake protocol can also optionally authenticate parties who have
4340 certificates signed by a trusted certificate authority.
4342 F.1.1. Authentication and Key Exchange
4344 TLS supports three authentication modes: authentication of both
4345 parties, server authentication with an unauthenticated client, and
4346 total anonymity. Whenever the server is authenticated, the channel is
4347 secure against man-in-the-middle attacks, but completely anonymous
4348 sessions are inherently vulnerable to such attacks. Anonymous
4349 servers cannot authenticate clients. If the server is authenticated,
4350 its certificate message must provide a valid certificate chain
4351 leading to an acceptable certificate authority. Similarly,
4352 authenticated clients must supply an acceptable certificate to the
4353 server. Each party is responsible for verifying that the other's
4354 certificate is valid and has not expired or been revoked.
4356 The general goal of the key exchange process is to create a
4357 pre_master_secret known to the communicating parties and not to
4358 attackers. The pre_master_secret will be used to generate the
4359 master_secret (see Section 8.1). The master_secret is required to
4360 generate the finished messages, encryption keys, and MAC secrets (see
4361 Sections 7.4.9 and 6.3). By sending a correct finished message,
4362 parties thus prove that they know the correct pre_master_secret.
4364 F.1.1.1. Anonymous Key Exchange
4366 Completely anonymous sessions can be established using RSA or Diffie-
4367 Hellman for key exchange. With anonymous RSA, the client encrypts a
4368 pre_master_secret with the server's uncertified public key extracted
4369 from the server key exchange message. The result is sent in a client
4373 Dierks & Rescorla Standards Track [Page 81]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4376 key exchange message. Since eavesdroppers do not know the server's
4377 private key, it will be infeasible for them to decode the
4378 pre_master_secret.
4380 Note: No anonymous RSA Cipher Suites are defined in this document.
4382 With Diffie-Hellman, the server's public parameters are contained in
4383 the server key exchange message and the client's are sent in the
4384 client key exchange message. Eavesdroppers who do not know the
4385 private values should not be able to find the Diffie-Hellman result
4386 (i.e. the pre_master_secret).
4388 Warning: Completely anonymous connections only provide protection
4389 against passive eavesdropping. Unless an independent tamper-
4390 proof channel is used to verify that the finished messages
4391 were not replaced by an attacker, server authentication is
4392 required in environments where active man-in-the-middle
4393 attacks are a concern.
4395 F.1.1.2. RSA Key Exchange and Authentication
4397 With RSA, key exchange and server authentication are combined. The
4398 public key is contained in the server's certificate. Note that
4399 compromise of the server's static RSA key results in a loss of
4400 confidentiality for all sessions protected under that static key. TLS
4401 users desiring Perfect Forward Secrecy should use DHE cipher suites.
4402 The damage done by exposure of a private key can be limited by
4403 changing one's private key (and certificate) frequently.
4405 After verifying the server's certificate, the client encrypts a
4406 pre_master_secret with the server's public key. By successfully
4407 decoding the pre_master_secret and producing a correct finished
4408 message, the server demonstrates that it knows the private key
4409 corresponding to the server certificate.
4411 When RSA is used for key exchange, clients are authenticated using
4412 the certificate verify message (see Section 7.4.9). The client signs
4413 a value derived from the master_secret and all preceding handshake
4414 messages. These handshake messages include the server certificate,
4415 which binds the signature to the server, and ServerHello.random,
4416 which binds the signature to the current handshake process.
4418 F.1.1.3. Diffie-Hellman Key Exchange with Authentication
4420 When Diffie-Hellman key exchange is used, the server can either
4421 supply a certificate containing fixed Diffie-Hellman parameters or
4422 use the server key exchange message to send a set of temporary
4423 Diffie-Hellman parameters signed with a DSS or RSA certificate.
4427 Dierks & Rescorla Standards Track [Page 82]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4430 Temporary parameters are hashed with the hello.random values before
4431 signing to ensure that attackers do not replay old parameters. In
4432 either case, the client can verify the certificate or signature to
4433 ensure that the parameters belong to the server.
4435 If the client has a certificate containing fixed Diffie-Hellman
4436 parameters, its certificate contains the information required to
4437 complete the key exchange. Note that in this case the client and
4438 server will generate the same Diffie-Hellman result (i.e.,
4439 pre_master_secret) every time they communicate. To prevent the
4440 pre_master_secret from staying in memory any longer than necessary,
4441 it should be converted into the master_secret as soon as possible.
4442 Client Diffie-Hellman parameters must be compatible with those
4443 supplied by the server for the key exchange to work.
4445 If the client has a standard DSS or RSA certificate or is
4446 unauthenticated, it sends a set of temporary parameters to the server
4447 in the client key exchange message, then optionally uses a
4448 certificate verify message to authenticate itself.
4450 If the same DH keypair is to be used for multiple handshakes, either
4451 because the client or server has a certificate containing a fixed DH
4452 keypair or because the server is reusing DH keys, care must be taken
4453 to prevent small subgroup attacks. Implementations SHOULD follow the
4454 guidelines found in [SUBGROUP].
4456 Small subgroup attacks are most easily avoided by using one of the
4457 DHE ciphersuites and generating a fresh DH private key (X) for each
4458 handshake. If a suitable base (such as 2) is chosen, g^X mod p can be
4459 computed very quickly, therefore the performance cost is minimized.
4460 Additionally, using a fresh key for each handshake provides Perfect
4461 Forward Secrecy. Implementations SHOULD generate a new X for each
4462 handshake when using DHE ciphersuites.
4464 Because TLS allows the server to provide arbitrary DH groups, the
4465 client SHOULD verify the correctness of the DH group. [TODO: provide
4466 a reference to some document describing how] and that it is of
4467 suitable size as defined by local policy. The client SHOULD also
4468 verify that the DH public exponent appears to be of adequate size.
4469 The server MAY choose to assist the client by providing a known
4470 group, such as those defined in [IKEALG] or [MODP]. These can be
4471 verified by simple comparison.
4473 F.1.2. Version Rollback Attacks
4475 Because TLS includes substantial improvements over SSL Version 2.0,
4476 attackers may try to make TLS-capable clients and servers fall back
4477 to Version 2.0. This attack can occur if (and only if) two TLS-
4481 Dierks & Rescorla Standards Track [Page 83]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4484 capable parties use an SSL 2.0 handshake.
4486 Although the solution using non-random PKCS #1 block type 2 message
4487 padding is inelegant, it provides a reasonably secure way for Version
4488 3.0 servers to detect the attack. This solution is not secure against
4489 attackers who can brute force the key and substitute a new ENCRYPTED-
4490 KEY-DATA message containing the same key (but with normal padding)
4491 before the application specified wait threshold has expired. Altering
4492 the padding of the least significant 8 bytes of the PKCS padding does
4493 not impact security for the size of the signed hashes and RSA key
4494 lengths used in the protocol, since this is essentially equivalent to
4495 increasing the input block size by 8 bytes.
4497 F.1.3. Detecting Attacks Against the Handshake Protocol
4499 An attacker might try to influence the handshake exchange to make the
4500 parties select different encryption algorithms than they would
4501 normally chooses.
4503 For this attack, an attacker must actively change one or more
4504 handshake messages. If this occurs, the client and server will
4505 compute different values for the handshake message hashes. As a
4506 result, the parties will not accept each others' finished messages.
4507 Without the master_secret, the attacker cannot repair the finished
4508 messages, so the attack will be discovered.
4510 F.1.4. Resuming Sessions
4512 When a connection is established by resuming a session, new
4513 ClientHello.random and ServerHello.random values are hashed with the
4514 session's master_secret. Provided that the master_secret has not been
4515 compromised and that the secure hash operations used to produce the
4516 encryption keys and MAC secrets are secure, the connection should be
4517 secure and effectively independent from previous connections.
4518 Attackers cannot use known encryption keys or MAC secrets to
4519 compromise the master_secret without breaking the secure hash
4520 operations (which use both SHA and MD5).
4522 Sessions cannot be resumed unless both the client and server agree.
4523 If either party suspects that the session may have been compromised,
4524 or that certificates may have expired or been revoked, it should
4525 force a full handshake. An upper limit of 24 hours is suggested for
4526 session ID lifetimes, since an attacker who obtains a master_secret
4527 may be able to impersonate the compromised party until the
4528 corresponding session ID is retired. Applications that may be run in
4529 relatively insecure environments should not write session IDs to
4530 stable storage.
4535 Dierks & Rescorla Standards Track [Page 84]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4538 F.1.5 Extensions
4540 Security considerations for the extension mechanism in general, and
4541 the design of new extensions, are described in the previous section.
4542 A security analysis of each of the extensions defined in this
4543 document is given below.
4545 In general, implementers should continue to monitor the state of the
4546 art, and address any weaknesses identified.
4548 F.2. Protecting Application Data
4550 The master_secret is hashed with the ClientHello.random and
4551 ServerHello.random to produce unique data encryption keys and MAC
4552 secrets for each connection.
4554 Outgoing data is protected with a MAC before transmission. To prevent
4555 message replay or modification attacks, the MAC is computed from the
4556 MAC secret, the sequence number, the message length, the message
4557 contents, and two fixed character strings. The message type field is
4558 necessary to ensure that messages intended for one TLS Record Layer
4559 client are not redirected to another. The sequence number ensures
4560 that attempts to delete or reorder messages will be detected. Since
4561 sequence numbers are 64 bits long, they should never overflow.
4562 Messages from one party cannot be inserted into the other's output,
4563 since they use independent MAC secrets. Similarly, the server-write
4564 and client-write keys are independent, so stream cipher keys are used
4565 only once.
4567 If an attacker does break an encryption key, all messages encrypted
4568 with it can be read. Similarly, compromise of a MAC key can make
4569 message modification attacks possible. Because MACs are also
4570 encrypted, message-alteration attacks generally require breaking the
4571 encryption algorithm as well as the MAC.
4573 Note: MAC secrets may be larger than encryption keys, so messages can
4574 remain tamper resistant even if encryption keys are broken.
4576 F.3. Explicit IVs
4578 [CBCATT] describes a chosen plaintext attack on TLS that depends
4579 on knowing the IV for a record. Previous versions of TLS [TLS1.0]
4580 used the CBC residue of the previous record as the IV and
4581 therefore enabled this attack. This version uses an explicit IV
4582 in order to protect against this attack.
4589 Dierks & Rescorla Standards Track [Page 85]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4592 F.4. Security of Composite Cipher Modes
4594 TLS secures transmitted application data via the use of symmetric
4595 encryption and authentication functions defined in the negotiated
4596 ciphersuite. The objective is to protect both the integrity and
4597 confidentiality of the transmitted data from malicious actions by
4598 active attackers in the network. It turns out that the order in
4599 which encryption and authentication functions are applied to the
4600 data plays an important role for achieving this goal [ENCAUTH].
4602 The most robust method, called encrypt-then-authenticate, first
4603 applies encryption to the data and then applies a MAC to the
4604 ciphertext. This method ensures that the integrity and
4605 confidentiality goals are obtained with ANY pair of encryption
4606 and MAC functions, provided that the former is secure against
4607 chosen plaintext attacks and that the MAC is secure against
4608 chosen-message attacks. TLS uses another method, called
4609 authenticate-then-encrypt, in which first a MAC is computed on
4610 the plaintext and then the concatenation of plaintext and MAC is
4611 encrypted. This method has been proven secure for CERTAIN
4612 combinations of encryption functions and MAC functions, but it is
4613 not guaranteed to be secure in general. In particular, it has
4614 been shown that there exist perfectly secure encryption functions
4615 (secure even in the information-theoretic sense) that combined
4616 with any secure MAC function, fail to provide the confidentiality
4617 goal against an active attack. Therefore, new ciphersuites and
4618 operation modes adopted into TLS need to be analyzed under the
4619 authenticate-then-encrypt method to verify that they achieve the
4620 stated integrity and confidentiality goals.
4622 Currently, the security of the authenticate-then-encrypt method
4623 has been proven for some important cases. One is the case of
4624 stream ciphers in which a computationally unpredictable pad of
4625 the length of the message, plus the length of the MAC tag, is
4626 produced using a pseudo-random generator and this pad is xor-ed
4627 with the concatenation of plaintext and MAC tag. The other is
4628 the case of CBC mode using a secure block cipher. In this case,
4629 security can be shown if one applies one CBC encryption pass to
4630 the concatenation of plaintext and MAC and uses a new,
4631 independent, and unpredictable IV for each new pair of plaintext
4632 and MAC. In previous versions of SSL, CBC mode was used properly
4633 EXCEPT that it used a predictable IV in the form of the last
4634 block of the previous ciphertext. This made TLS open to chosen
4635 plaintext attacks. This version of the protocol is immune to
4636 those attacks. For exact details in the encryption modes proven
4637 secure, see [ENCAUTH].
4643 Dierks & Rescorla Standards Track [Page 86]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4646 F.5 Denial of Service
4648 TLS is susceptible to a number of denial of service (DoS) attacks.
4649 In particular, an attacker who initiates a large number of TCP
4650 connections can cause a server to consume large amounts of CPU doing
4651 RSA decryption. However, because TLS is generally used over TCP, it
4652 is difficult for the attacker to hide his point of origin if proper
4653 TCP SYN randomization is used [SEQNUM] by the TCP stack.
4655 Because TLS runs over TCP, it is also susceptible to a number of
4656 denial of service attacks on individual connections. In particular,
4657 attackers can forge RSTs, thereby terminating connections, or forge
4658 partial TLS records, thereby causing the connection to stall. These
4659 attacks cannot in general be defended against by a TCP-using
4660 protocol. Implementors or users who are concerned with this class of
4661 attack should use IPsec AH [AH] or ESP [ESP].
4663 F.6. Final Notes
4665 For TLS to be able to provide a secure connection, both the client
4666 and server systems, keys, and applications must be secure. In
4667 addition, the implementation must be free of security errors.
4669 The system is only as strong as the weakest key exchange and
4670 authentication algorithm supported, and only trustworthy
4671 cryptographic functions should be used. Short public keys and
4672 anonymous servers should be used with great caution. Implementations
4673 and users must be careful when deciding which certificates and
4674 certificate authorities are acceptable; a dishonest certificate
4675 authority can do tremendous damage.
4697 Dierks & Rescorla Standards Track [Page 87]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4700 Security Considerations
4702 Security issues are discussed throughout this memo, especially in
4703 Appendices D, E, and F.
4706 Changes in This Version
4708 [RFC Editor: Please delete this]
4710 - Added some guidance about checking DH groups and exponents.
4711 [Issues 15 and 43]
4713 - DigestInfo now MUST be NULL but must be accepted either way
4714 per discussion in Prague [Issue 22]
4716 - Improved versions of Bleichenbacher/Klima/Version number
4717 text for the EPMS (due to Eronen) [Issue 17]
4719 - Cleaned up SSLv2 backward compatibility text [Issue 25]
4721 - Improvements to signature hash agility text [Issue 41].
4722 Still not completely fixed.
4724 - Changed cert_hash_types to signature hash types and indicated a
4725 preference order.
4727 - Strengthened language about when alerts are required. Note
4728 that it is still legal under some circumstances to close
4729 a connection with no alert.
4731 Normative References
4732 [AES] National Institute of Standards and Technology,
4733 "Specification for the Advanced Encryption Standard (AES)"
4734 FIPS 197. November 26, 2001.
4736 [3DES] National Institute of Standards and Tecnology,
4737 "Recommendation for the Triple Data Encryption Algorithm
4738 (TDEA) Block Cipher", NIST Special Publication 800-67, May
4739 2004.
4741 [DES] National Institute of Standards and Technology, "Data
4742 Encryption Standard (DES)", FIPS PUB 46-3, October 1999.
4744 [DSS] NIST FIPS PUB 186-2, "Digital Signature Standard," National
4745 Institute of Standards and Technology, U.S. Department of
4746 Commerce, 2000.
4751 Dierks & Rescorla Standards Track [Page 88]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4754 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
4755 Hashing for Message Authentication", RFC 2104, February
4756 1997.
4758 [IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH
4759 Series in Information Processing, v. 1, Konstanz: Hartung-
4760 Gorre Verlag, 1992.
4762 [MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
4763 April 1992.
4765 [PKCS1] J. Jonsson, B. Kaliski, "Public-Key Cryptography Standards
4766 (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC
4767 3447, February 2003.
4769 [PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
4770 Public Key Infrastructure: Part I: X.509 Certificate and CRL
4771 Profile", RFC 3280, April 2002.
4773 [RC2] Rivest, R., "A Description of the RC2(r) Encryption
4774 Algorithm", RFC 2268, March 1998.
4776 [SCH] B. Schneier. "Applied Cryptography: Protocols, Algorithms,
4777 and Source Code in C, 2ed", Published by John Wiley & Sons,
4778 Inc. 1996.
4780 [SHA] NIST FIPS PUB 180-2, "Secure Hash Standard," National
4781 Institute of Standards and Technology, U.S. Department of
4782 Commerce., August 2001.
4784 [REQ] Bradner, S., "Key words for use in RFCs to Indicate
4785 Requirement Levels", BCP 14, RFC 2119, March 1997.
4787 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
4788 IANA Considerations Section in RFCs", BCP 25, RFC 2434,
4789 October 1998.
4791 [URI] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
4792 Resource Identifiers (URI): Generic Syntax", RFC 2396,
4793 August 1998.
4795 [X509-4th] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594- 8:2001,
4796 "Information Systems - Open Systems Interconnection - The
4797 Directory: Public key and Attribute certificate
4798 frameworks."
4800 [X509-4th-TC1] ITU-T Recommendation X.509(2000) Corrigendum 1(2001) |
4801 ISO/IEC 9594-8:2001/Cor.1:2002, Technical Corrigendum 1 to
4805 Dierks & Rescorla Standards Track [Page 89]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4808 ISO/IEC 9594:8:2001.
4810 Informative References
4812 [AEAD] Mcgrew, D., "Authenticated Encryption", February 2007,
4813 draft-mcgrew-auth-enc-02.txt.
4815 [AH] Kent, S., and Atkinson, R., "IP Authentication Header", RFC
4816 4302, December 2005.
4818 [BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against
4819 Protocols Based on RSA Encryption Standard PKCS #1" in
4820 Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages:
4821 1-12, 1998.
4823 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
4824 Problems and Countermeasures",
4825 http://www.openssl.org/~bodo/tls-cbc.txt.
4827 [CBCTIME] Canvel, B., "Password Interception in a SSL/TLS Channel",
4828 http://lasecwww.epfl.ch/memo_ssl.shtml, 2003.
4830 [CCM] "NIST Special Publication 800-38C: The CCM Mode for
4831 Authentication and Confidentiality",
4832 http://csrc.nist.gov/publications/nistpubs/SP800-38C.pdf.
4834 [ENCAUTH] Krawczyk, H., "The Order of Encryption and Authentication
4835 for Protecting Communications (Or: How Secure is SSL?)",
4836 Crypto 2001.
4838 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
4839 Payload (ESP)", RFC 4303, December 2005.
4841 [GCM] "NIST Special Publication 800-38C: The CCM Mode for
4842 Authentication and Confidentiality",
4843 http://csrc.nist.gov/publications/nistpubs/SP800-38C.pdf.
4845 [IKEALG] Schiller, J., "Cryptographic Algorithms for Use in the
4846 Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December
4847 2005.
4849 [KPR03] Klima, V., Pokorny, O., Rosa, T., "Attacking RSA-based
4850 Sessions in SSL/TLS", http://eprint.iacr.org/2003/052/,
4851 March 2003.
4853 [MODP] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
4854 Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC
4855 3526, May 2003.
4859 Dierks & Rescorla Standards Track [Page 90]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4862 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax
4863 Standard," version 1.5, November 1993.
4865 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax
4866 Standard," version 1.5, November 1993.
4868 [RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness
4869 Requirements for Security", BCP 106, RFC 4086, June 2005.
4871 [RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
4872 Obtaining Digital Signatures and Public-Key Cryptosystems,"
4873 Communications of the ACM, v. 21, n. 2, Feb 1978, pp.
4874 120-126.
4876 [SEQNUM] Bellovin. S., "Defending Against Sequence Number Attacks",
4877 RFC 1948, May 1996.
4879 [SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications
4880 Corp., Feb 9, 1995.
4882 [SSL3] A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol",
4883 Netscape Communications Corp., Nov 18, 1996.
4885 [SUBGROUP] Zuccherato, R., "Methods for Avoiding the "Small-Subgroup"
4886 Attacks on the Diffie-Hellman Key Agreement Method for
4887 S/MIME", RFC 2785, March 2000.
4889 [TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793,
4890 September 1981.
4892 [TIMING] Boneh, D., Brumley, D., "Remote timing attacks are
4893 practical", USENIX Security Symposium 2003.
4895 [TLSAES] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites
4896 for Transport Layer Security (TLS)", RFC 3268, June 2002.
4898 [TLSEXT] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
4899 Wright, T., "Transport Layer Security (TLS) Extensions", RFC
4900 3546, June 2003.
4902 [TLSKRB] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
4903 Suites to Transport Layer Security (TLS)", RFC 2712, October
4904 1999.
4906 [TLS1.0] Dierks, T., and C. Allen, "The TLS Protocol, Version 1.0",
4907 RFC 2246, January 1999.
4909 [TLS1.1] Dierks, T., and E. Rescorla, "The TLS Protocol, Version
4913 Dierks & Rescorla Standards Track [Page 91]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4916 1.1", RFC 4346, April, 2006.
4918 [X501] ITU-T Recommendation X.501: Information Technology - Open
4919 Systems Interconnection - The Directory: Models, 1993.
4921 [X509] ITU-T Recommendation X.509 (1997 E): Information Technology -
4922 Open Systems Interconnection - "The Directory -
4923 Authentication Framework". 1988.
4925 [XDR] Srinivansan, R., Sun Microsystems, "XDR: External Data
4926 Representation Standard", RFC 1832, August 1995.
4929 Credits
4931 Working Group Chairs
4932 Eric Rescorla
4933 EMail: ekr@networkresonance.com
4935 Pasi Eronen
4936 pasi.eronen@nokia.com
4939 Editors
4941 Tim Dierks Eric Rescorla
4942 Independent Network Resonance, Inc.
4944 EMail: tim@dierks.org EMail: ekr@networkresonance.com
4948 Other contributors
4950 Christopher Allen (co-editor of TLS 1.0)
4951 Alacrity Ventures
4952 ChristopherA@AlacrityManagement.com
4954 Martin Abadi
4955 University of California, Santa Cruz
4956 abadi@cs.ucsc.edu
4958 Steven M. Bellovin
4959 Columbia University
4960 smb@cs.columbia.edu
4962 Simon Blake-Wilson
4963 BCI
4967 Dierks & Rescorla Standards Track [Page 92]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
4970 EMail: sblakewilson@bcisse.com
4972 Ran Canetti
4973 IBM
4974 canetti@watson.ibm.com
4976 Pete Chown
4977 Skygate Technology Ltd
4978 pc@skygate.co.uk
4980 Taher Elgamal
4981 taher@securify.com
4982 Securify
4984 Anil Gangolli
4985 anil@busybuddha.org
4987 Kipp Hickman
4989 David Hopwood
4990 Independent Consultant
4991 EMail: david.hopwood@blueyonder.co.uk
4993 Phil Karlton (co-author of SSLv3)
4995 Paul Kocher (co-author of SSLv3)
4996 Cryptography Research
4997 paul@cryptography.com
4999 Hugo Krawczyk
5000 Technion Israel Institute of Technology
5001 hugo@ee.technion.ac.il
5003 Jan Mikkelsen
5004 Transactionware
5005 EMail: janm@transactionware.com
5007 Magnus Nystrom
5008 RSA Security
5009 EMail: magnus@rsasecurity.com
5011 Robert Relyea
5012 Netscape Communications
5013 relyea@netscape.com
5015 Jim Roskind
5016 Netscape Communications
5017 jar@netscape.com
5021 Dierks & Rescorla Standards Track [Page 93]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
5024 Michael Sabin
5026 Dan Simon
5027 Microsoft, Inc.
5028 dansimon@microsoft.com
5030 Tom Weinstein
5032 Tim Wright
5033 Vodafone
5034 EMail: timothy.wright@vodafone.com
5036 Comments
5038 The discussion list for the IETF TLS working group is located at the
5039 e-mail address <tls@ietf.org>. Information on the group and
5040 information on how to subscribe to the list is at
5041 <https://www1.ietf.org/mailman/listinfo/tls>
5043 Archives of the list can be found at:
5044 <http://www.ietf.org/mail-archive/web/tls/current/index.html>
5075 Dierks & Rescorla Standards Track [Page 94]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
5078 Full Copyright Statement
5080 Copyright (C) The IETF Trust (2007).
5082 This document is subject to the rights, licenses and restrictions
5083 contained in BCP 78, and except as set forth therein, the authors
5084 retain all their rights.
5086 This document and the information contained herein are provided on an
5087 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
5088 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
5089 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
5090 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
5091 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
5092 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
5095 Intellectual Property
5097 The IETF takes no position regarding the validity or scope of any
5098 Intellectual Property Rights or other rights that might be claimed to
5099 pertain to the implementation or use of the technology described in
5100 this document or the extent to which any license under such rights
5101 might or might not be available; nor does it represent that it has
5102 made any independent effort to identify any such rights. Information
5103 on the procedures with respect to rights in RFC documents can be
5104 found in BCP 78 and BCP 79.
5106 Copies of IPR disclosures made to the IETF Secretariat and any
5107 assurances of licenses to be made available, or the result of an
5108 attempt made to obtain a general license or permission for the use of
5109 such proprietary rights by implementers or users of this
5110 specification can be obtained from the IETF on-line IPR repository at
5111 http://www.ietf.org/ipr.
5113 The IETF invites any interested party to bring to its attention any
5114 copyrights, patents or patent applications, or other proprietary
5115 rights that may cover technology that may be required to implement
5116 this standard. Please address the information to the IETF at
5117 ietf-ipr@ietf.org.
5120 Acknowledgment
5122 Funding for the RFC Editor function is provided by the IETF
5123 Administrative Support Activity (IASA).
5129 Dierks & Rescorla Standards Track [Page 95]\fdraft-ietf-tls-rfc4346-bis-04.txt TLS June 2007
5183 Dierks & Rescorla Standards Track [Page 96]\f