| blob | 4f869f8905bc7f3b3af51f4b73121f3cf2a74b8d |
4 Tim Dierks
5 Independent
6 Eric Rescorla
7 INTERNET-DRAFT Network Resonance, Inc.
8 <draft-ietf-tls-rfc4346-bis-02.txt> October 2006 (Expires April 2006)
10 The TLS Protocol
11 Version 1.2
13 Status of this Memo
14 By submitting this Internet-Draft, each author represents that any
15 applicable patent or other IPR claims of which he or she is aware
16 have been or will be disclosed, and any of which he or she becomes
17 aware will be disclosed, in accordance with Section 6 of BCP 79.
19 Internet-Drafts are working documents of the Internet Engineering
20 Task Force (IETF), its areas, and its working groups. Note that
21 other groups may also distribute working documents as Internet-
22 Drafts.
24 Internet-Drafts are draft documents valid for a maximum of six months
25 and may be updated, replaced, or obsoleted by other documents at any
26 time. It is inappropriate to use Internet-Drafts as reference
27 material or to cite them other than as "work in progress."
29 The list of current Internet-Drafts can be accessed at
30 http://www.ietf.org/ietf/1id-abstracts.txt.
32 The list of Internet-Draft Shadow Directories can be accessed at
33 http://www.ietf.org/shadow.html.
35 Copyright Notice
37 Copyright (C) The Internet Society (2006).
39 Abstract
41 This document specifies Version 1.2 of the Transport Layer Security
42 (TLS) protocol. The TLS protocol provides communications security
43 over the Internet. The protocol allows client/server applications to
44 communicate in a way that is designed to prevent eavesdropping,
45 tampering, or message forgery.
47 Table of Contents
49 1. Introduction 4
50 1.1 Differences from TLS 1.1 5
51 1.1 Requirements Terminology 5
55 Dierks & Rescorla Standards Track [Page 1]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
58 2. Goals 5
59 3. Goals of this document 6
60 4. Presentation language 6
61 4.1. Basic block size 7
62 4.2. Miscellaneous 7
63 4.3. Vectors 7
64 4.4. Numbers 8
65 4.5. Enumerateds 8
66 4.6. Constructed types 9
67 4.6.1. Variants 10
68 4.7. Cryptographic attributes 11
69 4.8. Constants 12
70 5. HMAC and the pseudorandom function 12
71 6. The TLS Record Protocol 14
72 6.1. Connection states 14
73 6.2. Record layer 17
74 6.2.1. Fragmentation 17
75 6.2.2. Record compression and decompression 18
76 6.2.3. Record payload protection 19
77 6.2.3.1. Null or standard stream cipher 19
78 6.2.3.2. CBC block cipher 20
79 6.2.3.3. AEAD ciphers 23
80 6.3. Key calculation 24
81 7. The TLS Handshaking Protocols 24
82 7.1. Change cipher spec protocol 25
83 7.2. Alert protocol 26
84 7.2.1. Closure alerts 27
85 7.2.2. Error alerts 28
86 7.3. Handshake Protocol overview 31
87 7.4. Handshake protocol 35
88 7.4.1. Hello messages 36
89 7.4.1.1. Hello request 36
90 7.4.1.2. Client hello 37
91 7.4.1.3. Server hello 40
92 7.4.1.4 Hello Extensions 41
93 7.4.1.4.1 Server Name Indication 43
94 7.4.1.4.2 Maximum Fragment Length Negotiation 44
95 7.4.1.4.3 Client Certificate URLs 46
96 7.4.1.4.4 Trusted CA Indication 46
97 7.4.1.4.5 Truncated HMAC 48
98 7.4.1.4.6 Certificate Status Request 49
99 7.4.1.4.7 Cert Hash Types 50
100 7.4.1.4.8 Procedure for Defining New Extensions 51
101 7.4.2. Server certificate 52
102 7.4.3. Server key exchange message 53
103 7.4.4. CertificateStatus 56
104 7.4.5. Certificate request 56
105 7.4.6. Server hello done 58
109 Dierks & Rescorla Standards Track [Page 2]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
112 7.4.7. Client certificate 59
113 7.4.8. Client Certificate URLs 59
114 7.4.9. Client key exchange message 61
115 7.4.9.1. RSA encrypted premaster secret message 62
116 7.4.9.2. Client Diffie-Hellman public value 64
117 7.4.10. Certificate verify 65
118 7.4.10. Finished 65
119 8. Cryptographic computations 66
120 8.1. Computing the master secret 67
121 8.1.1. RSA 67
122 8.1.2. Diffie-Hellman 67
123 9. Mandatory Cipher Suites 67
124 A. Protocol constant values 71
125 A.1. Record layer 71
126 A.2. Change cipher specs message 72
127 A.3. Alert messages 72
128 A.4. Handshake protocol 74
129 A.4.1. Hello messages 74
130 A.4.2. Server authentication and key exchange messages 77
131 A.4.3. Client authentication and key exchange messages 78
132 A.4.4. Handshake finalization message 79
133 A.5. The CipherSuite 80
134 A.6. The Security Parameters 83
135 B. Glossary 84
136 C. CipherSuite definitions 88
137 D. Implementation Notes 90
138 D.1 Random Number Generation and Seeding 90
139 D.2 Certificates and authentication 90
140 D.3 CipherSuites 90
141 E. Backward Compatibility 91
142 E.1. Version 2 client hello 92
143 E.2. Avoiding man-in-the-middle version rollback 93
144 F. Security analysis 95
145 F.1. Handshake protocol 95
146 F.1.1. Authentication and key exchange 95
147 F.1.1.1. Anonymous key exchange 95
148 F.1.1.2. RSA key exchange and authentication 96
149 F.1.1.3. Diffie-Hellman key exchange with authentication 97
150 F.1.2. Version rollback attacks 97
151 F.1.3. Detecting attacks against the handshake protocol 98
152 F.1.4. Resuming sessions 98
153 F.1.5 Extensions 99
154 F.1.5.1 Security of server_name 99
155 F.1.5.2 Security of client_certificate_url 100
156 F.1.5.4. Security of trusted_ca_keys 101
157 F.1.5.5. Security of truncated_hmac 101
158 F.1.5.6. Security of status_request 102
159 F.2. Protecting application data 102
163 Dierks & Rescorla Standards Track [Page 3]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
166 F.3. Explicit IVs 103
167 F.4 Security of Composite Cipher Modes 103
168 F.5 Denial of Service 104
169 F.6. Final notes 104
172 1. Introduction
174 The primary goal of the TLS Protocol is to provide privacy and data
175 integrity between two communicating applications. The protocol is
176 composed of two layers: the TLS Record Protocol and the TLS Handshake
177 Protocol. At the lowest level, layered on top of some reliable
178 transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The
179 TLS Record Protocol provides connection security that has two basic
180 properties:
182 - The connection is private. Symmetric cryptography is used for
183 data encryption (e.g., DES [DES], RC4 [SCH], etc.). The keys for
184 this symmetric encryption are generated uniquely for each
185 connection and are based on a secret negotiated by another
186 protocol (such as the TLS Handshake Protocol). The Record
187 Protocol can also be used without encryption.
189 - The connection is reliable. Message transport includes a message
190 integrity check using a keyed MAC. Secure hash functions (e.g.,
191 SHA, MD5, etc.) are used for MAC computations. The Record
192 Protocol can operate without a MAC, but is generally only used in
193 this mode while another protocol is using the Record Protocol as
194 a transport for negotiating security parameters.
196 The TLS Record Protocol is used for encapsulation of various higher
197 level protocols. One such encapsulated protocol, the TLS Handshake
198 Protocol, allows the server and client to authenticate each other and
199 to negotiate an encryption algorithm and cryptographic keys before
200 the application protocol transmits or receives its first byte of
201 data. The TLS Handshake Protocol provides connection security that
202 has three basic properties:
204 - The peer's identity can be authenticated using asymmetric, or
205 public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This
206 authentication can be made optional, but is generally required
207 for at least one of the peers.
209 - The negotiation of a shared secret is secure: the negotiated
210 secret is unavailable to eavesdroppers, and for any authenticated
211 connection the secret cannot be obtained, even by an attacker who
212 can place himself in the middle of the connection.
217 Dierks & Rescorla Standards Track [Page 4]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
220 - The negotiation is reliable: no attacker can modify the
221 negotiation communication without being detected by the parties
222 to the communication.
224 One advantage of TLS is that it is application protocol independent.
225 Higher level protocols can layer on top of the TLS Protocol
226 transparently. The TLS standard, however, does not specify how
227 protocols add security with TLS; the decisions on how to initiate TLS
228 handshaking and how to interpret the authentication certificates
229 exchanged are left up to the judgment of the designers and
230 implementors of protocols which run on top of TLS.
232 1.1 Differences from TLS 1.1
233 This document is a revision of the TLS 1.1 [TLS1.1] protocol which
234 contains improved flexibility, particularly for negotiation of
235 cryptographic algorithms. The major changes are:
237 - Merged in TLS Extensions and AES Cipher Suites from external
238 documents.
240 - Replacement of MD5/SHA-1 combination in the PRF
242 - Replacement of MD5/SHA-1 combination in the digitally-signed
243 element.
245 - Allow the client to indicate which hash functions it supports.
247 - Allow the server to indicate which hash functions it supports
249 - Addition of support for authenticated encryption with additional
250 data modes.
252 1.1 Requirements Terminology
254 Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
255 "MAY" that appear in this document are to be interpreted as described
256 in RFC 2119 [REQ].
258 2. Goals
260 The goals of TLS Protocol, in order of their priority, are:
262 1. Cryptographic security: TLS should be used to establish a secure
263 connection between two parties.
265 2. Interoperability: Independent programmers should be able to
266 develop applications utilizing TLS that will then be able to
267 successfully exchange cryptographic parameters without knowledge
271 Dierks & Rescorla Standards Track [Page 5]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
274 of one another's code.
276 3. Extensibility: TLS seeks to provide a framework into which new
277 public key and bulk encryption methods can be incorporated as
278 necessary. This will also accomplish two sub-goals: to prevent
279 the need to create a new protocol (and risking the introduction
280 of possible new weaknesses) and to avoid the need to implement an
281 entire new security library.
283 4. Relative efficiency: Cryptographic operations tend to be highly
284 CPU intensive, particularly public key operations. For this
285 reason, the TLS protocol has incorporated an optional session
286 caching scheme to reduce the number of connections that need to
287 be established from scratch. Additionally, care has been taken to
288 reduce network activity.
290 3. Goals of this document
292 This document and the TLS protocol itself are based on the SSL 3.0
293 Protocol Specification as published by Netscape. The differences
294 between this protocol and SSL 3.0 are not dramatic, but they are
295 significant enough that the various versions of TLS and SSL 3.0 do
296 not interoperate (although each protocol incorporates a mechanism by
297 which an implementation can back down to prior versions.) This
298 document is intended primarily for readers who will be implementing
299 the protocol and those doing cryptographic analysis of it. The
300 specification has been written with this in mind, and it is intended
301 to reflect the needs of those two groups. For that reason, many of
302 the algorithm-dependent data structures and rules are included in the
303 body of the text (as opposed to in an appendix), providing easier
304 access to them.
306 This document is not intended to supply any details of service
307 definition nor interface definition, although it does cover select
308 areas of policy as they are required for the maintenance of solid
309 security.
311 4. Presentation language
313 This document deals with the formatting of data in an external
314 representation. The following very basic and somewhat casually
315 defined presentation syntax will be used. The syntax draws from
316 several sources in its structure. Although it resembles the
317 programming language "C" in its syntax and XDR [XDR] in both its
318 syntax and intent, it would be risky to draw too many parallels. The
319 purpose of this presentation language is to document TLS only, not to
320 have general application beyond that particular goal.
325 Dierks & Rescorla Standards Track [Page 6]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
328 4.1. Basic block size
330 The representation of all data items is explicitly specified. The
331 basic data block size is one byte (i.e. 8 bits). Multiple byte data
332 items are concatenations of bytes, from left to right, from top to
333 bottom. From the bytestream a multi-byte item (a numeric in the
334 example) is formed (using C notation) by:
336 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
337 ... | byte[n-1];
339 This byte ordering for multi-byte values is the commonplace network
340 byte order or big endian format.
342 4.2. Miscellaneous
344 Comments begin with "/*" and end with "*/".
346 Optional components are denoted by enclosing them in "[[ ]]" double
347 brackets.
349 Single byte entities containing uninterpreted data are of type
350 opaque.
352 4.3. Vectors
354 A vector (single dimensioned array) is a stream of homogeneous data
355 elements. The size of the vector may be specified at documentation
356 time or left unspecified until runtime. In either case the length
357 declares the number of bytes, not the number of elements, in the
358 vector. The syntax for specifying a new type T' that is a fixed
359 length vector of type T is
361 T T'[n];
363 Here T' occupies n bytes in the data stream, where n is a multiple of
364 the size of T. The length of the vector is not included in the
365 encoded stream.
367 In the following example, Datum is defined to be three consecutive
368 bytes that the protocol does not interpret, while Data is three
369 consecutive Datum, consuming a total of nine bytes.
371 opaque Datum[3]; /* three uninterpreted bytes */
372 Datum Data[9]; /* 3 consecutive 3 byte vectors */
379 Dierks & Rescorla Standards Track [Page 7]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
382 Variable length vectors are defined by specifying a subrange of legal
383 lengths, inclusively, using the notation <floor..ceiling>. When
384 encoded, the actual length precedes the vector's contents in the byte
385 stream. The length will be in the form of a number consuming as many
386 bytes as required to hold the vector's specified maximum (ceiling)
387 length. A variable length vector with an actual length field of zero
388 is referred to as an empty vector.
390 T T'<floor..ceiling>;
392 In the following example, mandatory is a vector that must contain
393 between 300 and 400 bytes of type opaque. It can never be empty. The
394 actual length field consumes two bytes, a uint16, sufficient to
395 represent the value 400 (see Section 4.4). On the other hand, longer
396 can represent up to 800 bytes of data, or 400 uint16 elements, and it
397 may be empty. Its encoding will include a two byte actual length
398 field prepended to the vector. The length of an encoded vector must
399 be an even multiple of the length of a single element (for example, a
400 17 byte vector of uint16 would be illegal).
402 opaque mandatory<300..400>;
403 /* length field is 2 bytes, cannot be empty */
404 uint16 longer<0..800>;
405 /* zero to 400 16-bit unsigned integers */
407 4.4. Numbers
409 The basic numeric data type is an unsigned byte (uint8). All larger
410 numeric data types are formed from fixed length series of bytes
411 concatenated as described in Section 4.1 and are also unsigned. The
412 following numeric types are predefined.
414 uint8 uint16[2];
415 uint8 uint24[3];
416 uint8 uint32[4];
417 uint8 uint64[8];
419 All values, here and elsewhere in the specification, are stored in
420 "network" or "big-endian" order; the uint32 represented by the hex
421 bytes 01 02 03 04 is equivalent to the decimal value 16909060.
423 4.5. Enumerateds
425 An additional sparse data type is available called enum. A field of
426 type enum can only assume the values declared in the definition.
427 Each definition is a different type. Only enumerateds of the same
428 type may be assigned or compared. Every element of an enumerated must
433 Dierks & Rescorla Standards Track [Page 8]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
436 be assigned a value, as demonstrated in the following example. Since
437 the elements of the enumerated are not ordered, they can be assigned
438 any unique value, in any order.
440 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
442 Enumerateds occupy as much space in the byte stream as would its
443 maximal defined ordinal value. The following definition would cause
444 one byte to be used to carry fields of type Color.
446 enum { red(3), blue(5), white(7) } Color;
448 One may optionally specify a value without its associated tag to
449 force the width definition without defining a superfluous element.
450 In the following example, Taste will consume two bytes in the data
451 stream but can only assume the values 1, 2 or 4.
453 enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
455 The names of the elements of an enumeration are scoped within the
456 defined type. In the first example, a fully qualified reference to
457 the second element of the enumeration would be Color.blue. Such
458 qualification is not required if the target of the assignment is well
459 specified.
461 Color color = Color.blue; /* overspecified, legal */
462 Color color = blue; /* correct, type implicit */
464 For enumerateds that are never converted to external representation,
465 the numerical information may be omitted.
467 enum { low, medium, high } Amount;
469 4.6. Constructed types
471 Structure types may be constructed from primitive types for
472 convenience. Each specification declares a new, unique type. The
473 syntax for definition is much like that of C.
475 struct {
476 T1 f1;
477 T2 f2;
478 ...
479 Tn fn;
480 } [[T]];
487 Dierks & Rescorla Standards Track [Page 9]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
490 The fields within a structure may be qualified using the type's name
491 using a syntax much like that available for enumerateds. For example,
492 T.f2 refers to the second field of the previous declaration.
493 Structure definitions may be embedded.
495 4.6.1. Variants
497 Defined structures may have variants based on some knowledge that is
498 available within the environment. The selector must be an enumerated
499 type that defines the possible variants the structure defines. There
500 must be a case arm for every element of the enumeration declared in
501 the select. The body of the variant structure may be given a label
502 for reference. The mechanism by which the variant is selected at
503 runtime is not prescribed by the presentation language.
505 struct {
506 T1 f1;
507 T2 f2;
508 ....
509 Tn fn;
510 select (E) {
511 case e1: Te1;
512 case e2: Te2;
513 ....
514 case en: Ten;
515 } [[fv]];
516 } [[Tv]];
518 For example:
520 enum { apple, orange } VariantTag;
521 struct {
522 uint16 number;
523 opaque string<0..10>; /* variable length */
524 } V1;
525 struct {
526 uint32 number;
527 opaque string[10]; /* fixed length */
528 } V2;
529 struct {
530 select (VariantTag) { /* value of selector is implicit */
531 case apple: V1; /* VariantBody, tag = apple */
532 case orange: V2; /* VariantBody, tag = orange */
533 } variant_body; /* optional label on variant */
534 } VariantRecord;
536 Variant structures may be qualified (narrowed) by specifying a value
537 for the selector prior to the type. For example, a
541 Dierks & Rescorla Standards Track [Page 10]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
544 orange VariantRecord
546 is a narrowed type of a VariantRecord containing a variant_body of
547 type V2.
549 4.7. Cryptographic attributes
551 The five cryptographic operations digital signing, stream cipher
552 encryption, block cipher encryption, authenticated encryption with
553 additional data (AEAD) encryption and public key encryption are
554 designated digitally-signed, stream-ciphered, block-ciphered, aead-
555 ciphered, and public-key-encrypted, respectively. A field's
556 cryptographic processing is specified by prepending an appropriate
557 key word designation before the field's type specification.
558 Cryptographic keys are implied by the current session state (see
559 Section 6.1).
561 In digital signing, one-way hash functions are used as input for a
562 signing algorithm. A digitally-signed element is encoded as an opaque
563 vector <0..2^16-1>, where the length is specified by the signing
564 algorithm and key.
566 In RSA signing, the output of the chosen hash function is encoded as
567 a PKCS #1 DigestInfo and then signed using block type 01 as described
568 in Section 8.1 as described in [PKCS1A].
570 Note: the standard reference for PKCS#1 is now RFC 3447 [PKCS1B].
571 However, to minimize differences with TLS 1.0 text, we are using the
572 terminology of RFC 2313 [PKCS1A].
574 In DSS, the 20 bytes of the SHA-1 hash are run directly through the
575 Digital Signing Algorithm with no additional hashing. This produces
576 two values, r and s. The DSS signature is an opaque vector, as above,
577 the contents of which are the DER encoding of:
579 Dss-Sig-Value ::= SEQUENCE {
580 r INTEGER,
581 s INTEGER
582 }
584 In stream cipher encryption, the plaintext is exclusive-ORed with an
585 identical amount of output generated from a cryptographically-secure
586 keyed pseudorandom number generator.
588 In block cipher encryption, every block of plaintext encrypts to a
589 block of ciphertext. All block cipher encryption is done in CBC
590 (Cipher Block Chaining) mode, and all items which are block-ciphered
591 will be an exact multiple of the cipher block length.
595 Dierks & Rescorla Standards Track [Page 11]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
598 In AEAD encryption, the plaintext is simultaneously encrypted and
599 integrity protected. The input may be of any length and the output is
600 generally larger than the input in order to accomodate the integrity
601 check value.
603 In public key encryption, a public key algorithm is used to encrypt
604 data in such a way that it can be decrypted only with the matching
605 private key. A public-key-encrypted element is encoded as an opaque
606 vector <0..2^16-1>, where the length is specified by the signing
607 algorithm and key.
609 An RSA encrypted value is encoded with PKCS #1 block type 2 as
610 described in [PKCS1A].
612 In the following example:
614 stream-ciphered struct {
615 uint8 field1;
616 uint8 field2;
617 digitally-signed opaque hash[20];
618 } UserType;
620 The contents of hash are used as input for the signing algorithm,
621 then the entire structure is encrypted with a stream cipher. The
622 length of this structure, in bytes would be equal to 2 bytes for
623 field1 and field2, plus two bytes for the length of the signature,
624 plus the length of the output of the signing algorithm. This is known
625 due to the fact that the algorithm and key used for the signing are
626 known prior to encoding or decoding this structure.
628 4.8. Constants
630 Typed constants can be defined for purposes of specification by
631 declaring a symbol of the desired type and assigning values to it.
632 Under-specified types (opaque, variable length vectors, and
633 structures that contain opaque) cannot be assigned values. No fields
634 of a multi-element structure or vector may be elided.
636 For example,
638 struct {
639 uint8 f1;
640 uint8 f2;
641 } Example1;
643 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
645 5. HMAC and the pseudorandom function
649 Dierks & Rescorla Standards Track [Page 12]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
652 A number of operations in the TLS record and handshake layer required
653 a keyed MAC; this is a secure digest of some data protected by a
654 secret. Forging the MAC is infeasible without knowledge of the MAC
655 secret. The construction we use for this operation is known as HMAC,
656 described in [HMAC].
658 In addition, a construction is required to do expansion of secrets
659 into blocks of data for the purposes of key generation or validation.
660 This pseudo-random function (PRF) takes as input a secret, a seed,
661 and an identifying label and produces an output of arbitrary length.
663 First, we define a data expansion function, P_hash(secret, data)
664 which uses a single hash function to expand a secret and seed into an
665 arbitrary quantity of output:
667 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
668 HMAC_hash(secret, A(2) + seed) +
669 HMAC_hash(secret, A(3) + seed) + ...
671 Where + indicates concatenation.
673 A() is defined as:
674 A(0) = seed
675 A(i) = HMAC_hash(secret, A(i-1))
677 P_hash can be iterated as many times as is necessary to produce the
678 required quantity of data. For example, if P_SHA-1 was being used to
679 create 64 bytes of data, it would have to be iterated 4 times
680 (through A(4)), creating 80 bytes of output data; the last 16 bytes
681 of the final iteration would then be discarded, leaving 64 bytes of
682 output data.
684 TLS's PRF is created by applying P_hash to the secret S as:
686 PRF(secret, label, seed) = P_<hash>(secret, label + seed)
688 Unless the cipher suite definition specifies otherwise, the hash
689 function used in P MUST be the same hash function selected for the
690 HMAC in the cipher suite. For existing cipher suites (which use MD5
691 or SHA-1), the hash MUST be SHA-1. New ciphers which do not use HMAC
692 MUST explicitly specify a PRF.
694 The label is an ASCII string. It should be included in the exact form
695 it is given without a length byte or trailing null character. For
696 example, the label "slithy toves" would be processed by hashing the
697 following bytes:
699 73 6C 69 74 68 79 20 74 6F 76 65 73
703 Dierks & Rescorla Standards Track [Page 13]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
706 6. The TLS Record Protocol
708 The TLS Record Protocol is a layered protocol. At each layer,
709 messages may include fields for length, description, and content.
710 The Record Protocol takes messages to be transmitted, fragments the
711 data into manageable blocks, optionally compresses the data, applies
712 a MAC, encrypts, and transmits the result. Received data is
713 decrypted, verified, decompressed, and reassembled, then delivered to
714 higher level clients.
716 Four record protocol clients are described in this document: the
717 handshake protocol, the alert protocol, the change cipher spec
718 protocol, and the application data protocol. In order to allow
719 extension of the TLS protocol, additional record types can be
720 supported by the record protocol. Any new record types SHOULD
721 allocate type values immediately beyond the ContentType values for
722 the four record types described here (see Appendix A.1). All such
723 values must be defined by RFC 2434 Standards Action. See section 11
724 for IANA Considerations for ContentType values.
726 If a TLS implementation receives a record type it does not
727 understand, it SHOULD just ignore it. Any protocol designed for use
728 over TLS MUST be carefully designed to deal with all possible attacks
729 against it. Note that because the type and length of a record are
730 not protected by encryption, care SHOULD be taken to minimize the
731 value of traffic analysis of these values.
733 6.1. Connection states
735 A TLS connection state is the operating environment of the TLS Record
736 Protocol. It specifies a compression algorithm, encryption algorithm,
737 and MAC algorithm. In addition, the parameters for these algorithms
738 are known: the MAC secret and the bulk encryption keys for the
739 connection in both the read and the write directions. Logically,
740 there are always four connection states outstanding: the current read
741 and write states, and the pending read and write states. All records
742 are processed under the current read and write states. The security
743 parameters for the pending states can be set by the TLS Handshake
744 Protocol, and the Change Cipher Spec can selectively make either of
745 the pending states current, in which case the appropriate current
746 state is disposed of and replaced with the pending state; the pending
747 state is then reinitialized to an empty state. It is illegal to make
748 a state which has not been initialized with security parameters a
749 current state. The initial current state always specifies that no
750 encryption, compression, or MAC will be used.
752 The security parameters for a TLS Connection read and write state are
753 set by providing the following values:
757 Dierks & Rescorla Standards Track [Page 14]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
760 connection end
761 Whether this entity is considered the "client" or the "server" in
762 this connection.
764 bulk encryption algorithm
765 An algorithm to be used for bulk encryption. This specification
766 includes the key size of this algorithm, how much of that key is
767 secret, whether it is a block, stream, or AEAD cipher, the block
768 size of the cipher (if appropriate).
770 MAC algorithm
771 An algorithm to be used for message authentication. This
772 specification includes the size of the hash which is returned by
773 the MAC algorithm.
775 compression algorithm
776 An algorithm to be used for data compression. This specification
777 must include all information the algorithm requires to do
778 compression.
780 master secret
781 A 48 byte secret shared between the two peers in the connection.
783 client random
784 A 32 byte value provided by the client.
786 server random
787 A 32 byte value provided by the server.
789 These parameters are defined in the presentation language as:
791 enum { server, client } ConnectionEnd;
793 enum { null, rc4, rc2, des, 3des, des40, idea, aes } BulkCipherAlgorithm;
795 enum { stream, block, aead } CipherType;
797 enum { null, md5, sha, sha256, sha384, sha512} MACAlgorithm;
799 /* The use of "sha" above is historical and denotes SHA-1 */
801 enum { null(0), (255) } CompressionMethod;
803 /* The algorithms specified in CompressionMethod,
804 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
806 struct {
807 ConnectionEnd entity;
811 Dierks & Rescorla Standards Track [Page 15]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
814 BulkCipherAlgorithm bulk_cipher_algorithm;
815 CipherType cipher_type;
816 uint8 key_size;
817 uint8 key_material_length;
818 MACAlgorithm mac_algorithm;
819 uint8 hash_size;
820 CompressionMethod compression_algorithm;
821 opaque master_secret[48];
822 opaque client_random[32];
823 opaque server_random[32];
824 } SecurityParameters;
826 The record layer will use the security parameters to generate the
827 following four items:
829 client write MAC secret
830 server write MAC secret
831 client write key
832 server write key
834 The client write parameters are used by the server when receiving and
835 processing records and vice-versa. The algorithm used for generating
836 these items from the security parameters is described in section 6.3.
838 Once the security parameters have been set and the keys have been
839 generated, the connection states can be instantiated by making them
840 the current states. These current states MUST be updated for each
841 record processed. Each connection state includes the following
842 elements:
844 compression state
845 The current state of the compression algorithm.
847 cipher state
848 The current state of the encryption algorithm. This will consist
849 of the scheduled key for that connection. For stream ciphers,
850 this will also contain whatever the necessary state information
851 is to allow the stream to continue to encrypt or decrypt data.
853 MAC secret
854 The MAC secret for this connection as generated above.
856 sequence number
857 Each connection state contains a sequence number, which is
858 maintained separately for read and write states. The sequence
859 number MUST be set to zero whenever a connection state is made
860 the active state. Sequence numbers are of type uint64 and may not
861 exceed 2^64-1. Sequence numbers do not wrap. If a TLS
865 Dierks & Rescorla Standards Track [Page 16]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
868 implementation would need to wrap a sequence number it must
869 renegotiate instead. A sequence number is incremented after each
870 record: specifically, the first record which is transmitted under
871 a particular connection state MUST use sequence number 0.
873 6.2. Record layer
875 The TLS Record Layer receives uninterpreted data from higher layers
876 in non-empty blocks of arbitrary size.
878 6.2.1. Fragmentation
880 The record layer fragments information blocks into TLSPlaintext
881 records carrying data in chunks of 2^14 bytes or less. Client message
882 boundaries are not preserved in the record layer (i.e., multiple
883 client messages of the same ContentType MAY be coalesced into a
884 single TLSPlaintext record, or a single message MAY be fragmented
885 across several records).
888 struct {
889 uint8 major, minor;
890 } ProtocolVersion;
892 enum {
893 change_cipher_spec(20), alert(21), handshake(22),
894 application_data(23), (255)
895 } ContentType;
897 struct {
898 ContentType type;
899 ProtocolVersion version;
900 uint16 length;
901 opaque fragment[TLSPlaintext.length];
902 } TLSPlaintext;
904 type
905 The higher level protocol used to process the enclosed fragment.
907 version
908 The version of the protocol being employed. This document
909 describes TLS Version 1.2, which uses the version { 3, 3 }. The
910 version value 3.3 is historical, deriving from the use of 3.1 for
911 TLS 1.0. (See Appendix A.1).
913 length
914 The length (in bytes) of the following TLSPlaintext.fragment.
915 The length should not exceed 2^14.
919 Dierks & Rescorla Standards Track [Page 17]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
922 fragment
923 The application data. This data is transparent and treated as an
924 independent block to be dealt with by the higher level protocol
925 specified by the type field.
927 Note: Data of different TLS Record layer content types MAY be
928 interleaved. Application data is generally of lower precedence
929 for transmission than other content types. However, records MUST
930 be delivered to the network in the same order as they are
931 protected by the record layer. Recipients MUST receive and
932 process interleaved application layer traffic during handshakes
933 subsequent to the first one on a connection.
936 6.2.2. Record compression and decompression
938 All records are compressed using the compression algorithm defined in
939 the current session state. There is always an active compression
940 algorithm; however, initially it is defined as
941 CompressionMethod.null. The compression algorithm translates a
942 TLSPlaintext structure into a TLSCompressed structure. Compression
943 functions are initialized with default state information whenever a
944 connection state is made active.
946 Compression must be lossless and may not increase the content length
947 by more than 1024 bytes. If the decompression function encounters a
948 TLSCompressed.fragment that would decompress to a length in excess of
949 2^14 bytes, it should report a fatal decompression failure error.
951 struct {
952 ContentType type; /* same as TLSPlaintext.type */
953 ProtocolVersion version;/* same as TLSPlaintext.version */
954 uint16 length;
955 opaque fragment[TLSCompressed.length];
956 } TLSCompressed;
958 length
959 The length (in bytes) of the following TLSCompressed.fragment.
960 The length should not exceed 2^14 + 1024.
962 fragment
963 The compressed form of TLSPlaintext.fragment.
965 Note: A CompressionMethod.null operation is an identity operation; no
966 fields are altered.
968 Implementation note:
969 Decompression functions are responsible for ensuring that
973 Dierks & Rescorla Standards Track [Page 18]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
976 messages cannot cause internal buffer overflows.
978 6.2.3. Record payload protection
980 The encryption and MAC functions translate a TLSCompressed structure
981 into a TLSCiphertext. The decryption functions reverse the process.
982 The MAC of the record also includes a sequence number so that
983 missing, extra or repeated messages are detectable.
985 struct {
986 ContentType type;
987 ProtocolVersion version;
988 uint16 length;
989 select (CipherSpec.cipher_type) {
990 case stream: GenericStreamCipher;
991 case block: GenericBlockCipher;
992 case aead: GenericAEADCipher;
993 } fragment;
994 } TLSCiphertext;
996 type
997 The type field is identical to TLSCompressed.type.
999 version
1000 The version field is identical to TLSCompressed.version.
1002 length
1003 The length (in bytes) of the following TLSCiphertext.fragment.
1004 The length may not exceed 2^14 + 2048.
1006 fragment
1007 The encrypted form of TLSCompressed.fragment, with the MAC.
1009 6.2.3.1. Null or standard stream cipher
1011 Stream ciphers (including BulkCipherAlgorithm.null - see Appendix
1012 A.6) convert TLSCompressed.fragment structures to and from stream
1013 TLSCiphertext.fragment structures.
1015 stream-ciphered struct {
1016 opaque content[TLSCompressed.length];
1017 opaque MAC[CipherSpec.hash_size];
1018 } GenericStreamCipher;
1020 The MAC is generated as:
1022 HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
1023 TLSCompressed.version + TLSCompressed.length +
1027 Dierks & Rescorla Standards Track [Page 19]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1030 TLSCompressed.fragment));
1032 where "+" denotes concatenation.
1034 seq_num
1035 The sequence number for this record.
1037 hash
1038 The hashing algorithm specified by
1039 SecurityParameters.mac_algorithm.
1041 Note that the MAC is computed before encryption. The stream cipher
1042 encrypts the entire block, including the MAC. For stream ciphers that
1043 do not use a synchronization vector (such as RC4), the stream cipher
1044 state from the end of one record is simply used on the subsequent
1045 packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL, encryption
1046 consists of the identity operation (i.e., the data is not encrypted
1047 and the MAC size is zero implying that no MAC is used).
1048 TLSCiphertext.length is TLSCompressed.length plus
1049 CipherSpec.hash_size.
1051 6.2.3.2. CBC block cipher
1053 For block ciphers (such as RC2, DES, or AES), the encryption and MAC
1054 functions convert TLSCompressed.fragment structures to and from block
1055 TLSCiphertext.fragment structures.
1057 block-ciphered struct {
1058 opaque IV[CipherSpec.block_length];
1059 opaque content[TLSCompressed.length];
1060 opaque MAC[CipherSpec.hash_size];
1061 uint8 padding[GenericBlockCipher.padding_length];
1062 uint8 padding_length;
1063 } GenericBlockCipher;
1065 The MAC is generated as described in Section 6.2.3.1.
1067 IV
1068 TLS 1.2 uses an explicit IV in order to prevent the attacks described
1069 by [CBCATT]. We recommend the following equivalently strong
1070 procedures. For clarity we use the following notation.
1072 IV -- the transmitted value of the IV field in the
1073 GenericBlockCipher structure.
1074 CBC residue -- the last ciphertext block of the previous record
1075 mask -- the actual value which the cipher XORs with the
1076 plaintext prior to encryption of the first cipher block
1077 of the record.
1081 Dierks & Rescorla Standards Track [Page 20]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1084 In versions of TLS prior to 1.1, there was no IV field and the CBC residue
1085 and mask were one and the same. See Sections 6.1, 6.2.3.2 and 6.3,
1086 of [TLS1.0] for details of TLS 1.0 IV handling.
1088 One of the following two algorithms SHOULD be used to generate the
1089 per-record IV:
1091 (1) Generate a cryptographically strong random string R of
1092 length CipherSpec.block_length. Place R
1093 in the IV field. Set the mask to R. Thus, the first
1094 cipher block will be encrypted as E(R XOR Data).
1096 (2) Generate a cryptographically strong random number R of
1097 length CipherSpec.block_length and prepend it to the plaintext
1098 prior to encryption. In
1099 this case either:
1101 (a) The cipher may use a fixed mask such as zero.
1102 (b) The CBC residue from the previous record may be used
1103 as the mask. This preserves maximum code compatibility
1104 with TLS 1.0 and SSL 3. It also has the advantage that
1105 it does not require the ability to quickly reset the IV,
1106 which is known to be a problem on some systems.
1108 In either 2(a) or 2(b) the data (R || data) is fed into the
1109 encryption process. The first cipher block (containing
1110 E(mask XOR R) is placed in the IV field. The first
1111 block of content contains E(IV XOR data)
1113 The following alternative procedure MAY be used: However, it has
1114 not been demonstrated to be equivalently cryptographically strong
1115 to the above procedures. The sender prepends a fixed block F to
1116 the plaintext (or alternatively a block generated with a weak
1117 PRNG). He then encrypts as in (2) above, using the CBC residue
1118 from the previous block as the mask for the prepended block. Note
1119 that in this case the mask for the first record transmitted by
1120 the application (the Finished) MUST be generated using a
1121 cryptographically strong PRNG.
1123 The decryption operation for all three alternatives is the same.
1124 The receiver decrypts the entire GenericBlockCipher structure and
1125 then discards the first cipher block, corresponding to the IV
1126 component.
1128 padding
1129 Padding that is added to force the length of the plaintext to be
1130 an integral multiple of the block cipher's block length. The
1131 padding MAY be any length up to 255 bytes long, as long as it
1135 Dierks & Rescorla Standards Track [Page 21]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1138 results in the TLSCiphertext.length being an integral multiple of
1139 the block length. Lengths longer than necessary might be
1140 desirable to frustrate attacks on a protocol based on analysis of
1141 the lengths of exchanged messages. Each uint8 in the padding data
1142 vector MUST be filled with the padding length value. The receiver
1143 MUST check this padding and SHOULD use the bad_record_mac alert
1144 to indicate padding errors.
1146 padding_length
1147 The padding length MUST be such that the total size of the
1148 GenericBlockCipher structure is a multiple of the cipher's block
1149 length. Legal values range from zero to 255, inclusive. This
1150 length specifies the length of the padding field exclusive of the
1151 padding_length field itself.
1153 The encrypted data length (TLSCiphertext.length) is one more than the
1154 sum of TLSCompressed.length, CipherSpec.hash_size, and
1155 padding_length.
1157 Example: If the block length is 8 bytes, the content length
1158 (TLSCompressed.length) is 61 bytes, and the MAC length is 20
1159 bytes, the length before padding is 82 bytes (this does not
1160 include the IV, which may or may not be encrypted, as
1161 discussed above). Thus, the padding length modulo 8 must be
1162 equal to 6 in order to make the total length an even multiple
1163 of 8 bytes (the block length). The padding length can be 6,
1164 14, 22, and so on, through 254. If the padding length were the
1165 minimum necessary, 6, the padding would be 6 bytes, each
1166 containing the value 6. Thus, the last 8 octets of the
1167 GenericBlockCipher before block encryption would be xx 06 06
1168 06 06 06 06 06, where xx is the last octet of the MAC.
1170 Note: With block ciphers in CBC mode (Cipher Block Chaining),
1171 it is critical that the entire plaintext of the record be known
1172 before any ciphertext is transmitted. Otherwise it is possible
1173 for the attacker to mount the attack described in [CBCATT].
1175 Implementation Note: Canvel et. al. [CBCTIME] have demonstrated a
1176 timing attack on CBC padding based on the time required to
1177 compute the MAC. In order to defend against this attack,
1178 implementations MUST ensure that record processing time is
1179 essentially the same whether or not the padding is correct. In
1180 general, the best way to to do this is to compute the MAC even if
1181 the padding is incorrect, and only then reject the packet. For
1182 instance, if the pad appears to be incorrect the implementation
1183 might assume a zero-length pad and then compute the MAC. This
1184 leaves a small timing channel, since MAC performance depends to
1185 some extent on the size of the data fragment, but it is not
1189 Dierks & Rescorla Standards Track [Page 22]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1192 believed to be large enough to be exploitable due to the large
1193 block size of existing MACs and the small size of the timing
1194 signal.
1196 6.2.3.3. AEAD ciphers
1198 For AEAD [AEAD] ciphers (such as [CCM] or [GCM]) the AEAD function
1199 converts TLSCompressed.fragment structures to and from AEAD
1200 TLSCiphertext.fragment structures.
1202 aead-ciphered struct {
1203 opaque IV[CipherSpec.iv_length];
1204 opaque aead_output[AEADEncrypted.length];
1205 } GenericAEADCipher;
1207 AEAD ciphers take as input a single key, optional IV (depending on
1208 the cipher), plaintext, and "additional data" to be included in the
1209 authentication check. I.e.,
1211 AEADEncrypted = AEAD-Encrypt(key, IV, plaintext,
1212 additional_data)
1214 The key is either the client_write_key or the server_write_key. When
1215 AEAD algorithms are used the MAC keys are of zero length and are not
1216 used. The length of the IV depends on the cipher suite. If it is
1217 required it MUST be generated using a cryptographically strong random
1218 number generator. Note that the IV may be zero length. The plaintext
1219 is the TLSCompressed.fragment. The additional_data is defined as
1220 follows:
1222 additional_data = seq_num + TLSCompressed.type +
1223 TLSCompressed.version + TLSCompressed.length;
1225 Where "+" denotes concatenation.
1227 AEADEncrypted.length will generally be larger than
1228 TLSCompressed.length, but by an amount that varies with the cipher
1229 and the required padding (if any). AEAD algorithms MUST NOT produce
1230 an expansion of greater than 1024 bytes.
1232 In order to decrypt and verify, the cipher takes as input the key,
1233 IV, the "additional_data", and the AEADEncrypted value. The output is
1234 either the plaintext or an error indicating that the decryption
1235 failed. There is no separate integrity check. I.e.,
1237 TLSCompressed.fragment = AEAD-Decrypt(write_key, IV, AEADEncrypted,
1238 TLSCiphertext.type + TLSCiphertext.version +
1239 TLSCiphertext.length);
1243 Dierks & Rescorla Standards Track [Page 23]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1246 If the decryption fails, a fatal bad_record_mac alert MUST be
1247 generated.
1249 6.3. Key calculation
1251 The Record Protocol requires an algorithm to generate keys, and MAC
1252 secrets from the security parameters provided by the handshake
1253 protocol.
1255 The master secret is hashed into a sequence of secure bytes, which
1256 are assigned to the MAC secrets and keys required by the current
1257 connection state (see Appendix A.6). CipherSpecs require a client
1258 write MAC secret, a server write MAC secret, a client write key, and
1259 a server write key, which are generated from the master secret in
1260 that order. Unused values are empty.
1262 When generating keys and MAC secrets, the master secret is used as an
1263 entropy source.
1265 To generate the key material, compute
1267 key_block = PRF(SecurityParameters.master_secret,
1268 "key expansion",
1269 SecurityParameters.server_random +
1270 SecurityParameters.client_random);
1272 until enough output has been generated. Then the key_block is
1273 partitioned as follows:
1275 client_write_MAC_secret[SecurityParameters.hash_size]
1276 server_write_MAC_secret[SecurityParameters.hash_size]
1277 client_write_key[SecurityParameters.key_material_length]
1278 server_write_key[SecurityParameters.key_material_length]
1281 Implementation note:
1282 The currently defined which requires the most material is
1283 AES_256_CBC_SHA, defined in [TLSAES]. It requires 2 x 32 byte
1284 keys and 2 x 20 byte MAC secrets, for a total 104 bytes of key
1285 material.
1287 7. The TLS Handshaking Protocols
1289 TLS has three subprotocols which are used to allow peers to agree
1290 upon security parameters for the record layer, authenticate
1291 themselves, instantiate negotiated security parameters, and
1292 report error conditions to each other.
1297 Dierks & Rescorla Standards Track [Page 24]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1300 The Handshake Protocol is responsible for negotiating a session,
1301 which consists of the following items:
1303 session identifier
1304 An arbitrary byte sequence chosen by the server to identify an
1305 active or resumable session state.
1307 peer certificate
1308 X509v3 [X509] certificate of the peer. This element of the
1309 state may be null.
1311 compression method
1312 The algorithm used to compress data prior to encryption.
1314 cipher spec
1315 Specifies the bulk data encryption algorithm (such as null,
1316 DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also
1317 defines cryptographic attributes such as the hash_size. (See
1318 Appendix A.6 for formal definition)
1320 master secret
1321 48-byte secret shared between the client and server.
1323 is resumable
1324 A flag indicating whether the session can be used to initiate
1325 new connections.
1327 These items are then used to create security parameters for use by
1328 the Record Layer when protecting application data. Many connections
1329 can be instantiated using the same session through the resumption
1330 feature of the TLS Handshake Protocol.
1332 7.1. Change cipher spec protocol
1334 The change cipher spec protocol exists to signal transitions in
1335 ciphering strategies. The protocol consists of a single message,
1336 which is encrypted and compressed under the current (not the pending)
1337 connection state. The message consists of a single byte of value 1.
1339 struct {
1340 enum { change_cipher_spec(1), (255) } type;
1341 } ChangeCipherSpec;
1343 The change cipher spec message is sent by both the client and server
1344 to notify the receiving party that subsequent records will be
1345 protected under the newly negotiated CipherSpec and keys. Reception
1346 of this message causes the receiver to instruct the Record Layer to
1347 immediately copy the read pending state into the read current state.
1351 Dierks & Rescorla Standards Track [Page 25]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1354 Immediately after sending this message, the sender MUST instruct the
1355 record layer to make the write pending state the write active state.
1356 (See section 6.1.) The change cipher spec message is sent during the
1357 handshake after the security parameters have been agreed upon, but
1358 before the verifying finished message is sent (see section 7.4.11
1360 Note: if a rehandshake occurs while data is flowing on a connection,
1361 the communicating parties may continue to send data using the old
1362 CipherSpec. However, once the ChangeCipherSpec has been sent, the new
1363 CipherSpec MUST be used. The first side to send the ChangeCipherSpec
1364 does not know that the other side has finished computing the new
1365 keying material (e.g. if it has to perform a time consuming public
1366 key operation). Thus, a small window of time during which the
1367 recipient must buffer the data MAY exist. In practice, with modern
1368 machines this interval is likely to be fairly short.
1370 7.2. Alert protocol
1372 One of the content types supported by the TLS Record layer is the
1373 alert type. Alert messages convey the severity of the message and a
1374 description of the alert. Alert messages with a level of fatal result
1375 in the immediate termination of the connection. In this case, other
1376 connections corresponding to the session may continue, but the
1377 session identifier MUST be invalidated, preventing the failed session
1378 from being used to establish new connections. Like other messages,
1379 alert messages are encrypted and compressed, as specified by the
1380 current connection state.
1382 enum { warning(1), fatal(2), (255) } AlertLevel;
1384 enum {
1385 close_notify(0),
1386 unexpected_message(10),
1387 bad_record_mac(20),
1388 decryption_failed(21),
1389 record_overflow(22),
1390 decompression_failure(30),
1391 handshake_failure(40),
1392 no_certificate_RESERVED (41),
1393 bad_certificate(42),
1394 unsupported_certificate(43),
1395 certificate_revoked(44),
1396 certificate_expired(45),
1397 certificate_unknown(46),
1398 illegal_parameter(47),
1399 unknown_ca(48),
1400 access_denied(49),
1401 decode_error(50),
1405 Dierks & Rescorla Standards Track [Page 26]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1408 decrypt_error(51),
1409 export_restriction_RESERVED(60),
1410 protocol_version(70),
1411 insufficient_security(71),
1412 internal_error(80),
1413 user_canceled(90),
1414 no_renegotiation(100),
1415 unsupported_extension(110), /* new */
1416 certificate_unobtainable(111), /* new */
1417 unrecognized_name(112), /* new */
1418 bad_certificate_status_response(113), /* new */
1419 bad_certificate_hash_value(114), /* new */
1420 (255)
1421 } AlertDescription;
1423 struct {
1424 AlertLevel level;
1425 AlertDescription description;
1426 } Alert;
1428 7.2.1. Closure alerts
1430 The client and the server must share knowledge that the connection is
1431 ending in order to avoid a truncation attack. Either party may
1432 initiate the exchange of closing messages.
1434 close_notify
1435 This message notifies the recipient that the sender will not send
1436 any more messages on this connection. Note that as of TLS 1.1,
1437 failure to properly close a connection no longer requires that a
1438 session not be resumed. This is a change from TLS 1.0 to conform
1439 with widespread implementation practice.
1441 Either party may initiate a close by sending a close_notify alert.
1442 Any data received after a closure alert is ignored.
1444 Unless some other fatal alert has been transmitted, each party is
1445 required to send a close_notify alert before closing the write side
1446 of the connection. The other party MUST respond with a close_notify
1447 alert of its own and close down the connection immediately,
1448 discarding any pending writes. It is not required for the initiator
1449 of the close to wait for the responding close_notify alert before
1450 closing the read side of the connection.
1452 If the application protocol using TLS provides that any data may be
1453 carried over the underlying transport after the TLS connection is
1454 closed, the TLS implementation must receive the responding
1455 close_notify alert before indicating to the application layer that
1459 Dierks & Rescorla Standards Track [Page 27]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1462 the TLS connection has ended. If the application protocol will not
1463 transfer any additional data, but will only close the underlying
1464 transport connection, then the implementation MAY choose to close the
1465 transport without waiting for the responding close_notify. No part of
1466 this standard should be taken to dictate the manner in which a usage
1467 profile for TLS manages its data transport, including when
1468 connections are opened or closed.
1470 Note: It is assumed that closing a connection reliably delivers
1471 pending data before destroying the transport.
1473 7.2.2. Error alerts
1475 Error handling in the TLS Handshake protocol is very simple. When an
1476 error is detected, the detecting party sends a message to the other
1477 party. Upon transmission or receipt of an fatal alert message, both
1478 parties immediately close the connection. Servers and clients MUST
1479 forget any session-identifiers, keys, and secrets associated with a
1480 failed connection. Thus, any connection terminated with a fatal alert
1481 MUST NOT be resumed. The following error alerts are defined:
1483 unexpected_message
1484 An inappropriate message was received. This alert is always fatal
1485 and should never be observed in communication between proper
1486 implementations.
1488 bad_record_mac
1489 This alert is returned if a record is received with an incorrect
1490 MAC. This alert also MUST be returned if an alert is sent because
1491 a TLSCiphertext decrypted in an invalid way: either it wasn't an
1492 even multiple of the block length, or its padding values, when
1493 checked, weren't correct. This message is always fatal.
1495 decryption_failed
1496 This alert MAY be returned if a TLSCiphertext decrypted in an
1497 invalid way: either it wasn't an even multiple of the block
1498 length, or its padding values, when checked, weren't correct.
1499 This message is always fatal.
1501 Note: Differentiating between bad_record_mac and
1502 decryption_failed alerts may permit certain attacks against CBC
1503 mode as used in TLS [CBCATT]. It is preferable to uniformly use
1504 the bad_record_mac alert to hide the specific type of the error.
1507 record_overflow
1508 A TLSCiphertext record was received which had a length more than
1509 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
1513 Dierks & Rescorla Standards Track [Page 28]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1516 with more than 2^14+1024 bytes. This message is always fatal.
1518 decompression_failure
1519 The decompression function received improper input (e.g. data
1520 that would expand to excessive length). This message is always
1521 fatal.
1523 handshake_failure
1524 Reception of a handshake_failure alert message indicates that the
1525 sender was unable to negotiate an acceptable set of security
1526 parameters given the options available. This is a fatal error.
1528 no_certificate_RESERVED
1529 This alert was used in SSLv3 but not in TLS. It should not be
1530 sent by compliant implementations.
1532 bad_certificate
1533 A certificate was corrupt, contained signatures that did not
1534 verify correctly, etc.
1536 unsupported_certificate
1537 A certificate was of an unsupported type.
1539 certificate_revoked
1540 A certificate was revoked by its signer.
1542 certificate_expired
1543 A certificate has expired or is not currently valid.
1545 certificate_unknown
1546 Some other (unspecified) issue arose in processing the
1547 certificate, rendering it unacceptable.
1549 illegal_parameter
1550 A field in the handshake was out of range or inconsistent with
1551 other fields. This is always fatal.
1553 unknown_ca
1554 A valid certificate chain or partial chain was received, but the
1555 certificate was not accepted because the CA certificate could not
1556 be located or couldn't be matched with a known, trusted CA. This
1557 message is always fatal.
1559 access_denied
1560 A valid certificate was received, but when access control was
1561 applied, the sender decided not to proceed with negotiation.
1562 This message is always fatal.
1567 Dierks & Rescorla Standards Track [Page 29]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1570 decode_error
1571 A message could not be decoded because some field was out of the
1572 specified range or the length of the message was incorrect. This
1573 message is always fatal.
1575 decrypt_error
1576 A handshake cryptographic operation failed, including being
1577 unable to correctly verify a signature, decrypt a key exchange,
1578 or validate a finished message.
1580 export_restriction_RESERVED
1581 This alert was used in TLS 1.0 but not TLS 1.1.
1583 protocol_version
1584 The protocol version the client has attempted to negotiate is
1585 recognized, but not supported. (For example, old protocol
1586 versions might be avoided for security reasons). This message is
1587 always fatal.
1589 insufficient_security
1590 Returned instead of handshake_failure when a negotiation has
1591 failed specifically because the server requires ciphers more
1592 secure than those supported by the client. This message is always
1593 fatal.
1595 internal_error
1596 An internal error unrelated to the peer or the correctness of the
1597 protocol makes it impossible to continue (such as a memory
1598 allocation failure). This message is always fatal.
1600 user_canceled
1601 This handshake is being canceled for some reason unrelated to a
1602 protocol failure. If the user cancels an operation after the
1603 handshake is complete, just closing the connection by sending a
1604 close_notify is more appropriate. This alert should be followed
1605 by a close_notify. This message is generally a warning.
1607 no_renegotiation
1608 Sent by the client in response to a hello request or by the
1609 server in response to a client hello after initial handshaking.
1610 Either of these would normally lead to renegotiation; when that
1611 is not appropriate, the recipient should respond with this alert;
1612 at that point, the original requester can decide whether to
1613 proceed with the connection. One case where this would be
1614 appropriate would be where a server has spawned a process to
1615 satisfy a request; the process might receive security parameters
1616 (key length, authentication, etc.) at startup and it might be
1617 difficult to communicate changes to these parameters after that
1621 Dierks & Rescorla Standards Track [Page 30]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1624 point. This message is always a warning.
1626 The following error alerts apply only to the extensions described
1627 in Section XXX. To avoid "breaking" existing clients and servers,
1628 these alerts MUST NOT be sent unless the sending party has
1629 received an extended hello message from the party they are
1630 communicating with.
1632 unsupported_extension
1633 sent by clients that receive an extended server hello containing
1634 an extension that they did not put in the corresponding client
1635 hello (see Section 2.3). This message is always fatal.
1637 unrecognized_name
1638 sent by servers that receive a server_name extension request, but
1639 do not recognize the server name. This message MAY be fatal.
1641 certificate_unobtainable
1642 sent by servers who are unable to retrieve a certificate chain
1643 from the URL supplied by the client (see Section 3.3). This
1644 message MAY be fatal - for example if client authentication is
1645 required by the server for the handshake to continue and the
1646 server is unable to retrieve the certificate chain, it may send a
1647 fatal alert.
1649 bad_certificate_status_response
1650 sent by clients that receive an invalid certificate status
1651 response (see Section 3.6). This message is always fatal.
1653 bad_certificate_hash_value
1654 sent by servers when a certificate hash does not match a client
1655 provided certificate_hash. This message is always fatal.
1657 For all errors where an alert level is not explicitly specified, the
1658 sending party MAY determine at its discretion whether this is a fatal
1659 error or not; if an alert with a level of warning is received, the
1660 receiving party MAY decide at its discretion whether to treat this as
1661 a fatal error or not. However, all messages which are transmitted
1662 with a level of fatal MUST be treated as fatal messages.
1664 New alerts values MUST be defined by RFC 2434 Standards Action. See
1665 Section 11 for IANA Considerations for alert values.
1667 7.3. Handshake Protocol overview
1669 The cryptographic parameters of the session state are produced by the
1670 TLS Handshake Protocol, which operates on top of the TLS Record
1671 Layer. When a TLS client and server first start communicating, they
1675 Dierks & Rescorla Standards Track [Page 31]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1678 agree on a protocol version, select cryptographic algorithms,
1679 optionally authenticate each other, and use public-key encryption
1680 techniques to generate shared secrets.
1682 The TLS Handshake Protocol involves the following steps:
1684 - Exchange hello messages to agree on algorithms, exchange random
1685 values, and check for session resumption.
1687 - Exchange the necessary cryptographic parameters to allow the
1688 client and server to agree on a premaster secret.
1690 - Exchange certificates and cryptographic information to allow the
1691 client and server to authenticate themselves.
1693 - Generate a master secret from the premaster secret and exchanged
1694 random values.
1696 - Provide security parameters to the record layer.
1698 - Allow the client and server to verify that their peer has
1699 calculated the same security parameters and that the handshake
1700 occurred without tampering by an attacker.
1702 Note that higher layers should not be overly reliant on TLS always
1703 negotiating the strongest possible connection between two peers:
1704 there are a number of ways a man in the middle attacker can attempt
1705 to make two entities drop down to the least secure method they
1706 support. The protocol has been designed to minimize this risk, but
1707 there are still attacks available: for example, an attacker could
1708 block access to the port a secure service runs on, or attempt to get
1709 the peers to negotiate an unauthenticated connection. The fundamental
1710 rule is that higher levels must be cognizant of what their security
1711 requirements are and never transmit information over a channel less
1712 secure than what they require. The TLS protocol is secure, in that
1713 any cipher suite offers its promised level of security: if you
1714 negotiate 3DES with a 1024 bit RSA key exchange with a host whose
1715 certificate you have verified, you can expect to be that secure.
1729 Dierks & Rescorla Standards Track [Page 32]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1732 However, you SHOULD never send data over a link encrypted with 40 bit
1733 security unless you feel that data is worth no more than the effort
1734 required to break that encryption.
1736 These goals are achieved by the handshake protocol, which can be
1737 summarized as follows: The client sends a client hello message to
1738 which the server must respond with a server hello message, or else a
1739 fatal error will occur and the connection will fail. The client hello
1740 and server hello are used to establish security enhancement
1741 capabilities between client and server. The client hello and server
1742 hello establish the following attributes: Protocol Version, Session
1743 ID, Cipher Suite, and Compression Method. Additionally, two random
1744 values are generated and exchanged: ClientHello.random and
1745 ServerHello.random.
1747 The actual key exchange uses up to four messages: the server
1748 certificate, the server key exchange, the client certificate, and the
1749 client key exchange. New key exchange methods can be created by
1750 specifying a format for these messages and defining the use of the
1751 messages to allow the client and server to agree upon a shared
1752 secret. This secret MUST be quite long; currently defined key
1753 exchange methods exchange secrets which range from 48 to 128 bytes in
1754 length.
1756 Following the hello messages, the server will send its certificate,
1757 if it is to be authenticated. Additionally, a server key exchange
1758 message may be sent, if it is required (e.g. if their server has no
1759 certificate, or if its certificate is for signing only). If the
1760 server is authenticated, it may request a certificate from the
1761 client, if that is appropriate to the cipher suite selected. Now the
1762 server will send the server hello done message, indicating that the
1763 hello-message phase of the handshake is complete. The server will
1764 then wait for a client response. If the server has sent a certificate
1765 request message, the client must send the certificate message. The
1766 client key exchange message is now sent, and the content of that
1767 message will depend on the public key algorithm selected between the
1768 client hello and the server hello. If the client has sent a
1769 certificate with signing ability, a digitally-signed certificate
1770 verify message is sent to explicitly verify the certificate.
1772 At this point, a change cipher spec message is sent by the client,
1773 and the client copies the pending Cipher Spec into the current Cipher
1774 Spec. The client then immediately sends the finished message under
1775 the new algorithms, keys, and secrets. In response, the server will
1776 send its own change cipher spec message, transfer the pending to the
1777 current Cipher Spec, and send its finished message under the new
1783 Dierks & Rescorla Standards Track [Page 33]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1786 Cipher Spec. At this point, the handshake is complete and the client
1787 and server may begin to exchange application layer data. (See flow
1788 chart below.) Application data MUST NOT be sent prior to the
1789 completion of the first handshake (before a cipher suite other
1790 TLS_NULL_WITH_NULL_NULL is established).
1791 Client Server
1793 ClientHello -------->
1794 ServerHello
1795 Certificate*
1796 CertificateStatus*
1797 ServerKeyExchange*
1798 CertificateRequest*
1799 <-------- ServerHelloDone
1800 Certificate*
1801 CertificateURL*
1802 ClientKeyExchange
1803 CertificateVerify*
1804 [ChangeCipherSpec]
1805 Finished -------->
1806 [ChangeCipherSpec]
1807 <-------- Finished
1808 Application Data <-------> Application Data
1810 Fig. 1 - Message flow for a full handshake
1812 * Indicates optional or situation-dependent messages that are not
1813 always sent.
1815 Note: To help avoid pipeline stalls, ChangeCipherSpec is an
1816 independent TLS Protocol content type, and is not actually a TLS
1817 handshake message.
1819 When the client and server decide to resume a previous session or
1820 duplicate an existing session (instead of negotiating new security
1821 parameters) the message flow is as follows:
1823 The client sends a ClientHello using the Session ID of the session to
1824 be resumed. The server then checks its session cache for a match. If
1825 a match is found, and the server is willing to re-establish the
1826 connection under the specified session state, it will send a
1827 ServerHello with the same Session ID value. At this point, both
1828 client and server MUST send change cipher spec messages and proceed
1829 directly to finished messages. Once the re-establishment is complete,
1830 the client and server MAY begin to exchange application layer data.
1831 (See flow chart below.) If a Session ID match is not found, the
1832 server generates a new session ID and the TLS client and server
1833 perform a full handshake.
1837 Dierks & Rescorla Standards Track [Page 34]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1840 Client Server
1842 ClientHello -------->
1843 ServerHello
1844 [ChangeCipherSpec]
1845 <-------- Finished
1846 [ChangeCipherSpec]
1847 Finished -------->
1848 Application Data <-------> Application Data
1850 Fig. 2 - Message flow for an abbreviated handshake
1852 The contents and significance of each message will be presented in
1853 detail in the following sections.
1855 7.4. Handshake protocol
1857 The TLS Handshake Protocol is one of the defined higher level clients
1858 of the TLS Record Protocol. This protocol is used to negotiate the
1859 secure attributes of a session. Handshake messages are supplied to
1860 the TLS Record Layer, where they are encapsulated within one or more
1861 TLSPlaintext structures, which are processed and transmitted as
1862 specified by the current active session state.
1864 enum {
1865 hello_request(0), client_hello(1), server_hello(2),
1866 certificate(11), server_key_exchange (12),
1867 certificate_request(13), server_hello_done(14),
1868 certificate_verify(15), client_key_exchange(16),
1869 finished(20), certificate_url(21), certificate_status(22),
1870 (255)
1871 } HandshakeType;
1873 struct {
1874 HandshakeType msg_type; /* handshake type */
1875 uint24 length; /* bytes in message */
1876 select (HandshakeType) {
1877 case hello_request: HelloRequest;
1878 case client_hello: ClientHello;
1879 case server_hello: ServerHello;
1880 case certificate: Certificate;
1881 case server_key_exchange: ServerKeyExchange;
1882 case certificate_request: CertificateRequest;
1883 case server_hello_done: ServerHelloDone;
1884 case certificate_verify: CertificateVerify;
1885 case client_key_exchange: ClientKeyExchange;
1886 case finished: Finished;
1887 case certificate_url: CertificateURL;
1891 Dierks & Rescorla Standards Track [Page 35]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1894 case certificate_status: CertificateStatus;
1895 } body;
1896 } Handshake;
1898 The handshake protocol messages are presented below in the order they
1899 MUST be sent; sending handshake messages in an unexpected order
1900 results in a fatal error. Unneeded handshake messages can be omitted,
1901 however. Note one exception to the ordering: the Certificate message
1902 is used twice in the handshake (from server to client, then from
1903 client to server), but described only in its first position. The one
1904 message which is not bound by these ordering rules is the Hello
1905 Request message, which can be sent at any time, but which should be
1906 ignored by the client if it arrives in the middle of a handshake.
1908 New Handshake message type values MUST be defined via RFC 2434
1909 Standards Action. See Section 11 for IANA Considerations for these
1910 values.
1912 7.4.1. Hello messages
1914 The hello phase messages are used to exchange security enhancement
1915 capabilities between the client and server. When a new session
1916 begins, the Record Layer's connection state encryption, hash, and
1917 compression algorithms are initialized to null. The current
1918 connection state is used for renegotiation messages.
1920 7.4.1.1. Hello request
1922 When this message will be sent:
1923 The hello request message MAY be sent by the server at any time.
1925 Meaning of this message:
1926 Hello request is a simple notification that the client should
1927 begin the negotiation process anew by sending a client hello
1928 message when convenient. This message will be ignored by the
1929 client if the client is currently negotiating a session. This
1930 message may be ignored by the client if it does not wish to
1931 renegotiate a session, or the client may, if it wishes, respond
1932 with a no_renegotiation alert. Since handshake messages are
1933 intended to have transmission precedence over application data,
1934 it is expected that the negotiation will begin before no more
1935 than a few records are received from the client. If the server
1936 sends a hello request but does not receive a client hello in
1937 response, it may close the connection with a fatal alert.
1939 After sending a hello request, servers SHOULD not repeat the request
1940 until the subsequent handshake negotiation is complete.
1945 Dierks & Rescorla Standards Track [Page 36]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
1948 Structure of this message:
1949 struct { } HelloRequest;
1951 Note: This message MUST NOT be included in the message hashes which are
1952 maintained throughout the handshake and used in the finished
1953 messages and the certificate verify message.
1955 7.4.1.2. Client hello
1957 When this message will be sent:
1958 When a client first connects to a server it is required to send
1959 the client hello as its first message. The client can also send a
1960 client hello in response to a hello request or on its own
1961 initiative in order to renegotiate the security parameters in an
1962 existing connection.
1964 Structure of this message:
1965 The client hello message includes a random structure, which is
1966 used later in the protocol.
1968 struct {
1969 uint32 gmt_unix_time;
1970 opaque random_bytes[28];
1971 } Random;
1973 gmt_unix_time
1974 The current time and date in standard UNIX 32-bit format (seconds
1975 since the midnight starting Jan 1, 1970, GMT, ignoring leap
1976 seconds) according to the sender's internal clock. Clocks are not
1977 required to be set correctly by the basic TLS Protocol; higher
1978 level or application protocols may define additional
1979 requirements.
1981 random_bytes
1982 28 bytes generated by a secure random number generator.
1984 The client hello message includes a variable length session
1985 identifier. If not empty, the value identifies a session between the
1986 same client and server whose security parameters the client wishes to
1987 reuse. The session identifier MAY be from an earlier connection, this
1988 connection, or another currently active connection. The second option
1989 is useful if the client only wishes to update the random structures
1990 and derived values of a connection, while the third option makes it
1991 possible to establish several independent secure connections without
1992 repeating the full handshake protocol. These independent connections
1993 may occur sequentially or simultaneously; a SessionID becomes valid
1994 when the handshake negotiating it completes with the exchange of
1995 Finished messages and persists until removed due to aging or because
1999 Dierks & Rescorla Standards Track [Page 37]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2002 a fatal error was encountered on a connection associated with the
2003 session. The actual contents of the SessionID are defined by the
2004 server.
2006 opaque SessionID<0..32>;
2008 Warning:
2009 Because the SessionID is transmitted without encryption or
2010 immediate MAC protection, servers MUST not place confidential
2011 information in session identifiers or let the contents of fake
2012 session identifiers cause any breach of security. (Note that the
2013 content of the handshake as a whole, including the SessionID, is
2014 protected by the Finished messages exchanged at the end of the
2015 handshake.)
2017 The CipherSuite list, passed from the client to the server in the
2018 client hello message, contains the combinations of cryptographic
2019 algorithms supported by the client in order of the client's
2020 preference (favorite choice first). Each CipherSuite defines a key
2021 exchange algorithm, a bulk encryption algorithm (including secret key
2022 length) and a MAC algorithm. The server will select a cipher suite
2023 or, if no acceptable choices are presented, return a handshake
2024 failure alert and close the connection.
2026 uint8 CipherSuite[2]; /* Cryptographic suite selector */
2028 The client hello includes a list of compression algorithms supported
2029 by the client, ordered according to the client's preference.
2031 enum { null(0), (255) } CompressionMethod;
2033 struct {
2034 ProtocolVersion client_version;
2035 Random random;
2036 SessionID session_id;
2037 CipherSuite cipher_suites<2..2^16-1>;
2038 CompressionMethod compression_methods<1..2^8-1>;
2039 } ClientHello;
2041 If the client wishes to use extensions (see Section XXX),
2042 it may send an ExtendedClientHello:
2044 struct {
2045 ProtocolVersion client_version;
2046 Random random;
2047 SessionID session_id;
2048 CipherSuite cipher_suites<2..2^16-1>;
2049 CompressionMethod compression_methods<1..2^8-1>;
2053 Dierks & Rescorla Standards Track [Page 38]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2056 Extension client_hello_extension_list<0..2^16-1>;
2057 } ExtendedClientHello;
2059 These two messages can be distinguished by determining whether there
2060 are bytes following what would be the end of the ClientHello.
2063 client_version
2064 The version of the TLS protocol by which the client wishes to
2065 communicate during this session. This SHOULD be the latest
2066 (highest valued) version supported by the client. For this
2067 version of the specification, the version will be 3.2 (See
2068 Appendix E for details about backward compatibility).
2070 random
2071 A client-generated random structure.
2073 session_id
2074 The ID of a session the client wishes to use for this connection.
2075 This field should be empty if no session_id is available or the
2076 client wishes to generate new security parameters.
2078 cipher_suites
2079 This is a list of the cryptographic options supported by the
2080 client, with the client's first preference first. If the
2081 session_id field is not empty (implying a session resumption
2082 request) this vector MUST include at least the cipher_suite from
2083 that session. Values are defined in Appendix A.5.
2085 compression_methods
2086 This is a list of the compression methods supported by the
2087 client, sorted by client preference. If the session_id field is
2088 not empty (implying a session resumption request) it must include
2089 the compression_method from that session. This vector must
2090 contain, and all implementations must support,
2091 CompressionMethod.null. Thus, a client and server will always be
2092 able to agree on a compression method.
2094 client_hello_extension_list
2095 Clients MAY request extended functionality from servers by
2096 sending data in the client_hello_extension_list. Here the new
2097 "client_hello_extension_list" field contains a list of
2098 extensions. The actual "Extension" format is defined in Section
2099 XXX.
2101 In the event that a client requests additional functionality
2102 using the extended client hello, and this functionality is not
2103 supplied by the server, the client MAY abort the handshake.
2107 Dierks & Rescorla Standards Track [Page 39]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2110 A server that supports the extensions mechanism MUST accept only
2111 client hello messages in either the original or extended
2112 ClientHello ormat, and (as for all other messages) MUST check
2113 that the amount of data in the message precisely matches one of
2114 these formats; if not then it MUST send a fatal "decode_error"
2115 alert.
2118 After sending the client hello message, the client waits for a server
2119 hello message. Any other handshake message returned by the server
2120 except for a hello request is treated as a fatal error.
2123 7.4.1.3. Server hello
2125 When this message will be sent:
2126 The server will send this message in response to a client hello
2127 message when it was able to find an acceptable set of algorithms. If
2128 it cannot find such a match, it will respond with a handshake failure
2129 alert.
2131 Structure of this message:
2132 struct {
2133 ProtocolVersion server_version;
2134 Random random;
2135 SessionID session_id;
2136 CipherSuite cipher_suite;
2137 CompressionMethod compression_method;
2138 } ServerHello;
2140 If the server is sending an extension, it should use the
2141 ExtendedServerHello:
2143 struct {
2144 ProtocolVersion server_version;
2145 Random random;
2146 SessionID session_id;
2147 CipherSuite cipher_suite;
2148 CompressionMethod compression_method;
2149 Extension server_hello_extension_list<0..2^16-1>;
2150 } ExtendedServerHello;
2152 These two messages can be distinguished by determining whether there
2153 are bytes following what would be the end of the ServerHello.
2161 Dierks & Rescorla Standards Track [Page 40]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2164 server_version
2165 This field will contain the lower of that suggested by the client in
2166 the client hello and the highest supported by the server. For this
2167 version of the specification, the version is 3.2 (See Appendix E for
2168 details about backward compatibility).
2170 random
2171 This structure is generated by the server and MUST be independently
2172 generated from the ClientHello.random.
2174 session_id
2175 This is the identity of the session corresponding to this connection.
2176 If the ClientHello.session_id was non-empty, the server will look in
2177 its session cache for a match. If a match is found and the server is
2178 willing to establish the new connection using the specified session
2179 state, the server will respond with the same value as was supplied by
2180 the client. This indicates a resumed session and dictates that the
2181 parties must proceed directly to the finished messages. Otherwise
2182 this field will contain a different value identifying the new
2183 session. The server may return an empty session_id to indicate that
2184 the session will not be cached and therefore cannot be resumed. If a
2185 session is resumed, it must be resumed using the same cipher suite it
2186 was originally negotiated with.
2188 cipher_suite
2189 The single cipher suite selected by the server from the list in
2190 ClientHello.cipher_suites. For resumed sessions this field is the
2191 value from the state of the session being resumed.
2193 compression_method
2194 The single compression algorithm selected by the server from the list
2195 in ClientHello.compression_methods. For resumed sessions this field
2196 is the value from the resumed session state.
2198 server_hello_extension_list
2199 A list of extensions. Note that only extensions offered by the client
2200 can appear in the server's list.
2202 7.4.1.4 Hello Extensions
2204 The extension format for extended client hellos and extended server
2205 hellos is:
2207 struct {
2208 ExtensionType extension_type;
2209 opaque extension_data<0..2^16-1>;
2210 } Extension;
2215 Dierks & Rescorla Standards Track [Page 41]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2218 Here:
2220 - "extension_type" identifies the particular extension type.
2222 - "extension_data" contains information specific to the particular
2223 extension type.
2225 The extension types defined in this document are:
2227 enum {
2228 server_name(0), max_fragment_length(1),
2229 client_certificate_url(2), trusted_ca_keys(3),
2230 truncated_hmac(4), status_request(5),
2231 cert_hash_types(6), (65535)
2232 } ExtensionType;
2234 The list of defined extension types is maintained by the IANA. The
2235 current list can be found at (http://www.iana.org/assignments/tls-
2236 extensions). See sections 7.4.1.4.8 and 11.1 for more information on
2237 how new values are added.
2239 Note that for all extension types (including those defined in
2240 future), the extension type MUST NOT appear in the extended server
2241 hello unless the same extension type appeared in the corresponding
2242 client hello. Thus clients MUST abort the handshake if they receive
2243 an extension type in the extended server hello that they did not
2244 request in the associated (extended) client hello.
2246 Nonetheless "server oriented" extensions may be provided in the
2247 future within this framework - such an extension, say of type x,
2248 would require the client to first send an extension of type x in the
2249 (extended) client hello with empty extension_data to indicate that it
2250 supports the extension type. In this case the client is offering the
2251 capability to understand the extension type, and the server is taking
2252 the client up on its offer.
2254 Also note that when multiple extensions of different types are
2255 present in the extended client hello or the extended server hello,
2256 the extensions may appear in any order. There MUST NOT be more than
2257 one extension of the same type.
2259 An extended client hello may be sent both when starting a new session
2260 and when requesting session resumption. Indeed a client that
2261 requests resumption of a session does not in general know whether the
2262 server will accept this request, and therefore it SHOULD send an
2263 extended client hello if it would normally do so for a new session.
2264 In general the specification of each extension type must include a
2265 discussion of the effect of the extension both during new sessions
2269 Dierks & Rescorla Standards Track [Page 42]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2272 and during resumed sessions.
2274 Note also that all the extensions defined in this document are
2275 relevant only when a session is initiated. When a client includes one
2276 or more of the defined extension types in an extended client hello
2277 while requesting session resumption:
2279 - If the resumption request is denied, the use of the extensions
2280 is negotiated as normal.
2282 - If, on the other hand, the older session is resumed, then the
2283 server MUST ignore the extensions and send a server hello
2284 containing none of the extension types; in this case the
2285 functionality of these extensions negotiated during the original
2286 session initiation is applied to the resumed session.
2288 7.4.1.4.1 Server Name Indication
2290 [TLS1.1] does not provide a mechanism for a client to tell a server
2291 the name of the server it is contacting. It may be desirable for
2292 clients to provide this information to facilitate secure connections
2293 to servers that host multiple 'virtual' servers at a single
2294 underlying network address.
2296 In order to provide the server name, clients MAY include an extension
2297 of type "server_name" in the (extended) client hello. The
2298 "extension_data" field of this extension SHALL contain
2299 "ServerNameList" where:
2301 struct {
2302 NameType name_type;
2303 select (name_type) {
2304 case host_name: HostName;
2305 } name;
2306 } ServerName;
2308 enum {
2309 host_name(0), (255)
2310 } NameType;
2312 opaque HostName<1..2^16-1>;
2314 struct {
2315 ServerName server_name_list<1..2^16-1>
2316 } ServerNameList;
2318 Currently the only server names supported are DNS hostnames, however
2319 this does not imply any dependency of TLS on DNS, and other name
2323 Dierks & Rescorla Standards Track [Page 43]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2326 types may be added in the future (by an RFC that Updates this
2327 document). TLS MAY treat provided server names as opaque data and
2328 pass the names and types to the application.
2330 "HostName" contains the fully qualified DNS hostname of the server,
2331 as understood by the client. The hostname is represented as a byte
2332 string using UTF-8 encoding [UTF8], without a trailing dot.
2334 If the hostname labels contain only US-ASCII characters, then the
2335 client MUST ensure that labels are separated only by the byte 0x2E,
2336 representing the dot character U+002E (requirement 1 in section 3.1
2337 of [IDNA] notwithstanding). If the server needs to match the HostName
2338 against names that contain non-US-ASCII characters, it MUST perform
2339 the conversion operation described in section 4 of [IDNA], treating
2340 the HostName as a "query string" (i.e. the AllowUnassigned flag MUST
2341 be set). Note that IDNA allows labels to be separated by any of the
2342 Unicode characters U+002E, U+3002, U+FF0E, and U+FF61, therefore
2343 servers MUST accept any of these characters as a label separator. If
2344 the server only needs to match the HostName against names containing
2345 exclusively ASCII characters, it MUST compare ASCII names case-
2346 insensitively.
2348 Literal IPv4 and IPv6 addresses are not permitted in "HostName". It
2349 is RECOMMENDED that clients include an extension of type
2350 "server_name" in the client hello whenever they locate a server by a
2351 supported name type.
2353 A server that receives a client hello containing the "server_name"
2354 extension, MAY use the information contained in the extension to
2355 guide its selection of an appropriate certificate to return to the
2356 client, and/or other aspects of security policy. In this event, the
2357 server SHALL include an extension of type "server_name" in the
2358 (extended) server hello. The "extension_data" field of this
2359 extension SHALL be empty.
2361 If the server understood the client hello extension but does not
2362 recognize the server name, it SHOULD send an "unrecognized_name"
2363 alert (which MAY be fatal).
2365 If an application negotiates a server name using an application
2366 protocol, then upgrades to TLS, and a server_name extension is sent,
2367 then the extension SHOULD contain the same name that was negotiated
2368 in the application protocol. If the server_name is established in
2369 the TLS session handshake, the client SHOULD NOT attempt to request a
2370 different server name at the application layer.
2372 7.4.1.4.2 Maximum Fragment Length Negotiation
2377 Dierks & Rescorla Standards Track [Page 44]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2380 By default, TLS uses fixed maximum plaintext fragment length of 2^14
2381 bytes. It may be desirable for constrained clients to negotiate a
2382 smaller maximum fragment length due to memory limitations or
2383 bandwidth limitations.
2385 In order to negotiate smaller maximum fragment lengths, clients MAY
2386 include an extension of type "max_fragment_length" in the (extended)
2387 client hello. The "extension_data" field of this extension SHALL
2388 contain:
2390 enum{
2391 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
2392 } MaxFragmentLength;
2394 whose value is the desired maximum fragment length. The allowed
2395 values for this field are: 2^9, 2^10, 2^11, and 2^12.
2397 Servers that receive an extended client hello containing a
2398 "max_fragment_length" extension, MAY accept the requested maximum
2399 fragment length by including an extension of type
2400 "max_fragment_length" in the (extended) server hello. The
2401 "extension_data" field of this extension SHALL contain
2402 "MaxFragmentLength" whose value is the same as the requested maximum
2403 fragment length.
2405 If a server receives a maximum fragment length negotiation request
2406 for a value other than the allowed values, it MUST abort the
2407 handshake with an "illegal_parameter" alert. Similarly, if a client
2408 receives a maximum fragment length negotiation response that differs
2409 from the length it requested, it MUST also abort the handshake with
2410 an "illegal_parameter" alert.
2412 Once a maximum fragment length other than 2^14 has been successfully
2413 negotiated, the client and server MUST immediately begin fragmenting
2414 messages (including handshake messages), to ensure that no fragment
2415 larger than the negotiated length is sent. Note that TLS already
2416 requires clients and servers to support fragmentation of handshake
2417 messages.
2419 The negotiated length applies for the duration of the session
2420 including session resumptions.
2422 The negotiated length limits the input that the record layer may
2423 process without fragmentation (that is, the maximum value of
2424 TLSPlaintext.length; see [TLS] section 6.2.1). Note that the output
2425 of the record layer may be larger. For example, if the negotiated
2426 length is 2^9=512, then for currently defined cipher suites and when
2427 null compression is used, the record layer output can be at most 793
2431 Dierks & Rescorla Standards Track [Page 45]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2434 bytes: 5 bytes of headers, 512 bytes of application data, 256 bytes
2435 of padding, and 20 bytes of MAC. That means that in this event a TLS
2436 record layer peer receiving a TLS record layer message larger than
2437 793 bytes may discard the message and send a "record_overflow" alert,
2438 without decrypting the message.
2440 7.4.1.4.3 Client Certificate URLs
2442 Ordinarily, when client authentication is performed, client
2443 certificates are sent by clients to servers during the TLS handshake.
2444 It may be desirable for constrained clients to send certificate URLs
2445 in place of certificates, so that they do not need to store their
2446 certificates and can therefore save memory.
2448 In order to negotiate to send certificate URLs to a server, clients
2449 MAY include an extension of type "client_certificate_url" in the
2450 (extended) client hello. The "extension_data" field of this
2451 extension SHALL be empty.
2453 (Note that it is necessary to negotiate use of client certificate
2454 URLs in order to avoid "breaking" existing TLS 1.0 servers.)
2456 Servers that receive an extended client hello containing a
2457 "client_certificate_url" extension, MAY indicate that they are
2458 willing to accept certificate URLs by including an extension of type
2459 "client_certificate_url" in the (extended) server hello. The
2460 "extension_data" field of this extension SHALL be empty.
2462 After negotiation of the use of client certificate URLs has been
2463 successfully completed (by exchanging hellos including
2464 "client_certificate_url" extensions), clients MAY send a
2465 "CertificateURL" message in place of a "Certificate" message. See
2466 Section XXX.
2468 7.4.1.4.4 Trusted CA Indication
2470 Constrained clients that, due to memory limitations, possess only a
2471 small number of CA root keys, may wish to indicate to servers which
2472 root keys they possess, in order to avoid repeated handshake
2473 failures.
2475 In order to indicate which CA root keys they possess, clients MAY
2476 include an extension of type "trusted_ca_keys" in the (extended)
2477 client hello. The "extension_data" field of this extension SHALL
2478 contain "TrustedAuthorities" where:
2480 struct {
2481 TrustedAuthority trusted_authorities_list<0..2^16-1>;
2485 Dierks & Rescorla Standards Track [Page 46]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2488 } TrustedAuthorities;
2490 struct {
2491 IdentifierType identifier_type;
2492 select (identifier_type) {
2493 case pre_agreed: struct {};
2494 case key_sha1_hash: SHA1Hash;
2495 case x509_name: DistinguishedName;
2496 case cert_sha1_hash: SHA1Hash;
2497 } identifier;
2498 } TrustedAuthority;
2500 enum {
2501 pre_agreed(0), key_sha1_hash(1), x509_name(2),
2502 cert_sha1_hash(3), (255)
2503 } IdentifierType;
2505 opaque DistinguishedName<1..2^16-1>;
2507 Here "TrustedAuthorities" provides a list of CA root key identifiers
2508 that the client possesses. Each CA root key is identified via
2509 either:
2511 - "pre_agreed" - no CA root key identity supplied.
2513 - "key_sha1_hash" - contains the SHA-1 hash of the CA root key.
2514 For
2515 DSA and ECDSA keys, this is the hash of the "subjectPublicKey"
2516 value. For RSA keys, the hash is of the big-endian byte string
2517 representation of the modulus without any initial 0-valued bytes.
2518 (This copies the key hash formats deployed in other
2519 environments.)
2521 - "x509_name" - contains the DER-encoded X.509 DistinguishedName
2522 of
2523 the CA.
2525 - "cert_sha1_hash" - contains the SHA-1 hash of a DER-encoded
2526 Certificate containing the CA root key.
2528 Note that clients may include none, some, or all of the CA root keys
2529 they possess in this extension.
2531 Note also that it is possible that a key hash or a Distinguished Name
2532 alone may not uniquely identify a certificate issuer - for example if
2533 a particular CA has multiple key pairs - however here we assume this
2534 is the case following the use of Distinguished Names to identify
2535 certificate issuers in TLS.
2539 Dierks & Rescorla Standards Track [Page 47]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2542 The option to include no CA root keys is included to allow the client
2543 to indicate possession of some pre-defined set of CA root keys.
2545 Servers that receive a client hello containing the "trusted_ca_keys"
2546 extension, MAY use the information contained in the extension to
2547 guide their selection of an appropriate certificate chain to return
2548 to the client. In this event, the server SHALL include an extension
2549 of type "trusted_ca_keys" in the (extended) server hello. The
2550 "extension_data" field of this extension SHALL be empty.
2552 7.4.1.4.5 Truncated HMAC
2554 Currently defined TLS cipher suites use the MAC construction HMAC
2555 with either MD5 or SHA-1 [HMAC] to authenticate record layer
2556 communications. In TLS the entire output of the hash function is
2557 used as the MAC tag. However it may be desirable in constrained
2558 environments to save bandwidth by truncating the output of the hash
2559 function to 80 bits when forming MAC tags.
2561 In order to negotiate the use of 80-bit truncated HMAC, clients MAY
2562 include an extension of type "truncated_hmac" in the extended client
2563 hello. The "extension_data" field of this extension SHALL be empty.
2565 Servers that receive an extended hello containing a "truncated_hmac"
2566 extension, MAY agree to use a truncated HMAC by including an
2567 extension of type "truncated_hmac", with empty "extension_data", in
2568 the extended server hello.
2570 Note that if new cipher suites are added that do not use HMAC, and
2571 the session negotiates one of these cipher suites, this extension
2572 will have no effect. It is strongly recommended that any new cipher
2573 suites using other MACs consider the MAC size as an integral part of
2574 the cipher suite definition, taking into account both security and
2575 bandwidth considerations.
2577 If HMAC truncation has been successfully negotiated during a TLS
2578 handshake, and the negotiated cipher suite uses HMAC, both the client
2579 and the server pass this fact to the TLS record layer along with the
2580 other negotiated security parameters. Subsequently during the
2581 session, clients and servers MUST use truncated HMACs, calculated as
2582 specified in [HMAC]. That is, CipherSpec.hash_size is 10 bytes, and
2583 only the first 10 bytes of the HMAC output are transmitted and
2584 checked. Note that this extension does not affect the calculation of
2585 the PRF as part of handshaking or key derivation.
2587 The negotiated HMAC truncation size applies for the duration of the
2588 session including session resumptions.
2593 Dierks & Rescorla Standards Track [Page 48]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2596 7.4.1.4.6 Certificate Status Request
2598 Constrained clients may wish to use a certificate-status protocol
2599 such as OCSP [OCSP] to check the validity of server certificates, in
2600 order to avoid transmission of CRLs and therefore save bandwidth on
2601 constrained networks. This extension allows for such information to
2602 be sent in the TLS handshake, saving roundtrips and resources.
2604 In order to indicate their desire to receive certificate status
2605 information, clients MAY include an extension of type
2606 "status_request" in the (extended) client hello. The
2607 "extension_data" field of this extension SHALL contain
2608 "CertificateStatusRequest" where:
2610 struct {
2611 CertificateStatusType status_type;
2612 select (status_type) {
2613 case ocsp: OCSPStatusRequest;
2614 } request;
2615 } CertificateStatusRequest;
2617 enum { ocsp(1), (255) } CertificateStatusType;
2619 struct {
2620 ResponderID responder_id_list<0..2^16-1>;
2621 Extensions request_extensions;
2622 } OCSPStatusRequest;
2624 opaque ResponderID<1..2^16-1>;
2626 In the OCSPStatusRequest, the "ResponderIDs" provides a list of OCSP
2627 responders that the client trusts. A zero-length "responder_id_list"
2628 sequence has the special meaning that the responders are implicitly
2629 known to the server - e.g., by prior arrangement. "Extensions" is a
2630 DER encoding of OCSP request extensions.
2632 Both "ResponderID" and "Extensions" are DER-encoded ASN.1 types as
2633 defined in [OCSP]. "Extensions" is imported from [PKIX]. A zero-
2634 length "request_extensions" value means that there are no extensions
2635 (as opposed to a zero-length ASN.1 SEQUENCE, which is not valid for
2636 the "Extensions" type).
2638 In the case of the "id-pkix-ocsp-nonce" OCSP extension, [OCSP] is
2639 unclear about its encoding; for clarification, the nonce MUST be a
2640 DER-encoded OCTET STRING, which is encapsulated as another OCTET
2641 STRING (note that implementations based on an existing OCSP client
2642 will need to be checked for conformance to this requirement).
2647 Dierks & Rescorla Standards Track [Page 49]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2650 Servers that receive a client hello containing the "status_request"
2651 extension, MAY return a suitable certificate status response to the
2652 client along with their certificate. If OCSP is requested, they
2653 SHOULD use the information contained in the extension when selecting
2654 an OCSP responder, and SHOULD include request_extensions in the OCSP
2655 request.
2657 Servers return a certificate response along with their certificate by
2658 sending a "CertificateStatus" message immediately after the
2659 "Certificate" message (and before any "ServerKeyExchange" or
2660 "CertificateRequest" messages). Section XXX describes the
2661 CertificateStatus message.
2663 7.4.1.4.7 Cert Hash Types
2665 The client MAY use the "cert_hash_types" to indicate to the server
2666 which hash functions may be used in the signature on the server's
2667 certificate. The "extension_data" field of this extension contains:
2669 enum{
2670 md5(0), sha1(1), sha256(2), sha384(3), sha512(4), (255)
2671 } HashType;
2673 struct {
2674 HashType<255> types;
2675 } CertHashTypes;
2677 These values indicate support for MD5 [MD5], SHA-1, SHA-256, SHA-384,
2678 and SHA-512 [SHA] respectively. The server MUST NOT send this
2679 extension.
2681 Clients SHOULD send this extension if they support any algorithm
2682 other than SHA-1. If this extension is not used, servers SHOULD
2683 assume that the client supports only SHA-1. Note: this is a change
2684 from TLS 1.1 where there are no explicit rules but as a practical
2685 matter one can assume that the peer supports MD5 and SHA-1.
2687 HashType values are divided into three groups:
2689 1. Values from 0 (zero) through 63 decimal (0x3F) inclusive are
2690 reserved for IETF Standards Track protocols.
2692 2. Values from 64 decimal (0x40) through 223 decimal (0xDF) inclusive
2693 are reserved for assignment for non-Standards Track methods.
2695 3. Values from 224 decimal (0xE0) through 255 decimal (0xFF)
2696 inclusive are reserved for private use.
2701 Dierks & Rescorla Standards Track [Page 50]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2704 Additional information describing the role of IANA in the
2705 allocation of HashType code points is described
2706 in Section 11.
2709 7.4.1.4.8 Procedure for Defining New Extensions
2711 The list of extension types, as defined in Section 2.3, is
2712 maintained by the Internet Assigned Numbers Authority (IANA). Thus
2713 an application needs to be made to the IANA in order to obtain a new
2714 extension type value. Since there are subtle (and not so subtle)
2715 interactions that may occur in this protocol between new features and
2716 existing features which may result in a significant reduction in
2717 overall security, new values SHALL be defined only through the IETF
2718 Consensus process specified in [IANA].
2720 (This means that new assignments can be made only via RFCs approved
2721 by the IESG.)
2723 The following considerations should be taken into account when
2724 designing new extensions:
2726 - All of the extensions defined in this document follow the
2727 convention that for each extension that a client requests and that
2728 the server understands, the server replies with an extension of
2729 the same type.
2731 - Some cases where a server does not agree to an extension are error
2732 conditions, and some simply a refusal to support a particular
2733 feature. In general error alerts should be used for the former,
2734 and a field in the server extension response for the latter.
2736 - Extensions should as far as possible be designed to prevent any
2737 attack that forces use (or non-use) of a particular feature by
2738 manipulation of handshake messages. This principle should be
2739 followed regardless of whether the feature is believed to cause a
2740 security problem.
2742 Often the fact that the extension fields are included in the
2743 inputs to the Finished message hashes will be sufficient, but
2744 extreme care is needed when the extension changes the meaning of
2745 messages sent in the handshake phase. Designers and implementors
2746 should be aware of the fact that until the handshake has been
2747 authenticated, active attackers can modify messages and insert,
2748 remove, or replace extensions.
2750 - It would be technically possible to use extensions to change major
2751 aspects of the design of TLS; for example the design of cipher
2755 Dierks & Rescorla Standards Track [Page 51]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2758 suite negotiation. This is not recommended; it would be more
2759 appropriate to define a new version of TLS - particularly since
2760 the TLS handshake algorithms have specific protection against
2761 version rollback attacks based on the version number, and the
2762 possibility of version rollback should be a significant
2763 consideration in any major design change.
2766 7.4.2. Server certificate
2768 When this message will be sent:
2769 The server MUST send a certificate whenever the agreed-upon key
2770 exchange method is not an anonymous one. This message will
2771 always immediately follow the server hello message.
2773 Meaning of this message:
2774 The certificate type MUST be appropriate for the selected cipher
2775 suite's key exchange algorithm, and is generally an X.509v3
2776 certificate. It MUST contain a key which matches the key
2777 exchange method, as follows. Unless otherwise specified, the
2778 signing
2779 algorithm for the certificate MUST be the same as the
2780 algorithm for the certificate key. Unless otherwise specified,
2781 the public key MAY be of any length.
2783 Key Exchange Algorithm Certificate Key Type
2785 RSA RSA public key; the certificate MUST
2786 allow the key to be used for encryption.
2788 DHE_DSS DSS public key.
2790 DHE_RSA RSA public key which can be used for
2791 signing.
2793 DH_DSS Diffie-Hellman key. The algorithm used
2794 to sign the certificate MUST be DSS.
2796 DH_RSA Diffie-Hellman key. The algorithm used
2797 to sign the certificate MUST be RSA.
2799 All certificate profiles, key and cryptographic formats are defined
2800 by the IETF PKIX working group [PKIX]. When a key usage extension is
2801 present, the digitalSignature bit MUST be set for the key to be
2802 eligible for signing, as described above, and the keyEncipherment bit
2803 MUST be present to allow encryption, as described above. The
2804 keyAgreement bit must be set on Diffie-Hellman certificates.
2809 Dierks & Rescorla Standards Track [Page 52]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2812 As CipherSuites which specify new key exchange methods are specified
2813 for the TLS Protocol, they will imply certificate format and the
2814 required encoded keying information.
2816 Structure of this message:
2817 opaque ASN.1Cert<1..2^24-1>;
2819 struct {
2820 ASN.1Cert certificate_list<0..2^24-1>;
2821 } Certificate;
2823 certificate_list
2824 This is a sequence (chain) of X.509v3 certificates. The sender's
2825 certificate must come first in the list. Each following
2826 certificate must directly certify the one preceding it. Because
2827 certificate validation requires that root keys be distributed
2828 independently, the self-signed certificate which specifies the
2829 root certificate authority may optionally be omitted from the
2830 chain, under the assumption that the remote end must already
2831 possess it in order to validate it in any case.
2833 The same message type and structure will be used for the client's
2834 response to a certificate request message. Note that a client MAY
2835 send no certificates if it does not have an appropriate certificate
2836 to send in response to the server's authentication request.
2838 Note: PKCS #7 [PKCS7] is not used as the format for the certificate
2839 vector because PKCS #6 [PKCS6] extended certificates are not
2840 used. Also PKCS #7 defines a SET rather than a SEQUENCE, making
2841 the task of parsing the list more difficult.
2843 7.4.3. Server key exchange message
2845 When this message will be sent:
2846 This message will be sent immediately after the server
2847 certificate message (or the server hello message, if this is an
2848 anonymous negotiation).
2850 The server key exchange message is sent by the server only when
2851 the server certificate message (if sent) does not contain enough
2852 data to allow the client to exchange a premaster secret. This is
2853 true for the following key exchange methods:
2855 DHE_DSS
2856 DHE_RSA
2857 DH_anon
2859 It is not legal to send the server key exchange message for the
2863 Dierks & Rescorla Standards Track [Page 53]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2866 following key exchange methods:
2868 RSA
2869 DH_DSS
2870 DH_RSA
2872 Meaning of this message:
2873 This message conveys cryptographic information to allow the
2874 client to communicate the premaster secret: either an RSA public
2875 key to encrypt the premaster secret with, or a Diffie-Hellman
2876 public key with which the client can complete a key exchange
2877 (with the result being the premaster secret.)
2879 As additional CipherSuites are defined for TLS which include new key
2880 exchange algorithms, the server key exchange message will be sent if
2881 and only if the certificate type associated with the key exchange
2882 algorithm does not provide enough information for the client to
2883 exchange a premaster secret.
2885 If the SignatureAlgorithm being used to sign the ServerKeyExchange
2886 message is DSA, the hash function used MUST be SHA-1. If the
2887 SignatureAlgorithm it must be the same hash function used in the
2888 signature of the server's certificate (found in the Certificate)
2889 message. This algorithm is denoted Hash below. Hash.length is the
2890 length of the output of that algorithm.
2892 Structure of this message:
2893 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
2895 struct {
2896 opaque rsa_modulus<1..2^16-1>;
2897 opaque rsa_exponent<1..2^16-1>;
2898 } ServerRSAParams;
2900 rsa_modulus
2901 The modulus of the server's temporary RSA key.
2903 rsa_exponent
2904 The public exponent of the server's temporary RSA key.
2906 struct {
2907 opaque dh_p<1..2^16-1>;
2908 opaque dh_g<1..2^16-1>;
2909 opaque dh_Ys<1..2^16-1>;
2910 } ServerDHParams; /* Ephemeral DH parameters */
2912 dh_p
2913 The prime modulus used for the Diffie-Hellman operation.
2917 Dierks & Rescorla Standards Track [Page 54]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2920 dh_g
2921 The generator used for the Diffie-Hellman operation.
2923 dh_Ys
2924 The server's Diffie-Hellman public value (g^X mod p).
2926 struct {
2927 select (KeyExchangeAlgorithm) {
2928 case diffie_hellman:
2929 ServerDHParams params;
2930 Signature signed_params;
2931 case rsa:
2932 ServerRSAParams params;
2933 Signature signed_params;
2934 };
2935 } ServerKeyExchange;
2937 struct {
2938 select (KeyExchangeAlgorithm) {
2939 case diffie_hellman:
2940 ServerDHParams params;
2941 case rsa:
2942 ServerRSAParams params;
2943 };
2944 } ServerParams;
2946 params
2947 The server's key exchange parameters.
2949 signed_params
2950 For non-anonymous key exchanges, a hash of the corresponding
2951 params value, with the signature appropriate to that hash
2952 applied.
2954 hash
2955 Hash(ClientHello.random + ServerHello.random + ServerParams)
2957 sha_hash
2958 SHA1(ClientHello.random + ServerHello.random + ServerParams)
2960 enum { anonymous, rsa, dsa } SignatureAlgorithm;
2963 struct {
2964 select (SignatureAlgorithm) {
2965 case anonymous: struct { };
2966 case rsa:
2967 digitally-signed struct {
2971 Dierks & Rescorla Standards Track [Page 55]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
2974 opaque hash[Hash.length];
2975 };
2976 case dsa:
2977 digitally-signed struct {
2978 opaque sha_hash[20];
2979 };
2980 };
2981 };
2982 } Signature;
2984 7.4.4. CertificateStatus
2986 If a server returns a
2987 "CertificateStatus" message, then the server MUST have included an
2988 extension of type "status_request" with empty "extension_data" in the
2989 extended server hello.
2991 struct {
2992 CertificateStatusType status_type;
2993 select (status_type) {
2994 case ocsp: OCSPResponse;
2995 } response;
2996 } CertificateStatus;
2998 opaque OCSPResponse<1..2^24-1>;
3000 An "ocsp_response" contains a complete, DER-encoded OCSP response
3001 (using the ASN.1 type OCSPResponse defined in [OCSP]). Note that
3002 only one OCSP response may be sent.
3004 The "CertificateStatus" message is conveyed using the handshake
3005 message type "certificate_status".
3007 Note that a server MAY also choose not to send a "CertificateStatus"
3008 message, even if it receives a "status_request" extension in the
3009 client hello message.
3011 Note in addition that servers MUST NOT send the "CertificateStatus"
3012 message unless it received a "status_request" extension in the client
3013 hello message.
3015 Clients requesting an OCSP response, and receiving an OCSP response
3016 in a "CertificateStatus" message MUST check the OCSP response and
3017 abort the handshake if the response is not satisfactory.
3020 7.4.5. Certificate request
3025 Dierks & Rescorla Standards Track [Page 56]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3028 When this message will be sent:
3029 A non-anonymous server can optionally request a certificate from
3030 the client, if appropriate for the selected cipher suite. This
3031 message, if sent, will immediately follow the Server Key Exchange
3032 message (if it is sent; otherwise, the Server Certificate
3033 message).
3035 Structure of this message:
3036 enum {
3037 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3038 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
3039 fortezza_dms_RESERVED(20),
3040 (255)
3041 } ClientCertificateType;
3044 opaque DistinguishedName<1..2^16-1>;
3046 struct {
3047 ClientCertificateType certificate_types<1..2^8-1>;
3048 HashType certificate_hash<1..2^8-1>;
3049 DistinguishedName certificate_authorities<0..2^16-1>;
3050 } CertificateRequest;
3052 certificate_types
3053 This field is a list of the types of certificates requested,
3054 sorted in order of the server's preference.
3056 certificate_types
3057 A list of the types of certificate types which the client may
3058 offer.
3059 rsa_sign a certificate containing an RSA key
3060 dss_sign a certificate containing a DSS key
3061 rsa_fixed_dh a certificate signed with RSA and containing
3062 a static DH key.
3063 dss_fixed_dh a certificate signed with DSS and containing
3064 a static DH key
3066 Certificate types rsa_sign and dss_sign SHOULD contain
3067 certificates signed with the same algorithm. However, this is
3068 not required. This is a holdover from TLS 1.0 and 1.1.
3071 certificate_hash
3072 A list of acceptable hash algorithms to be used in
3073 certificate signatures.
3075 certificate_authorities
3079 Dierks & Rescorla Standards Track [Page 57]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3082 A list of the distinguished names of acceptable certificate
3083 authorities. These distinguished names may specify a desired
3084 distinguished name for a root CA or for a subordinate CA;
3085 thus, this message can be used both to describe known roots
3086 and a desired authorization space. If the
3087 certificate_authorities list is empty then the client MAY
3088 send any certificate of the appropriate
3089 ClientCertificateType, unless there is some external
3090 arrangement to the contrary.
3092 ClientCertificateType values are divided into three groups:
3094 1. Values from 0 (zero) through 63 decimal (0x3F) inclusive are
3095 reserved for IETF Standards Track protocols.
3097 2. Values from 64 decimal (0x40) through 223 decimal (0xDF)
3098 inclusive are reserved for assignment for non-Standards
3099 Track methods.
3101 3. Values from 224 decimal (0xE0) through 255 decimal (0xFF)
3102 inclusive are reserved for private use.
3104 Additional information describing the role of IANA in the
3105 allocation of ClientCertificateType code points is described
3106 in Section 11.
3108 Note: Values listed as RESERVED may not be used. They were used in
3109 SSLv3.
3112 Note: DistinguishedName is derived from [X501]. DistinguishedNames are
3113 represented in DER-encoded format.
3115 Note: It is a fatal handshake_failure alert for an anonymous server to
3116 request client authentication.
3118 7.4.6. Server hello done
3120 When this message will be sent:
3121 The server hello done message is sent by the server to indicate
3122 the end of the server hello and associated messages. After
3123 sending this message the server will wait for a client response.
3125 Meaning of this message:
3126 This message means that the server is done sending messages to
3127 support the key exchange, and the client can proceed with its
3128 phase of the key exchange.
3133 Dierks & Rescorla Standards Track [Page 58]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3136 Upon receipt of the server hello done message the client SHOULD
3137 verify that the server provided a valid certificate if required
3138 and check that the server hello parameters are acceptable.
3140 Structure of this message:
3141 struct { } ServerHelloDone;
3143 7.4.7. Client certificate
3145 When this message will be sent:
3146 This is the first message the client can send after receiving a
3147 server hello done message. This message is only sent if the
3148 server requests a certificate. If no suitable certificate is
3149 available, the client SHOULD send a certificate message
3150 containing no certificates. That is, the certificate_list
3151 structure has a length of zero. If client authentication is
3152 required by the server for the handshake to continue, it may
3153 respond with a fatal handshake failure alert. Client certificates
3154 are sent using the Certificate structure defined in Section
3155 7.4.2.
3158 Note: When using a static Diffie-Hellman based key exchange method
3159 (DH_DSS or DH_RSA), if client authentication is requested, the
3160 Diffie-Hellman group and generator encoded in the client's
3161 certificate MUST match the server specified Diffie-Hellman
3162 parameters if the client's parameters are to be used for the key
3163 exchange.
3165 7.4.8. Client Certificate URLs
3167 After negotiation of the use of client certificate URLs has been
3168 successfully completed (by exchanging hellos including
3169 "client_certificate_url" extensions), clients MAY send a
3170 "CertificateURL" message in place of a "Certificate" message.
3172 enum {
3173 individual_certs(0), pkipath(1), (255)
3174 } CertChainType;
3176 enum {
3177 false(0), true(1)
3178 } Boolean;
3180 struct {
3181 CertChainType type;
3182 URLAndOptionalHash url_and_hash_list<1..2^16-1>;
3183 } CertificateURL;
3187 Dierks & Rescorla Standards Track [Page 59]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3190 struct {
3191 opaque url<1..2^16-1>;
3192 Boolean hash_present;
3193 select (hash_present) {
3194 case false: struct {};
3195 case true: SHA1Hash;
3196 } hash;
3197 } URLAndOptionalHash;
3199 opaque SHA1Hash[20];
3201 Here "url_and_hash_list" contains a sequence of URLs and optional
3202 hashes.
3204 When X.509 certificates are used, there are two possibilities:
3206 - if CertificateURL.type is "individual_certs", each URL refers to
3207 a single DER-encoded X.509v3 certificate, with the URL for the
3208 client's certificate first, or
3210 - if CertificateURL.type is "pkipath", the list contains a single
3211 URL referring to a DER-encoded certificate chain, using the type
3212 PkiPath described in Section 8.
3214 When any other certificate format is used, the specification that
3215 describes use of that format in TLS should define the encoding format
3216 of certificates or certificate chains, and any constraint on their
3217 ordering.
3219 The hash corresponding to each URL at the client's discretion is
3220 either not present or is the SHA-1 hash of the certificate or
3221 certificate chain (in the case of X.509 certificates, the DER-encoded
3222 certificate or the DER-encoded PkiPath).
3224 Note that when a list of URLs for X.509 certificates is used, the
3225 ordering of URLs is the same as that used in the TLS Certificate
3226 message (see [TLS] Section 7.4.2), but opposite to the order in which
3227 certificates are encoded in PkiPath. In either case, the self-signed
3228 root certificate MAY be omitted from the chain, under the assumption
3229 that the server must already possess it in order to validate it.
3231 Servers receiving "CertificateURL" SHALL attempt to retrieve the
3232 client's certificate chain from the URLs, and then process the
3233 certificate chain as usual. A cached copy of the content of any URL
3234 in the chain MAY be used, provided that a SHA-1 hash is present for
3235 that URL and it matches the hash of the cached copy.
3237 Servers that support this extension MUST support the http: URL scheme
3241 Dierks & Rescorla Standards Track [Page 60]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3244 for certificate URLs, and MAY support other schemes. Use of other
3245 schemes than "http", "https", or "ftp" may create unexpected
3246 problems.
3248 If the protocol used is HTTP, then the HTTP server can be configured
3249 to use the Cache-Control and Expires directives described in [HTTP]
3250 to specify whether and for how long certificates or certificate
3251 chains should be cached.
3253 The TLS server is not required to follow HTTP redirects when
3254 retrieving the certificates or certificate chain. The URLs used in
3255 this extension SHOULD therefore be chosen not to depend on such
3256 redirects.
3258 If the protocol used to retrieve certificates or certificate chains
3259 returns a MIME formatted response (as HTTP does), then the following
3260 MIME Content-Types SHALL be used: when a single X.509v3 certificate
3261 is returned, the Content-Type is "application/pkix-cert" [PKIOP], and
3262 when a chain of X.509v3 certificates is returned, the Content-Type is
3263 "application/pkix-pkipath" (see Section XXX).
3265 If a SHA-1 hash is present for an URL, then the server MUST check
3266 that the SHA-1 hash of the contents of the object retrieved from that
3267 URL (after decoding any MIME Content-Transfer-Encoding) matches the
3268 given hash. If any retrieved object does not have the correct SHA-1
3269 hash, the server MUST abort the handshake with a
3270 "bad_certificate_hash_value" alert.
3272 Note that clients may choose to send either "Certificate" or
3273 "CertificateURL" after successfully negotiating the option to send
3274 certificate URLs. The option to send a certificate is included to
3275 provide flexibility to clients possessing multiple certificates.
3277 If a server encounters an unreasonable delay in obtaining
3278 certificates in a given CertificateURL, it SHOULD time out and signal
3279 a "certificate_unobtainable" error alert.
3281 7.4.9. Client key exchange message
3283 When this message will be sent:
3284 This message is always sent by the client. It MUST immediately follow
3285 the client certificate message, if it is sent. Otherwise it MUST be
3286 the first message sent by the client after it receives the server
3287 hello done message.
3289 Meaning of this message:
3290 With this message, the premaster secret is set, either though direct
3291 transmission of the RSA-encrypted secret, or by the transmission of
3295 Dierks & Rescorla Standards Track [Page 61]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3298 Diffie-Hellman parameters which will allow each side to agree upon
3299 the same premaster secret. When the key exchange method is DH_RSA or
3300 DH_DSS, client certification has been requested, and the client was
3301 able to respond with a certificate which contained a Diffie-Hellman
3302 public key whose parameters (group and generator) matched those
3303 specified by the server in its certificate, this message MUST not
3304 contain any data.
3306 Structure of this message:
3307 The choice of messages depends on which key exchange method has been
3308 selected. See Section 7.4.3 for the KeyExchangeAlgorithm definition.
3310 struct {
3311 select (KeyExchangeAlgorithm) {
3312 case rsa: EncryptedPreMasterSecret;
3313 case diffie_hellman: ClientDiffieHellmanPublic;
3314 } exchange_keys;
3315 } ClientKeyExchange;
3317 7.4.9.1. RSA encrypted premaster secret message
3319 Meaning of this message:
3320 If RSA is being used for key agreement and authentication, the client
3321 generates a 48-byte premaster secret, encrypts it using the public
3322 key from the server's certificate or the temporary RSA key provided
3323 in a server key exchange message, and sends the result in an
3324 encrypted premaster secret message. This structure is a variant of
3325 the client key exchange message, not a message in itself.
3327 Structure of this message:
3328 struct {
3329 ProtocolVersion client_version;
3330 opaque random[46];
3331 } PreMasterSecret;
3333 client_version
3334 The latest (newest) version supported by the client. This is
3335 used to detect version roll-back attacks. Upon receiving the
3336 premaster secret, the server SHOULD check that this value
3337 matches the value transmitted by the client in the client
3338 hello message.
3340 random
3341 46 securely-generated random bytes.
3343 struct {
3344 public-key-encrypted PreMasterSecret pre_master_secret;
3345 } EncryptedPreMasterSecret;
3349 Dierks & Rescorla Standards Track [Page 62]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3352 pre_master_secret
3353 This random value is generated by the client and is used to
3354 generate the master secret, as specified in Section 8.1.
3356 Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used
3357 to attack a TLS server which is using PKCS#1 v 1.5 encoded RSA.
3358 The attack takes advantage of the fact that by failing in
3359 different ways, a TLS server can be coerced into revealing
3360 whether a particular message, when decrypted, is properly PKCS#1
3361 v1.5 formatted or not.
3363 The best way to avoid vulnerability to this attack is to treat
3364 incorrectly formatted messages in a manner indistinguishable from
3365 correctly formatted RSA blocks. Thus, when it receives an
3366 incorrectly formatted RSA block, a server should generate a
3367 random 48-byte value and proceed using it as the premaster
3368 secret. Thus, the server will act identically whether the
3369 received RSA block is correctly encoded or not.
3371 [PKCS1B] defines a newer version of PKCS#1 encoding that is more
3372 secure against the Bleichenbacher attack. However, for maximal
3373 compatibility with TLS 1.0, TLS 1.1 retains the original
3374 encoding. No variants of the Bleichenbacher attack are known to
3375 exist provided that the above recommendations are followed.
3377 Implementation Note: public-key-encrypted data is represented as an
3378 opaque vector <0..2^16-1> (see section 4.7). Thus the RSA-
3379 encrypted PreMasterSecret in a ClientKeyExchange is preceded by
3380 two length bytes. These bytes are redundant in the case of RSA
3381 because the EncryptedPreMasterSecret is the only data in the
3382 ClientKeyExchange and its length can therefore be unambiguously
3383 determined. The SSLv3 specification was not clear about the
3384 encoding of public-key-encrypted data and therefore many SSLv3
3385 implementations do not include the the length bytes, encoding the
3386 RSA encrypted data directly in the ClientKeyExchange message.
3388 This specification requires correct encoding of the
3389 EncryptedPreMasterSecret complete with length bytes. The
3390 resulting PDU is incompatible with many SSLv3 implementations.
3391 Implementors upgrading from SSLv3 must modify their
3392 implementations to generate and accept the correct encoding.
3393 Implementors who wish to be compatible with both SSLv3 and TLS
3394 should make their implementation's behavior dependent on the
3395 protocol version.
3397 Implementation Note: It is now known that remote timing-based attacks
3398 on SSL are possible, at least when the client and server are on
3399 the same LAN. Accordingly, implementations which use static RSA
3403 Dierks & Rescorla Standards Track [Page 63]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3406 keys SHOULD use RSA blinding or some other anti-timing technique,
3407 as described in [TIMING].
3409 Note: The version number in the PreMasterSecret MUST be the version
3410 offered by the client in the ClientHello.version, not the version
3411 negotiated for the connection. This feature is designed to
3412 prevent rollback attacks. Unfortunately, many implementations use
3413 the negotiated version instead and therefore checking the version
3414 number may lead to failure to interoperate with such incorrect
3415 client implementations. Client implementations MUST and Server
3416 implementations MAY check the version number. In practice, since
3417 the TLS handshake MACs prevent downgrade and no good attacks are
3418 known on those MACs, ambiguity is not considered a serious
3419 security risk. Note that if servers choose to to check the
3420 version number, they should randomize the PreMasterSecret in case
3421 of error, rather than generate an alert, in order to avoid
3422 variants on the Bleichenbacher attack. [KPR03]
3424 7.4.9.2. Client Diffie-Hellman public value
3426 Meaning of this message:
3427 This structure conveys the client's Diffie-Hellman public value
3428 (Yc) if it was not already included in the client's certificate.
3429 The encoding used for Yc is determined by the enumerated
3430 PublicValueEncoding. This structure is a variant of the client
3431 key exchange message, not a message in itself.
3433 Structure of this message:
3434 enum { implicit, explicit } PublicValueEncoding;
3436 implicit
3437 If the client certificate already contains a suitable Diffie-
3438 Hellman key, then Yc is implicit and does not need to be sent
3439 again. In this case, the client key exchange message will be
3440 sent, but MUST be empty.
3442 explicit
3443 Yc needs to be sent.
3445 struct {
3446 select (PublicValueEncoding) {
3447 case implicit: struct { };
3448 case explicit: opaque dh_Yc<1..2^16-1>;
3449 } dh_public;
3450 } ClientDiffieHellmanPublic;
3452 dh_Yc
3453 The client's Diffie-Hellman public value (Yc).
3457 Dierks & Rescorla Standards Track [Page 64]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3460 7.4.10. Certificate verify
3462 When this message will be sent:
3463 This message is used to provide explicit verification of a client
3464 certificate. This message is only sent following a client
3465 certificate that has signing capability (i.e. all certificates
3466 except those containing fixed Diffie-Hellman parameters). When
3467 sent, it MUST immediately follow the client key exchange message.
3469 Structure of this message:
3470 struct {
3471 Signature signature;
3472 } CertificateVerify;
3474 The Signature type is defined in 7.4.3. If the SignatureAlgorithm
3475 is DSA, then the sha_hash value must be used. If it is RSA,
3476 the same function (denoted Hash) must be used as was used to
3477 create the signature for the client's certificate.
3479 CertificateVerify.signature.hash
3480 Hash(handshake_messages);
3482 CertificateVerify.signature.sha_hash
3483 SHA(handshake_messages);
3485 Here handshake_messages refers to all handshake messages sent or
3486 received starting at client hello up to but not including this
3487 message, including the type and length fields of the handshake
3488 messages. This is the concatenation of all the Handshake structures
3489 as defined in 7.4 exchanged thus far.
3491 7.4.10. Finished
3493 When this message will be sent:
3494 A finished message is always sent immediately after a change
3495 cipher spec message to verify that the key exchange and
3496 authentication processes were successful. It is essential that a
3497 change cipher spec message be received between the other
3498 handshake messages and the Finished message.
3500 Meaning of this message:
3501 The finished message is the first protected with the just-
3502 negotiated algorithms, keys, and secrets. Recipients of finished
3503 messages MUST verify that the contents are correct. Once a side
3504 has sent its Finished message and received and validated the
3505 Finished message from its peer, it may begin to send and receive
3506 application data over the connection.
3511 Dierks & Rescorla Standards Track [Page 65]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3514 struct {
3515 opaque verify_data[12];
3516 } Finished;
3518 verify_data
3519 PRF(master_secret, finished_label, Hash(handshake_messages))[0..11];
3521 finished_label
3522 For Finished messages sent by the client, the string "client
3523 finished". For Finished messages sent by the server, the
3524 string "server finished".
3526 Hash denotes the negotiated hash used for the PRF. If a new
3527 PRF is defined, then this hash MUST be specified.
3529 handshake_messages
3530 All of the data from all messages in this handshake (not
3531 including any HelloRequest messages) up to but not including
3532 this message. This is only data visible at the handshake
3533 layer and does not include record layer headers. This is the
3534 concatenation of all the Handshake structures as defined in
3535 7.4 exchanged thus far.
3537 It is a fatal error if a finished message is not preceded by a change
3538 cipher spec message at the appropriate point in the handshake.
3540 The value handshake_messages includes all handshake messages starting
3541 at client hello up to, but not including, this finished message. This
3542 may be different from handshake_messages in Section 7.4.10 because it
3543 would include the certificate verify message (if sent). Also, the
3544 handshake_messages for the finished message sent by the client will
3545 be different from that for the finished message sent by the server,
3546 because the one which is sent second will include the prior one.
3548 Note: Change cipher spec messages, alerts and any other record types
3549 are not handshake messages and are not included in the hash
3550 computations. Also, Hello Request messages are omitted from
3551 handshake hashes.
3553 8. Cryptographic computations
3555 In order to begin connection protection, the TLS Record Protocol
3556 requires specification of a suite of algorithms, a master secret, and
3557 the client and server random values. The authentication, encryption,
3558 and MAC algorithms are determined by the cipher_suite selected by the
3559 server and revealed in the server hello message. The compression
3560 algorithm is negotiated in the hello messages, and the random values
3561 are exchanged in the hello messages. All that remains is to calculate
3565 Dierks & Rescorla Standards Track [Page 66]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3568 the master secret.
3570 8.1. Computing the master secret
3572 For all key exchange methods, the same algorithm is used to convert
3573 the pre_master_secret into the master_secret. The pre_master_secret
3574 should be deleted from memory once the master_secret has been
3575 computed.
3577 master_secret = PRF(pre_master_secret, "master secret",
3578 ClientHello.random + ServerHello.random)
3579 [0..47];
3581 The master secret is always exactly 48 bytes in length. The length of
3582 the premaster secret will vary depending on key exchange method.
3584 8.1.1. RSA
3586 When RSA is used for server authentication and key exchange, a
3587 48-byte pre_master_secret is generated by the client, encrypted under
3588 the server's public key, and sent to the server. The server uses its
3589 private key to decrypt the pre_master_secret. Both parties then
3590 convert the pre_master_secret into the master_secret, as specified
3591 above.
3593 RSA digital signatures are performed using PKCS #1 [PKCS1] block type
3594 1. RSA public key encryption is performed using PKCS #1 block type 2.
3596 8.1.2. Diffie-Hellman
3598 A conventional Diffie-Hellman computation is performed. The
3599 negotiated key (Z) is used as the pre_master_secret, and is converted
3600 into the master_secret, as specified above. Leading bytes of Z that
3601 contain all zero bits are stripped before it is used as the
3602 pre_master_secret.
3604 Note: Diffie-Hellman parameters are specified by the server, and may
3605 be either ephemeral or contained within the server's certificate.
3607 9. Mandatory Cipher Suites
3609 In the absence of an application profile standard specifying
3610 otherwise, a TLS compliant application MUST implement the cipher
3611 suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
3613 10. Application data protocol
3615 Application data messages are carried by the Record Layer and are
3619 Dierks & Rescorla Standards Track [Page 67]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3622 fragmented, compressed and encrypted based on the current connection
3623 state. The messages are treated as transparent data to the record
3624 layer.
3626 11. IANA Considerations
3628 This document describes a number of new registries to be created by
3629 IANA. We recommend that they be placed as individual registries items
3630 under a common TLS category.
3632 Section 7.4.5 describes a TLS HashType Registry to be maintained by
3633 the IANA, as defining a number of such code point identifiers.
3634 HashType identifiers with values in the range 0-63 (decimal)
3635 inclusive are assigned via RFC 2434 Standards Action. Values from the
3636 range 64-223 (decimal) inclusive are assigned via [RFC 2434]
3637 Specification Required. Identifier values from 224-255 (decimal)
3638 inclusive are reserved for RFC 2434 Private Use. The registry will be
3639 initially populated with the values in this document, Section 7.4.5.
3641 Section 7.4.5 describes a TLS ClientCertificateType Registry to be
3642 maintained by the IANA, as defining a number of such code point
3643 identifiers. ClientCertificateType identifiers with values in the
3644 range 0-63 (decimal) inclusive are assigned via RFC 2434 Standards
3645 Action. Values from the range 64-223 (decimal) inclusive are assigned
3646 via [RFC 2434] Specification Required. Identifier values from
3647 224-255 (decimal) inclusive are reserved for RFC 2434 Private Use.
3648 The registry will be initially populated with the values in this
3649 document, Section 7.4.5.
3651 Section A.5 describes a TLS Cipher Suite Registry to be maintained by
3652 the IANA, as well as defining a number of such cipher suite
3653 identifiers. Cipher suite values with the first byte in the range
3654 0-191 (decimal) inclusive are assigned via RFC 2434 Standards Action.
3655 Values with the first byte in the range 192-254 (decimal) are
3656 assigned via RFC 2434 Specification Required. Values with the first
3657 byte 255 (decimal) are reserved for RFC 2434 Private Use. The
3658 registry will be initially populated with the values from Section A.5
3659 of this document, [TLSAES], and Section 3 of [TLSKRB].
3661 Section 6 requires that all ContentType values be defined by RFC 2434
3662 Standards Action. IANA SHOULD create a TLS ContentType registry,
3663 initially populated with values from Section 6.2.1 of this document.
3664 Future values MUST be allocated via Standards Action as described in
3665 [RFC 2434].
3667 Section 7.2.2 requires that all Alert values be defined by RFC 2434
3668 Standards Action. IANA SHOULD create a TLS Alert registry, initially
3669 populated with values from Section 7.2 of this document and Section 4
3673 Dierks & Rescorla Standards Track [Page 68]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3676 of [TLSEXT]. Future values MUST be allocated via Standards Action as
3677 described in [RFC 2434].
3679 Section 7.4 requires that all HandshakeType values be defined by RFC
3680 2434 Standards Action. IANA SHOULD create a TLS HandshakeType
3681 registry, initially populated with values from Section 7.4 of this
3682 document and Section 2.4 of [TLSEXT]. Future values MUST be
3683 allocated via Standards Action as described in [RFC2434].
3686 11.1 Extensions
3688 Sections XXX and XXX describes a registry of ExtensionType values to
3689 be maintained by the IANA. ExtensionType values are to be assigned
3690 via IETF Consensus as defined in RFC 2434 [IANA]. The initial
3691 registry corresponds to the definition of "ExtensionType" in Section
3692 2.3.
3694 The MIME type "application/pkix-pkipath" has been registered by the
3695 IANA with the following template:
3697 To: ietf-types@iana.org Subject: Registration of MIME media type
3698 application/pkix-pkipath
3700 MIME media type name: application
3701 MIME subtype name: pkix-pkipath
3703 Optional parameters: version (default value is "1")
3705 Encoding considerations:
3706 This MIME type is a DER encoding of the ASN.1 type PkiPath,
3707 defined as follows:
3708 PkiPath ::= SEQUENCE OF Certificate
3709 PkiPath is used to represent a certification path. Within the
3710 sequence, the order of certificates is such that the subject of
3711 the first certificate is the issuer of the second certificate,
3712 etc.
3714 This is identical to the definition published in [X509-4th-TC1];
3715 note that it is different from that in [X509-4th].
3717 All Certificates MUST conform to [PKIX]. (This should be
3718 interpreted as a requirement to encode only PKIX-conformant
3719 certificates using this type. It does not necessarily require
3720 that all certificates that are not strictly PKIX-conformant must
3721 be rejected by relying parties, although the security consequences
3722 of accepting any such certificates should be considered
3723 carefully.)
3727 Dierks & Rescorla Standards Track [Page 69]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3730 DER (as opposed to BER) encoding MUST be used. If this type is
3731 sent over a 7-bit transport, base64 encoding SHOULD be used.
3733 Security considerations:
3734 The security considerations of [X509-4th] and [PKIX] (or any
3735 updates to them) apply, as well as those of any protocol that uses
3736 this type (e.g., TLS).
3738 Note that this type only specifies a certificate chain that can be
3739 assessed for validity according to the relying party's existing
3740 configuration of trusted CAs; it is not intended to be used to
3741 specify any change to that configuration.
3743 Interoperability considerations:
3744 No specific interoperability problems are known with this type,
3745 but for recommendations relating to X.509 certificates in general,
3746 see [PKIX].
3748 Published specification: this memo, and [PKIX].
3750 Applications which use this media type: TLS. It may also be used by
3751 other protocols, or for general interchange of PKIX certificate
3753 Additional information:
3754 Magic number(s): DER-encoded ASN.1 can be easily recognized.
3755 Further parsing is required to distinguish from other ASN.1
3756 types.
3757 File extension(s): .pkipath
3758 Macintosh File Type Code(s): not specified
3760 Person & email address to contact for further information:
3761 Magnus Nystrom <magnus@rsasecurity.com>
3763 Intended usage: COMMON
3765 Change controller:
3766 IESG <iesg@ietf.org>
3781 Dierks & Rescorla Standards Track [Page 70]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3784 A. Protocol constant values
3786 This section describes protocol types and constants.
3788 A.1. Record layer
3790 struct {
3791 uint8 major, minor;
3792 } ProtocolVersion;
3794 ProtocolVersion version = { 3, 3 }; /* TLS v1.2*/
3796 enum {
3797 change_cipher_spec(20), alert(21), handshake(22),
3798 application_data(23), (255)
3799 } ContentType;
3801 struct {
3802 ContentType type;
3803 ProtocolVersion version;
3804 uint16 length;
3805 opaque fragment[TLSPlaintext.length];
3806 } TLSPlaintext;
3808 struct {
3809 ContentType type;
3810 ProtocolVersion version;
3811 uint16 length;
3812 opaque fragment[TLSCompressed.length];
3813 } TLSCompressed;
3815 struct {
3816 ContentType type;
3817 ProtocolVersion version;
3818 uint16 length;
3819 select (CipherSpec.cipher_type) {
3820 case stream: GenericStreamCipher;
3821 case block: GenericBlockCipher;
3822 } fragment;
3823 } TLSCiphertext;
3825 stream-ciphered struct {
3826 opaque content[TLSCompressed.length];
3827 opaque MAC[CipherSpec.hash_size];
3828 } GenericStreamCipher;
3830 block-ciphered struct {
3831 opaque IV[CipherSpec.block_length];
3835 Dierks & Rescorla Standards Track [Page 71]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3838 opaque content[TLSCompressed.length];
3839 opaque MAC[CipherSpec.hash_size];
3840 uint8 padding[GenericBlockCipher.padding_length];
3841 uint8 padding_length;
3842 } GenericBlockCipher;
3844 aead-ciphered struct {
3845 opaque IV[CipherSpec.iv_length];
3846 opaque aead_output[AEADEncrypted.length];
3847 } GenericAEADCipher;
3849 A.2. Change cipher specs message
3851 struct {
3852 enum { change_cipher_spec(1), (255) } type;
3853 } ChangeCipherSpec;
3855 A.3. Alert messages
3857 enum { warning(1), fatal(2), (255) } AlertLevel;
3859 enum {
3860 close_notify(0),
3861 unexpected_message(10),
3862 bad_record_mac(20),
3863 decryption_failed(21),
3864 record_overflow(22),
3865 decompression_failure(30),
3866 handshake_failure(40),
3867 no_certificate_RESERVED (41),
3868 bad_certificate(42),
3869 unsupported_certificate(43),
3870 certificate_revoked(44),
3871 certificate_expired(45),
3872 certificate_unknown(46),
3873 illegal_parameter(47),
3874 unknown_ca(48),
3875 access_denied(49),
3876 decode_error(50),
3877 decrypt_error(51),
3878 export_restriction_RESERVED(60),
3879 protocol_version(70),
3880 insufficient_security(71),
3881 internal_error(80),
3882 user_canceled(90),
3883 no_renegotiation(100),
3884 unsupported_extension(110), /* new */
3885 certificate_unobtainable(111), /* new */
3889 Dierks & Rescorla Standards Track [Page 72]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3892 unrecognized_name(112), /* new */
3893 bad_certificate_status_response(113), /* new */
3894 bad_certificate_hash_value(114), /* new */
3895 (255)
3896 } AlertDescription;
3898 struct {
3899 AlertLevel level;
3900 AlertDescription description;
3901 } Alert;
3943 Dierks & Rescorla Standards Track [Page 73]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
3946 A.4. Handshake protocol
3948 enum {
3949 hello_request(0), client_hello(1), server_hello(2),
3950 certificate(11), server_key_exchange (12),
3951 certificate_request(13), server_hello_done(14),
3952 certificate_verify(15), client_key_exchange(16),
3953 finished(20), certificate_url(21), certificate_status(22),
3954 (255)
3955 } HandshakeType;
3957 struct {
3958 HandshakeType msg_type;
3959 uint24 length;
3960 select (HandshakeType) {
3961 case hello_request: HelloRequest;
3962 case client_hello: ClientHello;
3963 case server_hello: ServerHello;
3964 case certificate: Certificate;
3965 case server_key_exchange: ServerKeyExchange;
3966 case certificate_request: CertificateRequest;
3967 case server_hello_done: ServerHelloDone;
3968 case certificate_verify: CertificateVerify;
3969 case client_key_exchange: ClientKeyExchange;
3970 case finished: Finished;
3971 case certificate_url: CertificateURL;
3972 case certificate_status: CertificateStatus;
3973 } body;
3974 } Handshake;
3976 A.4.1. Hello messages
3978 struct { } HelloRequest;
3980 struct {
3981 uint32 gmt_unix_time;
3982 opaque random_bytes[28];
3983 } Random;
3985 opaque SessionID<0..32>;
3987 uint8 CipherSuite[2];
3989 enum { null(0), (255) } CompressionMethod;
3991 struct {
3992 ProtocolVersion client_version;
3993 Random random;
3997 Dierks & Rescorla Standards Track [Page 74]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4000 SessionID session_id;
4001 CipherSuite cipher_suites<2..2^16-1>;
4002 CompressionMethod compression_methods<1..2^8-1>;
4003 Extension client_hello_extension_list<0..2^16-1>;
4004 } ClientHello;
4006 struct {
4007 ProtocolVersion client_version;
4008 Random random;
4009 SessionID session_id;
4010 CipherSuite cipher_suites<2..2^16-1>;
4011 CompressionMethod compression_methods<1..2^8-1>;
4012 Extension client_hello_extension_list<0..2^16-1>;
4013 } ExtendedClientHello;
4015 struct {
4016 ProtocolVersion server_version;
4017 Random random;
4018 SessionID session_id;
4019 CipherSuite cipher_suite;
4020 CompressionMethod compression_method;
4021 } ServerHello;
4023 struct {
4024 ProtocolVersion server_version;
4025 Random random;
4026 SessionID session_id;
4027 CipherSuite cipher_suite;
4028 CompressionMethod compression_method;
4029 Extension server_hello_extension_list<0..2^16-1>;
4030 } ExtendedServerHello;
4032 struct {
4033 ExtensionType extension_type;
4034 opaque extension_data<0..2^16-1>;
4035 } Extension;
4037 enum {
4038 server_name(0), max_fragment_length(1),
4039 client_certificate_url(2), trusted_ca_keys(3),
4040 truncated_hmac(4), status_request(5),
4041 cert_hash_types(6), (65535)
4042 } ExtensionType;
4044 struct {
4045 NameType name_type;
4046 select (name_type) {
4047 case host_name: HostName;
4051 Dierks & Rescorla Standards Track [Page 75]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4054 } name;
4055 } ServerName;
4057 enum {
4058 host_name(0), (255)
4059 } NameType;
4061 opaque HostName<1..2^16-1>;
4063 struct {
4064 ServerName server_name_list<1..2^16-1>
4065 } ServerNameList;
4067 enum{
4068 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
4069 } MaxFragmentLength;
4071 struct {
4072 TrustedAuthority trusted_authorities_list<0..2^16-1>;
4073 } TrustedAuthorities;
4075 struct {
4076 IdentifierType identifier_type;
4077 select (identifier_type) {
4078 case pre_agreed: struct {};
4079 case key_sha1_hash: SHA1Hash;
4080 case x509_name: DistinguishedName;
4081 case cert_sha1_hash: SHA1Hash;
4082 } identifier;
4083 } TrustedAuthority;
4085 enum {
4086 pre_agreed(0), key_sha1_hash(1), x509_name(2),
4087 cert_sha1_hash(3), (255)
4088 } IdentifierType;
4090 struct {
4091 CertificateStatusType status_type;
4092 select (status_type) {
4093 case ocsp: OCSPStatusRequest;
4094 } request;
4095 } CertificateStatusRequest;
4097 enum { ocsp(1), (255) } CertificateStatusType;
4099 struct {
4100 ResponderID responder_id_list<0..2^16-1>;
4101 Extensions request_extensions;
4105 Dierks & Rescorla Standards Track [Page 76]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4108 } OCSPStatusRequest;
4110 opaque ResponderID<1..2^16-1>;
4111 A.4.2. Server authentication and key exchange messages
4113 opaque ASN.1Cert<2^24-1>;
4115 struct {
4116 ASN.1Cert certificate_list<0..2^24-1>;
4117 } Certificate;
4119 struct {
4120 CertificateStatusType status_type;
4121 select (status_type) {
4122 case ocsp: OCSPResponse;
4123 } response;
4124 } CertificateStatus;
4126 opaque OCSPResponse<1..2^24-1>;
4128 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
4130 struct {
4131 opaque rsa_modulus<1..2^16-1>;
4132 opaque rsa_exponent<1..2^16-1>;
4133 } ServerRSAParams;
4135 struct {
4136 opaque dh_p<1..2^16-1>;
4137 opaque dh_g<1..2^16-1>;
4138 opaque dh_Ys<1..2^16-1>;
4139 } ServerDHParams;
4141 struct {
4142 select (KeyExchangeAlgorithm) {
4143 case diffie_hellman:
4144 ServerDHParams params;
4145 Signature signed_params;
4146 case rsa:
4147 ServerRSAParams params;
4148 Signature signed_params;
4149 };
4150 } ServerKeyExchange;
4152 enum { anonymous, rsa, dsa } SignatureAlgorithm;
4154 struct {
4155 select (KeyExchangeAlgorithm) {
4159 Dierks & Rescorla Standards Track [Page 77]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4162 case diffie_hellman:
4163 ServerDHParams params;
4164 case rsa:
4165 ServerRSAParams params;
4166 };
4167 } ServerParams;
4169 struct {
4170 select (SignatureAlgorithm) {
4171 case anonymous: struct { };
4172 case rsa:
4173 digitally-signed struct {
4174 opaque hash[Hash.length];
4175 };
4176 case dsa:
4177 digitally-signed struct {
4178 opaque sha_hash[20];
4179 };
4180 };
4181 };
4182 } Signature;
4184 enum {
4185 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
4186 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
4187 fortezza_dms_RESERVED(20),
4188 (255)
4189 } ClientCertificateType;
4191 opaque DistinguishedName<1..2^16-1>;
4193 struct {
4194 ClientCertificateType certificate_types<1..2^8-1>;
4195 DistinguishedName certificate_authorities<0..2^16-1>;
4196 } CertificateRequest;
4198 struct { } ServerHelloDone;
4200 A.4.3. Client authentication and key exchange messages
4202 struct {
4203 select (KeyExchangeAlgorithm) {
4204 case rsa: EncryptedPreMasterSecret;
4205 case diffie_hellman: ClientDiffieHellmanPublic;
4206 } exchange_keys;
4207 } ClientKeyExchange;
4209 struct {
4213 Dierks & Rescorla Standards Track [Page 78]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4216 ProtocolVersion client_version;
4217 opaque random[46];
4218 } PreMasterSecret;
4220 struct {
4221 public-key-encrypted PreMasterSecret pre_master_secret;
4222 } EncryptedPreMasterSecret;
4224 enum { implicit, explicit } PublicValueEncoding;
4226 struct {
4227 select (PublicValueEncoding) {
4228 case implicit: struct {};
4229 case explicit: opaque DH_Yc<1..2^16-1>;
4230 } dh_public;
4231 } ClientDiffieHellmanPublic;
4233 enum {
4234 individual_certs(0), pkipath(1), (255)
4235 } CertChainType;
4237 enum {
4238 false(0), true(1)
4239 } Boolean;
4241 struct {
4242 CertChainType type;
4243 URLAndOptionalHash url_and_hash_list<1..2^16-1>;
4244 } CertificateURL;
4246 struct {
4247 opaque url<1..2^16-1>;
4248 Boolean hash_present;
4249 select (hash_present) {
4250 case false: struct {};
4251 case true: SHA1Hash;
4252 } hash;
4253 } URLAndOptionalHash;
4255 opaque SHA1Hash[20];
4257 struct {
4258 Signature signature;
4259 } CertificateVerify;
4261 A.4.4. Handshake finalization message
4263 struct {
4267 Dierks & Rescorla Standards Track [Page 79]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4270 opaque verify_data[12];
4271 } Finished;
4273 A.5. The CipherSuite
4275 The following values define the CipherSuite codes used in the client
4276 hello and server hello messages.
4278 A CipherSuite defines a cipher specification supported in TLS Version
4279 1.1.
4281 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
4282 TLS connection during the first handshake on that channel, but must
4283 not be negotiated, as it provides no more protection than an
4284 unsecured connection.
4286 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
4288 The following CipherSuite definitions require that the server provide
4289 an RSA certificate that can be used for key exchange. The server may
4290 request either an RSA or a DSS signature-capable certificate in the
4291 certificate request message.
4293 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
4294 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
4295 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
4296 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
4297 CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
4298 CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
4299 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
4300 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
4301 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };
4302 The following CipherSuite definitions are used for server-
4303 authenticated (and optionally client-authenticated) Diffie-Hellman.
4304 DH denotes cipher suites in which the server's certificate contains
4305 the Diffie-Hellman parameters signed by the certificate authority
4306 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman
4307 parameters are signed by a DSS or RSA certificate, which has been
4308 signed by the CA. The signing algorithm used is specified after the
4309 DH or DHE parameter. The server can request an RSA or DSS signature-
4310 capable certificate from the client for client authentication or it
4311 may request a Diffie-Hellman certificate. Any Diffie-Hellman
4312 certificate provided by the client must use the parameters (group and
4313 generator) described by the server.
4315 CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
4316 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
4317 CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
4321 Dierks & Rescorla Standards Track [Page 80]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4324 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
4325 CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
4326 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
4327 CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
4328 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
4329 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
4330 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
4331 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
4332 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
4333 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
4334 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };
4335 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };
4336 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };
4337 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };
4338 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
4340 The following cipher suites are used for completely anonymous Diffie-
4341 Hellman communications in which neither party is authenticated. Note
4342 that this mode is vulnerable to man-in-the-middle attacks and is
4343 therefore deprecated.
4345 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
4346 CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
4347 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
4349 When SSLv3 and TLS 1.0 were designed, the United States restricted
4350 the export of cryptographic software containing certain strong
4351 encryption algorithms. A series of cipher suites were designed to
4352 operate at reduced key lengths in order to comply with those
4353 regulations. Due to advances in computer performance, these
4354 algorithms are now unacceptably weak and export restrictions have
4355 since been loosened. TLS 1.1 implementations MUST NOT negotiate these
4356 cipher suites in TLS 1.1 mode. However, for backward compatibility
4357 they may be offered in the ClientHello for use with TLS 1.0 or SSLv3
4358 only servers. TLS 1.1 clients MUST check that the server did not
4359 choose one of these cipher suites during the handshake. These
4360 ciphersuites are listed below for informational purposes and to
4361 reserve the numbers.
4363 CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
4364 CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
4365 CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
4366 CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
4367 CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
4368 CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
4369 CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
4370 CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
4371 CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
4375 Dierks & Rescorla Standards Track [Page 81]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4378 The following cipher suites were defined in [TLSKRB] and are included
4379 here for completeness. See [TLSKRB] for details:
4381 CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E };
4382 CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
4383 CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 };
4384 CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
4385 CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 };
4386 CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
4387 CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 };
4388 CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
4390 The following exportable cipher suites were defined in [TLSKRB] and
4391 are included here for completeness. TLS 1.1 implementations MUST NOT
4392 negotiate these cipher suites.
4394 CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26
4395 };
4396 CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27
4397 };
4398 CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28
4399 };
4400 CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29
4401 };
4402 CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A
4403 };
4404 CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B
4405 };
4408 The cipher suite space is divided into three regions:
4410 1. Cipher suite values with first byte 0x00 (zero)
4411 through decimal 191 (0xBF) inclusive are reserved for the IETF
4412 Standards Track protocols.
4414 2. Cipher suite values with first byte decimal 192 (0xC0)
4415 through decimal 254 (0xFE) inclusive are reserved
4416 for assignment for non-Standards Track methods.
4418 3. Cipher suite values with first byte 0xFF are
4419 reserved for private use.
4420 Additional information describing the role of IANA in the allocation
4421 of cipher suite code points is described in Section 11.
4423 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
4424 reserved to avoid collision with Fortezza-based cipher suites in SSL
4425 3.
4429 Dierks & Rescorla Standards Track [Page 82]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4432 A.6. The Security Parameters
4434 These security parameters are determined by the TLS Handshake
4435 Protocol and provided as parameters to the TLS Record Layer in order
4436 to initialize a connection state. SecurityParameters includes:
4438 enum { null(0), (255) } CompressionMethod;
4440 enum { server, client } ConnectionEnd;
4442 enum { null, rc4, rc2, des, 3des, des40, aes, idea }
4443 BulkCipherAlgorithm;
4445 enum { stream, block } CipherType;
4447 enum { null, md5, sha } MACAlgorithm;
4449 /* The algorithms specified in CompressionMethod,
4450 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
4452 struct {
4453 ConnectionEnd entity;
4454 BulkCipherAlgorithm bulk_cipher_algorithm;
4455 CipherType cipher_type;
4456 uint8 key_size;
4457 uint8 key_material_length;
4458 MACAlgorithm mac_algorithm;
4459 uint8 hash_size;
4460 CompressionMethod compression_algorithm;
4461 opaque master_secret[48];
4462 opaque client_random[32];
4463 opaque server_random[32];
4464 } SecurityParameters;
4483 Dierks & Rescorla Standards Track [Page 83]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4486 B. Glossary
4488 Advanced Encryption Standard (AES)
4489 AES is a widely used symmetric encryption algorithm.
4490 AES is
4491 a block cipher with a 128, 192, or 256 bit keys and a 16 byte
4492 block size. [AES] TLS currently only supports the 128 and 256
4493 bit key sizes.
4495 application protocol
4496 An application protocol is a protocol that normally layers
4497 directly on top of the transport layer (e.g., TCP/IP). Examples
4498 include HTTP, TELNET, FTP, and SMTP.
4500 asymmetric cipher
4501 See public key cryptography.
4503 authentication
4504 Authentication is the ability of one entity to determine the
4505 identity of another entity.
4507 block cipher
4508 A block cipher is an algorithm that operates on plaintext in
4509 groups of bits, called blocks. 64 bits is a common block size.
4511 bulk cipher
4512 A symmetric encryption algorithm used to encrypt large quantities
4513 of data.
4515 cipher block chaining (CBC)
4516 CBC is a mode in which every plaintext block encrypted with a
4517 block cipher is first exclusive-ORed with the previous ciphertext
4518 block (or, in the case of the first block, with the
4519 initialization vector). For decryption, every block is first
4520 decrypted, then exclusive-ORed with the previous ciphertext block
4521 (or IV).
4523 certificate
4524 As part of the X.509 protocol (a.k.a. ISO Authentication
4525 framework), certificates are assigned by a trusted Certificate
4526 Authority and provide a strong binding between a party's identity
4527 or some other attributes and its public key.
4529 client
4530 The application entity that initiates a TLS connection to a
4531 server. This may or may not imply that the client initiated the
4532 underlying transport connection. The primary operational
4533 difference between the server and client is that the server is
4537 Dierks & Rescorla Standards Track [Page 84]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4540 generally authenticated, while the client is only optionally
4541 authenticated.
4543 client write key
4544 The key used to encrypt data written by the client.
4546 client write MAC secret
4547 The secret data used to authenticate data written by the client.
4549 connection
4550 A connection is a transport (in the OSI layering model
4551 definition) that provides a suitable type of service. For TLS,
4552 such connections are peer to peer relationships. The connections
4553 are transient. Every connection is associated with one session.
4555 Data Encryption Standard
4556 DES is a very widely used symmetric encryption algorithm. DES is
4557 a block cipher with a 56 bit key and an 8 byte block size. Note
4558 that in TLS, for key generation purposes, DES is treated as
4559 having an 8 byte key length (64 bits), but it still only provides
4560 56 bits of protection. (The low bit of each key byte is presumed
4561 to be set to produce odd parity in that key byte.) DES can also
4562 be operated in a mode where three independent keys and three
4563 encryptions are used for each block of data; this uses 168 bits
4564 of key (24 bytes in the TLS key generation method) and provides
4565 the equivalent of 112 bits of security. [DES], [3DES]
4567 Digital Signature Standard (DSS)
4568 A standard for digital signing, including the Digital Signing
4569 Algorithm, approved by the National Institute of Standards and
4570 Technology, defined in NIST FIPS PUB 186, "Digital Signature
4571 Standard," published May, 1994 by the U.S. Dept. of Commerce.
4572 [DSS]
4574 digital signatures
4575 Digital signatures utilize public key cryptography and one-way
4576 hash functions to produce a signature of the data that can be
4577 authenticated, and is difficult to forge or repudiate.
4579 handshake
4580 An initial negotiation between client and server that establishes
4581 the parameters of their transactions.
4583 Initialization Vector (IV)
4584 When a block cipher is used in CBC mode, the initialization
4585 vector is exclusive-ORed with the first plaintext block prior to
4586 encryption.
4591 Dierks & Rescorla Standards Track [Page 85]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4594 IDEA
4595 A 64-bit block cipher designed by Xuejia Lai and James Massey.
4596 [IDEA]
4598 Message Authentication Code (MAC)
4599 A Message Authentication Code is a one-way hash computed from a
4600 message and some secret data. It is difficult to forge without
4601 knowing the secret data. Its purpose is to detect if the message
4602 has been altered.
4604 master secret
4605 Secure secret data used for generating encryption keys, MAC
4606 secrets, and IVs.
4608 MD5
4609 MD5 is a secure hashing function that converts an arbitrarily
4610 long data stream into a digest of fixed size (16 bytes). [MD5]
4612 public key cryptography
4613 A class of cryptographic techniques employing two-key ciphers.
4614 Messages encrypted with the public key can only be decrypted with
4615 the associated private key. Conversely, messages signed with the
4616 private key can be verified with the public key.
4618 one-way hash function
4619 A one-way transformation that converts an arbitrary amount of
4620 data into a fixed-length hash. It is computationally hard to
4621 reverse the transformation or to find collisions. MD5 and SHA are
4622 examples of one-way hash functions.
4624 RC2
4625 A block cipher developed by Ron Rivest at RSA Data Security, Inc.
4626 [RSADSI] described in [RC2].
4628 RC4
4629 A stream cipher invented by Ron Rivest. A compatible cipher is
4630 described in [SCH].
4632 RSA
4633 A very widely used public-key algorithm that can be used for
4634 either encryption or digital signing. [RSA]
4636 server
4637 The server is the application entity that responds to requests
4638 for connections from clients. See also under client.
4645 Dierks & Rescorla Standards Track [Page 86]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4648 session
4649 A TLS session is an association between a client and a server.
4650 Sessions are created by the handshake protocol. Sessions define a
4651 set of cryptographic security parameters, which can be shared
4652 among multiple connections. Sessions are used to avoid the
4653 expensive negotiation of new security parameters for each
4654 connection.
4656 session identifier
4657 A session identifier is a value generated by a server that
4658 identifies a particular session.
4660 server write key
4661 The key used to encrypt data written by the server.
4663 server write MAC secret
4664 The secret data used to authenticate data written by the server.
4666 SHA
4667 The Secure Hash Algorithm is defined in FIPS PUB 180-2. It
4668 produces a 20-byte output. Note that all references to SHA
4669 actually use the modified SHA-1 algorithm. [SHA]
4671 SSL
4672 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
4673 SSL Version 3.0
4675 stream cipher
4676 An encryption algorithm that converts a key into a
4677 cryptographically-strong keystream, which is then exclusive-ORed
4678 with the plaintext.
4680 symmetric cipher
4681 See bulk cipher.
4683 Transport Layer Security (TLS)
4684 This protocol; also, the Transport Layer Security working group
4685 of the Internet Engineering Task Force (IETF). See "Comments" at
4686 the end of this document.
4699 Dierks & Rescorla Standards Track [Page 87]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4702 C. CipherSuite definitions
4704 CipherSuite Key Cipher Hash
4705 Exchange
4707 TLS_NULL_WITH_NULL_NULL NULL NULL NULL
4708 TLS_RSA_WITH_NULL_MD5 RSA NULL MD5
4709 TLS_RSA_WITH_NULL_SHA RSA NULL SHA
4710 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
4711 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
4712 TLS_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA
4713 TLS_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA
4714 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
4715 TLS_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA
4716 TLS_RSA_WITH_AES_256_SHA RSA AES_256_CBC SHA
4717 TLS_DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA
4718 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
4719 TLS_DH_RSA_WITH_DES_CBC_SHA DH_RSA DES_CBC SHA
4720 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
4721 TLS_DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA
4722 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
4723 TLS_DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA
4724 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
4725 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
4726 TLS_DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA
4727 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
4728 TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA
4729 TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA
4730 TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA
4731 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA
4732 TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA
4733 TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA
4734 TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA
4735 TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA
4736 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA
4737 TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA
4739 Key
4740 Exchange
4741 Algorithm Description Key size limit
4743 DHE_DSS Ephemeral DH with DSS signatures None
4744 DHE_RSA Ephemeral DH with RSA signatures None
4745 DH_anon Anonymous DH, no signatures None
4746 DH_DSS DH with DSS-based certificates None
4747 DH_RSA DH with RSA-based certificates None
4748 RSA = none
4749 NULL No key exchange N/A
4753 Dierks & Rescorla Standards Track [Page 88]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4756 RSA RSA key exchange None
4758 Key Expanded IV Block
4759 Cipher Type Material Key Material Size Size
4761 NULL Stream 0 0 0 N/A
4762 IDEA_CBC Block 16 16 8 8
4763 RC2_CBC_40 Block 5 16 8 8
4764 RC4_40 Stream 5 16 0 N/A
4765 RC4_128 Stream 16 16 0 N/A
4766 DES40_CBC Block 5 8 8 8
4767 DES_CBC Block 8 8 8 8
4768 3DES_EDE_CBC Block 24 24 8 8
4770 Type
4771 Indicates whether this is a stream cipher or a block cipher
4772 running in CBC mode.
4774 Key Material
4775 The number of bytes from the key_block that are used for
4776 generating the write keys.
4778 Expanded Key Material
4779 The number of bytes actually fed into the encryption algorithm
4781 IV Size
4782 How much data needs to be generated for the initialization
4783 vector. Zero for stream ciphers; equal to the block size for
4784 block ciphers.
4786 Block Size
4787 The amount of data a block cipher enciphers in one chunk; a
4788 block cipher running in CBC mode can only encrypt an even
4789 multiple of its block size.
4791 Hash Hash Padding
4792 function Size Size
4793 NULL 0 0
4794 MD5 16 48
4795 SHA 20 40
4807 Dierks & Rescorla Standards Track [Page 89]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4810 D. Implementation Notes
4812 The TLS protocol cannot prevent many common security mistakes. This
4813 section provides several recommendations to assist implementors.
4815 D.1 Random Number Generation and Seeding
4817 TLS requires a cryptographically-secure pseudorandom number generator
4818 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
4819 based on secure hash operations, most notably MD5 and/or SHA, are
4820 acceptable, but cannot provide more security than the size of the
4821 random number generator state. (For example, MD5-based PRNGs usually
4822 provide 128 bits of state.)
4824 To estimate the amount of seed material being produced, add the
4825 number of bits of unpredictable information in each seed byte. For
4826 example, keystroke timing values taken from a PC compatible's 18.2 Hz
4827 timer provide 1 or 2 secure bits each, even though the total size of
4828 the counter value is 16 bits or more. To seed a 128-bit PRNG, one
4829 would thus require approximately 100 such timer values.
4831 [RANDOM] provides guidance on the generation of random values.
4833 D.2 Certificates and authentication
4835 Implementations are responsible for verifying the integrity of
4836 certificates and should generally support certificate revocation
4837 messages. Certificates should always be verified to ensure proper
4838 signing by a trusted Certificate Authority (CA). The selection and
4839 addition of trusted CAs should be done very carefully. Users should
4840 be able to view information about the certificate and root CA.
4842 D.3 CipherSuites
4844 TLS supports a range of key sizes and security levels, including some
4845 which provide no or minimal security. A proper implementation will
4846 probably not support many cipher suites. For example, 40-bit
4847 encryption is easily broken, so implementations requiring strong
4848 security should not allow 40-bit keys. Similarly, anonymous Diffie-
4849 Hellman is strongly discouraged because it cannot prevent man-in-the-
4850 middle attacks. Applications should also enforce minimum and maximum
4851 key sizes. For example, certificate chains containing 512-bit RSA
4852 keys or signatures are not appropriate for high-security
4853 applications.
4861 Dierks & Rescorla Standards Track [Page 90]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4864 E. Backward Compatibility
4866 For historical reasons and in order to avoid a profligate consumption
4867 of reserved port numbers, application protocols which are secured by
4868 TLS, SSL 3.0, and SSL 2.0 all frequently share the same connection
4869 port: for example, the https protocol (HTTP secured by SSL or TLS)
4870 uses port 443 regardless of which security protocol it is using.
4871 Thus, some mechanism must be determined to distinguish and negotiate
4872 among the various protocols.
4874 TLS versions 1.2, 1.1, 1.0, and SSL 3.0 are very similar; thus,
4875 supporting them all at the same time is relatively easy. TLS clients
4876 who wish to negotiate with such older servers SHOULD send client
4877 hello messages using the SSL 3.0 record format and client hello
4878 structure, sending {3, 3} for the client version field to note that
4879 they support TLS 1.2 and {3, 0} for the record version field (because
4880 the SSLv3 record format is being used--although the cleartext record
4881 format is the same for all versions). If the server supports only a
4882 downrev version it will respond with a downrev 3.0 server hello; if
4883 it supports TLS 1.2 it will respond with a TLS 1.2 server hello. The
4884 negotiation then proceeds as appropriate for the negotiated protocol.
4886 Similarly, a TLS 1.2 server which wishes to interoperate with
4887 downrev clients SHOULD accept downrev client hello messages and
4888 respond with appropriate version fields. Note that the version in the
4889 server hello message and in the record header are the same.
4891 Whenever a client already knows the highest protocol known to a
4892 server (for example, when resuming a session), it SHOULD initiate the
4893 connection in that native protocol.
4895 TLS 1.1 clients that support SSL Version 2.0 servers MUST send SSL
4896 Version 2.0 client hello messages [SSL2]. TLS servers SHOULD accept
4897 either client hello format if they wish to support SSL 2.0 clients on
4898 the same connection port. The only deviations from the Version 2.0
4899 specification are the ability to specify a version with a value of
4900 three and the support for more ciphering types in the CipherSpec.
4902 Warning: The ability to send Version 2.0 client hello messages will be
4903 phased out with all due haste. Implementors SHOULD make every
4904 effort to move forward as quickly as possible. Version 3.0
4905 provides better mechanisms for moving to newer versions.
4907 The following cipher specifications are carryovers from SSL Version
4908 2.0. These are assumed to use RSA for key exchange and
4909 authentication.
4911 V2CipherSpec TLS_RC4_128_WITH_MD5 = { 0x01,0x00,0x80 };
4915 Dierks & Rescorla Standards Track [Page 91]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4918 V2CipherSpec TLS_RC4_128_EXPORT40_WITH_MD5 = { 0x02,0x00,0x80 };
4919 V2CipherSpec TLS_RC2_CBC_128_CBC_WITH_MD5 = { 0x03,0x00,0x80 };
4920 V2CipherSpec TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5
4921 = { 0x04,0x00,0x80 };
4922 V2CipherSpec TLS_IDEA_128_CBC_WITH_MD5 = { 0x05,0x00,0x80 };
4923 V2CipherSpec TLS_DES_64_CBC_WITH_MD5 = { 0x06,0x00,0x40 };
4924 V2CipherSpec TLS_DES_192_EDE3_CBC_WITH_MD5 = { 0x07,0x00,0xC0 };
4926 Cipher specifications native to TLS can be included in Version 2.0
4927 client hello messages using the syntax below. Any V2CipherSpec
4928 element with its first byte equal to zero will be ignored by Version
4929 2.0 servers. Clients sending any of the above V2CipherSpecs SHOULD
4930 also include the TLS equivalent (see Appendix A.5):
4932 V2CipherSpec (see TLS name) = { 0x00, CipherSuite };
4934 Note: TLS 1.2 clients may generate the SSLv2 EXPORT cipher suites in
4935 handshakes for backward compatibility but MUST NOT negotiate them in
4936 TLS 1.2 mode.
4938 E.1. Version 2 client hello
4940 The Version 2.0 client hello message is presented below using this
4941 document's presentation model. The true definition is still assumed
4942 to be the SSL Version 2.0 specification. Note that this message MUST
4943 be sent directly on the wire, not wrapped as an SSLv3 record
4945 uint8 V2CipherSpec[3];
4947 struct {
4948 uint16 msg_length;
4949 uint8 msg_type;
4950 Version version;
4951 uint16 cipher_spec_length;
4952 uint16 session_id_length;
4953 uint16 challenge_length;
4954 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
4955 opaque session_id[V2ClientHello.session_id_length];
4956 opaque challenge[V2ClientHello.challenge_length;
4957 } V2ClientHello;
4959 msg_length
4960 This field is the length of the following data in bytes. The high
4961 bit MUST be 1 and is not part of the length.
4963 msg_type
4964 This field, in conjunction with the version field, identifies a
4965 version 2 client hello message. The value SHOULD be one (1).
4969 Dierks & Rescorla Standards Track [Page 92]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
4972 version
4973 The highest version of the protocol supported by the client
4974 (equals ProtocolVersion.version, see Appendix A.1).
4976 cipher_spec_length
4977 This field is the total length of the field cipher_specs. It
4978 cannot be zero and MUST be a multiple of the V2CipherSpec length
4979 (3).
4981 session_id_length
4982 This field MUST have a value of zero.
4984 challenge_length
4985 The length in bytes of the client's challenge to the server to
4986 authenticate itself. When using the SSLv2 backward compatible
4987 handshake the client MUST use a 32-byte challenge.
4989 cipher_specs
4990 This is a list of all CipherSpecs the client is willing and able
4991 to use. There MUST be at least one CipherSpec acceptable to the
4992 server.
4994 session_id
4995 This field MUST be empty.
4997 challenge
4998 The client challenge to the server for the server to identify
4999 itself is a (nearly) arbitrary length random. The TLS server will
5000 right justify the challenge data to become the ClientHello.random
5001 data (padded with leading zeroes, if necessary), as specified in
5002 this protocol specification. If the length of the challenge is
5003 greater than 32 bytes, only the last 32 bytes are used. It is
5004 legitimate (but not necessary) for a V3 server to reject a V2
5005 ClientHello that has fewer than 16 bytes of challenge data.
5007 Note: Requests to resume a TLS session MUST use a TLS client hello.
5009 E.2. Avoiding man-in-the-middle version rollback
5011 When TLS clients fall back to Version 2.0 compatibility mode, they
5012 SHOULD use special PKCS #1 block formatting. This is done so that TLS
5013 servers will reject Version 2.0 sessions with TLS-capable clients.
5015 When TLS clients are in Version 2.0 compatibility mode, they set the
5016 right-hand (least-significant) 8 random bytes of the PKCS padding
5017 (not including the terminal null of the padding) for the RSA
5018 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
5019 to 0x03 (the other padding bytes are random). After decrypting the
5023 Dierks & Rescorla Standards Track [Page 93]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5026 ENCRYPTED-KEY-DATA field, servers that support TLS SHOULD issue an
5027 error if these eight padding bytes are 0x03. Version 2.0 servers
5028 receiving blocks padded in this manner will proceed normally.
5077 Dierks & Rescorla Standards Track [Page 94]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5080 F. Security analysis
5082 The TLS protocol is designed to establish a secure connection between
5083 a client and a server communicating over an insecure channel. This
5084 document makes several traditional assumptions, including that
5085 attackers have substantial computational resources and cannot obtain
5086 secret information from sources outside the protocol. Attackers are
5087 assumed to have the ability to capture, modify, delete, replay, and
5088 otherwise tamper with messages sent over the communication channel.
5089 This appendix outlines how TLS has been designed to resist a variety
5090 of attacks.
5092 F.1. Handshake protocol
5094 The handshake protocol is responsible for selecting a CipherSpec and
5095 generating a Master Secret, which together comprise the primary
5096 cryptographic parameters associated with a secure session. The
5097 handshake protocol can also optionally authenticate parties who have
5098 certificates signed by a trusted certificate authority.
5100 F.1.1. Authentication and key exchange
5102 TLS supports three authentication modes: authentication of both
5103 parties, server authentication with an unauthenticated client, and
5104 total anonymity. Whenever the server is authenticated, the channel is
5105 secure against man-in-the-middle attacks, but completely anonymous
5106 sessions are inherently vulnerable to such attacks. Anonymous
5107 servers cannot authenticate clients. If the server is authenticated,
5108 its certificate message must provide a valid certificate chain
5109 leading to an acceptable certificate authority. Similarly,
5110 authenticated clients must supply an acceptable certificate to the
5111 server. Each party is responsible for verifying that the other's
5112 certificate is valid and has not expired or been revoked.
5114 The general goal of the key exchange process is to create a
5115 pre_master_secret known to the communicating parties and not to
5116 attackers. The pre_master_secret will be used to generate the
5117 master_secret (see Section 8.1). The master_secret is required to
5118 generate the finished messages, encryption keys, and MAC secrets (see
5119 Sections 7.4.10, 7.4.11 and 6.3). By sending a correct finished
5120 message, parties thus prove that they know the correct
5121 pre_master_secret.
5123 F.1.1.1. Anonymous key exchange
5125 Completely anonymous sessions can be established using RSA or Diffie-
5126 Hellman for key exchange. With anonymous RSA, the client encrypts a
5127 pre_master_secret with the server's uncertified public key extracted
5131 Dierks & Rescorla Standards Track [Page 95]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5134 from the server key exchange message. The result is sent in a client
5135 key exchange message. Since eavesdroppers do not know the server's
5136 private key, it will be infeasible for them to decode the
5137 pre_master_secret.
5139 Note: No anonymous RSA Cipher Suites are defined in this document.
5141 With Diffie-Hellman, the server's public parameters are contained in
5142 the server key exchange message and the client's are sent in the
5143 client key exchange message. Eavesdroppers who do not know the
5144 private values should not be able to find the Diffie-Hellman result
5145 (i.e. the pre_master_secret).
5147 Warning: Completely anonymous connections only provide protection
5148 against passive eavesdropping. Unless an independent tamper-
5149 proof channel is used to verify that the finished messages
5150 were not replaced by an attacker, server authentication is
5151 required in environments where active man-in-the-middle
5152 attacks are a concern.
5154 F.1.1.2. RSA key exchange and authentication
5156 With RSA, key exchange and server authentication are combined. The
5157 public key may be either contained in the server's certificate or may
5158 be a temporary RSA key sent in a server key exchange message. When
5159 temporary RSA keys are used, they are signed by the server's RSA
5160 certificate. The signature includes the current ClientHello.random,
5161 so old signatures and temporary keys cannot be replayed. Servers may
5162 use a single temporary RSA key for multiple negotiation sessions.
5164 Note: The temporary RSA key option is useful if servers need large
5165 certificates but must comply with government-imposed size limits
5166 on keys used for key exchange.
5168 Note that if ephemeral RSA is not used, compromise of the server's
5169 static RSA key results in a loss of confidentiality for all sessions
5170 protected under that static key. TLS users desiring Perfect Forward
5171 Secrecy should use DHE cipher suites. The damage done by exposure of
5172 a private key can be limited by changing one's private key (and
5173 certificate) frequently.
5175 After verifying the server's certificate, the client encrypts a
5176 pre_master_secret with the server's public key. By successfully
5177 decoding the pre_master_secret and producing a correct finished
5178 message, the server demonstrates that it knows the private key
5179 corresponding to the server certificate.
5181 When RSA is used for key exchange, clients are authenticated using
5185 Dierks & Rescorla Standards Track [Page 96]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5188 the certificate verify message (see Section 7.4.10). The client signs
5189 a value derived from the master_secret and all preceding handshake
5190 messages. These handshake messages include the server certificate,
5191 which binds the signature to the server, and ServerHello.random,
5192 which binds the signature to the current handshake process.
5194 F.1.1.3. Diffie-Hellman key exchange with authentication
5196 When Diffie-Hellman key exchange is used, the server can either
5197 supply a certificate containing fixed Diffie-Hellman parameters or
5198 can use the server key exchange message to send a set of temporary
5199 Diffie-Hellman parameters signed with a DSS or RSA certificate.
5200 Temporary parameters are hashed with the hello.random values before
5201 signing to ensure that attackers do not replay old parameters. In
5202 either case, the client can verify the certificate or signature to
5203 ensure that the parameters belong to the server.
5205 If the client has a certificate containing fixed Diffie-Hellman
5206 parameters, its certificate contains the information required to
5207 complete the key exchange. Note that in this case the client and
5208 server will generate the same Diffie-Hellman result (i.e.,
5209 pre_master_secret) every time they communicate. To prevent the
5210 pre_master_secret from staying in memory any longer than necessary,
5211 it should be converted into the master_secret as soon as possible.
5212 Client Diffie-Hellman parameters must be compatible with those
5213 supplied by the server for the key exchange to work.
5215 If the client has a standard DSS or RSA certificate or is
5216 unauthenticated, it sends a set of temporary parameters to the server
5217 in the client key exchange message, then optionally uses a
5218 certificate verify message to authenticate itself.
5220 If the same DH keypair is to be used for multiple handshakes, either
5221 because the client or server has a certificate containing a fixed DH
5222 keypair or because the server is reusing DH keys, care must be taken
5223 to prevent small subgroup attacks. Implementations SHOULD follow the
5224 guidelines found in [SUBGROUP].
5226 Small subgroup attacks are most easily avoided by using one of the
5227 DHE ciphersuites and generating a fresh DH private key (X) for each
5228 handshake. If a suitable base (such as 2) is chosen, g^X mod p can be
5229 computed very quickly so the performance cost is minimized.
5230 Additionally, using a fresh key for each handshake provides Perfect
5231 Forward Secrecy. Implementations SHOULD generate a new X for each
5232 handshake when using DHE ciphersuites.
5234 F.1.2. Version rollback attacks
5239 Dierks & Rescorla Standards Track [Page 97]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5242 Because TLS includes substantial improvements over SSL Version 2.0,
5243 attackers may try to make TLS-capable clients and servers fall back
5244 to Version 2.0. This attack can occur if (and only if) two TLS-
5245 capable parties use an SSL 2.0 handshake.
5247 Although the solution using non-random PKCS #1 block type 2 message
5248 padding is inelegant, it provides a reasonably secure way for Version
5249 3.0 servers to detect the attack. This solution is not secure against
5250 attackers who can brute force the key and substitute a new ENCRYPTED-
5251 KEY-DATA message containing the same key (but with normal padding)
5252 before the application specified wait threshold has expired. Parties
5253 concerned about attacks of this scale should not be using 40-bit
5254 encryption keys anyway. Altering the padding of the least-significant
5255 8 bytes of the PKCS padding does not impact security for the size of
5256 the signed hashes and RSA key lengths used in the protocol, since
5257 this is essentially equivalent to increasing the input block size by
5258 8 bytes.
5260 F.1.3. Detecting attacks against the handshake protocol
5262 An attacker might try to influence the handshake exchange to make the
5263 parties select different encryption algorithms than they would
5264 normally chooses.
5266 For this attack, an attacker must actively change one or more
5267 handshake messages. If this occurs, the client and server will
5268 compute different values for the handshake message hashes. As a
5269 result, the parties will not accept each others' finished messages.
5270 Without the master_secret, the attacker cannot repair the finished
5271 messages, so the attack will be discovered.
5273 F.1.4. Resuming sessions
5275 When a connection is established by resuming a session, new
5276 ClientHello.random and ServerHello.random values are hashed with the
5277 session's master_secret. Provided that the master_secret has not been
5278 compromised and that the secure hash operations used to produce the
5279 encryption keys and MAC secrets are secure, the connection should be
5280 secure and effectively independent from previous connections.
5281 Attackers cannot use known encryption keys or MAC secrets to
5282 compromise the master_secret without breaking the secure hash
5283 operations (which use both SHA and MD5).
5285 Sessions cannot be resumed unless both the client and server agree.
5286 If either party suspects that the session may have been compromised,
5287 or that certificates may have expired or been revoked, it should
5288 force a full handshake. An upper limit of 24 hours is suggested for
5289 session ID lifetimes, since an attacker who obtains a master_secret
5293 Dierks & Rescorla Standards Track [Page 98]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5296 may be able to impersonate the compromised party until the
5297 corresponding session ID is retired. Applications that may be run in
5298 relatively insecure environments should not write session IDs to
5299 stable storage.
5301 F.1.5 Extensions
5303 Security considerations for the extension mechanism in general, and
5304 the design of new extensions, are described in the previous section.
5305 A security analysis of each of the extensions defined in this
5306 document is given below.
5308 In general, implementers should continue to monitor the state of the
5309 art, and address any weaknesses identified.
5312 F.1.5.1 Security of server_name
5314 If a single server hosts several domains, then clearly it is
5315 necessary for the owners of each domain to ensure that this satisfies
5316 their security needs. Apart from this, server_name does not appear
5317 to introduce significant security issues.
5319 Implementations MUST ensure that a buffer overflow does not occur
5320 whatever the values of the length fields in server_name.
5322 Although this document specifies an encoding for internationalized
5323 hostnames in the server_name extension, it does not address any
5324 security issues associated with the use of internationalized
5325 hostnames in TLS - in particular, the consequences of "spoofed" names
5326 that are indistinguishable from another name when displayed or
5327 printed. It is recommended that server certificates not be issued
5328 for internationalized hostnames unless procedures are in place to
5329 mitigate the risk of spoofed hostnames.
5331 6.2. Security of max_fragment_length
5333 The maximum fragment length takes effect immediately, including for
5334 handshake messages. However, that does not introduce any security
5335 complications that are not already present in TLS, since [TLS]
5336 requires implementations to be able to handle fragmented handshake
5337 messages.
5339 Note that as described in section XXX, once a non-null cipher suite
5340 has been activated, the effective maximum fragment length depends on
5341 the cipher suite and compression method, as well as on the negotiated
5342 max_fragment_length. This must be taken into account when sizing
5343 buffers, and checking for buffer overflow.
5347 Dierks & Rescorla Standards Track [Page 99]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5350 F.1.5.2 Security of client_certificate_url
5352 There are two major issues with this extension.
5354 The first major issue is whether or not clients should include
5355 certificate hashes when they send certificate URLs.
5357 When client authentication is used *without* the
5358 client_certificate_url extension, the client certificate chain is
5359 covered by the Finished message hashes. The purpose of including
5360 hashes and checking them against the retrieved certificate chain, is
5361 to ensure that the same property holds when this extension is used -
5362 i.e., that all of the information in the certificate chain retrieved
5363 by the server is as the client intended.
5365 On the other hand, omitting certificate hashes enables functionality
5366 that is desirable in some circumstances - for example clients can be
5367 issued daily certificates that are stored at a fixed URL and need not
5368 be provided to the client. Clients that choose to omit certificate
5369 hashes should be aware of the possibility of an attack in which the
5370 attacker obtains a valid certificate on the client's key that is
5371 different from the certificate the client intended to provide.
5372 Although TLS uses both MD5 and SHA-1 hashes in several other places,
5373 this was not believed to be necessary here. The property required of
5374 SHA-1 is second pre-image resistance.
5376 The second major issue is that support for client_certificate_url
5377 involves the server acting as a client in another URL protocol. The
5378 server therefore becomes subject to many of the same security
5379 concerns that clients of the URL scheme are subject to, with the
5380 added concern that the client can attempt to prompt the server to
5381 connect to some, possibly weird-looking URL.
5383 In general this issue means that an attacker might use the server to
5384 indirectly attack another host that is vulnerable to some security
5385 flaw. It also introduces the possibility of denial of service
5386 attacks in which an attacker makes many connections to the server,
5387 each of which results in the server attempting a connection to the
5388 target of the attack.
5390 Note that the server may be behind a firewall or otherwise able to
5391 access hosts that would not be directly accessible from the public
5392 Internet; this could exacerbate the potential security and denial of
5393 service problems described above, as well as allowing the existence
5394 of internal hosts to be confirmed when they would otherwise be
5395 hidden.
5397 The detailed security concerns involved will depend on the URL
5401 Dierks & Rescorla Standards Track [Page 100]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5404 schemes supported by the server. In the case of HTTP, the concerns
5405 are similar to those that apply to a publicly accessible HTTP proxy
5406 server. In the case of HTTPS, the possibility for loops and
5407 deadlocks to be created exists and should be addressed. In the case
5408 of FTP, attacks similar to FTP bounce attacks arise.
5410 As a result of this issue, it is RECOMMENDED that the
5411 client_certificate_url extension should have to be specifically
5412 enabled by a server administrator, rather than being enabled by
5413 default. It is also RECOMMENDED that URI protocols be enabled by the
5414 administrator individually, and only a minimal set of protocols be
5415 enabled, with unusual protocols offering limited security or whose
5416 security is not well-understood being avoided.
5418 As discussed in [URI], URLs that specify ports other than the default
5419 may cause problems, as may very long URLs (which are more likely to
5420 be useful in exploiting buffer overflow bugs).
5422 Also note that HTTP caching proxies are common on the Internet, and
5423 some proxies do not check for the latest version of an object
5424 correctly. If a request using HTTP (or another caching protocol)
5425 goes through a misconfigured or otherwise broken proxy, the proxy may
5426 return an out-of-date response.
5428 F.1.5.4. Security of trusted_ca_keys
5430 It is possible that which CA root keys a client possesses could be
5431 regarded as confidential information. As a result, the CA root key
5432 indication extension should be used with care.
5434 The use of the SHA-1 certificate hash alternative ensures that each
5435 certificate is specified unambiguously. As for the previous
5436 extension, it was not believed necessary to use both MD5 and SHA-1
5437 hashes.
5439 F.1.5.5. Security of truncated_hmac
5441 It is possible that truncated MACs are weaker than "un-truncated"
5442 MACs. However, no significant weaknesses are currently known or
5443 expected to exist for HMAC with MD5 or SHA-1, truncated to 80 bits.
5445 Note that the output length of a MAC need not be as long as the
5446 length of a symmetric cipher key, since forging of MAC values cannot
5447 be done off-line: in TLS, a single failed MAC guess will cause the
5448 immediate termination of the TLS session.
5450 Since the MAC algorithm only takes effect after the handshake
5451 messages have been authenticated by the hashes in the Finished
5455 Dierks & Rescorla Standards Track [Page 101]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5458 messages, it is not possible for an active attacker to force
5459 negotiation of the truncated HMAC extension where it would not
5460 otherwise be used (to the extent that the handshake authentication is
5461 secure). Therefore, in the event that any security problem were
5462 found with truncated HMAC in future, if either the client or the
5463 server for a given session were updated to take into account the
5464 problem, they would be able to veto use of this extension.
5466 F.1.5.6. Security of status_request
5468 If a client requests an OCSP response, it must take into account that
5469 an attacker's server using a compromised key could (and probably
5470 would) pretend not to support the extension. A client that requires
5471 OCSP validation of certificates SHOULD either contact the OCSP server
5472 directly in this case, or abort the handshake.
5474 Use of the OCSP nonce request extension (id-pkix-ocsp-nonce) may
5475 improve security against attacks that attempt to replay OCSP
5476 responses; see section 4.4.1 of [OCSP] for further details.
5479 F.2. Protecting application data
5481 The master_secret is hashed with the ClientHello.random and
5482 ServerHello.random to produce unique data encryption keys and MAC
5483 secrets for each connection.
5485 Outgoing data is protected with a MAC before transmission. To prevent
5486 message replay or modification attacks, the MAC is computed from the
5487 MAC secret, the sequence number, the message length, the message
5488 contents, and two fixed character strings. The message type field is
5489 necessary to ensure that messages intended for one TLS Record Layer
5490 client are not redirected to another. The sequence number ensures
5491 that attempts to delete or reorder messages will be detected. Since
5492 sequence numbers are 64-bits long, they should never overflow.
5493 Messages from one party cannot be inserted into the other's output,
5494 since they use independent MAC secrets. Similarly, the server-write
5495 and client-write keys are independent so stream cipher keys are used
5496 only once.
5498 If an attacker does break an encryption key, all messages encrypted
5499 with it can be read. Similarly, compromise of a MAC key can make
5500 message modification attacks possible. Because MACs are also
5501 encrypted, message-alteration attacks generally require breaking the
5502 encryption algorithm as well as the MAC.
5504 Note: MAC secrets may be larger than encryption keys, so messages can
5505 remain tamper resistant even if encryption keys are broken.
5509 Dierks & Rescorla Standards Track [Page 102]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5512 F.3. Explicit IVs
5514 [CBCATT] describes a chosen plaintext attack on TLS that depends
5515 on knowing the IV for a record. Previous versions of TLS [TLS1.0]
5516 used the CBC residue of the previous record as the IV and
5517 therefore enabled this attack. This version uses an explicit IV
5518 in order to protect against this attack.
5520 F.4 Security of Composite Cipher Modes
5522 TLS secures transmitted application data via the use of symmetric
5523 encryption and authentication functions defined in the negotiated
5524 ciphersuite. The objective is to protect both the integrity and
5525 confidentiality of the transmitted data from malicious actions by
5526 active attackers in the network. It turns out that the order in
5527 which encryption and authentication functions are applied to the
5528 data plays an important role for achieving this goal [ENCAUTH].
5530 The most robust method, called encrypt-then-authenticate, first
5531 applies encryption to the data and then applies a MAC to the
5532 ciphertext. This method ensures that the integrity and
5533 confidentiality goals are obtained with ANY pair of encryption
5534 and MAC functions provided that the former is secure against
5535 chosen plaintext attacks and the MAC is secure against chosen-
5536 message attacks. TLS uses another method, called authenticate-
5537 then-encrypt, in which first a MAC is computed on the plaintext
5538 and then the concatenation of plaintext and MAC is encrypted.
5539 This method has been proven secure for CERTAIN combinations of
5540 encryption functions and MAC functions, but is not guaranteed to
5541 be secure in general. In particular, it has been shown that there
5542 exist perfectly secure encryption functions (secure even in the
5543 information theoretic sense) that combined with any secure MAC
5544 function fail to provide the confidentiality goal against an
5545 active attack. Therefore, new ciphersuites and operation modes
5546 adopted into TLS need to be analyzed under the authenticate-then-
5547 encrypt method to verify that they achieve the stated integrity
5548 and confidentiality goals.
5550 Currently, the security of the authenticate-then-encrypt method
5551 has been proven for some important cases. One is the case of
5552 stream ciphers in which a computationally unpredictable pad of
5553 the length of the message plus the length of the MAC tag is
5554 produced using a pseudo-random generator and this pad is xor-ed
5555 with the concatenation of plaintext and MAC tag. The other is
5556 the case of CBC mode using a secure block cipher. In this case,
5557 security can be shown if one applies one CBC encryption pass to
5558 the concatenation of plaintext and MAC and uses a new,
5559 independent and unpredictable, IV for each new pair of plaintext
5563 Dierks & Rescorla Standards Track [Page 103]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5566 and MAC. In previous versions of SSL, CBC mode was used properly
5567 EXCEPT that it used a predictable IV in the form of the last
5568 block of the previous ciphertext. This made TLS open to chosen
5569 plaintext attacks. This verson of the protocol is immune to
5570 those attacks. For exact details in the encryption modes proven
5571 secure see [ENCAUTH].
5573 F.5 Denial of Service
5575 TLS is susceptible to a number of denial of service (DoS)
5576 attacks. In particular, an attacker who initiates a large number
5577 of TCP connections can cause a server to consume large amounts of
5578 CPU doing RSA decryption. However, because TLS is generally used
5579 over TCP, it is difficult for the attacker to hide his point of
5580 origin if proper TCP SYN randomization is used [SEQNUM] by the
5581 TCP stack.
5583 Because TLS runs over TCP, it is also susceptible to a number of
5584 denial of service attacks on individual connections. In
5585 particular, attackers can forge RSTs, terminating connections, or
5586 forge partial TLS records, causing the connection to stall.
5587 These attacks cannot in general be defended against by a TCP-
5588 using protocol. Implementors or users who are concerned with this
5589 class of attack should use IPsec AH [AH] or ESP [ESP].
5591 F.6. Final notes
5593 For TLS to be able to provide a secure connection, both the client
5594 and server systems, keys, and applications must be secure. In
5595 addition, the implementation must be free of security errors.
5597 The system is only as strong as the weakest key exchange and
5598 authentication algorithm supported, and only trustworthy
5599 cryptographic functions should be used. Short public keys, 40-bit
5600 bulk encryption keys, and anonymous servers should be used with great
5601 caution. Implementations and users must be careful when deciding
5602 which certificates and certificate authorities are acceptable; a
5603 dishonest certificate authority can do tremendous damage.
5617 Dierks & Rescorla Standards Track [Page 104]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5620 Security Considerations
5622 Security issues are discussed throughout this memo, especially in
5623 Appendices D, E, and F.
5625 Normative References
5626 [AES] National Institute of Standards and Technology,
5627 "Specification for the Advanced Encryption Standard (AES)"
5628 FIPS 197. November 26, 2001.
5630 [3DES] W. Tuchman, "Hellman Presents No Shortcut Solutions To DES,"
5631 IEEE Spectrum, v. 16, n. 7, July 1979, pp40-41.
5633 [DES] ANSI X3.106, "American National Standard for Information
5634 Systems-Data Link Encryption," American National Standards
5635 Institute, 1983.
5637 [DSS] NIST FIPS PUB 186-2, "Digital Signature Standard," National
5638 Institute of Standards and Technology, U.S. Department of
5639 Commerce, 2000.
5642 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
5643 Hashing for Message Authentication," RFC 2104, February
5644 1997.
5646 [HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter,
5647 L., Leach, P. and T. Berners-Lee, "Hypertext Transfer
5648 Protocol -- HTTP/1.1", RFC 2616, June 1999.
5650 [IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH
5651 Series in Information Processing, v. 1, Konstanz: Hartung-
5652 Gorre Verlag, 1992.
5654 [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
5655 "Internationalizing Domain Names in Applications (IDNA)",
5656 RFC 3490, March 2003.
5658 [MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
5659 April 1992.
5661 [OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
5662 Adams, "Internet X.509 Public Key Infrastructure: Online
5663 Certificate Status Protocol - OCSP", RFC 2560, June 1999.
5665 [PKCS1A] B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1:
5666 RSA Cryptography Specifications Version 1.5", RFC 2313,
5667 March 1998.
5671 Dierks & Rescorla Standards Track [Page 105]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5674 [PKCS1B] J. Jonsson, B. Kaliski, "Public-Key Cryptography Standards
5675 (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC
5676 3447, February 2003.
5678 [PKIOP] Housley, R. and P. Hoffman, "Internet X.509 Public Key
5679 Infrastructure - Operation Protocols: FTP and HTTP", RFC
5680 2585, May 1999.
5683 [PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
5684 Public Key Infrastructure: Part I: X.509 Certificate and CRL
5685 Profile", RFC 3280, April 2002.
5687 [RC2] Rivest, R., "A Description of the RC2(r) Encryption
5688 Algorithm", RFC 2268, January 1998.
5690 [SCH] B. Schneier. "Applied Cryptography: Protocols, Algorithms,
5691 and Source Code in C, 2ed", Published by John Wiley & Sons,
5692 Inc. 1996.
5694 [SHA] NIST FIPS PUB 180-2, "Secure Hash Standard," National
5695 Institute of Standards and Technology, U.S. Department of
5696 Commerce., August 2001.
5698 [REQ] Bradner, S., "Key words for use in RFCs to Indicate
5699 Requirement Levels", BCP 14, RFC 2119, March 1997.
5701 [RFC2434] T. Narten, H. Alvestrand, "Guidelines for Writing an IANA
5702 Considerations Section in RFCs", RFC 3434, October 1998.
5704 [TLSAES] Chown, P. "Advanced Encryption Standard (AES) Ciphersuites
5705 for Transport Layer Security (TLS)", RFC 3268, June 2002.
5707 [TLSEXT] Blake-Wilson, S., Nystrom, M, Hopwood, D., Mikkelsen, J.,
5708 Wright, T., "Transport Layer Security (TLS) Extensions", RFC
5709 3546, June 2003.
5710 [TLSKRB] A. Medvinsky, M. Hur, "Addition of Kerberos Cipher Suites to
5711 Transport Layer Security (TLS)", RFC 2712, October 1999.
5714 [URI] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
5715 Resource Identifiers (URI): Generic Syntax", RFC 2396,
5716 August 1998.
5718 [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
5719 RFC 3629, November 2003.
5721 [X509-4th] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594- 8:2001,
5725 Dierks & Rescorla Standards Track [Page 106]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5728 "Information Systems - Open Systems Interconnection - The
5729 Directory: Public key and Attribute certificate
5730 frameworks."
5732 [X509-4th-TC1] ITU-T Recommendation X.509(2000) Corrigendum 1(2001) |
5733 ISO/IEC 9594-8:2001/Cor.1:2002, Technical Corrigendum 1 to
5734 ISO/IEC 9594:8:2001.
5736 Informative References
5738 [AEAD] Mcgrew, D., "Authenticated Encryption", July 2006, draft-
5739 mcgrew-auth-enc-00.txt.
5741 [AH] Kent, S., and Atkinson, R., "IP Authentication Header", RFC
5742 2402, November 1998.
5744 [BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against
5745 Protocols Based on RSA Encryption Standard PKCS #1" in
5746 Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages:
5747 1-12, 1998.
5749 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
5750 Problems and Countermeasures",
5751 http://www.openssl.org/~bodo/tls-cbc.txt.
5753 [CBCTIME] Canvel, B., "Password Interception in a SSL/TLS Channel",
5754 http://lasecwww.epfl.ch/memo_ssl.shtml, 2003.
5756 [CCM] "NIST Special Publication 800-38C: The CCM Mode for
5757 Authentication and Confidentiality",
5758 http://csrc.nist.gov/publications/nistpubs/SP800-38C.pdf.
5760 [ENCAUTH] Krawczyk, H., "The Order of Encryption and Authentication
5761 for Protecting Communications (Or: How Secure is SSL?)",
5762 Crypto 2001.
5764 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
5765 Payload (ESP)", RFC 2406, November 1998.
5767 [GCM] "NIST Special Publication 800-38C: The CCM Mode for
5768 Authentication and Confidentiality",
5769 http://csrc.nist.gov/publications/nistpubs/SP800-38C.pdf.
5771 [KPR03] Klima, V., Pokorny, O., Rosa, T., "Attacking RSA-based
5772 Sessions in SSL/TLS", http://eprint.iacr.org/2003/052/,
5773 March 2003.
5775 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax
5779 Dierks & Rescorla Standards Track [Page 107]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5782 Standard," version 1.5, November 1993.
5784 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax
5785 Standard," version 1.5, November 1993.
5787 [RANDOM] D. Eastlake 3rd, S. Crocker, J. Schiller. "Randomness
5788 Recommendations for Security", RFC 1750, December 1994.
5790 [RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
5791 Obtaining Digital Signatures and Public-Key Cryptosystems,"
5792 Communications of the ACM, v. 21, n. 2, Feb 1978, pp.
5793 120-126.
5795 [SEQNUM] Bellovin. S., "Defending Against Sequence Number Attacks",
5796 RFC 1948, May 1996.
5798 [SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications
5799 Corp., Feb 9, 1995.
5801 [SSL3] A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol",
5802 Netscape Communications Corp., Nov 18, 1996.
5804 [SUBGROUP] R. Zuccherato, "Methods for Avoiding the Small-Subgroup
5805 Attacks on the Diffie-Hellman Key Agreement Method for
5806 S/MIME", RFC 2785, March 2000.
5808 [TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793,
5809 September 1981.
5811 [TIMING] Boneh, D., Brumley, D., "Remote timing attacks are
5812 practical", USENIX Security Symposium 2003.
5814 [TLS1.0] Dierks, T., and Allen, C., "The TLS Protocol, Version 1.0",
5815 RFC 2246, January 1999.
5817 [TLS1.1] Dierks, T., and Rescorla, E., "The TLS Protocol, Version
5818 1.1", RFC 4346, April, 2006.
5820 [X501] ITU-T Recommendation X.501: Information Technology - Open
5821 Systems Interconnection - The Directory: Models, 1993.
5823 [X509] ITU-T Recommendation X.509 (1997 E): Information Technology -
5824 Open Systems Interconnection - "The Directory -
5825 Authentication Framework". 1988.
5827 [XDR] R. Srinivansan, Sun Microsystems, "XDR: External Data
5828 Representation Standard", RFC 1832, August 1995.
5833 Dierks & Rescorla Standards Track [Page 108]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5836 Credits
5838 Working Group Chairs
5839 Eric Rescorla
5840 EMail: ekr@networkresonance.com
5842 Pasi Eronen
5843 pasi.eronen@nokia.com
5846 Editors
5848 Tim Dierks Eric Rescorla
5849 Independent Network Resonance, Inc.
5851 EMail: tim@dierks.org EMail: ekr@networkresonance.com
5855 Other contributors
5857 Christopher Allen (co-editor of TLS 1.0)
5858 Alacrity Ventures
5859 ChristopherA@AlacrityManagement.com
5861 Martin Abadi
5862 University of California, Santa Cruz
5863 abadi@cs.ucsc.edu
5865 Steven M. Bellovin
5866 Columbia University
5867 smb@cs.columbia.edu
5869 Simon Blake-Wilson
5870 BCI
5871 EMail: sblakewilson@bcisse.com
5873 Ran Canetti
5874 IBM
5875 canetti@watson.ibm.com
5877 Pete Chown
5878 Skygate Technology Ltd
5879 pc@skygate.co.uk
5881 Taher Elgamal
5882 taher@securify.com
5883 Securify
5887 Dierks & Rescorla Standards Track [Page 109]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5890 Anil Gangolli
5891 anil@busybuddha.org
5893 Kipp Hickman
5895 David Hopwood
5896 Independent Consultant
5897 EMail: david.hopwood@blueyonder.co.uk
5899 Phil Karlton (co-author of SSLv3)
5901 Paul Kocher (co-author of SSLv3)
5902 Cryptography Research
5903 paul@cryptography.com
5905 Hugo Krawczyk
5906 Technion Israel Institute of Technology
5907 hugo@ee.technion.ac.il
5909 Jan Mikkelsen
5910 Transactionware
5911 EMail: janm@transactionware.com
5913 Magnus Nystrom
5914 RSA Security
5915 EMail: magnus@rsasecurity.com
5917 Robert Relyea
5918 Netscape Communications
5919 relyea@netscape.com
5921 Jim Roskind
5922 Netscape Communications
5923 jar@netscape.com
5925 Michael Sabin
5927 Dan Simon
5928 Microsoft, Inc.
5929 dansimon@microsoft.com
5931 Tom Weinstein
5933 Tim Wright
5934 Vodafone
5935 EMail: timothy.wright@vodafone.com
5937 Comments
5941 Dierks & Rescorla Standards Track [Page 110]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5944 The discussion list for the IETF TLS working group is located at the
5945 e-mail address <tls@ietf.org>. Information on the group and
5946 information on how to subscribe to the list is at
5947 <https://www1.ietf.org/mailman/listinfo/tls>
5949 Archives of the list can be found at:
5950 <http://www.ietf.org/mail-archive/web/tls/current/index.html>
5995 Dierks & Rescorla Standards Track [Page 111]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
5998 Intellectual Property Statement
6000 The IETF takes no position regarding the validity or scope of any
6001 Intellectual Property Rights or other rights that might be claimed to
6002 pertain to the implementation or use of the technology described in
6003 this document or the extent to which any license under such rights
6004 might or might not be available; nor does it represent that it has
6005 made any independent effort to identify any such rights. Information
6006 on the procedures with respect to rights in RFC documents can be
6007 found in BCP 78 and BCP 79.
6009 Copies of IPR disclosures made to the IETF Secretariat and any
6010 assurances of licenses to be made available, or the result of an
6011 attempt made to obtain a general license or permission for the use of
6012 such proprietary rights by implementers or users of this
6013 specification can be obtained from the IETF on-line IPR repository at
6014 http://www.ietf.org/ipr.
6016 The IETF invites any interested party to bring to its attention any
6017 copyrights, patents or patent applications, or other proprietary
6018 rights that may cover technology that may be required to implement
6019 this standard. Please address the information to the IETF at
6020 ietf-ipr@ietf.org.
6023 Disclaimer of Validity
6025 This document and the information contained herein are provided on an
6026 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
6027 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
6028 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
6029 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
6030 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
6031 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
6034 Copyright Statement
6036 Copyright (C) The Internet Society (2006). This document is subject
6037 to the rights, licenses and restrictions contained in BCP 78, and
6038 except as set forth therein, the authors retain all their rights.
6041 Acknowledgment
6043 Funding for the RFC Editor function is currently provided by the
6044 Internet Society.
6049 Dierks & Rescorla Standards Track [Page 112]\fdraft-ietf-tls-rfc4346-bis-02.txt TLS October 2006
6103 Dierks & Rescorla Standards Track [Page 113]\f