| blob | 5c59051b6a678656935361f0bcab89a6709dcd2d |
1 \r
2 \r
3 Tim Dierks |\r
4 Google |\r
5 Eric Rescorla |\r
6 INTERNET-DRAFT RTFM, Inc. |\r
7 <draft-ietf-tls-rfc2246-bis-06.txt> March 2004 (Expires September 2004) |\r
8 \r
9 \r
10 The TLS Protocol\r
11 Version 1.1 |\r
12 \r
13 \r
14 Status of this Memo\r
15 \r
16 \r
17 This document is an Internet-Draft and is in full conformance with |\r
18 all provisions of Section 10 of RFC2026. Internet-Drafts are working |\r
19 documents of the Internet Engineering Task Force (IETF), its areas, |\r
20 and its working groups. Note that other groups may also distribute |\r
21 working documents as Internet-Drafts. |\r
22 \r
23 \r
24 Internet-Drafts are draft documents valid for a maximum of six months |\r
25 and may be updated, replaced, or obsoleted by other documents at any |\r
26 time. It is inappropriate to use Internet-Drafts as reference |\r
27 material or to cite them other than as "work in progress." |\r
28 \r
29 \r
30 To learn the current status of any Internet-Draft, please check the |\r
31 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow |\r
32 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), |\r
33 munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or |\r
34 ftp.isi.edu (US West Coast).\r
35 Copyright Notice\r
36 \r
37 \r
38 Copyright (C) The Internet Society (1999-2004). All Rights Reserved. |\r
39 \r
40 \r
41 Abstract\r
42 \r
43 \r
44 This document specifies Version 1.1 of the Transport Layer Security |\r
45 (TLS) protocol. The TLS protocol provides communications security\r
46 over the Internet. The protocol allows client/server applications to\r
47 communicate in a way that is designed to prevent eavesdropping,\r
48 tampering, or message forgery.\r
49 \r
50 \r
51 Table of Contents\r
52 \r
53 \r
54 1. Introduction 3\r
55 2. Goals 4\r
56 3. Goals of this document 5\r
57 4. Presentation language 5\r
58 4.1. Basic block size 6\r
59 4.2. Miscellaneous 6\r
60 4.3. Vectors 6\r
61 \r
62 \r
63 \r
64 \r
65 Dierks & Rescorla Standards Track [Page 1] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
66 \r
67 \r
68 \r
69 4.4. Numbers 7\r
70 4.5. Enumerateds 7\r
71 4.6. Constructed types 8\r
72 4.6.1. Variants 9\r
73 4.7. Cryptographic attributes 10\r
74 4.8. Constants 11\r
75 5. HMAC and the pseudorandom function 11\r
76 6. The TLS Record Protocol 13\r
77 6.1. Connection states 14\r
78 6.2. Record layer 16\r
79 6.2.1. Fragmentation 16\r
80 6.2.2. Record compression and decompression 17\r
81 6.2.3. Record payload protection 18\r
82 6.2.3.1. Null or standard stream cipher 19\r
83 6.2.3.2. CBC block cipher 19\r
84 6.3. Key calculation 21\r
85 6.3.1. Export key generation example 22\r
86 7. The TLS Handshake Protocol 23\r
87 7.1. Change cipher spec protocol 24\r
88 7.2. Alert protocol 24\r
89 7.2.1. Closure alerts 25\r
90 7.2.2. Error alerts 26\r
91 7.3. Handshake Protocol overview 29\r
92 7.4. Handshake protocol 32\r
93 7.4.1. Hello messages 33\r
94 7.4.1.1. Hello request 33\r
95 7.4.1.2. Client hello 34\r
96 7.4.1.3. Server hello 36\r
97 7.4.2. Server certificate 37\r
98 7.4.3. Server key exchange message 39\r
99 7.4.4. Certificate request 41\r
100 7.4.5. Server hello done 42\r
101 7.4.6. Client certificate 43\r
102 7.4.7. Client key exchange message 43\r
103 7.4.7.1. RSA encrypted premaster secret message 44\r
104 7.4.7.2. Client Diffie-Hellman public value 45\r
105 7.4.8. Certificate verify 45\r
106 7.4.9. Finished 46\r
107 8. Cryptographic computations 47\r
108 8.1. Computing the master secret 47\r
109 8.1.1. RSA 48\r
110 8.1.2. Diffie-Hellman 48\r
111 9. Mandatory Cipher Suites 48\r
112 10. Application data protocol 48\r
113 A. Protocol constant values 49\r
114 A.1. Record layer 49\r
115 A.2. Change cipher specs message 50\r
116 A.3. Alert messages 50\r
117 \r
118 \r
119 \r
120 \r
121 Dierks & Rescorla Standards Track [Page 2] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
122 \r
123 \r
124 \r
125 A.4. Handshake protocol 51\r
126 A.4.1. Hello messages 51\r
127 A.4.2. Server authentication and key exchange messages 52\r
128 A.4.3. Client authentication and key exchange messages 53\r
129 A.4.4. Handshake finalization message 54\r
130 A.5. The CipherSuite 54\r
131 A.6. The Security Parameters 56\r
132 B. Glossary 57\r
133 C. CipherSuite definitions 61\r
134 D. Implementation Notes 64\r
135 D.1. Temporary RSA keys 64\r
136 D.2. Random Number Generation and Seeding 64\r
137 D.3. Certificates and authentication 65\r
138 D.4. CipherSuites 65\r
139 E. Backward Compatibility With SSL 66\r
140 E.1. Version 2 client hello 67\r
141 E.2. Avoiding man-in-the-middle version rollback 68\r
142 F. Security analysis 69\r
143 F.1. Handshake protocol 69\r
144 F.1.1. Authentication and key exchange 69\r
145 F.1.1.1. Anonymous key exchange 69\r
146 F.1.1.2. RSA key exchange and authentication 70\r
147 F.1.1.3. Diffie-Hellman key exchange with authentication 71\r
148 F.1.2. Version rollback attacks 71\r
149 F.1.3. Detecting attacks against the handshake protocol 72\r
150 F.1.4. Resuming sessions 72\r
151 F.1.5. MD5 and SHA 72\r
152 F.2. Protecting application data 72\r
153 F.3. Final notes 73\r
154 G. Patent Statement 74\r
155 Security Considerations 75\r
156 References 75\r
157 Credits 77\r
158 Comments 78\r
159 Full Copyright Statement 80\r
160 \r
161 \r
162 Change history |\r
163 \r
164 \r
165 Note: Change bars in this draft are from RFC 2246, not draft-00 |\r
166 \r
167 \r
168 26-Jun-03 ekr@rtfm.com |\r
169 * Incorporated Last Call comments from Franke Marcus, Jack Lloyd, |\r
170 Brad Wetmore, and others. |\r
171 \r
172 \r
173 22-Apr-03 ekr@rtfm.com |\r
174 * coverage of the Vaudenay, Boneh-Brumley, and KPR attacks |\r
175 * cleaned up IV text a bit. |\r
176 * Added discussion of Denial of Service attacks. |\r
177 \r
178 \r
179 \r
180 \r
181 Dierks & Rescorla Standards Track [Page 3] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
182 \r
183 \r
184 \r
185 |\r
186 11-Feb-02 ekr@rtfm.com |\r
187 * Clarified the behavior of empty certificate lists [Nelson Bolyard] |\r
188 * Added text explaining the security implications of authenticate |\r
189 then encrypt. |\r
190 * Cleaned up the explicit IV text. |\r
191 * Added some more acknowledgement names |\r
192 \r
193 \r
194 02-Nov-02 ekr@rtfm.com |\r
195 * Changed this to be TLS 1.1. |\r
196 * Added fixes for the Rogaway and Vaudenay CBC attacks |\r
197 * Separated references into normative and informative |\r
198 \r
199 \r
200 01-Mar-02 ekr@rtfm.com |\r
201 * Tightened up the language in F.1.1.2 [Peter Watkins] |\r
202 * Fixed smart quotes [Bodo Moeller] |\r
203 * Changed handling of padding errors to prevent CBC-based attack |\r
204 [Bodo Moeller] |\r
205 * Fixed certificate_list spec in the appendix [Aman Sawrup] |\r
206 * Fixed a bug in the V2 definitions [Aman Sawrup] |\r
207 * Fixed S 7.2.1 to point out that you don't need a close notify |\r
208 if you just sent some other fatal alert [Andreas Sterbenz] |\r
209 * Marked alert 41 reserved [Andreas Sterbenz] |\r
210 * Changed S 7.4.2 to point out that 512-bit keys cannot be used for |\r
211 signing [Andreas Sterbenz] |\r
212 * Added reserved client key types from SSLv3 [Andreas Sterbenz] |\r
213 * Changed EXPORT40 to "40-bit EXPORT" in S 9 [Andreas Sterbenz] |\r
214 * Removed RSA patent statement [Andreas Sterbenz] |\r
215 * Removed references to BSAFE and RSAREF [Andreas Sterbenz] |\r
216 \r
217 \r
218 14-Feb-02 ekr@rtfm.com |\r
219 * Re-converted to I-D from RFC |\r
220 * Made RSA/3DES the mandatory cipher suite. |\r
221 * Added discussion of the EncryptedPMS encoding and PMS version number|\r
222 issues to 7.4.7.1 |\r
223 * Removed the requirement in 7.4.1.3 that the Server random must be |\r
224 different from the Client random, since these are randomly generated|\r
225 and we don't expect servers to reject Server random values which |\r
226 coincidentally are the same as the Client random. |\r
227 * Replaced may/should/must with MAY/SHOULD/MUST where appropriate. |\r
228 In many cases, shoulds became MUSTs, where I believed that was the |\r
229 actual sense of the text. Added an RFC 2119 bulletin. |\r
230 * Clarified the meaning of "empty certificate" message. [Peter Gutmann]|\r
231 * Redid the CertificateRequest grammar to allow no distinguished names.|\r
232 [Peter Gutmann] |\r
233 * Removed the reference to requiring the master secret to generate |\r
234 the CertificateVerify in F.1.1 [Bodo Moeller] |\r
235 * Deprecated EXPORT40. |\r
236 \r
237 \r
238 \r
239 \r
240 Dierks & Rescorla Standards Track [Page 4] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
241 \r
242 \r
243 \r
244 * Fixed a bunch of errors in the SSLv2 backward compatible client hello.|\r
245 \r
246 \r
247 1. Introduction\r
248 \r
249 \r
250 The primary goal of the TLS Protocol is to provide privacy and data\r
251 integrity between two communicating applications. The protocol is\r
252 composed of two layers: the TLS Record Protocol and the TLS Handshake\r
253 Protocol. At the lowest level, layered on top of some reliable\r
254 transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The\r
255 TLS Record Protocol provides connection security that has two basic\r
256 properties:\r
257 \r
258 \r
259 - - The connection is private. Symmetric cryptography is used for\r
260 data encryption (e.g., DES [DES], RC4 [RC4], etc.) The keys for\r
261 this symmetric encryption are generated uniquely for each\r
262 connection and are based on a secret negotiated by another\r
263 protocol (such as the TLS Handshake Protocol). The Record\r
264 Protocol can also be used without encryption.\r
265 \r
266 \r
267 - - The connection is reliable. Message transport includes a\r
268 message integrity check using a keyed MAC. Secure hash functions\r
269 (e.g., SHA, MD5, etc.) are used for MAC computations. The Record\r
270 Protocol can operate without a MAC, but is generally only used in\r
271 this mode while another protocol is using the Record Protocol as\r
272 a transport for negotiating security parameters.\r
273 \r
274 \r
275 The TLS Record Protocol is used for encapsulation of various higher\r
276 level protocols. One such encapsulated protocol, the TLS Handshake\r
277 Protocol, allows the server and client to authenticate each other and\r
278 to negotiate an encryption algorithm and cryptographic keys before\r
279 the application protocol transmits or receives its first byte of\r
280 data. The TLS Handshake Protocol provides connection security that\r
281 has three basic properties:\r
282 \r
283 \r
284 - - The peer's identity can be authenticated using asymmetric, or\r
285 public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This\r
286 authentication can be made optional, but is generally required\r
287 for at least one of the peers.\r
288 \r
289 \r
290 - - The negotiation of a shared secret is secure: the negotiated |\r
291 secret is unavailable to eavesdroppers, and for any authenticated\r
292 connection the secret cannot be obtained, even by an attacker who\r
293 can place himself in the middle of the connection.\r
294 \r
295 \r
296 - - The negotiation is reliable: no attacker can modify the\r
297 negotiation communication without being detected by the parties\r
298 to the communication.\r
299 \r
300 \r
301 \r
302 \r
303 \r
304 Dierks & Rescorla Standards Track [Page 5] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
305 \r
306 \r
307 \r
308 One advantage of TLS is that it is application protocol independent.\r
309 Higher level protocols can layer on top of the TLS Protocol\r
310 transparently. The TLS standard, however, does not specify how\r
311 protocols add security with TLS; the decisions on how to initiate TLS\r
312 handshaking and how to interpret the authentication certificates\r
313 exchanged are left up to the judgment of the designers and\r
314 implementors of protocols which run on top of TLS.\r
315 \r
316 \r
317 1.1 Requirements Terminology |\r
318 \r
319 \r
320 Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and |\r
321 "MAY" that appear in this document are to be interpreted as described |\r
322 in RFC 2119 [REQ]. |\r
323 \r
324 \r
325 2. Goals\r
326 \r
327 \r
328 The goals of TLS Protocol, in order of their priority, are:\r
329 \r
330 \r
331 1. Cryptographic security: TLS should be used to establish a secure\r
332 connection between two parties.\r
333 \r
334 \r
335 2. Interoperability: Independent programmers should be able to\r
336 develop applications utilizing TLS that will then be able to\r
337 successfully exchange cryptographic parameters without knowledge\r
338 of one another's code.\r
339 \r
340 \r
341 3. Extensibility: TLS seeks to provide a framework into which new\r
342 public key and bulk encryption methods can be incorporated as\r
343 necessary. This will also accomplish two sub-goals: to prevent\r
344 the need to create a new protocol (and risking the introduction\r
345 of possible new weaknesses) and to avoid the need to implement an\r
346 entire new security library.\r
347 \r
348 \r
349 4. Relative efficiency: Cryptographic operations tend to be highly\r
350 CPU intensive, particularly public key operations. For this\r
351 reason, the TLS protocol has incorporated an optional session\r
352 caching scheme to reduce the number of connections that need to\r
353 be established from scratch. Additionally, care has been taken to\r
354 reduce network activity.\r
355 \r
356 \r
357 3. Goals of this document\r
358 \r
359 \r
360 This document and the TLS protocol itself are based on the SSL 3.0\r
361 Protocol Specification as published by Netscape. The differences\r
362 between this protocol and SSL 3.0 are not dramatic, but they are\r
363 significant enough that TLS 1.0 and SSL 3.0 do not interoperate\r
364 (although TLS 1.0 does incorporate a mechanism by which a TLS\r
365 implementation can back down to SSL 3.0). This document is intended\r
366 \r
367 \r
368 \r
369 \r
370 Dierks & Rescorla Standards Track [Page 6] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
371 \r
372 \r
373 \r
374 primarily for readers who will be implementing the protocol and those\r
375 doing cryptographic analysis of it. The specification has been\r
376 written with this in mind, and it is intended to reflect the needs of\r
377 those two groups. For that reason, many of the algorithm-dependent\r
378 data structures and rules are included in the body of the text (as\r
379 opposed to in an appendix), providing easier access to them.\r
380 \r
381 \r
382 This document is not intended to supply any details of service\r
383 definition nor interface definition, although it does cover select\r
384 areas of policy as they are required for the maintenance of solid\r
385 security.\r
386 \r
387 \r
388 4. Presentation language\r
389 \r
390 \r
391 This document deals with the formatting of data in an external\r
392 representation. The following very basic and somewhat casually\r
393 defined presentation syntax will be used. The syntax draws from\r
394 several sources in its structure. Although it resembles the\r
395 programming language "C" in its syntax and XDR [XDR] in both its\r
396 syntax and intent, it would be risky to draw too many parallels. The\r
397 purpose of this presentation language is to document TLS only, not to\r
398 have general application beyond that particular goal.\r
399 \r
400 \r
401 \r
402 \r
403 \r
404 \r
405 \r
406 \r
407 \r
408 \r
409 \r
410 \r
411 \r
412 \r
413 \r
414 \r
415 \r
416 \r
417 \r
418 \r
419 \r
420 \r
421 \r
422 \r
423 \r
424 \r
425 \r
426 \r
427 \r
428 \r
429 Dierks & Rescorla Standards Track [Page 7] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
430 \r
431 \r
432 \r
433 4.1. Basic block size\r
434 \r
435 \r
436 The representation of all data items is explicitly specified. The\r
437 basic data block size is one byte (i.e. 8 bits). Multiple byte data\r
438 items are concatenations of bytes, from left to right, from top to\r
439 bottom. From the bytestream a multi-byte item (a numeric in the\r
440 example) is formed (using C notation) by:\r
441 \r
442 \r
443 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |\r
444 ... | byte[n-1];\r
445 \r
446 \r
447 This byte ordering for multi-byte values is the commonplace network\r
448 byte order or big endian format.\r
449 \r
450 \r
451 4.2. Miscellaneous\r
452 \r
453 \r
454 Comments begin with "/*" and end with "*/".\r
455 \r
456 \r
457 Optional components are denoted by enclosing them in "[[ ]]" double\r
458 brackets.\r
459 \r
460 \r
461 Single byte entities containing uninterpreted data are of type\r
462 opaque.\r
463 \r
464 \r
465 4.3. Vectors\r
466 \r
467 \r
468 A vector (single dimensioned array) is a stream of homogeneous data\r
469 elements. The size of the vector may be specified at documentation\r
470 time or left unspecified until runtime. In either case the length\r
471 declares the number of bytes, not the number of elements, in the\r
472 vector. The syntax for specifying a new type T' that is a fixed\r
473 length vector of type T is\r
474 \r
475 \r
476 T T'[n];\r
477 \r
478 \r
479 Here T' occupies n bytes in the data stream, where n is a multiple of\r
480 the size of T. The length of the vector is not included in the\r
481 encoded stream.\r
482 \r
483 \r
484 In the following example, Datum is defined to be three consecutive\r
485 bytes that the protocol does not interpret, while Data is three\r
486 consecutive Datum, consuming a total of nine bytes.\r
487 \r
488 \r
489 opaque Datum[3]; /* three uninterpreted bytes */\r
490 Datum Data[9]; /* 3 consecutive 3 byte vectors */\r
491 \r
492 \r
493 \r
494 \r
495 \r
496 \r
497 \r
498 Dierks & Rescorla Standards Track [Page 8] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
499 \r
500 \r
501 \r
502 Variable length vectors are defined by specifying a subrange of legal\r
503 lengths, inclusively, using the notation <floor..ceiling>. When\r
504 encoded, the actual length precedes the vector's contents in the byte\r
505 stream. The length will be in the form of a number consuming as many\r
506 bytes as required to hold the vector's specified maximum (ceiling)\r
507 length. A variable length vector with an actual length field of zero\r
508 is referred to as an empty vector.\r
509 \r
510 \r
511 T T'<floor..ceiling>;\r
512 \r
513 \r
514 In the following example, mandatory is a vector that must contain\r
515 between 300 and 400 bytes of type opaque. It can never be empty. The\r
516 actual length field consumes two bytes, a uint16, sufficient to\r
517 represent the value 400 (see Section 4.4). On the other hand, longer\r
518 can represent up to 800 bytes of data, or 400 uint16 elements, and it\r
519 may be empty. Its encoding will include a two byte actual length\r
520 field prepended to the vector. The length of an encoded vector must\r
521 be an even multiple of the length of a single element (for example, a\r
522 17 byte vector of uint16 would be illegal).\r
523 \r
524 \r
525 opaque mandatory<300..400>;\r
526 /* length field is 2 bytes, cannot be empty */\r
527 uint16 longer<0..800>;\r
528 /* zero to 400 16-bit unsigned integers */\r
529 \r
530 \r
531 4.4. Numbers\r
532 \r
533 \r
534 The basic numeric data type is an unsigned byte (uint8). All larger\r
535 numeric data types are formed from fixed length series of bytes\r
536 concatenated as described in Section 4.1 and are also unsigned. The\r
537 following numeric types are predefined.\r
538 \r
539 \r
540 uint8 uint16[2];\r
541 uint8 uint24[3];\r
542 uint8 uint32[4];\r
543 uint8 uint64[8];\r
544 \r
545 \r
546 All values, here and elsewhere in the specification, are stored in\r
547 "network" or "big-endian" order; the uint32 represented by the hex\r
548 bytes 01 02 03 04 is equivalent to the decimal value 16909060.\r
549 \r
550 \r
551 4.5. Enumerateds\r
552 \r
553 \r
554 An additional sparse data type is available called enum. A field of\r
555 type enum can only assume the values declared in the definition.\r
556 Each definition is a different type. Only enumerateds of the same\r
557 type may be assigned or compared. Every element of an enumerated must\r
558 \r
559 \r
560 \r
561 \r
562 \r
563 Dierks & Rescorla Standards Track [Page 9] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
564 \r
565 \r
566 \r
567 be assigned a value, as demonstrated in the following example. Since\r
568 the elements of the enumerated are not ordered, they can be assigned\r
569 any unique value, in any order.\r
570 \r
571 \r
572 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;\r
573 \r
574 \r
575 Enumerateds occupy as much space in the byte stream as would its\r
576 maximal defined ordinal value. The following definition would cause\r
577 one byte to be used to carry fields of type Color.\r
578 \r
579 \r
580 enum { red(3), blue(5), white(7) } Color;\r
581 \r
582 \r
583 One may optionally specify a value without its associated tag to\r
584 force the width definition without defining a superfluous element.\r
585 In the following example, Taste will consume two bytes in the data\r
586 stream but can only assume the values 1, 2 or 4.\r
587 \r
588 \r
589 enum { sweet(1), sour(2), bitter(4), (32000) } Taste;\r
590 \r
591 \r
592 The names of the elements of an enumeration are scoped within the\r
593 defined type. In the first example, a fully qualified reference to\r
594 the second element of the enumeration would be Color.blue. Such\r
595 qualification is not required if the target of the assignment is well\r
596 specified.\r
597 \r
598 \r
599 Color color = Color.blue; /* overspecified, legal */\r
600 Color color = blue; /* correct, type implicit */\r
601 \r
602 \r
603 For enumerateds that are never converted to external representation,\r
604 the numerical information may be omitted.\r
605 \r
606 \r
607 enum { low, medium, high } Amount;\r
608 \r
609 \r
610 4.6. Constructed types\r
611 \r
612 \r
613 Structure types may be constructed from primitive types for\r
614 convenience. Each specification declares a new, unique type. The\r
615 syntax for definition is much like that of C.\r
616 \r
617 \r
618 struct {\r
619 T1 f1;\r
620 T2 f2;\r
621 ...\r
622 Tn fn;\r
623 } [[T]];\r
624 \r
625 \r
626 \r
627 \r
628 \r
629 \r
630 \r
631 Dierks & Rescorla Standards Track [Page 10] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
632 \r
633 \r
634 \r
635 The fields within a structure may be qualified using the type's name\r
636 using a syntax much like that available for enumerateds. For example,\r
637 T.f2 refers to the second field of the previous declaration.\r
638 Structure definitions may be embedded.\r
639 \r
640 \r
641 4.6.1. Variants\r
642 \r
643 \r
644 Defined structures may have variants based on some knowledge that is\r
645 available within the environment. The selector must be an enumerated\r
646 type that defines the possible variants the structure defines. There\r
647 must be a case arm for every element of the enumeration declared in\r
648 the select. The body of the variant structure may be given a label\r
649 for reference. The mechanism by which the variant is selected at\r
650 runtime is not prescribed by the presentation language.\r
651 \r
652 \r
653 struct {\r
654 T1 f1;\r
655 T2 f2;\r
656 ....\r
657 Tn fn;\r
658 select (E) {\r
659 case e1: Te1;\r
660 case e2: Te2;\r
661 ....\r
662 case en: Ten;\r
663 } [[fv]];\r
664 } [[Tv]];\r
665 \r
666 \r
667 For example:\r
668 \r
669 \r
670 enum { apple, orange } VariantTag;\r
671 struct {\r
672 uint16 number;\r
673 opaque string<0..10>; /* variable length */\r
674 } V1;\r
675 struct {\r
676 uint32 number;\r
677 opaque string[10]; /* fixed length */\r
678 } V2;\r
679 struct {\r
680 select (VariantTag) { /* value of selector is implicit */\r
681 case apple: V1; /* VariantBody, tag = apple */\r
682 case orange: V2; /* VariantBody, tag = orange */\r
683 } variant_body; /* optional label on variant */\r
684 } VariantRecord;\r
685 \r
686 \r
687 Variant structures may be qualified (narrowed) by specifying a value\r
688 for the selector prior to the type. For example, a\r
689 \r
690 \r
691 \r
692 \r
693 Dierks & Rescorla Standards Track [Page 11] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
694 \r
695 \r
696 \r
697 orange VariantRecord\r
698 \r
699 \r
700 is a narrowed type of a VariantRecord containing a variant_body of\r
701 type V2.\r
702 \r
703 \r
704 4.7. Cryptographic attributes\r
705 \r
706 \r
707 The four cryptographic operations digital signing, stream cipher\r
708 encryption, block cipher encryption, and public key encryption are\r
709 designated digitally-signed, stream-ciphered, block-ciphered, and\r
710 public-key-encrypted, respectively. A field's cryptographic\r
711 processing is specified by prepending an appropriate key word\r
712 designation before the field's type specification. Cryptographic keys\r
713 are implied by the current session state (see Section 6.1).\r
714 \r
715 \r
716 In digital signing, one-way hash functions are used as input for a\r
717 signing algorithm. A digitally-signed element is encoded as an opaque\r
718 vector <0..2^16-1>, where the length is specified by the signing\r
719 algorithm and key.\r
720 \r
721 \r
722 In RSA signing, a 36-byte structure of two hashes (one SHA and one\r
723 MD5) is signed (encrypted with the private key). It is encoded with\r
724 PKCS #1 block type 0 or type 1 as described in [PKCS1].\r
725 \r
726 \r
727 In DSS, the 20 bytes of the SHA hash are run directly through the\r
728 Digital Signing Algorithm with no additional hashing. This produces\r
729 two values, r and s. The DSS signature is an opaque vector, as above,\r
730 the contents of which are the DER encoding of:\r
731 \r
732 \r
733 Dss-Sig-Value ::= SEQUENCE {\r
734 r INTEGER,\r
735 s INTEGER\r
736 }\r
737 \r
738 \r
739 In stream cipher encryption, the plaintext is exclusive-ORed with an\r
740 identical amount of output generated from a cryptographically-secure\r
741 keyed pseudorandom number generator.\r
742 \r
743 \r
744 In block cipher encryption, every block of plaintext encrypts to a\r
745 block of ciphertext. All block cipher encryption is done in CBC\r
746 (Cipher Block Chaining) mode, and all items which are block-ciphered\r
747 will be an exact multiple of the cipher block length.\r
748 \r
749 \r
750 In public key encryption, a public key algorithm is used to encrypt\r
751 data in such a way that it can be decrypted only with the matching\r
752 private key. A public-key-encrypted element is encoded as an opaque\r
753 vector <0..2^16-1>, where the length is specified by the signing\r
754 algorithm and key.\r
755 \r
756 \r
757 \r
758 \r
759 Dierks & Rescorla Standards Track [Page 12] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
760 \r
761 \r
762 \r
763 An RSA encrypted value is encoded with PKCS #1 block type 2 as\r
764 described in [PKCS1].\r
765 \r
766 \r
767 In the following example:\r
768 \r
769 \r
770 stream-ciphered struct {\r
771 uint8 field1;\r
772 uint8 field2;\r
773 digitally-signed opaque hash[20];\r
774 } UserType;\r
775 \r
776 \r
777 The contents of hash are used as input for the signing algorithm,\r
778 then the entire structure is encrypted with a stream cipher. The\r
779 length of this structure, in bytes would be equal to 2 bytes for\r
780 field1 and field2, plus two bytes for the length of the signature,\r
781 plus the length of the output of the signing algorithm. This is known\r
782 due to the fact that the algorithm and key used for the signing are\r
783 known prior to encoding or decoding this structure.\r
784 \r
785 \r
786 4.8. Constants\r
787 \r
788 \r
789 Typed constants can be defined for purposes of specification by\r
790 declaring a symbol of the desired type and assigning values to it.\r
791 Under-specified types (opaque, variable length vectors, and\r
792 structures that contain opaque) cannot be assigned values. No fields\r
793 of a multi-element structure or vector may be elided.\r
794 \r
795 \r
796 For example,\r
797 \r
798 \r
799 struct {\r
800 uint8 f1;\r
801 uint8 f2;\r
802 } Example1;\r
803 \r
804 \r
805 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */\r
806 \r
807 \r
808 5. HMAC and the pseudorandom function\r
809 \r
810 \r
811 A number of operations in the TLS record and handshake layer required\r
812 a keyed MAC; this is a secure digest of some data protected by a\r
813 secret. Forging the MAC is infeasible without knowledge of the MAC\r
814 secret. The construction we use for this operation is known as HMAC,\r
815 described in [HMAC].\r
816 \r
817 \r
818 HMAC can be used with a variety of different hash algorithms. TLS\r
819 uses it in the handshake with two different algorithms: MD5 and\r
820 SHA-1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret,\r
821 \r
822 \r
823 \r
824 \r
825 \r
826 Dierks & Rescorla Standards Track [Page 13] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
827 \r
828 \r
829 \r
830 data). Additional hash algorithms can be defined by cipher suites and\r
831 used to protect record data, but MD5 and SHA-1 are hard coded into\r
832 the description of the handshaking for this version of the protocol.\r
833 \r
834 \r
835 In addition, a construction is required to do expansion of secrets\r
836 into blocks of data for the purposes of key generation or validation.\r
837 This pseudo-random function (PRF) takes as input a secret, a seed,\r
838 and an identifying label and produces an output of arbitrary length.\r
839 \r
840 \r
841 In order to make the PRF as secure as possible, it uses two hash\r
842 algorithms in a way which should guarantee its security if either\r
843 algorithm remains secure.\r
844 \r
845 \r
846 First, we define a data expansion function, P_hash(secret, data)\r
847 which uses a single hash function to expand a secret and seed into an\r
848 arbitrary quantity of output:\r
849 \r
850 \r
851 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +\r
852 HMAC_hash(secret, A(2) + seed) +\r
853 HMAC_hash(secret, A(3) + seed) + ...\r
854 \r
855 \r
856 Where + indicates concatenation.\r
857 \r
858 \r
859 A() is defined as:\r
860 A(0) = seed\r
861 A(i) = HMAC_hash(secret, A(i-1))\r
862 \r
863 \r
864 P_hash can be iterated as many times as is necessary to produce the\r
865 required quantity of data. For example, if P_SHA-1 was being used to\r
866 create 64 bytes of data, it would have to be iterated 4 times\r
867 (through A(4)), creating 80 bytes of output data; the last 16 bytes\r
868 of the final iteration would then be discarded, leaving 64 bytes of\r
869 output data.\r
870 \r
871 \r
872 TLS's PRF is created by splitting the secret into two halves and\r
873 using one half to generate data with P_MD5 and the other half to\r
874 generate data with P_SHA-1, then exclusive-or'ing the outputs of\r
875 these two expansion functions together.\r
876 \r
877 \r
878 S1 and S2 are the two halves of the secret and each is the same\r
879 length. S1 is taken from the first half of the secret, S2 from the\r
880 second half. Their length is created by rounding up the length of the\r
881 overall secret divided by two; thus, if the original secret is an odd\r
882 number of bytes long, the last byte of S1 will be the same as the\r
883 first byte of S2.\r
884 \r
885 \r
886 L_S = length in bytes of secret;\r
887 L_S1 = L_S2 = ceil(L_S / 2);\r
888 \r
889 \r
890 \r
891 \r
892 Dierks & Rescorla Standards Track [Page 14] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
893 \r
894 \r
895 \r
896 The secret is partitioned into two halves (with the possibility of\r
897 one shared byte) as described above, S1 taking the first L_S1 bytes\r
898 and S2 the last L_S2 bytes.\r
899 \r
900 \r
901 The PRF is then defined as the result of mixing the two pseudorandom\r
902 streams by exclusive-or'ing them together.\r
903 \r
904 \r
905 PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR\r
906 P_SHA-1(S2, label + seed);\r
907 \r
908 \r
909 The label is an ASCII string. It should be included in the exact form\r
910 it is given without a length byte or trailing null character. For\r
911 example, the label "slithy toves" would be processed by hashing the\r
912 following bytes:\r
913 \r
914 \r
915 73 6C 69 74 68 79 20 74 6F 76 65 73\r
916 \r
917 \r
918 Note that because MD5 produces 16 byte outputs and SHA-1 produces 20\r
919 byte outputs, the boundaries of their internal iterations will not be\r
920 aligned; to generate a 80 byte output will involve P_MD5 being\r
921 iterated through A(5), while P_SHA-1 will only iterate through A(4).\r
922 \r
923 \r
924 6. The TLS Record Protocol\r
925 \r
926 \r
927 The TLS Record Protocol is a layered protocol. At each layer,\r
928 messages may include fields for length, description, and content.\r
929 The Record Protocol takes messages to be transmitted, fragments the\r
930 data into manageable blocks, optionally compresses the data, applies\r
931 a MAC, encrypts, and transmits the result. Received data is\r
932 decrypted, verified, decompressed, and reassembled, then delivered to\r
933 higher level clients.\r
934 \r
935 \r
936 Four record protocol clients are described in this document: the\r
937 handshake protocol, the alert protocol, the change cipher spec\r
938 protocol, and the application data protocol. In order to allow\r
939 extension of the TLS protocol, additional record types can be |\r
940 supported by the record protocol. Any new record types SHOULD\r
941 allocate type values immediately beyond the ContentType values for\r
942 the four record types described here (see Appendix A.2). If a TLS\r
943 implementation receives a record type it does not understand, it |\r
944 SHOULD just ignore it. Any protocol designed for use over TLS MUST be\r
945 carefully designed to deal with all possible attacks against it.\r
946 Note that because the type and length of a record are not protected |\r
947 by encryption, care SHOULD be taken to minimize the value of traffic\r
948 analysis of these values.\r
949 \r
950 \r
951 \r
952 \r
953 \r
954 \r
955 \r
956 Dierks & Rescorla Standards Track [Page 15] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
957 \r
958 \r
959 \r
960 6.1. Connection states\r
961 \r
962 \r
963 A TLS connection state is the operating environment of the TLS Record\r
964 Protocol. It specifies a compression algorithm, encryption algorithm,\r
965 and MAC algorithm. In addition, the parameters for these algorithms\r
966 are known: the MAC secret and the bulk encryption keys for the |\r
967 connection in both the read and the write directions. Logically,\r
968 there are always four connection states outstanding: the current read\r
969 and write states, and the pending read and write states. All records\r
970 are processed under the current read and write states. The security\r
971 parameters for the pending states can be set by the TLS Handshake\r
972 Protocol, and the Handshake Protocol can selectively make either of\r
973 the pending states current, in which case the appropriate current\r
974 state is disposed of and replaced with the pending state; the pending\r
975 state is then reinitialized to an empty state. It is illegal to make\r
976 a state which has not been initialized with security parameters a\r
977 current state. The initial current state always specifies that no\r
978 encryption, compression, or MAC will be used.\r
979 \r
980 \r
981 The security parameters for a TLS Connection read and write state are\r
982 set by providing the following values:\r
983 \r
984 \r
985 connection end\r
986 Whether this entity is considered the "client" or the "server" in\r
987 this connection.\r
988 \r
989 \r
990 bulk encryption algorithm\r
991 An algorithm to be used for bulk encryption. This specification\r
992 includes the key size of this algorithm, how much of that key is\r
993 secret, whether it is a block or stream cipher, the block size of\r
994 the cipher (if appropriate), and whether it is considered an\r
995 "export" cipher.\r
996 \r
997 \r
998 MAC algorithm\r
999 An algorithm to be used for message authentication. This\r
1000 specification includes the size of the hash which is returned by\r
1001 the MAC algorithm.\r
1002 \r
1003 \r
1004 compression algorithm\r
1005 An algorithm to be used for data compression. This specification\r
1006 must include all information the algorithm requires to do\r
1007 compression.\r
1008 \r
1009 \r
1010 master secret\r
1011 A 48 byte secret shared between the two peers in the connection.\r
1012 \r
1013 \r
1014 client random\r
1015 A 32 byte value provided by the client.\r
1016 \r
1017 \r
1018 \r
1019 \r
1020 Dierks & Rescorla Standards Track [Page 16] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1021 \r
1022 \r
1023 \r
1024 server random\r
1025 A 32 byte value provided by the server.\r
1026 \r
1027 \r
1028 These parameters are defined in the presentation language as:\r
1029 \r
1030 \r
1031 enum { server, client } ConnectionEnd;\r
1032 \r
1033 \r
1034 enum { null, rc4, rc2, des, 3des, des40 } BulkCipherAlgorithm;\r
1035 \r
1036 \r
1037 enum { stream, block } CipherType;\r
1038 \r
1039 \r
1040 enum { true, false } IsExportable;\r
1041 \r
1042 \r
1043 enum { null, md5, sha } MACAlgorithm;\r
1044 \r
1045 \r
1046 enum { null(0), (255) } CompressionMethod;\r
1047 \r
1048 \r
1049 /* The algorithms specified in CompressionMethod,\r
1050 BulkCipherAlgorithm, and MACAlgorithm may be added to. */\r
1051 \r
1052 \r
1053 struct {\r
1054 ConnectionEnd entity;\r
1055 BulkCipherAlgorithm bulk_cipher_algorithm;\r
1056 CipherType cipher_type;\r
1057 uint8 key_size;\r
1058 uint8 key_material_length;\r
1059 IsExportable is_exportable;\r
1060 MACAlgorithm mac_algorithm;\r
1061 uint8 hash_size;\r
1062 CompressionMethod compression_algorithm;\r
1063 opaque master_secret[48];\r
1064 opaque client_random[32];\r
1065 opaque server_random[32];\r
1066 } SecurityParameters;\r
1067 \r
1068 \r
1069 The record layer will use the security parameters to generate the |\r
1070 following four items:\r
1071 \r
1072 \r
1073 client write MAC secret\r
1074 server write MAC secret\r
1075 client write key\r
1076 server write key\r
1077 \r
1078 \r
1079 The client write parameters are used by the server when receiving and\r
1080 processing records and vice-versa. The algorithm used for generating\r
1081 these items from the security parameters is described in section 6.3.\r
1082 \r
1083 \r
1084 Once the security parameters have been set and the keys have been\r
1085 \r
1086 \r
1087 \r
1088 \r
1089 Dierks & Rescorla Standards Track [Page 17] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1090 \r
1091 \r
1092 \r
1093 generated, the connection states can be instantiated by making them |\r
1094 the current states. These current states MUST be updated for each\r
1095 record processed. Each connection state includes the following\r
1096 elements:\r
1097 \r
1098 \r
1099 compression state\r
1100 The current state of the compression algorithm.\r
1101 \r
1102 \r
1103 cipher state\r
1104 The current state of the encryption algorithm. This will consist |\r
1105 of the scheduled key for that connection. For stream ciphers, |\r
1106 this will also contain whatever the necessary state information |\r
1107 is to allow the stream to continue to encrypt or decrypt data.\r
1108 \r
1109 \r
1110 MAC secret\r
1111 The MAC secret for this connection as generated above.\r
1112 \r
1113 \r
1114 sequence number\r
1115 Each connection state contains a sequence number, which is\r
1116 maintained separately for read and write states. The sequence |\r
1117 number MUST be set to zero whenever a connection state is made\r
1118 the active state. Sequence numbers are of type uint64 and may not |\r
1119 exceed 2^64-1. Sequence numbers do not wrap. If a TLS |\r
1120 implementation would need to wrap a sequence number it must |\r
1121 renegotiate instead. A sequence number is incremented after each\r
1122 record: specifically, the first record which is transmitted under |\r
1123 a particular connection state MUST use sequence number 0.\r
1124 \r
1125 \r
1126 6.2. Record layer\r
1127 \r
1128 \r
1129 The TLS Record Layer receives uninterpreted data from higher layers\r
1130 in non-empty blocks of arbitrary size.\r
1131 \r
1132 \r
1133 6.2.1. Fragmentation\r
1134 \r
1135 \r
1136 The record layer fragments information blocks into TLSPlaintext\r
1137 records carrying data in chunks of 2^14 bytes or less. Client message\r
1138 boundaries are not preserved in the record layer (i.e., multiple |\r
1139 client messages of the same ContentType MAY be coalesced into a |\r
1140 single TLSPlaintext record, or a single message MAY be fragmented |\r
1141 across several records). |\r
1142 \r
1143 \r
1144 \r
1145 struct {\r
1146 uint8 major, minor;\r
1147 } ProtocolVersion;\r
1148 \r
1149 \r
1150 enum {\r
1151 \r
1152 \r
1153 \r
1154 \r
1155 Dierks & Rescorla Standards Track [Page 18] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1156 \r
1157 \r
1158 \r
1159 change_cipher_spec(20), alert(21), handshake(22),\r
1160 application_data(23), (255)\r
1161 } ContentType;\r
1162 \r
1163 \r
1164 struct {\r
1165 ContentType type;\r
1166 ProtocolVersion version;\r
1167 uint16 length;\r
1168 opaque fragment[TLSPlaintext.length];\r
1169 } TLSPlaintext;\r
1170 \r
1171 \r
1172 type\r
1173 The higher level protocol used to process the enclosed fragment.\r
1174 \r
1175 \r
1176 version\r
1177 The version of the protocol being employed. This document |\r
1178 describes TLS Version 1.1, which uses the version { 3, 2 }. The |\r
1179 version value 3.2 is historical: TLS version 1.1 is a minor |\r
1180 modification to the TLS 1.0 protocol, which was itself a minor |\r
1181 modification to the SSL 3.0 protocol, which bears the version\r
1182 value 3.0. (See Appendix A.1).\r
1183 \r
1184 \r
1185 length\r
1186 The length (in bytes) of the following TLSPlaintext.fragment.\r
1187 The length should not exceed 2^14.\r
1188 \r
1189 \r
1190 fragment\r
1191 The application data. This data is transparent and treated as an\r
1192 independent block to be dealt with by the higher level protocol\r
1193 specified by the type field.\r
1194 \r
1195 \r
1196 Note: Data of different TLS Record layer content types MAY be |\r
1197 interleaved. Application data is generally of lower precedence |\r
1198 for transmission than other content types and therefore handshake |\r
1199 records may be held if application data is pending. However, |\r
1200 records MUST be delivered to the network in the same order as |\r
1201 they are protected by the record layer. |\r
1202 \r
1203 \r
1204 6.2.2. Record compression and decompression\r
1205 \r
1206 \r
1207 All records are compressed using the compression algorithm defined in\r
1208 the current session state. There is always an active compression\r
1209 algorithm; however, initially it is defined as\r
1210 CompressionMethod.null. The compression algorithm translates a\r
1211 TLSPlaintext structure into a TLSCompressed structure. Compression\r
1212 functions are initialized with default state information whenever a\r
1213 connection state is made active.\r
1214 \r
1215 \r
1216 \r
1217 \r
1218 \r
1219 Dierks & Rescorla Standards Track [Page 19] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1220 \r
1221 \r
1222 \r
1223 Compression must be lossless and may not increase the content length\r
1224 by more than 1024 bytes. If the decompression function encounters a\r
1225 TLSCompressed.fragment that would decompress to a length in excess of\r
1226 2^14 bytes, it should report a fatal decompression failure error.\r
1227 \r
1228 \r
1229 struct {\r
1230 ContentType type; /* same as TLSPlaintext.type */\r
1231 ProtocolVersion version;/* same as TLSPlaintext.version */\r
1232 uint16 length;\r
1233 opaque fragment[TLSCompressed.length];\r
1234 } TLSCompressed;\r
1235 \r
1236 \r
1237 length\r
1238 The length (in bytes) of the following TLSCompressed.fragment.\r
1239 The length should not exceed 2^14 + 1024.\r
1240 \r
1241 \r
1242 fragment\r
1243 The compressed form of TLSPlaintext.fragment.\r
1244 \r
1245 \r
1246 Note: A CompressionMethod.null operation is an identity operation; no\r
1247 fields are altered.\r
1248 \r
1249 \r
1250 Implementation note:\r
1251 Decompression functions are responsible for ensuring that\r
1252 messages cannot cause internal buffer overflows.\r
1253 \r
1254 \r
1255 6.2.3. Record payload protection\r
1256 \r
1257 \r
1258 The encryption and MAC functions translate a TLSCompressed structure\r
1259 into a TLSCiphertext. The decryption functions reverse the process.\r
1260 The MAC of the record also includes a sequence number so that\r
1261 missing, extra or repeated messages are detectable.\r
1262 \r
1263 \r
1264 struct {\r
1265 ContentType type;\r
1266 ProtocolVersion version;\r
1267 uint16 length;\r
1268 select (CipherSpec.cipher_type) {\r
1269 case stream: GenericStreamCipher;\r
1270 case block: GenericBlockCipher;\r
1271 } fragment;\r
1272 } TLSCiphertext;\r
1273 \r
1274 \r
1275 type\r
1276 The type field is identical to TLSCompressed.type.\r
1277 \r
1278 \r
1279 version\r
1280 The version field is identical to TLSCompressed.version.\r
1281 \r
1282 \r
1283 \r
1284 \r
1285 Dierks & Rescorla Standards Track [Page 20] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1286 \r
1287 \r
1288 \r
1289 length\r
1290 The length (in bytes) of the following TLSCiphertext.fragment.\r
1291 The length may not exceed 2^14 + 2048.\r
1292 \r
1293 \r
1294 fragment |\r
1295 The encrypted form of TLSCompressed.fragment, with the MAC.\r
1296 \r
1297 \r
1298 6.2.3.1. Null or standard stream cipher\r
1299 \r
1300 \r
1301 Stream ciphers (including BulkCipherAlgorithm.null - see Appendix\r
1302 A.6) convert TLSCompressed.fragment structures to and from stream\r
1303 TLSCiphertext.fragment structures.\r
1304 \r
1305 \r
1306 stream-ciphered struct {\r
1307 opaque content[TLSCompressed.length];\r
1308 opaque MAC[CipherSpec.hash_size];\r
1309 } GenericStreamCipher;\r
1310 \r
1311 \r
1312 The MAC is generated as:\r
1313 \r
1314 \r
1315 HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +\r
1316 TLSCompressed.version + TLSCompressed.length +\r
1317 TLSCompressed.fragment));\r
1318 \r
1319 \r
1320 where "+" denotes concatenation.\r
1321 \r
1322 \r
1323 seq_num\r
1324 The sequence number for this record.\r
1325 \r
1326 \r
1327 hash\r
1328 The hashing algorithm specified by\r
1329 SecurityParameters.mac_algorithm.\r
1330 \r
1331 \r
1332 Note that the MAC is computed before encryption. The stream cipher\r
1333 encrypts the entire block, including the MAC. For stream ciphers that\r
1334 do not use a synchronization vector (such as RC4), the stream cipher\r
1335 state from the end of one record is simply used on the subsequent\r
1336 packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL, encryption\r
1337 consists of the identity operation (i.e., the data is not encrypted\r
1338 and the MAC size is zero implying that no MAC is used).\r
1339 TLSCiphertext.length is TLSCompressed.length plus\r
1340 CipherSpec.hash_size.\r
1341 \r
1342 \r
1343 6.2.3.2. CBC block cipher\r
1344 \r
1345 \r
1346 For block ciphers (such as RC2 or DES), the encryption and MAC\r
1347 functions convert TLSCompressed.fragment structures to and from block\r
1348 TLSCiphertext.fragment structures.\r
1349 \r
1350 \r
1351 \r
1352 \r
1353 Dierks & Rescorla Standards Track [Page 21] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1354 \r
1355 \r
1356 \r
1357 block-ciphered struct {\r
1358 opaque IV[CipherSpec.block_length]; |\r
1359 opaque content[TLSCompressed.length];\r
1360 opaque MAC[CipherSpec.hash_size];\r
1361 uint8 padding[GenericBlockCipher.padding_length];\r
1362 uint8 padding_length;\r
1363 } GenericBlockCipher;\r
1364 \r
1365 \r
1366 The MAC is generated as described in Section 6.2.3.1.\r
1367 \r
1368 \r
1369 IV |\r
1370 Unlike previous versions of SSL and TLS, TLS 1.1 uses an explicit |\r
1371 IV in order to prevent the attacks described by [CBCATT]. |\r
1372 We recommend the following equivalently strong procedures. |\r
1373 For clarity we use the following notation. |\r
1374 \r
1375 \r
1376 IV -- the transmitted value of the IV field in the |\r
1377 GenericBlockCipher structure. |\r
1378 CBC residue -- the last ciphertext block of the previous record |\r
1379 mask -- the actual value which the cipher XORs with the |\r
1380 plaintext prior to encryption of the first cipher block |\r
1381 of the record. |\r
1382 \r
1383 \r
1384 In prior versions of TLS, there was no IV field and the CBC residue|\r
1385 and mask were one and the same. |\r
1386 \r
1387 \r
1388 \r
1389 (1) Generate a cryptographically strong random string R of |\r
1390 length CipherSpec.block_length. Place R |\r
1391 in the IV field. Set the mask to R. Thus, the first |\r
1392 cipher block will be encrypted as E(R XOR Data). |\r
1393 \r
1394 \r
1395 (2) Generate a cryptographically strong random number R of |\r
1396 length CipherSpec.block_length and prepend it to the plaintext|\r
1397 prior to encryption. In |\r
1398 this case either: |\r
1399 \r
1400 \r
1401 (a) The cipher may use a fixed mask such as zero. |\r
1402 (b) The CBC residue from the previous record may be used |\r
1403 as the mask. This preserves maximum code compatibility |\r
1404 with TLS 1.0 and SSL 3. It also has the advantage that |\r
1405 it does not require the ability to quickly reset the IV, |\r
1406 which is known to be a problem on some systems. |\r
1407 \r
1408 \r
1409 In either case, the data (R || data) is fed into the |\r
1410 encryption process. The first cipher block (containing |\r
1411 E(mask XOR R) is placed in the IV field. The first |\r
1412 block of content contains E(IV XOR data) |\r
1413 \r
1414 \r
1415 \r
1416 \r
1417 Dierks & Rescorla Standards Track [Page 22] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1418 \r
1419 \r
1420 \r
1421 The following alternative procedure MAY be used: However, it has |\r
1422 not been demonstrated to be equivalently cryptographically strong |\r
1423 to the above procedures. The sender prepends a fixed block F to |\r
1424 the plaintext (or alternatively a block generated with a weak |\r
1425 PRNG). He then encrypts as in (2) above, using the CBC residue |\r
1426 from the previous block as the mask for the prepended block. Note |\r
1427 that in this case the mask for the first record transmitted by |\r
1428 the application (the Finished) MUST be generated using a |\r
1429 cryptographically strong PRNG. |\r
1430 \r
1431 \r
1432 The decryption operation for all three alternatives is the same. |\r
1433 The receiver decrypts the entire GenericBlockCipher structure and |\r
1434 then discards the first cipher block, corresponding to the IV |\r
1435 component. |\r
1436 \r
1437 \r
1438 padding\r
1439 Padding that is added to force the length of the plaintext to be\r
1440 an integral multiple of the block cipher's block length. The |\r
1441 padding MAY be any length up to 255 bytes long, as long as it\r
1442 results in the TLSCiphertext.length being an integral multiple of\r
1443 the block length. Lengths longer than necessary might be\r
1444 desirable to frustrate attacks on a protocol based on analysis of\r
1445 the lengths of exchanged messages. Each uint8 in the padding data |\r
1446 vector MUST be filled with the padding length value. The receiver |\r
1447 MUST check this padding and SHOULD use the bad_record_mac alert |\r
1448 to indicate padding errors.\r
1449 \r
1450 \r
1451 padding_length\r
1452 The padding length MUST be such that the total size of the |\r
1453 GenericBlockCipher structure is a multiple of the cipher's block\r
1454 length. Legal values range from zero to 255, inclusive. This\r
1455 length specifies the length of the padding field exclusive of the\r
1456 padding_length field itself.\r
1457 \r
1458 \r
1459 The encrypted data length (TLSCiphertext.length) is one more than the\r
1460 sum of TLSCompressed.length, CipherSpec.hash_size, and\r
1461 padding_length.\r
1462 \r
1463 \r
1464 Example: If the block length is 8 bytes, the content length\r
1465 (TLSCompressed.length) is 61 bytes, and the MAC length is 20 |\r
1466 bytes, the length before padding is 82 bytes (this does not |\r
1467 include the IV, which may or may not be encrypted, as |\r
1468 discussed above). Thus, the padding length modulo 8 must be\r
1469 equal to 6 in order to make the total length an even multiple\r
1470 of 8 bytes (the block length). The padding length can be 6,\r
1471 14, 22, and so on, through 254. If the padding length were the\r
1472 minimum necessary, 6, the padding would be 6 bytes, each\r
1473 containing the value 6. Thus, the last 8 octets of the\r
1474 \r
1475 \r
1476 \r
1477 \r
1478 Dierks & Rescorla Standards Track [Page 23] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1479 \r
1480 \r
1481 \r
1482 GenericBlockCipher before block encryption would be xx 06 06\r
1483 06 06 06 06 06, where xx is the last octet of the MAC.\r
1484 \r
1485 \r
1486 Note: With block ciphers in CBC mode (Cipher Block Chaining), |\r
1487 it is critical that the entire plaintext of the record be known |\r
1488 before any ciphertext is transmitted. Otherwise it is possible |\r
1489 for the attacker to mount the attack described in [CBCATT]. |\r
1490 \r
1491 \r
1492 Implementation Note: Canvel et. al. [CBCTIME] have demonstrated a |\r
1493 timing attack on CBC padding based on the time required to |\r
1494 compute the MAC. In order to defend against this attack, |\r
1495 implementations MUST ensure that record processing time is |\r
1496 essentially the same whether or not the padding is correct. In |\r
1497 general, the best way to to do this is to compute the MAC even if |\r
1498 the padding is incorrect, and only then reject the packet. For |\r
1499 instance, if the pad appears to be incorrect the implementation |\r
1500 might assume a zero-length pad and then compute the MAC. This |\r
1501 leaves a small timing channel, since MAC performance depends to |\r
1502 some extent on the size of the data fragment, but it is not |\r
1503 believed to be large enough to be exploitable due to the large |\r
1504 block size of existing MACs and the small size of the timing |\r
1505 signal.\r
1506 \r
1507 \r
1508 6.3. Key calculation\r
1509 \r
1510 \r
1511 The Record Protocol requires an algorithm to generate keys, and MAC |\r
1512 secrets from the security parameters provided by the handshake\r
1513 protocol.\r
1514 \r
1515 \r
1516 The master secret is hashed into a sequence of secure bytes, which |\r
1517 are assigned to the MAC secrets and keys required by the current\r
1518 connection state (see Appendix A.6). CipherSpecs require a client\r
1519 write MAC secret, a server write MAC secret, a client write key, and |\r
1520 a server write key, which are generated from the master secret in |\r
1521 that order. Unused values are empty.\r
1522 \r
1523 \r
1524 When generating keys and MAC secrets, the master secret is used as an\r
1525 entropy source, and the random values provide unencrypted salt |\r
1526 material for exportable ciphers.\r
1527 \r
1528 \r
1529 To generate the key material, compute\r
1530 \r
1531 \r
1532 key_block = PRF(SecurityParameters.master_secret,\r
1533 "key expansion",\r
1534 SecurityParameters.server_random +\r
1535 SecurityParameters.client_random);\r
1536 \r
1537 \r
1538 until enough output has been generated. Then the key_block is\r
1539 \r
1540 \r
1541 \r
1542 \r
1543 Dierks & Rescorla Standards Track [Page 24] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1544 \r
1545 \r
1546 \r
1547 partitioned as follows:\r
1548 \r
1549 \r
1550 client_write_MAC_secret[SecurityParameters.hash_size]\r
1551 server_write_MAC_secret[SecurityParameters.hash_size]\r
1552 client_write_key[SecurityParameters.key_material_length]\r
1553 server_write_key[SecurityParameters.key_material_length]\r
1554 \r
1555 \r
1556 \r
1557 Implementation note:\r
1558 The cipher spec which is defined in this document which requires\r
1559 the most material is 3DES_EDE_CBC_SHA: it requires 2 x 24 byte |\r
1560 keys, 2 x 20 byte MAC secrets, for a total 88 bytes of key |\r
1561 material.\r
1562 \r
1563 \r
1564 Exportable encryption algorithms (for which CipherSpec.is_exportable\r
1565 is true) require additional processing as follows to derive their\r
1566 final write keys:\r
1567 \r
1568 \r
1569 final_client_write_key =\r
1570 PRF(SecurityParameters.client_write_key,\r
1571 "client write key",\r
1572 SecurityParameters.client_random +\r
1573 SecurityParameters.server_random);\r
1574 final_server_write_key =\r
1575 PRF(SecurityParameters.server_write_key,\r
1576 "server write key",\r
1577 SecurityParameters.client_random +\r
1578 SecurityParameters.server_random);\r
1579 \r
1580 \r
1581 6.3.1. Export key generation example\r
1582 \r
1583 \r
1584 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 requires five random bytes for\r
1585 each of the two encryption keys and 16 bytes for each of the MAC\r
1586 keys, for a total of 42 bytes of key material. The PRF output is\r
1587 stored in the key_block. The key_block is partitioned, and the write\r
1588 keys are salted because this is an exportable encryption algorithm.\r
1589 \r
1590 \r
1591 key_block = PRF(master_secret,\r
1592 "key expansion",\r
1593 server_random +\r
1594 client_random)[0..41]\r
1595 client_write_MAC_secret = key_block[0..15]\r
1596 server_write_MAC_secret = key_block[16..31]\r
1597 client_write_key = key_block[32..36]\r
1598 server_write_key = key_block[37..41]\r
1599 final_client_write_key = PRF(client_write_key,\r
1600 "client write key",\r
1601 client_random +\r
1602 \r
1603 \r
1604 \r
1605 \r
1606 Dierks & Rescorla Standards Track [Page 25] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1607 \r
1608 \r
1609 \r
1610 server_random)[0..15]\r
1611 final_server_write_key = PRF(server_write_key,\r
1612 "server write key",\r
1613 client_random +\r
1614 server_random)[0..15]\r
1615 \r
1616 \r
1617 \r
1618 7. The TLS Handshake Protocol\r
1619 \r
1620 \r
1621 The TLS Handshake Protocol consists of a suite of three sub-protocols\r
1622 which are used to allow peers to agree upon security parameters for\r
1623 the record layer, authenticate themselves, instantiate negotiated\r
1624 security parameters, and report error conditions to each other.\r
1625 \r
1626 \r
1627 The Handshake Protocol is responsible for negotiating a session,\r
1628 which consists of the following items:\r
1629 \r
1630 \r
1631 session identifier\r
1632 An arbitrary byte sequence chosen by the server to identify an\r
1633 active or resumable session state.\r
1634 \r
1635 \r
1636 peer certificate\r
1637 X509v3 [X509] certificate of the peer. This element of the state\r
1638 may be null.\r
1639 \r
1640 \r
1641 compression method\r
1642 The algorithm used to compress data prior to encryption.\r
1643 \r
1644 \r
1645 cipher spec\r
1646 Specifies the bulk data encryption algorithm (such as null, DES,\r
1647 etc.) and a MAC algorithm (such as MD5 or SHA). It also defines\r
1648 cryptographic attributes such as the hash_size. (See Appendix A.6\r
1649 for formal definition)\r
1650 \r
1651 \r
1652 master secret\r
1653 48-byte secret shared between the client and server.\r
1654 \r
1655 \r
1656 is resumable\r
1657 A flag indicating whether the session can be used to initiate new\r
1658 connections.\r
1659 \r
1660 \r
1661 These items are then used to create security parameters for use by\r
1662 the Record Layer when protecting application data. Many connections\r
1663 can be instantiated using the same session through the resumption\r
1664 feature of the TLS Handshake Protocol.\r
1665 \r
1666 \r
1667 7.1. Change cipher spec protocol\r
1668 \r
1669 \r
1670 \r
1671 \r
1672 \r
1673 Dierks & Rescorla Standards Track [Page 26] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1674 \r
1675 \r
1676 \r
1677 The change cipher spec protocol exists to signal transitions in\r
1678 ciphering strategies. The protocol consists of a single message,\r
1679 which is encrypted and compressed under the current (not the pending)\r
1680 connection state. The message consists of a single byte of value 1.\r
1681 \r
1682 \r
1683 struct {\r
1684 enum { change_cipher_spec(1), (255) } type;\r
1685 } ChangeCipherSpec;\r
1686 \r
1687 \r
1688 The change cipher spec message is sent by both the client and server\r
1689 to notify the receiving party that subsequent records will be\r
1690 protected under the newly negotiated CipherSpec and keys. Reception\r
1691 of this message causes the receiver to instruct the Record Layer to\r
1692 immediately copy the read pending state into the read current state. |\r
1693 Immediately after sending this message, the sender MUST instruct the\r
1694 record layer to make the write pending state the write active state.\r
1695 (See section 6.1.) The change cipher spec message is sent during the\r
1696 handshake after the security parameters have been agreed upon, but\r
1697 before the verifying finished message is sent (see section 7.4.9).\r
1698 \r
1699 \r
1700 7.2. Alert protocol\r
1701 \r
1702 \r
1703 One of the content types supported by the TLS Record layer is the\r
1704 alert type. Alert messages convey the severity of the message and a\r
1705 description of the alert. Alert messages with a level of fatal result\r
1706 in the immediate termination of the connection. In this case, other\r
1707 connections corresponding to the session may continue, but the |\r
1708 session identifier MUST be invalidated, preventing the failed session\r
1709 from being used to establish new connections. Like other messages,\r
1710 alert messages are encrypted and compressed, as specified by the\r
1711 current connection state.\r
1712 \r
1713 \r
1714 enum { warning(1), fatal(2), (255) } AlertLevel;\r
1715 \r
1716 \r
1717 enum {\r
1718 close_notify(0),\r
1719 unexpected_message(10),\r
1720 bad_record_mac(20),\r
1721 decryption_failed(21),\r
1722 record_overflow(22),\r
1723 decompression_failure(30),\r
1724 handshake_failure(40),\r
1725 no_certificate_RESERVED (41), |\r
1726 bad_certificate(42),\r
1727 unsupported_certificate(43),\r
1728 certificate_revoked(44),\r
1729 certificate_expired(45),\r
1730 certificate_unknown(46),\r
1731 \r
1732 \r
1733 \r
1734 \r
1735 Dierks & Rescorla Standards Track [Page 27] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1736 \r
1737 \r
1738 \r
1739 illegal_parameter(47),\r
1740 unknown_ca(48),\r
1741 access_denied(49),\r
1742 decode_error(50),\r
1743 decrypt_error(51),\r
1744 export_restriction(60),\r
1745 protocol_version(70),\r
1746 insufficient_security(71),\r
1747 internal_error(80),\r
1748 user_canceled(90),\r
1749 no_renegotiation(100),\r
1750 (255)\r
1751 } AlertDescription;\r
1752 \r
1753 \r
1754 struct {\r
1755 AlertLevel level;\r
1756 AlertDescription description;\r
1757 } Alert;\r
1758 \r
1759 \r
1760 7.2.1. Closure alerts\r
1761 \r
1762 \r
1763 The client and the server must share knowledge that the connection is\r
1764 ending in order to avoid a truncation attack. Either party may\r
1765 initiate the exchange of closing messages.\r
1766 \r
1767 \r
1768 close_notify\r
1769 This message notifies the recipient that the sender will not send |\r
1770 any more messages on this connection. The session MUST not be |\r
1771 resumed if any connection is terminated without proper\r
1772 close_notify messages with level equal to warning.\r
1773 \r
1774 \r
1775 Either party may initiate a close by sending a close_notify alert.\r
1776 Any data received after a closure alert is ignored.\r
1777 \r
1778 \r
1779 Unless some other fatal alert has been transmitted, each party is |\r
1780 required to send a close_notify alert before closing the write side |\r
1781 of the connection. The other party MUST respond with a close_notify |\r
1782 alert of its own and close down the connection immediately,\r
1783 discarding any pending writes. It is not required for the initiator\r
1784 of the close to wait for the responding close_notify alert before\r
1785 closing the read side of the connection.\r
1786 \r
1787 \r
1788 If the application protocol using TLS provides that any data may be\r
1789 carried over the underlying transport after the TLS connection is\r
1790 closed, the TLS implementation must receive the responding\r
1791 close_notify alert before indicating to the application layer that\r
1792 the TLS connection has ended. If the application protocol will not\r
1793 transfer any additional data, but will only close the underlying |\r
1794 \r
1795 \r
1796 \r
1797 \r
1798 Dierks & Rescorla Standards Track [Page 28] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1799 \r
1800 \r
1801 \r
1802 transport connection, then the implementation MAY choose to close the\r
1803 transport without waiting for the responding close_notify. No part of\r
1804 this standard should be taken to dictate the manner in which a usage\r
1805 profile for TLS manages its data transport, including when\r
1806 connections are opened or closed.\r
1807 \r
1808 \r
1809 NB: It is assumed that closing a connection reliably delivers\r
1810 pending data before destroying the transport.\r
1811 \r
1812 \r
1813 7.2.2. Error alerts\r
1814 \r
1815 \r
1816 Error handling in the TLS Handshake protocol is very simple. When an\r
1817 error is detected, the detecting party sends a message to the other\r
1818 party. Upon transmission or receipt of an fatal alert message, both |\r
1819 parties immediately close the connection. Servers and clients MUST |\r
1820 forget any session-identifiers, keys, and secrets associated with a\r
1821 failed connection. The following error alerts are defined:\r
1822 \r
1823 \r
1824 unexpected_message\r
1825 An inappropriate message was received. This alert is always fatal\r
1826 and should never be observed in communication between proper\r
1827 implementations.\r
1828 \r
1829 \r
1830 bad_record_mac\r
1831 This alert is returned if a record is received with an incorrect |\r
1832 MAC. This alert also SHOULD be returned if a TLSCiphertext |\r
1833 decrypted in an invalid way: either it wasn't an even multiple of |\r
1834 the block length, or its padding values, when checked, weren't |\r
1835 correct. This message is always fatal.\r
1836 \r
1837 \r
1838 decryption_failed\r
1839 This alert MAY be returned if a TLSCiphertext decrypted in an |\r
1840 invalid way: either it wasn't an even multiple of the block |\r
1841 length, or its padding values, when checked, weren't correct. |\r
1842 This message is always fatal. |\r
1843 \r
1844 \r
1845 NB: Differentiating between bad_record_mac and decryption_failed |\r
1846 alerts may permit certain attacks against CBC mode as used in TLS |\r
1847 [CBCATT]. It is preferable to uniformly use the bad_record_mac |\r
1848 alert to hide the specific type of the error. |\r
1849 \r
1850 \r
1851 \r
1852 record_overflow\r
1853 A TLSCiphertext record was received which had a length more than\r
1854 2^14+2048 bytes, or a record decrypted to a TLSCompressed record\r
1855 with more than 2^14+1024 bytes. This message is always fatal.\r
1856 \r
1857 \r
1858 decompression_failure\r
1859 \r
1860 \r
1861 \r
1862 \r
1863 Dierks & Rescorla Standards Track [Page 29] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1864 \r
1865 \r
1866 \r
1867 The decompression function received improper input (e.g. data\r
1868 that would expand to excessive length). This message is always\r
1869 fatal.\r
1870 \r
1871 \r
1872 handshake_failure\r
1873 Reception of a handshake_failure alert message indicates that the\r
1874 sender was unable to negotiate an acceptable set of security\r
1875 parameters given the options available. This is a fatal error.\r
1876 \r
1877 \r
1878 no_certificate_RESERVED |\r
1879 This alert was used in SSLv3 but not in TLS. It should not be |\r
1880 sent by compliant implementations. |\r
1881 \r
1882 \r
1883 bad_certificate\r
1884 A certificate was corrupt, contained signatures that did not\r
1885 verify correctly, etc.\r
1886 \r
1887 \r
1888 unsupported_certificate\r
1889 A certificate was of an unsupported type.\r
1890 \r
1891 \r
1892 certificate_revoked\r
1893 A certificate was revoked by its signer.\r
1894 \r
1895 \r
1896 certificate_expired\r
1897 A certificate has expired or is not currently valid.\r
1898 \r
1899 \r
1900 certificate_unknown\r
1901 Some other (unspecified) issue arose in processing the\r
1902 certificate, rendering it unacceptable.\r
1903 \r
1904 \r
1905 illegal_parameter\r
1906 A field in the handshake was out of range or inconsistent with\r
1907 other fields. This is always fatal.\r
1908 \r
1909 \r
1910 unknown_ca\r
1911 A valid certificate chain or partial chain was received, but the\r
1912 certificate was not accepted because the CA certificate could not |\r
1913 be located or couldn't be matched with a known, trusted CA. This\r
1914 message is always fatal.\r
1915 \r
1916 \r
1917 access_denied\r
1918 A valid certificate was received, but when access control was\r
1919 applied, the sender decided not to proceed with negotiation.\r
1920 This message is always fatal.\r
1921 \r
1922 \r
1923 decode_error\r
1924 A message could not be decoded because some field was out of the\r
1925 specified range or the length of the message was incorrect. This\r
1926 \r
1927 \r
1928 \r
1929 \r
1930 Dierks & Rescorla Standards Track [Page 30] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1931 \r
1932 \r
1933 \r
1934 message is always fatal.\r
1935 \r
1936 \r
1937 decrypt_error\r
1938 A handshake cryptographic operation failed, including being\r
1939 unable to correctly verify a signature, decrypt a key exchange,\r
1940 or validate a finished message.\r
1941 \r
1942 \r
1943 export_restriction\r
1944 A negotiation not in compliance with export restrictions was\r
1945 detected; for example, attempting to transfer a 1024 bit\r
1946 ephemeral RSA key for the RSA_EXPORT handshake method. This\r
1947 message is always fatal.\r
1948 \r
1949 \r
1950 protocol_version\r
1951 The protocol version the client has attempted to negotiate is\r
1952 recognized, but not supported. (For example, old protocol\r
1953 versions might be avoided for security reasons). This message is\r
1954 always fatal.\r
1955 \r
1956 \r
1957 insufficient_security\r
1958 Returned instead of handshake_failure when a negotiation has\r
1959 failed specifically because the server requires ciphers more\r
1960 secure than those supported by the client. This message is always\r
1961 fatal.\r
1962 \r
1963 \r
1964 internal_error\r
1965 An internal error unrelated to the peer or the correctness of the\r
1966 protocol makes it impossible to continue (such as a memory\r
1967 allocation failure). This message is always fatal.\r
1968 \r
1969 \r
1970 user_canceled\r
1971 This handshake is being canceled for some reason unrelated to a\r
1972 protocol failure. If the user cancels an operation after the\r
1973 handshake is complete, just closing the connection by sending a\r
1974 close_notify is more appropriate. This alert should be followed\r
1975 by a close_notify. This message is generally a warning.\r
1976 \r
1977 \r
1978 no_renegotiation\r
1979 Sent by the client in response to a hello request or by the\r
1980 server in response to a client hello after initial handshaking.\r
1981 Either of these would normally lead to renegotiation; when that\r
1982 is not appropriate, the recipient should respond with this alert;\r
1983 at that point, the original requester can decide whether to\r
1984 proceed with the connection. One case where this would be\r
1985 appropriate would be where a server has spawned a process to\r
1986 satisfy a request; the process might receive security parameters\r
1987 (key length, authentication, etc.) at startup and it might be\r
1988 difficult to communicate changes to these parameters after that\r
1989 \r
1990 \r
1991 \r
1992 \r
1993 Dierks & Rescorla Standards Track [Page 31] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
1994 \r
1995 \r
1996 \r
1997 point. This message is always a warning.\r
1998 \r
1999 \r
2000 For all errors where an alert level is not explicitly specified, the |\r
2001 sending party MAY determine at its discretion whether this is a fatal\r
2002 error or not; if an alert with a level of warning is received, the\r
2003 \r
2004 \r
2005 \r
2006 \r
2007 \r
2008 \r
2009 \r
2010 \r
2011 \r
2012 \r
2013 \r
2014 \r
2015 \r
2016 \r
2017 \r
2018 \r
2019 \r
2020 \r
2021 \r
2022 \r
2023 \r
2024 \r
2025 \r
2026 \r
2027 \r
2028 \r
2029 \r
2030 \r
2031 \r
2032 \r
2033 \r
2034 \r
2035 \r
2036 \r
2037 \r
2038 \r
2039 \r
2040 \r
2041 \r
2042 \r
2043 \r
2044 \r
2045 \r
2046 \r
2047 \r
2048 \r
2049 \r
2050 Dierks & Rescorla Standards Track [Page 32] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2051 \r
2052 \r
2053 \r
2054 receiving party MAY decide at its discretion whether to treat this as |\r
2055 a fatal error or not. However, all messages which are transmitted |\r
2056 with a level of fatal MUST be treated as fatal messages.\r
2057 \r
2058 \r
2059 7.3. Handshake Protocol overview\r
2060 \r
2061 \r
2062 The cryptographic parameters of the session state are produced by the\r
2063 TLS Handshake Protocol, which operates on top of the TLS Record\r
2064 Layer. When a TLS client and server first start communicating, they\r
2065 agree on a protocol version, select cryptographic algorithms,\r
2066 optionally authenticate each other, and use public-key encryption\r
2067 techniques to generate shared secrets.\r
2068 \r
2069 \r
2070 The TLS Handshake Protocol involves the following steps:\r
2071 \r
2072 \r
2073 - - Exchange hello messages to agree on algorithms, exchange random\r
2074 values, and check for session resumption.\r
2075 \r
2076 \r
2077 - - Exchange the necessary cryptographic parameters to allow the\r
2078 client and server to agree on a premaster secret.\r
2079 \r
2080 \r
2081 - - Exchange certificates and cryptographic information to allow\r
2082 the client and server to authenticate themselves.\r
2083 \r
2084 \r
2085 - - Generate a master secret from the premaster secret and\r
2086 exchanged random values.\r
2087 \r
2088 \r
2089 - - Provide security parameters to the record layer.\r
2090 \r
2091 \r
2092 - - Allow the client and server to verify that their peer has\r
2093 calculated the same security parameters and that the handshake\r
2094 occurred without tampering by an attacker.\r
2095 \r
2096 \r
2097 Note that higher layers should not be overly reliant on TLS always\r
2098 negotiating the strongest possible connection between two peers:\r
2099 there are a number of ways a man in the middle attacker can attempt\r
2100 to make two entities drop down to the least secure method they\r
2101 support. The protocol has been designed to minimize this risk, but\r
2102 there are still attacks available: for example, an attacker could\r
2103 block access to the port a secure service runs on, or attempt to get\r
2104 the peers to negotiate an unauthenticated connection. The fundamental\r
2105 rule is that higher levels must be cognizant of what their security\r
2106 requirements are and never transmit information over a channel less\r
2107 secure than what they require. The TLS protocol is secure, in that\r
2108 any cipher suite offers its promised level of security: if you\r
2109 negotiate 3DES with a 1024 bit RSA key exchange with a host whose\r
2110 certificate you have verified, you can expect to be that secure.\r
2111 \r
2112 \r
2113 \r
2114 \r
2115 \r
2116 Dierks & Rescorla Standards Track [Page 33] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2117 \r
2118 \r
2119 \r
2120 However, you SHOULD never send data over a link encrypted with 40 bit |\r
2121 security unless you feel that data is worth no more than the effort\r
2122 required to break that encryption.\r
2123 \r
2124 \r
2125 These goals are achieved by the handshake protocol, which can be\r
2126 summarized as follows: The client sends a client hello message to\r
2127 which the server must respond with a server hello message, or else a\r
2128 fatal error will occur and the connection will fail. The client hello\r
2129 and server hello are used to establish security enhancement\r
2130 capabilities between client and server. The client hello and server\r
2131 hello establish the following attributes: Protocol Version, Session\r
2132 ID, Cipher Suite, and Compression Method. Additionally, two random\r
2133 values are generated and exchanged: ClientHello.random and\r
2134 ServerHello.random.\r
2135 \r
2136 \r
2137 The actual key exchange uses up to four messages: the server\r
2138 certificate, the server key exchange, the client certificate, and the\r
2139 client key exchange. New key exchange methods can be created by\r
2140 specifying a format for these messages and defining the use of the\r
2141 messages to allow the client and server to agree upon a shared |\r
2142 secret. This secret MUST be quite long; currently defined key\r
2143 exchange methods exchange secrets which range from 48 to 128 bytes in\r
2144 length.\r
2145 \r
2146 \r
2147 Following the hello messages, the server will send its certificate,\r
2148 if it is to be authenticated. Additionally, a server key exchange\r
2149 message may be sent, if it is required (e.g. if their server has no\r
2150 certificate, or if its certificate is for signing only). If the\r
2151 server is authenticated, it may request a certificate from the\r
2152 client, if that is appropriate to the cipher suite selected. Now the\r
2153 server will send the server hello done message, indicating that the\r
2154 hello-message phase of the handshake is complete. The server will\r
2155 then wait for a client response. If the server has sent a certificate\r
2156 request message, the client must send the certificate message. The\r
2157 client key exchange message is now sent, and the content of that\r
2158 message will depend on the public key algorithm selected between the\r
2159 client hello and the server hello. If the client has sent a\r
2160 certificate with signing ability, a digitally-signed certificate\r
2161 verify message is sent to explicitly verify the certificate.\r
2162 \r
2163 \r
2164 At this point, a change cipher spec message is sent by the client,\r
2165 and the client copies the pending Cipher Spec into the current Cipher\r
2166 Spec. The client then immediately sends the finished message under\r
2167 the new algorithms, keys, and secrets. In response, the server will\r
2168 send its own change cipher spec message, transfer the pending to the\r
2169 current Cipher Spec, and send its finished message under the new\r
2170 \r
2171 \r
2172 \r
2173 \r
2174 \r
2175 \r
2176 Dierks & Rescorla Standards Track [Page 34] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2177 \r
2178 \r
2179 \r
2180 Cipher Spec. At this point, the handshake is complete and the client\r
2181 and server may begin to exchange application layer data. (See flow\r
2182 chart below.)\r
2183 \r
2184 \r
2185 Client Server\r
2186 \r
2187 \r
2188 ClientHello -------->\r
2189 ServerHello\r
2190 Certificate*\r
2191 ServerKeyExchange*\r
2192 CertificateRequest*\r
2193 <-------- ServerHelloDone\r
2194 Certificate*\r
2195 ClientKeyExchange\r
2196 CertificateVerify*\r
2197 [ChangeCipherSpec]\r
2198 Finished -------->\r
2199 [ChangeCipherSpec]\r
2200 <-------- Finished\r
2201 Application Data <-------> Application Data\r
2202 \r
2203 \r
2204 Fig. 1 - Message flow for a full handshake\r
2205 \r
2206 \r
2207 * Indicates optional or situation-dependent messages that are not\r
2208 always sent.\r
2209 \r
2210 \r
2211 Note: To help avoid pipeline stalls, ChangeCipherSpec is an\r
2212 independent TLS Protocol content type, and is not actually a TLS\r
2213 handshake message.\r
2214 \r
2215 \r
2216 When the client and server decide to resume a previous session or\r
2217 duplicate an existing session (instead of negotiating new security\r
2218 parameters) the message flow is as follows:\r
2219 \r
2220 \r
2221 The client sends a ClientHello using the Session ID of the session to\r
2222 be resumed. The server then checks its session cache for a match. If\r
2223 a match is found, and the server is willing to re-establish the\r
2224 connection under the specified session state, it will send a\r
2225 ServerHello with the same Session ID value. At this point, both |\r
2226 client and server MUST send change cipher spec messages and proceed\r
2227 directly to finished messages. Once the re-establishment is complete, |\r
2228 the client and server MAY begin to exchange application layer data.\r
2229 (See flow chart below.) If a Session ID match is not found, the\r
2230 server generates a new session ID and the TLS client and server\r
2231 perform a full handshake.\r
2232 \r
2233 \r
2234 \r
2235 \r
2236 \r
2237 \r
2238 \r
2239 Dierks & Rescorla Standards Track [Page 35] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2240 \r
2241 \r
2242 \r
2243 Client Server\r
2244 \r
2245 \r
2246 ClientHello -------->\r
2247 ServerHello\r
2248 [ChangeCipherSpec]\r
2249 <-------- Finished\r
2250 [ChangeCipherSpec]\r
2251 Finished -------->\r
2252 Application Data <-------> Application Data\r
2253 \r
2254 \r
2255 Fig. 2 - Message flow for an abbreviated handshake\r
2256 \r
2257 \r
2258 The contents and significance of each message will be presented in\r
2259 detail in the following sections.\r
2260 \r
2261 \r
2262 7.4. Handshake protocol\r
2263 \r
2264 \r
2265 The TLS Handshake Protocol is one of the defined higher level clients\r
2266 of the TLS Record Protocol. This protocol is used to negotiate the\r
2267 secure attributes of a session. Handshake messages are supplied to\r
2268 the TLS Record Layer, where they are encapsulated within one or more\r
2269 TLSPlaintext structures, which are processed and transmitted as\r
2270 specified by the current active session state.\r
2271 \r
2272 \r
2273 enum {\r
2274 hello_request(0), client_hello(1), server_hello(2),\r
2275 certificate(11), server_key_exchange (12),\r
2276 certificate_request(13), server_hello_done(14),\r
2277 certificate_verify(15), client_key_exchange(16),\r
2278 finished(20), (255)\r
2279 } HandshakeType;\r
2280 \r
2281 \r
2282 struct {\r
2283 HandshakeType msg_type; /* handshake type */\r
2284 uint24 length; /* bytes in message */\r
2285 select (HandshakeType) {\r
2286 case hello_request: HelloRequest;\r
2287 case client_hello: ClientHello;\r
2288 case server_hello: ServerHello;\r
2289 case certificate: Certificate;\r
2290 case server_key_exchange: ServerKeyExchange;\r
2291 case certificate_request: CertificateRequest;\r
2292 case server_hello_done: ServerHelloDone;\r
2293 case certificate_verify: CertificateVerify;\r
2294 case client_key_exchange: ClientKeyExchange;\r
2295 case finished: Finished;\r
2296 } body;\r
2297 } Handshake;\r
2298 \r
2299 \r
2300 \r
2301 \r
2302 Dierks & Rescorla Standards Track [Page 36] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2303 \r
2304 \r
2305 \r
2306 The handshake protocol messages are presented below in the order they |\r
2307 MUST be sent; sending handshake messages in an unexpected order\r
2308 results in a fatal error. Unneeded handshake messages can be omitted,\r
2309 however. Note one exception to the ordering: the Certificate message\r
2310 is used twice in the handshake (from server to client, then from\r
2311 client to server), but described only in its first position. The one\r
2312 message which is not bound by these ordering rules is the Hello |\r
2313 Request message, which can be sent at any time, but which should be\r
2314 ignored by the client if it arrives in the middle of a handshake.\r
2315 \r
2316 \r
2317 7.4.1. Hello messages\r
2318 \r
2319 \r
2320 The hello phase messages are used to exchange security enhancement\r
2321 capabilities between the client and server. When a new session\r
2322 begins, the Record Layer's connection state encryption, hash, and\r
2323 compression algorithms are initialized to null. The current\r
2324 connection state is used for renegotiation messages.\r
2325 \r
2326 \r
2327 7.4.1.1. Hello request\r
2328 \r
2329 \r
2330 When this message will be sent:\r
2331 The hello request message MAY be sent by the server at any time. |\r
2332 \r
2333 \r
2334 Meaning of this message:\r
2335 Hello request is a simple notification that the client should\r
2336 begin the negotiation process anew by sending a client hello\r
2337 message when convenient. This message will be ignored by the\r
2338 client if the client is currently negotiating a session. This\r
2339 message may be ignored by the client if it does not wish to\r
2340 renegotiate a session, or the client may, if it wishes, respond\r
2341 with a no_renegotiation alert. Since handshake messages are\r
2342 intended to have transmission precedence over application data,\r
2343 it is expected that the negotiation will begin before no more\r
2344 than a few records are received from the client. If the server\r
2345 sends a hello request but does not receive a client hello in\r
2346 response, it may close the connection with a fatal alert.\r
2347 \r
2348 \r
2349 After sending a hello request, servers SHOULD not repeat the request |\r
2350 until the subsequent handshake negotiation is complete.\r
2351 \r
2352 \r
2353 Structure of this message:\r
2354 struct { } HelloRequest;\r
2355 \r
2356 \r
2357 Note: This message MUST NOT be included in the message hashes which are |\r
2358 maintained throughout the handshake and used in the finished\r
2359 messages and the certificate verify message.\r
2360 \r
2361 \r
2362 \r
2363 \r
2364 \r
2365 \r
2366 Dierks & Rescorla Standards Track [Page 37] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2367 \r
2368 \r
2369 \r
2370 7.4.1.2. Client hello\r
2371 \r
2372 \r
2373 When this message will be sent:\r
2374 When a client first connects to a server it is required to send\r
2375 the client hello as its first message. The client can also send a\r
2376 client hello in response to a hello request or on its own\r
2377 initiative in order to renegotiate the security parameters in an\r
2378 existing connection.\r
2379 \r
2380 \r
2381 Structure of this message:\r
2382 The client hello message includes a random structure, which is\r
2383 used later in the protocol.\r
2384 \r
2385 \r
2386 struct {\r
2387 uint32 gmt_unix_time;\r
2388 opaque random_bytes[28];\r
2389 } Random;\r
2390 \r
2391 \r
2392 gmt_unix_time\r
2393 The current time and date in standard UNIX 32-bit format (seconds\r
2394 since the midnight starting Jan 1, 1970, GMT) according to the\r
2395 sender's internal clock. Clocks are not required to be set\r
2396 correctly by the basic TLS Protocol; higher level or application\r
2397 protocols may define additional requirements.\r
2398 \r
2399 \r
2400 random_bytes\r
2401 28 bytes generated by a secure random number generator.\r
2402 \r
2403 \r
2404 The client hello message includes a variable length session |\r
2405 identifier. If not empty, the value identifies a session between the\r
2406 same client and server whose security parameters the client wishes to |\r
2407 reuse. The session identifier MAY be from an earlier connection, this\r
2408 connection, or another currently active connection. The second option\r
2409 is useful if the client only wishes to update the random structures\r
2410 and derived values of a connection, while the third option makes it\r
2411 possible to establish several independent secure connections without\r
2412 repeating the full handshake protocol. These independent connections\r
2413 may occur sequentially or simultaneously; a SessionID becomes valid\r
2414 when the handshake negotiating it completes with the exchange of\r
2415 Finished messages and persists until removed due to aging or because\r
2416 a fatal error was encountered on a connection associated with the\r
2417 session. The actual contents of the SessionID are defined by the\r
2418 server.\r
2419 \r
2420 \r
2421 opaque SessionID<0..32>;\r
2422 \r
2423 \r
2424 \r
2425 \r
2426 \r
2427 \r
2428 \r
2429 Dierks & Rescorla Standards Track [Page 38] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2430 \r
2431 \r
2432 \r
2433 Warning:\r
2434 Because the SessionID is transmitted without encryption or |\r
2435 immediate MAC protection, servers MUST not place confidential\r
2436 information in session identifiers or let the contents of fake\r
2437 session identifiers cause any breach of security. (Note that the\r
2438 content of the handshake as a whole, including the SessionID, is\r
2439 protected by the Finished messages exchanged at the end of the\r
2440 handshake.)\r
2441 \r
2442 \r
2443 The CipherSuite list, passed from the client to the server in the |\r
2444 client hello message, contains the combinations of cryptographic\r
2445 algorithms supported by the client in order of the client's\r
2446 preference (favorite choice first). Each CipherSuite defines a key\r
2447 exchange algorithm, a bulk encryption algorithm (including secret key\r
2448 length) and a MAC algorithm. The server will select a cipher suite\r
2449 or, if no acceptable choices are presented, return a handshake\r
2450 failure alert and close the connection.\r
2451 \r
2452 \r
2453 uint8 CipherSuite[2]; /* Cryptographic suite selector */\r
2454 \r
2455 \r
2456 The client hello includes a list of compression algorithms supported\r
2457 by the client, ordered according to the client's preference.\r
2458 \r
2459 \r
2460 enum { null(0), (255) } CompressionMethod;\r
2461 \r
2462 \r
2463 struct {\r
2464 ProtocolVersion client_version;\r
2465 Random random;\r
2466 SessionID session_id;\r
2467 CipherSuite cipher_suites<2..2^16-1>;\r
2468 CompressionMethod compression_methods<1..2^8-1>;\r
2469 } ClientHello;\r
2470 \r
2471 \r
2472 client_version\r
2473 The version of the TLS protocol by which the client wishes to |\r
2474 communicate during this session. This SHOULD be the latest\r
2475 (highest valued) version supported by the client. For this |\r
2476 version of the specification, the version will be 3.2 (See\r
2477 Appendix E for details about backward compatibility).\r
2478 \r
2479 \r
2480 random\r
2481 A client-generated random structure.\r
2482 \r
2483 \r
2484 session_id\r
2485 The ID of a session the client wishes to use for this connection.\r
2486 This field should be empty if no session_id is available or the\r
2487 client wishes to generate new security parameters.\r
2488 \r
2489 \r
2490 \r
2491 \r
2492 \r
2493 Dierks & Rescorla Standards Track [Page 39] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2494 \r
2495 \r
2496 \r
2497 cipher_suites\r
2498 This is a list of the cryptographic options supported by the\r
2499 client, with the client's first preference first. If the\r
2500 session_id field is not empty (implying a session resumption |\r
2501 request) this vector MUST include at least the cipher_suite from\r
2502 that session. Values are defined in Appendix A.5.\r
2503 \r
2504 \r
2505 compression_methods\r
2506 This is a list of the compression methods supported by the\r
2507 client, sorted by client preference. If the session_id field is\r
2508 not empty (implying a session resumption request) it must include\r
2509 the compression_method from that session. This vector must\r
2510 contain, and all implementations must support,\r
2511 CompressionMethod.null. Thus, a client and server will always be\r
2512 able to agree on a compression method.\r
2513 \r
2514 \r
2515 After sending the client hello message, the client waits for a server\r
2516 hello message. Any other handshake message returned by the server\r
2517 except for a hello request is treated as a fatal error.\r
2518 \r
2519 \r
2520 Forward compatibility note:\r
2521 In the interests of forward compatibility, it is permitted for a\r
2522 client hello message to include extra data after the compression |\r
2523 methods. This data MUST be included in the handshake hashes, but\r
2524 must otherwise be ignored. This is the only handshake message for\r
2525 which this is legal; for all other messages, the amount of data |\r
2526 in the message MUST match the description of the message\r
2527 precisely.\r
2528 \r
2529 \r
2530 Note: For the intended use of trailing data in the ClientHello, see RFC |\r
2531 3546 [TLSEXT]. |\r
2532 \r
2533 \r
2534 7.4.1.3. Server hello\r
2535 \r
2536 \r
2537 When this message will be sent:\r
2538 The server will send this message in response to a client hello\r
2539 message when it was able to find an acceptable set of algorithms.\r
2540 If it cannot find such a match, it will respond with a handshake\r
2541 failure alert.\r
2542 \r
2543 \r
2544 Structure of this message:\r
2545 struct {\r
2546 ProtocolVersion server_version;\r
2547 Random random;\r
2548 SessionID session_id;\r
2549 CipherSuite cipher_suite;\r
2550 CompressionMethod compression_method;\r
2551 } ServerHello;\r
2552 \r
2553 \r
2554 \r
2555 \r
2556 Dierks & Rescorla Standards Track [Page 40] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2557 \r
2558 \r
2559 \r
2560 server_version\r
2561 This field will contain the lower of that suggested by the client\r
2562 in the client hello and the highest supported by the server. For\r
2563 this version of the specification, the version is 3.2 (See |\r
2564 Appendix E for details about backward compatibility).\r
2565 \r
2566 \r
2567 random\r
2568 This structure is generated by the server and MUST be |\r
2569 independently generated from the ClientHello.random.\r
2570 \r
2571 \r
2572 session_id\r
2573 This is the identity of the session corresponding to this\r
2574 connection. If the ClientHello.session_id was non-empty, the\r
2575 server will look in its session cache for a match. If a match is\r
2576 found and the server is willing to establish the new connection\r
2577 using the specified session state, the server will respond with\r
2578 the same value as was supplied by the client. This indicates a\r
2579 resumed session and dictates that the parties must proceed\r
2580 directly to the finished messages. Otherwise this field will\r
2581 contain a different value identifying the new session. The server\r
2582 may return an empty session_id to indicate that the session will\r
2583 not be cached and therefore cannot be resumed. If a session is\r
2584 resumed, it must be resumed using the same cipher suite it was\r
2585 originally negotiated with.\r
2586 \r
2587 \r
2588 cipher_suite\r
2589 The single cipher suite selected by the server from the list in\r
2590 ClientHello.cipher_suites. For resumed sessions this field is the\r
2591 value from the state of the session being resumed.\r
2592 \r
2593 \r
2594 compression_method |\r
2595 The single compression algorithm selected by the server from the\r
2596 list in ClientHello.compression_methods. For resumed sessions\r
2597 this field is the value from the resumed session state.\r
2598 \r
2599 \r
2600 7.4.2. Server certificate\r
2601 \r
2602 \r
2603 When this message will be sent:\r
2604 The server MUST send a certificate whenever the agreed-upon key |\r
2605 exchange method is not an anonymous one. This message will always\r
2606 immediately follow the server hello message.\r
2607 \r
2608 \r
2609 Meaning of this message:\r
2610 The certificate type MUST be appropriate for the selected cipher |\r
2611 suite's key exchange algorithm, and is generally an X.509v3 |\r
2612 certificate. It MUST contain a key which matches the key exchange\r
2613 method, as follows. Unless otherwise specified, the signing\r
2614 \r
2615 \r
2616 \r
2617 \r
2618 \r
2619 Dierks & Rescorla Standards Track [Page 41] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2620 \r
2621 \r
2622 \r
2623 algorithm for the certificate MUST be the same as the algorithm |\r
2624 for the certificate key. Unless otherwise specified, the public |\r
2625 key MAY be of any length.\r
2626 \r
2627 \r
2628 Key Exchange Algorithm Certificate Key Type\r
2629 \r
2630 \r
2631 RSA RSA public key; the certificate MUST |\r
2632 allow the key to be used for encryption.\r
2633 \r
2634 \r
2635 RSA_EXPORT RSA public key of length greater than\r
2636 512 bits which can be used for signing,\r
2637 or a key of 512 bits or shorter which\r
2638 can be used for encryption. |\r
2639 \r
2640 \r
2641 DHE_DSS DSS public key.\r
2642 \r
2643 \r
2644 DHE_DSS_EXPORT DSS public key.\r
2645 \r
2646 \r
2647 DHE_RSA RSA public key which can be used for\r
2648 signing.\r
2649 \r
2650 \r
2651 DHE_RSA_EXPORT RSA public key which can be used for\r
2652 signing.\r
2653 \r
2654 \r
2655 DH_DSS Diffie-Hellman key. The algorithm used\r
2656 to sign the certificate MUST be DSS. |\r
2657 \r
2658 \r
2659 DH_RSA Diffie-Hellman key. The algorithm used\r
2660 to sign the certificate MUST be RSA. |\r
2661 \r
2662 \r
2663 All certificate profiles, key and cryptographic formats are defined\r
2664 by the IETF PKIX working group [PKIX]. When a key usage extension is |\r
2665 present, the digitalSignature bit MUST be set for the key to be\r
2666 eligible for signing, as described above, and the keyEncipherment bit |\r
2667 MUST be present to allow encryption, as described above. The\r
2668 keyAgreement bit must be set on Diffie-Hellman certificates.\r
2669 \r
2670 \r
2671 As CipherSuites which specify new key exchange methods are specified\r
2672 for the TLS Protocol, they will imply certificate format and the\r
2673 required encoded keying information.\r
2674 \r
2675 \r
2676 Structure of this message:\r
2677 opaque ASN.1Cert<1..2^24-1>;\r
2678 \r
2679 \r
2680 struct {\r
2681 ASN.1Cert certificate_list<0..2^24-1>;\r
2682 } Certificate;\r
2683 \r
2684 \r
2685 \r
2686 \r
2687 \r
2688 Dierks & Rescorla Standards Track [Page 42] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2689 \r
2690 \r
2691 \r
2692 certificate_list\r
2693 This is a sequence (chain) of X.509v3 certificates. The sender's\r
2694 certificate must come first in the list. Each following\r
2695 certificate must directly certify the one preceding it. Because\r
2696 certificate validation requires that root keys be distributed\r
2697 independently, the self-signed certificate which specifies the\r
2698 root certificate authority may optionally be omitted from the\r
2699 chain, under the assumption that the remote end must already\r
2700 possess it in order to validate it in any case.\r
2701 \r
2702 \r
2703 The same message type and structure will be used for the client's |\r
2704 response to a certificate request message. Note that a client MAY\r
2705 send no certificates if it does not have an appropriate certificate\r
2706 to send in response to the server's authentication request.\r
2707 \r
2708 \r
2709 Note: PKCS #7 [PKCS7] is not used as the format for the certificate\r
2710 vector because PKCS #6 [PKCS6] extended certificates are not\r
2711 used. Also PKCS #7 defines a SET rather than a SEQUENCE, making\r
2712 the task of parsing the list more difficult.\r
2713 \r
2714 \r
2715 7.4.3. Server key exchange message\r
2716 \r
2717 \r
2718 When this message will be sent:\r
2719 This message will be sent immediately after the server\r
2720 certificate message (or the server hello message, if this is an\r
2721 anonymous negotiation).\r
2722 \r
2723 \r
2724 The server key exchange message is sent by the server only when\r
2725 the server certificate message (if sent) does not contain enough\r
2726 data to allow the client to exchange a premaster secret. This is\r
2727 true for the following key exchange methods:\r
2728 \r
2729 \r
2730 RSA_EXPORT (if the public key in the server certificate is\r
2731 longer than 512 bits)\r
2732 DHE_DSS\r
2733 DHE_DSS_EXPORT\r
2734 DHE_RSA\r
2735 DHE_RSA_EXPORT\r
2736 DH_anon\r
2737 \r
2738 \r
2739 It is not legal to send the server key exchange message for the\r
2740 following key exchange methods:\r
2741 \r
2742 \r
2743 RSA\r
2744 RSA_EXPORT (when the public key in the server certificate is\r
2745 less than or equal to 512 bits in length)\r
2746 DH_DSS\r
2747 DH_RSA\r
2748 \r
2749 \r
2750 \r
2751 \r
2752 Dierks & Rescorla Standards Track [Page 43] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2753 \r
2754 \r
2755 \r
2756 Meaning of this message:\r
2757 This message conveys cryptographic information to allow the\r
2758 client to communicate the premaster secret: either an RSA public\r
2759 key to encrypt the premaster secret with, or a Diffie-Hellman\r
2760 public key with which the client can complete a key exchange\r
2761 (with the result being the premaster secret.)\r
2762 \r
2763 \r
2764 As additional CipherSuites are defined for TLS which include new key |\r
2765 exchange algorithms, the server key exchange message will be sent if\r
2766 and only if the certificate type associated with the key exchange\r
2767 algorithm does not provide enough information for the client to\r
2768 exchange a premaster secret.\r
2769 \r
2770 \r
2771 Note: According to current US export law, RSA moduli larger than 512\r
2772 bits may not be used for key exchange in software exported from\r
2773 the US. With this message, the larger RSA keys encoded in\r
2774 certificates may be used to sign temporary shorter RSA keys for\r
2775 the RSA_EXPORT key exchange method.\r
2776 \r
2777 \r
2778 Structure of this message:\r
2779 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;\r
2780 \r
2781 \r
2782 struct {\r
2783 opaque rsa_modulus<1..2^16-1>;\r
2784 opaque rsa_exponent<1..2^16-1>;\r
2785 } ServerRSAParams;\r
2786 \r
2787 \r
2788 rsa_modulus\r
2789 The modulus of the server's temporary RSA key.\r
2790 \r
2791 \r
2792 rsa_exponent\r
2793 The public exponent of the server's temporary RSA key.\r
2794 \r
2795 \r
2796 struct {\r
2797 opaque dh_p<1..2^16-1>;\r
2798 opaque dh_g<1..2^16-1>;\r
2799 opaque dh_Ys<1..2^16-1>;\r
2800 } ServerDHParams; /* Ephemeral DH parameters */\r
2801 \r
2802 \r
2803 dh_p\r
2804 The prime modulus used for the Diffie-Hellman operation.\r
2805 \r
2806 \r
2807 dh_g\r
2808 The generator used for the Diffie-Hellman operation.\r
2809 \r
2810 \r
2811 dh_Ys\r
2812 The server's Diffie-Hellman public value (g^X mod p).\r
2813 \r
2814 \r
2815 \r
2816 \r
2817 \r
2818 Dierks & Rescorla Standards Track [Page 44] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2819 \r
2820 \r
2821 \r
2822 struct {\r
2823 select (KeyExchangeAlgorithm) {\r
2824 case diffie_hellman:\r
2825 ServerDHParams params;\r
2826 Signature signed_params;\r
2827 case rsa:\r
2828 ServerRSAParams params;\r
2829 Signature signed_params;\r
2830 };\r
2831 } ServerKeyExchange;\r
2832 \r
2833 \r
2834 struct { |\r
2835 select (KeyExchangeAlgorithm) { |\r
2836 case diffie_hellman: |\r
2837 ServerDHParams params; |\r
2838 case rsa: |\r
2839 ServerRSAParams params; |\r
2840 }; |\r
2841 } ServerParams; |\r
2842 \r
2843 \r
2844 params\r
2845 The server's key exchange parameters.\r
2846 \r
2847 \r
2848 signed_params\r
2849 For non-anonymous key exchanges, a hash of the corresponding\r
2850 params value, with the signature appropriate to that hash\r
2851 applied.\r
2852 \r
2853 \r
2854 md5_hash\r
2855 MD5(ClientHello.random + ServerHello.random + ServerParams);\r
2856 \r
2857 \r
2858 sha_hash\r
2859 SHA(ClientHello.random + ServerHello.random + ServerParams);\r
2860 \r
2861 \r
2862 enum { anonymous, rsa, dsa } SignatureAlgorithm;\r
2863 \r
2864 \r
2865 \r
2866 select (SignatureAlgorithm) |\r
2867 { |\r
2868 case anonymous: struct { }; |\r
2869 case rsa:\r
2870 digitally-signed struct {\r
2871 opaque md5_hash[16];\r
2872 opaque sha_hash[20];\r
2873 };\r
2874 case dsa:\r
2875 digitally-signed struct {\r
2876 opaque sha_hash[20];\r
2877 \r
2878 \r
2879 \r
2880 \r
2881 Dierks & Rescorla Standards Track [Page 45] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2882 \r
2883 \r
2884 \r
2885 };\r
2886 } Signature;\r
2887 \r
2888 \r
2889 7.4.4. Certificate request\r
2890 \r
2891 \r
2892 When this message will be sent:\r
2893 A non-anonymous server can optionally request a certificate from\r
2894 the client, if appropriate for the selected cipher suite. This\r
2895 message, if sent, will immediately follow the Server Key Exchange\r
2896 message (if it is sent; otherwise, the Server Certificate\r
2897 message).\r
2898 \r
2899 \r
2900 Structure of this message:\r
2901 enum {\r
2902 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),\r
2903 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), |\r
2904 fortezza_dms_RESERVED(20), |\r
2905 (255)\r
2906 } ClientCertificateType;\r
2907 \r
2908 \r
2909 opaque DistinguishedName<1..2^16-1>;\r
2910 \r
2911 \r
2912 struct {\r
2913 ClientCertificateType certificate_types<1..2^8-1>;\r
2914 DistinguishedName certificate_authorities<0..2^16-1>; |\r
2915 } CertificateRequest;\r
2916 \r
2917 \r
2918 certificate_types\r
2919 This field is a list of the types of certificates requested, |\r
2920 sorted in order of the server's preference. |\r
2921 \r
2922 \r
2923 certificate_authorities\r
2924 A list of the distinguished names of acceptable certificate\r
2925 authorities. These distinguished names may specify a desired\r
2926 distinguished name for a root CA or for a subordinate CA;\r
2927 thus, this message can be used both to describe known roots |\r
2928 and a desired authorization space. If the |\r
2929 certificate_authorities list is empty then the client MAY |\r
2930 send any certificate of the appropriate |\r
2931 ClientCertificateType, unless there is some external |\r
2932 arrangement to the contrary. |\r
2933 \r
2934 \r
2935 \r
2936 Note: Values listed as RESERVED may not be used. They were used in |\r
2937 SSLv3.\r
2938 \r
2939 \r
2940 Note: DistinguishedName is derived from [X509].\r
2941 \r
2942 \r
2943 \r
2944 \r
2945 \r
2946 Dierks & Rescorla Standards Track [Page 46] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
2947 \r
2948 \r
2949 \r
2950 Note: It is a fatal handshake_failure alert for an anonymous server to\r
2951 request client authentication. |\r
2952 \r
2953 \r
2954 7.4.5. Server hello done\r
2955 \r
2956 \r
2957 When this message will be sent:\r
2958 The server hello done message is sent by the server to indicate\r
2959 the end of the server hello and associated messages. After\r
2960 sending this message the server will wait for a client response.\r
2961 \r
2962 \r
2963 Meaning of this message:\r
2964 This message means that the server is done sending messages to\r
2965 support the key exchange, and the client can proceed with its\r
2966 phase of the key exchange.\r
2967 \r
2968 \r
2969 Upon receipt of the server hello done message the client SHOULD |\r
2970 verify that the server provided a valid certificate if required\r
2971 and check that the server hello parameters are acceptable.\r
2972 \r
2973 \r
2974 Structure of this message:\r
2975 struct { } ServerHelloDone;\r
2976 \r
2977 \r
2978 7.4.6. Client certificate\r
2979 \r
2980 \r
2981 When this message will be sent:\r
2982 This is the first message the client can send after receiving a\r
2983 server hello done message. This message is only sent if the\r
2984 server requests a certificate. If no suitable certificate is\r
2985 available, the client should send a certificate message |\r
2986 containing no certificates: I.e. the certificate_list structure |\r
2987 should have a length of zero. If client authentication is |\r
2988 required by the server for the handshake to continue, it may\r
2989 respond with a fatal handshake failure alert. Client certificates\r
2990 are sent using the Certificate structure defined in Section\r
2991 7.4.2.\r
2992 \r
2993 \r
2994 \r
2995 Note: When using a static Diffie-Hellman based key exchange method |\r
2996 (DH_DSS or DH_RSA), if client authentication is requested, the\r
2997 Diffie-Hellman group and generator encoded in the client's\r
2998 certificate must match the server specified Diffie-Hellman\r
2999 parameters if the client's parameters are to be used for the key\r
3000 exchange.\r
3001 \r
3002 \r
3003 7.4.7. Client key exchange message\r
3004 \r
3005 \r
3006 When this message will be sent:\r
3007 This message is always sent by the client. It will immediately\r
3008 \r
3009 \r
3010 \r
3011 \r
3012 Dierks & Rescorla Standards Track [Page 47] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3013 \r
3014 \r
3015 \r
3016 follow the client certificate message, if it is sent. Otherwise\r
3017 it will be the first message sent by the client after it receives\r
3018 the server hello done message.\r
3019 \r
3020 \r
3021 Meaning of this message:\r
3022 With this message, the premaster secret is set, either though\r
3023 direct transmission of the RSA-encrypted secret, or by the\r
3024 transmission of Diffie-Hellman parameters which will allow each\r
3025 side to agree upon the same premaster secret. When the key\r
3026 exchange method is DH_RSA or DH_DSS, client certification has\r
3027 been requested, and the client was able to respond with a\r
3028 certificate which contained a Diffie-Hellman public key whose\r
3029 parameters (group and generator) matched those specified by the |\r
3030 server in its certificate, this message MUST not contain any\r
3031 data.\r
3032 \r
3033 \r
3034 Structure of this message:\r
3035 The choice of messages depends on which key exchange method has\r
3036 been selected. See Section 7.4.3 for the KeyExchangeAlgorithm\r
3037 definition.\r
3038 \r
3039 \r
3040 struct {\r
3041 select (KeyExchangeAlgorithm) {\r
3042 case rsa: EncryptedPreMasterSecret;\r
3043 case diffie_hellman: ClientDiffieHellmanPublic;\r
3044 } exchange_keys;\r
3045 } ClientKeyExchange;\r
3046 \r
3047 \r
3048 7.4.7.1. RSA encrypted premaster secret message\r
3049 \r
3050 \r
3051 Meaning of this message:\r
3052 If RSA is being used for key agreement and authentication, the\r
3053 client generates a 48-byte premaster secret, encrypts it using\r
3054 the public key from the server's certificate or the temporary RSA\r
3055 key provided in a server key exchange message, and sends the\r
3056 result in an encrypted premaster secret message. This structure\r
3057 is a variant of the client key exchange message, not a message in\r
3058 itself.\r
3059 \r
3060 \r
3061 Structure of this message:\r
3062 struct {\r
3063 ProtocolVersion client_version;\r
3064 opaque random[46];\r
3065 } PreMasterSecret;\r
3066 \r
3067 \r
3068 client_version\r
3069 The latest (newest) version supported by the client. This is\r
3070 used to detect version roll-back attacks. Upon receiving the |\r
3071 \r
3072 \r
3073 \r
3074 \r
3075 Dierks & Rescorla Standards Track [Page 48] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3076 \r
3077 \r
3078 \r
3079 premaster secret, the server SHOULD check that this value\r
3080 matches the value transmitted by the client in the client\r
3081 hello message.\r
3082 \r
3083 \r
3084 random\r
3085 46 securely-generated random bytes.\r
3086 \r
3087 \r
3088 struct {\r
3089 public-key-encrypted PreMasterSecret pre_master_secret;\r
3090 } EncryptedPreMasterSecret;\r
3091 \r
3092 \r
3093 pre_master_secret |\r
3094 This random value is generated by the client and is used to |\r
3095 generate the master secret, as specified in Section 8.1. |\r
3096 \r
3097 \r
3098 Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used\r
3099 to attack a TLS server which is using PKCS#1 encoded RSA. The\r
3100 attack takes advantage of the fact that by failing in different\r
3101 ways, a TLS server can be coerced into revealing whether a\r
3102 particular message, when decrypted, is properly PKCS#1 formatted\r
3103 or not.\r
3104 \r
3105 \r
3106 The best way to avoid vulnerability to this attack is to treat\r
3107 incorrectly formatted messages in a manner indistinguishable from\r
3108 correctly formatted RSA blocks. Thus, when it receives an\r
3109 incorrectly formatted RSA block, a server should generate a\r
3110 random 48-byte value and proceed using it as the premaster\r
3111 secret. Thus, the server will act identically whether the |\r
3112 received RSA block is correctly encoded or not. |\r
3113 \r
3114 \r
3115 Implementation Note: public-key-encrypted data is represented as an |\r
3116 opaque vector <0..2^16-1> (see S. 4.7). Thus the RSA-encrypted |\r
3117 PreMaster Secret in a ClientKeyExchange is preceded by two length |\r
3118 bytes. These bytes are redundant in the case of RSA because the |\r
3119 EncryptedPreMasterSecret is the only data in the |\r
3120 ClientKeyExchange and its length can therefore be unambiguously |\r
3121 determined. The SSLv3 specification was not clear about the |\r
3122 encoding of public-key-encrypted data and therefore many SSLv3 |\r
3123 implementations do not include the the length bytes, encoding the |\r
3124 RSA encrypted data directly in the ClientKeyExchange message. |\r
3125 \r
3126 \r
3127 This specification requires correct encoding of the |\r
3128 EncryptedPreMasterSecret complete with length bytes. The |\r
3129 resulting PDU is incompatible with many SSLv3 implementations. |\r
3130 Implementors upgrading from SSLv3 must modify their |\r
3131 implementations to generate and accept the correct encoding. |\r
3132 Implementors who wish to be compatible with both SSLv3 and TLS |\r
3133 should make their implementation's behavior dependent on the |\r
3134 \r
3135 \r
3136 \r
3137 \r
3138 Dierks & Rescorla Standards Track [Page 49] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3139 \r
3140 \r
3141 \r
3142 protocol version. |\r
3143 \r
3144 \r
3145 Implementation Note: It is now known that remote timing-based attacks |\r
3146 on SSL are possible, at least when the client and server are on |\r
3147 the same LAN. Accordingly, implementations which use static RSA |\r
3148 keys SHOULD use RSA blinding or some other anti-timing technique, |\r
3149 as described in [TIMING].\r
3150 \r
3151 \r
3152 Note: The version number in the PreMasterSecret is that offered by the |\r
3153 client, NOT the version negotiated for the connection. This |\r
3154 feature is designed to prevent rollback attacks. Unfortunately, |\r
3155 many implementations use the negotiated version instead and |\r
3156 therefore checking the version number may lead to failure to |\r
3157 interoperate with such incorrect client implementations. Client |\r
3158 implementations MUST and Server implementations MAY check the |\r
3159 version number. In practice, since there are no significant known |\r
3160 security differences between TLS and SSLv3, rollback to SSLv3 is |\r
3161 not believed to be a serious security risk. Note that if servers |\r
3162 choose to to check the version number, they should randomize the |\r
3163 PreMasterSecret in case of error, rather than generate an alert, |\r
3164 in order to avoid variants on the Bleichenbacher attack. [KPR03]\r
3165 \r
3166 \r
3167 7.4.7.2. Client Diffie-Hellman public value\r
3168 \r
3169 \r
3170 Meaning of this message:\r
3171 This structure conveys the client's Diffie-Hellman public value\r
3172 (Yc) if it was not already included in the client's certificate.\r
3173 The encoding used for Yc is determined by the enumerated\r
3174 PublicValueEncoding. This structure is a variant of the client\r
3175 key exchange message, not a message in itself.\r
3176 \r
3177 \r
3178 Structure of this message:\r
3179 enum { implicit, explicit } PublicValueEncoding;\r
3180 \r
3181 \r
3182 implicit\r
3183 If the client certificate already contains a suitable Diffie-\r
3184 Hellman key, then Yc is implicit and does not need to be sent\r
3185 again. In this case, the Client Key Exchange message will be\r
3186 sent, but will be empty.\r
3187 \r
3188 \r
3189 explicit\r
3190 Yc needs to be sent.\r
3191 \r
3192 \r
3193 struct {\r
3194 select (PublicValueEncoding) {\r
3195 case implicit: struct { };\r
3196 case explicit: opaque dh_Yc<1..2^16-1>;\r
3197 } dh_public;\r
3198 \r
3199 \r
3200 \r
3201 \r
3202 Dierks & Rescorla Standards Track [Page 50] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3203 \r
3204 \r
3205 \r
3206 } ClientDiffieHellmanPublic;\r
3207 \r
3208 \r
3209 dh_Yc\r
3210 The client's Diffie-Hellman public value (Yc).\r
3211 \r
3212 \r
3213 7.4.8. Certificate verify\r
3214 \r
3215 \r
3216 When this message will be sent:\r
3217 This message is used to provide explicit verification of a client\r
3218 certificate. This message is only sent following a client\r
3219 certificate that has signing capability (i.e. all certificates\r
3220 except those containing fixed Diffie-Hellman parameters). When\r
3221 sent, it will immediately follow the client key exchange message.\r
3222 \r
3223 \r
3224 Structure of this message:\r
3225 struct {\r
3226 Signature signature;\r
3227 } CertificateVerify;\r
3228 \r
3229 \r
3230 The Signature type is defined in 7.4.3.\r
3231 \r
3232 \r
3233 CertificateVerify.signature.md5_hash\r
3234 MD5(handshake_messages);\r
3235 \r
3236 \r
3237 CertificateVerify.signature.sha_hash |\r
3238 SHA(handshake_messages);\r
3239 \r
3240 \r
3241 Here handshake_messages refers to all handshake messages sent or\r
3242 received starting at client hello up to but not including this\r
3243 message, including the type and length fields of the handshake\r
3244 messages. This is the concatenation of all the Handshake structures\r
3245 as defined in 7.4 exchanged thus far.\r
3246 \r
3247 \r
3248 7.4.9. Finished\r
3249 \r
3250 \r
3251 When this message will be sent:\r
3252 A finished message is always sent immediately after a change\r
3253 cipher spec message to verify that the key exchange and\r
3254 authentication processes were successful. It is essential that a\r
3255 change cipher spec message be received between the other\r
3256 handshake messages and the Finished message.\r
3257 \r
3258 \r
3259 Meaning of this message:\r
3260 The finished message is the first protected with the just-\r
3261 negotiated algorithms, keys, and secrets. Recipients of finished |\r
3262 messages MUST verify that the contents are correct. Once a side\r
3263 has sent its Finished message and received and validated the\r
3264 Finished message from its peer, it may begin to send and receive\r
3265 \r
3266 \r
3267 \r
3268 \r
3269 Dierks & Rescorla Standards Track [Page 51] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3270 \r
3271 \r
3272 \r
3273 application data over the connection.\r
3274 \r
3275 \r
3276 struct {\r
3277 opaque verify_data[12];\r
3278 } Finished;\r
3279 \r
3280 \r
3281 verify_data\r
3282 PRF(master_secret, finished_label, MD5(handshake_messages) +\r
3283 SHA-1(handshake_messages)) [0..11];\r
3284 \r
3285 \r
3286 finished_label\r
3287 For Finished messages sent by the client, the string "client\r
3288 finished". For Finished messages sent by the server, the\r
3289 string "server finished".\r
3290 \r
3291 \r
3292 handshake_messages\r
3293 All of the data from all handshake messages up to but not\r
3294 including this message. This is only data visible at the\r
3295 handshake layer and does not include record layer headers.\r
3296 This is the concatenation of all the Handshake structures as\r
3297 defined in 7.4 exchanged thus far.\r
3298 \r
3299 \r
3300 It is a fatal error if a finished message is not preceded by a change\r
3301 cipher spec message at the appropriate point in the handshake.\r
3302 \r
3303 \r
3304 The value handshake_messages includes all handshake messages starting |\r
3305 at client hello up to, but not including, this finished message. This\r
3306 may be different from handshake_messages in Section 7.4.8 because it\r
3307 would include the certificate verify message (if sent). Also, the\r
3308 handshake_messages for the finished message sent by the client will\r
3309 be different from that for the finished message sent by the server,\r
3310 because the one which is sent second will include the prior one.\r
3311 \r
3312 \r
3313 Note: Change cipher spec messages, alerts and any other record types\r
3314 are not handshake messages and are not included in the hash\r
3315 computations. Also, Hello Request messages are omitted from\r
3316 handshake hashes.\r
3317 \r
3318 \r
3319 8. Cryptographic computations\r
3320 \r
3321 \r
3322 In order to begin connection protection, the TLS Record Protocol\r
3323 requires specification of a suite of algorithms, a master secret, and\r
3324 the client and server random values. The authentication, encryption,\r
3325 and MAC algorithms are determined by the cipher_suite selected by the\r
3326 server and revealed in the server hello message. The compression\r
3327 algorithm is negotiated in the hello messages, and the random values\r
3328 are exchanged in the hello messages. All that remains is to calculate\r
3329 the master secret.\r
3330 \r
3331 \r
3332 \r
3333 \r
3334 Dierks & Rescorla Standards Track [Page 52] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3335 \r
3336 \r
3337 \r
3338 8.1. Computing the master secret\r
3339 \r
3340 \r
3341 For all key exchange methods, the same algorithm is used to convert\r
3342 the pre_master_secret into the master_secret. The pre_master_secret\r
3343 should be deleted from memory once the master_secret has been\r
3344 computed.\r
3345 \r
3346 \r
3347 master_secret = PRF(pre_master_secret, "master secret",\r
3348 ClientHello.random + ServerHello.random)\r
3349 [0..47];\r
3350 \r
3351 \r
3352 The master secret is always exactly 48 bytes in length. The length of\r
3353 the premaster secret will vary depending on key exchange method.\r
3354 \r
3355 \r
3356 \r
3357 \r
3358 \r
3359 \r
3360 \r
3361 \r
3362 \r
3363 \r
3364 \r
3365 \r
3366 \r
3367 \r
3368 \r
3369 \r
3370 \r
3371 \r
3372 \r
3373 \r
3374 \r
3375 \r
3376 \r
3377 \r
3378 \r
3379 \r
3380 \r
3381 \r
3382 \r
3383 \r
3384 \r
3385 \r
3386 \r
3387 \r
3388 \r
3389 \r
3390 \r
3391 \r
3392 \r
3393 Dierks & Rescorla Standards Track [Page 53] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3394 \r
3395 \r
3396 \r
3397 8.1.1. RSA\r
3398 \r
3399 \r
3400 When RSA is used for server authentication and key exchange, a\r
3401 48-byte pre_master_secret is generated by the client, encrypted under\r
3402 the server's public key, and sent to the server. The server uses its\r
3403 private key to decrypt the pre_master_secret. Both parties then\r
3404 convert the pre_master_secret into the master_secret, as specified\r
3405 above.\r
3406 \r
3407 \r
3408 RSA digital signatures are performed using PKCS #1 [PKCS1] block type\r
3409 1. RSA public key encryption is performed using PKCS #1 block type 2.\r
3410 \r
3411 \r
3412 8.1.2. Diffie-Hellman\r
3413 \r
3414 \r
3415 A conventional Diffie-Hellman computation is performed. The\r
3416 negotiated key (Z) is used as the pre_master_secret, and is converted\r
3417 into the master_secret, as specified above. Leading 0 bytes of Z are |\r
3418 stripped before it is used as the pre_master_secret.\r
3419 \r
3420 \r
3421 Note: Diffie-Hellman parameters are specified by the server, and may\r
3422 be either ephemeral or contained within the server's certificate.\r
3423 \r
3424 \r
3425 9. Mandatory Cipher Suites\r
3426 \r
3427 \r
3428 In the absence of an application profile standard specifying\r
3429 otherwise, a TLS compliant application MUST implement the cipher |\r
3430 suite TLS_RSA_WITH_3DES_EDE_CBC_SHA. |\r
3431 \r
3432 \r
3433 The 40-bit cipher suites are known to be susceptible to exhaustive |\r
3434 search attack by commercial attackers. Implementations of this |\r
3435 document SHOULD disable them by default if they are supported at all. |\r
3436 A future version of this document may remove them entirely.\r
3437 \r
3438 \r
3439 10. Application data protocol\r
3440 \r
3441 \r
3442 Application data messages are carried by the Record Layer and are\r
3443 fragmented, compressed and encrypted based on the current connection\r
3444 state. The messages are treated as transparent data to the record\r
3445 layer.\r
3446 \r
3447 \r
3448 \r
3449 \r
3450 \r
3451 \r
3452 \r
3453 \r
3454 \r
3455 \r
3456 \r
3457 \r
3458 \r
3459 Dierks & Rescorla Standards Track [Page 54] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3460 \r
3461 \r
3462 \r
3463 A. Protocol constant values\r
3464 \r
3465 \r
3466 This section describes protocol types and constants.\r
3467 \r
3468 \r
3469 A.1. Record layer\r
3470 \r
3471 \r
3472 struct {\r
3473 uint8 major, minor;\r
3474 } ProtocolVersion;\r
3475 \r
3476 \r
3477 ProtocolVersion version = { 3, 2 }; /* TLS v1.1 */ |\r
3478 \r
3479 \r
3480 enum {\r
3481 change_cipher_spec(20), alert(21), handshake(22),\r
3482 application_data(23), (255)\r
3483 } ContentType;\r
3484 \r
3485 \r
3486 struct {\r
3487 ContentType type;\r
3488 ProtocolVersion version;\r
3489 uint16 length;\r
3490 opaque fragment[TLSPlaintext.length];\r
3491 } TLSPlaintext;\r
3492 \r
3493 \r
3494 struct {\r
3495 ContentType type;\r
3496 ProtocolVersion version;\r
3497 uint16 length;\r
3498 opaque fragment[TLSCompressed.length];\r
3499 } TLSCompressed;\r
3500 \r
3501 \r
3502 struct {\r
3503 ContentType type;\r
3504 ProtocolVersion version;\r
3505 uint16 length;\r
3506 select (CipherSpec.cipher_type) {\r
3507 case stream: GenericStreamCipher;\r
3508 case block: GenericBlockCipher;\r
3509 } fragment;\r
3510 } TLSCiphertext;\r
3511 \r
3512 \r
3513 stream-ciphered struct {\r
3514 opaque content[TLSCompressed.length];\r
3515 opaque MAC[CipherSpec.hash_size];\r
3516 } GenericStreamCipher;\r
3517 \r
3518 \r
3519 block-ciphered struct {\r
3520 opaque IV[CipherSpec.block_length]; |\r
3521 \r
3522 \r
3523 \r
3524 \r
3525 Dierks & Rescorla Standards Track [Page 55] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3526 \r
3527 \r
3528 \r
3529 opaque content[TLSCompressed.length];\r
3530 opaque MAC[CipherSpec.hash_size];\r
3531 uint8 padding[GenericBlockCipher.padding_length];\r
3532 uint8 padding_length;\r
3533 } GenericBlockCipher;\r
3534 \r
3535 \r
3536 A.2. Change cipher specs message\r
3537 \r
3538 \r
3539 struct {\r
3540 enum { change_cipher_spec(1), (255) } type;\r
3541 } ChangeCipherSpec;\r
3542 \r
3543 \r
3544 A.3. Alert messages\r
3545 \r
3546 \r
3547 enum { warning(1), fatal(2), (255) } AlertLevel;\r
3548 \r
3549 \r
3550 enum {\r
3551 close_notify(0),\r
3552 unexpected_message(10),\r
3553 bad_record_mac(20),\r
3554 decryption_failed(21),\r
3555 record_overflow(22),\r
3556 decompression_failure(30),\r
3557 handshake_failure(40),\r
3558 no_certificate_RESERVED (41), |\r
3559 bad_certificate(42),\r
3560 unsupported_certificate(43),\r
3561 certificate_revoked(44),\r
3562 certificate_expired(45),\r
3563 certificate_unknown(46),\r
3564 illegal_parameter(47),\r
3565 unknown_ca(48),\r
3566 access_denied(49),\r
3567 decode_error(50),\r
3568 decrypt_error(51),\r
3569 export_restriction(60),\r
3570 protocol_version(70),\r
3571 insufficient_security(71),\r
3572 internal_error(80),\r
3573 user_canceled(90),\r
3574 no_renegotiation(100),\r
3575 (255)\r
3576 } AlertDescription;\r
3577 \r
3578 \r
3579 struct {\r
3580 AlertLevel level;\r
3581 AlertDescription description;\r
3582 } Alert;\r
3583 \r
3584 \r
3585 \r
3586 \r
3587 Dierks & Rescorla Standards Track [Page 56] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3588 \r
3589 \r
3590 \r
3591 A.4. Handshake protocol\r
3592 \r
3593 \r
3594 enum {\r
3595 hello_request(0), client_hello(1), server_hello(2),\r
3596 certificate(11), server_key_exchange (12),\r
3597 certificate_request(13), server_hello_done(14),\r
3598 certificate_verify(15), client_key_exchange(16),\r
3599 finished(20), (255)\r
3600 } HandshakeType;\r
3601 \r
3602 \r
3603 struct {\r
3604 HandshakeType msg_type;\r
3605 uint24 length;\r
3606 select (HandshakeType) {\r
3607 case hello_request: HelloRequest;\r
3608 case client_hello: ClientHello;\r
3609 case server_hello: ServerHello;\r
3610 case certificate: Certificate;\r
3611 case server_key_exchange: ServerKeyExchange;\r
3612 case certificate_request: CertificateRequest;\r
3613 case server_hello_done: ServerHelloDone;\r
3614 case certificate_verify: CertificateVerify;\r
3615 case client_key_exchange: ClientKeyExchange;\r
3616 case finished: Finished;\r
3617 } body;\r
3618 } Handshake;\r
3619 \r
3620 \r
3621 A.4.1. Hello messages\r
3622 \r
3623 \r
3624 struct { } HelloRequest;\r
3625 \r
3626 \r
3627 struct {\r
3628 uint32 gmt_unix_time;\r
3629 opaque random_bytes[28];\r
3630 } Random;\r
3631 \r
3632 \r
3633 opaque SessionID<0..32>;\r
3634 \r
3635 \r
3636 uint8 CipherSuite[2];\r
3637 \r
3638 \r
3639 enum { null(0), (255) } CompressionMethod;\r
3640 \r
3641 \r
3642 struct {\r
3643 ProtocolVersion client_version;\r
3644 Random random;\r
3645 SessionID session_id;\r
3646 CipherSuite cipher_suites<2..2^16-1>;\r
3647 CompressionMethod compression_methods<1..2^8-1>;\r
3648 \r
3649 \r
3650 \r
3651 \r
3652 Dierks & Rescorla Standards Track [Page 57] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3653 \r
3654 \r
3655 \r
3656 } ClientHello;\r
3657 \r
3658 \r
3659 struct {\r
3660 ProtocolVersion server_version;\r
3661 Random random;\r
3662 SessionID session_id;\r
3663 CipherSuite cipher_suite;\r
3664 CompressionMethod compression_method;\r
3665 } ServerHello;\r
3666 \r
3667 \r
3668 A.4.2. Server authentication and key exchange messages\r
3669 \r
3670 \r
3671 opaque ASN.1Cert<2^24-1>;\r
3672 \r
3673 \r
3674 struct {\r
3675 ASN.1Cert certificate_list<0..2^24-1>; |\r
3676 } Certificate;\r
3677 \r
3678 \r
3679 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;\r
3680 \r
3681 \r
3682 struct {\r
3683 opaque RSA_modulus<1..2^16-1>;\r
3684 opaque RSA_exponent<1..2^16-1>;\r
3685 } ServerRSAParams;\r
3686 \r
3687 \r
3688 struct {\r
3689 opaque DH_p<1..2^16-1>;\r
3690 opaque DH_g<1..2^16-1>;\r
3691 opaque DH_Ys<1..2^16-1>;\r
3692 } ServerDHParams;\r
3693 \r
3694 \r
3695 struct {\r
3696 select (KeyExchangeAlgorithm) {\r
3697 case diffie_hellman:\r
3698 ServerDHParams params;\r
3699 Signature signed_params;\r
3700 case rsa:\r
3701 ServerRSAParams params;\r
3702 Signature signed_params;\r
3703 };\r
3704 } ServerKeyExchange;\r
3705 \r
3706 \r
3707 enum { anonymous, rsa, dsa } SignatureAlgorithm; |\r
3708 \r
3709 \r
3710 struct { |\r
3711 select (KeyExchangeAlgorithm) { |\r
3712 case diffie_hellman: |\r
3713 ServerDHParams params; |\r
3714 \r
3715 \r
3716 \r
3717 \r
3718 Dierks & Rescorla Standards Track [Page 58] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3719 \r
3720 \r
3721 \r
3722 case rsa: |\r
3723 ServerRSAParams params; |\r
3724 }; |\r
3725 } ServerParams; |\r
3726 \r
3727 \r
3728 select (SignatureAlgorithm)\r
3729 { case anonymous: struct { };\r
3730 case rsa:\r
3731 digitally-signed struct {\r
3732 opaque md5_hash[16];\r
3733 opaque sha_hash[20];\r
3734 };\r
3735 case dsa:\r
3736 digitally-signed struct {\r
3737 opaque sha_hash[20];\r
3738 };\r
3739 } Signature;\r
3740 \r
3741 \r
3742 enum {\r
3743 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),\r
3744 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), |\r
3745 fortezza_dms_RESERVED(20), |\r
3746 (255) |\r
3747 } ClientCertificateType;\r
3748 \r
3749 \r
3750 opaque DistinguishedName<1..2^16-1>;\r
3751 \r
3752 \r
3753 struct {\r
3754 ClientCertificateType certificate_types<1..2^8-1>;\r
3755 DistinguishedName certificate_authorities<0..2^16-1>; |\r
3756 } CertificateRequest;\r
3757 \r
3758 \r
3759 struct { } ServerHelloDone;\r
3760 \r
3761 \r
3762 A.4.3. Client authentication and key exchange messages\r
3763 \r
3764 \r
3765 struct {\r
3766 select (KeyExchangeAlgorithm) {\r
3767 case rsa: EncryptedPreMasterSecret;\r
3768 case diffie_hellman: DiffieHellmanClientPublicValue;\r
3769 } exchange_keys;\r
3770 } ClientKeyExchange;\r
3771 \r
3772 \r
3773 struct {\r
3774 ProtocolVersion client_version;\r
3775 opaque random[46];\r
3776 } PreMasterSecret;\r
3777 \r
3778 \r
3779 \r
3780 \r
3781 \r
3782 Dierks & Rescorla Standards Track [Page 59] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3783 \r
3784 \r
3785 \r
3786 struct {\r
3787 public-key-encrypted PreMasterSecret pre_master_secret;\r
3788 } EncryptedPreMasterSecret;\r
3789 \r
3790 \r
3791 enum { implicit, explicit } PublicValueEncoding;\r
3792 \r
3793 \r
3794 struct {\r
3795 select (PublicValueEncoding) {\r
3796 case implicit: struct {};\r
3797 case explicit: opaque DH_Yc<1..2^16-1>;\r
3798 } dh_public;\r
3799 } ClientDiffieHellmanPublic;\r
3800 \r
3801 \r
3802 struct {\r
3803 Signature signature;\r
3804 } CertificateVerify;\r
3805 \r
3806 \r
3807 A.4.4. Handshake finalization message\r
3808 \r
3809 \r
3810 struct {\r
3811 opaque verify_data[12];\r
3812 } Finished;\r
3813 \r
3814 \r
3815 A.5. The CipherSuite\r
3816 \r
3817 \r
3818 The following values define the CipherSuite codes used in the client\r
3819 hello and server hello messages.\r
3820 \r
3821 \r
3822 A CipherSuite defines a cipher specification supported in TLS Version |\r
3823 1.1.\r
3824 \r
3825 \r
3826 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a\r
3827 TLS connection during the first handshake on that channel, but must\r
3828 not be negotiated, as it provides no more protection than an\r
3829 unsecured connection.\r
3830 \r
3831 \r
3832 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };\r
3833 \r
3834 \r
3835 The following CipherSuite definitions require that the server provide\r
3836 an RSA certificate that can be used for key exchange. The server may\r
3837 request either an RSA or a DSS signature-capable certificate in the\r
3838 certificate request message.\r
3839 \r
3840 \r
3841 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };\r
3842 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };\r
3843 CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };\r
3844 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };\r
3845 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };\r
3846 \r
3847 \r
3848 \r
3849 \r
3850 Dierks & Rescorla Standards Track [Page 60] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3851 \r
3852 \r
3853 \r
3854 CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };\r
3855 CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };\r
3856 CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };\r
3857 CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };\r
3858 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };\r
3859 \r
3860 \r
3861 The following CipherSuite definitions are used for server-\r
3862 authenticated (and optionally client-authenticated) Diffie-Hellman.\r
3863 DH denotes cipher suites in which the server's certificate contains\r
3864 the Diffie-Hellman parameters signed by the certificate authority\r
3865 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman\r
3866 parameters are signed by a DSS or RSA certificate, which has been\r
3867 signed by the CA. The signing algorithm used is specified after the\r
3868 DH or DHE parameter. The server can request an RSA or DSS signature-\r
3869 capable certificate from the client for client authentication or it\r
3870 may request a Diffie-Hellman certificate. Any Diffie-Hellman\r
3871 certificate provided by the client must use the parameters (group and\r
3872 generator) described by the server.\r
3873 \r
3874 \r
3875 CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };\r
3876 CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };\r
3877 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };\r
3878 CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };\r
3879 CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };\r
3880 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };\r
3881 CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };\r
3882 CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };\r
3883 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };\r
3884 CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };\r
3885 CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };\r
3886 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };\r
3887 \r
3888 \r
3889 The following cipher suites are used for completely anonymous Diffie-\r
3890 Hellman communications in which neither party is authenticated. Note\r
3891 that this mode is vulnerable to man-in-the-middle attacks and is\r
3892 therefore deprecated.\r
3893 \r
3894 \r
3895 CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };\r
3896 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };\r
3897 CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };\r
3898 CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };\r
3899 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };\r
3900 \r
3901 \r
3902 Note: All cipher suites whose first byte is 0xFF are considered\r
3903 private and can be used for defining local/experimental\r
3904 algorithms. Interoperability of such types is a local matter.\r
3905 \r
3906 \r
3907 Note: Additional cipher suites can be registered by publishing an RFC\r
3908 \r
3909 \r
3910 \r
3911 \r
3912 Dierks & Rescorla Standards Track [Page 61] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3913 \r
3914 \r
3915 \r
3916 which specifies the cipher suites, including the necessary TLS\r
3917 protocol information, including message encoding, premaster\r
3918 secret derivation, symmetric encryption and MAC calculation and\r
3919 appropriate reference information for the algorithms involved.\r
3920 The RFC editor's office may, at its discretion, choose to publish\r
3921 specifications for cipher suites which are not completely\r
3922 described (e.g., for classified algorithms) if it finds the\r
3923 specification to be of technical interest and completely\r
3924 specified.\r
3925 \r
3926 \r
3927 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are\r
3928 reserved to avoid collision with Fortezza-based cipher suites in\r
3929 SSL 3.\r
3930 \r
3931 \r
3932 A.6. The Security Parameters\r
3933 \r
3934 \r
3935 These security parameters are determined by the TLS Handshake\r
3936 Protocol and provided as parameters to the TLS Record Layer in order\r
3937 to initialize a connection state. SecurityParameters includes:\r
3938 \r
3939 \r
3940 enum { null(0), (255) } CompressionMethod;\r
3941 \r
3942 \r
3943 enum { server, client } ConnectionEnd;\r
3944 \r
3945 \r
3946 enum { null, rc4, rc2, des, 3des, des40, idea }\r
3947 BulkCipherAlgorithm;\r
3948 \r
3949 \r
3950 enum { stream, block } CipherType;\r
3951 \r
3952 \r
3953 enum { true, false } IsExportable;\r
3954 \r
3955 \r
3956 enum { null, md5, sha } MACAlgorithm;\r
3957 \r
3958 \r
3959 /* The algorithms specified in CompressionMethod,\r
3960 BulkCipherAlgorithm, and MACAlgorithm may be added to. */\r
3961 \r
3962 \r
3963 struct {\r
3964 ConnectionEnd entity;\r
3965 BulkCipherAlgorithm bulk_cipher_algorithm;\r
3966 CipherType cipher_type;\r
3967 uint8 key_size;\r
3968 uint8 key_material_length;\r
3969 IsExportable is_exportable;\r
3970 MACAlgorithm mac_algorithm;\r
3971 uint8 hash_size;\r
3972 CompressionMethod compression_algorithm;\r
3973 opaque master_secret[48];\r
3974 opaque client_random[32];\r
3975 \r
3976 \r
3977 \r
3978 \r
3979 Dierks & Rescorla Standards Track [Page 62] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
3980 \r
3981 \r
3982 \r
3983 opaque server_random[32];\r
3984 } SecurityParameters;\r
3985 \r
3986 \r
3987 \r
3988 \r
3989 \r
3990 \r
3991 \r
3992 \r
3993 \r
3994 \r
3995 \r
3996 \r
3997 \r
3998 \r
3999 \r
4000 \r
4001 \r
4002 \r
4003 \r
4004 \r
4005 \r
4006 \r
4007 \r
4008 \r
4009 \r
4010 \r
4011 \r
4012 \r
4013 \r
4014 \r
4015 \r
4016 \r
4017 \r
4018 \r
4019 \r
4020 \r
4021 \r
4022 \r
4023 \r
4024 \r
4025 \r
4026 \r
4027 \r
4028 \r
4029 \r
4030 \r
4031 \r
4032 \r
4033 \r
4034 \r
4035 Dierks & Rescorla Standards Track [Page 63] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4036 \r
4037 \r
4038 \r
4039 B. Glossary\r
4040 \r
4041 \r
4042 application protocol\r
4043 An application protocol is a protocol that normally layers\r
4044 directly on top of the transport layer (e.g., TCP/IP). Examples\r
4045 include HTTP, TELNET, FTP, and SMTP.\r
4046 \r
4047 \r
4048 asymmetric cipher\r
4049 See public key cryptography.\r
4050 \r
4051 \r
4052 authentication\r
4053 Authentication is the ability of one entity to determine the\r
4054 identity of another entity.\r
4055 \r
4056 \r
4057 block cipher\r
4058 A block cipher is an algorithm that operates on plaintext in\r
4059 groups of bits, called blocks. 64 bits is a common block size.\r
4060 \r
4061 \r
4062 bulk cipher\r
4063 A symmetric encryption algorithm used to encrypt large quantities\r
4064 of data.\r
4065 \r
4066 \r
4067 cipher block chaining (CBC)\r
4068 CBC is a mode in which every plaintext block encrypted with a\r
4069 block cipher is first exclusive-ORed with the previous ciphertext\r
4070 block (or, in the case of the first block, with the\r
4071 initialization vector). For decryption, every block is first\r
4072 decrypted, then exclusive-ORed with the previous ciphertext block\r
4073 (or IV).\r
4074 \r
4075 \r
4076 certificate\r
4077 As part of the X.509 protocol (a.k.a. ISO Authentication\r
4078 framework), certificates are assigned by a trusted Certificate\r
4079 Authority and provide a strong binding between a party's identity\r
4080 or some other attributes and its public key.\r
4081 \r
4082 \r
4083 client\r
4084 The application entity that initiates a TLS connection to a\r
4085 server. This may or may not imply that the client initiated the\r
4086 underlying transport connection. The primary operational\r
4087 difference between the server and client is that the server is\r
4088 generally authenticated, while the client is only optionally\r
4089 authenticated.\r
4090 \r
4091 \r
4092 client write key\r
4093 The key used to encrypt data written by the client.\r
4094 \r
4095 \r
4096 \r
4097 \r
4098 \r
4099 \r
4100 Dierks & Rescorla Standards Track [Page 64] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4101 \r
4102 \r
4103 \r
4104 client write MAC secret\r
4105 The secret data used to authenticate data written by the client.\r
4106 \r
4107 \r
4108 connection\r
4109 A connection is a transport (in the OSI layering model\r
4110 definition) that provides a suitable type of service. For TLS,\r
4111 such connections are peer to peer relationships. The connections\r
4112 are transient. Every connection is associated with one session.\r
4113 \r
4114 \r
4115 Data Encryption Standard\r
4116 DES is a very widely used symmetric encryption algorithm. DES is\r
4117 a block cipher with a 56 bit key and an 8 byte block size. Note\r
4118 that in TLS, for key generation purposes, DES is treated as\r
4119 having an 8 byte key length (64 bits), but it still only provides\r
4120 56 bits of protection. (The low bit of each key byte is presumed\r
4121 to be set to produce odd parity in that key byte.) DES can also\r
4122 be operated in a mode where three independent keys and three\r
4123 encryptions are used for each block of data; this uses 168 bits\r
4124 of key (24 bytes in the TLS key generation method) and provides\r
4125 the equivalent of 112 bits of security. [DES], [3DES]\r
4126 \r
4127 \r
4128 Digital Signature Standard (DSS)\r
4129 A standard for digital signing, including the Digital Signing\r
4130 Algorithm, approved by the National Institute of Standards and\r
4131 Technology, defined in NIST FIPS PUB 186, "Digital Signature\r
4132 Standard," published May, 1994 by the U.S. Dept. of Commerce.\r
4133 [DSS]\r
4134 \r
4135 \r
4136 digital signatures |\r
4137 Digital signatures utilize public key cryptography and one-way\r
4138 hash functions to produce a signature of the data that can be\r
4139 authenticated, and is difficult to forge or repudiate.\r
4140 \r
4141 \r
4142 handshake\r
4143 An initial negotiation between client and server that establishes\r
4144 the parameters of their transactions.\r
4145 \r
4146 \r
4147 Initialization Vector (IV)\r
4148 When a block cipher is used in CBC mode, the initialization\r
4149 vector is exclusive-ORed with the first plaintext block prior to\r
4150 encryption.\r
4151 \r
4152 \r
4153 IDEA\r
4154 A 64-bit block cipher designed by Xuejia Lai and James Massey.\r
4155 [IDEA]\r
4156 \r
4157 \r
4158 \r
4159 \r
4160 \r
4161 \r
4162 \r
4163 Dierks & Rescorla Standards Track [Page 65] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4164 \r
4165 \r
4166 \r
4167 Message Authentication Code (MAC)\r
4168 A Message Authentication Code is a one-way hash computed from a\r
4169 message and some secret data. It is difficult to forge without\r
4170 knowing the secret data. Its purpose is to detect if the message\r
4171 has been altered.\r
4172 \r
4173 \r
4174 master secret\r
4175 Secure secret data used for generating encryption keys, MAC\r
4176 secrets, and IVs.\r
4177 \r
4178 \r
4179 MD5\r
4180 MD5 is a secure hashing function that converts an arbitrarily\r
4181 long data stream into a digest of fixed size (16 bytes). [MD5]\r
4182 \r
4183 \r
4184 public key cryptography\r
4185 A class of cryptographic techniques employing two-key ciphers.\r
4186 Messages encrypted with the public key can only be decrypted with\r
4187 the associated private key. Conversely, messages signed with the\r
4188 private key can be verified with the public key.\r
4189 \r
4190 \r
4191 one-way hash function\r
4192 A one-way transformation that converts an arbitrary amount of\r
4193 data into a fixed-length hash. It is computationally hard to\r
4194 reverse the transformation or to find collisions. MD5 and SHA are\r
4195 examples of one-way hash functions.\r
4196 \r
4197 \r
4198 RC2\r
4199 A block cipher developed by Ron Rivest at RSA Data Security, Inc.\r
4200 [RSADSI] described in [RC2].\r
4201 \r
4202 \r
4203 RC4\r
4204 A stream cipher licensed by RSA Data Security [RSADSI]. A\r
4205 compatible cipher is described in [RC4].\r
4206 \r
4207 \r
4208 RSA\r
4209 A very widely used public-key algorithm that can be used for\r
4210 either encryption or digital signing. [RSA]\r
4211 \r
4212 \r
4213 salt\r
4214 Non-secret random data used to make export encryption keys resist\r
4215 precomputation attacks.\r
4216 \r
4217 \r
4218 server\r
4219 The server is the application entity that responds to requests\r
4220 for connections from clients. See also under client.\r
4221 \r
4222 \r
4223 \r
4224 \r
4225 \r
4226 \r
4227 \r
4228 Dierks & Rescorla Standards Track [Page 66] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4229 \r
4230 \r
4231 \r
4232 session\r
4233 A TLS session is an association between a client and a server.\r
4234 Sessions are created by the handshake protocol. Sessions define a\r
4235 set of cryptographic security parameters, which can be shared\r
4236 among multiple connections. Sessions are used to avoid the\r
4237 expensive negotiation of new security parameters for each\r
4238 connection.\r
4239 \r
4240 \r
4241 session identifier\r
4242 A session identifier is a value generated by a server that\r
4243 identifies a particular session.\r
4244 \r
4245 \r
4246 server write key\r
4247 The key used to encrypt data written by the server.\r
4248 \r
4249 \r
4250 server write MAC secret\r
4251 The secret data used to authenticate data written by the server.\r
4252 \r
4253 \r
4254 SHA\r
4255 The Secure Hash Algorithm is defined in FIPS PUB 180-1. It\r
4256 produces a 20-byte output. Note that all references to SHA\r
4257 actually use the modified SHA-1 algorithm. [SHA]\r
4258 \r
4259 \r
4260 SSL\r
4261 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on\r
4262 SSL Version 3.0\r
4263 \r
4264 \r
4265 stream cipher\r
4266 An encryption algorithm that converts a key into a\r
4267 cryptographically-strong keystream, which is then exclusive-ORed\r
4268 with the plaintext.\r
4269 \r
4270 \r
4271 symmetric cipher |\r
4272 See bulk cipher.\r
4273 \r
4274 \r
4275 Transport Layer Security (TLS)\r
4276 This protocol; also, the Transport Layer Security working group\r
4277 of the Internet Engineering Task Force (IETF). See "Comments" at\r
4278 the end of this document.\r
4279 \r
4280 \r
4281 \r
4282 \r
4283 \r
4284 \r
4285 \r
4286 \r
4287 \r
4288 \r
4289 \r
4290 \r
4291 \r
4292 Dierks & Rescorla Standards Track [Page 67] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4293 \r
4294 \r
4295 \r
4296 C. CipherSuite definitions\r
4297 \r
4298 \r
4299 CipherSuite Is Key Cipher Hash\r
4300 Exportable Exchange\r
4301 \r
4302 \r
4303 TLS_NULL_WITH_NULL_NULL * NULL NULL NULL\r
4304 TLS_RSA_WITH_NULL_MD5 * RSA NULL MD5\r
4305 TLS_RSA_WITH_NULL_SHA * RSA NULL SHA\r
4306 TLS_RSA_EXPORT_WITH_RC4_40_MD5 * RSA_EXPORT RC4_40 MD5\r
4307 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5\r
4308 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA\r
4309 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 * RSA_EXPORT RC2_CBC_40 MD5\r
4310 TLS_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA\r
4311 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA * RSA_EXPORT DES40_CBC SHA\r
4312 TLS_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA\r
4313 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA\r
4314 TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA * DH_DSS_EXPORT DES40_CBC SHA\r
4315 TLS_DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA\r
4316 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA\r
4317 TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA * DH_RSA_EXPORT DES40_CBC SHA\r
4318 TLS_DH_RSA_WITH_DES_CBC_SHA DH_RSA DES_CBC SHA\r
4319 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA\r
4320 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * DHE_DSS_EXPORT DES40_CBC SHA\r
4321 TLS_DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA\r
4322 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA\r
4323 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * DHE_RSA_EXPORT DES40_CBC SHA\r
4324 TLS_DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA\r
4325 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA\r
4326 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 * DH_anon_EXPORT RC4_40 MD5\r
4327 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5\r
4328 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA DH_anon DES40_CBC SHA\r
4329 TLS_DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA\r
4330 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA\r
4331 \r
4332 \r
4333 \r
4334 * Indicates IsExportable is True\r
4335 \r
4336 \r
4337 Key\r
4338 Exchange\r
4339 Algorithm Description Key size limit\r
4340 \r
4341 \r
4342 DHE_DSS Ephemeral DH with DSS signatures None\r
4343 DHE_DSS_EXPORT Ephemeral DH with DSS signatures DH = 512 bits\r
4344 DHE_RSA Ephemeral DH with RSA signatures None\r
4345 DHE_RSA_EXPORT Ephemeral DH with RSA signatures DH = 512 bits,\r
4346 RSA = none\r
4347 DH_anon Anonymous DH, no signatures None\r
4348 DH_anon_EXPORT Anonymous DH, no signatures DH = 512 bits\r
4349 \r
4350 \r
4351 \r
4352 \r
4353 Dierks & Rescorla Standards Track [Page 68] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4354 \r
4355 \r
4356 \r
4357 DH_DSS DH with DSS-based certificates None\r
4358 DH_DSS_EXPORT DH with DSS-based certificates DH = 512 bits\r
4359 DH_RSA DH with RSA-based certificates None\r
4360 DH_RSA_EXPORT DH with RSA-based certificates DH = 512 bits,\r
4361 RSA = none\r
4362 NULL No key exchange N/A\r
4363 RSA RSA key exchange None\r
4364 RSA_EXPORT RSA key exchange RSA = 512 bits\r
4365 \r
4366 \r
4367 Key size limit\r
4368 The key size limit gives the size of the largest public key that\r
4369 can be legally used for encryption or key agreement in |\r
4370 cipher suites that are exportable. |\r
4371 \r
4372 \r
4373 Key Expanded Effective IV Block\r
4374 Cipher Type Material Key Material Key Bits Size Size\r
4375 \r
4376 \r
4377 NULL * Stream 0 0 0 0 N/A\r
4378 IDEA_CBC Block 16 16 128 8 8\r
4379 RC2_CBC_40 * Block 5 16 40 8 8\r
4380 RC4_40 * Stream 5 16 40 0 N/A\r
4381 RC4_128 Stream 16 16 128 0 N/A\r
4382 DES40_CBC * Block 5 8 40 8 8\r
4383 DES_CBC Block 8 8 56 8 8\r
4384 3DES_EDE_CBC Block 24 24 168 8 8\r
4385 \r
4386 \r
4387 * Indicates IsExportable is true.\r
4388 \r
4389 \r
4390 Type\r
4391 Indicates whether this is a stream cipher or a block cipher\r
4392 running in CBC mode.\r
4393 \r
4394 \r
4395 Key Material\r
4396 The number of bytes from the key_block that are used for\r
4397 generating the write keys.\r
4398 \r
4399 \r
4400 Expanded Key Material\r
4401 The number of bytes actually fed into the encryption algorithm\r
4402 \r
4403 \r
4404 Effective Key Bits\r
4405 How much entropy material is in the key material being fed into\r
4406 the encryption routines.\r
4407 \r
4408 \r
4409 IV Size\r
4410 How much data needs to be generated for the initialization\r
4411 vector. Zero for stream ciphers; equal to the block size for\r
4412 block ciphers.\r
4413 \r
4414 \r
4415 \r
4416 \r
4417 \r
4418 Dierks & Rescorla Standards Track [Page 69] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4419 \r
4420 \r
4421 \r
4422 Block Size\r
4423 The amount of data a block cipher enciphers in one chunk; a\r
4424 block cipher running in CBC mode can only encrypt an even\r
4425 multiple of its block size.\r
4426 \r
4427 \r
4428 Hash Hash Padding\r
4429 function Size Size\r
4430 NULL 0 0\r
4431 MD5 16 48\r
4432 SHA 20 40\r
4433 \r
4434 \r
4435 \r
4436 \r
4437 \r
4438 \r
4439 \r
4440 \r
4441 \r
4442 \r
4443 \r
4444 \r
4445 \r
4446 \r
4447 \r
4448 \r
4449 \r
4450 \r
4451 \r
4452 \r
4453 \r
4454 \r
4455 \r
4456 \r
4457 \r
4458 \r
4459 \r
4460 \r
4461 \r
4462 \r
4463 \r
4464 \r
4465 \r
4466 \r
4467 \r
4468 \r
4469 \r
4470 \r
4471 \r
4472 \r
4473 \r
4474 \r
4475 Dierks & Rescorla Standards Track [Page 70] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4476 \r
4477 \r
4478 \r
4479 D. Implementation Notes\r
4480 \r
4481 \r
4482 The TLS protocol cannot prevent many common security mistakes. This\r
4483 section provides several recommendations to assist implementors.\r
4484 \r
4485 \r
4486 D.1. Temporary RSA keys\r
4487 \r
4488 \r
4489 US Export restrictions limit RSA keys used for encryption to 512\r
4490 bits, but do not place any limit on lengths of RSA keys used for\r
4491 signing operations. Certificates often need to be larger than 512\r
4492 bits, since 512-bit RSA keys are not secure enough for high-value\r
4493 transactions or for applications requiring long-term security. Some\r
4494 certificates are also designated signing-only, in which case they\r
4495 cannot be used for key exchange.\r
4496 \r
4497 \r
4498 When the public key in the certificate cannot be used for encryption,\r
4499 the server signs a temporary RSA key, which is then exchanged. In\r
4500 exportable applications, the temporary RSA key should be the maximum\r
4501 allowable length (i.e., 512 bits). Because 512-bit RSA keys are\r
4502 relatively insecure, they should be changed often. For typical\r
4503 electronic commerce applications, it is suggested that keys be\r
4504 changed daily or every 500 transactions, and more often if possible.\r
4505 Note that while it is acceptable to use the same temporary key for\r
4506 multiple transactions, it must be signed each time it is used.\r
4507 \r
4508 \r
4509 RSA key generation is a time-consuming process. In many cases, a low-\r
4510 priority process can be assigned the task of key generation.\r
4511 \r
4512 \r
4513 Whenever a new key is completed, the existing temporary key can be\r
4514 replaced with the new one.\r
4515 \r
4516 \r
4517 D.2. Random Number Generation and Seeding\r
4518 \r
4519 \r
4520 TLS requires a cryptographically-secure pseudorandom number generator\r
4521 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs\r
4522 based on secure hash operations, most notably MD5 and/or SHA, are\r
4523 acceptable, but cannot provide more security than the size of the\r
4524 random number generator state. (For example, MD5-based PRNGs usually\r
4525 provide 128 bits of state.)\r
4526 \r
4527 \r
4528 To estimate the amount of seed material being produced, add the\r
4529 number of bits of unpredictable information in each seed byte. For\r
4530 example, keystroke timing values taken from a PC compatible's 18.2 Hz\r
4531 timer provide 1 or 2 secure bits each, even though the total size of\r
4532 the counter value is 16 bits or more. To seed a 128-bit PRNG, one\r
4533 would thus require approximately 100 such timer values.\r
4534 \r
4535 \r
4536 D.3. Certificates and authentication\r
4537 \r
4538 \r
4539 \r
4540 \r
4541 Dierks & Rescorla Standards Track [Page 71] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4542 \r
4543 \r
4544 \r
4545 Implementations are responsible for verifying the integrity of\r
4546 certificates and should generally support certificate revocation\r
4547 messages. Certificates should always be verified to ensure proper\r
4548 signing by a trusted Certificate Authority (CA). The selection and\r
4549 addition of trusted CAs should be done very carefully. Users should\r
4550 be able to view information about the certificate and root CA.\r
4551 \r
4552 \r
4553 D.4. CipherSuites\r
4554 \r
4555 \r
4556 TLS supports a range of key sizes and security levels, including some\r
4557 which provide no or minimal security. A proper implementation will\r
4558 probably not support many cipher suites. For example, 40-bit\r
4559 encryption is easily broken, so implementations requiring strong\r
4560 security should not allow 40-bit keys. Similarly, anonymous Diffie-\r
4561 Hellman is strongly discouraged because it cannot prevent man-in-the-\r
4562 middle attacks. Applications should also enforce minimum and maximum\r
4563 key sizes. For example, certificate chains containing 512-bit RSA\r
4564 keys or signatures are not appropriate for high-security\r
4565 applications.\r
4566 \r
4567 \r
4568 \r
4569 \r
4570 \r
4571 \r
4572 \r
4573 \r
4574 \r
4575 \r
4576 \r
4577 \r
4578 \r
4579 \r
4580 \r
4581 \r
4582 \r
4583 \r
4584 \r
4585 \r
4586 \r
4587 \r
4588 \r
4589 \r
4590 \r
4591 \r
4592 \r
4593 \r
4594 \r
4595 \r
4596 \r
4597 \r
4598 \r
4599 Dierks & Rescorla Standards Track [Page 72] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4600 \r
4601 \r
4602 \r
4603 E. Backward Compatibility With SSL\r
4604 \r
4605 \r
4606 For historical reasons and in order to avoid a profligate consumption\r
4607 of reserved port numbers, application protocols which are secured by |\r
4608 TLS 1.1, TLS 1.0, SSL 3.0, and SSL 2.0 all frequently share the same\r
4609 connection port: for example, the https protocol (HTTP secured by SSL\r
4610 or TLS) uses port 443 regardless of which security protocol it is\r
4611 using. Thus, some mechanism must be determined to distinguish and\r
4612 negotiate among the various protocols.\r
4613 \r
4614 \r
4615 TLS versions 1.1, 1.0, and SSL 3.0 are very similar; thus, supporting |\r
4616 both is easy. TLS clients who wish to negotiate with such older |\r
4617 servers SHOULD send client hello messages using the SSL 3.0 record |\r
4618 format and client hello structure, sending {3, 2} for the version |\r
4619 field to note that they support TLS 1.1. If the server supports only |\r
4620 TLS 1.0 or SSL 3.0, it will respond with a downrev 3.0 server hello; |\r
4621 if it supports TLS 1.1 it will respond with a TLS 1.1 server hello. |\r
4622 The negotiation then proceeds as appropriate for the negotiated\r
4623 protocol.\r
4624 \r
4625 \r
4626 Similarly, a TLS 1.1 server which wishes to interoperate with TLS |\r
4627 1.0 or SSL 3.0 clients SHOULD accept SSL 3.0 client hello messages |\r
4628 and respond with a SSL 3.0 server hello if an SSL 3.0 client hello |\r
4629 with a version field of {3, 0} is received, denoting that this client |\r
4630 does not support TLS. Similarly, if a SSL 3.0 or TLS 1.0 hello with a |\r
4631 version field of {3, 1} is received, the server SHOULD respond with a |\r
4632 TLS 1.0 hello with a version field of {3, 1}.\r
4633 \r
4634 \r
4635 Whenever a client already knows the highest protocol known to a |\r
4636 server (for example, when resuming a session), it SHOULD initiate the\r
4637 connection in that native protocol.\r
4638 \r
4639 \r
4640 TLS 1.1 clients that support SSL Version 2.0 servers MUST send SSL |\r
4641 Version 2.0 client hello messages [SSL2]. TLS servers SHOULD accept\r
4642 either client hello format if they wish to support SSL 2.0 clients on\r
4643 the same connection port. The only deviations from the Version 2.0\r
4644 specification are the ability to specify a version with a value of\r
4645 three and the support for more ciphering types in the CipherSpec.\r
4646 \r
4647 \r
4648 Warning: The ability to send Version 2.0 client hello messages will be\r
4649 phased out with all due haste. Implementors SHOULD make every |\r
4650 effort to move forward as quickly as possible. Version 3.0\r
4651 provides better mechanisms for moving to newer versions.\r
4652 \r
4653 \r
4654 The following cipher specifications are carryovers from SSL Version\r
4655 2.0. These are assumed to use RSA for key exchange and\r
4656 authentication.\r
4657 \r
4658 \r
4659 \r
4660 \r
4661 \r
4662 Dierks & Rescorla Standards Track [Page 73] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4663 \r
4664 \r
4665 \r
4666 V2CipherSpec TLS_RC4_128_WITH_MD5 = { 0x01,0x00,0x80 };\r
4667 V2CipherSpec TLS_RC4_128_EXPORT40_WITH_MD5 = { 0x02,0x00,0x80 };\r
4668 V2CipherSpec TLS_RC2_CBC_128_CBC_WITH_MD5 = { 0x03,0x00,0x80 };\r
4669 V2CipherSpec TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5\r
4670 = { 0x04,0x00,0x80 };\r
4671 V2CipherSpec TLS_IDEA_128_CBC_WITH_MD5 = { 0x05,0x00,0x80 };\r
4672 V2CipherSpec TLS_DES_64_CBC_WITH_MD5 = { 0x06,0x00,0x40 };\r
4673 V2CipherSpec TLS_DES_192_EDE3_CBC_WITH_MD5 = { 0x07,0x00,0xC0 };\r
4674 \r
4675 \r
4676 Cipher specifications native to TLS can be included in Version 2.0\r
4677 client hello messages using the syntax below. Any V2CipherSpec\r
4678 element with its first byte equal to zero will be ignored by Version |\r
4679 2.0 servers. Clients sending any of the above V2CipherSpecs SHOULD\r
4680 also include the TLS equivalent (see Appendix A.5):\r
4681 \r
4682 \r
4683 V2CipherSpec (see TLS name) = { 0x00, CipherSuite };\r
4684 \r
4685 \r
4686 E.1. Version 2 client hello\r
4687 \r
4688 \r
4689 The Version 2.0 client hello message is presented below using this\r
4690 document's presentation model. The true definition is still assumed |\r
4691 to be the SSL Version 2.0 specification. Note that this message MUST |\r
4692 be sent directly on the wire, not wrapped as an SSLv3 record\r
4693 \r
4694 \r
4695 uint8 V2CipherSpec[3];\r
4696 \r
4697 \r
4698 struct {\r
4699 uint16 msg_length; |\r
4700 uint8 msg_type;\r
4701 Version version;\r
4702 uint16 cipher_spec_length;\r
4703 uint16 session_id_length;\r
4704 uint16 challenge_length;\r
4705 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];\r
4706 opaque session_id[V2ClientHello.session_id_length];\r
4707 opaque challenge[V2ClientHello.challenge_length; |\r
4708 } V2ClientHello;\r
4709 \r
4710 \r
4711 msg_length |\r
4712 This field is the length of the following data in bytes. The high |\r
4713 bit MUST be 1 and is not part of the length. |\r
4714 \r
4715 \r
4716 msg_type\r
4717 This field, in conjunction with the version field, identifies a |\r
4718 version 2 client hello message. The value SHOULD be one (1).\r
4719 \r
4720 \r
4721 version\r
4722 The highest version of the protocol supported by the client\r
4723 \r
4724 \r
4725 \r
4726 \r
4727 Dierks & Rescorla Standards Track [Page 74] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4728 \r
4729 \r
4730 \r
4731 (equals ProtocolVersion.version, see Appendix A.1).\r
4732 \r
4733 \r
4734 cipher_spec_length\r
4735 This field is the total length of the field cipher_specs. It |\r
4736 cannot be zero and MUST be a multiple of the V2CipherSpec length\r
4737 (3).\r
4738 \r
4739 \r
4740 session_id_length\r
4741 This field MUST have a value of zero. |\r
4742 \r
4743 \r
4744 challenge_length\r
4745 The length in bytes of the client's challenge to the server to |\r
4746 authenticate itself. When using the SSLv2 backward compatible |\r
4747 handshake the client MUST use a 32-byte challenge.\r
4748 \r
4749 \r
4750 cipher_specs\r
4751 This is a list of all CipherSpecs the client is willing and able |\r
4752 to use. There MUST be at least one CipherSpec acceptable to the\r
4753 server.\r
4754 \r
4755 \r
4756 session_id\r
4757 This field MUST be empty. |\r
4758 \r
4759 \r
4760 challenge\r
4761 The client challenge to the server for the server to identify\r
4762 itself is a (nearly) arbitrary length random. The TLS server will\r
4763 right justify the challenge data to become the ClientHello.random\r
4764 data (padded with leading zeroes, if necessary), as specified in\r
4765 this protocol specification. If the length of the challenge is\r
4766 greater than 32 bytes, only the last 32 bytes are used. It is\r
4767 legitimate (but not necessary) for a V3 server to reject a V2\r
4768 ClientHello that has fewer than 16 bytes of challenge data.\r
4769 \r
4770 \r
4771 Note: Requests to resume a TLS session MUST use a TLS client hello. |\r
4772 \r
4773 \r
4774 E.2. Avoiding man-in-the-middle version rollback\r
4775 \r
4776 \r
4777 When TLS clients fall back to Version 2.0 compatibility mode, they |\r
4778 SHOULD use special PKCS #1 block formatting. This is done so that TLS\r
4779 servers will reject Version 2.0 sessions with TLS-capable clients.\r
4780 \r
4781 \r
4782 When TLS clients are in Version 2.0 compatibility mode, they set the\r
4783 right-hand (least-significant) 8 random bytes of the PKCS padding\r
4784 (not including the terminal null of the padding) for the RSA\r
4785 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY\r
4786 to 0x03 (the other padding bytes are random). After decrypting the |\r
4787 ENCRYPTED-KEY-DATA field, servers that support TLS SHOULD issue an\r
4788 error if these eight padding bytes are 0x03. Version 2.0 servers\r
4789 \r
4790 \r
4791 \r
4792 \r
4793 Dierks & Rescorla Standards Track [Page 75] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4794 \r
4795 \r
4796 \r
4797 receiving blocks padded in this manner will proceed normally.\r
4798 \r
4799 \r
4800 \r
4801 \r
4802 \r
4803 \r
4804 \r
4805 \r
4806 \r
4807 \r
4808 \r
4809 \r
4810 \r
4811 \r
4812 \r
4813 \r
4814 \r
4815 \r
4816 \r
4817 \r
4818 \r
4819 \r
4820 \r
4821 \r
4822 \r
4823 \r
4824 \r
4825 \r
4826 \r
4827 \r
4828 \r
4829 \r
4830 \r
4831 \r
4832 \r
4833 \r
4834 \r
4835 \r
4836 \r
4837 \r
4838 \r
4839 \r
4840 \r
4841 \r
4842 \r
4843 \r
4844 \r
4845 \r
4846 \r
4847 \r
4848 \r
4849 Dierks & Rescorla Standards Track [Page 76] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4850 \r
4851 \r
4852 \r
4853 F. Security analysis\r
4854 \r
4855 \r
4856 The TLS protocol is designed to establish a secure connection between\r
4857 a client and a server communicating over an insecure channel. This\r
4858 document makes several traditional assumptions, including that\r
4859 attackers have substantial computational resources and cannot obtain\r
4860 secret information from sources outside the protocol. Attackers are\r
4861 assumed to have the ability to capture, modify, delete, replay, and\r
4862 otherwise tamper with messages sent over the communication channel.\r
4863 This appendix outlines how TLS has been designed to resist a variety\r
4864 of attacks.\r
4865 \r
4866 \r
4867 F.1. Handshake protocol\r
4868 \r
4869 \r
4870 The handshake protocol is responsible for selecting a CipherSpec and\r
4871 generating a Master Secret, which together comprise the primary\r
4872 cryptographic parameters associated with a secure session. The\r
4873 handshake protocol can also optionally authenticate parties who have\r
4874 certificates signed by a trusted certificate authority.\r
4875 \r
4876 \r
4877 F.1.1. Authentication and key exchange\r
4878 \r
4879 \r
4880 TLS supports three authentication modes: authentication of both\r
4881 parties, server authentication with an unauthenticated client, and\r
4882 total anonymity. Whenever the server is authenticated, the channel is\r
4883 secure against man-in-the-middle attacks, but completely anonymous\r
4884 sessions are inherently vulnerable to such attacks. Anonymous\r
4885 servers cannot authenticate clients. If the server is authenticated,\r
4886 its certificate message must provide a valid certificate chain\r
4887 leading to an acceptable certificate authority. Similarly,\r
4888 authenticated clients must supply an acceptable certificate to the\r
4889 server. Each party is responsible for verifying that the other's\r
4890 certificate is valid and has not expired or been revoked.\r
4891 \r
4892 \r
4893 The general goal of the key exchange process is to create a\r
4894 pre_master_secret known to the communicating parties and not to\r
4895 attackers. The pre_master_secret will be used to generate the\r
4896 master_secret (see Section 8.1). The master_secret is required to |\r
4897 generate the finished messages, encryption keys, and MAC secrets (see\r
4898 Sections 7.4.8, 7.4.9 and 6.3). By sending a correct finished\r
4899 message, parties thus prove that they know the correct\r
4900 pre_master_secret.\r
4901 \r
4902 \r
4903 F.1.1.1. Anonymous key exchange\r
4904 \r
4905 \r
4906 Completely anonymous sessions can be established using RSA or Diffie-\r
4907 Hellman for key exchange. With anonymous RSA, the client encrypts a\r
4908 pre_master_secret with the server's uncertified public key extracted\r
4909 \r
4910 \r
4911 \r
4912 \r
4913 Dierks & Rescorla Standards Track [Page 77] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4914 \r
4915 \r
4916 \r
4917 from the server key exchange message. The result is sent in a client\r
4918 key exchange message. Since eavesdroppers do not know the server's\r
4919 private key, it will be infeasible for them to decode the |\r
4920 pre_master_secret. |\r
4921 \r
4922 \r
4923 Note: No anonymous RSA Cipher Suites are defined in this document.\r
4924 \r
4925 \r
4926 With Diffie-Hellman, the server's public parameters are contained in\r
4927 the server key exchange message and the client's are sent in the\r
4928 client key exchange message. Eavesdroppers who do not know the\r
4929 private values should not be able to find the Diffie-Hellman result\r
4930 (i.e. the pre_master_secret).\r
4931 \r
4932 \r
4933 Warning: Completely anonymous connections only provide protection\r
4934 against passive eavesdropping. Unless an independent tamper-\r
4935 proof channel is used to verify that the finished messages\r
4936 were not replaced by an attacker, server authentication is\r
4937 required in environments where active man-in-the-middle\r
4938 attacks are a concern.\r
4939 \r
4940 \r
4941 F.1.1.2. RSA key exchange and authentication\r
4942 \r
4943 \r
4944 With RSA, key exchange and server authentication are combined. The\r
4945 public key may be either contained in the server's certificate or may\r
4946 be a temporary RSA key sent in a server key exchange message. When\r
4947 temporary RSA keys are used, they are signed by the server's RSA |\r
4948 certificate. The signature includes the current ClientHello.random,\r
4949 so old signatures and temporary keys cannot be replayed. Servers may\r
4950 use a single temporary RSA key for multiple negotiation sessions.\r
4951 \r
4952 \r
4953 Note: The temporary RSA key option is useful if servers need large\r
4954 certificates but must comply with government-imposed size limits\r
4955 on keys used for key exchange.\r
4956 \r
4957 \r
4958 Note that if ephemeral RSA is not used, compromise of the server's |\r
4959 static RSA key results in a loss of confidentiality for all sessions |\r
4960 protected under that static key. TLS users desiring Perfect Forward |\r
4961 Secrecy should use DHE cipher suites. The damage done by exposure of |\r
4962 a private key can be limited by changing one's private key (and |\r
4963 certificate) frequently. |\r
4964 \r
4965 \r
4966 After verifying the server's certificate, the client encrypts a\r
4967 pre_master_secret with the server's public key. By successfully\r
4968 decoding the pre_master_secret and producing a correct finished\r
4969 message, the server demonstrates that it knows the private key\r
4970 corresponding to the server certificate.\r
4971 \r
4972 \r
4973 When RSA is used for key exchange, clients are authenticated using\r
4974 \r
4975 \r
4976 \r
4977 \r
4978 Dierks & Rescorla Standards Track [Page 78] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
4979 \r
4980 \r
4981 \r
4982 the certificate verify message (see Section 7.4.8). The client signs\r
4983 a value derived from the master_secret and all preceding handshake\r
4984 messages. These handshake messages include the server certificate,\r
4985 which binds the signature to the server, and ServerHello.random,\r
4986 which binds the signature to the current handshake process.\r
4987 \r
4988 \r
4989 F.1.1.3. Diffie-Hellman key exchange with authentication\r
4990 \r
4991 \r
4992 When Diffie-Hellman key exchange is used, the server can either\r
4993 supply a certificate containing fixed Diffie-Hellman parameters or\r
4994 can use the server key exchange message to send a set of temporary\r
4995 Diffie-Hellman parameters signed with a DSS or RSA certificate.\r
4996 Temporary parameters are hashed with the hello.random values before\r
4997 signing to ensure that attackers do not replay old parameters. In\r
4998 either case, the client can verify the certificate or signature to\r
4999 ensure that the parameters belong to the server.\r
5000 \r
5001 \r
5002 If the client has a certificate containing fixed Diffie-Hellman\r
5003 parameters, its certificate contains the information required to\r
5004 complete the key exchange. Note that in this case the client and\r
5005 server will generate the same Diffie-Hellman result (i.e.,\r
5006 pre_master_secret) every time they communicate. To prevent the\r
5007 pre_master_secret from staying in memory any longer than necessary,\r
5008 it should be converted into the master_secret as soon as possible.\r
5009 Client Diffie-Hellman parameters must be compatible with those\r
5010 supplied by the server for the key exchange to work.\r
5011 \r
5012 \r
5013 If the client has a standard DSS or RSA certificate or is\r
5014 unauthenticated, it sends a set of temporary parameters to the server\r
5015 in the client key exchange message, then optionally uses a\r
5016 certificate verify message to authenticate itself.\r
5017 \r
5018 \r
5019 If the same DH keypair is to be used for multiple handshakes, either |\r
5020 because the client or server has a certificate containing a fixed DH |\r
5021 keypair or because the server is reusing DH keys, care must be taken |\r
5022 to prevent small subgroup attacks. Implementations SHOULD follow the |\r
5023 guidelines found in [SUBGROUP]. |\r
5024 \r
5025 \r
5026 Small subgroup attacks are most easily avoided by using one of the |\r
5027 DHE ciphersuites and generating a fresh DH private key (X) for each |\r
5028 handshake. If a suitable base (such as 2) is chosen, g^X mod p can be |\r
5029 computed very quickly so the performance cost is minimized. |\r
5030 Additionally, using a fresh key for each handshake provides Perfect |\r
5031 Forward Secrecy. Implementations SHOULD generate a new X for each |\r
5032 handshake when using DHE ciphersuites. |\r
5033 \r
5034 \r
5035 F.1.2. Version rollback attacks\r
5036 \r
5037 \r
5038 \r
5039 \r
5040 \r
5041 Dierks & Rescorla Standards Track [Page 79] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5042 \r
5043 \r
5044 \r
5045 Because TLS includes substantial improvements over SSL Version 2.0,\r
5046 attackers may try to make TLS-capable clients and servers fall back\r
5047 to Version 2.0. This attack can occur if (and only if) two TLS-\r
5048 capable parties use an SSL 2.0 handshake.\r
5049 \r
5050 \r
5051 Although the solution using non-random PKCS #1 block type 2 message\r
5052 padding is inelegant, it provides a reasonably secure way for Version\r
5053 3.0 servers to detect the attack. This solution is not secure against\r
5054 attackers who can brute force the key and substitute a new ENCRYPTED-\r
5055 KEY-DATA message containing the same key (but with normal padding)\r
5056 before the application specified wait threshold has expired. Parties\r
5057 concerned about attacks of this scale should not be using 40-bit\r
5058 encryption keys anyway. Altering the padding of the least-significant\r
5059 8 bytes of the PKCS padding does not impact security for the size of\r
5060 the signed hashes and RSA key lengths used in the protocol, since\r
5061 this is essentially equivalent to increasing the input block size by\r
5062 8 bytes.\r
5063 \r
5064 \r
5065 F.1.3. Detecting attacks against the handshake protocol\r
5066 \r
5067 \r
5068 An attacker might try to influence the handshake exchange to make the\r
5069 parties select different encryption algorithms than they would |\r
5070 normally chooses. Because many implementations will support 40-bit\r
5071 exportable encryption and some may even support null encryption or\r
5072 MAC algorithms, this attack is of particular concern.\r
5073 \r
5074 \r
5075 For this attack, an attacker must actively change one or more\r
5076 handshake messages. If this occurs, the client and server will\r
5077 compute different values for the handshake message hashes. As a\r
5078 result, the parties will not accept each others' finished messages.\r
5079 Without the master_secret, the attacker cannot repair the finished\r
5080 messages, so the attack will be discovered.\r
5081 \r
5082 \r
5083 F.1.4. Resuming sessions\r
5084 \r
5085 \r
5086 When a connection is established by resuming a session, new\r
5087 ClientHello.random and ServerHello.random values are hashed with the\r
5088 session's master_secret. Provided that the master_secret has not been\r
5089 compromised and that the secure hash operations used to produce the\r
5090 encryption keys and MAC secrets are secure, the connection should be\r
5091 secure and effectively independent from previous connections.\r
5092 Attackers cannot use known encryption keys or MAC secrets to\r
5093 compromise the master_secret without breaking the secure hash\r
5094 operations (which use both SHA and MD5).\r
5095 \r
5096 \r
5097 Sessions cannot be resumed unless both the client and server agree.\r
5098 If either party suspects that the session may have been compromised,\r
5099 or that certificates may have expired or been revoked, it should\r
5100 \r
5101 \r
5102 \r
5103 \r
5104 Dierks & Rescorla Standards Track [Page 80] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5105 \r
5106 \r
5107 \r
5108 force a full handshake. An upper limit of 24 hours is suggested for\r
5109 session ID lifetimes, since an attacker who obtains a master_secret\r
5110 may be able to impersonate the compromised party until the\r
5111 corresponding session ID is retired. Applications that may be run in\r
5112 relatively insecure environments should not write session IDs to\r
5113 stable storage.\r
5114 \r
5115 \r
5116 F.1.5. MD5 and SHA\r
5117 \r
5118 \r
5119 TLS uses hash functions very conservatively. Where possible, both MD5\r
5120 and SHA are used in tandem to ensure that non-catastrophic flaws in\r
5121 one algorithm will not break the overall protocol.\r
5122 \r
5123 \r
5124 F.2. Protecting application data\r
5125 \r
5126 \r
5127 The master_secret is hashed with the ClientHello.random and\r
5128 ServerHello.random to produce unique data encryption keys and MAC\r
5129 secrets for each connection.\r
5130 \r
5131 \r
5132 Outgoing data is protected with a MAC before transmission. To prevent\r
5133 message replay or modification attacks, the MAC is computed from the\r
5134 MAC secret, the sequence number, the message length, the message\r
5135 contents, and two fixed character strings. The message type field is\r
5136 necessary to ensure that messages intended for one TLS Record Layer\r
5137 client are not redirected to another. The sequence number ensures\r
5138 that attempts to delete or reorder messages will be detected. Since\r
5139 sequence numbers are 64-bits long, they should never overflow.\r
5140 Messages from one party cannot be inserted into the other's output,\r
5141 since they use independent MAC secrets. Similarly, the server-write\r
5142 and client-write keys are independent so stream cipher keys are used\r
5143 only once.\r
5144 \r
5145 \r
5146 If an attacker does break an encryption key, all messages encrypted\r
5147 with it can be read. Similarly, compromise of a MAC key can make\r
5148 message modification attacks possible. Because MACs are also\r
5149 encrypted, message-alteration attacks generally require breaking the\r
5150 encryption algorithm as well as the MAC.\r
5151 \r
5152 \r
5153 Note: MAC secrets may be larger than encryption keys, so messages can\r
5154 remain tamper resistant even if encryption keys are broken.\r
5155 \r
5156 \r
5157 F.3. Explicit IVs |\r
5158 \r
5159 \r
5160 [CBCATT] describes a chosen plaintext attack on TLS that depends |\r
5161 on knowing the IV for a record. Previous versions of TLS [TLS1.0] |\r
5162 used the CBC residue of the previous record as the IV and |\r
5163 therefore enabled this attack. This version uses an explicit IV |\r
5164 in order to protect against this attack. |\r
5165 \r
5166 \r
5167 \r
5168 \r
5169 Dierks & Rescorla Standards Track [Page 81] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5170 \r
5171 \r
5172 \r
5173 F.4 Security of Composite Cipher Modes |\r
5174 \r
5175 \r
5176 TLS secures transmitted application data via the use of symmetric |\r
5177 encryption and authentication functions defined in the negotiated |\r
5178 ciphersuite. The objective is to protect both the integrity and |\r
5179 confidentiality of the transmitted data from malicious actions by |\r
5180 active attackers in the network. It turns out that the order in |\r
5181 which encryption and authentication functions are applied to the |\r
5182 data plays an important role for achieving this goal [ENCAUTH]. |\r
5183 \r
5184 \r
5185 The most robust method, called encrypt-then-authenticate, first |\r
5186 applies encryption to the data and then applies a MAC to the |\r
5187 ciphertext. This method ensures that the integrity and |\r
5188 confidentiality goals are obtained with ANY pair of encryption |\r
5189 and MAC functions provided that the former is secure against |\r
5190 chosen plaintext attacks and the MAC is secure against chosen- |\r
5191 message attacks. TLS uses another method, called authenticate- |\r
5192 then-encrypt, in which first a MAC is computed on the plaintext |\r
5193 and then the concatenation of plaintext and MAC is encrypted. |\r
5194 This method has been proven secure for CERTAIN combinations of |\r
5195 encryption functions and MAC functions, but is not guaranteed to |\r
5196 be secure in general. In particular, it has been shown that there |\r
5197 exist perfectly secure encryption functions (secure even in the |\r
5198 information theoretic sense) that combined with any secure MAC |\r
5199 function fail to provide the confidentiality goal against an |\r
5200 active attack. Therefore, new ciphersuites and operation modes |\r
5201 adopted into TLS need to be analyzed under the authenticate-then- |\r
5202 encrypt method to verify that they achieve the stated integrity |\r
5203 and confidentiality goals. |\r
5204 \r
5205 \r
5206 Currently, the security of the authenticate-then-encrypt method |\r
5207 has been proven for some important cases. One is the case of |\r
5208 stream ciphers in which a computationally unpredictable pad of |\r
5209 the length of the message plus the length of the MAC tag is |\r
5210 produced using a pseudo-random generator and this pad is xor-ed |\r
5211 with the concatenation of plaintext and MAC tag. The other is |\r
5212 the case of CBC mode using a secure block cipher. In this case, |\r
5213 security can be shown if one applies one CBC encryption pass to |\r
5214 the concatenation of plaintext and MAC and uses a new, |\r
5215 independent and unpredictable, IV for each new pair of plaintext |\r
5216 and MAC. In previous versions of SSL, CBC mode was used properly |\r
5217 EXCEPT that it used a predictable IV in the form of the last |\r
5218 block of the previous ciphertext. This made TLS open to chosen |\r
5219 plaintext attacks. This verson of the protocol is immune to |\r
5220 those attacks. For exact details in the encryption modes proven |\r
5221 secure see [ENCAUTH]. |\r
5222 \r
5223 \r
5224 \r
5225 \r
5226 \r
5227 \r
5228 Dierks & Rescorla Standards Track [Page 82] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5229 \r
5230 \r
5231 \r
5232 F.5 Denial of Service |\r
5233 \r
5234 \r
5235 TLS is susceptible to a number of denial of service (DoS) |\r
5236 attacks. In particular, an attacker who initiates a large number |\r
5237 of TCP connections can cause a server to consume large amounts of |\r
5238 CPU doing RSA decryption. However, because TLS is generally used |\r
5239 over TCP, it is difficult for the attacker to hide his point of |\r
5240 origin if proper TCP SYN randomization is used [SEQNUM] by the |\r
5241 TCP stack. |\r
5242 \r
5243 \r
5244 Because TLS runs over TCP, it is also susceptible to a number of |\r
5245 denial of service attacks on individual connections. In |\r
5246 particular, attackers can forge RSTs, terminating connections, or |\r
5247 forge partial TLS records, causing the connection to stall. |\r
5248 These attacks cannot in general be defended against by a TCP- |\r
5249 using protocol. Implementors or users who are concerned with this |\r
5250 class of attack should use IPsec AH [AH] or ESP [ESP]. |\r
5251 \r
5252 \r
5253 F.6. Final notes\r
5254 \r
5255 \r
5256 For TLS to be able to provide a secure connection, both the client\r
5257 and server systems, keys, and applications must be secure. In\r
5258 addition, the implementation must be free of security errors.\r
5259 \r
5260 \r
5261 The system is only as strong as the weakest key exchange and\r
5262 authentication algorithm supported, and only trustworthy\r
5263 cryptographic functions should be used. Short public keys, 40-bit\r
5264 bulk encryption keys, and anonymous servers should be used with great\r
5265 caution. Implementations and users must be careful when deciding\r
5266 which certificates and certificate authorities are acceptable; a\r
5267 dishonest certificate authority can do tremendous damage.\r
5268 \r
5269 \r
5270 \r
5271 \r
5272 \r
5273 \r
5274 \r
5275 \r
5276 \r
5277 \r
5278 \r
5279 \r
5280 \r
5281 \r
5282 \r
5283 \r
5284 \r
5285 \r
5286 \r
5287 \r
5288 \r
5289 Dierks & Rescorla Standards Track [Page 83] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5290 \r
5291 \r
5292 \r
5293 G. Patent Statement\r
5294 \r
5295 \r
5296 Netscape Communications Corporation (now America Online) has a patent |\r
5297 claim on the Secure Sockets Layer (SSL) work that this standard is |\r
5298 based on. The Internet Standards Process as defined in RFC 2026 |\r
5299 requests that a statement be obtained from a Patent holder indicating |\r
5300 that a license will be made available to applicants under reasonable |\r
5301 terms and conditions.\r
5302 \r
5303 \r
5304 Secure Socket Layer Application Program Apparatus And Method\r
5305 ("SSL"), No. 5,657,390\r
5306 \r
5307 \r
5308 Netscape Communications has issued the following statement:\r
5309 \r
5310 \r
5311 Intellectual Property Rights\r
5312 \r
5313 \r
5314 Secure Sockets Layer\r
5315 \r
5316 \r
5317 The United States Patent and Trademark Office ("the PTO")\r
5318 recently issued U.S. Patent No. 5,657,390 ("the SSL Patent") to\r
5319 Netscape for inventions described as Secure Sockets Layers\r
5320 ("SSL"). The IETF is currently considering adopting SSL as a\r
5321 transport protocol with security features. Netscape encourages\r
5322 the royalty-free adoption and use of the SSL protocol upon the\r
5323 following terms and conditions:\r
5324 \r
5325 \r
5326 * If you already have a valid SSL Ref license today which\r
5327 includes source code from Netscape, an additional patent\r
5328 license under the SSL patent is not required.\r
5329 \r
5330 \r
5331 * If you don't have an SSL Ref license, you may have a royalty\r
5332 free license to build implementations covered by the SSL\r
5333 Patent Claims or the IETF TLS specification provided that you\r
5334 do not to assert any patent rights against Netscape or other\r
5335 companies for the implementation of SSL or the IETF TLS\r
5336 recommendation.\r
5337 \r
5338 \r
5339 What are "Patent Claims":\r
5340 \r
5341 \r
5342 Patent claims are claims in an issued foreign or domestic patent\r
5343 that:\r
5344 \r
5345 \r
5346 1) must be infringed in order to implement methods or build\r
5347 products according to the IETF TLS specification; or\r
5348 \r
5349 \r
5350 2) patent claims which require the elements of the SSL patent\r
5351 claims and/or their equivalents to be infringed.\r
5352 \r
5353 \r
5354 \r
5355 \r
5356 \r
5357 Dierks & Rescorla Standards Track [Page 84] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5358 \r
5359 \r
5360 \r
5361 The Internet Society, Internet Architecture Board, Internet\r
5362 Engineering Steering Group and the Corporation for National Research\r
5363 Initiatives take no position on the validity or scope of the patents\r
5364 and patent applications, nor on the appropriateness of the terms of\r
5365 the assurance. The Internet Society and other groups mentioned above\r
5366 have not made any determination as to any other intellectual property\r
5367 rights which may apply to the practice of this standard. Any further\r
5368 consideration of these matters is the user's own responsibility.\r
5369 \r
5370 \r
5371 Security Considerations\r
5372 \r
5373 \r
5374 Security issues are discussed throughout this memo, especially in |\r
5375 Appendices D, E, and F.\r
5376 \r
5377 \r
5378 Normative References |\r
5379 \r
5380 \r
5381 [3DES] W. Tuchman, "Hellman Presents No Shortcut Solutions To DES," |\r
5382 IEEE Spectrum, v. 16, n. 7, July 1979, pp40-41.\r
5383 \r
5384 \r
5385 [DES] ANSI X3.106, "American National Standard for Information\r
5386 Systems-Data Link Encryption," American National Standards\r
5387 Institute, 1983.\r
5388 \r
5389 \r
5390 [DH1] W. Diffie and M. E. Hellman, "New Directions in\r
5391 Cryptography," IEEE Transactions on Information Theory, V.\r
5392 IT-22, n. 6, Jun 1977, pp. 74-84.\r
5393 \r
5394 \r
5395 [DSS] NIST FIPS PUB 186, "Digital Signature Standard," National\r
5396 Institute of Standards and Technology, U.S. Department of\r
5397 Commerce, May 18, 1994.\r
5398 \r
5399 \r
5400 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-\r
5401 Hashing for Message Authentication," RFC 2104, February\r
5402 1997.\r
5403 \r
5404 \r
5405 [IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH\r
5406 Series in Information Processing, v. 1, Konstanz: Hartung-\r
5407 Gorre Verlag, 1992.\r
5408 \r
5409 \r
5410 [MD2] Kaliski, B., "The MD2 Message Digest Algorithm", RFC 1319,\r
5411 April 1992.\r
5412 \r
5413 \r
5414 [MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,\r
5415 April 1992.\r
5416 \r
5417 \r
5418 [PKCS1] RSA Laboratories, "PKCS #1: RSA Encryption Standard,"\r
5419 version 1.5, November 1993.\r
5420 \r
5421 \r
5422 \r
5423 \r
5424 \r
5425 Dierks & Rescorla Standards Track [Page 85] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5426 \r
5427 \r
5428 \r
5429 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax\r
5430 Standard," version 1.5, November 1993.\r
5431 \r
5432 \r
5433 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax\r
5434 Standard," version 1.5, November 1993.\r
5435 \r
5436 \r
5437 [PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet\r
5438 Public Key Infrastructure: Part I: X.509 Certificate and CRL\r
5439 Profile", RFC 2459, January 1999.\r
5440 \r
5441 \r
5442 [RC2] Rivest, R., "A Description of the RC2(r) Encryption\r
5443 Algorithm", RFC 2268, January 1998.\r
5444 \r
5445 \r
5446 [RC4] Thayer, R. and K. Kaukonen, A Stream Cipher Encryption\r
5447 Algorithm, Work in Progress.\r
5448 \r
5449 \r
5450 [RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for\r
5451 Obtaining Digital Signatures and Public-Key Cryptosystems,"\r
5452 Communications of the ACM, v. 21, n. 2, Feb 1978, pp.\r
5453 120-126.\r
5454 \r
5455 \r
5456 [SHA] NIST FIPS PUB 180-1, "Secure Hash Standard," National\r
5457 Institute of Standards and Technology, U.S. Department of\r
5458 Commerce, Work in Progress, May 31, 1994.\r
5459 \r
5460 \r
5461 [SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications\r
5462 Corp., Feb 9, 1995.\r
5463 \r
5464 \r
5465 [SSL3] A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol",\r
5466 Netscape Communications Corp., Nov 18, 1996.\r
5467 \r
5468 \r
5469 [REQ] Bradner, S., "Key words for use in RFCs to Indicate |\r
5470 Requirement Levels", BCP 14, RFC 2119, March 1997.\r
5471 \r
5472 \r
5473 [TLS1.0] Dierks, T., and Allen, C., "The TLS Protocol, Version 1.0", |\r
5474 RFC 2246, January 1999.\r
5475 \r
5476 \r
5477 [TLSEXT] Blake-Wilson, S., Nystrom, M, Hopwood, D., Mikkelsen, J., |\r
5478 Wright, T., "Transport Layer Security (TLS) Extensions", RFC |\r
5479 3546, June 2003.\r
5480 [X509] CCITT. Recommendation X.509: "The Directory - Authentication\r
5481 Framework". 1988.\r
5482 \r
5483 \r
5484 \r
5485 \r
5486 \r
5487 \r
5488 \r
5489 \r
5490 \r
5491 \r
5492 Dierks & Rescorla Standards Track [Page 86] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5493 \r
5494 \r
5495 \r
5496 Informative References |\r
5497 \r
5498 \r
5499 [AH] Kent, S., and Atkinson, R., "IP Authentication Header", RFC |\r
5500 2402, November 1998. |\r
5501 \r
5502 \r
5503 [BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against |\r
5504 Protocols Based on RSA Encryption Standard PKCS #1" in |\r
5505 Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages: |\r
5506 1-12, 1998. |\r
5507 \r
5508 \r
5509 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS: |\r
5510 Problems and Countermeasures", |\r
5511 http://www.openssl.org/~bodo/tls-cbc.txt. |\r
5512 \r
5513 \r
5514 [CBCTIME] Canvel, B., "Password Interception in a SSL/TLS Channel", |\r
5515 http://lasecwww.epfl.ch/memo_ssl.shtml, 2003. |\r
5516 \r
5517 \r
5518 [ENCAUTH] Krawczyk, H., "The Order of Encryption and Authentication |\r
5519 for Protecting Communications (Or: How Secure is SSL?)", |\r
5520 Crypto 2001. |\r
5521 \r
5522 \r
5523 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security |\r
5524 Payload (ESP)", RFC 2406, November 1998. |\r
5525 \r
5526 \r
5527 [FTP] Postel J., and J. Reynolds, "File Transfer Protocol", STD 9, |\r
5528 RFC 959, October 1985. |\r
5529 \r
5530 \r
5531 [HTTP] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext |\r
5532 Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996. |\r
5533 \r
5534 \r
5535 [KPR03] Klima, V., Pokorny, O., Rosa, T., "Attacking RSA-based |\r
5536 Sessions in SSL/TLS", http://eprint.iacr.org/2003/052/, |\r
5537 March 2003. |\r
5538 [RSADSI] Contact RSA Data Security, Inc., Tel: 415-595-8782 |\r
5539 \r
5540 \r
5541 [SCH] B. Schneier. Applied Cryptography: Protocols, Algorithms, |\r
5542 and Source Code in C, Published by John Wiley & Sons, Inc. |\r
5543 1994. |\r
5544 \r
5545 \r
5546 [SEQNUM] Bellovin. S., "Defending Against Sequence Number Attacks", |\r
5547 RFC 1948, May 1996. |\r
5548 \r
5549 \r
5550 [SUBGROUP] R. Zuccherato, "Methods for Avoiding the Small-Subgroup |\r
5551 Attacks on the Diffie-Hellman Key Agreement Method for |\r
5552 S/MIME", RFC 2785, March 2000. |\r
5553 \r
5554 \r
5555 [TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793, |\r
5556 September 1981. |\r
5557 \r
5558 \r
5559 \r
5560 \r
5561 Dierks & Rescorla Standards Track [Page 87] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5562 \r
5563 \r
5564 \r
5565 [TIMING] Boneh, D., Brumley, D., "Remote timing attacks are |\r
5566 practical", USENIX Security Symposium 2003. |\r
5567 \r
5568 \r
5569 [XDR] R. Srinivansan, Sun Microsystems, RFC-1832: XDR: External\r
5570 Data Representation Standard, August 1995.\r
5571 \r
5572 \r
5573 \r
5574 Credits |\r
5575 \r
5576 \r
5577 Working Group Chairs |\r
5578 Win Treese\r
5579 EMail: treese@acm.org |\r
5580 \r
5581 \r
5582 Eric Rescorla |\r
5583 EMail: ekr@rtfm.com |\r
5584 \r
5585 \r
5586 \r
5587 Editors\r
5588 \r
5589 \r
5590 Tim Dierks Eric Rescorla |\r
5591 Google RTFM, Inc. |\r
5592 \r
5593 \r
5594 EMail: tim@dierks.org EMail: ekr@rtfm.com |\r
5595 \r
5596 \r
5597 \r
5598 \r
5599 Other contributors\r
5600 \r
5601 \r
5602 Christopher Allen (co-editor of TLS 1.0) |\r
5603 Alacrity Ventures |\r
5604 ChristopherA@AlacrityVentures.com |\r
5605 \r
5606 \r
5607 Martin Abadi |\r
5608 University of California, Santa Cruz |\r
5609 abadi@cs.ucsc.edu |\r
5610 \r
5611 \r
5612 Ran Canetti |\r
5613 IBM |\r
5614 canetti@watson.ibm.com |\r
5615 \r
5616 \r
5617 Taher Elgamal |\r
5618 taher@securify.com |\r
5619 Securify |\r
5620 \r
5621 \r
5622 Anil Gangolli |\r
5623 Structured Arts |\r
5624 \r
5625 \r
5626 Kipp Hickman |\r
5627 \r
5628 \r
5629 \r
5630 \r
5631 Dierks & Rescorla Standards Track [Page 88] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5632 \r
5633 \r
5634 \r
5635 Phil Karlton (co-author of SSLv3) |\r
5636 \r
5637 \r
5638 Paul Kocher (co-author of SSLv3) |\r
5639 Cryptography Research |\r
5640 paul@cryptography.com |\r
5641 \r
5642 \r
5643 Hugo Krawczyk |\r
5644 Technion Israel Institute of Technology |\r
5645 hugo@ee.technion.ac.il |\r
5646 \r
5647 \r
5648 Robert Relyea |\r
5649 Netscape Communications |\r
5650 relyea@netscape.com |\r
5651 \r
5652 \r
5653 Jim Roskind |\r
5654 Netscape Communications |\r
5655 jar@netscape.com |\r
5656 \r
5657 \r
5658 Michael Sabin |\r
5659 \r
5660 \r
5661 Dan Simon |\r
5662 Microsoft, Inc. |\r
5663 dansimon@microsoft.com |\r
5664 \r
5665 \r
5666 Tom Weinstein |\r
5667 \r
5668 \r
5669 Comments\r
5670 \r
5671 \r
5672 The discussion list for the IETF TLS working group is located at the\r
5673 e-mail address <ietf-tls@lists.consensus.com>. Information on the\r
5674 group and information on how to subscribe to the list is at\r
5675 <http://lists.consensus.com/>.\r
5676 \r
5677 \r
5678 Archives of the list can be found at:\r
5679 <http://www.imc.org/ietf-tls/mail-archive/>\r
5680 \r
5681 \r
5682 \r
5683 \r
5684 \r
5685 \r
5686 \r
5687 \r
5688 \r
5689 \r
5690 \r
5691 \r
5692 \r
5693 \r
5694 \r
5695 \r
5696 \r
5697 Dierks & Rescorla Standards Track [Page 89] draft-ietf-tls-rfc2246-bis-06.txt TLS March 2004\r
5698 \r
5699 \r
5700 \r
5701 Full Copyright Statement\r
5702 \r
5703 \r
5704 Copyright (C) The Internet Society (1999). All Rights Reserved.\r
5705 \r
5706 \r
5707 This document and translations of it may be copied and furnished to\r
5708 others, and derivative works that comment on or otherwise explain it\r
5709 or assist in its implementation may be prepared, copied, published\r
5710 and distributed, in whole or in part, without restriction of any\r
5711 kind, provided that the above copyright notice and this paragraph are\r
5712 included on all such copies and derivative works. However, this\r
5713 document itself may not be modified in any way, such as by removing\r
5714 the copyright notice or references to the Internet Society or other\r
5715 Internet organizations, except as needed for the purpose of\r
5716 developing Internet standards in which case the procedures for\r
5717 copyrights defined in the Internet Standards process must be\r
5718 followed, or as required to translate it into languages other than\r
5719 English.\r
5720 \r
5721 \r
5722 The limited permissions granted above are perpetual and will not be\r
5723 revoked by the Internet Society or its successors or assigns.\r
5724 \r
5725 \r
5726 This document and the information contained herein is provided on an\r
5727 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING\r
5728 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING\r
5729 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION\r
5730 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF\r
5731 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.\r
5732 \r
5733 \r
5734 \r
5735 \r
5736 \r
5737 \r
5738 \r
5739 \r
5740 \r
5741 \r
5742 \r
5743 \r
5744 \r
5745 \r
5746 \r
5747 \r
5748 \r
5749 \r
5750 \r
5751 \r
5752 \r
5753 \r
5754 \r
5755 \r
5756 Dierks & Rescorla Standards Track [Page 90]