1 @node Introduction to TLS
2 @chapter Introduction to @acronym{TLS} and @acronym{DTLS}
4 @acronym{TLS} stands for ``Transport Layer Security'' and is the
5 successor of SSL, the Secure Sockets Layer protocol @xcite{SSL3}
6 designed by Netscape. @acronym{TLS} is an Internet protocol, defined
7 by @acronym{IETF}@footnote{IETF, or Internet Engineering Task Force,
8 is a large open international community of network designers,
9 operators, vendors, and researchers concerned with the evolution of
10 the Internet architecture and the smooth operation of the Internet.
11 It is open to any interested individual.}, described in @xcite{RFC5246}.
13 confidentiality, and authentication layers over any reliable transport
14 layer. The description, above, refers to @acronym{TLS} 1.0 but applies
15 to all other TLS versions as the differences between the protocols are not major.
17 The @acronym{DTLS} protocol, or ``Datagram @acronym{TLS}'' @xcite{RFC4347} is a
18 protocol with identical goals as @acronym{TLS}, but can operate
19 under unreliable transport layers such as @acronym{UDP}. The
20 discussions below apply to this protocol as well, except when
25 * The transport layer::
26 * The TLS record protocol::
27 * The TLS Alert Protocol::
28 * The TLS Handshake Protocol::
30 * How to use TLS in application protocols::
31 * On SSL 2 and older protocols::
38 @acronym{TLS} is a layered protocol, and consists of the record
39 protocol, the handshake protocol and the alert protocol. The record
40 protocol is to serve all other protocols and is above the transport
41 layer. The record protocol offers symmetric encryption, data
42 authenticity, and optionally compression.
43 The alert protocol offers some signaling to the other protocols. It
44 can help informing the peer for the cause of failures and other error
45 conditions. @xref{The Alert Protocol}, for more information. The
46 alert protocol is above the record protocol.
48 The handshake protocol is responsible for the security parameters'
49 negotiation, the initial key exchange and authentication.
50 @xref{The Handshake Protocol}, for more information about the handshake
51 protocol. The protocol layering in TLS is shown in @ref{fig:tls-layers}.
53 @float Figure,fig:tls-layers
54 @image{gnutls-layers,12cm}
55 @caption{The TLS protocol layers.}
58 @node The transport layer
59 @section The transport layer
60 @cindex transport protocol
61 @cindex transport layer
63 @acronym{TLS} is not limited to any transport layer and can be used
64 above any transport layer, as long as it is a reliable one. @acronym{DTLS}
65 can be used over reliable and unreliable transport layers.
66 @acronym{GnuTLS} supports TCP and UDP layers transparently using
67 the Berkeley sockets API. However, any transport layer can be used
68 by providing callbacks for @acronym{GnuTLS} to access the transport layer
69 (for details see @ref{Setting up the transport layer}).
71 @node The TLS record protocol
72 @section The TLS record protocol
73 @cindex record protocol
75 The record protocol is the secure communications provider. Its purpose
76 is to encrypt, authenticate and ---optionally--- compress packets.
77 The record layer functions can be called at any time after
78 the handshake process is finished, when there is need to receive
79 or send data. In @acronym{DTLS} however, due to re-transmission
80 timers used in the handshake out-of-order handshake data might
81 be received for some time (maximum 60 seconds) after the handshake
82 process is finished. For this reason programs using @acronym{DTLS}
83 should call the receive functions for every packet received by
84 the peer, even if no data were expected.
86 The functions to access the record protocol are limited to send
87 and receive functions, which might, given
88 the importance of this protocol in @acronym{TLS}, seem awkward. This is because
89 the record protocol's parameters are all set by the handshake protocol.
90 The record protocol initially starts with NULL parameters, which means
91 no encryption, and no MAC is used. Encryption and authentication begin
92 just after the handshake protocol has finished.
95 * Encryption algorithms used in the record layer::
96 * Compression algorithms used in the record layer::
97 * Weaknesses and countermeasures::
101 @node Encryption algorithms used in the record layer
102 @subsection Encryption algorithms used in the record layer
103 @cindex symmetric encryption algorithms
105 Confidentiality in the record layer is achieved by using symmetric
106 block encryption algorithms like @code{3DES}, @code{AES}
107 or stream algorithms like @code{ARCFOUR_128}.
108 Ciphers are encryption algorithms that use a single, secret,
109 key to encrypt and decrypt data. Block algorithms in CBC mode also provide
110 protection against statistical analysis of the data. Thus, if you're
111 using the @acronym{TLS} protocol, a random number of blocks will be
112 appended to data, to prevent eavesdroppers from guessing the actual
115 The supported in @acronym{GnuTLS} ciphers and MAC algorithms are shown in @ref{tab:ciphers} and
118 @float Table,tab:ciphers
119 @multitable @columnfractions .20 .70
120 @headitem Algorithm @tab Description
121 @item 3DES_@-CBC @tab
122 This is the DES block cipher algorithm used with triple
123 encryption (EDE). Has 64 bits block size and is used in CBC mode.
125 @item ARCFOUR_@-128 @tab
126 ARCFOUR_128 is a compatible algorithm with RSA's RC4 algorithm, which is considered to be a trade
127 secret. It is a fast cipher but considered weak today.
129 @item ARCFOUR_@-40 @tab
130 This is the ARCFOUR cipher fed with a 40 bit key,
131 which is considered weak.
134 AES or RIJNDAEL is the block cipher algorithm that replaces the old
135 DES algorithm. Has 128 bits block size and is used in CBC mode.
138 This is the AES algorithm in the authenticated encryption GCM mode.
139 This mode combines message authentication and encryption and can
140 be extremely fast on CPUs that support hardware acceleration.
142 @item CAMELLIA_@-CBC @tab
143 This is an 128-bit block cipher developed by Mitsubishi and NTT. It
144 is one of the approved ciphers of the European NESSIE and Japanese
148 @caption{Supported ciphers.}
152 @float Table,tab:macs
153 @multitable @columnfractions .20 .70
154 @headitem Algorithm @tab Description
156 This is an HMAC based on MD5 a cryptographic hash algorithm designed
157 by Ron Rivest. Outputs 128 bits of data.
159 @item MAC_@-SHA1 @tab
160 An HMAC based on the SHA1 cryptographic hash algorithm
161 designed by NSA. Outputs 160 bits of data.
163 @item MAC_@-SHA256 @tab
164 An HMAC based on SHA256. Outputs 256 bits of data.
166 @item MAC_@-AEAD @tab
167 This indicates that an authenticated encryption algorithm, such as
171 @caption{Supported MAC algorithms.}
175 @node Compression algorithms used in the record layer
176 @subsection Compression algorithms used in the record layer
177 @cindex compression algorithms
179 The TLS record layer also supports compression. The algorithms
180 implemented in @acronym{GnuTLS} can be found in the table below.
181 The included algorithms perform really good when text, or other
182 compressible data are to be transferred, but offer nothing on already
183 compressed data, such as compressed images, zipped archives etc.
184 These compression algorithms, may be useful in high bandwidth TLS
185 tunnels, and in cases where network usage has to be minimized. It
186 should be noted however that compression increases latency.
188 The record layer compression in @acronym{GnuTLS} is implemented based
189 on @xcite{RFC3749}. The supported algorithms are shown below.
191 @showenumdesc{gnutls_compression_method_t,Supported compression algorithms}
193 @node Weaknesses and countermeasures
194 @subsection Weaknesses and countermeasures
196 Some weaknesses that may affect the security of the record layer have
197 been found in @acronym{TLS} 1.0 protocol. These weaknesses can be
198 exploited by active attackers, and exploit the facts that
203 @acronym{TLS} has separate alerts for ``decryption_failed'' and
207 The decryption failure reason can be detected by timing the response
211 The IV for CBC encrypted packets is the last block of the previous
216 Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
217 which is implemented in @acronym{GnuTLS}. For this reason we suggest
218 to always negotiate the highest supported TLS version with the
219 peer@footnote{If this is not possible then please consult @ref{Interoperability}.}.
220 For a detailed discussion of the issues see the archives of the TLS
221 Working Group mailing list and @xcite{CBCATT}.
223 @node On Record Padding
224 @subsection On record padding
225 @cindex record padding
226 @cindex bad_record_mac
228 The TLS protocol allows for random padding of records in CBC ciphers, to prevent
229 statistical analysis based on the length of exchanged messages (see @xcite{RFC5246} section 6.2.3.2).
230 GnuTLS appears to be one of few implementation that take advantage of this text,
231 and pad records by a random length.
233 The TLS implementation in the Symbian operating system, frequently
234 used by Nokia and Sony-Ericsson mobile phones, cannot handle
235 non-minimal record padding. What happens when one of these clients
236 handshake with a GnuTLS server is that the client will fail to compute
237 the correct MAC for the record. The client sends a TLS alert
238 (@code{bad_record_mac}) and disconnects. Typically this will result
239 in error messages such as 'A TLS fatal alert has been received', 'Bad
240 record MAC', or both, on the GnuTLS server side.
242 GnuTLS implements a work around for this problem. However, it has to
243 be enabled specifically. It can be enabled by using
244 @funcref{gnutls_record_disable_padding}, or @funcref{gnutls_priority_set} with
245 the @code{%COMPAT} priority string (see @ref{Priority Strings}).
247 If you implement an application that have a configuration file, we
248 recommend that you make it possible for users or administrators to
249 specify a GnuTLS protocol priority string, which is used by your
250 application via @funcref{gnutls_priority_set}. To allow the best
251 flexibility, make it possible to have a different priority string for
252 different incoming IP addresses.
255 @node The TLS Alert Protocol
256 @section The TLS alert protocol
257 @anchor{The Alert Protocol}
258 @cindex alert protocol
260 The alert protocol is there to allow signals to be sent between peers.
261 These signals are mostly used to inform the peer about the cause of a
262 protocol failure. Some of these signals are used internally by the
263 protocol and the application protocol does not have to cope with them
264 (e.g. @code{GNUTLS_@-A_@-CLOSE_@-NOTIFY}), and others refer to the
265 application protocol solely (e.g. @code{GNUTLS_@-A_@-USER_@-CANCELLED}). An
266 alert signal includes a level indication which may be either fatal or
267 warning. Fatal alerts always terminate the current connection, and
268 prevent future re-negotiations using the current session ID. All alert
269 messages are summarized in the table below.
271 The alert messages are protected by the record protocol, thus the
272 information that is included does not leak. You must take extreme care
273 for the alert information not to leak to a possible attacker, via
274 public log files etc.
278 @node The TLS Handshake Protocol
279 @section The TLS handshake protocol
280 @anchor{The Handshake Protocol}
281 @cindex handshake protocol
283 The handshake protocol is responsible for the ciphersuite negotiation,
284 the initial key exchange, and the authentication of the two peers.
285 This is fully controlled by the application layer, thus your program
286 has to set up the required parameters. The main handshake function
287 is @funcref{gnutls_handshake}. In the next paragraphs we elaborate on
288 the handshake protocol, i.e., the ciphersuite negotiation.
292 * TLS Cipher Suites:: TLS session parameters.
293 * Authentication:: TLS authentication.
294 * Client Authentication:: Requesting a certificate from the client.
295 * Resuming Sessions:: Reusing previously established keys.
299 @node TLS Cipher Suites
300 @subsection TLS ciphersuites
302 The handshake protocol of @acronym{TLS} negotiates cipher suites of
303 a special form illustrated by the @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA} cipher suite name. A typical cipher
304 suite contains these parameters:
308 @item The key exchange algorithm.
309 @code{DHE_RSA} in the example.
311 @item The Symmetric encryption algorithm and mode
312 @code{3DES_CBC} in this example.
314 @item The MAC@footnote{MAC stands for Message Authentication Code. It can be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication.
315 @code{MAC_SHA} is used in the above example.
319 The cipher suite negotiated in the handshake protocol will affect the
320 record protocol, by enabling encryption and data authentication. Note
321 that you should not over rely on @acronym{TLS} to negotiate the
322 strongest available cipher suite. Do not enable ciphers and algorithms
323 that you consider weak.
325 All the supported ciphersuites are listed in @ref{ciphersuites}.
328 @subsection Authentication
330 The key exchange algorithms of the @acronym{TLS} protocol offer
331 authentication, which is a prerequisite for a secure connection.
332 The available authentication methods in @acronym{GnuTLS} follow.
336 @item Certificate authentication: Authenticated key exchange using public key infrastructure and certificates (X.509 or OpenPGP).
337 @item @acronym{SRP} authentication: Authenticated key exchange using a password.
338 @item @acronym{PSK} authentication: Authenticated key exchange using a pre-shared key.
339 @item Anonymous authentication: Key exchange without peer authentication.
343 @node Client Authentication
344 @subsection Client authentication
345 @cindex client certificate authentication
347 In the case of ciphersuites that use certificate authentication, the
348 authentication of the client is optional in @acronym{TLS}. A server
349 may request a certificate from the client using the
350 @funcref{gnutls_certificate_server_set_request} function. We elaborate
351 in @ref{Certificate credentials}.
353 @node Resuming Sessions
354 @subsection Resuming sessions
356 @cindex resuming sessions
357 @cindex session resumption
359 The TLS handshake process performs expensive calculations
360 and a busy server might easily be put under load. To
361 reduce the load, session resumption may be used. This
362 is a feature of the @acronym{TLS} protocol which allows a
363 client to connect to a server after a successful handshake, without
364 the expensive calculations. This is achieved by re-using the previously
365 established keys, meaning the server needs to store the state of established
366 connections (unless session tickets are used -- @ref{Session tickets}).
368 Session resumption is an integral part of @acronym{GnuTLS}, and
369 @ref{Session resumption} and @ref{ex:resume-client} illustrate typical
373 @section TLS extensions
374 @cindex TLS extensions
376 A number of extensions to the @acronym{TLS} protocol have been
377 proposed mainly in @xcite{TLSEXT}. The extensions supported
378 in @acronym{GnuTLS} are:
381 @item Maximum fragment length negotiation
382 @item Server name indication
383 @item Session tickets
384 @item Safe Renegotiation
387 and they will be discussed in the subsections that follow.
390 * Maximum fragment length negotiation::
391 * Server name indication::
393 * Safe renegotiation::
396 @node Maximum fragment length negotiation
397 @subsection Maximum fragment length negotiation
398 @cindex TLS extensions
399 @cindex maximum fragment length
401 This extension allows a @acronym{TLS} implementation to negotiate a
402 smaller value for record packet maximum length. This extension may be
403 useful to clients with constrained capabilities. The functions shown
404 below can be used to control this extension.
406 @showfuncB{gnutls_record_get_max_size,gnutls_record_set_max_size}
408 @node Server name indication
409 @subsection Server name indication
411 @cindex TLS extensions
412 @cindex server name indication
414 A common problem in @acronym{HTTPS} servers is the fact that the
415 @acronym{TLS} protocol is not aware of the hostname that a client
416 connects to, when the handshake procedure begins. For that reason the
417 @acronym{TLS} server has no way to know which certificate to send.
419 This extension solves that problem within the @acronym{TLS} protocol,
420 and allows a client to send the HTTP hostname before the handshake
421 begins within the first handshake packet. The functions
422 @funcref{gnutls_server_name_set} and @funcref{gnutls_server_name_get} can be
423 used to enable this extension, or to retrieve the name sent by a
426 @showfuncB{gnutls_server_name_set,gnutls_server_name_get}
428 @node Session tickets
429 @subsection Session tickets
430 @cindex TLS extensions
431 @cindex session tickets
434 To resume a TLS session the server normally store session parameters. This
435 complicates deployment, and could be avoiding by delegating the storage
436 to the client. Because session parameters are sensitive they are encrypted
437 and authenticated with a key only known to the server and then sent to the
438 client. The Session Tickets in RFC 5077 @xcite{TLSTKT}, describe this
439 idea, which is implemented in GnuTLS.
441 @node Safe renegotiation
442 @subsection Safe renegotiation
443 @cindex renegotiation
444 @cindex safe renegotiation
446 TLS gives the option to two communicating parties to renegotiate
447 and update their security parameters. One useful example of this feature
448 was for a client to initially connect using anonymous negotiation to a
449 server, and the renegotiate using some authenticated ciphersuite. This occurred
450 to avoid having the client sending its credentials in the clear.
452 However this renegotiation, as initially designed would not ensure that
453 the party one is renegotiating is the same as the one in the initial negotiation.
454 For example one server could forward all renegotiation traffic to an other
455 server who will see this traffic as an initial negotiation attempt.
457 This might be seen as a valid design decision, but it seems it was
458 not widely known or understood, thus today some application protocols the TLS
459 renegotiation feature in a manner that enables a malicious server to insert
460 content of his choice in the beginning of a TLS session.
462 The most prominent vulnerability was with HTTPS. There servers request
463 a renegotiation to enforce an anonymous user to use a certificate in order
464 to access certain parts of a web site. The
465 attack works by having the attacker simulate a client and connect to a
466 server, with server-only authentication, and send some data intended
467 to cause harm. The server will then require renegotiation from him
468 in order to perform the request.
469 When the proper client attempts to contact the server,
470 the attacker hijacks that connection and forwards traffic to
471 the initial server that requested renegotiation. The
472 attacker will not be able to read the data exchanged between the
473 client and the server. However, the server will (incorrectly) assume
474 that the initial request sent by the attacker was sent by the now authenticated
475 client. The result is a prefix plain-text injection attack.
477 The above is just one example. Other vulnerabilities exists that do
478 not rely on the TLS renegotiation to change the client's authenticated
479 status (either TLS or application layer).
481 While fixing these application protocols and implementations would be
482 one natural reaction, an extension to TLS has been designed that
483 cryptographically binds together any renegotiated handshakes with the
484 initial negotiation. When the extension is used, the attack is
485 detected and the session can be terminated. The extension is
486 specified in @xcite{RFC5746}.
488 GnuTLS supports the safe renegotiation extension. The default
489 behavior is as follows. Clients will attempt to negotiate the safe
490 renegotiation extension when talking to servers. Servers will accept
491 the extension when presented by clients. Clients and servers will
492 permit an initial handshake to complete even when the other side does
493 not support the safe renegotiation extension. Clients and servers
494 will refuse renegotiation attempts when the extension has not been
497 Note that permitting clients to connect to servers when the safe
498 renegotiation extension is not enabled, is open up for attacks.
499 Changing this default behavior would prevent interoperability against
500 the majority of deployed servers out there. We will reconsider this
501 default behavior in the future when more servers have been upgraded.
502 Note that it is easy to configure clients to always require the safe
503 renegotiation extension from servers.
505 To modify the default behavior, we have introduced some new priority
506 strings (see @ref{Priority Strings}).
507 The @code{%UNSAFE_RENEGOTIATION} priority string permits
508 (re-)handshakes even when the safe renegotiation extension was not
509 negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
510 prevent renegotiation with clients and servers not supporting the
511 extension. This is secure for servers but leaves clients vulnerable
512 to some attacks, but this is a trade-off between security and compatibility
513 with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
514 clients and servers require the extension for every handshake. The latter
515 is the most secure option for clients, at the cost of not being able
516 to connect to legacy servers. Servers will also deny clients that
517 do not support the extension from connecting.
519 It is possible to disable use of the extension completely, in both
520 clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
521 priority string however we strongly recommend you to only do this for
522 debugging and test purposes.
524 The default values if the flags above are not specified are:
528 %PARTIAL_RENEGOTIATION
531 %PARTIAL_RENEGOTIATION
535 For applications we have introduced a new API related to safe
536 renegotiation. The @funcref{gnutls_safe_renegotiation_status} function is
537 used to check if the extension has been negotiated on a session, and
538 can be used both by clients and servers.
540 @include sec-tls-app.texi
542 @node On SSL 2 and older protocols
543 @section On SSL 2 and older protocols
546 One of the initial decisions in the @acronym{GnuTLS} development was
547 to implement the known security protocols for the transport layer.
548 Initially @acronym{TLS} 1.0 was implemented since it was the latest at
549 that time, and was considered to be the most advanced in security
550 properties. Later the @acronym{SSL} 3.0 protocol was implemented
551 since it is still the only protocol supported by several servers and
552 there are no serious security vulnerabilities known.
554 One question that may arise is why we didn't implement @acronym{SSL}
555 2.0 in the library. There are several reasons, most important being
556 that it has serious security flaws, unacceptable for a modern security
557 library. Other than that, this protocol is barely used by anyone
558 these days since it has been deprecated since 1996. The security
559 problems in @acronym{SSL} 2.0 include:
563 @item Message integrity compromised.
564 The @acronym{SSLv2} message authentication uses the MD5 function, and
567 @item Man-in-the-middle attack.
568 There is no protection of the handshake in @acronym{SSLv2}, which
569 permits a man-in-the-middle attack.
571 @item Truncation attack.
572 @acronym{SSLv2} relies on TCP FIN to close the session, so the
573 attacker can forge a TCP FIN, and the peer cannot tell if it was a
574 legitimate end of data or not.
576 @item Weak message integrity for export ciphers.
577 The cryptographic keys in @acronym{SSLv2} are used for both message
578 authentication and encryption, so if weak encryption schemes are
579 negotiated (say 40-bit keys) the message authentication code use the
580 same weak key, which isn't necessary.
585 Other protocols such as Microsoft's @acronym{PCT} 1 and @acronym{PCT}
586 2 were not implemented because they were also abandoned and deprecated
587 by @acronym{SSL} 3.0 and later @acronym{TLS} 1.0.