| blob | e21d270969cd2533b1154456f899a7f6906ab20d |
7 Tim Dierks
8 Independent
9 Eric Rescorla
10 INTERNET-DRAFT RTFM, Inc.
11 <draft-ietf-tls-rfc2246-bis-12.txt> June 2005 (Expires December 2005)
13 The TLS Protocol
14 Version 1.1
16 Status of this Memo
18 By submitting this Internet-Draft, each author represents that
19 any applicable patent or other IPR claims of which he or she is
20 aware have been or will be disclosed, and any of which he or she
21 becomes aware will be disclosed, in accordance with Section 6 of
22 BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that other
26 groups may also distribute working documents as Internet-Drafts.
28 Internet-Drafts are draft documents valid for a maximum of six months
29 and may be updated, replaced, or obsoleted by other documents at any
30 time. It is inappropriate to use Internet-Drafts as reference
31 material or to cite them other than a "work in progress."
33 The list of current Internet-Drafts can be accessed at
34 http://www.ietf.org/1id-abstracts.html
36 The list of Internet-Draft Shadow Directories can be accessed at
37 http://www.ietf.org/shadow.html
39 Copyright Notice
41 Copyright (C) The Internet Society (2005). All Rights Reserved.
43 Abstract
45 This document specifies Version 1.1 of the Transport Layer Security
46 (TLS) protocol. The TLS protocol provides communications security
47 over the Internet. The protocol allows client/server applications to
48 communicate in a way that is designed to prevent eavesdropping,
49 tampering, or message forgery.
51 Table of Contents
53 1. Introduction
54 5 1.1 Requirements Terminology
58 Dierks & Rescorla Standards Track [Page 1]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
61 6 2. Goals
62 7 3. Goals of this document
63 7 4. Presentation language
64 8 4.1. Basic block size
65 9 4.2. Miscellaneous
66 9 4.3. Vectors
67 9 4.4. Numbers
68 10 4.5. Enumerateds
69 10 4.6. Constructed types
70 11 4.6.1. Variants
71 12 4.7. Cryptographic attributes
72 13 4.8. Constants
73 14 5. HMAC and the pseudorandom function
74 14 6. The TLS Record Protocol
75 16 6.1. Connection states
76 17 6.2. Record layer
77 19 6.2.1. Fragmentation
78 19 6.2.2. Record compression and decompression
79 20 6.2.3. Record payload protection
80 21 6.2.3.1. Null or standard stream cipher
81 22 6.2.3.2. CBC block cipher
82 22 6.3. Key calculation
83 25 7. The TLS Handshaking Protocols
84 26 7.1. Change cipher spec protocol
85 27 7.2. Alert protocol
86 27 7.2.1. Closure alerts
87 28 7.2.2. Error alerts
88 29 7.3. Handshake Protocol overview
89 32 7.4. Handshake protocol
90 36 7.4.1. Hello messages
91 37 7.4.1.1. Hello request
92 37 7.4.1.2. Client hello
93 38 7.4.1.3. Server hello
94 40 7.4.2. Server certificate
95 41 7.4.3. Server key exchange message
96 43 7.4.4. Certificate request
97 45 7.4.5. Server hello done
98 46 7.4.6. Client certificate
99 47 7.4.7. Client key exchange message
100 47 7.4.7.1. RSA encrypted premaster secret message
101 48 7.4.7.2. Client Diffie-Hellman public value
102 50 7.4.8. Certificate verify
103 51 7.4.9. Finished
104 51 8. Cryptographic computations
105 52 8.1. Computing the master secret
106 52 8.1.1. RSA
107 54 8.1.2. Diffie-Hellman
108 54 9. Mandatory Cipher Suites
112 Dierks & Rescorla Standards Track [Page 2]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
115 54 A. Protocol constant values
116 56 A.1. Record layer
117 56 A.2. Change cipher specs message
118 57 A.3. Alert messages
119 57 A.4. Handshake protocol
120 58 A.4.1. Hello messages
121 58 A.4.2. Server authentication and key exchange messages
122 59 A.4.3. Client authentication and key exchange messages
123 60 A.4.4. Handshake finalization message
124 61 A.5. The CipherSuite
125 61 A.6. The Security Parameters
126 64 B. Glossary
127 66 C. CipherSuite definitions
128 70 D. Implementation Notes
129 72 D.1 Random Number Generation and Seeding
130 72 D.2 Certificates and authentication
131 72 D.3 CipherSuites
132 72 E. Backward Compatibility With SSL
133 73 E.1. Version 2 client hello
134 74 E.2. Avoiding man-in-the-middle version rollback
135 75 F. Security analysis
136 77 F.1. Handshake protocol
137 77 F.1.1. Authentication and key exchange
138 77 F.1.1.1. Anonymous key exchange
139 77 F.1.1.2. RSA key exchange and authentication
140 78 F.1.1.3. Diffie-Hellman key exchange with authentication
141 79 F.1.2. Version rollback attacks
142 79 F.1.3. Detecting attacks against the handshake protocol
143 80 F.1.4. Resuming sessions
144 80 F.1.5. MD5 and SHA
145 81 F.2. Protecting application data
146 81 F.3. Explicit IVs
147 81 F.4 Security of Composite Cipher Modes
148 82 F.5 Denial of Service
149 83 F.6. Final notes
150 83
153 Change history
155 31-Jun-5 ekr@rtfm.com
156 * IETF Last Call comments (minor cleanups)
158 03-Dec-04 ekr@rtfm.com
159 * Removed export cipher suites
161 26-Oct-04 ekr@rtfm.com
162 * Numerous cleanups from Last Call comments
166 Dierks & Rescorla Standards Track [Page 3]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
169 10-Aug-04 ekr@rtfm.com
170 * Added clarifying material about interleaved application data.
172 27-Jul-04 ekr@rtfm.com
173 * Premature closes no longer cause a session to be nonresumable.
174 Response to WG consensus.
176 * Added IANA considerations and registry for cipher suites
177 and ClientCertificateTypes
179 26-Jun-03 ekr@rtfm.com
180 * Incorporated Last Call comments from Franke Marcus, Jack Lloyd,
181 Brad Wetmore, and others.
183 22-Apr-03 ekr@rtfm.com
184 * coverage of the Vaudenay, Boneh-Brumley, and KPR attacks
185 * cleaned up IV text a bit.
186 * Added discussion of Denial of Service attacks.
188 11-Feb-02 ekr@rtfm.com
189 * Clarified the behavior of empty certificate lists [Nelson Bolyard]
190 * Added text explaining the security implications of authenticate
191 then encrypt.
192 * Cleaned up the explicit IV text.
193 * Added some more acknowledgement names
195 02-Nov-02 ekr@rtfm.com
196 * Changed this to be TLS 1.1.
197 * Added fixes for the Rogaway and Vaudenay CBC attacks
198 * Separated references into normative and informative
200 01-Mar-02 ekr@rtfm.com
201 * Tightened up the language in F.1.1.2 [Peter Watkins]
202 * Fixed smart quotes [Bodo Moeller]
203 * Changed handling of padding errors to prevent CBC-based attack
204 [Bodo Moeller]
205 * Fixed certificate_list spec in the appendix [Aman Sawrup]
206 * Fixed a bug in the V2 definitions [Aman Sawrup]
207 * Fixed S 7.2.1 to point out that you don't need a close notify
208 if you just sent some other fatal alert [Andreas Sterbenz]
209 * Marked alert 41 reserved [Andreas Sterbenz]
210 * Changed S 7.4.2 to point out that 512-bit keys cannot be used for
211 signing [Andreas Sterbenz]
212 * Added reserved client key types from SSLv3 [Andreas Sterbenz]
213 * Changed EXPORT40 to "40-bit EXPORT" in S 9 [Andreas Sterbenz]
214 * Removed RSA patent statement [Andreas Sterbenz]
215 * Removed references to BSAFE and RSAREF [Andreas Sterbenz]
220 Dierks & Rescorla Standards Track [Page 4]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
223 14-Feb-02 ekr@rtfm.com
224 * Re-converted to I-D from RFC
225 * Made RSA/3DES the mandatory cipher suite.
226 * Added discussion of the EncryptedPMS encoding and PMS version number
227 issues to 7.4.7.1
228 * Removed the requirement in 7.4.1.3 that the Server random must be
229 different from the Client random, since these are randomly generated
230 and we don't expect servers to reject Server random values which
231 coincidentally are the same as the Client random.
232 * Replaced may/should/must with MAY/SHOULD/MUST where appropriate.
233 In many cases, shoulds became MUSTs, where I believed that was the
234 actual sense of the text. Added an RFC 2119 bulletin.
235 * Clarified the meaning of "empty certificate" message. [Peter Gutmann]
236 * Redid the CertificateRequest grammar to allow no distinguished names.
237 [Peter Gutmann]
238 * Removed the reference to requiring the master secret to generate
239 the CertificateVerify in F.1.1 [Bodo Moeller]
240 * Deprecated EXPORT40.
241 * Fixed a bunch of errors in the SSLv2 backward compatible client hello.
243 1. Introduction
245 The primary goal of the TLS Protocol is to provide privacy and data
246 integrity between two communicating applications. The protocol is
247 composed of two layers: the TLS Record Protocol and the TLS Handshake
248 Protocol. At the lowest level, layered on top of some reliable
249 transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The
250 TLS Record Protocol provides connection security that has two basic
251 properties:
253 - The connection is private. Symmetric cryptography is used for
254 data encryption (e.g., DES [DES], RC4 [SCH], etc.). The keys for
255 this symmetric encryption are generated uniquely for each
256 connection and are based on a secret negotiated by another
257 protocol (such as the TLS Handshake Protocol). The Record
258 Protocol can also be used without encryption.
260 - The connection is reliable. Message transport includes a message
261 integrity check using a keyed MAC. Secure hash functions (e.g.,
262 SHA, MD5, etc.) are used for MAC computations. The Record
263 Protocol can operate without a MAC, but is generally only used in
264 this mode while another protocol is using the Record Protocol as
265 a transport for negotiating security parameters.
267 The TLS Record Protocol is used for encapsulation of various higher
268 level protocols. One such encapsulated protocol, the TLS Handshake
269 Protocol, allows the server and client to authenticate each other and
270 to negotiate an encryption algorithm and cryptographic keys before
274 Dierks & Rescorla Standards Track [Page 5]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
277 the application protocol transmits or receives its first byte of
278 data. The TLS Handshake Protocol provides connection security that
279 has three basic properties:
281 - The peer's identity can be authenticated using asymmetric, or
282 public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This
283 authentication can be made optional, but is generally required
284 for at least one of the peers.
286 - The negotiation of a shared secret is secure: the negotiated
287 secret is unavailable to eavesdroppers, and for any authenticated
288 connection the secret cannot be obtained, even by an attacker who
289 can place himself in the middle of the connection.
291 - The negotiation is reliable: no attacker can modify the
292 negotiation communication without being detected by the parties
293 to the communication.
295 One advantage of TLS is that it is application protocol independent.
296 Higher level protocols can layer on top of the TLS Protocol
297 transparently. The TLS standard, however, does not specify how
298 protocols add security with TLS; the decisions on how to initiate TLS
299 handshaking and how to interpret the authentication certificates
300 exchanged are left up to the judgment of the designers and
301 implementors of protocols which run on top of TLS.
303 This document is a revision of the TLS 1.0 [TLS1.0] protocol which
304 contains some small security improvements, clarifications, and
305 editorial improvements. The major changes are:
307 - The implicit Initialization Vector (IV) is replaced with an
308 explicit
309 IV to protect against CBC attacks [CBCATT].
311 - Handling of padding errors is changed to use the bad_record_mac
312 alert rather than the decryption_failed alert to protect against
313 CBC attacks.
315 - IANA registries are defined for protocol parameters.
317 - Premature closes no longer cause a session to be nonresumable.
319 - Additional informational notes were added for various new attacks
320 on TLS.
322 In addition, a number of minor clarifications and editorial
323 improvements were made.
328 Dierks & Rescorla Standards Track [Page 6]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
331 1.1 Requirements Terminology
333 Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
334 "MAY" that appear in this document are to be interpreted as described
335 in RFC 2119 [REQ].
337 2. Goals
339 The goals of TLS Protocol, in order of their priority, are:
341 1. Cryptographic security: TLS should be used to establish a secure
342 connection between two parties.
344 2. Interoperability: Independent programmers should be able to
345 develop applications utilizing TLS that will then be able to
346 successfully exchange cryptographic parameters without knowledge
347 of one another's code.
349 3. Extensibility: TLS seeks to provide a framework into which new
350 public key and bulk encryption methods can be incorporated as
351 necessary. This will also accomplish two sub-goals: to prevent
352 the need to create a new protocol (and risking the introduction
353 of possible new weaknesses) and to avoid the need to implement an
354 entire new security library.
356 4. Relative efficiency: Cryptographic operations tend to be highly
357 CPU intensive, particularly public key operations. For this
358 reason, the TLS protocol has incorporated an optional session
359 caching scheme to reduce the number of connections that need to
360 be established from scratch. Additionally, care has been taken to
361 reduce network activity.
363 3. Goals of this document
365 This document and the TLS protocol itself are based on the SSL 3.0
366 Protocol Specification as published by Netscape. The differences
367 between this protocol and SSL 3.0 are not dramatic, but they are
368 significant enough that TLS 1.1, TLS 1.0, and SSL 3.0 do not
369 interoperate (although each protocol incorporates a mechanism by
370 which an implementation can back down prior versions. This document
371 is intended primarily for readers who will be implementing the
372 protocol and those doing cryptographic analysis of it. The
373 specification has been written with this in mind, and it is intended
374 to reflect the needs of those two groups. For that reason, many of
375 the algorithm-dependent data structures and rules are included in the
376 body of the text (as opposed to in an appendix), providing easier
377 access to them.
382 Dierks & Rescorla Standards Track [Page 7]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
385 This document is not intended to supply any details of service
386 definition nor interface definition, although it does cover select
387 areas of policy as they are required for the maintenance of solid
388 security.
390 4. Presentation language
392 This document deals with the formatting of data in an external
393 representation. The following very basic and somewhat casually
394 defined presentation syntax will be used. The syntax draws from
395 several sources in its structure. Although it resembles the
396 programming language "C" in its syntax and XDR [XDR] in both its
397 syntax and intent, it would be risky to draw too many parallels. The
398 purpose of this presentation language is to document TLS only, not to
399 have general application beyond that particular goal.
436 Dierks & Rescorla Standards Track [Page 8]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
439 4.1. Basic block size
441 The representation of all data items is explicitly specified. The
442 basic data block size is one byte (i.e. 8 bits). Multiple byte data
443 items are concatenations of bytes, from left to right, from top to
444 bottom. From the bytestream a multi-byte item (a numeric in the
445 example) is formed (using C notation) by:
447 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
448 ... | byte[n-1];
450 This byte ordering for multi-byte values is the commonplace network
451 byte order or big endian format.
453 4.2. Miscellaneous
455 Comments begin with "/*" and end with "*/".
457 Optional components are denoted by enclosing them in "[[ ]]" double
458 brackets.
460 Single byte entities containing uninterpreted data are of type
461 opaque.
463 4.3. Vectors
465 A vector (single dimensioned array) is a stream of homogeneous data
466 elements. The size of the vector may be specified at documentation
467 time or left unspecified until runtime. In either case the length
468 declares the number of bytes, not the number of elements, in the
469 vector. The syntax for specifying a new type T' that is a fixed
470 length vector of type T is
472 T T'[n];
474 Here T' occupies n bytes in the data stream, where n is a multiple of
475 the size of T. The length of the vector is not included in the
476 encoded stream.
478 In the following example, Datum is defined to be three consecutive
479 bytes that the protocol does not interpret, while Data is three
480 consecutive Datum, consuming a total of nine bytes.
482 opaque Datum[3]; /* three uninterpreted bytes */
483 Datum Data[9]; /* 3 consecutive 3 byte vectors */
490 Dierks & Rescorla Standards Track [Page 9]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
493 Variable length vectors are defined by specifying a subrange of legal
494 lengths, inclusively, using the notation <floor..ceiling>. When
495 encoded, the actual length precedes the vector's contents in the byte
496 stream. The length will be in the form of a number consuming as many
497 bytes as required to hold the vector's specified maximum (ceiling)
498 length. A variable length vector with an actual length field of zero
499 is referred to as an empty vector.
501 T T'<floor..ceiling>;
503 In the following example, mandatory is a vector that must contain
504 between 300 and 400 bytes of type opaque. It can never be empty. The
505 actual length field consumes two bytes, a uint16, sufficient to
506 represent the value 400 (see Section 4.4). On the other hand, longer
507 can represent up to 800 bytes of data, or 400 uint16 elements, and it
508 may be empty. Its encoding will include a two byte actual length
509 field prepended to the vector. The length of an encoded vector must
510 be an even multiple of the length of a single element (for example, a
511 17 byte vector of uint16 would be illegal).
513 opaque mandatory<300..400>;
514 /* length field is 2 bytes, cannot be empty */
515 uint16 longer<0..800>;
516 /* zero to 400 16-bit unsigned integers */
518 4.4. Numbers
520 The basic numeric data type is an unsigned byte (uint8). All larger
521 numeric data types are formed from fixed length series of bytes
522 concatenated as described in Section 4.1 and are also unsigned. The
523 following numeric types are predefined.
525 uint8 uint16[2];
526 uint8 uint24[3];
527 uint8 uint32[4];
528 uint8 uint64[8];
530 All values, here and elsewhere in the specification, are stored in
531 "network" or "big-endian" order; the uint32 represented by the hex
532 bytes 01 02 03 04 is equivalent to the decimal value 16909060.
534 4.5. Enumerateds
536 An additional sparse data type is available called enum. A field of
537 type enum can only assume the values declared in the definition.
538 Each definition is a different type. Only enumerateds of the same
539 type may be assigned or compared. Every element of an enumerated must
544 Dierks & Rescorla Standards Track [Page 10]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
547 be assigned a value, as demonstrated in the following example. Since
548 the elements of the enumerated are not ordered, they can be assigned
549 any unique value, in any order.
551 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
553 Enumerateds occupy as much space in the byte stream as would its
554 maximal defined ordinal value. The following definition would cause
555 one byte to be used to carry fields of type Color.
557 enum { red(3), blue(5), white(7) } Color;
559 One may optionally specify a value without its associated tag to
560 force the width definition without defining a superfluous element.
561 In the following example, Taste will consume two bytes in the data
562 stream but can only assume the values 1, 2 or 4.
564 enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
566 The names of the elements of an enumeration are scoped within the
567 defined type. In the first example, a fully qualified reference to
568 the second element of the enumeration would be Color.blue. Such
569 qualification is not required if the target of the assignment is well
570 specified.
572 Color color = Color.blue; /* overspecified, legal */
573 Color color = blue; /* correct, type implicit */
575 For enumerateds that are never converted to external representation,
576 the numerical information may be omitted.
578 enum { low, medium, high } Amount;
580 4.6. Constructed types
582 Structure types may be constructed from primitive types for
583 convenience. Each specification declares a new, unique type. The
584 syntax for definition is much like that of C.
586 struct {
587 T1 f1;
588 T2 f2;
589 ...
590 Tn fn;
591 } [[T]];
598 Dierks & Rescorla Standards Track [Page 11]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
601 The fields within a structure may be qualified using the type's name
602 using a syntax much like that available for enumerateds. For example,
603 T.f2 refers to the second field of the previous declaration.
604 Structure definitions may be embedded.
606 4.6.1. Variants
608 Defined structures may have variants based on some knowledge that is
609 available within the environment. The selector must be an enumerated
610 type that defines the possible variants the structure defines. There
611 must be a case arm for every element of the enumeration declared in
612 the select. The body of the variant structure may be given a label
613 for reference. The mechanism by which the variant is selected at
614 runtime is not prescribed by the presentation language.
616 struct {
617 T1 f1;
618 T2 f2;
619 ....
620 Tn fn;
621 select (E) {
622 case e1: Te1;
623 case e2: Te2;
624 ....
625 case en: Ten;
626 } [[fv]];
627 } [[Tv]];
629 For example:
631 enum { apple, orange } VariantTag;
632 struct {
633 uint16 number;
634 opaque string<0..10>; /* variable length */
635 } V1;
636 struct {
637 uint32 number;
638 opaque string[10]; /* fixed length */
639 } V2;
640 struct {
641 select (VariantTag) { /* value of selector is implicit */
642 case apple: V1; /* VariantBody, tag = apple */
643 case orange: V2; /* VariantBody, tag = orange */
644 } variant_body; /* optional label on variant */
645 } VariantRecord;
647 Variant structures may be qualified (narrowed) by specifying a value
648 for the selector prior to the type. For example, a
652 Dierks & Rescorla Standards Track [Page 12]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
655 orange VariantRecord
657 is a narrowed type of a VariantRecord containing a variant_body of
658 type V2.
660 4.7. Cryptographic attributes
662 The four cryptographic operations digital signing, stream cipher
663 encryption, block cipher encryption, and public key encryption are
664 designated digitally-signed, stream-ciphered, block-ciphered, and
665 public-key-encrypted, respectively. A field's cryptographic
666 processing is specified by prepending an appropriate key word
667 designation before the field's type specification. Cryptographic keys
668 are implied by the current session state (see Section 6.1).
670 In digital signing, one-way hash functions are used as input for a
671 signing algorithm. A digitally-signed element is encoded as an opaque
672 vector <0..2^16-1>, where the length is specified by the signing
673 algorithm and key.
675 In RSA signing, a 36-byte structure of two hashes (one SHA and one
676 MD5) is signed (encrypted with the private key). It is encoded with
677 PKCS #1 block type 0 or type 1 as described in [PKCS1A].
679 Note: the standard reference for PKCS#1 is now RFC 3447 [PKCS1B].
680 However, to minimize differences with TLS 1.0 text, we are using the
681 terminology of RFC 2313 [PKCS1A].
683 In DSS, the 20 bytes of the SHA hash are run directly through the
684 Digital Signing Algorithm with no additional hashing. This produces
685 two values, r and s. The DSS signature is an opaque vector, as above,
686 the contents of which are the DER encoding of:
688 Dss-Sig-Value ::= SEQUENCE {
689 r INTEGER,
690 s INTEGER
691 }
693 In stream cipher encryption, the plaintext is exclusive-ORed with an
694 identical amount of output generated from a cryptographically-secure
695 keyed pseudorandom number generator.
697 In block cipher encryption, every block of plaintext encrypts to a
698 block of ciphertext. All block cipher encryption is done in CBC
699 (Cipher Block Chaining) mode, and all items which are block-ciphered
700 will be an exact multiple of the cipher block length.
702 In public key encryption, a public key algorithm is used to encrypt
706 Dierks & Rescorla Standards Track [Page 13]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
709 data in such a way that it can be decrypted only with the matching
710 private key. A public-key-encrypted element is encoded as an opaque
711 vector <0..2^16-1>, where the length is specified by the signing
712 algorithm and key.
714 An RSA encrypted value is encoded with PKCS #1 block type 2 as
715 described in [PKCS1].
717 In the following example:
719 stream-ciphered struct {
720 uint8 field1;
721 uint8 field2;
722 digitally-signed opaque hash[20];
723 } UserType;
725 The contents of hash are used as input for the signing algorithm,
726 then the entire structure is encrypted with a stream cipher. The
727 length of this structure, in bytes would be equal to 2 bytes for
728 field1 and field2, plus two bytes for the length of the signature,
729 plus the length of the output of the signing algorithm. This is known
730 due to the fact that the algorithm and key used for the signing are
731 known prior to encoding or decoding this structure.
733 4.8. Constants
735 Typed constants can be defined for purposes of specification by
736 declaring a symbol of the desired type and assigning values to it.
737 Under-specified types (opaque, variable length vectors, and
738 structures that contain opaque) cannot be assigned values. No fields
739 of a multi-element structure or vector may be elided.
741 For example,
743 struct {
744 uint8 f1;
745 uint8 f2;
746 } Example1;
748 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
750 5. HMAC and the pseudorandom function
752 A number of operations in the TLS record and handshake layer required
753 a keyed MAC; this is a secure digest of some data protected by a
754 secret. Forging the MAC is infeasible without knowledge of the MAC
755 secret. The construction we use for this operation is known as HMAC,
756 described in [HMAC].
760 Dierks & Rescorla Standards Track [Page 14]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
763 HMAC can be used with a variety of different hash algorithms. TLS
764 uses it in the handshake with two different algorithms: MD5 and
765 SHA-1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret,
814 Dierks & Rescorla Standards Track [Page 15]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
817 data). Additional hash algorithms can be defined by cipher suites and
818 used to protect record data, but MD5 and SHA-1 are hard coded into
819 the description of the handshaking for this version of the protocol.
821 In addition, a construction is required to do expansion of secrets
822 into blocks of data for the purposes of key generation or validation.
823 This pseudo-random function (PRF) takes as input a secret, a seed,
824 and an identifying label and produces an output of arbitrary length.
826 In order to make the PRF as secure as possible, it uses two hash
827 algorithms in a way which should guarantee its security if either
828 algorithm remains secure.
830 First, we define a data expansion function, P_hash(secret, data)
831 which uses a single hash function to expand a secret and seed into an
832 arbitrary quantity of output:
834 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
835 HMAC_hash(secret, A(2) + seed) +
836 HMAC_hash(secret, A(3) + seed) + ...
838 Where + indicates concatenation.
840 A() is defined as:
841 A(0) = seed
842 A(i) = HMAC_hash(secret, A(i-1))
844 P_hash can be iterated as many times as is necessary to produce the
845 required quantity of data. For example, if P_SHA-1 was being used to
846 create 64 bytes of data, it would have to be iterated 4 times
847 (through A(4)), creating 80 bytes of output data; the last 16 bytes
848 of the final iteration would then be discarded, leaving 64 bytes of
849 output data.
851 TLS's PRF is created by splitting the secret into two halves and
852 using one half to generate data with P_MD5 and the other half to
853 generate data with P_SHA-1, then exclusive-or'ing the outputs of
854 these two expansion functions together.
856 S1 and S2 are the two halves of the secret and each is the same
857 length. S1 is taken from the first half of the secret, S2 from the
858 second half. Their length is created by rounding up the length of the
859 overall secret divided by two; thus, if the original secret is an odd
860 number of bytes long, the last byte of S1 will be the same as the
861 first byte of S2.
863 L_S = length in bytes of secret;
864 L_S1 = L_S2 = ceil(L_S / 2);
868 Dierks & Rescorla Standards Track [Page 16]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
871 The secret is partitioned into two halves (with the possibility of
872 one shared byte) as described above, S1 taking the first L_S1 bytes
873 and S2 the last L_S2 bytes.
875 The PRF is then defined as the result of mixing the two pseudorandom
876 streams by exclusive-or'ing them together.
878 PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
879 P_SHA-1(S2, label + seed);
881 The label is an ASCII string. It should be included in the exact form
882 it is given without a length byte or trailing null character. For
883 example, the label "slithy toves" would be processed by hashing the
884 following bytes:
886 73 6C 69 74 68 79 20 74 6F 76 65 73
888 Note that because MD5 produces 16 byte outputs and SHA-1 produces 20
889 byte outputs, the boundaries of their internal iterations will not be
890 aligned; to generate a 80 byte output will involve P_MD5 being
891 iterated through A(5), while P_SHA-1 will only iterate through A(4).
893 6. The TLS Record Protocol
895 The TLS Record Protocol is a layered protocol. At each layer,
896 messages may include fields for length, description, and content.
897 The Record Protocol takes messages to be transmitted, fragments the
898 data into manageable blocks, optionally compresses the data, applies
899 a MAC, encrypts, and transmits the result. Received data is
900 decrypted, verified, decompressed, and reassembled, then delivered to
901 higher level clients.
903 Four record protocol clients are described in this document: the
904 handshake protocol, the alert protocol, the change cipher spec
905 protocol, and the application data protocol. In order to allow
906 extension of the TLS protocol, additional record types can be
907 supported by the record protocol. Any new record types SHOULD
908 allocate type values immediately beyond the ContentType values for
909 the four record types described here (see Appendix A.1). All such
910 values must be defined by RFC 2434 Standards Action. See section 11
911 for IANA Considerations for ContentType values.
913 If a TLS implementation receives a record type it does not
914 understand, it SHOULD just ignore it. Any protocol designed for use
915 over TLS MUST be carefully designed to deal with all possible attacks
916 against it. Note that because the type and length of a record are
917 not protected by encryption, care SHOULD be taken to minimize the
918 value of traffic analysis of these values.
922 Dierks & Rescorla Standards Track [Page 17]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
925 6.1. Connection states
927 A TLS connection state is the operating environment of the TLS Record
928 Protocol. It specifies a compression algorithm, encryption algorithm,
929 and MAC algorithm. In addition, the parameters for these algorithms
930 are known: the MAC secret and the bulk encryption keys for the
931 connection in both the read and the write directions. Logically,
932 there are always four connection states outstanding: the current read
933 and write states, and the pending read and write states. All records
934 are processed under the current read and write states. The security
935 parameters for the pending states can be set by the TLS Handshake
936 Protocol, and the Change Cipher Spec can selectively make either of
937 the pending states current, in which case the appropriate current
938 state is disposed of and replaced with the pending state; the pending
939 state is then reinitialized to an empty state. It is illegal to make
940 a state which has not been initialized with security parameters a
941 current state. The initial current state always specifies that no
942 encryption, compression, or MAC will be used.
944 The security parameters for a TLS Connection read and write state are
945 set by providing the following values:
947 connection end
948 Whether this entity is considered the "client" or the "server" in
949 this connection.
951 bulk encryption algorithm
952 An algorithm to be used for bulk encryption. This specification
953 includes the key size of this algorithm, how much of that key is
954 secret, whether it is a block or stream cipher, the block size of
955 the cipher (if appropriate).
957 MAC algorithm
958 An algorithm to be used for message authentication. This
959 specification includes the size of the hash which is returned by
960 the MAC algorithm.
962 compression algorithm
963 An algorithm to be used for data compression. This specification
964 must include all information the algorithm requires to do
965 compression.
967 master secret
968 A 48 byte secret shared between the two peers in the connection.
970 client random
971 A 32 byte value provided by the client.
976 Dierks & Rescorla Standards Track [Page 18]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
979 server random
980 A 32 byte value provided by the server.
982 These parameters are defined in the presentation language as:
984 enum { server, client } ConnectionEnd;
986 enum { null, rc4, rc2, des, 3des, des40, idea, aes } BulkCipherAlgorithm;
988 enum { stream, block } CipherType;
990 enum { null, md5, sha } MACAlgorithm;
992 enum { null(0), (255) } CompressionMethod;
994 /* The algorithms specified in CompressionMethod,
995 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
997 struct {
998 ConnectionEnd entity;
999 BulkCipherAlgorithm bulk_cipher_algorithm;
1000 CipherType cipher_type;
1001 uint8 key_size;
1002 uint8 key_material_length;
1003 MACAlgorithm mac_algorithm;
1004 uint8 hash_size;
1005 CompressionMethod compression_algorithm;
1006 opaque master_secret[48];
1007 opaque client_random[32];
1008 opaque server_random[32];
1009 } SecurityParameters;
1011 The record layer will use the security parameters to generate the
1012 following four items:
1014 client write MAC secret
1015 server write MAC secret
1016 client write key
1017 server write key
1019 The client write parameters are used by the server when receiving and
1020 processing records and vice-versa. The algorithm used for generating
1021 these items from the security parameters is described in section 6.3.
1023 Once the security parameters have been set and the keys have been
1024 generated, the connection states can be instantiated by making them
1025 the current states. These current states MUST be updated for each
1026 record processed. Each connection state includes the following
1030 Dierks & Rescorla Standards Track [Page 19]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1033 elements:
1035 compression state
1036 The current state of the compression algorithm.
1038 cipher state
1039 The current state of the encryption algorithm. This will consist
1040 of the scheduled key for that connection. For stream ciphers,
1041 this will also contain whatever the necessary state information
1042 is to allow the stream to continue to encrypt or decrypt data.
1044 MAC secret
1045 The MAC secret for this connection as generated above.
1047 sequence number
1048 Each connection state contains a sequence number, which is
1049 maintained separately for read and write states. The sequence
1050 number MUST be set to zero whenever a connection state is made
1051 the active state. Sequence numbers are of type uint64 and may not
1052 exceed 2^64-1. Sequence numbers do not wrap. If a TLS
1053 implementation would need to wrap a sequence number it must
1054 renegotiate instead. A sequence number is incremented after each
1055 record: specifically, the first record which is transmitted under
1056 a particular connection state MUST use sequence number 0.
1058 6.2. Record layer
1060 The TLS Record Layer receives uninterpreted data from higher layers
1061 in non-empty blocks of arbitrary size.
1063 6.2.1. Fragmentation
1065 The record layer fragments information blocks into TLSPlaintext
1066 records carrying data in chunks of 2^14 bytes or less. Client message
1067 boundaries are not preserved in the record layer (i.e., multiple
1068 client messages of the same ContentType MAY be coalesced into a
1069 single TLSPlaintext record, or a single message MAY be fragmented
1070 across several records).
1073 struct {
1074 uint8 major, minor;
1075 } ProtocolVersion;
1077 enum {
1078 change_cipher_spec(20), alert(21), handshake(22),
1079 application_data(23), (255)
1080 } ContentType;
1084 Dierks & Rescorla Standards Track [Page 20]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1087 struct {
1088 ContentType type;
1089 ProtocolVersion version;
1090 uint16 length;
1091 opaque fragment[TLSPlaintext.length];
1092 } TLSPlaintext;
1094 type
1095 The higher level protocol used to process the enclosed fragment.
1097 version
1098 The version of the protocol being employed. This document
1099 describes TLS Version 1.1, which uses the version { 3, 2 }. The
1100 version value 3.2 is historical: TLS version 1.1 is a minor
1101 modification to the TLS 1.0 protocol, which was itself a minor
1102 modification to the SSL 3.0 protocol, which bears the version
1103 value 3.0. (See Appendix A.1).
1105 length
1106 The length (in bytes) of the following TLSPlaintext.fragment.
1107 The length should not exceed 2^14.
1109 fragment
1110 The application data. This data is transparent and treated as an
1111 independent block to be dealt with by the higher level protocol
1112 specified by the type field.
1114 Note: Data of different TLS Record layer content types MAY be
1115 interleaved. Application data is generally of higher precedence
1116 for transmission than other content types and therefore handshake
1117 records may be held if application data is pending. However,
1118 records MUST be delivered to the network in the same order as
1119 they are protected by the record layer. Recipients MUST receive
1120 and process interleaved application layer traffic during
1121 handshakes subsequent to the first one on a connection.
1123 6.2.2. Record compression and decompression
1125 All records are compressed using the compression algorithm defined in
1126 the current session state. There is always an active compression
1127 algorithm; however, initially it is defined as
1128 CompressionMethod.null. The compression algorithm translates a
1129 TLSPlaintext structure into a TLSCompressed structure. Compression
1130 functions are initialized with default state information whenever a
1131 connection state is made active.
1138 Dierks & Rescorla Standards Track [Page 21]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1141 Compression must be lossless and may not increase the content length
1142 by more than 1024 bytes. If the decompression function encounters a
1143 TLSCompressed.fragment that would decompress to a length in excess of
1144 2^14 bytes, it should report a fatal decompression failure error.
1146 struct {
1147 ContentType type; /* same as TLSPlaintext.type */
1148 ProtocolVersion version;/* same as TLSPlaintext.version */
1149 uint16 length;
1150 opaque fragment[TLSCompressed.length];
1151 } TLSCompressed;
1153 length
1154 The length (in bytes) of the following TLSCompressed.fragment.
1155 The length should not exceed 2^14 + 1024.
1157 fragment
1158 The compressed form of TLSPlaintext.fragment.
1160 Note: A CompressionMethod.null operation is an identity operation; no
1161 fields are altered.
1163 Implementation note:
1164 Decompression functions are responsible for ensuring that
1165 messages cannot cause internal buffer overflows.
1167 6.2.3. Record payload protection
1169 The encryption and MAC functions translate a TLSCompressed structure
1170 into a TLSCiphertext. The decryption functions reverse the process.
1171 The MAC of the record also includes a sequence number so that
1172 missing, extra or repeated messages are detectable.
1174 struct {
1175 ContentType type;
1176 ProtocolVersion version;
1177 uint16 length;
1178 select (CipherSpec.cipher_type) {
1179 case stream: GenericStreamCipher;
1180 case block: GenericBlockCipher;
1181 } fragment;
1182 } TLSCiphertext;
1184 type
1185 The type field is identical to TLSCompressed.type.
1187 version
1188 The version field is identical to TLSCompressed.version.
1192 Dierks & Rescorla Standards Track [Page 22]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1195 length
1196 The length (in bytes) of the following TLSCiphertext.fragment.
1197 The length may not exceed 2^14 + 2048.
1199 fragment
1200 The encrypted form of TLSCompressed.fragment, with the MAC.
1202 6.2.3.1. Null or standard stream cipher
1204 Stream ciphers (including BulkCipherAlgorithm.null - see Appendix
1205 A.6) convert TLSCompressed.fragment structures to and from stream
1206 TLSCiphertext.fragment structures.
1208 stream-ciphered struct {
1209 opaque content[TLSCompressed.length];
1210 opaque MAC[CipherSpec.hash_size];
1211 } GenericStreamCipher;
1213 The MAC is generated as:
1215 HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
1216 TLSCompressed.version + TLSCompressed.length +
1217 TLSCompressed.fragment));
1219 where "+" denotes concatenation.
1221 seq_num
1222 The sequence number for this record.
1224 hash
1225 The hashing algorithm specified by
1226 SecurityParameters.mac_algorithm.
1228 Note that the MAC is computed before encryption. The stream cipher
1229 encrypts the entire block, including the MAC. For stream ciphers that
1230 do not use a synchronization vector (such as RC4), the stream cipher
1231 state from the end of one record is simply used on the subsequent
1232 packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL, encryption
1233 consists of the identity operation (i.e., the data is not encrypted
1234 and the MAC size is zero implying that no MAC is used).
1235 TLSCiphertext.length is TLSCompressed.length plus
1236 CipherSpec.hash_size.
1238 6.2.3.2. CBC block cipher
1240 For block ciphers (such as RC2, DES, or AES), the encryption and MAC
1241 functions convert TLSCompressed.fragment structures to and from block
1242 TLSCiphertext.fragment structures.
1246 Dierks & Rescorla Standards Track [Page 23]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1249 block-ciphered struct {
1250 opaque IV[CipherSpec.block_length];
1251 opaque content[TLSCompressed.length];
1252 opaque MAC[CipherSpec.hash_size];
1253 uint8 padding[GenericBlockCipher.padding_length];
1254 uint8 padding_length;
1255 } GenericBlockCipher;
1257 The MAC is generated as described in Section 6.2.3.1.
1259 IV
1260 Unlike previous versions of SSL and TLS, TLS 1.1 uses an explicit
1261 IV in order to prevent the attacks described by [CBCATT].
1262 We recommend the following equivalently strong procedures.
1263 For clarity we use the following notation.
1265 IV -- the transmitted value of the IV field in the
1266 GenericBlockCipher structure.
1267 CBC residue -- the last ciphertext block of the previous record
1268 mask -- the actual value which the cipher XORs with the
1269 plaintext prior to encryption of the first cipher block
1270 of the record.
1272 In prior versions of TLS, there was no IV field and the CBC residue
1273 and mask were one and the same. See Sections 6.1, 6.2.3.2 and 6.3,
1274 of [TLS1.0] for details of TLS 1.0 IV handling.
1276 One of the following two algorithms SHOULD be used to generate the
1277 per-record IV:
1279 (1) Generate a cryptographically strong random string R of
1280 length CipherSpec.block_length. Place R
1281 in the IV field. Set the mask to R. Thus, the first
1282 cipher block will be encrypted as E(R XOR Data).
1284 (2) Generate a cryptographically strong random number R of
1285 length CipherSpec.block_length and prepend it to the plaintext
1286 prior to encryption. In
1287 this case either:
1289 (a) The cipher may use a fixed mask such as zero.
1290 (b) The CBC residue from the previous record may be used
1291 as the mask. This preserves maximum code compatibility
1292 with TLS 1.0 and SSL 3. It also has the advantage that
1293 it does not require the ability to quickly reset the IV,
1294 which is known to be a problem on some systems.
1296 In either 2(a) or 2(b) the data (R || data) is fed into the
1300 Dierks & Rescorla Standards Track [Page 24]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1303 encryption process. The first cipher block (containing
1304 E(mask XOR R) is placed in the IV field. The first
1305 block of content contains E(IV XOR data)
1307 The following alternative procedure MAY be used: However, it has
1308 not been demonstrated to be equivalently cryptographically strong
1309 to the above procedures. The sender prepends a fixed block F to
1310 the plaintext (or alternatively a block generated with a weak
1311 PRNG). He then encrypts as in (2) above, using the CBC residue
1312 from the previous block as the mask for the prepended block. Note
1313 that in this case the mask for the first record transmitted by
1314 the application (the Finished) MUST be generated using a
1315 cryptographically strong PRNG.
1317 The decryption operation for all three alternatives is the same.
1318 The receiver decrypts the entire GenericBlockCipher structure and
1319 then discards the first cipher block, corresponding to the IV
1320 component.
1322 padding
1323 Padding that is added to force the length of the plaintext to be
1324 an integral multiple of the block cipher's block length. The
1325 padding MAY be any length up to 255 bytes long, as long as it
1326 results in the TLSCiphertext.length being an integral multiple of
1327 the block length. Lengths longer than necessary might be
1328 desirable to frustrate attacks on a protocol based on analysis of
1329 the lengths of exchanged messages. Each uint8 in the padding data
1330 vector MUST be filled with the padding length value. The receiver
1331 MUST check this padding and SHOULD use the bad_record_mac alert
1332 to indicate padding errors.
1334 padding_length
1335 The padding length MUST be such that the total size of the
1336 GenericBlockCipher structure is a multiple of the cipher's block
1337 length. Legal values range from zero to 255, inclusive. This
1338 length specifies the length of the padding field exclusive of the
1339 padding_length field itself.
1341 The encrypted data length (TLSCiphertext.length) is one more than the
1342 sum of TLSCompressed.length, CipherSpec.hash_size, and
1343 padding_length.
1345 Example: If the block length is 8 bytes, the content length
1346 (TLSCompressed.length) is 61 bytes, and the MAC length is 20
1347 bytes, the length before padding is 82 bytes (this does not
1348 include the IV, which may or may not be encrypted, as
1349 discussed above). Thus, the padding length modulo 8 must be
1350 equal to 6 in order to make the total length an even multiple
1354 Dierks & Rescorla Standards Track [Page 25]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1357 of 8 bytes (the block length). The padding length can be 6,
1358 14, 22, and so on, through 254. If the padding length were the
1359 minimum necessary, 6, the padding would be 6 bytes, each
1360 containing the value 6. Thus, the last 8 octets of the
1361 GenericBlockCipher before block encryption would be xx 06 06
1362 06 06 06 06 06, where xx is the last octet of the MAC.
1364 Note: With block ciphers in CBC mode (Cipher Block Chaining),
1365 it is critical that the entire plaintext of the record be known
1366 before any ciphertext is transmitted. Otherwise it is possible
1367 for the attacker to mount the attack described in [CBCATT].
1369 Implementation Note: Canvel et. al. [CBCTIME] have demonstrated a
1370 timing attack on CBC padding based on the time required to
1371 compute the MAC. In order to defend against this attack,
1372 implementations MUST ensure that record processing time is
1373 essentially the same whether or not the padding is correct. In
1374 general, the best way to to do this is to compute the MAC even if
1375 the padding is incorrect, and only then reject the packet. For
1376 instance, if the pad appears to be incorrect the implementation
1377 might assume a zero-length pad and then compute the MAC. This
1378 leaves a small timing channel, since MAC performance depends to
1379 some extent on the size of the data fragment, but it is not
1380 believed to be large enough to be exploitable due to the large
1381 block size of existing MACs and the small size of the timing
1382 signal.
1384 6.3. Key calculation
1386 The Record Protocol requires an algorithm to generate keys, and MAC
1387 secrets from the security parameters provided by the handshake
1388 protocol.
1390 The master secret is hashed into a sequence of secure bytes, which
1391 are assigned to the MAC secrets and keys required by the current
1392 connection state (see Appendix A.6). CipherSpecs require a client
1393 write MAC secret, a server write MAC secret, a client write key, and
1394 a server write key, which are generated from the master secret in
1395 that order. Unused values are empty.
1397 When generating keys and MAC secrets, the master secret is used as an
1398 entropy source.
1400 To generate the key material, compute
1402 key_block = PRF(SecurityParameters.master_secret,
1403 "key expansion",
1404 SecurityParameters.server_random +
1408 Dierks & Rescorla Standards Track [Page 26]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1411 SecurityParameters.client_random);
1413 until enough output has been generated. Then the key_block is
1414 partitioned as follows:
1416 client_write_MAC_secret[SecurityParameters.hash_size]
1417 server_write_MAC_secret[SecurityParameters.hash_size]
1418 client_write_key[SecurityParameters.key_material_length]
1419 server_write_key[SecurityParameters.key_material_length]
1422 Implementation note:
1423 The currently defined which requires the most material is
1424 AES_256_CBC_SHA, defined in [TLSAES]. It requires 2 x 32 byte
1425 keys and 2 x 20 byte MAC secrets, for a total 104 bytes of key
1426 material.
1428 7. The TLS Handshaking Protocols
1430 TLS has three subprotocols which are used to allow peers to agree
1431 upon security parameters for the record layer, authenticate
1432 themselves, instantiate negotiated security parameters, and
1433 report error conditions to each other.
1435 The Handshake Protocol is responsible for negotiating a session,
1436 which consists of the following items:
1438 session identifier
1439 An arbitrary byte sequence chosen by the server to identify an
1440 active or resumable session state.
1442 peer certificate
1443 X509v3 [X509] certificate of the peer. This element of the
1444 state may be null.
1446 compression method
1447 The algorithm used to compress data prior to encryption.
1449 cipher spec
1450 Specifies the bulk data encryption algorithm (such as null,
1451 DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also
1452 defines cryptographic attributes such as the hash_size. (See
1453 Appendix A.6 for formal definition)
1455 master secret
1456 48-byte secret shared between the client and server.
1462 Dierks & Rescorla Standards Track [Page 27]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1465 is resumable
1466 A flag indicating whether the session can be used to initiate
1467 new connections.
1469 These items are then used to create security parameters for use by
1470 the Record Layer when protecting application data. Many connections
1471 can be instantiated using the same session through the resumption
1472 feature of the TLS Handshake Protocol.
1474 7.1. Change cipher spec protocol
1476 The change cipher spec protocol exists to signal transitions in
1477 ciphering strategies. The protocol consists of a single message,
1478 which is encrypted and compressed under the current (not the pending)
1479 connection state. The message consists of a single byte of value 1.
1481 struct {
1482 enum { change_cipher_spec(1), (255) } type;
1483 } ChangeCipherSpec;
1485 The change cipher spec message is sent by both the client and server
1486 to notify the receiving party that subsequent records will be
1487 protected under the newly negotiated CipherSpec and keys. Reception
1488 of this message causes the receiver to instruct the Record Layer to
1489 immediately copy the read pending state into the read current state.
1490 Immediately after sending this message, the sender MUST instruct the
1491 record layer to make the write pending state the write active state.
1492 (See section 6.1.) The change cipher spec message is sent during the
1493 handshake after the security parameters have been agreed upon, but
1494 before the verifying finished message is sent (see section 7.4.9).
1496 Note: if a rehandshake occurs while data is flowing on a connection,
1497 the communicating parties may continue to send data using the old
1498 CipherSpec. However, once the ChangeCipherSpec has been sent, the new
1499 CipherSpec MUST be used. The first side to send the ChangeCipherSpec
1500 does not know that the other side has finished computing the new
1501 keying material (e.g. if it has to perform a time consuming public
1502 key operation). Thus, a small window of time during which the
1503 recipient must buffer the data MAY exist. In practice, with modern
1504 machines this interval is likely to be fairly short.
1506 7.2. Alert protocol
1508 One of the content types supported by the TLS Record layer is the
1509 alert type. Alert messages convey the severity of the message and a
1510 description of the alert. Alert messages with a level of fatal result
1511 in the immediate termination of the connection. In this case, other
1512 connections corresponding to the session may continue, but the
1516 Dierks & Rescorla Standards Track [Page 28]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1519 session identifier MUST be invalidated, preventing the failed session
1520 from being used to establish new connections. Like other messages,
1521 alert messages are encrypted and compressed, as specified by the
1522 current connection state.
1524 enum { warning(1), fatal(2), (255) } AlertLevel;
1526 enum {
1527 close_notify(0),
1528 unexpected_message(10),
1529 bad_record_mac(20),
1530 decryption_failed(21),
1531 record_overflow(22),
1532 decompression_failure(30),
1533 handshake_failure(40),
1534 no_certificate_RESERVED (41),
1535 bad_certificate(42),
1536 unsupported_certificate(43),
1537 certificate_revoked(44),
1538 certificate_expired(45),
1539 certificate_unknown(46),
1540 illegal_parameter(47),
1541 unknown_ca(48),
1542 access_denied(49),
1543 decode_error(50),
1544 decrypt_error(51),
1545 export_restriction_RESERVED(60),
1546 protocol_version(70),
1547 insufficient_security(71),
1548 internal_error(80),
1549 user_canceled(90),
1550 no_renegotiation(100),
1551 (255)
1552 } AlertDescription;
1554 struct {
1555 AlertLevel level;
1556 AlertDescription description;
1557 } Alert;
1559 7.2.1. Closure alerts
1561 The client and the server must share knowledge that the connection is
1562 ending in order to avoid a truncation attack. Either party may
1563 initiate the exchange of closing messages.
1565 close_notify
1566 This message notifies the recipient that the sender will not send
1570 Dierks & Rescorla Standards Track [Page 29]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1573 any more messages on this connection. Note that as of TLS 1.1,
1574 failure to properly close a connection no longer requires that a
1575 session not be resumed. This is a change from TLS 1.0 to conform
1576 with widespread implementation practice.
1578 Either party may initiate a close by sending a close_notify alert.
1579 Any data received after a closure alert is ignored.
1581 Unless some other fatal alert has been transmitted, each party is
1582 required to send a close_notify alert before closing the write side
1583 of the connection. The other party MUST respond with a close_notify
1584 alert of its own and close down the connection immediately,
1585 discarding any pending writes. It is not required for the initiator
1586 of the close to wait for the responding close_notify alert before
1587 closing the read side of the connection.
1589 If the application protocol using TLS provides that any data may be
1590 carried over the underlying transport after the TLS connection is
1591 closed, the TLS implementation must receive the responding
1592 close_notify alert before indicating to the application layer that
1593 the TLS connection has ended. If the application protocol will not
1594 transfer any additional data, but will only close the underlying
1595 transport connection, then the implementation MAY choose to close the
1596 transport without waiting for the responding close_notify. No part of
1597 this standard should be taken to dictate the manner in which a usage
1598 profile for TLS manages its data transport, including when
1599 connections are opened or closed.
1601 Note: It is assumed that closing a connection reliably delivers
1602 pending data before destroying the transport.
1604 7.2.2. Error alerts
1606 Error handling in the TLS Handshake protocol is very simple. When an
1607 error is detected, the detecting party sends a message to the other
1608 party. Upon transmission or receipt of an fatal alert message, both
1609 parties immediately close the connection. Servers and clients MUST
1610 forget any session-identifiers, keys, and secrets associated with a
1611 failed connection. Thus, any connection terminated with a fatal alert
1612 MUST NOT be resumed. The following error alerts are defined:
1614 unexpected_message
1615 An inappropriate message was received. This alert is always fatal
1616 and should never be observed in communication between proper
1617 implementations.
1619 bad_record_mac
1620 This alert is returned if a record is received with an incorrect
1624 Dierks & Rescorla Standards Track [Page 30]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1627 MAC. This alert also MUST be returned if an alert is sent because
1628 a TLSCiphertext decrypted in an invalid way: either it wasn't an
1629 even multiple of the block length, or its padding values, when
1630 checked, weren't correct. This message is always fatal.
1632 decryption_failed
1633 This alert MAY be returned if a TLSCiphertext decrypted in an
1634 invalid way: either it wasn't an even multiple of the block
1635 length, or its padding values, when checked, weren't correct.
1636 This message is always fatal.
1638 Note: Differentiating between bad_record_mac and
1639 decryption_failed alerts may permit certain attacks against CBC
1640 mode as used in TLS [CBCATT]. It is preferable to uniformly use
1641 the bad_record_mac alert to hide the specific type of the error.
1644 record_overflow
1645 A TLSCiphertext record was received which had a length more than
1646 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
1647 with more than 2^14+1024 bytes. This message is always fatal.
1649 decompression_failure
1650 The decompression function received improper input (e.g. data
1651 that would expand to excessive length). This message is always
1652 fatal.
1654 handshake_failure
1655 Reception of a handshake_failure alert message indicates that the
1656 sender was unable to negotiate an acceptable set of security
1657 parameters given the options available. This is a fatal error.
1659 no_certificate_RESERVED
1660 This alert was used in SSLv3 but not in TLS. It should not be
1661 sent by compliant implementations.
1663 bad_certificate
1664 A certificate was corrupt, contained signatures that did not
1665 verify correctly, etc.
1667 unsupported_certificate
1668 A certificate was of an unsupported type.
1670 certificate_revoked
1671 A certificate was revoked by its signer.
1673 certificate_expired
1674 A certificate has expired or is not currently valid.
1678 Dierks & Rescorla Standards Track [Page 31]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1681 certificate_unknown
1682 Some other (unspecified) issue arose in processing the
1683 certificate, rendering it unacceptable.
1685 illegal_parameter
1686 A field in the handshake was out of range or inconsistent with
1687 other fields. This is always fatal.
1689 unknown_ca
1690 A valid certificate chain or partial chain was received, but the
1691 certificate was not accepted because the CA certificate could not
1692 be located or couldn't be matched with a known, trusted CA. This
1693 message is always fatal.
1695 access_denied
1696 A valid certificate was received, but when access control was
1697 applied, the sender decided not to proceed with negotiation.
1698 This message is always fatal.
1700 decode_error
1701 A message could not be decoded because some field was out of the
1702 specified range or the length of the message was incorrect. This
1703 message is always fatal.
1705 decrypt_error
1706 A handshake cryptographic operation failed, including being
1707 unable to correctly verify a signature, decrypt a key exchange,
1708 or validate a finished message.
1710 export_restriction_RESERVED
1711 This alert was used in TLS 1.0 but not TLS 1.1.
1713 protocol_version
1714 The protocol version the client has attempted to negotiate is
1715 recognized, but not supported. (For example, old protocol
1716 versions might be avoided for security reasons). This message is
1717 always fatal.
1719 insufficient_security
1720 Returned instead of handshake_failure when a negotiation has
1721 failed specifically because the server requires ciphers more
1722 secure than those supported by the client. This message is always
1723 fatal.
1725 internal_error
1726 An internal error unrelated to the peer or the correctness of the
1727 protocol makes it impossible to continue (such as a memory
1728 allocation failure). This message is always fatal.
1732 Dierks & Rescorla Standards Track [Page 32]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1735 user_canceled
1736 This handshake is being canceled for some reason unrelated to a
1737 protocol failure. If the user cancels an operation after the
1738 handshake is complete, just closing the connection by sending a
1739 close_notify is more appropriate. This alert should be followed
1740 by a close_notify. This message is generally a warning.
1742 no_renegotiation
1743 Sent by the client in response to a hello request or by the
1744 server in response to a client hello after initial handshaking.
1745 Either of these would normally lead to renegotiation; when that
1746 is not appropriate, the recipient should respond with this alert;
1747 at that point, the original requester can decide whether to
1748 proceed with the connection. One case where this would be
1749 appropriate would be where a server has spawned a process to
1750 satisfy a request; the process might receive security parameters
1751 (key length, authentication, etc.) at startup and it might be
1752 difficult to communicate changes to these parameters after that
1753 point. This message is always a warning.
1755 For all errors where an alert level is not explicitly specified, the
1756 sending party MAY determine at its discretion whether this is a fatal
1757 error or not; if an alert with a level of warning is received, the
1758 receiving party MAY decide at its discretion whether to treat this as
1759 a fatal error or not. However, all messages which are transmitted
1760 with a level of fatal MUST be treated as fatal messages.
1762 New alerts values MUST be defined by RFC 2434 Standards Action. See
1763 Section 11 for IANA Considerations for alert values.
1765 7.3. Handshake Protocol overview
1767 The cryptographic parameters of the session state are produced by the
1768 TLS Handshake Protocol, which operates on top of the TLS Record
1769 Layer. When a TLS client and server first start communicating, they
1770 agree on a protocol version, select cryptographic algorithms,
1771 optionally authenticate each other, and use public-key encryption
1772 techniques to generate shared secrets.
1774 The TLS Handshake Protocol involves the following steps:
1776 - Exchange hello messages to agree on algorithms, exchange random
1777 values, and check for session resumption.
1779 - Exchange the necessary cryptographic parameters to allow the
1780 client and server to agree on a premaster secret.
1782 - Exchange certificates and cryptographic information to allow the
1786 Dierks & Rescorla Standards Track [Page 33]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1789 client and server to authenticate themselves.
1791 - Generate a master secret from the premaster secret and exchanged
1792 random values.
1794 - Provide security parameters to the record layer.
1796 - Allow the client and server to verify that their peer has
1797 calculated the same security parameters and that the handshake
1798 occurred without tampering by an attacker.
1800 Note that higher layers should not be overly reliant on TLS always
1801 negotiating the strongest possible connection between two peers:
1802 there are a number of ways a man in the middle attacker can attempt
1803 to make two entities drop down to the least secure method they
1804 support. The protocol has been designed to minimize this risk, but
1805 there are still attacks available: for example, an attacker could
1806 block access to the port a secure service runs on, or attempt to get
1807 the peers to negotiate an unauthenticated connection. The fundamental
1808 rule is that higher levels must be cognizant of what their security
1809 requirements are and never transmit information over a channel less
1810 secure than what they require. The TLS protocol is secure, in that
1811 any cipher suite offers its promised level of security: if you
1812 negotiate 3DES with a 1024 bit RSA key exchange with a host whose
1813 certificate you have verified, you can expect to be that secure.
1840 Dierks & Rescorla Standards Track [Page 34]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1843 However, you SHOULD never send data over a link encrypted with 40 bit
1844 security unless you feel that data is worth no more than the effort
1845 required to break that encryption.
1847 These goals are achieved by the handshake protocol, which can be
1848 summarized as follows: The client sends a client hello message to
1849 which the server must respond with a server hello message, or else a
1850 fatal error will occur and the connection will fail. The client hello
1851 and server hello are used to establish security enhancement
1852 capabilities between client and server. The client hello and server
1853 hello establish the following attributes: Protocol Version, Session
1854 ID, Cipher Suite, and Compression Method. Additionally, two random
1855 values are generated and exchanged: ClientHello.random and
1856 ServerHello.random.
1858 The actual key exchange uses up to four messages: the server
1859 certificate, the server key exchange, the client certificate, and the
1860 client key exchange. New key exchange methods can be created by
1861 specifying a format for these messages and defining the use of the
1862 messages to allow the client and server to agree upon a shared
1863 secret. This secret MUST be quite long; currently defined key
1864 exchange methods exchange secrets which range from 48 to 128 bytes in
1865 length.
1867 Following the hello messages, the server will send its certificate,
1868 if it is to be authenticated. Additionally, a server key exchange
1869 message may be sent, if it is required (e.g. if their server has no
1870 certificate, or if its certificate is for signing only). If the
1871 server is authenticated, it may request a certificate from the
1872 client, if that is appropriate to the cipher suite selected. Now the
1873 server will send the server hello done message, indicating that the
1874 hello-message phase of the handshake is complete. The server will
1875 then wait for a client response. If the server has sent a certificate
1876 request message, the client must send the certificate message. The
1877 client key exchange message is now sent, and the content of that
1878 message will depend on the public key algorithm selected between the
1879 client hello and the server hello. If the client has sent a
1880 certificate with signing ability, a digitally-signed certificate
1881 verify message is sent to explicitly verify the certificate.
1883 At this point, a change cipher spec message is sent by the client,
1884 and the client copies the pending Cipher Spec into the current Cipher
1885 Spec. The client then immediately sends the finished message under
1886 the new algorithms, keys, and secrets. In response, the server will
1887 send its own change cipher spec message, transfer the pending to the
1888 current Cipher Spec, and send its finished message under the new
1894 Dierks & Rescorla Standards Track [Page 35]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1897 Cipher Spec. At this point, the handshake is complete and the client
1898 and server may begin to exchange application layer data. (See flow
1899 chart below.) Application data MUST NOT be sent prior to the
1900 completion of the first handshake (before a cipher suite other
1901 TLS_NULL_WITH_NULL_NULL is established).
1902 Client Server
1904 ClientHello -------->
1905 ServerHello
1906 Certificate*
1907 ServerKeyExchange*
1908 CertificateRequest*
1909 <-------- ServerHelloDone
1910 Certificate*
1911 ClientKeyExchange
1912 CertificateVerify*
1913 [ChangeCipherSpec]
1914 Finished -------->
1915 [ChangeCipherSpec]
1916 <-------- Finished
1917 Application Data <-------> Application Data
1919 Fig. 1 - Message flow for a full handshake
1921 * Indicates optional or situation-dependent messages that are not
1922 always sent.
1924 Note: To help avoid pipeline stalls, ChangeCipherSpec is an
1925 independent TLS Protocol content type, and is not actually a TLS
1926 handshake message.
1928 When the client and server decide to resume a previous session or
1929 duplicate an existing session (instead of negotiating new security
1930 parameters) the message flow is as follows:
1932 The client sends a ClientHello using the Session ID of the session to
1933 be resumed. The server then checks its session cache for a match. If
1934 a match is found, and the server is willing to re-establish the
1935 connection under the specified session state, it will send a
1936 ServerHello with the same Session ID value. At this point, both
1937 client and server MUST send change cipher spec messages and proceed
1938 directly to finished messages. Once the re-establishment is complete,
1939 the client and server MAY begin to exchange application layer data.
1940 (See flow chart below.) If a Session ID match is not found, the
1941 server generates a new session ID and the TLS client and server
1942 perform a full handshake.
1948 Dierks & Rescorla Standards Track [Page 36]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
1951 Client Server
1953 ClientHello -------->
1954 ServerHello
1955 [ChangeCipherSpec]
1956 <-------- Finished
1957 [ChangeCipherSpec]
1958 Finished -------->
1959 Application Data <-------> Application Data
1961 Fig. 2 - Message flow for an abbreviated handshake
1963 The contents and significance of each message will be presented in
1964 detail in the following sections.
1966 7.4. Handshake protocol
1968 The TLS Handshake Protocol is one of the defined higher level clients
1969 of the TLS Record Protocol. This protocol is used to negotiate the
1970 secure attributes of a session. Handshake messages are supplied to
1971 the TLS Record Layer, where they are encapsulated within one or more
1972 TLSPlaintext structures, which are processed and transmitted as
1973 specified by the current active session state.
1975 enum {
1976 hello_request(0), client_hello(1), server_hello(2),
1977 certificate(11), server_key_exchange (12),
1978 certificate_request(13), server_hello_done(14),
1979 certificate_verify(15), client_key_exchange(16),
1980 finished(20), (255)
1981 } HandshakeType;
1983 struct {
1984 HandshakeType msg_type; /* handshake type */
1985 uint24 length; /* bytes in message */
1986 select (HandshakeType) {
1987 case hello_request: HelloRequest;
1988 case client_hello: ClientHello;
1989 case server_hello: ServerHello;
1990 case certificate: Certificate;
1991 case server_key_exchange: ServerKeyExchange;
1992 case certificate_request: CertificateRequest;
1993 case server_hello_done: ServerHelloDone;
1994 case certificate_verify: CertificateVerify;
1995 case client_key_exchange: ClientKeyExchange;
1996 case finished: Finished;
1997 } body;
1998 } Handshake;
2002 Dierks & Rescorla Standards Track [Page 37]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2005 The handshake protocol messages are presented below in the order they
2006 MUST be sent; sending handshake messages in an unexpected order
2007 results in a fatal error. Unneeded handshake messages can be omitted,
2008 however. Note one exception to the ordering: the Certificate message
2009 is used twice in the handshake (from server to client, then from
2010 client to server), but described only in its first position. The one
2011 message which is not bound by these ordering rules is the Hello
2012 Request message, which can be sent at any time, but which should be
2013 ignored by the client if it arrives in the middle of a handshake.
2015 New Handshake message type values MUST be defined via RFC 2434
2016 Standards Action. See Section 11 for IANA Considerations for these
2017 values.
2019 7.4.1. Hello messages
2021 The hello phase messages are used to exchange security enhancement
2022 capabilities between the client and server. When a new session
2023 begins, the Record Layer's connection state encryption, hash, and
2024 compression algorithms are initialized to null. The current
2025 connection state is used for renegotiation messages.
2027 7.4.1.1. Hello request
2029 When this message will be sent:
2030 The hello request message MAY be sent by the server at any time.
2032 Meaning of this message:
2033 Hello request is a simple notification that the client should
2034 begin the negotiation process anew by sending a client hello
2035 message when convenient. This message will be ignored by the
2036 client if the client is currently negotiating a session. This
2037 message may be ignored by the client if it does not wish to
2038 renegotiate a session, or the client may, if it wishes, respond
2039 with a no_renegotiation alert. Since handshake messages are
2040 intended to have transmission precedence over application data,
2041 it is expected that the negotiation will begin before no more
2042 than a few records are received from the client. If the server
2043 sends a hello request but does not receive a client hello in
2044 response, it may close the connection with a fatal alert.
2046 After sending a hello request, servers SHOULD not repeat the request
2047 until the subsequent handshake negotiation is complete.
2049 Structure of this message:
2050 struct { } HelloRequest;
2056 Dierks & Rescorla Standards Track [Page 38]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2059 Note: This message MUST NOT be included in the message hashes which are
2060 maintained throughout the handshake and used in the finished
2061 messages and the certificate verify message.
2063 7.4.1.2. Client hello
2065 When this message will be sent:
2066 When a client first connects to a server it is required to send
2067 the client hello as its first message. The client can also send a
2068 client hello in response to a hello request or on its own
2069 initiative in order to renegotiate the security parameters in an
2070 existing connection.
2072 Structure of this message:
2073 The client hello message includes a random structure, which is
2074 used later in the protocol.
2076 struct {
2077 uint32 gmt_unix_time;
2078 opaque random_bytes[28];
2079 } Random;
2081 gmt_unix_time
2082 The current time and date in standard UNIX 32-bit format (seconds
2083 since the midnight starting Jan 1, 1970, GMT, ignoring leap
2084 seconds) according to the sender's internal clock. Clocks are not
2085 required to be set correctly by the basic TLS Protocol; higher
2086 level or application protocols may define additional
2087 requirements.
2089 random_bytes
2090 28 bytes generated by a secure random number generator.
2092 The client hello message includes a variable length session
2093 identifier. If not empty, the value identifies a session between the
2094 same client and server whose security parameters the client wishes to
2095 reuse. The session identifier MAY be from an earlier connection, this
2096 connection, or another currently active connection. The second option
2097 is useful if the client only wishes to update the random structures
2098 and derived values of a connection, while the third option makes it
2099 possible to establish several independent secure connections without
2100 repeating the full handshake protocol. These independent connections
2101 may occur sequentially or simultaneously; a SessionID becomes valid
2102 when the handshake negotiating it completes with the exchange of
2103 Finished messages and persists until removed due to aging or because
2104 a fatal error was encountered on a connection associated with the
2105 session. The actual contents of the SessionID are defined by the
2106 server.
2110 Dierks & Rescorla Standards Track [Page 39]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2113 opaque SessionID<0..32>;
2115 Warning:
2116 Because the SessionID is transmitted without encryption or
2117 immediate MAC protection, servers MUST not place confidential
2118 information in session identifiers or let the contents of fake
2119 session identifiers cause any breach of security. (Note that the
2120 content of the handshake as a whole, including the SessionID, is
2121 protected by the Finished messages exchanged at the end of the
2122 handshake.)
2124 The CipherSuite list, passed from the client to the server in the
2125 client hello message, contains the combinations of cryptographic
2126 algorithms supported by the client in order of the client's
2127 preference (favorite choice first). Each CipherSuite defines a key
2128 exchange algorithm, a bulk encryption algorithm (including secret key
2129 length) and a MAC algorithm. The server will select a cipher suite
2130 or, if no acceptable choices are presented, return a handshake
2131 failure alert and close the connection.
2133 uint8 CipherSuite[2]; /* Cryptographic suite selector */
2135 The client hello includes a list of compression algorithms supported
2136 by the client, ordered according to the client's preference.
2138 enum { null(0), (255) } CompressionMethod;
2140 struct {
2141 ProtocolVersion client_version;
2142 Random random;
2143 SessionID session_id;
2144 CipherSuite cipher_suites<2..2^16-1>;
2145 CompressionMethod compression_methods<1..2^8-1>;
2146 } ClientHello;
2148 client_version
2149 The version of the TLS protocol by which the client wishes to
2150 communicate during this session. This SHOULD be the latest
2151 (highest valued) version supported by the client. For this
2152 version of the specification, the version will be 3.2 (See
2153 Appendix E for details about backward compatibility).
2155 random
2156 A client-generated random structure.
2158 session_id
2159 The ID of a session the client wishes to use for this connection.
2160 This field should be empty if no session_id is available or the
2164 Dierks & Rescorla Standards Track [Page 40]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2167 client wishes to generate new security parameters.
2169 cipher_suites
2170 This is a list of the cryptographic options supported by the
2171 client, with the client's first preference first. If the
2172 session_id field is not empty (implying a session resumption
2173 request) this vector MUST include at least the cipher_suite from
2174 that session. Values are defined in Appendix A.5.
2176 compression_methods
2177 This is a list of the compression methods supported by the
2178 client, sorted by client preference. If the session_id field is
2179 not empty (implying a session resumption request) it must include
2180 the compression_method from that session. This vector must
2181 contain, and all implementations must support,
2182 CompressionMethod.null. Thus, a client and server will always be
2183 able to agree on a compression method.
2185 After sending the client hello message, the client waits for a server
2186 hello message. Any other handshake message returned by the server
2187 except for a hello request is treated as a fatal error.
2189 Forward compatibility note:
2190 In the interests of forward compatibility, it is permitted for a
2191 client hello message to include extra data after the compression
2192 methods. This data MUST be included in the handshake hashes, but
2193 must otherwise be ignored. This is the only handshake message for
2194 which this is legal; for all other messages, the amount of data
2195 in the message MUST match the description of the message
2196 precisely.
2198 Note: For the intended use of trailing data in the ClientHello, see RFC
2199 3546 [TLSEXT].
2201 7.4.1.3. Server hello
2203 When this message will be sent:
2204 The server will send this message in response to a client hello
2205 message when it was able to find an acceptable set of algorithms.
2206 If it cannot find such a match, it will respond with a handshake
2207 failure alert.
2209 Structure of this message:
2210 struct {
2211 ProtocolVersion server_version;
2212 Random random;
2213 SessionID session_id;
2214 CipherSuite cipher_suite;
2218 Dierks & Rescorla Standards Track [Page 41]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2221 CompressionMethod compression_method;
2222 } ServerHello;
2224 server_version
2225 This field will contain the lower of that suggested by the client
2226 in the client hello and the highest supported by the server. For
2227 this version of the specification, the version is 3.2 (See
2228 Appendix E for details about backward compatibility).
2230 random
2231 This structure is generated by the server and MUST be
2232 independently generated from the ClientHello.random.
2234 session_id
2235 This is the identity of the session corresponding to this
2236 connection. If the ClientHello.session_id was non-empty, the
2237 server will look in its session cache for a match. If a match is
2238 found and the server is willing to establish the new connection
2239 using the specified session state, the server will respond with
2240 the same value as was supplied by the client. This indicates a
2241 resumed session and dictates that the parties must proceed
2242 directly to the finished messages. Otherwise this field will
2243 contain a different value identifying the new session. The server
2244 may return an empty session_id to indicate that the session will
2245 not be cached and therefore cannot be resumed. If a session is
2246 resumed, it must be resumed using the same cipher suite it was
2247 originally negotiated with.
2249 cipher_suite
2250 The single cipher suite selected by the server from the list in
2251 ClientHello.cipher_suites. For resumed sessions this field is the
2252 value from the state of the session being resumed.
2254 compression_method
2255 The single compression algorithm selected by the server from the
2256 list in ClientHello.compression_methods. For resumed sessions
2257 this field is the value from the resumed session state.
2259 7.4.2. Server certificate
2261 When this message will be sent:
2262 The server MUST send a certificate whenever the agreed-upon key
2263 exchange method is not an anonymous one. This message will always
2264 immediately follow the server hello message.
2266 Meaning of this message:
2267 The certificate type MUST be appropriate for the selected cipher
2268 suite's key exchange algorithm, and is generally an X.509v3
2272 Dierks & Rescorla Standards Track [Page 42]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2275 certificate. It MUST contain a key which matches the key exchange
2276 method, as follows. Unless otherwise specified, the signing
2277 algorithm for the certificate MUST be the same as the algorithm
2278 for the certificate key. Unless otherwise specified, the public
2279 key MAY be of any length.
2281 Key Exchange Algorithm Certificate Key Type
2283 RSA RSA public key; the certificate MUST
2284 allow the key to be used for encryption.
2286 DHE_DSS DSS public key.
2288 DHE_RSA RSA public key which can be used for
2289 signing.
2291 DH_DSS Diffie-Hellman key. The algorithm used
2292 to sign the certificate MUST be DSS.
2294 DH_RSA Diffie-Hellman key. The algorithm used
2295 to sign the certificate MUST be RSA.
2297 All certificate profiles, key and cryptographic formats are defined
2298 by the IETF PKIX working group [PKIX]. When a key usage extension is
2299 present, the digitalSignature bit MUST be set for the key to be
2300 eligible for signing, as described above, and the keyEncipherment bit
2301 MUST be present to allow encryption, as described above. The
2302 keyAgreement bit must be set on Diffie-Hellman certificates.
2304 As CipherSuites which specify new key exchange methods are specified
2305 for the TLS Protocol, they will imply certificate format and the
2306 required encoded keying information.
2308 Structure of this message:
2309 opaque ASN.1Cert<1..2^24-1>;
2311 struct {
2312 ASN.1Cert certificate_list<0..2^24-1>;
2313 } Certificate;
2315 certificate_list
2316 This is a sequence (chain) of X.509v3 certificates. The sender's
2317 certificate must come first in the list. Each following
2318 certificate must directly certify the one preceding it. Because
2319 certificate validation requires that root keys be distributed
2320 independently, the self-signed certificate which specifies the
2321 root certificate authority may optionally be omitted from the
2322 chain, under the assumption that the remote end must already
2326 Dierks & Rescorla Standards Track [Page 43]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2329 possess it in order to validate it in any case.
2331 The same message type and structure will be used for the client's
2332 response to a certificate request message. Note that a client MAY
2333 send no certificates if it does not have an appropriate certificate
2334 to send in response to the server's authentication request.
2336 Note: PKCS #7 [PKCS7] is not used as the format for the certificate
2337 vector because PKCS #6 [PKCS6] extended certificates are not
2338 used. Also PKCS #7 defines a SET rather than a SEQUENCE, making
2339 the task of parsing the list more difficult.
2341 7.4.3. Server key exchange message
2343 When this message will be sent:
2344 This message will be sent immediately after the server
2345 certificate message (or the server hello message, if this is an
2346 anonymous negotiation).
2348 The server key exchange message is sent by the server only when
2349 the server certificate message (if sent) does not contain enough
2350 data to allow the client to exchange a premaster secret. This is
2351 true for the following key exchange methods:
2353 DHE_DSS
2354 DHE_RSA
2355 DH_anon
2357 It is not legal to send the server key exchange message for the
2358 following key exchange methods:
2360 RSA
2361 DH_DSS
2362 DH_RSA
2364 Meaning of this message:
2365 This message conveys cryptographic information to allow the
2366 client to communicate the premaster secret: either an RSA public
2367 key to encrypt the premaster secret with, or a Diffie-Hellman
2368 public key with which the client can complete a key exchange
2369 (with the result being the premaster secret.)
2371 As additional CipherSuites are defined for TLS which include new key
2372 exchange algorithms, the server key exchange message will be sent if
2373 and only if the certificate type associated with the key exchange
2374 algorithm does not provide enough information for the client to
2375 exchange a premaster secret.
2380 Dierks & Rescorla Standards Track [Page 44]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2383 Structure of this message:
2384 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
2386 struct {
2387 opaque rsa_modulus<1..2^16-1>;
2388 opaque rsa_exponent<1..2^16-1>;
2389 } ServerRSAParams;
2391 rsa_modulus
2392 The modulus of the server's temporary RSA key.
2394 rsa_exponent
2395 The public exponent of the server's temporary RSA key.
2397 struct {
2398 opaque dh_p<1..2^16-1>;
2399 opaque dh_g<1..2^16-1>;
2400 opaque dh_Ys<1..2^16-1>;
2401 } ServerDHParams; /* Ephemeral DH parameters */
2403 dh_p
2404 The prime modulus used for the Diffie-Hellman operation.
2406 dh_g
2407 The generator used for the Diffie-Hellman operation.
2409 dh_Ys
2410 The server's Diffie-Hellman public value (g^X mod p).
2412 struct {
2413 select (KeyExchangeAlgorithm) {
2414 case diffie_hellman:
2415 ServerDHParams params;
2416 Signature signed_params;
2417 case rsa:
2418 ServerRSAParams params;
2419 Signature signed_params;
2420 };
2421 } ServerKeyExchange;
2423 struct {
2424 select (KeyExchangeAlgorithm) {
2425 case diffie_hellman:
2426 ServerDHParams params;
2427 case rsa:
2428 ServerRSAParams params;
2429 };
2430 } ServerParams;
2434 Dierks & Rescorla Standards Track [Page 45]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2437 params
2438 The server's key exchange parameters.
2440 signed_params
2441 For non-anonymous key exchanges, a hash of the corresponding
2442 params value, with the signature appropriate to that hash
2443 applied.
2445 md5_hash
2446 MD5(ClientHello.random + ServerHello.random + ServerParams);
2448 sha_hash
2449 SHA(ClientHello.random + ServerHello.random + ServerParams);
2451 enum { anonymous, rsa, dsa } SignatureAlgorithm;
2454 struct {
2455 select (SignatureAlgorithm) {
2456 case anonymous: struct { };
2457 case rsa:
2458 digitally-signed struct {
2459 opaque md5_hash[16];
2460 opaque sha_hash[20];
2461 };
2462 case dsa:
2463 digitally-signed struct {
2464 opaque sha_hash[20];
2465 };
2466 };
2467 };
2468 } Signature;
2470 7.4.4. Certificate request
2472 When this message will be sent:
2473 A non-anonymous server can optionally request a certificate from
2474 the client, if appropriate for the selected cipher suite. This
2475 message, if sent, will immediately follow the Server Key Exchange
2476 message (if it is sent; otherwise, the Server Certificate
2477 message).
2479 Structure of this message:
2480 enum {
2481 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
2482 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
2483 fortezza_dms_RESERVED(20),
2484 (255)
2488 Dierks & Rescorla Standards Track [Page 46]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2491 } ClientCertificateType;
2493 opaque DistinguishedName<1..2^16-1>;
2495 struct {
2496 ClientCertificateType certificate_types<1..2^8-1>;
2497 DistinguishedName certificate_authorities<0..2^16-1>;
2498 } CertificateRequest;
2500 certificate_types
2501 This field is a list of the types of certificates requested,
2502 sorted in order of the server's preference.
2504 certificate_authorities
2505 A list of the distinguished names of acceptable certificate
2506 authorities. These distinguished names may specify a desired
2507 distinguished name for a root CA or for a subordinate CA;
2508 thus, this message can be used both to describe known roots
2509 and a desired authorization space. If the
2510 certificate_authorities list is empty then the client MAY
2511 send any certificate of the appropriate
2512 ClientCertificateType, unless there is some external
2513 arrangement to the contrary.
2516 ClientCertificateType values are divided into three groups:
2518 1. Values from 0 (zero) through 63 decimal (0x3F) inclusive are
2519 reserved for IETF Standards Track protocols.
2521 2. Values from 64 decimal (0x40) through 223 decimal (0xDF) inclusive
2522 are reserved for assignment for non-Standards Track methods.
2524 3. Values from 224 decimal (0xE0) through 255 decimal (0xFF)
2525 inclusive are reserved for private use.
2527 Additional information describing the role of IANA in the
2528 allocation of ClientCertificateType code points is described
2529 in Section 11.
2531 Note: Values listed as RESERVED may not be used. They were used in SSLv3.
2533 Note: DistinguishedName is derived from [X501]. DistinguishedNames are
2534 represented in DER-encoded format.
2536 Note: It is a fatal handshake_failure alert for an anonymous server to
2537 request client authentication.
2542 Dierks & Rescorla Standards Track [Page 47]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2545 7.4.5. Server hello done
2547 When this message will be sent:
2548 The server hello done message is sent by the server to indicate
2549 the end of the server hello and associated messages. After
2550 sending this message the server will wait for a client response.
2552 Meaning of this message:
2553 This message means that the server is done sending messages to
2554 support the key exchange, and the client can proceed with its
2555 phase of the key exchange.
2557 Upon receipt of the server hello done message the client SHOULD
2558 verify that the server provided a valid certificate if required
2559 and check that the server hello parameters are acceptable.
2561 Structure of this message:
2562 struct { } ServerHelloDone;
2564 7.4.6. Client certificate
2566 When this message will be sent:
2567 This is the first message the client can send after receiving a
2568 server hello done message. This message is only sent if the
2569 server requests a certificate. If no suitable certificate is
2570 available, the client SHOULD send a certificate message
2571 containing no certificates. That is, the certificate_list
2572 structure has a length of zero. If client authentication is
2573 required by the server for the handshake to continue, it may
2574 respond with a fatal handshake failure alert. Client certificates
2575 are sent using the Certificate structure defined in Section
2576 7.4.2.
2579 Note: When using a static Diffie-Hellman based key exchange method
2580 (DH_DSS or DH_RSA), if client authentication is requested, the
2581 Diffie-Hellman group and generator encoded in the client's
2582 certificate MUST match the server specified Diffie-Hellman
2583 parameters if the client's parameters are to be used for the key
2584 exchange.
2586 7.4.7. Client key exchange message
2588 When this message will be sent:
2589 This message is always sent by the client. It MUST immediately
2590 follow the client certificate message, if it is sent. Otherwise
2591 it MUST be the first message sent by the client after it receives
2592 the server hello done message.
2596 Dierks & Rescorla Standards Track [Page 48]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2599 Meaning of this message:
2600 With this message, the premaster secret is set, either though
2601 direct transmission of the RSA-encrypted secret, or by the
2602 transmission of Diffie-Hellman parameters which will allow each
2603 side to agree upon the same premaster secret. When the key
2604 exchange method is DH_RSA or DH_DSS, client certification has
2605 been requested, and the client was able to respond with a
2606 certificate which contained a Diffie-Hellman public key whose
2607 parameters (group and generator) matched those specified by the
2608 server in its certificate, this message MUST not contain any
2609 data.
2611 Structure of this message:
2612 The choice of messages depends on which key exchange method has
2613 been selected. See Section 7.4.3 for the KeyExchangeAlgorithm
2614 definition.
2616 struct {
2617 select (KeyExchangeAlgorithm) {
2618 case rsa: EncryptedPreMasterSecret;
2619 case diffie_hellman: ClientDiffieHellmanPublic;
2620 } exchange_keys;
2621 } ClientKeyExchange;
2623 7.4.7.1. RSA encrypted premaster secret message
2625 Meaning of this message:
2626 If RSA is being used for key agreement and authentication, the
2627 client generates a 48-byte premaster secret, encrypts it using
2628 the public key from the server's certificate or the temporary RSA
2629 key provided in a server key exchange message, and sends the
2630 result in an encrypted premaster secret message. This structure
2631 is a variant of the client key exchange message, not a message in
2632 itself.
2634 Structure of this message:
2635 struct {
2636 ProtocolVersion client_version;
2637 opaque random[46];
2638 } PreMasterSecret;
2640 client_version
2641 The latest (newest) version supported by the client. This is
2642 used to detect version roll-back attacks. Upon receiving the
2643 premaster secret, the server SHOULD check that this value
2644 matches the value transmitted by the client in the client
2645 hello message.
2650 Dierks & Rescorla Standards Track [Page 49]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2653 random
2654 46 securely-generated random bytes.
2656 struct {
2657 public-key-encrypted PreMasterSecret pre_master_secret;
2658 } EncryptedPreMasterSecret;
2660 pre_master_secret
2661 This random value is generated by the client and is used to
2662 generate the master secret, as specified in Section 8.1.
2664 Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used
2665 to attack a TLS server which is using PKCS#1 v 1.5 encoded RSA.
2666 The attack takes advantage of the fact that by failing in
2667 different ways, a TLS server can be coerced into revealing
2668 whether a particular message, when decrypted, is properly PKCS#1
2669 v1.5 formatted or not.
2671 The best way to avoid vulnerability to this attack is to treat
2672 incorrectly formatted messages in a manner indistinguishable from
2673 correctly formatted RSA blocks. Thus, when it receives an
2674 incorrectly formatted RSA block, a server should generate a
2675 random 48-byte value and proceed using it as the premaster
2676 secret. Thus, the server will act identically whether the
2677 received RSA block is correctly encoded or not.
2679 [PKCS1B] defines a newer version of PKCS#1 encoding that is more
2680 secure against the Bleichenbacher attack. However, for maximal
2681 compatibility with TLS 1.0, TLS 1.1 retains the original
2682 encoding. No variants of the Bleichenbacher attack are known to
2683 exist provided that the above recommendations are followed.
2685 Implementation Note: public-key-encrypted data is represented as an
2686 opaque vector <0..2^16-1> (see section 4.7). Thus the RSA-
2687 encrypted PreMasterSecret in a ClientKeyExchange is preceded by
2688 two length bytes. These bytes are redundant in the case of RSA
2689 because the EncryptedPreMasterSecret is the only data in the
2690 ClientKeyExchange and its length can therefore be unambiguously
2691 determined. The SSLv3 specification was not clear about the
2692 encoding of public-key-encrypted data and therefore many SSLv3
2693 implementations do not include the the length bytes, encoding the
2694 RSA encrypted data directly in the ClientKeyExchange message.
2696 This specification requires correct encoding of the
2697 EncryptedPreMasterSecret complete with length bytes. The
2698 resulting PDU is incompatible with many SSLv3 implementations.
2699 Implementors upgrading from SSLv3 must modify their
2700 implementations to generate and accept the correct encoding.
2704 Dierks & Rescorla Standards Track [Page 50]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2707 Implementors who wish to be compatible with both SSLv3 and TLS
2708 should make their implementation's behavior dependent on the
2709 protocol version.
2711 Implementation Note: It is now known that remote timing-based attacks
2712 on SSL are possible, at least when the client and server are on
2713 the same LAN. Accordingly, implementations which use static RSA
2714 keys SHOULD use RSA blinding or some other anti-timing technique,
2715 as described in [TIMING].
2717 Note: The version number in the PreMasterSecret MUST be the version
2718 offered by the client in the ClientHello, not the version
2719 negotiated for the connection. This feature is designed to
2720 prevent rollback attacks. Unfortunately, many implementations use
2721 the negotiated version instead and therefore checking the version
2722 number may lead to failure to interoperate with such incorrect
2723 client implementations. Client implementations MUST and Server
2724 implementations MAY check the version number. In practice, since
2725 the TLS handshake MACs prevent downgrade and no good attacks are
2726 known on those MACs, ambiguity is not considered a serious
2727 security risk. Note that if servers choose to to check the
2728 version number, they should randomize the PreMasterSecret in case
2729 of error, rather than generate an alert, in order to avoid
2730 variants on the Bleichenbacher attack. [KPR03]
2732 7.4.7.2. Client Diffie-Hellman public value
2734 Meaning of this message:
2735 This structure conveys the client's Diffie-Hellman public value
2736 (Yc) if it was not already included in the client's certificate.
2737 The encoding used for Yc is determined by the enumerated
2738 PublicValueEncoding. This structure is a variant of the client
2739 key exchange message, not a message in itself.
2741 Structure of this message:
2742 enum { implicit, explicit } PublicValueEncoding;
2744 implicit
2745 If the client certificate already contains a suitable Diffie-
2746 Hellman key, then Yc is implicit and does not need to be sent
2747 again. In this case, the client key exchange message will be
2748 sent, but MUST be empty.
2750 explicit
2751 Yc needs to be sent.
2753 struct {
2754 select (PublicValueEncoding) {
2758 Dierks & Rescorla Standards Track [Page 51]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2761 case implicit: struct { };
2762 case explicit: opaque dh_Yc<1..2^16-1>;
2763 } dh_public;
2764 } ClientDiffieHellmanPublic;
2766 dh_Yc
2767 The client's Diffie-Hellman public value (Yc).
2769 7.4.8. Certificate verify
2771 When this message will be sent:
2772 This message is used to provide explicit verification of a client
2773 certificate. This message is only sent following a client
2774 certificate that has signing capability (i.e. all certificates
2775 except those containing fixed Diffie-Hellman parameters). When
2776 sent, it MUST immediately follow the client key exchange message.
2778 Structure of this message:
2779 struct {
2780 Signature signature;
2781 } CertificateVerify;
2783 The Signature type is defined in 7.4.3.
2785 CertificateVerify.signature.md5_hash
2786 MD5(handshake_messages);
2788 CertificateVerify.signature.sha_hash
2789 SHA(handshake_messages);
2791 Here handshake_messages refers to all handshake messages sent or
2792 received starting at client hello up to but not including this
2793 message, including the type and length fields of the handshake
2794 messages. This is the concatenation of all the Handshake structures
2795 as defined in 7.4 exchanged thus far.
2797 7.4.9. Finished
2799 When this message will be sent:
2800 A finished message is always sent immediately after a change
2801 cipher spec message to verify that the key exchange and
2802 authentication processes were successful. It is essential that a
2803 change cipher spec message be received between the other
2804 handshake messages and the Finished message.
2806 Meaning of this message:
2807 The finished message is the first protected with the just-
2808 negotiated algorithms, keys, and secrets. Recipients of finished
2812 Dierks & Rescorla Standards Track [Page 52]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2815 messages MUST verify that the contents are correct. Once a side
2816 has sent its Finished message and received and validated the
2817 Finished message from its peer, it may begin to send and receive
2818 application data over the connection.
2820 struct {
2821 opaque verify_data[12];
2822 } Finished;
2824 verify_data
2825 PRF(master_secret, finished_label, MD5(handshake_messages) +
2826 SHA-1(handshake_messages)) [0..11];
2828 finished_label
2829 For Finished messages sent by the client, the string "client
2830 finished". For Finished messages sent by the server, the
2831 string "server finished".
2833 handshake_messages
2834 All of the data from all messages in this handshake (not
2835 including any HelloRequest messages) up to but not including
2836 this message. This is only data visible at the handshake
2837 layer and does not include record layer headers. This is the
2838 concatenation of all the Handshake structures as defined in
2839 7.4 exchanged thus far.
2841 It is a fatal error if a finished message is not preceded by a change
2842 cipher spec message at the appropriate point in the handshake.
2844 The value handshake_messages includes all handshake messages starting
2845 at client hello up to, but not including, this finished message. This
2846 may be different from handshake_messages in Section 7.4.8 because it
2847 would include the certificate verify message (if sent). Also, the
2848 handshake_messages for the finished message sent by the client will
2849 be different from that for the finished message sent by the server,
2850 because the one which is sent second will include the prior one.
2852 Note: Change cipher spec messages, alerts and any other record types
2853 are not handshake messages and are not included in the hash
2854 computations. Also, Hello Request messages are omitted from
2855 handshake hashes.
2857 8. Cryptographic computations
2859 In order to begin connection protection, the TLS Record Protocol
2860 requires specification of a suite of algorithms, a master secret, and
2861 the client and server random values. The authentication, encryption,
2862 and MAC algorithms are determined by the cipher_suite selected by the
2866 Dierks & Rescorla Standards Track [Page 53]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2869 server and revealed in the server hello message. The compression
2870 algorithm is negotiated in the hello messages, and the random values
2871 are exchanged in the hello messages. All that remains is to calculate
2872 the master secret.
2874 8.1. Computing the master secret
2876 For all key exchange methods, the same algorithm is used to convert
2877 the pre_master_secret into the master_secret. The pre_master_secret
2878 should be deleted from memory once the master_secret has been
2879 computed.
2881 master_secret = PRF(pre_master_secret, "master secret",
2882 ClientHello.random + ServerHello.random)
2883 [0..47];
2885 The master secret is always exactly 48 bytes in length. The length of
2886 the premaster secret will vary depending on key exchange method.
2920 Dierks & Rescorla Standards Track [Page 54]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2923 8.1.1. RSA
2925 When RSA is used for server authentication and key exchange, a
2926 48-byte pre_master_secret is generated by the client, encrypted under
2927 the server's public key, and sent to the server. The server uses its
2928 private key to decrypt the pre_master_secret. Both parties then
2929 convert the pre_master_secret into the master_secret, as specified
2930 above.
2932 RSA digital signatures are performed using PKCS #1 [PKCS1] block type
2933 1. RSA public key encryption is performed using PKCS #1 block type 2.
2935 8.1.2. Diffie-Hellman
2937 A conventional Diffie-Hellman computation is performed. The
2938 negotiated key (Z) is used as the pre_master_secret, and is converted
2939 into the master_secret, as specified above. Leading bytes of Z that
2940 contain all zero bits are stripped before it is used as the
2941 pre_master_secret.
2943 Note: Diffie-Hellman parameters are specified by the server, and may
2944 be either ephemeral or contained within the server's certificate.
2946 9. Mandatory Cipher Suites
2948 In the absence of an application profile standard specifying
2949 otherwise, a TLS compliant application MUST implement the cipher
2950 suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
2952 10. Application data protocol
2954 Application data messages are carried by the Record Layer and are
2955 fragmented, compressed and encrypted based on the current connection
2956 state. The messages are treated as transparent data to the record
2957 layer.
2959 11. IANA Considerations
2961 Section 7.4.3 describes a TLS ClientCertificateType Registry to be
2962 maintained by the IANA, as defining a number of such code point
2963 identifiers. ClientCertificateType identifiers with values in the
2964 range 0-63 (decimal) inclusive are assigned via RFC 2434 Standards
2965 Action. Values from the range 64-223 (decimal) inclusive are assigned
2966 via [RFC 2434] Specification Required. Identifier values from
2967 224-255 (decimal) inclusive are reserved for RFC 2434 Private Use.
2968 The registry will be initially populated with the values in this
2969 document.
2974 Dierks & Rescorla Standards Track [Page 55]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
2977 Section A.5 describes a TLS Cipher Suite Registry to be maintained by
2978 the IANA, as well as defining a number of such cipher suite
2979 identifiers. Cipher suite values with the first byte in the range
2980 0-191 (decimal) inclusive are assigned via RFC 2434 Standards Action.
2981 Values with the first byte in the range 192-254 (decimal) are
2982 assigned via RFC 2434 Specification Required. Values with the first
2983 byte 255 (decimal) are reserved for RFC 2434 Private Use. The
2984 registry will be initially populated with the values from this
2985 document, [TLSAES], and [TLSKRB].
2987 Section 6 requires that all ContentType values be defined by RFC 2434
2988 Standards Action. IANA SHOULD create a TLS ContentType registry,
2989 initially populated with values from this document. Future values
2990 MUST be allocated via Standards Action as described in [RFC 2434].
2992 Section 7.2.2 requires that all Alert values be defined by RFC 2434
2993 Standards Action. IANA SHOULD create a TLS Alert registry, initially
2994 populated with values from this document and [TLSEXT]. Future values
2995 MUST be allocated via Standards Action as described in [RFC 2434].
2997 Section 7.4 requires that all HandshakeType values be defined by RFC
2998 2434 Standards Action. IANA SHOULD create a TLS HandshakeType
2999 registry, initially populated with values from this document,
3000 [TLSEXT], and [TLSKRB]. Future values MUST be allocated via
3001 Standards Action as described in [RFC 2434].
3028 Dierks & Rescorla Standards Track [Page 56]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3031 A. Protocol constant values
3033 This section describes protocol types and constants.
3035 A.1. Record layer
3037 struct {
3038 uint8 major, minor;
3039 } ProtocolVersion;
3041 ProtocolVersion version = { 3, 2 }; /* TLS v1.1 */
3043 enum {
3044 change_cipher_spec(20), alert(21), handshake(22),
3045 application_data(23), (255)
3046 } ContentType;
3048 struct {
3049 ContentType type;
3050 ProtocolVersion version;
3051 uint16 length;
3052 opaque fragment[TLSPlaintext.length];
3053 } TLSPlaintext;
3055 struct {
3056 ContentType type;
3057 ProtocolVersion version;
3058 uint16 length;
3059 opaque fragment[TLSCompressed.length];
3060 } TLSCompressed;
3062 struct {
3063 ContentType type;
3064 ProtocolVersion version;
3065 uint16 length;
3066 select (CipherSpec.cipher_type) {
3067 case stream: GenericStreamCipher;
3068 case block: GenericBlockCipher;
3069 } fragment;
3070 } TLSCiphertext;
3072 stream-ciphered struct {
3073 opaque content[TLSCompressed.length];
3074 opaque MAC[CipherSpec.hash_size];
3075 } GenericStreamCipher;
3077 block-ciphered struct {
3078 opaque IV[CipherSpec.block_length];
3082 Dierks & Rescorla Standards Track [Page 57]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3085 opaque content[TLSCompressed.length];
3086 opaque MAC[CipherSpec.hash_size];
3087 uint8 padding[GenericBlockCipher.padding_length];
3088 uint8 padding_length;
3089 } GenericBlockCipher;
3091 A.2. Change cipher specs message
3093 struct {
3094 enum { change_cipher_spec(1), (255) } type;
3095 } ChangeCipherSpec;
3097 A.3. Alert messages
3099 enum { warning(1), fatal(2), (255) } AlertLevel;
3101 enum {
3102 close_notify(0),
3103 unexpected_message(10),
3104 bad_record_mac(20),
3105 decryption_failed(21),
3106 record_overflow(22),
3107 decompression_failure(30),
3108 handshake_failure(40),
3109 no_certificate_RESERVED (41),
3110 bad_certificate(42),
3111 unsupported_certificate(43),
3112 certificate_revoked(44),
3113 certificate_expired(45),
3114 certificate_unknown(46),
3115 illegal_parameter(47),
3116 unknown_ca(48),
3117 access_denied(49),
3118 decode_error(50),
3119 decrypt_error(51),
3120 export_restriction_RESERVED(60),
3121 protocol_version(70),
3122 insufficient_security(71),
3123 internal_error(80),
3124 user_canceled(90),
3125 no_renegotiation(100),
3126 (255)
3127 } AlertDescription;
3129 struct {
3130 AlertLevel level;
3131 AlertDescription description;
3132 } Alert;
3136 Dierks & Rescorla Standards Track [Page 58]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3139 A.4. Handshake protocol
3141 enum {
3142 hello_request(0), client_hello(1), server_hello(2),
3143 certificate(11), server_key_exchange (12),
3144 certificate_request(13), server_hello_done(14),
3145 certificate_verify(15), client_key_exchange(16),
3146 finished(20), (255)
3147 } HandshakeType;
3149 struct {
3150 HandshakeType msg_type;
3151 uint24 length;
3152 select (HandshakeType) {
3153 case hello_request: HelloRequest;
3154 case client_hello: ClientHello;
3155 case server_hello: ServerHello;
3156 case certificate: Certificate;
3157 case server_key_exchange: ServerKeyExchange;
3158 case certificate_request: CertificateRequest;
3159 case server_hello_done: ServerHelloDone;
3160 case certificate_verify: CertificateVerify;
3161 case client_key_exchange: ClientKeyExchange;
3162 case finished: Finished;
3163 } body;
3164 } Handshake;
3166 A.4.1. Hello messages
3168 struct { } HelloRequest;
3170 struct {
3171 uint32 gmt_unix_time;
3172 opaque random_bytes[28];
3173 } Random;
3175 opaque SessionID<0..32>;
3177 uint8 CipherSuite[2];
3179 enum { null(0), (255) } CompressionMethod;
3181 struct {
3182 ProtocolVersion client_version;
3183 Random random;
3184 SessionID session_id;
3185 CipherSuite cipher_suites<2..2^16-1>;
3186 CompressionMethod compression_methods<1..2^8-1>;
3190 Dierks & Rescorla Standards Track [Page 59]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3193 } ClientHello;
3195 struct {
3196 ProtocolVersion server_version;
3197 Random random;
3198 SessionID session_id;
3199 CipherSuite cipher_suite;
3200 CompressionMethod compression_method;
3201 } ServerHello;
3203 A.4.2. Server authentication and key exchange messages
3205 opaque ASN.1Cert<2^24-1>;
3207 struct {
3208 ASN.1Cert certificate_list<0..2^24-1>;
3209 } Certificate;
3211 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
3213 struct {
3214 opaque rsa_modulus<1..2^16-1>;
3215 opaque rsa_exponent<1..2^16-1>;
3216 } ServerRSAParams;
3218 struct {
3219 opaque dh_p<1..2^16-1>;
3220 opaque dh_g<1..2^16-1>;
3221 opaque dh_Ys<1..2^16-1>;
3222 } ServerDHParams;
3224 struct {
3225 select (KeyExchangeAlgorithm) {
3226 case diffie_hellman:
3227 ServerDHParams params;
3228 Signature signed_params;
3229 case rsa:
3230 ServerRSAParams params;
3231 Signature signed_params;
3232 };
3233 } ServerKeyExchange;
3235 enum { anonymous, rsa, dsa } SignatureAlgorithm;
3237 struct {
3238 select (KeyExchangeAlgorithm) {
3239 case diffie_hellman:
3240 ServerDHParams params;
3244 Dierks & Rescorla Standards Track [Page 60]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3247 case rsa:
3248 ServerRSAParams params;
3249 };
3250 } ServerParams;
3252 struct {
3253 select (SignatureAlgorithm) {
3254 case anonymous: struct { };
3255 case rsa:
3256 digitally-signed struct {
3257 opaque md5_hash[16];
3258 opaque sha_hash[20];
3259 };
3260 case dsa:
3261 digitally-signed struct {
3262 opaque sha_hash[20];
3263 };
3264 };
3265 };
3266 } Signature;
3268 enum {
3269 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3270 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
3271 fortezza_dms_RESERVED(20),
3272 (255)
3273 } ClientCertificateType;
3275 opaque DistinguishedName<1..2^16-1>;
3277 struct {
3278 ClientCertificateType certificate_types<1..2^8-1>;
3279 DistinguishedName certificate_authorities<0..2^16-1>;
3280 } CertificateRequest;
3282 struct { } ServerHelloDone;
3284 A.4.3. Client authentication and key exchange messages
3286 struct {
3287 select (KeyExchangeAlgorithm) {
3288 case rsa: EncryptedPreMasterSecret;
3289 case diffie_hellman: ClientDiffieHellmanPublic;
3290 } exchange_keys;
3291 } ClientKeyExchange;
3293 struct {
3294 ProtocolVersion client_version;
3298 Dierks & Rescorla Standards Track [Page 61]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3301 opaque random[46];
3302 } PreMasterSecret;
3304 struct {
3305 public-key-encrypted PreMasterSecret pre_master_secret;
3306 } EncryptedPreMasterSecret;
3308 enum { implicit, explicit } PublicValueEncoding;
3310 struct {
3311 select (PublicValueEncoding) {
3312 case implicit: struct {};
3313 case explicit: opaque DH_Yc<1..2^16-1>;
3314 } dh_public;
3315 } ClientDiffieHellmanPublic;
3317 struct {
3318 Signature signature;
3319 } CertificateVerify;
3321 A.4.4. Handshake finalization message
3323 struct {
3324 opaque verify_data[12];
3325 } Finished;
3327 A.5. The CipherSuite
3329 The following values define the CipherSuite codes used in the client
3330 hello and server hello messages.
3332 A CipherSuite defines a cipher specification supported in TLS Version
3333 1.1.
3335 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
3336 TLS connection during the first handshake on that channel, but must
3337 not be negotiated, as it provides no more protection than an
3338 unsecured connection.
3340 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
3342 The following CipherSuite definitions require that the server provide
3343 an RSA certificate that can be used for key exchange. The server may
3344 request either an RSA or a DSS signature-capable certificate in the
3345 certificate request message.
3347 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
3348 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
3352 Dierks & Rescorla Standards Track [Page 62]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3355 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
3356 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
3357 CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
3358 CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
3359 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
3361 The following CipherSuite definitions are used for server-
3362 authenticated (and optionally client-authenticated) Diffie-Hellman.
3363 DH denotes cipher suites in which the server's certificate contains
3364 the Diffie-Hellman parameters signed by the certificate authority
3365 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman
3366 parameters are signed by a DSS or RSA certificate, which has been
3367 signed by the CA. The signing algorithm used is specified after the
3368 DH or DHE parameter. The server can request an RSA or DSS signature-
3369 capable certificate from the client for client authentication or it
3370 may request a Diffie-Hellman certificate. Any Diffie-Hellman
3371 certificate provided by the client must use the parameters (group and
3372 generator) described by the server.
3374 CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
3375 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
3376 CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
3377 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
3378 CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
3379 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
3380 CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
3381 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
3383 The following cipher suites are used for completely anonymous Diffie-
3384 Hellman communications in which neither party is authenticated. Note
3385 that this mode is vulnerable to man-in-the-middle attacks and is
3386 therefore deprecated.
3388 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
3389 CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
3390 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
3392 When SSLv3 and TLS 1.0 were designed, the United States restricted
3393 the export of cryptographic software containing certain strong
3394 encryption algorithms. A series of cipher suites were designed to
3395 operate at reduced key lengths in order to comply with those
3396 regulations. Due to advances in computer performance, these
3397 algorithms are now unacceptably weak and export restrictions have
3398 since been loosened. TLS 1.1 implementations MUST NOT negotiate these
3399 cipher suites in TLS 1.1 mode. However, for backward compatibility
3400 they may be offered in the ClientHello for use with TLS 1.0 or SSLv3
3401 only servers. TLS 1.1 clients MUST check that the server did not
3402 choose one of these cipher suites during the handshake. These
3406 Dierks & Rescorla Standards Track [Page 63]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3409 ciphersuites are listed below for informational purposes and to
3410 reserve the numbers.
3412 CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
3413 CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
3414 CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
3415 CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
3416 CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
3417 CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
3418 CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
3419 CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
3420 CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
3422 The following cipher suites were defined in [TLSKRB] and are included
3423 here for completeness. See [TLSKRB] for details:
3425 CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E };
3426 CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
3427 CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 };
3428 CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
3429 CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 };
3430 CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
3431 CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 };
3432 CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
3434 The following exportable cipher suites were defined in [TLSKRB] and
3435 are included here for completeness. TLS 1.1 implementations MUST NOT
3436 negotiate these cipher suites.
3438 CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26
3439 };
3440 CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27
3441 };
3442 CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28
3443 };
3444 CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29
3445 };
3446 CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A
3447 };
3448 CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B
3449 };
3451 The following cipher suites were defined in [TLSAES] and are included
3452 here for completeness. See [TLSAES] for details:
3454 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
3455 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
3456 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
3460 Dierks & Rescorla Standards Track [Page 64]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3463 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
3464 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
3465 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
3467 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };
3468 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };
3469 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };
3470 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };
3471 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };
3472 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
3474 The cipher suite space is divided into three regions:
3476 1. Cipher suite values with first byte 0x00 (zero)
3477 through decimal 191 (0xBF) inclusive are reserved for the IETF
3478 Standards Track protocols.
3480 2. Cipher suite values with first byte decimal 192 (0xC0)
3481 through decimal 254 (0xFE) inclusive are reserved
3482 for assignment for non-Standards Track methods.
3484 3. Cipher suite values with first byte 0xFF are
3485 reserved for private use.
3486 Additional information describing the role of IANA in the allocation
3487 of cipher suite code points is described in Section 11.
3489 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
3490 reserved to avoid collision with Fortezza-based cipher suites in SSL
3491 3.
3493 A.6. The Security Parameters
3495 These security parameters are determined by the TLS Handshake
3496 Protocol and provided as parameters to the TLS Record Layer in order
3497 to initialize a connection state. SecurityParameters includes:
3499 enum { null(0), (255) } CompressionMethod;
3501 enum { server, client } ConnectionEnd;
3503 enum { null, rc4, rc2, des, 3des, des40, aes, idea }
3504 BulkCipherAlgorithm;
3506 enum { stream, block } CipherType;
3508 enum { null, md5, sha } MACAlgorithm;
3510 /* The algorithms specified in CompressionMethod,
3514 Dierks & Rescorla Standards Track [Page 65]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3517 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
3519 struct {
3520 ConnectionEnd entity;
3521 BulkCipherAlgorithm bulk_cipher_algorithm;
3522 CipherType cipher_type;
3523 uint8 key_size;
3524 uint8 key_material_length;
3525 MACAlgorithm mac_algorithm;
3526 uint8 hash_size;
3527 CompressionMethod compression_algorithm;
3528 opaque master_secret[48];
3529 opaque client_random[32];
3530 opaque server_random[32];
3531 } SecurityParameters;
3568 Dierks & Rescorla Standards Track [Page 66]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3571 B. Glossary
3573 Advanced Encryption Standard (AES)
3574 AES is a widely used symmetric encryption algorithm.
3575 AES is
3576 a block cipher with a 128, 192, or 256 bit keys and a 16 byte
3577 block size. [AES] TLS currently only supports the 128 and 256
3578 bit key sizes.
3580 application protocol
3581 An application protocol is a protocol that normally layers
3582 directly on top of the transport layer (e.g., TCP/IP). Examples
3583 include HTTP, TELNET, FTP, and SMTP.
3585 asymmetric cipher
3586 See public key cryptography.
3588 authentication
3589 Authentication is the ability of one entity to determine the
3590 identity of another entity.
3592 block cipher
3593 A block cipher is an algorithm that operates on plaintext in
3594 groups of bits, called blocks. 64 bits is a common block size.
3596 bulk cipher
3597 A symmetric encryption algorithm used to encrypt large quantities
3598 of data.
3600 cipher block chaining (CBC)
3601 CBC is a mode in which every plaintext block encrypted with a
3602 block cipher is first exclusive-ORed with the previous ciphertext
3603 block (or, in the case of the first block, with the
3604 initialization vector). For decryption, every block is first
3605 decrypted, then exclusive-ORed with the previous ciphertext block
3606 (or IV).
3608 certificate
3609 As part of the X.509 protocol (a.k.a. ISO Authentication
3610 framework), certificates are assigned by a trusted Certificate
3611 Authority and provide a strong binding between a party's identity
3612 or some other attributes and its public key.
3614 client
3615 The application entity that initiates a TLS connection to a
3616 server. This may or may not imply that the client initiated the
3617 underlying transport connection. The primary operational
3618 difference between the server and client is that the server is
3622 Dierks & Rescorla Standards Track [Page 67]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3625 generally authenticated, while the client is only optionally
3626 authenticated.
3628 client write key
3629 The key used to encrypt data written by the client.
3631 client write MAC secret
3632 The secret data used to authenticate data written by the client.
3634 connection
3635 A connection is a transport (in the OSI layering model
3636 definition) that provides a suitable type of service. For TLS,
3637 such connections are peer to peer relationships. The connections
3638 are transient. Every connection is associated with one session.
3640 Data Encryption Standard
3641 DES is a very widely used symmetric encryption algorithm. DES is
3642 a block cipher with a 56 bit key and an 8 byte block size. Note
3643 that in TLS, for key generation purposes, DES is treated as
3644 having an 8 byte key length (64 bits), but it still only provides
3645 56 bits of protection. (The low bit of each key byte is presumed
3646 to be set to produce odd parity in that key byte.) DES can also
3647 be operated in a mode where three independent keys and three
3648 encryptions are used for each block of data; this uses 168 bits
3649 of key (24 bytes in the TLS key generation method) and provides
3650 the equivalent of 112 bits of security. [DES], [3DES]
3652 Digital Signature Standard (DSS)
3653 A standard for digital signing, including the Digital Signing
3654 Algorithm, approved by the National Institute of Standards and
3655 Technology, defined in NIST FIPS PUB 186, "Digital Signature
3656 Standard," published May, 1994 by the U.S. Dept. of Commerce.
3657 [DSS]
3659 digital signatures
3660 Digital signatures utilize public key cryptography and one-way
3661 hash functions to produce a signature of the data that can be
3662 authenticated, and is difficult to forge or repudiate.
3664 handshake
3665 An initial negotiation between client and server that establishes
3666 the parameters of their transactions.
3668 Initialization Vector (IV)
3669 When a block cipher is used in CBC mode, the initialization
3670 vector is exclusive-ORed with the first plaintext block prior to
3671 encryption.
3676 Dierks & Rescorla Standards Track [Page 68]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3679 IDEA
3680 A 64-bit block cipher designed by Xuejia Lai and James Massey.
3681 [IDEA]
3683 Message Authentication Code (MAC)
3684 A Message Authentication Code is a one-way hash computed from a
3685 message and some secret data. It is difficult to forge without
3686 knowing the secret data. Its purpose is to detect if the message
3687 has been altered.
3689 master secret
3690 Secure secret data used for generating encryption keys, MAC
3691 secrets, and IVs.
3693 MD5
3694 MD5 is a secure hashing function that converts an arbitrarily
3695 long data stream into a digest of fixed size (16 bytes). [MD5]
3697 public key cryptography
3698 A class of cryptographic techniques employing two-key ciphers.
3699 Messages encrypted with the public key can only be decrypted with
3700 the associated private key. Conversely, messages signed with the
3701 private key can be verified with the public key.
3703 one-way hash function
3704 A one-way transformation that converts an arbitrary amount of
3705 data into a fixed-length hash. It is computationally hard to
3706 reverse the transformation or to find collisions. MD5 and SHA are
3707 examples of one-way hash functions.
3709 RC2
3710 A block cipher developed by Ron Rivest at RSA Data Security, Inc.
3711 [RSADSI] described in [RC2].
3713 RC4
3714 A stream cipher invented by Ron Rivest. A compatible cipher is
3715 described in [SCH].
3717 RSA
3718 A very widely used public-key algorithm that can be used for
3719 either encryption or digital signing. [RSA]
3721 server
3722 The server is the application entity that responds to requests
3723 for connections from clients. See also under client.
3730 Dierks & Rescorla Standards Track [Page 69]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3733 session
3734 A TLS session is an association between a client and a server.
3735 Sessions are created by the handshake protocol. Sessions define a
3736 set of cryptographic security parameters, which can be shared
3737 among multiple connections. Sessions are used to avoid the
3738 expensive negotiation of new security parameters for each
3739 connection.
3741 session identifier
3742 A session identifier is a value generated by a server that
3743 identifies a particular session.
3745 server write key
3746 The key used to encrypt data written by the server.
3748 server write MAC secret
3749 The secret data used to authenticate data written by the server.
3751 SHA
3752 The Secure Hash Algorithm is defined in FIPS PUB 180-2. It
3753 produces a 20-byte output. Note that all references to SHA
3754 actually use the modified SHA-1 algorithm. [SHA]
3756 SSL
3757 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
3758 SSL Version 3.0
3760 stream cipher
3761 An encryption algorithm that converts a key into a
3762 cryptographically-strong keystream, which is then exclusive-ORed
3763 with the plaintext.
3765 symmetric cipher
3766 See bulk cipher.
3768 Transport Layer Security (TLS)
3769 This protocol; also, the Transport Layer Security working group
3770 of the Internet Engineering Task Force (IETF). See "Comments" at
3771 the end of this document.
3784 Dierks & Rescorla Standards Track [Page 70]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3787 C. CipherSuite definitions
3789 CipherSuite Key Cipher Hash
3790 Exchange
3792 TLS_NULL_WITH_NULL_NULL NULL NULL NULL
3793 TLS_RSA_WITH_NULL_MD5 RSA NULL MD5
3794 TLS_RSA_WITH_NULL_SHA RSA NULL SHA
3795 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
3796 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
3797 TLS_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA
3798 TLS_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA
3799 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
3800 TLS_DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA
3801 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
3802 TLS_DH_RSA_WITH_DES_CBC_SHA DH_RSA DES_CBC SHA
3803 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
3804 TLS_DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA
3805 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
3806 TLS_DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA
3807 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
3808 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
3809 TLS_DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA
3810 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
3812 Key
3813 Exchange
3814 Algorithm Description Key size limit
3816 DHE_DSS Ephemeral DH with DSS signatures None
3817 DHE_RSA Ephemeral DH with RSA signatures None
3818 DH_anon Anonymous DH, no signatures None
3819 DH_DSS DH with DSS-based certificates None
3820 DH_RSA DH with RSA-based certificates None
3821 RSA = none
3822 NULL No key exchange N/A
3823 RSA RSA key exchange None
3825 Key Expanded IV Block
3826 Cipher Type Material Key Material Size Size
3828 NULL Stream 0 0 0 N/A
3829 IDEA_CBC Block 16 16 8 8
3830 RC2_CBC_40 Block 5 16 8 8
3831 RC4_40 Stream 5 16 0 N/A
3832 RC4_128 Stream 16 16 0 N/A
3833 DES40_CBC Block 5 8 8 8
3834 DES_CBC Block 8 8 8 8
3838 Dierks & Rescorla Standards Track [Page 71]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3841 3DES_EDE_CBC Block 24 24 8 8
3843 Type
3844 Indicates whether this is a stream cipher or a block cipher
3845 running in CBC mode.
3847 Key Material
3848 The number of bytes from the key_block that are used for
3849 generating the write keys.
3851 Expanded Key Material
3852 The number of bytes actually fed into the encryption algorithm
3854 IV Size
3855 How much data needs to be generated for the initialization
3856 vector. Zero for stream ciphers; equal to the block size for
3857 block ciphers.
3859 Block Size
3860 The amount of data a block cipher enciphers in one chunk; a
3861 block cipher running in CBC mode can only encrypt an even
3862 multiple of its block size.
3864 Hash Hash Padding
3865 function Size Size
3866 NULL 0 0
3867 MD5 16 48
3868 SHA 20 40
3892 Dierks & Rescorla Standards Track [Page 72]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3895 D. Implementation Notes
3897 The TLS protocol cannot prevent many common security mistakes. This
3898 section provides several recommendations to assist implementors.
3900 D.1 Random Number Generation and Seeding
3902 TLS requires a cryptographically-secure pseudorandom number generator
3903 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
3904 based on secure hash operations, most notably MD5 and/or SHA, are
3905 acceptable, but cannot provide more security than the size of the
3906 random number generator state. (For example, MD5-based PRNGs usually
3907 provide 128 bits of state.)
3909 To estimate the amount of seed material being produced, add the
3910 number of bits of unpredictable information in each seed byte. For
3911 example, keystroke timing values taken from a PC compatible's 18.2 Hz
3912 timer provide 1 or 2 secure bits each, even though the total size of
3913 the counter value is 16 bits or more. To seed a 128-bit PRNG, one
3914 would thus require approximately 100 such timer values.
3916 [RANDOM] provides guidance on the generation of random values.
3918 D.2 Certificates and authentication
3920 Implementations are responsible for verifying the integrity of
3921 certificates and should generally support certificate revocation
3922 messages. Certificates should always be verified to ensure proper
3923 signing by a trusted Certificate Authority (CA). The selection and
3924 addition of trusted CAs should be done very carefully. Users should
3925 be able to view information about the certificate and root CA.
3927 D.3 CipherSuites
3929 TLS supports a range of key sizes and security levels, including some
3930 which provide no or minimal security. A proper implementation will
3931 probably not support many cipher suites. For example, 40-bit
3932 encryption is easily broken, so implementations requiring strong
3933 security should not allow 40-bit keys. Similarly, anonymous Diffie-
3934 Hellman is strongly discouraged because it cannot prevent man-in-the-
3935 middle attacks. Applications should also enforce minimum and maximum
3936 key sizes. For example, certificate chains containing 512-bit RSA
3937 keys or signatures are not appropriate for high-security
3938 applications.
3946 Dierks & Rescorla Standards Track [Page 73]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
3949 E. Backward Compatibility With SSL
3951 For historical reasons and in order to avoid a profligate consumption
3952 of reserved port numbers, application protocols which are secured by
3953 TLS 1.1, TLS 1.0, SSL 3.0, and SSL 2.0 all frequently share the same
3954 connection port: for example, the https protocol (HTTP secured by SSL
3955 or TLS) uses port 443 regardless of which security protocol it is
3956 using. Thus, some mechanism must be determined to distinguish and
3957 negotiate among the various protocols.
3959 TLS versions 1.1, 1.0, and SSL 3.0 are very similar; thus, supporting
3960 both is easy. TLS clients who wish to negotiate with such older
3961 servers SHOULD send client hello messages using the SSL 3.0 record
3962 format and client hello structure, sending {3, 2} for the version
3963 field to note that they support TLS 1.1. If the server supports only
3964 TLS 1.0 or SSL 3.0, it will respond with a downrev 3.0 server hello;
3965 if it supports TLS 1.1 it will respond with a TLS 1.1 server hello.
3966 The negotiation then proceeds as appropriate for the negotiated
3967 protocol.
3969 Similarly, a TLS 1.1 server which wishes to interoperate with TLS
3970 1.0 or SSL 3.0 clients SHOULD accept SSL 3.0 client hello messages
3971 and respond with a SSL 3.0 server hello if an SSL 3.0 client hello
3972 with a version field of {3, 0} is received, denoting that this client
3973 does not support TLS. Similarly, if a SSL 3.0 or TLS 1.0 hello with a
3974 version field of {3, 1} is received, the server SHOULD respond with a
3975 TLS 1.0 hello with a version field of {3, 1}.
3977 Whenever a client already knows the highest protocol known to a
3978 server (for example, when resuming a session), it SHOULD initiate the
3979 connection in that native protocol.
3981 TLS 1.1 clients that support SSL Version 2.0 servers MUST send SSL
3982 Version 2.0 client hello messages [SSL2]. TLS servers SHOULD accept
3983 either client hello format if they wish to support SSL 2.0 clients on
3984 the same connection port. The only deviations from the Version 2.0
3985 specification are the ability to specify a version with a value of
3986 three and the support for more ciphering types in the CipherSpec.
3988 Warning: The ability to send Version 2.0 client hello messages will be
3989 phased out with all due haste. Implementors SHOULD make every
3990 effort to move forward as quickly as possible. Version 3.0
3991 provides better mechanisms for moving to newer versions.
3993 The following cipher specifications are carryovers from SSL Version
3994 2.0. These are assumed to use RSA for key exchange and
3995 authentication.
4000 Dierks & Rescorla Standards Track [Page 74]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4003 V2CipherSpec TLS_RC4_128_WITH_MD5 = { 0x01,0x00,0x80 };
4004 V2CipherSpec TLS_RC4_128_EXPORT40_WITH_MD5 = { 0x02,0x00,0x80 };
4005 V2CipherSpec TLS_RC2_CBC_128_CBC_WITH_MD5 = { 0x03,0x00,0x80 };
4006 V2CipherSpec TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5
4007 = { 0x04,0x00,0x80 };
4008 V2CipherSpec TLS_IDEA_128_CBC_WITH_MD5 = { 0x05,0x00,0x80 };
4009 V2CipherSpec TLS_DES_64_CBC_WITH_MD5 = { 0x06,0x00,0x40 };
4010 V2CipherSpec TLS_DES_192_EDE3_CBC_WITH_MD5 = { 0x07,0x00,0xC0 };
4012 Cipher specifications native to TLS can be included in Version 2.0
4013 client hello messages using the syntax below. Any V2CipherSpec
4014 element with its first byte equal to zero will be ignored by Version
4015 2.0 servers. Clients sending any of the above V2CipherSpecs SHOULD
4016 also include the TLS equivalent (see Appendix A.5):
4018 V2CipherSpec (see TLS name) = { 0x00, CipherSuite };
4020 Note: TLS 1.1 clients may generate the SSLv2 EXPORT cipher suites in
4021 handshakes for backward compatibility but MUST NOT negotiate them in
4022 TLS 1.1 mode.
4024 E.1. Version 2 client hello
4026 The Version 2.0 client hello message is presented below using this
4027 document's presentation model. The true definition is still assumed
4028 to be the SSL Version 2.0 specification. Note that this message MUST
4029 be sent directly on the wire, not wrapped as an SSLv3 record
4031 uint8 V2CipherSpec[3];
4033 struct {
4034 uint16 msg_length;
4035 uint8 msg_type;
4036 Version version;
4037 uint16 cipher_spec_length;
4038 uint16 session_id_length;
4039 uint16 challenge_length;
4040 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
4041 opaque session_id[V2ClientHello.session_id_length];
4042 opaque challenge[V2ClientHello.challenge_length;
4043 } V2ClientHello;
4045 msg_length
4046 This field is the length of the following data in bytes. The high
4047 bit MUST be 1 and is not part of the length.
4049 msg_type
4050 This field, in conjunction with the version field, identifies a
4054 Dierks & Rescorla Standards Track [Page 75]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4057 version 2 client hello message. The value SHOULD be one (1).
4059 version
4060 The highest version of the protocol supported by the client
4061 (equals ProtocolVersion.version, see Appendix A.1).
4063 cipher_spec_length
4064 This field is the total length of the field cipher_specs. It
4065 cannot be zero and MUST be a multiple of the V2CipherSpec length
4066 (3).
4068 session_id_length
4069 This field MUST have a value of zero.
4071 challenge_length
4072 The length in bytes of the client's challenge to the server to
4073 authenticate itself. When using the SSLv2 backward compatible
4074 handshake the client MUST use a 32-byte challenge.
4076 cipher_specs
4077 This is a list of all CipherSpecs the client is willing and able
4078 to use. There MUST be at least one CipherSpec acceptable to the
4079 server.
4081 session_id
4082 This field MUST be empty.
4084 challenge
4085 The client challenge to the server for the server to identify
4086 itself is a (nearly) arbitrary length random. The TLS server will
4087 right justify the challenge data to become the ClientHello.random
4088 data (padded with leading zeroes, if necessary), as specified in
4089 this protocol specification. If the length of the challenge is
4090 greater than 32 bytes, only the last 32 bytes are used. It is
4091 legitimate (but not necessary) for a V3 server to reject a V2
4092 ClientHello that has fewer than 16 bytes of challenge data.
4094 Note: Requests to resume a TLS session MUST use a TLS client hello.
4096 E.2. Avoiding man-in-the-middle version rollback
4098 When TLS clients fall back to Version 2.0 compatibility mode, they
4099 SHOULD use special PKCS #1 block formatting. This is done so that TLS
4100 servers will reject Version 2.0 sessions with TLS-capable clients.
4102 When TLS clients are in Version 2.0 compatibility mode, they set the
4103 right-hand (least-significant) 8 random bytes of the PKCS padding
4104 (not including the terminal null of the padding) for the RSA
4108 Dierks & Rescorla Standards Track [Page 76]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4111 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
4112 to 0x03 (the other padding bytes are random). After decrypting the
4113 ENCRYPTED-KEY-DATA field, servers that support TLS SHOULD issue an
4114 error if these eight padding bytes are 0x03. Version 2.0 servers
4115 receiving blocks padded in this manner will proceed normally.
4162 Dierks & Rescorla Standards Track [Page 77]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4165 F. Security analysis
4167 The TLS protocol is designed to establish a secure connection between
4168 a client and a server communicating over an insecure channel. This
4169 document makes several traditional assumptions, including that
4170 attackers have substantial computational resources and cannot obtain
4171 secret information from sources outside the protocol. Attackers are
4172 assumed to have the ability to capture, modify, delete, replay, and
4173 otherwise tamper with messages sent over the communication channel.
4174 This appendix outlines how TLS has been designed to resist a variety
4175 of attacks.
4177 F.1. Handshake protocol
4179 The handshake protocol is responsible for selecting a CipherSpec and
4180 generating a Master Secret, which together comprise the primary
4181 cryptographic parameters associated with a secure session. The
4182 handshake protocol can also optionally authenticate parties who have
4183 certificates signed by a trusted certificate authority.
4185 F.1.1. Authentication and key exchange
4187 TLS supports three authentication modes: authentication of both
4188 parties, server authentication with an unauthenticated client, and
4189 total anonymity. Whenever the server is authenticated, the channel is
4190 secure against man-in-the-middle attacks, but completely anonymous
4191 sessions are inherently vulnerable to such attacks. Anonymous
4192 servers cannot authenticate clients. If the server is authenticated,
4193 its certificate message must provide a valid certificate chain
4194 leading to an acceptable certificate authority. Similarly,
4195 authenticated clients must supply an acceptable certificate to the
4196 server. Each party is responsible for verifying that the other's
4197 certificate is valid and has not expired or been revoked.
4199 The general goal of the key exchange process is to create a
4200 pre_master_secret known to the communicating parties and not to
4201 attackers. The pre_master_secret will be used to generate the
4202 master_secret (see Section 8.1). The master_secret is required to
4203 generate the finished messages, encryption keys, and MAC secrets (see
4204 Sections 7.4.8, 7.4.9 and 6.3). By sending a correct finished
4205 message, parties thus prove that they know the correct
4206 pre_master_secret.
4208 F.1.1.1. Anonymous key exchange
4210 Completely anonymous sessions can be established using RSA or Diffie-
4211 Hellman for key exchange. With anonymous RSA, the client encrypts a
4212 pre_master_secret with the server's uncertified public key extracted
4216 Dierks & Rescorla Standards Track [Page 78]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4219 from the server key exchange message. The result is sent in a client
4220 key exchange message. Since eavesdroppers do not know the server's
4221 private key, it will be infeasible for them to decode the
4222 pre_master_secret.
4224 Note: No anonymous RSA Cipher Suites are defined in this document.
4226 With Diffie-Hellman, the server's public parameters are contained in
4227 the server key exchange message and the client's are sent in the
4228 client key exchange message. Eavesdroppers who do not know the
4229 private values should not be able to find the Diffie-Hellman result
4230 (i.e. the pre_master_secret).
4232 Warning: Completely anonymous connections only provide protection
4233 against passive eavesdropping. Unless an independent tamper-
4234 proof channel is used to verify that the finished messages
4235 were not replaced by an attacker, server authentication is
4236 required in environments where active man-in-the-middle
4237 attacks are a concern.
4239 F.1.1.2. RSA key exchange and authentication
4241 With RSA, key exchange and server authentication are combined. The
4242 public key may be either contained in the server's certificate or may
4243 be a temporary RSA key sent in a server key exchange message. When
4244 temporary RSA keys are used, they are signed by the server's RSA
4245 certificate. The signature includes the current ClientHello.random,
4246 so old signatures and temporary keys cannot be replayed. Servers may
4247 use a single temporary RSA key for multiple negotiation sessions.
4249 Note: The temporary RSA key option is useful if servers need large
4250 certificates but must comply with government-imposed size limits
4251 on keys used for key exchange.
4253 Note that if ephemeral RSA is not used, compromise of the server's
4254 static RSA key results in a loss of confidentiality for all sessions
4255 protected under that static key. TLS users desiring Perfect Forward
4256 Secrecy should use DHE cipher suites. The damage done by exposure of
4257 a private key can be limited by changing one's private key (and
4258 certificate) frequently.
4260 After verifying the server's certificate, the client encrypts a
4261 pre_master_secret with the server's public key. By successfully
4262 decoding the pre_master_secret and producing a correct finished
4263 message, the server demonstrates that it knows the private key
4264 corresponding to the server certificate.
4266 When RSA is used for key exchange, clients are authenticated using
4270 Dierks & Rescorla Standards Track [Page 79]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4273 the certificate verify message (see Section 7.4.8). The client signs
4274 a value derived from the master_secret and all preceding handshake
4275 messages. These handshake messages include the server certificate,
4276 which binds the signature to the server, and ServerHello.random,
4277 which binds the signature to the current handshake process.
4279 F.1.1.3. Diffie-Hellman key exchange with authentication
4281 When Diffie-Hellman key exchange is used, the server can either
4282 supply a certificate containing fixed Diffie-Hellman parameters or
4283 can use the server key exchange message to send a set of temporary
4284 Diffie-Hellman parameters signed with a DSS or RSA certificate.
4285 Temporary parameters are hashed with the hello.random values before
4286 signing to ensure that attackers do not replay old parameters. In
4287 either case, the client can verify the certificate or signature to
4288 ensure that the parameters belong to the server.
4290 If the client has a certificate containing fixed Diffie-Hellman
4291 parameters, its certificate contains the information required to
4292 complete the key exchange. Note that in this case the client and
4293 server will generate the same Diffie-Hellman result (i.e.,
4294 pre_master_secret) every time they communicate. To prevent the
4295 pre_master_secret from staying in memory any longer than necessary,
4296 it should be converted into the master_secret as soon as possible.
4297 Client Diffie-Hellman parameters must be compatible with those
4298 supplied by the server for the key exchange to work.
4300 If the client has a standard DSS or RSA certificate or is
4301 unauthenticated, it sends a set of temporary parameters to the server
4302 in the client key exchange message, then optionally uses a
4303 certificate verify message to authenticate itself.
4305 If the same DH keypair is to be used for multiple handshakes, either
4306 because the client or server has a certificate containing a fixed DH
4307 keypair or because the server is reusing DH keys, care must be taken
4308 to prevent small subgroup attacks. Implementations SHOULD follow the
4309 guidelines found in [SUBGROUP].
4311 Small subgroup attacks are most easily avoided by using one of the
4312 DHE ciphersuites and generating a fresh DH private key (X) for each
4313 handshake. If a suitable base (such as 2) is chosen, g^X mod p can be
4314 computed very quickly so the performance cost is minimized.
4315 Additionally, using a fresh key for each handshake provides Perfect
4316 Forward Secrecy. Implementations SHOULD generate a new X for each
4317 handshake when using DHE ciphersuites.
4319 F.1.2. Version rollback attacks
4324 Dierks & Rescorla Standards Track [Page 80]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4327 Because TLS includes substantial improvements over SSL Version 2.0,
4328 attackers may try to make TLS-capable clients and servers fall back
4329 to Version 2.0. This attack can occur if (and only if) two TLS-
4330 capable parties use an SSL 2.0 handshake.
4332 Although the solution using non-random PKCS #1 block type 2 message
4333 padding is inelegant, it provides a reasonably secure way for Version
4334 3.0 servers to detect the attack. This solution is not secure against
4335 attackers who can brute force the key and substitute a new ENCRYPTED-
4336 KEY-DATA message containing the same key (but with normal padding)
4337 before the application specified wait threshold has expired. Parties
4338 concerned about attacks of this scale should not be using 40-bit
4339 encryption keys anyway. Altering the padding of the least-significant
4340 8 bytes of the PKCS padding does not impact security for the size of
4341 the signed hashes and RSA key lengths used in the protocol, since
4342 this is essentially equivalent to increasing the input block size by
4343 8 bytes.
4345 F.1.3. Detecting attacks against the handshake protocol
4347 An attacker might try to influence the handshake exchange to make the
4348 parties select different encryption algorithms than they would
4349 normally chooses.
4351 For this attack, an attacker must actively change one or more
4352 handshake messages. If this occurs, the client and server will
4353 compute different values for the handshake message hashes. As a
4354 result, the parties will not accept each others' finished messages.
4355 Without the master_secret, the attacker cannot repair the finished
4356 messages, so the attack will be discovered.
4358 F.1.4. Resuming sessions
4360 When a connection is established by resuming a session, new
4361 ClientHello.random and ServerHello.random values are hashed with the
4362 session's master_secret. Provided that the master_secret has not been
4363 compromised and that the secure hash operations used to produce the
4364 encryption keys and MAC secrets are secure, the connection should be
4365 secure and effectively independent from previous connections.
4366 Attackers cannot use known encryption keys or MAC secrets to
4367 compromise the master_secret without breaking the secure hash
4368 operations (which use both SHA and MD5).
4370 Sessions cannot be resumed unless both the client and server agree.
4371 If either party suspects that the session may have been compromised,
4372 or that certificates may have expired or been revoked, it should
4373 force a full handshake. An upper limit of 24 hours is suggested for
4374 session ID lifetimes, since an attacker who obtains a master_secret
4378 Dierks & Rescorla Standards Track [Page 81]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4381 may be able to impersonate the compromised party until the
4382 corresponding session ID is retired. Applications that may be run in
4383 relatively insecure environments should not write session IDs to
4384 stable storage.
4386 F.1.5. MD5 and SHA
4388 TLS uses hash functions very conservatively. Where possible, both MD5
4389 and SHA are used in tandem to ensure that non-catastrophic flaws in
4390 one algorithm will not break the overall protocol.
4392 F.2. Protecting application data
4394 The master_secret is hashed with the ClientHello.random and
4395 ServerHello.random to produce unique data encryption keys and MAC
4396 secrets for each connection.
4398 Outgoing data is protected with a MAC before transmission. To prevent
4399 message replay or modification attacks, the MAC is computed from the
4400 MAC secret, the sequence number, the message length, the message
4401 contents, and two fixed character strings. The message type field is
4402 necessary to ensure that messages intended for one TLS Record Layer
4403 client are not redirected to another. The sequence number ensures
4404 that attempts to delete or reorder messages will be detected. Since
4405 sequence numbers are 64-bits long, they should never overflow.
4406 Messages from one party cannot be inserted into the other's output,
4407 since they use independent MAC secrets. Similarly, the server-write
4408 and client-write keys are independent so stream cipher keys are used
4409 only once.
4411 If an attacker does break an encryption key, all messages encrypted
4412 with it can be read. Similarly, compromise of a MAC key can make
4413 message modification attacks possible. Because MACs are also
4414 encrypted, message-alteration attacks generally require breaking the
4415 encryption algorithm as well as the MAC.
4417 Note: MAC secrets may be larger than encryption keys, so messages can
4418 remain tamper resistant even if encryption keys are broken.
4420 F.3. Explicit IVs
4422 [CBCATT] describes a chosen plaintext attack on TLS that depends
4423 on knowing the IV for a record. Previous versions of TLS [TLS1.0]
4424 used the CBC residue of the previous record as the IV and
4425 therefore enabled this attack. This version uses an explicit IV
4426 in order to protect against this attack.
4432 Dierks & Rescorla Standards Track [Page 82]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4435 F.4 Security of Composite Cipher Modes
4437 TLS secures transmitted application data via the use of symmetric
4438 encryption and authentication functions defined in the negotiated
4439 ciphersuite. The objective is to protect both the integrity and
4440 confidentiality of the transmitted data from malicious actions by
4441 active attackers in the network. It turns out that the order in
4442 which encryption and authentication functions are applied to the
4443 data plays an important role for achieving this goal [ENCAUTH].
4445 The most robust method, called encrypt-then-authenticate, first
4446 applies encryption to the data and then applies a MAC to the
4447 ciphertext. This method ensures that the integrity and
4448 confidentiality goals are obtained with ANY pair of encryption
4449 and MAC functions provided that the former is secure against
4450 chosen plaintext attacks and the MAC is secure against chosen-
4451 message attacks. TLS uses another method, called authenticate-
4452 then-encrypt, in which first a MAC is computed on the plaintext
4453 and then the concatenation of plaintext and MAC is encrypted.
4454 This method has been proven secure for CERTAIN combinations of
4455 encryption functions and MAC functions, but is not guaranteed to
4456 be secure in general. In particular, it has been shown that there
4457 exist perfectly secure encryption functions (secure even in the
4458 information theoretic sense) that combined with any secure MAC
4459 function fail to provide the confidentiality goal against an
4460 active attack. Therefore, new ciphersuites and operation modes
4461 adopted into TLS need to be analyzed under the authenticate-then-
4462 encrypt method to verify that they achieve the stated integrity
4463 and confidentiality goals.
4465 Currently, the security of the authenticate-then-encrypt method
4466 has been proven for some important cases. One is the case of
4467 stream ciphers in which a computationally unpredictable pad of
4468 the length of the message plus the length of the MAC tag is
4469 produced using a pseudo-random generator and this pad is xor-ed
4470 with the concatenation of plaintext and MAC tag. The other is
4471 the case of CBC mode using a secure block cipher. In this case,
4472 security can be shown if one applies one CBC encryption pass to
4473 the concatenation of plaintext and MAC and uses a new,
4474 independent and unpredictable, IV for each new pair of plaintext
4475 and MAC. In previous versions of SSL, CBC mode was used properly
4476 EXCEPT that it used a predictable IV in the form of the last
4477 block of the previous ciphertext. This made TLS open to chosen
4478 plaintext attacks. This verson of the protocol is immune to
4479 those attacks. For exact details in the encryption modes proven
4480 secure see [ENCAUTH].
4486 Dierks & Rescorla Standards Track [Page 83]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4489 F.5 Denial of Service
4491 TLS is susceptible to a number of denial of service (DoS)
4492 attacks. In particular, an attacker who initiates a large number
4493 of TCP connections can cause a server to consume large amounts of
4494 CPU doing RSA decryption. However, because TLS is generally used
4495 over TCP, it is difficult for the attacker to hide his point of
4496 origin if proper TCP SYN randomization is used [SEQNUM] by the
4497 TCP stack.
4499 Because TLS runs over TCP, it is also susceptible to a number of
4500 denial of service attacks on individual connections. In
4501 particular, attackers can forge RSTs, terminating connections, or
4502 forge partial TLS records, causing the connection to stall.
4503 These attacks cannot in general be defended against by a TCP-
4504 using protocol. Implementors or users who are concerned with this
4505 class of attack should use IPsec AH [AH] or ESP [ESP].
4507 F.6. Final notes
4509 For TLS to be able to provide a secure connection, both the client
4510 and server systems, keys, and applications must be secure. In
4511 addition, the implementation must be free of security errors.
4513 The system is only as strong as the weakest key exchange and
4514 authentication algorithm supported, and only trustworthy
4515 cryptographic functions should be used. Short public keys, 40-bit
4516 bulk encryption keys, and anonymous servers should be used with great
4517 caution. Implementations and users must be careful when deciding
4518 which certificates and certificate authorities are acceptable; a
4519 dishonest certificate authority can do tremendous damage.
4540 Dierks & Rescorla Standards Track [Page 84]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4543 Security Considerations
4545 Security issues are discussed throughout this memo, especially in
4546 Appendices D, E, and F.
4548 Normative References
4550 [3DES] W. Tuchman, "Hellman Presents No Shortcut Solutions To DES,"
4551 IEEE Spectrum, v. 16, n. 7, July 1979, pp40-41.
4553 [DES] ANSI X3.106, "American National Standard for Information
4554 Systems-Data Link Encryption," American National Standards
4555 Institute, 1983.
4557 [DSS] NIST FIPS PUB 186-2, "Digital Signature Standard," National
4558 Institute of Standards and Technology, U.S. Department of
4559 Commerce, 2000.
4561 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
4562 Hashing for Message Authentication," RFC 2104, February
4563 1997.
4565 [IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH
4566 Series in Information Processing, v. 1, Konstanz: Hartung-
4567 Gorre Verlag, 1992.
4569 [MD2] Kaliski, B., "The MD2 Message Digest Algorithm", RFC 1319,
4570 April 1992.
4572 [MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
4573 April 1992.
4575 [PKCS1A] B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1:
4576 RSA Cryptography Specifications Version 1.5", RFC 2313,
4577 March 1998.
4579 [PKCS1B] J. Jonsson, B. Kaliski, "Public-Key Cryptography Standards
4580 (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC
4581 3447, February 2003.
4583 [PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
4584 Public Key Infrastructure: Part I: X.509 Certificate and CRL
4585 Profile", RFC 3280, April 2002.
4587 [RC2] Rivest, R., "A Description of the RC2(r) Encryption
4588 Algorithm", RFC 2268, January 1998.
4590 [SCH] B. Schneier. "Applied Cryptography: Protocols, Algorithms,
4594 Dierks & Rescorla Standards Track [Page 85]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4597 and Source Code in C, 2ed", Published by John Wiley & Sons,
4598 Inc. 1996.
4600 [SHA] NIST FIPS PUB 180-2, "Secure Hash Standard," National
4601 Institute of Standards and Technology, U.S. Department of
4602 Commerce., August 2001.
4604 [REQ] Bradner, S., "Key words for use in RFCs to Indicate
4605 Requirement Levels", BCP 14, RFC 2119, March 1997.
4607 [RFC2434] T. Narten, H. Alvestrand, "Guidelines for Writing an IANA
4608 Considerations Section in RFCs", RFC 3434, October 1998.
4610 [TLSAES] Chown, P. "Advanced Encryption Standard (AES) Ciphersuites
4611 for Transport Layer Security (TLS)", RFC 3268, June 2002.
4613 [TLSEXT] Blake-Wilson, S., Nystrom, M, Hopwood, D., Mikkelsen, J.,
4614 Wright, T., "Transport Layer Security (TLS) Extensions", RFC
4615 3546, June 2003.
4616 [TLSKRB] A. Medvinsky, M. Hur, "Addition of Kerberos Cipher Suites to
4617 Transport Layer Security (TLS)", RFC 2712, October 1999.
4620 Informative References
4622 [AH] Kent, S., and Atkinson, R., "IP Authentication Header", RFC
4623 2402, November 1998.
4625 [BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against
4626 Protocols Based on RSA Encryption Standard PKCS #1" in
4627 Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages:
4628 1-12, 1998.
4630 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
4631 Problems and Countermeasures",
4632 http://www.openssl.org/~bodo/tls-cbc.txt.
4634 [CBCTIME] Canvel, B., "Password Interception in a SSL/TLS Channel",
4635 http://lasecwww.epfl.ch/memo_ssl.shtml, 2003.
4637 [ENCAUTH] Krawczyk, H., "The Order of Encryption and Authentication
4638 for Protecting Communications (Or: How Secure is SSL?)",
4639 Crypto 2001.
4641 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
4642 Payload (ESP)", RFC 2406, November 1998.
4644 [FTP] Postel J., and J. Reynolds, "File Transfer Protocol", STD 9,
4648 Dierks & Rescorla Standards Track [Page 86]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4651 RFC 959, October 1985.
4653 [HTTP] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext
4654 Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996.
4656 [KPR03] Klima, V., Pokorny, O., Rosa, T., "Attacking RSA-based
4657 Sessions in SSL/TLS", http://eprint.iacr.org/2003/052/,
4658 March 2003.
4660 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax
4661 Standard," version 1.5, November 1993.
4663 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax
4664 Standard," version 1.5, November 1993.
4666 [RANDOM] D. Eastlake 3rd, S. Crocker, J. Schiller. "Randomness
4667 Recommendations for Security", RFC 1750, December 1994.
4669 [RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
4670 Obtaining Digital Signatures and Public-Key Cryptosystems,"
4671 Communications of the ACM, v. 21, n. 2, Feb 1978, pp.
4672 120-126.
4674 [SEQNUM] Bellovin. S., "Defending Against Sequence Number Attacks",
4675 RFC 1948, May 1996.
4677 [SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications
4678 Corp., Feb 9, 1995.
4680 [SSL3] A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol",
4681 Netscape Communications Corp., Nov 18, 1996.
4683 [SUBGROUP] R. Zuccherato, "Methods for Avoiding the Small-Subgroup
4684 Attacks on the Diffie-Hellman Key Agreement Method for
4685 S/MIME", RFC 2785, March 2000.
4687 [TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793,
4688 September 1981.
4690 [TIMING] Boneh, D., Brumley, D., "Remote timing attacks are
4691 practical", USENIX Security Symposium 2003.
4693 [TLS1.0] Dierks, T., and Allen, C., "The TLS Protocol, Version 1.0",
4694 RFC 2246, January 1999.
4696 [X.501] ITU-T Recommendation X.501: Information Technology - Open
4697 Systems Interconnection - The Directory: Models, 1993.
4702 Dierks & Rescorla Standards Track [Page 87]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4705 [X.509] ITU-T Recommendation X.509 (1997 E): Information Technology -
4706 Open Systems Interconnection - The
4708 [X509] CCITT. Recommendation X.509: "The Directory - Authentication
4709 Framework". 1988.
4711 [XDR] R. Srinivansan, Sun Microsystems, "XDR: External Data
4712 Representation Standard", RFC 1832, August 1995.
4715 Credits
4717 Working Group Chairs
4718 Win Treese
4719 EMail: treese@acm.org
4721 Eric Rescorla
4722 EMail: ekr@rtfm.com
4725 Editors
4727 Tim Dierks Eric Rescorla
4728 Independent RTFM, Inc.
4730 EMail: tim@dierks.org EMail: ekr@rtfm.com
4734 Other contributors
4736 Christopher Allen (co-editor of TLS 1.0)
4737 Alacrity Ventures
4738 ChristopherA@AlacrityManagement.com
4740 Martin Abadi
4741 University of California, Santa Cruz
4742 abadi@cs.ucsc.edu
4744 Ran Canetti
4745 IBM
4746 canetti@watson.ibm.com
4748 Taher Elgamal
4749 taher@securify.com
4750 Securify
4752 Anil Gangolli
4756 Dierks & Rescorla Standards Track [Page 88]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4759 anil@busybuddha.org
4761 Kipp Hickman
4763 Phil Karlton (co-author of SSLv3)
4765 Paul Kocher (co-author of SSLv3)
4766 Cryptography Research
4767 paul@cryptography.com
4769 Hugo Krawczyk
4770 Technion Israel Institute of Technology
4771 hugo@ee.technion.ac.il
4773 Robert Relyea
4774 Netscape Communications
4775 relyea@netscape.com
4777 Jim Roskind
4778 Netscape Communications
4779 jar@netscape.com
4781 Michael Sabin
4783 Dan Simon
4784 Microsoft, Inc.
4785 dansimon@microsoft.com
4787 Tom Weinstein
4789 Comments
4791 The discussion list for the IETF TLS working group is located at the
4792 e-mail address <ietf-tls@lists.consensus.com>. Information on the
4793 group and information on how to subscribe to the list is at
4794 <http://lists.consensus.com/>.
4796 Archives of the list can be found at:
4797 <http://www.imc.org/ietf-tls/mail-archive/>
4810 Dierks & Rescorla Standards Track [Page 89]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4813 Full Copyright Statement
4815 The IETF takes no position regarding the validity or scope of any
4816 Intellectual Property Rights or other rights that might be claimed to
4817 pertain to the implementation or use of the technology described in
4818 this document or the extent to which any license under such rights
4819 might or might not be available; nor does it represent that it has
4820 made any independent effort to identify any such rights. Information
4821 on the procedures with respect to rights in RFC documents can be
4822 found in BCP 78 and BCP 79.
4824 Copies of IPR disclosures made to the IETF Secretariat and any
4825 assurances of licenses to be made available, or the result of an
4826 attempt made to obtain a general license or permission for the use of
4827 such proprietary rights by implementers or users of this
4828 specification can be obtained from the IETF on-line IPR repository at
4829 http://www.ietf.org/ipr.
4831 The IETF invites any interested party to bring to its attention any
4832 copyrights, patents or patent applications, or other proprietary
4833 rights that may cover technology that may be required to implement
4834 this standard. Please address the information to the IETF at ietf-
4835 ipr@ietf.org.
4837 Copyright Notice
4838 Copyright (C) The Internet Society (2003). This document is subject
4839 to the rights, licenses and restrictions contained in BCP 78, and
4840 except as set forth therein, the authors retain all their rights.
4842 This document and the information contained herein are provided on an
4843 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
4844 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
4845 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
4846 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
4847 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
4848 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
4864 Dierks & Rescorla Standards Track [Page 90]\fdraft-ietf-tls-rfc2246-bis-12.txt TLS June 2005
4918 Dierks & Rescorla Standards Track [Page 91]\f