| blob | 7b2208a1bba27385d95d1b3e13864aab222a4ec8 |
6 INTERNET-DRAFT Tim Dierks
7 Obsoletes (if approved): RFC 3268, 4346, 4366 Independent
8 Intended status: Proposed Standard Eric Rescorla
9 Network Resonance, Inc.
10 <draft-ietf-tls-rfc4346-bis-06.txt> October 2007 (Expires April 2008)
12 The Transport Layer Security (TLS) Protocol
13 Version 1.2
15 Status of this Memo
16 By submitting this Internet-Draft, each author represents that any
17 applicable patent or other IPR claims of which he or she is aware
18 have been or will be disclosed, and any of which he or she becomes
19 aware will be disclosed, in accordance with Section 6 of BCP 79.
21 Internet-Drafts are working documents of the Internet Engineering
22 Task Force (IETF), its areas, and its working groups. Note that
23 other groups may also distribute working documents as Internet-
24 Drafts.
26 Internet-Drafts are draft documents valid for a maximum of six months
27 and may be updated, replaced, or obsoleted by other documents at any
28 time. It is inappropriate to use Internet-Drafts as reference
29 material or to cite them other than as "work in progress."
31 The list of current Internet-Drafts can be accessed at
32 http://www.ietf.org/ietf/1id-abstracts.txt.
34 The list of Internet-Draft Shadow Directories can be accessed at
35 http://www.ietf.org/shadow.html.
37 Copyright Notice
39 Copyright (C) The IETF Trust (2007).
41 Abstract
43 This document specifies Version 1.2 of the Transport Layer Security
44 (TLS) protocol. The TLS protocol provides communications security
45 over the Internet. The protocol allows client/server applications to
46 communicate in a way that is designed to prevent eavesdropping,
47 tampering, or message forgery.
49 Table of Contents
51 1. Introduction 3
52 1.1 Requirements Terminology 5
53 1.2 Major Differences from TLS 1.1 5
57 Dierks & Rescorla Standards Track [Page 1]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
60 2. Goals 6
61 3. Goals of This Document 6
62 4. Presentation Language 7
63 4.1. Basic Block Size 7
64 4.2. Miscellaneous 7
65 4.3. Vectors 7
66 4.4. Numbers 8
67 4.5. Enumerateds 9
68 4.6. Constructed Types 10
69 4.6.1. Variants 10
70 4.7. Cryptographic Attributes 11
71 4.8. Constants 13
72 5. HMAC and the Pseudorandom Function 13
73 6. The TLS Record Protocol 14
74 6.1. Connection States 15
75 6.2. Record layer 17
76 6.2.1. Fragmentation 17
77 6.2.2. Record Compression and Decompression 19
78 6.2.3. Record Payload Protection 19
79 6.2.3.1. Null or Standard Stream Cipher 20
80 6.2.3.2. CBC Block Cipher 21
81 6.2.3.3. AEAD ciphers 23
82 6.3. Key Calculation 24
83 7. The TLS Handshaking Protocols 25
84 7.1. Change Cipher Spec Protocol 25
85 7.2. Alert Protocol 26
86 7.2.1. Closure Alerts 27
87 7.2.2. Error Alerts 28
88 7.3. Handshake Protocol Overview 31
89 7.4. Handshake Protocol 34
90 7.4.1. Hello Messages 35
91 7.4.1.1. Hello Request 36
92 7.4.1.2. Client Hello 36
93 7.4.1.3. Server Hello 39
94 7.4.1.4 Hello Extensions 41
95 7.4.1.4.1 Signature Hash Algorithms 42
96 7.4.2. Server Certificate 43
97 7.4.3. Server Key Exchange Message 46
98 7.4.4. Certificate Request 49
99 7.4.5 Server hello done 50
100 7.4.6. Client Certificate 51
101 7.4.7. Client Key Exchange Message 52
102 7.4.7.1. RSA Encrypted Premaster Secret Message 53
103 7.4.7.2. Client Diffie-Hellman Public Value 55
104 7.4.8. Certificate verify 56
105 7.4.9. Finished 57
106 8. Cryptographic Computations 58
107 8.1. Computing the Master Secret 58
111 Dierks & Rescorla Standards Track [Page 2]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
114 8.1.1. RSA 59
115 8.1.2. Diffie-Hellman 59
116 9. Mandatory Cipher Suites 59
117 10. Application Data Protocol 59
118 11. Security Considerations 59
119 12. IANA Considerations 59
120 A. Protocol Constant Values 62
121 A.1. Record Layer 62
122 A.2. Change Cipher Specs Message 63
123 A.3. Alert Messages 63
124 A.4. Handshake Protocol 65
125 A.4.1. Hello Messages 65
126 A.4.2. Server Authentication and Key Exchange Messages 67
127 A.4.3. Client Authentication and Key Exchange Messages 68
128 A.4.4. Handshake Finalization Message 68
129 A.5. The CipherSuite 69
130 A.6. The Security Parameters 71
131 B. Glossary 73
132 C. CipherSuite Definitions 77
133 D. Implementation Notes 79
134 D.1 Random Number Generation and Seeding 79
135 D.2 Certificates and Authentication 79
136 D.3 CipherSuites 79
137 D.4 Implementation Pitfalls 79
138 E. Backward Compatibility 82
139 E.1 Compatibility with TLS 1.0/1.1 and SSL 3.0 82
140 E.2 Compatibility with SSL 2.0 83
141 E.3. Avoiding Man-in-the-Middle Version Rollback 85
142 F. Security Analysis 86
143 F.1. Handshake Protocol 86
144 F.1.1. Authentication and Key Exchange 86
145 F.1.1.1. Anonymous Key Exchange 86
146 F.1.1.2. RSA Key Exchange and Authentication 87
147 F.1.1.3. Diffie-Hellman Key Exchange with Authentication 87
148 F.1.2. Version Rollback Attacks 88
149 F.1.3. Detecting Attacks Against the Handshake Protocol 89
150 F.1.4. Resuming Sessions 89
151 F.2. Protecting Application Data 89
152 F.3. Explicit IVs 90
153 F.4. Security of Composite Cipher Modes 90
154 F.5 Denial of Service 91
155 F.6 Final Notes 92
158 1. Introduction
160 The primary goal of the TLS Protocol is to provide privacy and data
161 integrity between two communicating applications. The protocol is
165 Dierks & Rescorla Standards Track [Page 3]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
168 composed of two layers: the TLS Record Protocol and the TLS Handshake
169 Protocol. At the lowest level, layered on top of some reliable
170 transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The
171 TLS Record Protocol provides connection security that has two basic
172 properties:
174 - The connection is private. Symmetric cryptography is used for
175 data encryption (e.g., DES [DES], RC4 [SCH] etc.). The keys for
176 this symmetric encryption are generated uniquely for each
177 connection and are based on a secret negotiated by another
178 protocol (such as the TLS Handshake Protocol). The Record
179 Protocol can also be used without encryption.
181 - The connection is reliable. Message transport includes a message
182 integrity check using a keyed MAC. Secure hash functions (e.g.,
183 SHA, MD5, etc.) are used for MAC computations. The Record
184 Protocol can operate without a MAC, but is generally only used in
185 this mode while another protocol is using the Record Protocol as
186 a transport for negotiating security parameters.
188 The TLS Record Protocol is used for encapsulation of various higher-
189 level protocols. One such encapsulated protocol, the TLS Handshake
190 Protocol, allows the server and client to authenticate each other and
191 to negotiate an encryption algorithm and cryptographic keys before
192 the application protocol transmits or receives its first byte of
193 data. The TLS Handshake Protocol provides connection security that
194 has three basic properties:
196 - The peer's identity can be authenticated using asymmetric, or
197 public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This
198 authentication can be made optional, but is generally required
199 for at least one of the peers.
201 - The negotiation of a shared secret is secure: the negotiated
202 secret is unavailable to eavesdroppers, and for any authenticated
203 connection the secret cannot be obtained, even by an attacker who
204 can place himself in the middle of the connection.
206 - The negotiation is reliable: no attacker can modify the
207 negotiation communication without being detected by the parties
208 to the communication.
210 One advantage of TLS is that it is application protocol independent.
211 Higher-level protocols can layer on top of the TLS Protocol
212 transparently. The TLS standard, however, does not specify how
213 protocols add security with TLS; the decisions on how to initiate TLS
214 handshaking and how to interpret the authentication certificates
215 exchanged are left to the judgment of the designers and implementors
219 Dierks & Rescorla Standards Track [Page 4]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
222 of protocols that run on top of TLS.
224 1.1 Requirements Terminology
226 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
227 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
228 document are to be interpreted as described in RFC 2119 [REQ].
230 1.2 Major Differences from TLS 1.1
232 This document is a revision of the TLS 1.1 [TLS1.1] protocol which
233 contains improved flexibility, particularly for negotiation of
234 cryptographic algorithms. The major changes are:
236 - Merged in TLS Extensions definition and AES Cipher Suites from
237 external documents [TLSEXT] and [TLSAES].
239 - Replacement of MD5/SHA-1 combination in the PRF. Addition
240 of cipher-suite specified PRFs.
242 - Replacement of MD5/SHA-1 combination in the digitally-signed
243 element.
245 - Substantial cleanup to the clients and servers ability to
246 specify which digest and signature algorithms they will
247 accept. Note that this also relaxes some of the constraints
248 on signature and digest algorithms from previous versions of
249 TLS.
251 - Addition of support for authenticated encryption with additional
252 data modes.
254 - Tightened up a number of requirements.
256 - Added some guidance that DH groups should be checked for size.
258 - Cleaned up description of Bleichenbacher/Klima attack defenses.
260 - Tighter checking of EncryptedPreMasterSecret version numbers.
262 - Stronger language about when alerts MUST be sent.
264 - Added an Implementation Pitfalls sections
266 - Harmonized the requirement to send an empty certificate list
267 after certificate_request even when no certs are available.
269 - Made the verify_data length depend on the cipher suite.
273 Dierks & Rescorla Standards Track [Page 5]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
276 - TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement
277 cipher suite.
279 - The usual clarifications and editorial work.
281 2. Goals
283 The goals of TLS Protocol, in order of their priority, are as
284 follows:
286 1. Cryptographic security: TLS should be used to establish a secure
287 connection between two parties.
289 2. Interoperability: Independent programmers should be able to
290 develop applications utilizing TLS that can successfully exchange
291 cryptographic parameters without knowledge of one another's code.
293 3. Extensibility: TLS seeks to provide a framework into which new
294 public key and bulk encryption methods can be incorporated as
295 necessary. This will also accomplish two sub-goals: preventing
296 the need to create a new protocol (and risking the introduction
297 of possible new weaknesses) and avoiding the need to implement an
298 entire new security library.
300 4. Relative efficiency: Cryptographic operations tend to be highly
301 CPU intensive, particularly public key operations. For this
302 reason, the TLS protocol has incorporated an optional session
303 caching scheme to reduce the number of connections that need to
304 be established from scratch. Additionally, care has been taken to
305 reduce network activity.
307 3. Goals of This Document
309 This document and the TLS protocol itself are based on the SSL 3.0
310 Protocol Specification as published by Netscape. The differences
311 between this protocol and SSL 3.0 are not dramatic, but they are
312 significant enough that the various versions of TLS and SSL 3.0 do
313 not interoperate (although each protocol incorporates a mechanism by
314 which an implementation can back down to prior versions). This
315 document is intended primarily for readers who will be implementing
316 the protocol and for those doing cryptographic analysis of it. The
317 specification has been written with this in mind, and it is intended
318 to reflect the needs of those two groups. For that reason, many of
319 the algorithm-dependent data structures and rules are included in the
320 body of the text (as opposed to in an appendix), providing easier
321 access to them.
323 This document is not intended to supply any details of service
327 Dierks & Rescorla Standards Track [Page 6]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
330 definition or of interface definition, although it does cover select
331 areas of policy as they are required for the maintenance of solid
332 security.
334 4. Presentation Language
336 This document deals with the formatting of data in an external
337 representation. The following very basic and somewhat casually
338 defined presentation syntax will be used. The syntax draws from
339 several sources in its structure. Although it resembles the
340 programming language "C" in its syntax and XDR [XDR] in both its
341 syntax and intent, it would be risky to draw too many parallels. The
342 purpose of this presentation language is to document TLS only; it has
343 no general application beyond that particular goal.
345 4.1. Basic Block Size
347 The representation of all data items is explicitly specified. The
348 basic data block size is one byte (i.e., 8 bits). Multiple byte data
349 items are concatenations of bytes, from left to right, from top to
350 bottom. From the bytestream, a multi-byte item (a numeric in the
351 example) is formed (using C notation) by:
353 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
354 ... | byte[n-1];
356 This byte ordering for multi-byte values is the commonplace network
357 byte order or big endian format.
359 4.2. Miscellaneous
361 Comments begin with "/*" and end with "*/".
363 Optional components are denoted by enclosing them in "[[ ]]" double
364 brackets.
366 Single-byte entities containing uninterpreted data are of type
367 opaque.
369 4.3. Vectors
371 A vector (single dimensioned array) is a stream of homogeneous data
372 elements. The size of the vector may be specified at documentation
373 time or left unspecified until runtime. In either case, the length
374 declares the number of bytes, not the number of elements, in the
375 vector. The syntax for specifying a new type, T', that is a fixed-
376 length vector of type T is
381 Dierks & Rescorla Standards Track [Page 7]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
384 T T'[n];
386 Here, T' occupies n bytes in the data stream, where n is a multiple
387 of the size of T. The length of the vector is not included in the
388 encoded stream.
390 In the following example, Datum is defined to be three consecutive
391 bytes that the protocol does not interpret, while Data is three
392 consecutive Datum, consuming a total of nine bytes.
394 opaque Datum[3]; /* three uninterpreted bytes */
395 Datum Data[9]; /* 3 consecutive 3 byte vectors */
397 Variable-length vectors are defined by specifying a subrange of legal
398 lengths, inclusively, using the notation <floor..ceiling>. When
399 these are encoded, the actual length precedes the vector's contents
400 in the byte stream. The length will be in the form of a number
401 consuming as many bytes as required to hold the vector's specified
402 maximum (ceiling) length. A variable-length vector with an actual
403 length field of zero is referred to as an empty vector.
405 T T'<floor..ceiling>;
407 In the following example, mandatory is a vector that must contain
408 between 300 and 400 bytes of type opaque. It can never be empty. The
409 actual length field consumes two bytes, a uint16, sufficient to
410 represent the value 400 (see Section 4.4). On the other hand, longer
411 can represent up to 800 bytes of data, or 400 uint16 elements, and it
412 may be empty. Its encoding will include a two-byte actual length
413 field prepended to the vector. The length of an encoded vector must
414 be an even multiple of the length of a single element (for example, a
415 17-byte vector of uint16 would be illegal).
417 opaque mandatory<300..400>;
418 /* length field is 2 bytes, cannot be empty */
419 uint16 longer<0..800>;
420 /* zero to 400 16-bit unsigned integers */
422 4.4. Numbers
424 The basic numeric data type is an unsigned byte (uint8). All larger
425 numeric data types are formed from fixed-length series of bytes
426 concatenated as described in Section 4.1 and are also unsigned. The
427 following numeric types are predefined.
429 uint8 uint16[2];
430 uint8 uint24[3];
431 uint8 uint32[4];
435 Dierks & Rescorla Standards Track [Page 8]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
438 uint8 uint64[8];
440 All values, here and elsewhere in the specification, are stored in
441 "network" or "big-endian" order; the uint32 represented by the hex
442 bytes 01 02 03 04 is equivalent to the decimal value 16909060.
444 Note that in some cases (e.g., DH parameters) it is necessary to
445 represent integers as opaque vectors. In such cases, they are
446 represented as unsigned integers (i.e., leading zero octets are not
447 required even if the most significant bit is set).
449 4.5. Enumerateds
451 An additional sparse data type is available called enum. A field of
452 type enum can only assume the values declared in the definition.
453 Each definition is a different type. Only enumerateds of the same
454 type may be assigned or compared. Every element of an enumerated must
455 be assigned a value, as demonstrated in the following example. Since
456 the elements of the enumerated are not ordered, they can be assigned
457 any unique value, in any order.
459 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
461 Enumerateds occupy as much space in the byte stream as would its
462 maximal defined ordinal value. The following definition would cause
463 one byte to be used to carry fields of type Color.
465 enum { red(3), blue(5), white(7) } Color;
467 One may optionally specify a value without its associated tag to
468 force the width definition without defining a superfluous element.
469 In the following example, Taste will consume two bytes in the data
470 stream but can only assume the values 1, 2, or 4.
472 enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
474 The names of the elements of an enumeration are scoped within the
475 defined type. In the first example, a fully qualified reference to
476 the second element of the enumeration would be Color.blue. Such
477 qualification is not required if the target of the assignment is well
478 specified.
480 Color color = Color.blue; /* overspecified, legal */
481 Color color = blue; /* correct, type implicit */
483 For enumerateds that are never converted to external representation,
484 the numerical information may be omitted.
489 Dierks & Rescorla Standards Track [Page 9]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
492 enum { low, medium, high } Amount;
494 4.6. Constructed Types
496 Structure types may be constructed from primitive types for
497 convenience. Each specification declares a new, unique type. The
498 syntax for definition is much like that of C.
500 struct {
501 T1 f1;
502 T2 f2;
503 ...
504 Tn fn;
505 } [[T]];
507 The fields within a structure may be qualified using the type's name,
508 with a syntax much like that available for enumerateds. For example,
509 T.f2 refers to the second field of the previous declaration.
510 Structure definitions may be embedded.
512 4.6.1. Variants
514 Defined structures may have variants based on some knowledge that is
515 available within the environment. The selector must be an enumerated
516 type that defines the possible variants the structure defines. There
517 must be a case arm for every element of the enumeration declared in
518 the select. The body of the variant structure may be given a label
519 for reference. The mechanism by which the variant is selected at
520 runtime is not prescribed by the presentation language.
522 struct {
523 T1 f1;
524 T2 f2;
525 ....
526 Tn fn;
527 select (E) {
528 case e1: Te1;
529 case e2: Te2;
530 ....
531 case en: Ten;
532 } [[fv]];
533 } [[Tv]];
535 For example:
537 enum { apple, orange } VariantTag;
538 struct {
539 uint16 number;
543 Dierks & Rescorla Standards Track [Page 10]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
546 opaque string<0..10>; /* variable length */
547 } V1;
548 struct {
549 uint32 number;
550 opaque string[10]; /* fixed length */
551 } V2;
552 struct {
553 select (VariantTag) { /* value of selector is implicit */
554 case apple: V1; /* VariantBody, tag = apple */
555 case orange: V2; /* VariantBody, tag = orange */
556 } variant_body; /* optional label on variant */
557 } VariantRecord;
559 Variant structures may be qualified (narrowed) by specifying a value
560 for the selector prior to the type. For example, an
562 orange VariantRecord
564 is a narrowed type of a VariantRecord containing a variant_body of
565 type V2.
567 4.7. Cryptographic Attributes
569 The five cryptographic operations digital signing, stream cipher
570 encryption, block cipher encryption, authenticated encryption with
571 additional data (AEAD) encryption and public key encryption are
572 designated digitally-signed, stream-ciphered, block-ciphered, aead-
573 ciphered, and public-key-encrypted, respectively. A field's
574 cryptographic processing is specified by prepending an appropriate
575 key word designation before the field's type specification.
576 Cryptographic keys are implied by the current session state (see
577 Section 6.1).
579 In digital signing, one-way hash functions are used as input for a
580 signing algorithm. A digitally-signed element is encoded as an opaque
581 vector <0..2^16-1>, where the length is specified by the signing
582 algorithm and key.
584 In RSA signing, the opaque vector contains the signature generated
585 using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1]. As
586 discussed in [PKCS1], the DigestInfo MUST be DER encoded and for
587 digest algorithms without parameters (which include SHA-1) the
588 DigestInfo.AlgorithmIdentifier.parameters field MUST be NULL but
589 implementations MUST accept both without parameters and with NULL
590 parameters. Note that earlier versions of TLS used a different RSA
591 signature scheme which did not include a DigestInfo encoding.
593 In DSS, the 20 bytes of the SHA-1 hash are run directly through the
597 Dierks & Rescorla Standards Track [Page 11]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
600 Digital Signing Algorithm with no additional hashing. This produces
601 two values, r and s. The DSS signature is an opaque vector, as above,
602 the contents of which are the DER encoding of:
604 Dss-Sig-Value ::= SEQUENCE {
605 r INTEGER,
606 s INTEGER
607 }
609 Note: In current terminology, DSA refers to the Digital Signature
610 Algorithm and DSS refers to the NIST standard. For historical
611 reasons, this document uses DSS and DSA interchangeably
612 to refer to the DSA algorithm, as was done in SSLv3.
614 In stream cipher encryption, the plaintext is exclusive-ORed with an
615 identical amount of output generated from a cryptographically secure
616 keyed pseudorandom number generator.
618 In block cipher encryption, every block of plaintext encrypts to a
619 block of ciphertext. All block cipher encryption is done in CBC
620 (Cipher Block Chaining) mode, and all items that are block-ciphered
621 will be an exact multiple of the cipher block length.
623 In AEAD encryption, the plaintext is simultaneously encrypted and
624 integrity protected. The input may be of any length and the output is
625 generally larger than the input in order to accomodate the integrity
626 check value.
628 In public key encryption, a public key algorithm is used to encrypt
629 data in such a way that it can be decrypted only with the matching
630 private key. A public-key-encrypted element is encoded as an opaque
631 vector <0..2^16-1>, where the length is specified by the encryption
632 algorithm and key.
634 RSA encryption is done using the RSAES-PKCS1-v1_5 encryption scheme
635 defined in [PKCS1].
637 In the following example
639 stream-ciphered struct {
640 uint8 field1;
641 uint8 field2;
642 digitally-signed opaque hash[20];
643 } UserType;
645 the contents of hash are used as input for the signing algorithm, and
646 then the entire structure is encrypted with a stream cipher. The
647 length of this structure, in bytes, would be equal to two bytes for
651 Dierks & Rescorla Standards Track [Page 12]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
654 field1 and field2, plus two bytes for the length of the signature,
655 plus the length of the output of the signing algorithm. This is known
656 because the algorithm and key used for the signing are known prior to
657 encoding or decoding this structure.
659 4.8. Constants
661 Typed constants can be defined for purposes of specification by
662 declaring a symbol of the desired type and assigning values to it.
663 Under-specified types (opaque, variable length vectors, and
664 structures that contain opaque) cannot be assigned values. No fields
665 of a multi-element structure or vector may be elided.
667 For example:
669 struct {
670 uint8 f1;
671 uint8 f2;
672 } Example1;
674 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
676 5. HMAC and the Pseudorandom Function
678 The TLS record layer uses a keyed Message Authentication Code (MAC)
679 to protect message integrity. The cipher suites defined in this
680 document use a construction known as HMAC, described in [HMAC], which
681 is based on a hash function. Other cipher suites MAY define their own
682 MAC constructions, if needed.
684 In addition, a construction is required to do expansion of secrets
685 into blocks of data for the purposes of key generation or validation.
686 This pseudo-random function (PRF) takes as input a secret, a seed,
687 and an identifying label and produces an output of arbitrary length.
689 In this section, we define one PRF, based on HMAC. This PRF with the
690 SHA-256 hash function is used for all cipher suites defined in this
691 document and in TLS documents published prior to this document when
692 TLS 1.2 is negotiated. New cipher suites MUST explicitly specify a
693 PRF and in general SHOULD use the TLS PRF with SHA-256 or a stronger
694 standard hash function.
696 First, we define a data expansion function, P_hash(secret, data) that
697 uses a single hash function to expand a secret and seed into an
698 arbitrary quantity of output:
700 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
701 HMAC_hash(secret, A(2) + seed) +
705 Dierks & Rescorla Standards Track [Page 13]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
708 HMAC_hash(secret, A(3) + seed) + ...
710 Where + indicates concatenation.
712 A() is defined as:
713 A(0) = seed
714 A(i) = HMAC_hash(secret, A(i-1))
716 P_hash can be iterated as many times as is necessary to produce the
717 required quantity of data. For example, if P_SHA-1 is being used to
718 create 64 bytes of data, it will have to be iterated 4 times (through
719 A(4)), creating 80 bytes of output data; the last 16 bytes of the
720 final iteration will then be discarded, leaving 64 bytes of output
721 data.
723 TLS's PRF is created by applying P_hash to the secret as:
725 PRF(secret, label, seed) = P_<hash>(secret, label + seed)
727 The label is an ASCII string. It should be included in the exact form
728 it is given without a length byte or trailing null character. For
729 example, the label "slithy toves" would be processed by hashing the
730 following bytes:
732 73 6C 69 74 68 79 20 74 6F 76 65 73
735 6. The TLS Record Protocol
737 The TLS Record Protocol is a layered protocol. At each layer,
738 messages may include fields for length, description, and content.
739 The Record Protocol takes messages to be transmitted, fragments the
740 data into manageable blocks, optionally compresses the data, applies
741 a MAC, encrypts, and transmits the result. Received data is
742 decrypted, verified, decompressed, reassembled, and then delivered to
743 higher-level clients.
745 Four record protocol clients are described in this document: the
746 handshake protocol, the alert protocol, the change cipher spec
747 protocol, and the application data protocol. In order to allow
748 extension of the TLS protocol, additional record types can be
749 supported by the record protocol. New record type values are assigned
750 by IANA as described in Section 12.
752 Implementations MUST NOT send record types not defined in this
753 document unless negotiated by some extension. If a TLS
754 implementation receives an unexpected record type, it MUST send an
755 unexpected_message alert.
759 Dierks & Rescorla Standards Track [Page 14]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
762 Any protocol designed for use over TLS MUST be carefully designed to
763 deal with all possible attacks against it. Note that because the
764 type and length of a record are not protected by encryption, care
765 SHOULD be taken to minimize the value of traffic analysis of these
766 values.
768 6.1. Connection States
770 A TLS connection state is the operating environment of the TLS Record
771 Protocol. It specifies a compression algorithm, an encryption
772 algorithm, and a MAC algorithm. In addition, the parameters for these
773 algorithms are known: the MAC secret and the bulk encryption keys for
774 the connection in both the read and the write directions. Logically,
775 there are always four connection states outstanding: the current read
776 and write states, and the pending read and write states. All records
777 are processed under the current read and write states. The security
778 parameters for the pending states can be set by the TLS Handshake
779 Protocol, and the Change Cipher Spec can selectively make either of
780 the pending states current, in which case the appropriate current
781 state is disposed of and replaced with the pending state; the pending
782 state is then reinitialized to an empty state. It is illegal to make
783 a state that has not been initialized with security parameters a
784 current state. The initial current state always specifies that no
785 encryption, compression, or MAC will be used.
787 The security parameters for a TLS Connection read and write state are
788 set by providing the following values:
790 connection end
791 Whether this entity is considered the "client" or the "server" in
792 this connection.
794 bulk encryption algorithm
795 An algorithm to be used for bulk encryption. This specification
796 includes the key size of this algorithm, how much of that key is
797 secret, whether it is a block, stream, or AEAD cipher, and the
798 block size and fixed initialization vector size of the cipher (if
799 appropriate).
801 MAC algorithm
802 An algorithm to be used for message authentication. This
803 specification includes the size of the value returned by the MAC
804 algorithm.
806 compression algorithm
807 An algorithm to be used for data compression. This specification
808 must include all information the algorithm requires to do
809 compression.
813 Dierks & Rescorla Standards Track [Page 15]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
816 master secret
817 A 48-byte secret shared between the two peers in the connection.
819 client random
820 A 32-byte value provided by the client.
822 server random
823 A 32-byte value provided by the server.
825 These parameters are defined in the presentation language as:
827 enum { server, client } ConnectionEnd;
829 enum { null, rc4, rc2, des, 3des, idea, aes }
830 BulkCipherAlgorithm;
832 enum { stream, block, aead } CipherType;
834 enum { null, hmac_md5, hmac_sha, hmac_sha256, hmac_sha384,
835 hmac_sha512} MACAlgorithm;
837 /* The use of "sha" above is historical and denotes SHA-1 */
839 enum { null(0), (255) } CompressionMethod;
841 /* The algorithms specified in CompressionMethod,
842 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
844 struct {
845 ConnectionEnd entity;
846 BulkCipherAlgorithm bulk_cipher_algorithm;
847 CipherType cipher_type;
848 uint8 enc_key_length;
849 uint8 block_length;
850 uint8 fixed_iv_length;
851 uint8 record_iv_length;
852 MACAlgorithm mac_algorithm;
853 uint8 mac_length;
854 uint8 mac_key_length;
855 uint8 verify_data_length;
856 CompressionMethod compression_algorithm;
857 opaque master_secret[48];
858 opaque client_random[32];
859 opaque server_random[32];
860 } SecurityParameters;
862 The record layer will use the security parameters to generate the
863 following six items:
867 Dierks & Rescorla Standards Track [Page 16]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
870 client write MAC secret
871 server write MAC secret
872 client write key
873 server write key
874 client write IV
875 server write IV
877 The client write parameters are used by the server when receiving and
878 processing records and vice-versa. The algorithm used for generating
879 these items from the security parameters is described in Section 6.3.
881 Once the security parameters have been set and the keys have been
882 generated, the connection states can be instantiated by making them
883 the current states. These current states MUST be updated for each
884 record processed. Each connection state includes the following
885 elements:
887 compression state
888 The current state of the compression algorithm.
890 cipher state
891 The current state of the encryption algorithm. This will consist
892 of the scheduled key for that connection. For stream ciphers,
893 this will also contain whatever state information is necessary to
894 allow the stream to continue to encrypt or decrypt data.
896 MAC secret
897 The MAC secret for this connection, as generated above.
899 sequence number
900 Each connection state contains a sequence number, which is
901 maintained separately for read and write states. The sequence
902 number MUST be set to zero whenever a connection state is made
903 the active state. Sequence numbers are of type uint64 and may not
904 exceed 2^64-1. Sequence numbers do not wrap. If a TLS
905 implementation would need to wrap a sequence number, it must
906 renegotiate instead. A sequence number is incremented after each
907 record: specifically, the first record transmitted under a
908 particular connection state MUST use sequence number 0.
910 6.2. Record layer
912 The TLS Record Layer receives uninterpreted data from higher layers
913 in non-empty blocks of arbitrary size.
915 6.2.1. Fragmentation
917 The record layer fragments information blocks into TLSPlaintext
921 Dierks & Rescorla Standards Track [Page 17]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
924 records carrying data in chunks of 2^14 bytes or less. Client message
925 boundaries are not preserved in the record layer (i.e., multiple
926 client messages of the same ContentType MAY be coalesced into a
927 single TLSPlaintext record, or a single message MAY be fragmented
928 across several records).
931 struct {
932 uint8 major, minor;
933 } ProtocolVersion;
935 enum {
936 change_cipher_spec(20), alert(21), handshake(22),
937 application_data(23), (255)
938 } ContentType;
940 struct {
941 ContentType type;
942 ProtocolVersion version;
943 uint16 length;
944 opaque fragment[TLSPlaintext.length];
945 } TLSPlaintext;
947 type
948 The higher-level protocol used to process the enclosed fragment.
950 version
951 The version of the protocol being employed. This document
952 describes TLS Version 1.2, which uses the version { 3, 3 }. The
953 version value 3.3 is historical, deriving from the use of 3.1 for
954 TLS 1.0. (See Appendix A.1). Note that a client that supports
955 multiple versions of TLS may not know what version will be
956 employed before it receives ServerHello. See Appendix E for
957 discussion about what record layer version number should be
958 employed for ClientHello.
960 length
961 The length (in bytes) of the following TLSPlaintext.fragment.
962 The length MUST NOT exceed 2^14.
964 fragment
965 The application data. This data is transparent and treated as an
966 independent block to be dealt with by the higher-level protocol
967 specified by the type field.
969 Implementations MUST NOT send zero-length fragments of Handshake,
970 Alert, or Change Cipher Spec content types. Zero-length fragments
971 of Application data MAY be sent as they are potentially useful as
975 Dierks & Rescorla Standards Track [Page 18]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
978 a traffic analysis countermeasure.
980 Note: Data of different TLS Record layer content types MAY be
981 interleaved. Application data is generally of lower precedence
982 for transmission than other content types. However, records MUST
983 be delivered to the network in the same order as they are
984 protected by the record layer. Recipients MUST receive and
985 process interleaved application layer traffic during handshakes
986 subsequent to the first one on a connection.
989 6.2.2. Record Compression and Decompression
991 All records are compressed using the compression algorithm defined in
992 the current session state. There is always an active compression
993 algorithm; however, initially it is defined as
994 CompressionMethod.null. The compression algorithm translates a
995 TLSPlaintext structure into a TLSCompressed structure. Compression
996 functions are initialized with default state information whenever a
997 connection state is made active.
999 Compression must be lossless and may not increase the content length
1000 by more than 1024 bytes. If the decompression function encounters a
1001 TLSCompressed.fragment that would decompress to a length in excess of
1002 2^14 bytes, it MUST report a fatal decompression failure error.
1004 struct {
1005 ContentType type; /* same as TLSPlaintext.type */
1006 ProtocolVersion version;/* same as TLSPlaintext.version */
1007 uint16 length;
1008 opaque fragment[TLSCompressed.length];
1009 } TLSCompressed;
1011 length
1012 The length (in bytes) of the following TLSCompressed.fragment.
1013 The length MUST NOT exceed 2^14 + 1024.
1015 fragment
1016 The compressed form of TLSPlaintext.fragment.
1018 Note: A CompressionMethod.null operation is an identity operation; no
1019 fields are altered.
1021 Implementation note:
1022 Decompression functions are responsible for ensuring that
1023 messages cannot cause internal buffer overflows.
1025 6.2.3. Record Payload Protection
1029 Dierks & Rescorla Standards Track [Page 19]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1032 The encryption and MAC functions translate a TLSCompressed structure
1033 into a TLSCiphertext. The decryption functions reverse the process.
1034 The MAC of the record also includes a sequence number so that
1035 missing, extra, or repeated messages are detectable.
1037 struct {
1038 ContentType type;
1039 ProtocolVersion version;
1040 uint16 length;
1041 select (SecurityParameters.cipher_type) {
1042 case stream: GenericStreamCipher;
1043 case block: GenericBlockCipher;
1044 case aead: GenericAEADCipher;
1045 } fragment;
1046 } TLSCiphertext;
1048 type
1049 The type field is identical to TLSCompressed.type.
1051 version
1052 The version field is identical to TLSCompressed.version.
1054 length
1055 The length (in bytes) of the following TLSCiphertext.fragment.
1056 The length MUST NOT exceed 2^14 + 2048.
1058 fragment
1059 The encrypted form of TLSCompressed.fragment, with the MAC.
1061 6.2.3.1. Null or Standard Stream Cipher
1063 Stream ciphers (including BulkCipherAlgorithm.null, see Appendix A.6)
1064 convert TLSCompressed.fragment structures to and from stream
1065 TLSCiphertext.fragment structures.
1067 stream-ciphered struct {
1068 opaque content[TLSCompressed.length];
1069 opaque MAC[SecurityParameters.mac_length];
1070 } GenericStreamCipher;
1072 The MAC is generated as:
1074 MAC(MAC_write_secret, seq_num + TLSCompressed.type +
1075 TLSCompressed.version + TLSCompressed.length +
1076 TLSCompressed.fragment);
1078 where "+" denotes concatenation.
1083 Dierks & Rescorla Standards Track [Page 20]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1086 seq_num
1087 The sequence number for this record.
1089 MAC
1090 The MAC algorithm specified by SecurityParameters.mac_algorithm.
1092 Note that the MAC is computed before encryption. The stream cipher
1093 encrypts the entire block, including the MAC. For stream ciphers that
1094 do not use a synchronization vector (such as RC4), the stream cipher
1095 state from the end of one record is simply used on the subsequent
1096 packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL, encryption
1097 consists of the identity operation (i.e., the data is not encrypted,
1098 and the MAC size is zero, implying that no MAC is used).
1099 TLSCiphertext.length is TLSCompressed.length plus
1100 SecurityParameters.mac_length.
1102 6.2.3.2. CBC Block Cipher
1104 For block ciphers (such as RC2, DES, or AES), the encryption and MAC
1105 functions convert TLSCompressed.fragment structures to and from block
1106 TLSCiphertext.fragment structures.
1108 struct {
1109 opaque IV[SecurityParameters.record_iv_length];
1110 block-ciphered struct {
1111 opaque content[TLSCompressed.length];
1112 opaque MAC[SecurityParameters.mac_length];
1113 uint8 padding[GenericBlockCipher.padding_length];
1114 uint8 padding_length;
1115 };
1116 } GenericBlockCipher;
1118 The MAC is generated as described in Section 6.2.3.1.
1120 IV
1121 The Initialization Vector (IV) SHOULD be chosen at random, and
1122 MUST be unpredictable. Note that in versions of TLS prior to 1.1,
1123 there was no IV field, and the last ciphertext block of the
1124 previous record (the "CBC residue") was used as the IV. This was
1125 changed to prevent the attacks described in [CBCATT]. For block
1126 ciphers, the IV length is of length
1127 SecurityParameters.record_iv_length which is equal to the
1128 SecurityParameters.block_size.
1130 padding
1131 Padding that is added to force the length of the plaintext to be
1132 an integral multiple of the block cipher's block length. The
1133 padding MAY be any length up to 255 bytes, as long as it results
1137 Dierks & Rescorla Standards Track [Page 21]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1140 in the TLSCiphertext.length being an integral multiple of the
1141 block length. Lengths longer than necessary might be desirable to
1142 frustrate attacks on a protocol that are based on analysis of the
1143 lengths of exchanged messages. Each uint8 in the padding data
1144 vector MUST be filled with the padding length value. The receiver
1145 MUST check this padding and MUST use the bad_record_mac alert to
1146 indicate padding errors.
1148 padding_length
1149 The padding length MUST be such that the total size of the
1150 GenericBlockCipher structure is a multiple of the cipher's block
1151 length. Legal values range from zero to 255, inclusive. This
1152 length specifies the length of the padding field exclusive of the
1153 padding_length field itself.
1155 The encrypted data length (TLSCiphertext.length) is one more than the
1156 sum of SecurityParameters.block_length, TLSCompressed.length,
1157 SecurityParameters.mac_length, and padding_length.
1159 Example: If the block length is 8 bytes, the content length
1160 (TLSCompressed.length) is 61 bytes, and the MAC length is 20
1161 bytes, then the length before padding is 82 bytes (this does
1162 not include the IV. Thus, the padding length modulo 8 must be
1163 equal to 6 in order to make the total length an even multiple
1164 of 8 bytes (the block length). The padding length can be 6,
1165 14, 22, and so on, through 254. If the padding length were the
1166 minimum necessary, 6, the padding would be 6 bytes, each
1167 containing the value 6. Thus, the last 8 octets of the
1168 GenericBlockCipher before block encryption would be xx 06 06
1169 06 06 06 06 06, where xx is the last octet of the MAC.
1171 Note: With block ciphers in CBC mode (Cipher Block Chaining),
1172 it is critical that the entire plaintext of the record be known
1173 before any ciphertext is transmitted. Otherwise, it is possible
1174 for the attacker to mount the attack described in [CBCATT].
1176 Implementation Note: Canvel et al. [CBCTIME] have demonstrated a timing
1177 attack on CBC padding based on the time required to compute the
1178 MAC. In order to defend against this attack, implementations MUST
1179 ensure that record processing time is essentially the same
1180 whether or not the padding is correct. In general, the best way
1181 to do this is to compute the MAC even if the padding is
1182 incorrect, and only then reject the packet. For instance, if the
1183 pad appears to be incorrect, the implementation might assume a
1184 zero-length pad and then compute the MAC. This leaves a small
1185 timing channel, since MAC performance depends to some extent on
1186 the size of the data fragment, but it is not believed to be large
1187 enough to be exploitable, due to the large block size of existing
1191 Dierks & Rescorla Standards Track [Page 22]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1194 MACs and the small size of the timing signal.
1196 6.2.3.3. AEAD ciphers
1198 For AEAD [AEAD] ciphers (such as [CCM] or [GCM]) the AEAD function
1199 converts TLSCompressed.fragment structures to and from AEAD
1200 TLSCiphertext.fragment structures.
1202 struct {
1203 opaque nonce_explicit[SecurityParameters.record_iv_length];
1205 aead-ciphered struct {
1206 opaque content[TLSCompressed.length];
1207 };
1208 } GenericAEADCipher;
1210 AEAD ciphers take as input a single key, a nonce, a plaintext, and
1211 "additional data" to be included in the authentication check, as
1212 described in Section 2.1 of [AEAD]. The key is either the
1213 client_write_key or the server_write_key. No MAC key is used.
1215 Each AEAD cipher suite has to specify how the nonce supplied to the
1216 AEAD operation is constructed, and what is the length of the
1217 GenericAEADCipher.nonce_explicit part. In many cases, it is
1218 appropriate to use the partially implicit nonce technique described
1219 in Section 3.2.1 of [AEAD]; in this case, the implicit part SHOULD be
1220 derived from key_block as client_write_iv and server_write_iv (as
1221 described in Section 6.3), and the explicit part is included in
1222 GenericAEAEDCipher.nonce_explicit.
1224 The plaintext is the TLSCompressed.fragment.
1226 The additional authenticated data, which we denote as
1227 additional_data, is defined as follows:
1229 additional_data = seq_num + TLSCompressed.type +
1230 TLSCompressed.version + TLSCompressed.length;
1232 Where "+" denotes concatenation.
1234 The aead_output consists of the ciphertext output by the AEAD
1235 encryption operation. The length will generally be larger than
1236 TLSCompressed.length, but by an amount that varies with the AEAD
1237 cipher. Since the ciphers might incorporate padding, the amount of
1238 overhead could vary with different TLSCompressed.length values. Each
1239 AEAD cipher MUST NOT produce an expansion of greater than 1024 bytes.
1240 Symbolically,
1245 Dierks & Rescorla Standards Track [Page 23]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1248 AEADEncrypted = AEAD-Encrypt(key, IV, plaintext,
1249 additional_data)
1252 In order to decrypt and verify, the cipher takes as input the key,
1253 IV, the "additional_data", and the AEADEncrypted value. The output is
1254 either the plaintext or an error indicating that the decryption
1255 failed. There is no separate integrity check. I.e.,
1257 TLSCompressed.fragment = AEAD-Decrypt(write_key, IV, AEADEncrypted,
1258 additional_data)
1261 If the decryption fails, a fatal bad_record_mac alert MUST be
1262 generated.
1264 6.3. Key Calculation
1266 The Record Protocol requires an algorithm to generate keys, and MAC
1267 secrets from the security parameters provided by the handshake
1268 protocol.
1270 The master secret is hashed into a sequence of secure bytes, which
1271 are assigned to the MAC secrets and keys required by the current
1272 connection state (see Appendix A.6). CipherSpecs require a client
1273 write MAC secret, a server write MAC secret, a client write key, and
1274 a server write key, each of which is generated from the master secret
1275 in that order. Unused values are empty.
1277 When keys and MAC secrets are generated, the master secret is used as
1278 an entropy source.
1280 To generate the key material, compute
1282 key_block = PRF(SecurityParameters.master_secret,
1283 "key expansion",
1284 SecurityParameters.server_random +
1285 SecurityParameters.client_random);
1287 until enough output has been generated. Then the key_block is
1288 partitioned as follows:
1290 client_write_MAC_secret[SecurityParameters.mac_key_length]
1291 server_write_MAC_secret[SecurityParameters.mac_key_length]
1292 client_write_key[SecurityParameters.enc_key_length]
1293 server_write_key[SecurityParameters.enc_key_length]
1294 client_write_IV[SecurityParameters.fixed_iv_length]
1295 server_write_IV[SecurityParameters.fixed_iv_length]
1299 Dierks & Rescorla Standards Track [Page 24]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1302 The client_write_IV and server_write_IV are only generated for
1303 implicit nonce techniques as described in Section 3.2.1 of [AEAD].
1305 Implementation note:
1306 The currently defined cipher suite which requires the most
1307 material is AES_256_CBC_SHA. It requires 2 x 32 byte keys and 2 x
1308 20 byte MAC secrets, for a total 104 bytes of key material.
1310 7. The TLS Handshaking Protocols
1312 TLS has three subprotocols that are used to allow peers to agree
1313 upon security parameters for the record layer, to authenticate
1314 themselves, to instantiate negotiated security parameters, and to
1315 report error conditions to each other.
1317 The Handshake Protocol is responsible for negotiating a session,
1318 which consists of the following items:
1320 session identifier
1321 An arbitrary byte sequence chosen by the server to identify an
1322 active or resumable session state.
1324 peer certificate
1325 X509v3 [PKIX] certificate of the peer. This element of the
1326 state may be null.
1328 compression method
1329 The algorithm used to compress data prior to encryption.
1331 cipher spec
1332 Specifies the bulk data encryption algorithm (such as null,
1333 DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also
1334 defines cryptographic attributes such as the mac_length. (See
1335 Appendix A.6 for formal definition.)
1337 master secret
1338 48-byte secret shared between the client and server.
1340 is resumable
1341 A flag indicating whether the session can be used to initiate
1342 new connections.
1344 These items are then used to create security parameters for use by
1345 the Record Layer when protecting application data. Many connections
1346 can be instantiated using the same session through the resumption
1347 feature of the TLS Handshake Protocol.
1349 7.1. Change Cipher Spec Protocol
1353 Dierks & Rescorla Standards Track [Page 25]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1356 The change cipher spec protocol exists to signal transitions in
1357 ciphering strategies. The protocol consists of a single message,
1358 which is encrypted and compressed under the current (not the pending)
1359 connection state. The message consists of a single byte of value 1.
1361 struct {
1362 enum { change_cipher_spec(1), (255) } type;
1363 } ChangeCipherSpec;
1365 The change cipher spec message is sent by both the client and the
1366 server to notify the receiving party that subsequent records will be
1367 protected under the newly negotiated CipherSpec and keys. Reception
1368 of this message causes the receiver to instruct the Record Layer to
1369 immediately copy the read pending state into the read current state.
1370 Immediately after sending this message, the sender MUST instruct the
1371 record layer to make the write pending state the write active state.
1372 (See Section 6.1.) The change cipher spec message is sent during the
1373 handshake after the security parameters have been agreed upon, but
1374 before the verifying finished message is sent.
1376 Note: If a rehandshake occurs while data is flowing on a connection,
1377 the communicating parties may continue to send data using the old
1378 CipherSpec. However, once the ChangeCipherSpec has been sent, the new
1379 CipherSpec MUST be used. The first side to send the ChangeCipherSpec
1380 does not know that the other side has finished computing the new
1381 keying material (e.g., if it has to perform a time consuming public
1382 key operation). Thus, a small window of time, during which the
1383 recipient must buffer the data, MAY exist. In practice, with modern
1384 machines this interval is likely to be fairly short.
1386 7.2. Alert Protocol
1388 One of the content types supported by the TLS Record layer is the
1389 alert type. Alert messages convey the severity of the message and a
1390 description of the alert. Alert messages with a level of fatal result
1391 in the immediate termination of the connection. In this case, other
1392 connections corresponding to the session may continue, but the
1393 session identifier MUST be invalidated, preventing the failed session
1394 from being used to establish new connections. Like other messages,
1395 alert messages are encrypted and compressed, as specified by the
1396 current connection state.
1398 enum { warning(1), fatal(2), (255) } AlertLevel;
1400 enum {
1401 close_notify(0),
1402 unexpected_message(10),
1403 bad_record_mac(20),
1407 Dierks & Rescorla Standards Track [Page 26]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1410 decryption_failed_RESERVED(21),
1411 record_overflow(22),
1412 decompression_failure(30),
1413 handshake_failure(40),
1414 no_certificate_RESERVED(41),
1415 bad_certificate(42),
1416 unsupported_certificate(43),
1417 certificate_revoked(44),
1418 certificate_expired(45),
1419 certificate_unknown(46),
1420 illegal_parameter(47),
1421 unknown_ca(48),
1422 access_denied(49),
1423 decode_error(50),
1424 decrypt_error(51),
1425 export_restriction_RESERVED(60),
1426 protocol_version(70),
1427 insufficient_security(71),
1428 internal_error(80),
1429 user_canceled(90),
1430 no_renegotiation(100),
1431 unsupported_extension(110),
1432 (255)
1433 } AlertDescription;
1435 struct {
1436 AlertLevel level;
1437 AlertDescription description;
1438 } Alert;
1440 7.2.1. Closure Alerts
1442 The client and the server must share knowledge that the connection is
1443 ending in order to avoid a truncation attack. Either party may
1444 initiate the exchange of closing messages.
1446 close_notify
1447 This message notifies the recipient that the sender will not send
1448 any more messages on this connection. Note that as of TLS 1.1,
1449 failure to properly close a connection no longer requires that a
1450 session not be resumed. This is a change from TLS 1.0 to conform
1451 with widespread implementation practice.
1453 Either party may initiate a close by sending a close_notify alert.
1454 Any data received after a closure alert is ignored.
1456 Unless some other fatal alert has been transmitted, each party is
1457 required to send a close_notify alert before closing the write side
1461 Dierks & Rescorla Standards Track [Page 27]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1464 of the connection. The other party MUST respond with a close_notify
1465 alert of its own and close down the connection immediately,
1466 discarding any pending writes. It is not required for the initiator
1467 of the close to wait for the responding close_notify alert before
1468 closing the read side of the connection.
1470 If the application protocol using TLS provides that any data may be
1471 carried over the underlying transport after the TLS connection is
1472 closed, the TLS implementation must receive the responding
1473 close_notify alert before indicating to the application layer that
1474 the TLS connection has ended. If the application protocol will not
1475 transfer any additional data, but will only close the underlying
1476 transport connection, then the implementation MAY choose to close the
1477 transport without waiting for the responding close_notify. No part of
1478 this standard should be taken to dictate the manner in which a usage
1479 profile for TLS manages its data transport, including when
1480 connections are opened or closed.
1482 Note: It is assumed that closing a connection reliably delivers
1483 pending data before destroying the transport.
1485 7.2.2. Error Alerts
1487 Error handling in the TLS Handshake protocol is very simple. When an
1488 error is detected, the detecting party sends a message to the other
1489 party. Upon transmission or receipt of a fatal alert message, both
1490 parties immediately close the connection. Servers and clients MUST
1491 forget any session-identifiers, keys, and secrets associated with a
1492 failed connection. Thus, any connection terminated with a fatal alert
1493 MUST NOT be resumed.
1495 Whenever an implementation encounters a condition which is defined as
1496 a fatal alert, it MUST send the appropriate alert prior to closing
1497 the connection. In cases where an implementation chooses to send an
1498 alert which may be a warning alert but intends to close the
1499 connection immediately afterwards, it MUST send that alert at the
1500 fatal alert level.
1502 If an alert with a level of warning is sent and received, generally
1503 the connection can continue normally. If the receiving party decides
1504 not to proceed with the connection (e.g., after having received a
1505 no_renegotiation alert that it is not willing to accept), it SHOULD
1506 send a fatal alert to terminate the connection.
1509 The following error alerts are defined:
1511 unexpected_message
1515 Dierks & Rescorla Standards Track [Page 28]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1518 An inappropriate message was received. This alert is always fatal
1519 and should never be observed in communication between proper
1520 implementations.
1522 bad_record_mac
1523 This alert is returned if a record is received with an incorrect
1524 MAC. This alert also MUST be returned if an alert is sent because
1525 a TLSCiphertext decrypted in an invalid way: either it wasn't an
1526 even multiple of the block length, or its padding values, when
1527 checked, weren't correct. This message is always fatal.
1529 decryption_failed_RESERVED
1530 This alert was used in some earlier versions of TLS, and may have
1531 permitted certain attacks against the CBC mode [CBCATT]. It MUST
1532 NOT be sent by compliant implementations.
1534 record_overflow
1535 A TLSCiphertext record was received that had a length more than
1536 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
1537 with more than 2^14+1024 bytes. This message is always fatal.
1539 decompression_failure
1540 The decompression function received improper input (e.g., data
1541 that would expand to excessive length). This message is always
1542 fatal.
1544 handshake_failure
1545 Reception of a handshake_failure alert message indicates that the
1546 sender was unable to negotiate an acceptable set of security
1547 parameters given the options available. This is a fatal error.
1549 no_certificate_RESERVED
1550 This alert was used in SSLv3 but not any version of TLS. It MUST
1551 NOT be sent by compliant implementations.
1553 bad_certificate
1554 A certificate was corrupt, contained signatures that did not
1555 verify correctly, etc.
1557 unsupported_certificate
1558 A certificate was of an unsupported type.
1560 certificate_revoked
1561 A certificate was revoked by its signer.
1563 certificate_expired
1564 A certificate has expired or is not currently valid.
1569 Dierks & Rescorla Standards Track [Page 29]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1572 certificate_unknown
1573 Some other (unspecified) issue arose in processing the
1574 certificate, rendering it unacceptable.
1576 illegal_parameter
1577 A field in the handshake was out of range or inconsistent with
1578 other fields. This message is always fatal.
1580 unknown_ca
1581 A valid certificate chain or partial chain was received, but the
1582 certificate was not accepted because the CA certificate could not
1583 be located or couldn't be matched with a known, trusted CA. This
1584 message is always fatal.
1586 access_denied
1587 A valid certificate was received, but when access control was
1588 applied, the sender decided not to proceed with negotiation.
1589 This message is always fatal.
1591 decode_error
1592 A message could not be decoded because some field was out of the
1593 specified range or the length of the message was incorrect. This
1594 message is always fatal.
1596 decrypt_error
1597 A handshake cryptographic operation failed, including being
1598 unable to correctly verify a signature, decrypt a key exchange,
1599 or validate a finished message.
1601 export_restriction_RESERVED
1602 This alert was used in some earlier versions of TLS. It MUST NOT
1603 be sent by compliant implementations.
1605 protocol_version
1606 The protocol version the client has attempted to negotiate is
1607 recognized but not supported. (For example, old protocol versions
1608 might be avoided for security reasons). This message is always
1609 fatal.
1611 insufficient_security
1612 Returned instead of handshake_failure when a negotiation has
1613 failed specifically because the server requires ciphers more
1614 secure than those supported by the client. This message is always
1615 fatal.
1617 internal_error
1618 An internal error unrelated to the peer or the correctness of the
1619 protocol (such as a memory allocation failure) makes it
1623 Dierks & Rescorla Standards Track [Page 30]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1626 impossible to continue. This message is always fatal.
1628 user_canceled
1629 This handshake is being canceled for some reason unrelated to a
1630 protocol failure. If the user cancels an operation after the
1631 handshake is complete, just closing the connection by sending a
1632 close_notify is more appropriate. This alert should be followed
1633 by a close_notify. This message is generally a warning.
1635 no_renegotiation
1636 Sent by the client in response to a hello request or by the
1637 server in response to a client hello after initial handshaking.
1638 Either of these would normally lead to renegotiation; when that
1639 is not appropriate, the recipient should respond with this alert.
1640 At that point, the original requester can decide whether to
1641 proceed with the connection. One case where this would be
1642 appropriate is where a server has spawned a process to satisfy a
1643 request; the process might receive security parameters (key
1644 length, authentication, etc.) at startup and it might be
1645 difficult to communicate changes to these parameters after that
1646 point. This message is always a warning.
1648 unsupported_extension
1649 sent by clients that receive an extended server hello containing
1650 an extension that they did not put in the corresponding client
1651 hello. This message is always fatal.
1653 For all errors where an alert level is not explicitly specified, the
1654 sending party MAY determine at its discretion whether this is a fatal
1655 error or not; if an alert with a level of warning is received, the
1656 receiving party MAY decide at its discretion whether to treat this as
1657 a fatal error or not. However, all messages that are transmitted
1658 with a level of fatal MUST be treated as fatal messages.
1660 New Alert values are assigned by IANA as described in Section 12.
1662 7.3. Handshake Protocol Overview
1664 The cryptographic parameters of the session state are produced by the
1665 TLS Handshake Protocol, which operates on top of the TLS Record
1666 Layer. When a TLS client and server first start communicating, they
1667 agree on a protocol version, select cryptographic algorithms,
1668 optionally authenticate each other, and use public-key encryption
1669 techniques to generate shared secrets.
1671 The TLS Handshake Protocol involves the following steps:
1673 - Exchange hello messages to agree on algorithms, exchange random
1677 Dierks & Rescorla Standards Track [Page 31]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1680 values, and check for session resumption.
1682 - Exchange the necessary cryptographic parameters to allow the
1683 client and server to agree on a premaster secret.
1685 - Exchange certificates and cryptographic information to allow the
1686 client and server to authenticate themselves.
1688 - Generate a master secret from the premaster secret and exchanged
1689 random values.
1691 - Provide security parameters to the record layer.
1693 - Allow the client and server to verify that their peer has
1694 calculated the same security parameters and that the handshake
1695 occurred without tampering by an attacker.
1697 Note that higher layers should not be overly reliant on whether TLS
1698 always negotiates the strongest possible connection between two
1699 peers. There are a number of ways in which a man in the middle
1700 attacker can attempt to make two entities drop down to the least
1701 secure method they support. The protocol has been designed to
1702 minimize this risk, but there are still attacks available: for
1703 example, an attacker could block access to the port a secure service
1704 runs on, or attempt to get the peers to negotiate an unauthenticated
1705 connection. The fundamental rule is that higher levels must be
1706 cognizant of what their security requirements are and never transmit
1707 information over a channel less secure than what they require. The
1708 TLS protocol is secure in that any cipher suite offers its promised
1709 level of security: if you negotiate 3DES with a 1024 bit RSA key
1710 exchange with a host whose certificate you have verified, you can
1711 expect to be that secure.
1713 These goals are achieved by the handshake protocol, which can be
1714 summarized as follows: The client sends a client hello message to
1715 which the server must respond with a server hello message, or else a
1716 fatal error will occur and the connection will fail. The client hello
1717 and server hello are used to establish security enhancement
1718 capabilities between client and server. The client hello and server
1719 hello establish the following attributes: Protocol Version, Session
1720 ID, Cipher Suite, and Compression Method. Additionally, two random
1721 values are generated and exchanged: ClientHello.random and
1722 ServerHello.random.
1724 The actual key exchange uses up to four messages: the server
1725 certificate, the server key exchange, the client certificate, and the
1726 client key exchange. New key exchange methods can be created by
1727 specifying a format for these messages and by defining the use of the
1731 Dierks & Rescorla Standards Track [Page 32]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1734 messages to allow the client and server to agree upon a shared
1735 secret. This secret MUST be quite long; currently defined key
1736 exchange methods exchange secrets that range from 46 bytes upwards.
1738 Following the hello messages, the server will send its certificate,
1739 if it is to be authenticated. Additionally, a server key exchange
1740 message may be sent, if it is required (e.g., if their server has no
1741 certificate, or if its certificate is for signing only). If the
1742 server is authenticated, it may request a certificate from the
1743 client, if that is appropriate to the cipher suite selected. Next,
1744 the server will send the server hello done message, indicating that
1745 the hello-message phase of the handshake is complete. The server will
1746 then wait for a client response. If the server has sent a certificate
1747 request message, the client MUST send the certificate message. The
1748 client key exchange message is now sent, and the content of that
1749 message will depend on the public key algorithm selected between the
1750 client hello and the server hello. If the client has sent a
1751 certificate with signing ability, a digitally-signed certificate
1752 verify message is sent to explicitly verify possession of the private
1753 key in the certificate.
1755 At this point, a change cipher spec message is sent by the client,
1756 and the client copies the pending Cipher Spec into the current Cipher
1757 Spec. The client then immediately sends the finished message under
1758 the new algorithms, keys, and secrets. In response, the server will
1759 send its own change cipher spec message, transfer the pending to the
1760 current Cipher Spec, and send its finished message under the new
1761 Cipher Spec. At this point, the handshake is complete, and the client
1762 and server may begin to exchange application layer data. (See flow
1763 chart below.) Application data MUST NOT be sent prior to the
1764 completion of the first handshake (before a cipher suite other than
1765 TLS_NULL_WITH_NULL_NULL is established).
1767 Client Server
1769 ClientHello -------->
1770 ServerHello
1771 Certificate*
1772 ServerKeyExchange*
1773 CertificateRequest*
1774 <-------- ServerHelloDone
1775 Certificate*
1776 ClientKeyExchange
1777 CertificateVerify*
1778 [ChangeCipherSpec]
1779 Finished -------->
1780 [ChangeCipherSpec]
1781 <-------- Finished
1785 Dierks & Rescorla Standards Track [Page 33]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1788 Application Data <-------> Application Data
1790 Fig. 1. Message flow for a full handshake
1792 * Indicates optional or situation-dependent messages that are not
1793 always sent.
1795 Note: To help avoid pipeline stalls, ChangeCipherSpec is an
1796 independent TLS Protocol content type, and is not actually a TLS
1797 handshake message.
1799 When the client and server decide to resume a previous session or
1800 duplicate an existing session (instead of negotiating new security
1801 parameters), the message flow is as follows:
1803 The client sends a ClientHello using the Session ID of the session to
1804 be resumed. The server then checks its session cache for a match. If
1805 a match is found, and the server is willing to re-establish the
1806 connection under the specified session state, it will send a
1807 ServerHello with the same Session ID value. At this point, both
1808 client and server MUST send change cipher spec messages and proceed
1809 directly to finished messages. Once the re-establishment is complete,
1810 the client and server MAY begin to exchange application layer data.
1811 (See flow chart below.) If a Session ID match is not found, the
1812 server generates a new session ID and the TLS client and server
1813 perform a full handshake.
1815 Client Server
1817 ClientHello -------->
1818 ServerHello
1819 [ChangeCipherSpec]
1820 <-------- Finished
1821 [ChangeCipherSpec]
1822 Finished -------->
1823 Application Data <-------> Application Data
1825 Fig. 2. Message flow for an abbreviated handshake
1827 The contents and significance of each message will be presented in
1828 detail in the following sections.
1830 7.4. Handshake Protocol
1832 The TLS Handshake Protocol is one of the defined higher-level clients
1833 of the TLS Record Protocol. This protocol is used to negotiate the
1834 secure attributes of a session. Handshake messages are supplied to
1835 the TLS Record Layer, where they are encapsulated within one or more
1839 Dierks & Rescorla Standards Track [Page 34]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1842 TLSPlaintext structures, which are processed and transmitted as
1843 specified by the current active session state.
1845 enum {
1846 hello_request(0), client_hello(1), server_hello(2),
1847 certificate(11), server_key_exchange (12),
1848 certificate_request(13), server_hello_done(14),
1849 certificate_verify(15), client_key_exchange(16),
1850 finished(20), (255)
1851 } HandshakeType;
1853 struct {
1854 HandshakeType msg_type; /* handshake type */
1855 uint24 length; /* bytes in message */
1856 select (HandshakeType) {
1857 case hello_request: HelloRequest;
1858 case client_hello: ClientHello;
1859 case server_hello: ServerHello;
1860 case certificate: Certificate;
1861 case server_key_exchange: ServerKeyExchange;
1862 case certificate_request: CertificateRequest;
1863 case server_hello_done: ServerHelloDone;
1864 case certificate_verify: CertificateVerify;
1865 case client_key_exchange: ClientKeyExchange;
1866 case finished: Finished;
1867 } body;
1868 } Handshake;
1870 The handshake protocol messages are presented below in the order they
1871 MUST be sent; sending handshake messages in an unexpected order
1872 results in a fatal error. Unneeded handshake messages can be omitted,
1873 however. Note one exception to the ordering: the Certificate message
1874 is used twice in the handshake (from server to client, then from
1875 client to server), but described only in its first position. The one
1876 message that is not bound by these ordering rules is the Hello
1877 Request message, which can be sent at any time, but which SHOULD be
1878 ignored by the client if it arrives in the middle of a handshake.
1880 New Handshake message types are assigned by IANA as described in
1881 Section 12.
1883 7.4.1. Hello Messages
1885 The hello phase messages are used to exchange security enhancement
1886 capabilities between the client and server. When a new session
1887 begins, the Record Layer's connection state encryption, hash, and
1888 compression algorithms are initialized to null. The current
1889 connection state is used for renegotiation messages.
1893 Dierks & Rescorla Standards Track [Page 35]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1896 7.4.1.1. Hello Request
1898 When this message will be sent:
1899 The hello request message MAY be sent by the server at any time.
1901 Meaning of this message:
1902 Hello request is a simple notification that the client should
1903 begin the negotiation process anew by sending a client hello
1904 message when convenient. This message is not intended to
1905 establish which side is the client or server but merely to
1906 initiate a new negotiation. Servers SHOULD NOT send a
1907 HelloRequest immediately upon the client's initial connection.
1908 It is the client's job to send a ClientHello at that time.
1910 This message will be ignored by the client if the client is
1911 currently negotiating a session. This message may be ignored by
1912 the client if it does not wish to renegotiate a session, or the
1913 client may, if it wishes, respond with a no_renegotiation alert.
1914 Since handshake messages are intended to have transmission
1915 precedence over application data, it is expected that the
1916 negotiation will begin before no more than a few records are
1917 received from the client. If the server sends a hello request but
1918 does not receive a client hello in response, it may close the
1919 connection with a fatal alert.
1921 After sending a hello request, servers SHOULD NOT repeat the request
1922 until the subsequent handshake negotiation is complete.
1924 Structure of this message:
1925 struct { } HelloRequest;
1927 Note: This message MUST NOT be included in the message hashes that are
1928 maintained throughout the handshake and used in the finished
1929 messages and the certificate verify message.
1931 7.4.1.2. Client Hello
1933 When this message will be sent:
1934 When a client first connects to a server it is required to send
1935 the client hello as its first message. The client can also send a
1936 client hello in response to a hello request or on its own
1937 initiative in order to renegotiate the security parameters in an
1938 existing connection.
1940 Structure of this message:
1941 The client hello message includes a random structure, which is
1942 used later in the protocol.
1947 Dierks & Rescorla Standards Track [Page 36]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
1950 struct {
1951 uint32 gmt_unix_time;
1952 opaque random_bytes[28];
1953 } Random;
1955 gmt_unix_time
1956 The current time and date in standard UNIX 32-bit format (seconds
1957 since the midnight starting Jan 1, 1970, GMT, ignoring leap
1958 seconds) according to the sender's internal clock. Clocks are not
1959 required to be set correctly by the basic TLS Protocol; higher-
1960 level or application protocols may define additional
1961 requirements.
1963 random_bytes
1964 28 bytes generated by a secure random number generator.
1966 The client hello message includes a variable-length session
1967 identifier. If not empty, the value identifies a session between the
1968 same client and server whose security parameters the client wishes to
1969 reuse. The session identifier MAY be from an earlier connection, this
1970 connection, or from another currently active connection. The second
1971 option is useful if the client only wishes to update the random
1972 structures and derived values of a connection, and the third option
1973 makes it possible to establish several independent secure connections
1974 without repeating the full handshake protocol. These independent
1975 connections may occur sequentially or simultaneously; a SessionID
1976 becomes valid when the handshake negotiating it completes with the
1977 exchange of Finished messages and persists until it is removed due to
1978 aging or because a fatal error was encountered on a connection
1979 associated with the session. The actual contents of the SessionID are
1980 defined by the server.
1982 opaque SessionID<0..32>;
1984 Warning:
1985 Because the SessionID is transmitted without encryption or
1986 immediate MAC protection, servers MUST NOT place confidential
1987 information in session identifiers or let the contents of fake
1988 session identifiers cause any breach of security. (Note that the
1989 content of the handshake as a whole, including the SessionID, is
1990 protected by the Finished messages exchanged at the end of the
1991 handshake.)
1993 The CipherSuite list, passed from the client to the server in the
1994 client hello message, contains the combinations of cryptographic
1995 algorithms supported by the client in order of the client's
1996 preference (favorite choice first). Each CipherSuite defines a key
1997 exchange algorithm, a bulk encryption algorithm (including secret key
2001 Dierks & Rescorla Standards Track [Page 37]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2004 length), a MAC algorithm, and a PRF. The server will select a cipher
2005 suite or, if no acceptable choices are presented, return a handshake
2006 failure alert and close the connection.
2008 uint8 CipherSuite[2]; /* Cryptographic suite selector */
2010 The client hello includes a list of compression algorithms supported
2011 by the client, ordered according to the client's preference.
2013 enum { null(0), (255) } CompressionMethod;
2015 struct {
2016 ProtocolVersion client_version;
2017 Random random;
2018 SessionID session_id;
2019 CipherSuite cipher_suites<2..2^16-2>;
2020 CompressionMethod compression_methods<1..2^8-1>;
2021 select (extensions_present) {
2022 case false:
2023 struct {};
2024 case true:
2025 Extension extensions<0..2^16-1>;
2026 };
2027 } ClientHello;
2029 TLS allows extensions to follow the compression_methods field in an
2030 extensions block. The presence of extensions can be detected by
2031 determining whether there are bytes following the compression_methods
2032 at the end of the ClientHello. Note that this method of detecting
2033 optional data differs from the normal TLS method of having a
2034 variable-length field but is used for compatibility with TLS before
2035 extensions were defined.
2037 client_version
2038 The version of the TLS protocol by which the client wishes to
2039 communicate during this session. This SHOULD be the latest
2040 (highest valued) version supported by the client. For this
2041 version of the specification, the version will be 3.3 (See
2042 Appendix E for details about backward compatibility).
2044 random
2045 A client-generated random structure.
2047 session_id
2048 The ID of a session the client wishes to use for this connection.
2049 This field is empty if no session_id is available, or it the
2050 client wishes to generate new security parameters.
2055 Dierks & Rescorla Standards Track [Page 38]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2058 cipher_suites
2059 This is a list of the cryptographic options supported by the
2060 client, with the client's first preference first. If the
2061 session_id field is not empty (implying a session resumption
2062 request) this vector MUST include at least the cipher_suite from
2063 that session. Values are defined in Appendix A.5.
2065 compression_methods
2066 This is a list of the compression methods supported by the
2067 client, sorted by client preference. If the session_id field is
2068 not empty (implying a session resumption request) it MUST include
2069 the compression_method from that session. This vector MUST
2070 contain, and all implementations MUST support,
2071 CompressionMethod.null. Thus, a client and server will always be
2072 able to agree on a compression method.
2074 client_hello_extension_list
2075 Clients MAY request extended functionality from servers by
2076 sending data in the client_hello_extension_list. Here the new
2077 "client_hello_extension_list" field contains a list of
2078 extensions. The actual "Extension" format is defined in Section
2079 7.4.1.4.
2081 In the event that a client requests additional functionality using
2082 extensions, and this functionality is not supplied by the server, the
2083 client MAY abort the handshake. A server that supports the
2084 extensions mechanism MUST accept client hello messages in either the
2085 original (TLS 1.0/TLS 1.1) ClientHello or the extended ClientHello
2086 format defined in this document, and (as for all other messages) MUST
2087 check that the amount of data in the message precisely matches one of
2088 these formats; if not then it MUST send a fatal "decode_error" alert.
2090 After sending the client hello message, the client waits for a server
2091 hello message. Any other handshake message returned by the server
2092 except for a hello request is treated as a fatal error.
2095 7.4.1.3. Server Hello
2098 When this message will be sent:
2099 The server will send this message in response to a client hello
2100 message when it was able to find an acceptable set of algorithms.
2101 If it cannot find such a match, it will respond with a handshake
2102 failure alert.
2104 Structure of this message:
2105 struct {
2109 Dierks & Rescorla Standards Track [Page 39]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2112 ProtocolVersion server_version;
2113 Random random;
2114 SessionID session_id;
2115 CipherSuite cipher_suite;
2116 CompressionMethod compression_method;
2117 select (extensions_present) {
2118 case false:
2119 struct {};
2120 case true:
2121 Extension extensions<0..2^16-1>;
2122 };
2123 } ServerHello;
2125 The presence of extensions can be detected by determining whether
2126 there are bytes following the compression_method field at the end of
2127 the ServerHello.
2129 server_version
2130 This field will contain the lower of that suggested by the client
2131 in the client hello and the highest supported by the server. For
2132 this version of the specification, the version is 3.3. (See
2133 Appendix E for details about backward compatibility.)
2135 random
2136 This structure is generated by the server and MUST be
2137 independently generated from the ClientHello.random.
2139 session_id
2140 This is the identity of the session corresponding to this
2141 connection. If the ClientHello.session_id was non-empty, the
2142 server will look in its session cache for a match. If a match is
2143 found and the server is willing to establish the new connection
2144 using the specified session state, the server will respond with
2145 the same value as was supplied by the client. This indicates a
2146 resumed session and dictates that the parties must proceed
2147 directly to the finished messages. Otherwise this field will
2148 contain a different value identifying the new session. The server
2149 may return an empty session_id to indicate that the session will
2150 not be cached and therefore cannot be resumed. If a session is
2151 resumed, it must be resumed using the same cipher suite it was
2152 originally negotiated with. Note that there is no requirement
2153 that the server resume any session even if it had formerly
2154 provided a session_id. Client MUST be prepared to do a full
2155 negotiation -- including negotiating new cipher suites -- during
2156 any handshake.
2158 cipher_suite
2159 The single cipher suite selected by the server from the list in
2163 Dierks & Rescorla Standards Track [Page 40]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2166 ClientHello.cipher_suites. For resumed sessions, this field is
2167 the value from the state of the session being resumed.
2169 compression_method
2170 The single compression algorithm selected by the server from the
2171 list in ClientHello.compression_methods. For resumed sessions
2172 this field is the value from the resumed session state.
2174 server_hello_extension_list
2175 A list of extensions. Note that only extensions offered by the
2176 client can appear in the server's list.
2178 7.4.1.4 Hello Extensions
2180 The extension format is:
2182 struct {
2183 ExtensionType extension_type;
2184 opaque extension_data<0..2^16-1>;
2185 } Extension;
2187 enum {
2188 signature_hash_algorithms(TBD-BY-IANA), (65535)
2189 } ExtensionType;
2192 Here:
2194 - "extension_type" identifies the particular extension type.
2196 - "extension_data" contains information specific to the particular
2197 extension type.
2199 The initial set of extensions is defined in a companion document
2200 [TLSEXT]. The list of extension types is maintained by IANA as
2201 described in Section 12.
2203 There are subtle (and not so subtle) interactions that may occur in
2204 this protocol between new features and existing features which may
2205 result in a significant reduction in overall security, The following
2206 considerations should be taken into account when designing new
2207 extensions:
2209 - Some cases where a server does not agree to an extension are
2210 error conditions, and some simply a refusal to support a
2211 particular feature. In general error alerts should be used for
2212 the former, and a field in the server extension response for the
2213 latter.
2217 Dierks & Rescorla Standards Track [Page 41]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2220 - Extensions should as far as possible be designed to prevent any
2221 attack that forces use (or non-use) of a particular feature by
2222 manipulation of handshake messages. This principle should be
2223 followed regardless of whether the feature is believed to cause a
2224 security problem.
2226 Often the fact that the extension fields are included in the
2227 inputs to the Finished message hashes will be sufficient, but
2228 extreme care is needed when the extension changes the meaning of
2229 messages sent in the handshake phase. Designers and implementors
2230 should be aware of the fact that until the handshake has been
2231 authenticated, active attackers can modify messages and insert,
2232 remove, or replace extensions.
2234 - It would be technically possible to use extensions to change
2235 major aspects of the design of TLS; for example the design of
2236 cipher suite negotiation. This is not recommended; it would be
2237 more appropriate to define a new version of TLS - particularly
2238 since the TLS handshake algorithms have specific protection
2239 against version rollback attacks based on the version number, and
2240 the possibility of version rollback should be a significant
2241 consideration in any major design change.
2243 7.4.1.4.1 Signature Hash Algorithms
2245 The client MAY use the "signature_hash_algorithms" to indicate to the
2246 server which signature/hash algorithm pairs may be used in digital
2247 signatures. The "extension_data" field of this extension contains a
2248 "supported_signature_algorithms" value.
2250 enum{
2251 none(0), md5(1), sha1(2), sha256(3), sha384(4),
2252 sha512(5), (255)
2253 } HashAlgorithm;
2255 enum { anonymous(0), rsa(1), dsa(2), (255) } SignatureAlgorithm;
2257 struct {
2258 HashAlgorithm hash;
2259 SignatureAlgorithm signature;
2260 } SignatureAndHashAlgorithm;
2262 SignatureAndHashAlgorithm
2263 supported_signature_algorithms<2..2^16-1>;
2265 Each SignatureAndHashAlgorithm value lists a single digest/signature
2266 pair which the client is willing to verify. The values are indicated
2267 in descending order of preference.
2271 Dierks & Rescorla Standards Track [Page 42]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2274 Note: Because not all signature algorithms and hash algorithms may be
2275 accepted by an implementation (e.g., DSA with SHA-1, but not
2276 SHA-256), algorithms here are listed in pairs.
2278 hash
2279 This field indicates the hash algorithm which may be used. The
2280 values indicate support for undigested data, MD5 [MD5], SHA-1,
2281 SHA-256, SHA-384, and SHA-512 [SHA] respectively. The "none"
2282 value is provided for future extensibility, in case of a
2283 signature algorithm which does not require hashing before
2284 signing.
2286 signature
2287 This field indicates the signature algorithm which may be used.
2288 The values indicate anonymous signatures, RSA [PKCS1] and DSA
2289 [DSS] respectively. The "anonymous" value is meaningless in this
2290 context but used later in the specification. It MUST NOT appear
2291 in this extension.
2293 The semantics of this extension are somewhat complicated because the
2294 cipher suite indicates permissible signature algorithms but not
2295 digest algorithm. Sections 7.4.2 and 7.4.3 describe the appropriate
2296 rules.
2298 Clients SHOULD send this extension if they support any digest
2299 algorithm other than SHA-1. If this extension is not used, servers
2300 SHOULD assume that the client supports only SHA-1. Note: this is a
2301 change from TLS 1.1 where there are no explicit rules but as a
2302 practical matter one can assume that the peer supports MD5 and SHA-1.
2304 Servers MUST NOT send this extension.
2306 7.4.2. Server Certificate
2308 When this message will be sent:
2309 The server MUST send a certificate whenever the agreed-upon key
2310 exchange method uses certificates for authentication (this
2311 includes all key exchange methods defined in this document except
2312 DH_anon). This message will always immediately follow the server
2313 hello message.
2315 Meaning of this message:
2316 This message conveys the server's certificate to the client. The
2317 certificate MUST be appropriate for the negotiated cipher suite's
2318 key exchange algorithm, and any negotiated extensions.
2320 Structure of this message:
2321 opaque ASN.1Cert<1..2^24-1>;
2325 Dierks & Rescorla Standards Track [Page 43]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2328 struct {
2329 ASN.1Cert certificate_list<0..2^24-1>;
2330 } Certificate;
2332 certificate_list
2334 This is a sequence (chain) of certificates. The sender's
2335 certificate MUST come first in the list. Each following
2336 certificate MUST directly certify the one preceding it. Because
2337 certificate validation requires that root keys be distributed
2338 independently, the self-signed certificate that specifies the
2339 root certificate authority MAY optionally be omitted from the
2340 chain, under the assumption that the remote end must already
2341 possess it in order to validate it in any case.
2343 The same message type and structure will be used for the client's
2344 response to a certificate request message. Note that a client MAY
2345 send no certificates if it does not have an appropriate certificate
2346 to send in response to the server's authentication request.
2348 Note: PKCS #7 [PKCS7] is not used as the format for the certificate
2349 vector because PKCS #6 [PKCS6] extended certificates are not
2350 used. Also, PKCS #7 defines a SET rather than a SEQUENCE, making
2351 the task of parsing the list more difficult.
2353 The following rules apply to the certificates sent by the server:
2355 - The certificate type MUST be X.509v3, unless explicitly
2356 negotiated otherwise (e.g., [TLSPGP]).
2358 - The certificate's public key (and associated restrictions)
2359 MUST be compatible with the selected key exchange
2360 algorithm.
2362 Key Exchange Alg. Certificate Key Type
2364 RSA RSA public key; the certificate MUST
2365 RSA_PSK allow the key to be used for encryption
2366 (the keyEncipherment bit MUST be set
2367 if the key usage extension is present).
2368 Note: RSA_PSK is defined in [TLSPSK].
2370 DHE_RSA RSA public key; the certificate MUST
2371 ECDHE_RSA allow the key to be used for signing
2372 (the digitalSignature bit MUST be set
2373 if the key usage extension is present)
2374 with the signature scheme and hash
2375 algorithm that will be employed in the
2379 Dierks & Rescorla Standards Track [Page 44]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2382 server key exchange message.
2384 DHE_DSS DSA public key; the certificate MUST
2385 allow the key to be used for signing with
2386 the hash algorithm that will be employed
2387 in the server key exchange message.
2389 DH_DSS Diffie-Hellman public key; the
2390 DH_RSA keyAgreement bit MUST be set if the
2391 key usage extension is present.
2393 ECDH_ECDSA ECDH-capable public key; the public key
2394 ECDH_RSA MUST use a curve and point format supported
2395 by the client, as described in [TLSECC].
2397 ECDHE_ECDSA ECDSA-capable public key; the certificate
2398 MUST allow the key to be used for signing
2399 with the hash algorithm that will be
2400 employed in the server key exchange
2401 message. The public key MUST use a curve
2402 and point format supported by the client,
2403 as described in [TLSECC].
2405 - The "server_name" and "trusted_ca_keys" extensions
2406 [4366bis] are used to guide certificate selection.
2408 If the client provided a "signature_algorithms" extension, then all
2409 certificates provided by the server MUST be signed by a
2410 digest/signature algorithm pair that appears in that extension. Note
2411 that this implies that a certificate containing a key for one
2412 signature algorithm MAY be signed using a different signature
2413 algorithm (for instance, an RSA key signed with a DSA key.) This is a
2414 departure from TLS 1.1, which required that the algorithms be the
2415 same. Note that this also implies that the DH_DS, DH_RSA,
2416 ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the
2417 algorithm used to sign the certificate. Fixed DH certificates MAY be
2418 signed with any digest/signature algorithm pair appearing in the
2419 extension. The naming is historical.
2421 If no "signature_algorithms" extension is present, the end-entity
2422 certificate MUST be signed as follows:
2424 Key Exchange Alg. Signature Algorithm Used by Issuer
2426 RSA RSA (RSASSA-PKCS1-v1_5)
2427 DHE_RSA
2428 DH_RSA
2429 RSA_PSK
2433 Dierks & Rescorla Standards Track [Page 45]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2436 ECDH_RSA
2437 ECDHE_RSA
2439 DHE_DSS DSA
2440 DH_DSS
2442 ECDH_ECDSA ECDSA
2443 ECDHE_ECDSA
2445 If the server has multiple certificates, it chooses one of them based
2446 on the above-mentioned criteria (in addition to other criteria, such
2447 as transport layer endpoint, local configuration and preferences,
2448 etc.).
2450 Note that there are certificates that use algorithms and/or algorithm
2451 combinations that cannot be currently used with TLS. For example, a
2452 certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
2453 SubjectPublicKeyInfo) cannot be used because TLS defines no
2454 corresponding signature algorithm.
2456 As CipherSuites that specify new key exchange methods are specified
2457 for the TLS Protocol, they will imply certificate format and the
2458 required encoded keying information.
2461 7.4.3. Server Key Exchange Message
2463 When this message will be sent:
2464 This message will be sent immediately after the server
2465 certificate message (or the server hello message, if this is an
2466 anonymous negotiation).
2468 The server key exchange message is sent by the server only when
2469 the server certificate message (if sent) does not contain enough
2470 data to allow the client to exchange a premaster secret. This is
2471 true for the following key exchange methods:
2473 DHE_DSS
2474 DHE_RSA
2475 DH_anon
2477 It is not legal to send the server key exchange message for the
2478 following key exchange methods:
2480 RSA
2481 DH_DSS
2482 DH_RSA
2487 Dierks & Rescorla Standards Track [Page 46]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2490 Meaning of this message:
2491 This message conveys cryptographic information to allow the
2492 client to communicate the premaster secret: a Diffie-Hellman
2493 public key with which the client can complete a key exchange
2494 (with the result being the premaster secret) or a public key for
2495 some other algorithm.
2497 Structure of this message:
2498 enum { diffie_hellman, rsa} KeyExchangeAlgorithm;
2500 struct {
2501 opaque dh_p<1..2^16-1>;
2502 opaque dh_g<1..2^16-1>;
2503 opaque dh_Ys<1..2^16-1>;
2504 } ServerDHParams; /* Ephemeral DH parameters */
2506 dh_p
2507 The prime modulus used for the Diffie-Hellman operation.
2509 dh_g
2510 The generator used for the Diffie-Hellman operation.
2512 dh_Ys
2513 The server's Diffie-Hellman public value (g^X mod p).
2515 struct {
2516 select (KeyExchangeAlgorithm) {
2517 case diffie_hellman:
2518 ServerDHParams params;
2519 Signature signed_params;
2520 };
2521 } ServerKeyExchange;
2523 struct {
2524 select (KeyExchangeAlgorithm) {
2525 case diffie_hellman:
2526 ServerDHParams params;
2527 };
2528 } ServerParams;
2531 params
2532 The server's key exchange parameters.
2534 signed_params
2535 For non-anonymous key exchanges, a hash of the corresponding
2536 params value, with the signature appropriate to that hash
2537 applied.
2541 Dierks & Rescorla Standards Track [Page 47]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2544 hash
2545 Hash(ClientHello.random + ServerHello.random + ServerParams)
2548 struct {
2549 select (SignatureAlgorithm) {
2550 case anonymous: struct { };
2551 case rsa:
2552 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
2553 digitally-signed struct {
2554 opaque hash[Hash.length];
2555 };
2556 case dsa:
2557 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
2558 digitally-signed struct {
2559 opaque hash[Hash.length];
2560 };
2561 };
2562 };
2563 } Signature;
2565 If the client has offered the "signature_algorithms" extension, the
2566 signature algorithm and digest algorithm MUST be a pair listed in
2567 that extension. Note that there is a possibility for inconsistencies
2568 here. For instance, the client might offer DHE_DSS key exchange but
2569 omit any DSS pairs from its "signature_algorithms" extension. In
2570 order to negotiate correctly, the server MUST check any candidate
2571 cipher suites against the "signature_algorithms" extension before
2572 selecting them. This is somewhat inelegant but is a compromise
2573 designed to minimize changes to the original cipher suite design.
2575 If no "signature_algorithms" extension is present, the server MUST
2576 use SHA-1 as the hash algorithm.
2578 In addition, the digest and signature algorithms MUST be compatible
2579 with the key in the client's end-entity certificate. RSA keys MAY be
2580 used with any permitted digest algorithm.
2582 Because DSA signatures do not contain any secure indication of digest
2583 algorithm, it must be unambiguous which digest algorithm is to be
2584 used with any key. DSA keys specified with Object Identifier
2585 1 2 840 10040 4 1 MUST only be used with SHA-1. Future revisions of
2586 [PKIX] MAY define new object identifiers for DSA with other digest
2587 algorithms.
2589 The hash algorithm is denoted Hash below. Hash.length is the length
2590 of the output of that algorithm.
2595 Dierks & Rescorla Standards Track [Page 48]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2598 As additional CipherSuites are defined for TLS that include new key
2599 exchange algorithms, the server key exchange message will be sent if
2600 and only if the certificate type associated with the key exchange
2601 algorithm does not provide enough information for the client to
2602 exchange a premaster secret.
2604 7.4.4. Certificate Request
2606 When this message will be sent:
2607 A non-anonymous server can optionally request a certificate from
2608 the client, if appropriate for the selected cipher suite. This
2609 message, if sent, will immediately follow the Server Key Exchange
2610 message (if it is sent; otherwise, the Server Certificate
2611 message).
2613 Structure of this message:
2614 enum {
2615 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
2616 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
2617 fortezza_dms_RESERVED(20), (255)
2618 } ClientCertificateType;
2621 opaque DistinguishedName<1..2^16-1>;
2623 struct {
2624 ClientCertificateType certificate_types<1..2^8-1>;
2625 SignatureAndHashAlgorithm
2626 supported_signature_algorithms<2^16-1>;
2627 DistinguishedName certificate_authorities<0..2^16-1>;
2628 } CertificateRequest;
2631 certificate_types
2632 A list of the types of certificate types which the client may
2633 offer.
2634 rsa_sign a certificate containing an RSA key
2635 dss_sign a certificate containing a DSS key
2636 rsa_fixed_dh a certificate containing a static DH key.
2637 dss_fixed_dh a certificate containing a static DH key
2639 supported_signature_algorithms
2640 A list of the digest/signature algorithm pairs that the server is
2641 able to verify, listed in descending order of preference.
2643 certificate_authorities
2644 A list of the distinguished names [X501] of acceptable
2645 certificate_authorities, represented in DER-encoded format. These
2649 Dierks & Rescorla Standards Track [Page 49]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2652 distinguished names may specify a desired distinguished name for
2653 a root CA or for a subordinate CA; thus, this message can be used
2654 both to describe known roots and a desired authorization space.
2655 If the certificate_authorities list is empty then the client MAY
2656 send any certificate of the appropriate ClientCertificateType,
2657 unless there is some external arrangement to the contrary.
2659 The interaction of the certificate_types and
2660 supported_signature_algorithms fields is somewhat complicated.
2661 certificate_types has been present in TLS since SSLv3, but was
2662 somewhat underspecified. Much of its functionality is superseded by
2663 supported_signature_algorithms. The following rules apply:
2665 - Any certificates provided by the client MUST be signed using
2666 a digest/signature algorithm pair found in
2667 supported_signature_types.
2669 - The end-entity certificate provided by the client MUST contain a
2670 key which is compatible with certificate_types. If the key is a
2671 signature key, it MUST be usable with some digest/signature
2672 algorithm pair in supported_signature_types.
2674 - For historical reasons, the names of some client certificate
2675 types include the algorithm used to sign the certificate. For
2676 example, in earlier versions of TLS, rsa_fixed_dh meant a
2677 certificate signed with RSA and containing a static DH key. In
2678 TLS 1.2, this functionality has been obsoleted by the
2679 signature_types field, and the certificate type no longer
2680 restricts the algorithm used to sign the certificate. For
2681 example, if the server sends dss_fixed_dh certificate type and
2682 {dss_sha1, rsa_sha1} signature types, the client MAY to reply
2683 with a certificate containing a static DH key, signed with RSA-
2684 SHA1.
2686 New ClientCertificateType values are assigned by IANA as described in
2687 Section 12.
2689 Note: Values listed as RESERVED may not be used. They were used in
2690 SSLv3.
2692 Note: It is a fatal handshake_failure alert for an anonymous server to
2693 request client authentication.
2696 7.4.5 Server hello done
2698 When this message will be sent:
2699 The server hello done message is sent by the server to indicate
2703 Dierks & Rescorla Standards Track [Page 50]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2706 the end of the server hello and associated messages. After
2707 sending this message, the server will wait for a client response.
2709 Meaning of this message:
2710 This message means that the server is done sending messages to
2711 support the key exchange, and the client can proceed with its
2712 phase of the key exchange.
2714 Upon receipt of the server hello done message, the client SHOULD
2715 verify that the server provided a valid certificate, if required
2716 and check that the server hello parameters are acceptable.
2718 Structure of this message:
2719 struct { } ServerHelloDone;
2721 7.4.6. Client Certificate
2723 When this message will be sent:
2724 This is the first message the client can send after receiving a
2725 server hello done message. This message is only sent if the
2726 server requests a certificate. If no suitable certificate is
2727 available, the client SHOULD send a certificate message
2728 containing no certificates. That is, the certificate_list
2729 structure has a length of zero. If client authentication is
2730 required by the server for the handshake to continue, it may
2731 respond with a fatal handshake failure alert. Client certificates
2732 are sent using the Certificate structure defined in Section
2733 7.4.2.
2735 Meaning of this message:
2736 This message conveys the client's certificate to the server; the
2737 server will use it when verifying the certificate verify message
2738 (when the client authentication is based on signing), or
2739 calculate the premaster secret (for non-ephemeral Diffie-
2740 Hellman). The certificate MUST be appropriate for the negotiated
2741 cipher suite's key exchange algorithm, and any negotiated
2742 extensions.
2744 In particular:
2746 - The certificate type MUST be X.509v3, unless explicitly
2747 negotiated otherwise (e.g. [TLSPGP]).
2749 - The certificate's public key (and associated restrictions)
2750 has to be compatible with the certificate types listed in
2751 CertificateRequest:
2753 Client Cert. Type Certificate Key Type
2757 Dierks & Rescorla Standards Track [Page 51]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2760 rsa_sign RSA public key; the certificate MUST allow
2761 the key to be used for signing with the
2762 signature scheme and hash algorithm that
2763 will be employed in the certificate verify
2764 message.
2766 dss_sign DSA public key; the certificate MUST allow
2767 the key to be used for signing with the
2768 hash algorithm that will be employed in
2769 the certificate verify message.
2771 ecdsa_sign ECDSA-capable public key; the certificate
2772 MUST allow the key to be used for signing
2773 with the hash algorithm that will be
2774 employed in the certificate verify
2775 message; the public key MUST use a
2776 curve and point format supported by the
2777 server.
2779 rsa_fixed_dh Diffie-Hellman public key; MUST use
2780 dss_fixed_dh the same parameters as server's key.
2782 rsa_fixed_ecdh ECDH-capable public key; MUST use
2783 ecdsa_fixed_ecdh the same curve as server's key, and
2784 MUST use a point format supported by
2786 - If the certificate_authorities list in the certificate
2787 request message was non-empty, the certificate SHOULD be
2788 issued by one of the listed CAs.
2790 - The certificates MUST be signed using an acceptable digest/
2791 signature algorithm pair, as described in Section 7.4.4. Note
2792 that this relaxes the constraints on certificate signing
2793 algorithms found in prior versions of TLS.
2795 Note that as with the server certificate, there are certificates that
2796 use algorithms/algorithm combinations that cannot be currently used
2797 with TLS.
2799 7.4.7. Client Key Exchange Message
2801 When this message will be sent:
2802 This message is always sent by the client. It MUST immediately follow
2803 the client certificate message, if it is sent. Otherwise it MUST be
2804 the first message sent by the client after it receives the server
2805 hello done message.
2807 Meaning of this message:
2811 Dierks & Rescorla Standards Track [Page 52]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2814 With this message, the premaster secret is set, either though direct
2815 transmission of the RSA-encrypted secret, or by the transmission of
2816 Diffie-Hellman parameters that will allow each side to agree upon the
2817 same premaster secret. When the key exchange method is DH_RSA or
2818 DH_DSS, client certification has been requested, and the client was
2819 able to respond with a certificate that contained a Diffie-Hellman
2820 public key whose parameters (group and generator) matched those
2821 specified by the server in its certificate, this message MUST NOT
2822 contain any data.
2824 Structure of this message:
2825 The choice of messages depends on which key exchange method has been
2826 selected. See Section 7.4.3 for the KeyExchangeAlgorithm definition.
2828 struct {
2829 select (KeyExchangeAlgorithm) {
2830 case rsa: EncryptedPreMasterSecret;
2831 case diffie_hellman: ClientDiffieHellmanPublic;
2832 } exchange_keys;
2833 } ClientKeyExchange;
2835 7.4.7.1. RSA Encrypted Premaster Secret Message
2837 Meaning of this message:
2838 If RSA is being used for key agreement and authentication, the client
2839 generates a 48-byte premaster secret, encrypts it using the public
2840 key from the server's certificate and sends the result in an
2841 encrypted premaster secret message. This structure is a variant of
2842 the client key exchange message and is not a message in itself.
2844 Structure of this message:
2845 struct {
2846 ProtocolVersion client_version;
2847 opaque random[46];
2848 } PreMasterSecret;
2850 client_version
2852 The latest (newest) version supported by the client. This is
2853 used to detect version roll-back attacks.
2855 random
2856 46 securely-generated random bytes.
2859 struct {
2860 public-key-encrypted PreMasterSecret pre_master_secret;
2861 } EncryptedPreMasterSecret;
2865 Dierks & Rescorla Standards Track [Page 53]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2868 pre_master_secret
2870 This random value is generated by the client and is used to
2871 generate the master secret, as specified in Section 8.1.
2873 Note: The version number in the PreMasterSecret is the version
2874 offered by the client in the ClientHello.client_version, not the
2875 version negotiated for the connection. This feature is designed
2876 to prevent rollback attacks. Unfortunately, some old
2877 implementations use the negotiated version instead and therefore
2878 checking the version number may lead to failure to interoperate
2879 with such incorrect client implementations.
2881 Client implementations MUST always send the correct version
2882 number in PreMasterSecret. If ClientHello.client_version is TLS
2883 1.1 or higher, server implementations MUST check the version
2884 number as described in the note below. If the version number is
2885 earlier than 1.0, server implementations SHOULD check the version
2886 number, but MAY have a configuration option to disable the check.
2887 Note that if the check fails, the PreMasterSecret SHOULD be
2888 randomized as described below.
2890 Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al.
2891 [KPR03] can be used to attack a TLS server that reveals whether a
2892 particular message, when decrypted, is properly PKCS#1 formatted,
2893 contains a valid PreMasterSecret structure, or has the correct
2894 version number.
2896 The best way to avoid these vulnerabilities is to treat incorrectly
2897 formatted messages in a manner indistinguishable from correctly
2898 formatted RSA blocks. In other words:
2900 1. Generate a string R of 46 random bytes
2902 2. Decrypt the message M
2904 3. If the PKCS#1 padding is not correct, or the length of
2905 message M is not exactly 48 bytes:
2906 premaster secret = ClientHello.client_version || R
2907 else If ClientHello.client_version <= TLS 1.0, and
2908 version number check is explicitly disabled:
2909 premaster secret = M
2910 else:
2911 premaster secret = ClientHello.client_version || M[2..47]
2913 In any case, a TLS server MUST NOT generate an alert if processing an
2914 RSA-encrypted premaster secret message fails, or the version number
2915 is not as expected. Instead, it MUST continue the handshake with a
2919 Dierks & Rescorla Standards Track [Page 54]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2922 randomly generated premaster secret. It may be useful to log the
2923 real cause of failure for troubleshooting purposes; however, care
2924 must be taken to avoid leaking the information to an attacker
2925 (though, e.g., timing, log files, or other channels.)
2927 The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure
2928 against the Bleichenbacher attack. However, for maximal compatibility
2929 with earlier versions of TLS, this specification uses the RSAES-
2930 PKCS1-v1_5 scheme. No variants of the Bleichenbacher attack are known
2931 to exist provided that the above recommendations are followed.
2933 Implementation Note: Public-key-encrypted data is represented as an
2934 opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted
2935 PreMasterSecret in a ClientKeyExchange is preceded by two length
2936 bytes. These bytes are redundant in the case of RSA because the
2937 EncryptedPreMasterSecret is the only data in the ClientKeyExchange
2938 and its length can therefore be unambiguously determined. The SSLv3
2939 specification was not clear about the encoding of public-key-
2940 encrypted data, and therefore many SSLv3 implementations do not
2941 include the the length bytes, encoding the RSA encrypted data
2942 directly in the ClientKeyExchange message.
2944 This specification requires correct encoding of the
2945 EncryptedPreMasterSecret complete with length bytes. The resulting
2946 PDU is incompatible with many SSLv3 implementations. Implementors
2947 upgrading from SSLv3 MUST modify their implementations to generate
2948 and accept the correct encoding. Implementors who wish to be
2949 compatible with both SSLv3 and TLS should make their implementation's
2950 behavior dependent on the protocol version.
2952 Implementation Note: It is now known that remote timing-based attacks
2953 on TLS are possible, at least when the client and server are on the
2954 same LAN. Accordingly, implementations that use static RSA keys MUST
2955 use RSA blinding or some other anti-timing technique, as described in
2956 [TIMING].
2959 7.4.7.2. Client Diffie-Hellman Public Value
2961 Meaning of this message:
2962 This structure conveys the client's Diffie-Hellman public value
2963 (Yc) if it was not already included in the client's certificate.
2964 The encoding used for Yc is determined by the enumerated
2965 PublicValueEncoding. This structure is a variant of the client
2966 key exchange message, and not a message in itself.
2968 Structure of this message:
2969 enum { implicit, explicit } PublicValueEncoding;
2973 Dierks & Rescorla Standards Track [Page 55]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
2976 implicit
2977 If the client certificate already contains a suitable Diffie-
2978 Hellman key, then Yc is implicit and does not need to be sent
2979 again. In this case, the client key exchange message will be
2980 sent, but it MUST be empty.
2982 explicit
2983 Yc needs to be sent.
2985 struct {
2986 select (PublicValueEncoding) {
2987 case implicit: struct { };
2988 case explicit: opaque dh_Yc<1..2^16-1>;
2989 } dh_public;
2990 } ClientDiffieHellmanPublic;
2992 dh_Yc
2993 The client's Diffie-Hellman public value (Yc).
2995 7.4.8. Certificate verify
2997 When this message will be sent:
2998 This message is used to provide explicit verification of a client
2999 certificate. This message is only sent following a client
3000 certificate that has signing capability (i.e. all certificates
3001 except those containing fixed Diffie-Hellman parameters). When
3002 sent, it MUST immediately follow the client key exchange message.
3004 Structure of this message:
3005 struct {
3006 Signature signature;
3007 } CertificateVerify;
3009 The Signature type is defined in 7.4.3.
3011 The hash algorithm is denoted Hash below.
3013 CertificateVerify.signature.hash = Hash(handshake_messages);
3015 The digest and signature algorithms MUST be one of those present
3016 in the supported_signature_algorithms field of the
3017 CertificateRequest message. In addition, the digest and signature
3018 algorithms MUST be compatible with the key in the client's end-
3019 entity certificate. RSA keys MAY be used with any permitted
3020 digest algorithm.
3022 Because DSA signatures do not contain any secure indication of
3023 digest algorithm, it must be unambiguous which digest algorithm
3027 Dierks & Rescorla Standards Track [Page 56]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3030 is to be used with any key. DSA keys specified with Object
3031 Identifier 1 2 840 10040 4 1 MUST only be used with SHA-1.
3032 Future revisions of [PKIX] MAY define new object identifiers for
3033 DSA with other digest algorithms.
3035 Here handshake_messages refers to all handshake messages sent or
3036 received starting at client hello up to but not including this
3037 message, including the type and length fields of the handshake
3038 messages. This is the concatenation of all the Handshake structures
3039 as defined in 7.4 exchanged thus far.
3041 7.4.9. Finished
3043 When this message will be sent:
3044 A finished message is always sent immediately after a change
3045 cipher spec message to verify that the key exchange and
3046 authentication processes were successful. It is essential that a
3047 change cipher spec message be received between the other
3048 handshake messages and the Finished message.
3050 Meaning of this message:
3051 The finished message is the first protected with the just-
3052 negotiated algorithms, keys, and secrets. Recipients of finished
3053 messages MUST verify that the contents are correct. Once a side
3054 has sent its Finished message and received and validated the
3055 Finished message from its peer, it may begin to send and receive
3056 application data over the connection.
3058 struct {
3059 opaque verify_data[SecurityParameters.verify_data_length];
3060 } Finished;
3062 verify_data
3063 PRF(master_secret, finished_label, Hash(handshake_messages))
3064 [0..SecurityParameters.verify_data_length-1];
3066 finished_label
3067 For Finished messages sent by the client, the string "client
3068 finished". For Finished messages sent by the server, the
3069 string "server finished".
3071 Hash denotes the negotiated hash used for the PRF. If a new
3072 PRF is defined, then this hash MUST be specified.
3074 In previous versions of TLS, the verify_data was always 12
3075 octets long. In the current version of TLS, it depends on the
3076 cipher suite. Any cipher suite which does not explicitly
3077 specify SecurityParameters.verify_data_length has a
3081 Dierks & Rescorla Standards Track [Page 57]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3084 SecurityParameters.verify_data_length equal to 12. This
3085 includes all existing cipher suites. Note that this
3086 representation has the same encoding as with previous
3087 versions. Future cipher suites MAY specify other lengths but
3088 such length MUST be at least 12 bytes.
3090 handshake_messages
3091 All of the data from all messages in this handshake (not
3092 including any HelloRequest messages) up to but not including
3093 this message. This is only data visible at the handshake
3094 layer and does not include record layer headers. This is the
3095 concatenation of all the Handshake structures as defined in
3096 7.4, exchanged thus far.
3098 It is a fatal error if a finished message is not preceded by a change
3099 cipher spec message at the appropriate point in the handshake.
3101 The value handshake_messages includes all handshake messages starting
3102 at client hello up to, but not including, this finished message. This
3103 may be different from handshake_messages in Section 7.4.8 because it
3104 would include the certificate verify message (if sent). Also, the
3105 handshake_messages for the finished message sent by the client will
3106 be different from that for the finished message sent by the server,
3107 because the one that is sent second will include the prior one.
3109 Note: Change cipher spec messages, alerts, and any other record types
3110 are not handshake messages and are not included in the hash
3111 computations. Also, Hello Request messages are omitted from
3112 handshake hashes.
3114 8. Cryptographic Computations
3116 In order to begin connection protection, the TLS Record Protocol
3117 requires specification of a suite of algorithms, a master secret, and
3118 the client and server random values. The authentication, encryption,
3119 and MAC algorithms are determined by the cipher_suite selected by the
3120 server and revealed in the server hello message. The compression
3121 algorithm is negotiated in the hello messages, and the random values
3122 are exchanged in the hello messages. All that remains is to calculate
3123 the master secret.
3125 8.1. Computing the Master Secret
3127 For all key exchange methods, the same algorithm is used to convert
3128 the pre_master_secret into the master_secret. The pre_master_secret
3129 should be deleted from memory once the master_secret has been
3130 computed.
3135 Dierks & Rescorla Standards Track [Page 58]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3138 master_secret = PRF(pre_master_secret, "master secret",
3139 ClientHello.random + ServerHello.random)
3140 [0..47];
3142 The master secret is always exactly 48 bytes in length. The length of
3143 the premaster secret will vary depending on key exchange method.
3145 8.1.1. RSA
3147 When RSA is used for server authentication and key exchange, a
3148 48-byte pre_master_secret is generated by the client, encrypted under
3149 the server's public key, and sent to the server. The server uses its
3150 private key to decrypt the pre_master_secret. Both parties then
3151 convert the pre_master_secret into the master_secret, as specified
3152 above.
3154 8.1.2. Diffie-Hellman
3156 A conventional Diffie-Hellman computation is performed. The
3157 negotiated key (Z) is used as the pre_master_secret, and is converted
3158 into the master_secret, as specified above. Leading bytes of Z that
3159 contain all zero bits are stripped before it is used as the
3160 pre_master_secret.
3162 Note: Diffie-Hellman parameters are specified by the server and may
3163 be either ephemeral or contained within the server's certificate.
3165 9. Mandatory Cipher Suites
3167 In the absence of an application profile standard specifying
3168 otherwise, a TLS compliant application MUST implement the cipher
3169 suite TLS_RSA_WITH_AES_128_CBC_SHA.
3171 10. Application Data Protocol
3173 Application data messages are carried by the Record Layer and are
3174 fragmented, compressed, and encrypted based on the current connection
3175 state. The messages are treated as transparent data to the record
3176 layer.
3178 11. Security Considerations
3180 Security issues are discussed throughout this memo, especially in
3181 Appendices D, E, and F.
3183 12. IANA Considerations
3185 This document uses several registries that were originally created in
3189 Dierks & Rescorla Standards Track [Page 59]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3192 [TLS1.1]. IANA is requested to update (has updated) these to
3193 reference this document. The registries and their allocation policies
3194 (unchanged from [TLS1.1]) are listed below.
3196 - TLS ClientCertificateType Identifiers Registry: Future
3197 values in the range 0-63 (decimal) inclusive are assigned via
3198 Standards Action [RFC2434]. Values in the range 64-223
3199 (decimal) inclusive are assigned Specification Required
3200 [RFC2434]. Values from 224-255 (decimal) inclusive are
3201 reserved for Private Use [RFC2434].
3203 - TLS Cipher Suite Registry: Future values with the first byte
3204 in the range 0-191 (decimal) inclusive are assigned via
3205 Standards Action [RFC2434]. Values with the first byte in
3206 the range 192-254 (decimal) are assigned via Specification
3207 Required [RFC2434]. Values with the first byte 255 (decimal)
3208 are reserved for Private Use [RFC2434].
3210 - TLS ContentType Registry: Future values are allocated via
3211 Standards Action [RFC2434].
3213 - TLS Alert Registry: Future values are allocated via
3214 Standards Action [RFC2434].
3216 - TLS HandshakeType Registry: Future values are allocated via
3217 Standards Action [RFC2434].
3219 This document also uses a registry originally created in [RFC4366].
3220 IANA is requested to update (has updated) it to reference this
3221 document. The registry and its allocation policy (unchanged from
3222 [RFC4366]) is listed below:.
3224 - TLS ExtensionType Registry: Future values are allocated
3225 via IETF Consensus [RFC2434]
3227 In addition, this document defines one new registry to be maintained
3228 by IANA:
3230 - TLS SignatureAlgorithm Registry: The registry will be initially
3231 populated with the values described in Section 7.4.1.4.1.
3232 Future values in the range 0-63 (decimal) inclusive are
3233 assigned via Standards Action [RFC2434]. Values in the
3234 range 64-223 (decimal) inclusive are assigned via
3235 Specification Required [RFC2434]. Values from 224-255
3236 (decimal) inclusive are reserved for Private Use [RFC2434].
3238 - TLS HashAlgorithm Registry: The registry will be initially
3239 populated with the values described in Section 7.4.1.4.1.
3243 Dierks & Rescorla Standards Track [Page 60]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3246 Future values in the range 0-63 (decimal) inclusive are
3247 assigned via Standards Action [RFC2434]. Values in the
3248 range 64-223 (decimal) inclusive are assigned via
3249 Specification Required [RFC2434]. Values from 224-255
3250 (decimal) inclusive are reserved for Private Use [RFC2434].
3252 This document defines one new TLS extension, cert_hash_type, which is
3253 to be (has been) allocated value TBD-BY-IANA in the TLS ExtensionType
3254 registry.
3256 This document also uses the TLS Compression Method Identifiers
3257 Registry, defined in [RFC3749]. IANA is requested to allocate value
3258 0 for the "null" compression method.
3297 Dierks & Rescorla Standards Track [Page 61]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3300 Appendix A. Protocol Constant Values
3302 This section describes protocol types and constants.
3304 A.1. Record Layer
3306 struct {
3307 uint8 major, minor;
3308 } ProtocolVersion;
3310 ProtocolVersion version = { 3, 3 }; /* TLS v1.2*/
3312 enum {
3313 change_cipher_spec(20), alert(21), handshake(22),
3314 application_data(23), (255)
3315 } ContentType;
3317 struct {
3318 ContentType type;
3319 ProtocolVersion version;
3320 uint16 length;
3321 opaque fragment[TLSPlaintext.length];
3322 } TLSPlaintext;
3324 struct {
3325 ContentType type;
3326 ProtocolVersion version;
3327 uint16 length;
3328 opaque fragment[TLSCompressed.length];
3329 } TLSCompressed;
3331 struct {
3332 ContentType type;
3333 ProtocolVersion version;
3334 uint16 length;
3335 select (SecurityParameters.cipher_type) {
3336 case stream: GenericStreamCipher;
3337 case block: GenericBlockCipher;
3338 case aead: GenericAEADCipher;
3339 } fragment;
3340 } TLSCiphertext;
3342 stream-ciphered struct {
3343 opaque content[TLSCompressed.length];
3344 opaque MAC[SecurityParameters.mac_length];
3345 } GenericStreamCipher;
3347 struct {
3351 Dierks & Rescorla Standards Track [Page 62]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3354 opaque IV[SecurityParameters.record_iv_length];
3355 block-ciphered struct {
3356 opaque content[TLSCompressed.length];
3357 opaque MAC[SecurityParameters.mac_length];
3358 uint8 padding[GenericBlockCipher.padding_length];
3359 uint8 padding_length;
3360 };
3361 } GenericBlockCipher;
3363 aead-ciphered struct {
3364 opaque IV[SecurityParameters.record_iv_length];
3365 opaque aead_output[AEADEncrypted.length];
3366 } GenericAEADCipher;
3368 A.2. Change Cipher Specs Message
3370 struct {
3371 enum { change_cipher_spec(1), (255) } type;
3372 } ChangeCipherSpec;
3374 A.3. Alert Messages
3376 enum { warning(1), fatal(2), (255) } AlertLevel;
3378 enum {
3379 close_notify(0),
3380 unexpected_message(10),
3381 bad_record_mac(20),
3382 decryption_failed_RESERVED(21),
3383 record_overflow(22),
3384 decompression_failure(30),
3385 handshake_failure(40),
3386 no_certificate_RESERVED(41),
3387 bad_certificate(42),
3388 unsupported_certificate(43),
3389 certificate_revoked(44),
3390 certificate_expired(45),
3391 certificate_unknown(46),
3392 illegal_parameter(47),
3393 unknown_ca(48),
3394 access_denied(49),
3395 decode_error(50),
3396 decrypt_error(51),
3397 export_restriction_RESERVED(60),
3398 protocol_version(70),
3399 insufficient_security(71),
3400 internal_error(80),
3401 user_canceled(90),
3405 Dierks & Rescorla Standards Track [Page 63]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3408 no_renegotiation(100),
3409 unsupported_extension(110), /* new */
3410 (255)
3411 } AlertDescription;
3413 struct {
3414 AlertLevel level;
3415 AlertDescription description;
3416 } Alert;
3459 Dierks & Rescorla Standards Track [Page 64]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3462 A.4. Handshake Protocol
3464 enum {
3465 hello_request(0), client_hello(1), server_hello(2),
3466 certificate(11), server_key_exchange (12),
3467 certificate_request(13), server_hello_done(14),
3468 certificate_verify(15), client_key_exchange(16),
3469 finished(20)
3470 (255)
3471 } HandshakeType;
3473 struct {
3474 HandshakeType msg_type;
3475 uint24 length;
3476 select (HandshakeType) {
3477 case hello_request: HelloRequest;
3478 case client_hello: ClientHello;
3479 case server_hello: ServerHello;
3480 case certificate: Certificate;
3481 case server_key_exchange: ServerKeyExchange;
3482 case certificate_request: CertificateRequest;
3483 case server_hello_done: ServerHelloDone;
3484 case certificate_verify: CertificateVerify;
3485 case client_key_exchange: ClientKeyExchange;
3486 case finished: Finished;
3487 } body;
3488 } Handshake;
3490 A.4.1. Hello Messages
3492 struct { } HelloRequest;
3494 struct {
3495 uint32 gmt_unix_time;
3496 opaque random_bytes[28];
3497 } Random;
3499 opaque SessionID<0..32>;
3501 uint8 CipherSuite[2];
3503 enum { null(0), (255) } CompressionMethod;
3505 struct {
3506 ProtocolVersion client_version;
3507 Random random;
3508 SessionID session_id;
3509 CipherSuite cipher_suites<2..2^16-1>;
3513 Dierks & Rescorla Standards Track [Page 65]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3516 CompressionMethod compression_methods<1..2^8-1>;
3517 select (extensions_present) {
3518 case false:
3519 struct {};
3520 case true:
3521 Extension extensions<0..2^16-1>;
3522 };
3523 } ClientHello;
3525 struct {
3526 ProtocolVersion server_version;
3527 Random random;
3528 SessionID session_id;
3529 CipherSuite cipher_suite;
3530 CompressionMethod compression_method;
3531 select (extensions_present) {
3532 case false:
3533 struct {};
3534 case true:
3535 Extension extensions<0..2^16-1>;
3536 };
3537 } ServerHello;
3539 struct {
3540 ExtensionType extension_type;
3541 opaque extension_data<0..2^16-1>;
3542 } Extension;
3544 enum {
3545 signature_hash_algorithms(TBD-BY-IANA), (65535)
3546 } ExtensionType;
3548 enum{
3549 none(0), md5(1), sha1(2), sha256(3), sha384(4),
3550 sha512(5), (255)
3551 } HashAlgorithm;
3553 enum { anonymous(0), rsa(1), dsa(2), (255) } SignatureAlgorithm;
3555 struct {
3556 HashAlgorithm hash;
3557 SignatureAlgorithm signature;
3558 } SignatureAndHashAlgorithm;
3560 SignatureAndHashAlgorithm
3561 supported_signature_algorithms<2..2^16-1>;
3567 Dierks & Rescorla Standards Track [Page 66]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3570 A.4.2. Server Authentication and Key Exchange Messages
3572 opaque ASN.1Cert<2^24-1>;
3574 struct {
3575 ASN.1Cert certificate_list<0..2^24-1>;
3576 } Certificate;
3578 enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
3580 struct {
3581 opaque dh_p<1..2^16-1>;
3582 opaque dh_g<1..2^16-1>;
3583 opaque dh_Ys<1..2^16-1>;
3584 } ServerDHParams;
3586 struct {
3587 select (KeyExchangeAlgorithm) {
3588 case diffie_hellman:
3589 ServerDHParams params;
3590 Signature signed_params;
3591 }
3592 } ServerKeyExchange;
3594 struct {
3595 select (KeyExchangeAlgorithm) {
3596 case diffie_hellman:
3597 ServerDHParams params;
3598 };
3599 } ServerParams;
3601 struct {
3602 select (SignatureAlgorithm) {
3603 case anonymous: struct { };
3604 case rsa:
3605 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
3606 digitally-signed struct {
3607 opaque hash[Hash.length];
3608 };
3609 case dsa:
3610 SignatureAndHashAlgorithm signature_algorithm; /*NEW*/
3611 digitally-signed struct {
3612 opaque hash[Hash.length];
3613 };
3614 };
3615 };
3616 } Signature;
3621 Dierks & Rescorla Standards Track [Page 67]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3624 enum {
3625 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
3626 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
3627 fortezza_dms_RESERVED(20),
3628 (255)
3629 } ClientCertificateType;
3631 opaque DistinguishedName<1..2^16-1>;
3633 struct {
3634 ClientCertificateType certificate_types<1..2^8-1>;
3635 DistinguishedName certificate_authorities<0..2^16-1>;
3636 } CertificateRequest;
3638 struct { } ServerHelloDone;
3640 A.4.3. Client Authentication and Key Exchange Messages
3642 struct {
3643 select (KeyExchangeAlgorithm) {
3644 case rsa: EncryptedPreMasterSecret;
3645 case diffie_hellman: ClientDiffieHellmanPublic;
3646 } exchange_keys;
3647 } ClientKeyExchange;
3649 struct {
3650 ProtocolVersion client_version;
3651 opaque random[46];
3652 } PreMasterSecret;
3654 struct {
3655 public-key-encrypted PreMasterSecret pre_master_secret;
3656 } EncryptedPreMasterSecret;
3658 enum { implicit, explicit } PublicValueEncoding;
3660 struct {
3661 select (PublicValueEncoding) {
3662 case implicit: struct {};
3663 case explicit: opaque DH_Yc<1..2^16-1>;
3664 } dh_public;
3665 } ClientDiffieHellmanPublic;
3667 struct {
3668 Signature signature;
3669 } CertificateVerify;
3671 A.4.4. Handshake Finalization Message
3675 Dierks & Rescorla Standards Track [Page 68]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3678 struct {
3679 opaque verify_data[SecurityParameters.verify_data_length];
3680 } Finished;
3682 A.5. The CipherSuite
3684 The following values define the CipherSuite codes used in the client
3685 hello and server hello messages.
3687 A CipherSuite defines a cipher specification supported in TLS Version
3688 1.2.
3690 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
3691 TLS connection during the first handshake on that channel, but MUST
3692 not be negotiated, as it provides no more protection than an
3693 unsecured connection.
3695 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
3697 The following CipherSuite definitions require that the server provide
3698 an RSA certificate that can be used for key exchange. The server may
3699 request either an RSA or a DSS signature-capable certificate in the
3700 certificate request message.
3702 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
3703 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
3704 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
3705 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
3706 CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
3707 CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
3708 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
3709 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
3710 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };
3712 The following CipherSuite definitions are used for server-
3713 authenticated (and optionally client-authenticated) Diffie-Hellman.
3714 DH denotes cipher suites in which the server's certificate contains
3715 the Diffie-Hellman parameters signed by the certificate authority
3716 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman
3717 parameters are signed by a DSS or RSA certificate, which has been
3718 signed by the CA. The signing algorithm used is specified after the
3719 DH or DHE parameter. The server can request an RSA or DSS signature-
3720 capable certificate from the client for client authentication or it
3721 may request a Diffie-Hellman certificate. Any Diffie-Hellman
3722 certificate provided by the client must use the parameters (group and
3723 generator) described by the server.
3725 CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
3729 Dierks & Rescorla Standards Track [Page 69]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3732 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
3733 CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
3734 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
3735 CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
3736 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
3737 CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
3738 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
3739 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
3740 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
3741 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
3742 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };
3743 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };
3744 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };
3745 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };
3746 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };
3748 The following cipher suites are used for completely anonymous Diffie-
3749 Hellman communications in which neither party is authenticated. Note
3750 that this mode is vulnerable to man-in-the-middle attacks. Using
3751 this mode therefore is of limited use: These ciphersuites MUST NOT be
3752 used by TLS 1.2 implementations unless the application layer has
3753 specifically requested to allow anonymous key exchange. (Anonymous
3754 key exchange may sometimes be acceptable, for example, to support
3755 opportunistic encryption when no set-up for authentication is in
3756 place, or when TLS is used as part of more complex security protocols
3757 that have other means to ensure authentication.)
3759 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00, 0x18 };
3760 CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00, 0x1A };
3761 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x1B };
3762 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
3763 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
3765 Note that using non-anonymous key exchange without actually verifying
3766 the key exchange is essentially equivalent to anonymous key exchange,
3767 and the same precautions apply. While non-anonymous key exchange
3768 will generally involve a higher computational and communicational
3769 cost than anonymous key exchange, it may be in the interest of
3770 interoperability not to disable non-anonymous key exchange when the
3771 application layer is allowing anonymous key exchange.
3773 When SSLv3 and TLS 1.0 were designed, the United States restricted
3774 the export of cryptographic software containing certain strong
3775 encryption algorithms. A series of cipher suites were designed to
3776 operate at reduced key lengths in order to comply with those
3777 regulations. Due to advances in computer performance, these
3778 algorithms are now unacceptably weak and export restrictions have
3779 since been loosened. TLS 1.2 implementations MUST NOT negotiate these
3783 Dierks & Rescorla Standards Track [Page 70]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3786 cipher suites in TLS 1.2 mode. However, for backward compatibility
3787 they may be offered in the ClientHello for use with TLS 1.0 or SSLv3
3788 only servers. TLS 1.2 clients MUST check that the server did not
3789 choose one of these cipher suites during the handshake. These
3790 ciphersuites are listed below for informational purposes and to
3791 reserve the numbers.
3793 CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
3794 CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
3795 CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
3796 CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
3797 CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
3798 CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
3799 CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
3800 CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
3801 CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
3803 New cipher suite values are assigned by IANA as described in Section
3804 12.
3806 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
3807 reserved to avoid collision with Fortezza-based cipher suites in SSL
3808 3.
3810 A.6. The Security Parameters
3812 These security parameters are determined by the TLS Handshake
3813 Protocol and provided as parameters to the TLS Record Layer in order
3814 to initialize a connection state. SecurityParameters includes:
3816 enum { null(0), (255) } CompressionMethod;
3818 enum { server, client } ConnectionEnd;
3820 enum { null, rc4, rc2, des, 3des, des40, aes, idea }
3821 BulkCipherAlgorithm;
3823 enum { stream, block, aead } CipherType;
3825 enum { null, hmac_md5, hmac_sha, hmac_sha256, hmac_sha384,
3826 hmac_sha512} MACAlgorithm;
3829 /* The algorithms specified in CompressionMethod,
3830 BulkCipherAlgorithm, and MACAlgorithm may be added to. */
3832 struct {
3833 ConnectionEnd entity;
3837 Dierks & Rescorla Standards Track [Page 71]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3840 BulkCipherAlgorithm bulk_cipher_algorithm;
3841 CipherType cipher_type;
3842 uint8 enc_key_length;
3843 uint8 block_length;
3844 uint8 fixed_iv_length;
3845 uint8 record_iv_length;
3846 MACAlgorithm mac_algorithm;
3847 uint8 mac_length;
3848 uint8 mac_key_length;
3849 uint8 verify_data_length;
3850 CompressionMethod compression_algorithm;
3851 opaque master_secret[48];
3852 opaque client_random[32];
3853 opaque server_random[32];
3854 } SecurityParameters;
3891 Dierks & Rescorla Standards Track [Page 72]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3894 Appendix B. Glossary
3896 Advanced Encryption Standard (AES)
3897 AES is a widely used symmetric encryption algorithm. AES is a
3898 block cipher with a 128, 192, or 256 bit keys and a 16 byte block
3899 size. [AES] TLS currently only supports the 128 and 256 bit key
3900 sizes.
3902 application protocol
3903 An application protocol is a protocol that normally layers
3904 directly on top of the transport layer (e.g., TCP/IP). Examples
3905 include HTTP, TELNET, FTP, and SMTP.
3907 asymmetric cipher
3908 See public key cryptography.
3910 authenticated encryption with additional data (AEAD)
3911 A symmetric encryption algorithm that simultaneously provides
3912 confidentiality and message integrity.
3914 authentication
3915 Authentication is the ability of one entity to determine the
3916 identity of another entity.
3918 block cipher
3919 A block cipher is an algorithm that operates on plaintext in
3920 groups of bits, called blocks. 64 bits is a common block size.
3922 bulk cipher
3923 A symmetric encryption algorithm used to encrypt large quantities
3924 of data.
3926 cipher block chaining (CBC)
3927 CBC is a mode in which every plaintext block encrypted with a
3928 block cipher is first exclusive-ORed with the previous ciphertext
3929 block (or, in the case of the first block, with the
3930 initialization vector). For decryption, every block is first
3931 decrypted, then exclusive-ORed with the previous ciphertext block
3932 (or IV).
3934 certificate
3935 As part of the X.509 protocol (a.k.a. ISO Authentication
3936 framework), certificates are assigned by a trusted Certificate
3937 Authority and provide a strong binding between a party's identity
3938 or some other attributes and its public key.
3940 client
3941 The application entity that initiates a TLS connection to a
3945 Dierks & Rescorla Standards Track [Page 73]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
3948 server. This may or may not imply that the client initiated the
3949 underlying transport connection. The primary operational
3950 difference between the server and client is that the server is
3951 generally authenticated, while the client is only optionally
3952 authenticated.
3954 client write key
3955 The key used to encrypt data written by the client.
3957 client write MAC secret
3958 The secret data used to authenticate data written by the client.
3960 connection
3961 A connection is a transport (in the OSI layering model
3962 definition) that provides a suitable type of service. For TLS,
3963 such connections are peer-to-peer relationships. The connections
3964 are transient. Every connection is associated with one session.
3966 Data Encryption Standard
3967 DES is a very widely used symmetric encryption algorithm. DES is
3968 a block cipher with a 56 bit key and an 8 byte block size. Note
3969 that in TLS, for key generation purposes, DES is treated as
3970 having an 8 byte key length (64 bits), but it still only provides
3971 56 bits of protection. (The low bit of each key byte is presumed
3972 to be set to produce odd parity in that key byte.) DES can also
3973 be operated in a mode where three independent keys and three
3974 encryptions are used for each block of data; this uses 168 bits
3975 of key (24 bytes in the TLS key generation method) and provides
3976 the equivalent of 112 bits of security. [DES], [3DES]
3978 Digital Signature Standard (DSS)
3979 A standard for digital signing, including the Digital Signing
3980 Algorithm, approved by the National Institute of Standards and
3981 Technology, defined in NIST FIPS PUB 186, "Digital Signature
3982 Standard", published May, 1994 by the U.S. Dept. of Commerce.
3983 [DSS]
3985 digital signatures
3986 Digital signatures utilize public key cryptography and one-way
3987 hash functions to produce a signature of the data that can be
3988 authenticated, and is difficult to forge or repudiate.
3990 handshake
3991 An initial negotiation between client and server that establishes
3992 the parameters of their transactions.
3994 Initialization Vector (IV)
3995 When a block cipher is used in CBC mode, the initialization
3999 Dierks & Rescorla Standards Track [Page 74]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4002 vector is exclusive-ORed with the first plaintext block prior to
4003 encryption.
4005 IDEA
4006 A 64-bit block cipher designed by Xuejia Lai and James Massey.
4007 [IDEA]
4009 Message Authentication Code (MAC)
4010 A Message Authentication Code is a one-way hash computed from a
4011 message and some secret data. It is difficult to forge without
4012 knowing the secret data. Its purpose is to detect if the message
4013 has been altered.
4015 master secret
4016 Secure secret data used for generating encryption keys, MAC
4017 secrets, and IVs.
4019 MD5
4020 MD5 is a secure hashing function that converts an arbitrarily
4021 long data stream into a digest of fixed size (16 bytes). [MD5]
4023 public key cryptography
4024 A class of cryptographic techniques employing two-key ciphers.
4025 Messages encrypted with the public key can only be decrypted with
4026 the associated private key. Conversely, messages signed with the
4027 private key can be verified with the public key.
4029 one-way hash function
4030 A one-way transformation that converts an arbitrary amount of
4031 data into a fixed-length hash. It is computationally hard to
4032 reverse the transformation or to find collisions. MD5 and SHA are
4033 examples of one-way hash functions.
4035 RC2
4036 A block cipher developed by Ron Rivest, described in [RC2].
4038 RC4
4039 A stream cipher invented by Ron Rivest. A compatible cipher is
4040 described in [SCH].
4042 RSA
4043 A very widely used public-key algorithm that can be used for
4044 either encryption or digital signing. [RSA]
4046 server
4047 The server is the application entity that responds to requests
4048 for connections from clients. See also under client.
4053 Dierks & Rescorla Standards Track [Page 75]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4056 session
4057 A TLS session is an association between a client and a server.
4058 Sessions are created by the handshake protocol. Sessions define a
4059 set of cryptographic security parameters that can be shared among
4060 multiple connections. Sessions are used to avoid the expensive
4061 negotiation of new security parameters for each connection.
4063 session identifier
4064 A session identifier is a value generated by a server that
4065 identifies a particular session.
4067 server write key
4068 The key used to encrypt data written by the server.
4070 server write MAC secret
4071 The secret data used to authenticate data written by the server.
4073 SHA
4074 The Secure Hash Algorithm is defined in FIPS PUB 180-2. It
4075 produces a 20-byte output. Note that all references to SHA
4076 actually use the modified SHA-1 algorithm. [SHA]
4078 SSL
4079 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
4080 SSL Version 3.0
4082 stream cipher
4083 An encryption algorithm that converts a key into a
4084 cryptographically strong keystream, which is then exclusive-ORed
4085 with the plaintext.
4087 symmetric cipher
4088 See bulk cipher.
4090 Transport Layer Security (TLS)
4091 This protocol; also, the Transport Layer Security working group
4092 of the Internet Engineering Task Force (IETF). See "Comments" at
4093 the end of this document.
4107 Dierks & Rescorla Standards Track [Page 76]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4110 Appendix C. CipherSuite Definitions
4112 CipherSuite Key Cipher Hash
4113 Exchange
4115 TLS_NULL_WITH_NULL_NULL NULL NULL NULL
4116 TLS_RSA_WITH_NULL_MD5 RSA NULL MD5
4117 TLS_RSA_WITH_NULL_SHA RSA NULL SHA
4118 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
4119 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
4120 TLS_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA
4121 TLS_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA
4122 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
4123 TLS_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA
4124 TLS_RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA
4125 TLS_DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA
4126 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
4127 TLS_DH_RSA_WITH_DES_CBC_SHA DH_RSA DES_CBC SHA
4128 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
4129 TLS_DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA
4130 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
4131 TLS_DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA
4132 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
4133 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
4134 TLS_DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA
4135 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
4136 TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA
4137 TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA
4138 TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA
4139 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA
4140 TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA
4141 TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA
4142 TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA
4143 TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA
4144 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA
4145 TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA
4147 Key
4148 Exchange
4149 Algorithm Description Key size limit
4151 DHE_DSS Ephemeral DH with DSS signatures None
4152 DHE_RSA Ephemeral DH with RSA signatures None
4153 DH_anon Anonymous DH, no signatures None
4154 DH_DSS DH with DSS-based certificates None
4155 DH_RSA DH with RSA-based certificates None
4156 NULL No key exchange N/A
4157 RSA RSA key exchange None
4161 Dierks & Rescorla Standards Track [Page 77]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4164 Key Expanded IV Block
4165 Cipher Type Material Key Material Size Size
4167 NULL Stream 0 0 0 N/A
4168 IDEA_CBC Block 16 16 8 8
4169 RC4_128 Stream 16 16 0 N/A
4170 DES_CBC Block 8 8 8 8
4171 3DES_EDE_CBC Block 24 24 8 8
4173 Type
4174 Indicates whether this is a stream cipher or a block cipher
4175 running in CBC mode.
4177 Key Material
4178 The number of bytes from the key_block that are used for
4179 generating the write keys.
4181 Expanded Key Material
4182 The number of bytes actually fed into the encryption algorithm.
4184 IV Size
4185 The amount of data needed to be generated for the initialization
4186 vector. Zero for stream ciphers; equal to the block size for
4187 block ciphers (this is equal to
4188 SecurityParameters.record_iv_length).
4190 Block Size
4191 The amount of data a block cipher enciphers in one chunk; a
4192 block cipher running in CBC mode can only encrypt an even
4193 multiple of its block size.
4195 Hash Hash Padding
4196 function Size Size
4197 NULL 0 0
4198 MD5 16 48
4199 SHA 20 40
4215 Dierks & Rescorla Standards Track [Page 78]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4218 Appendix D. Implementation Notes
4220 The TLS protocol cannot prevent many common security mistakes. This
4221 section provides several recommendations to assist implementors.
4223 D.1 Random Number Generation and Seeding
4225 TLS requires a cryptographically secure pseudorandom number generator
4226 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
4227 based on secure hash operations, most notably SHA-1, are acceptable,
4228 but cannot provide more security than the size of the random number
4229 generator state.
4231 To estimate the amount of seed material being produced, add the
4232 number of bits of unpredictable information in each seed byte. For
4233 example, keystroke timing values taken from a PC compatible's 18.2 Hz
4234 timer provide 1 or 2 secure bits each, even though the total size of
4235 the counter value is 16 bits or more. Seeding a 128-bit PRNG would
4236 thus require approximately 100 such timer values.
4238 [RANDOM] provides guidance on the generation of random values.
4240 D.2 Certificates and Authentication
4242 Implementations are responsible for verifying the integrity of
4243 certificates and should generally support certificate revocation
4244 messages. Certificates should always be verified to ensure proper
4245 signing by a trusted Certificate Authority (CA). The selection and
4246 addition of trusted CAs should be done very carefully. Users should
4247 be able to view information about the certificate and root CA.
4249 D.3 CipherSuites
4251 TLS supports a range of key sizes and security levels, including some
4252 that provide no or minimal security. A proper implementation will
4253 probably not support many cipher suites. For instance, anonymous
4254 Diffie-Hellman is strongly discouraged because it cannot prevent man-
4255 in-the-middle attacks. Applications should also enforce minimum and
4256 maximum key sizes. For example, certificate chains containing 512-bit
4257 RSA keys or signatures are not appropriate for high-security
4258 applications.
4260 D.4 Implementation Pitfalls
4262 Implementation experience has shown that certain parts of earlier TLS
4263 specifications are not easy to understand, and have been a source of
4264 interoperability and security problems. Many of these areas have been
4265 clarified in this document, but this appendix contains a short list
4269 Dierks & Rescorla Standards Track [Page 79]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4272 of the most important things that require special attention from
4273 implementors.
4275 TLS protocol issues:
4277 - Do you correctly handle handshake messages that are fragmented
4278 to multiple TLS records (see Section 6.2.1)? Including corner
4279 cases like a ClientHello that is split to several small
4280 fragments?
4282 - Do you ignore the TLS record layer version number in all TLS
4283 records before ServerHello (see Appendix E.1)?
4285 - Do you handle TLS extensions in ClientHello correctly,
4286 including omitting the extensions field completely?
4288 - Do you support renegotiation, both client and server initiated?
4289 While renegotiation this is an optional feature, supporting
4290 it is highly recommended.
4292 - When the server has requested a client certificate, but no
4293 suitable certificate is available, do you correctly send
4294 an empty Certificate message, instead of omitting the whole
4295 message (see Section 7.4.6)?
4297 Cryptographic details:
4299 - In RSA-encrypted Premaster Secret, do you correctly send and
4300 verify the version number? When an error is encountered, do
4301 you continue the handshake to avoid the Bleichenbacher
4302 attack (see Section 7.4.7.1)?
4304 - What countermeasures do you use to prevent timing attacks against
4305 RSA decryption and signing operations (see Section 7.4.7.1)?
4307 - When verifying RSA signatures, do you accept both NULL and
4308 missing parameters (see Section 4.7)? Do you verify that the
4309 RSA padding doesn't have additional data after the hash value?
4310 [FI06]
4312 - When using Diffie-Hellman key exchange, do you correctly strip
4313 leading zero bytes from the negotiated key (see Section 8.1.2)?
4315 - Does your TLS client check that the Diffie-Hellman parameters
4316 sent by the server are acceptable (see Section F.1.1.3)?
4318 - How do you generate unpredictable IVs for CBC mode ciphers
4319 (see Section 6.2.3.2)?
4323 Dierks & Rescorla Standards Track [Page 80]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4326 - How do you address CBC mode timing attacks (Section 6.2.3.2)?
4328 - Do you use a strong and, most importantly, properly seeded
4329 random number generator (see Appendix D.1) for generating the
4330 premaster secret (for RSA key exchange), Diffie-Hellman private
4331 values, the DSA "k" parameter, and other security-critical
4332 values?
4377 Dierks & Rescorla Standards Track [Page 81]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4380 Appendix E. Backward Compatibility
4382 E.1 Compatibility with TLS 1.0/1.1 and SSL 3.0
4384 Since there are various versions of TLS (1.0, 1.1, 1.2, and any
4385 future versions) and SSL (2.0 and 3.0), means are needed to negotiate
4386 the specific protocol version to use. The TLS protocol provides a
4387 built-in mechanism for version negotiation so as not to bother other
4388 protocol components with the complexities of version selection.
4390 TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
4391 compatible ClientHello messages; thus, supporting all of them is
4392 relatively easy. Similarly, servers can easily handle clients trying
4393 to use future versions of TLS as long as the ClientHello format
4394 remains compatible, and the client support the highest protocol
4395 version available in the server.
4397 A TLS 1.2 client who wishes to negotiate with such older servers will
4398 send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
4399 ClientHello.client_version. If the server does not support this
4400 version, it will respond with ServerHello containing an older version
4401 number. If the client agrees to use this version, the negotiation
4402 will proceed as appropriate for the negotiated protocol.
4404 If the version chosen by the server is not supported by the client
4405 (or not acceptable), the client MUST send a "protocol_version" alert
4406 message and close the connection.
4408 If a TLS server receives a ClientHello containing a version number
4409 greater than the highest version supported by the server, it MUST
4410 reply according to the highest version supported by the server.
4412 A TLS server can also receive a ClientHello containing version number
4413 smaller than the highest supported version. If the server wishes to
4414 negotiate with old clients, it will proceed as appropriate for the
4415 highest version supported by the server that is not greater than
4416 ClientHello.client_version. For example, if the server supports TLS
4417 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will
4418 proceed with a TLS 1.0 ServerHello. If server supports (or is willing
4419 to use) only versions greater than client_version, it MUST send a
4420 "protocol_version" alert message and close the connection.
4422 Whenever a client already knows the highest protocol known to a
4423 server (for example, when resuming a session), it SHOULD initiate the
4424 connection in that native protocol.
4426 Note: some server implementations are known to implement version
4427 negotiation incorrectly. For example, there are buggy TLS 1.0 servers
4431 Dierks & Rescorla Standards Track [Page 82]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4434 that simply close the connection when the client offers a version
4435 newer than TLS 1.0. Also, it is known that some servers will refuse
4436 connection if any TLS extensions are included in ClientHello.
4437 Interoperability with such buggy servers is a complex topic beyond
4438 the scope of this document, and may require multiple connection
4439 attempts by the client.
4441 Earlier versions of the TLS specification were not fully clear on
4442 what the record layer version number (TLSPlaintext.version) should
4443 contain when sending ClientHello (i.e., before it is known which
4444 version of the protocol will be employed). Thus, TLS servers
4445 compliant with this specification MUST accept any value {03,XX} as
4446 the record layer version number for ClientHello.
4448 TLS clients that wish to negotiate with older servers MAY send any
4449 value {03,XX} as the record layer version number. Typical values
4450 would be {03,00}, the lowest version number supported by the client,
4451 and the value of ClientHello.client_version. No single value will
4452 guarantee interoperability with all old servers, but this is a
4453 complex topic beyond the scope of this document.
4455 E.2 Compatibility with SSL 2.0
4457 TLS 1.2 clients that wish to support SSL 2.0 servers MUST send
4458 version 2.0 CLIENT-HELLO messages defined in [SSL2]. The message MUST
4459 contain the same version number as would be used for ordinary
4460 ClientHello, and MUST encode the supported TLS ciphersuites in the
4461 CIPHER-SPECS-DATA field as described below.
4463 Warning: The ability to send version 2.0 CLIENT-HELLO messages will be
4464 phased out with all due haste, since the newer ClientHello format
4465 provides better mechanisms for moving to newer versions and
4466 negotiating extensions. TLS 1.2 clients SHOULD NOT support SSL 2.0.
4468 However, even TLS servers that do not support SSL 2.0 SHOULD accept
4469 version 2.0 CLIENT-HELLO messages. The message is presented below in
4470 sufficient detail for TLS server implementors; the true definition is
4471 still assumed to be [SSL2].
4473 For negotiation purposes, 2.0 CLIENT-HELLO is interpreted the same
4474 way as a ClientHello with a "null" compression method and no
4475 extensions. Note that this message MUST be sent directly on the wire,
4476 not wrapped as a TLS record. For the purposes of calculating Finished
4477 and CertificateVerify, the msg_length field is not considered to be a
4478 part of the handshake message.
4480 uint8 V2CipherSpec[3];
4485 Dierks & Rescorla Standards Track [Page 83]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4488 struct {
4489 uint16 msg_length;
4490 uint8 msg_type;
4491 Version version;
4492 uint16 cipher_spec_length;
4493 uint16 session_id_length;
4494 uint16 challenge_length;
4495 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
4496 opaque session_id[V2ClientHello.session_id_length];
4497 opaque challenge[V2ClientHello.challenge_length;
4498 } V2ClientHello;
4500 msg_length
4501 The highest bit MUST be 1; the remaining bits contain the
4502 length of the following data in bytes.
4504 msg_type
4505 This field, in conjunction with the version field, identifies a
4506 version 2 client hello message. The value MUST be one (1).
4508 version
4509 Equal to ClientHello.client_version.
4511 cipher_spec_length
4512 This field is the total length of the field cipher_specs. It
4513 cannot be zero and MUST be a multiple of the V2CipherSpec length
4514 (3).
4516 session_id_length
4517 This field MUST have a value of zero for a client that claims to
4518 support TLS 1.2.
4520 challenge_length
4521 The length in bytes of the client's challenge to the server to
4522 authenticate itself. Historically, permissible values are between
4523 16 and 32 bytes inclusive. When using the SSLv2 backward
4524 compatible handshake the client SHOULD use a 32 byte challenge.
4526 cipher_specs
4527 This is a list of all CipherSpecs the client is willing and able
4528 to use. In addition to the 2.0 cipher specs defined in [SSL2],
4529 this includes the TLS cipher suites normally sent in
4530 ClientHello.cipher_suites, each cipher suite prefixed by a zero
4531 byte. For example, TLS ciphersuite {0x00,0x0A} would be sent as
4532 {0x00,0x00,0x0A}.
4534 session_id
4535 This field MUST be empty.
4539 Dierks & Rescorla Standards Track [Page 84]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4542 challenge
4543 Corresponds to ClientHello.random. If the challenge length is
4544 less than 32, the TLS server will pad the data with leading
4545 (note: not trailing) zero bytes to make it 32 bytes long.
4547 Note: Requests to resume a TLS session MUST use a TLS client hello.
4549 E.3. Avoiding Man-in-the-Middle Version Rollback
4551 When TLS clients fall back to Version 2.0 compatibility mode, they
4552 MUST use special PKCS#1 block formatting. This is done so that TLS
4553 servers will reject Version 2.0 sessions with TLS-capable clients.
4555 When a client negotiates SSL 2.0 but also supports TLS, it MUST set
4556 the right-hand (least-significant) 8 random bytes of the PKCS padding
4557 (not including the terminal null of the padding) for the RSA
4558 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
4559 to 0x03 (the other padding bytes are random).
4561 When a TLS-capable server negotiates SSL 2.0 it SHOULD, after
4562 decrypting the ENCRYPTED-KEY-DATA field, check that these eight
4563 padding bytes are 0x03. If they are not, the server SHOULD generate a
4564 random value for SECRET-KEY-DATA, and continue the handshake (which
4565 will eventually fail since the keys will not match). Note that
4566 reporting the error situation to the client could make the server
4567 vulnerable to attacks described in [BLEI].
4593 Dierks & Rescorla Standards Track [Page 85]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4596 Appendix F. Security Analysis
4598 The TLS protocol is designed to establish a secure connection between
4599 a client and a server communicating over an insecure channel. This
4600 document makes several traditional assumptions, including that
4601 attackers have substantial computational resources and cannot obtain
4602 secret information from sources outside the protocol. Attackers are
4603 assumed to have the ability to capture, modify, delete, replay, and
4604 otherwise tamper with messages sent over the communication channel.
4605 This appendix outlines how TLS has been designed to resist a variety
4606 of attacks.
4608 F.1. Handshake Protocol
4610 The handshake protocol is responsible for selecting a CipherSpec and
4611 generating a Master Secret, which together comprise the primary
4612 cryptographic parameters associated with a secure session. The
4613 handshake protocol can also optionally authenticate parties who have
4614 certificates signed by a trusted certificate authority.
4616 F.1.1. Authentication and Key Exchange
4618 TLS supports three authentication modes: authentication of both
4619 parties, server authentication with an unauthenticated client, and
4620 total anonymity. Whenever the server is authenticated, the channel is
4621 secure against man-in-the-middle attacks, but completely anonymous
4622 sessions are inherently vulnerable to such attacks. Anonymous
4623 servers cannot authenticate clients. If the server is authenticated,
4624 its certificate message must provide a valid certificate chain
4625 leading to an acceptable certificate authority. Similarly,
4626 authenticated clients must supply an acceptable certificate to the
4627 server. Each party is responsible for verifying that the other's
4628 certificate is valid and has not expired or been revoked.
4630 The general goal of the key exchange process is to create a
4631 pre_master_secret known to the communicating parties and not to
4632 attackers. The pre_master_secret will be used to generate the
4633 master_secret (see Section 8.1). The master_secret is required to
4634 generate the finished messages, encryption keys, and MAC secrets (see
4635 Sections 7.4.9 and 6.3). By sending a correct finished message,
4636 parties thus prove that they know the correct pre_master_secret.
4638 F.1.1.1. Anonymous Key Exchange
4640 Completely anonymous sessions can be established using Diffie-Hellman
4641 for key exchange. The server's public parameters are contained in the
4642 server key exchange message and the client's are sent in the client
4643 key exchange message. Eavesdroppers who do not know the private
4647 Dierks & Rescorla Standards Track [Page 86]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4650 values should not be able to find the Diffie-Hellman result (i.e. the
4651 pre_master_secret).
4654 Warning: Completely anonymous connections only provide protection
4655 against passive eavesdropping. Unless an independent tamper-
4656 proof channel is used to verify that the finished messages
4657 were not replaced by an attacker, server authentication is
4658 required in environments where active man-in-the-middle
4659 attacks are a concern.
4661 F.1.1.2. RSA Key Exchange and Authentication
4663 With RSA, key exchange and server authentication are combined. The
4664 public key is contained in the server's certificate. Note that
4665 compromise of the server's static RSA key results in a loss of
4666 confidentiality for all sessions protected under that static key. TLS
4667 users desiring Perfect Forward Secrecy should use DHE cipher suites.
4668 The damage done by exposure of a private key can be limited by
4669 changing one's private key (and certificate) frequently.
4671 After verifying the server's certificate, the client encrypts a
4672 pre_master_secret with the server's public key. By successfully
4673 decoding the pre_master_secret and producing a correct finished
4674 message, the server demonstrates that it knows the private key
4675 corresponding to the server certificate.
4677 When RSA is used for key exchange, clients are authenticated using
4678 the certificate verify message (see Section 7.4.8). The client signs
4679 a value derived from all preceding handshake messages. These
4680 handshake messages include the server certificate, which binds the
4681 signature to the server, and ServerHello.random, which binds the
4682 signature to the current handshake process.
4684 F.1.1.3. Diffie-Hellman Key Exchange with Authentication
4686 When Diffie-Hellman key exchange is used, the server can either
4687 supply a certificate containing fixed Diffie-Hellman parameters or
4688 use the server key exchange message to send a set of temporary
4689 Diffie-Hellman parameters signed with a DSS or RSA certificate.
4690 Temporary parameters are hashed with the hello.random values before
4691 signing to ensure that attackers do not replay old parameters. In
4692 either case, the client can verify the certificate or signature to
4693 ensure that the parameters belong to the server.
4695 If the client has a certificate containing fixed Diffie-Hellman
4696 parameters, its certificate contains the information required to
4697 complete the key exchange. Note that in this case the client and
4701 Dierks & Rescorla Standards Track [Page 87]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4704 server will generate the same Diffie-Hellman result (i.e.,
4705 pre_master_secret) every time they communicate. To prevent the
4706 pre_master_secret from staying in memory any longer than necessary,
4707 it should be converted into the master_secret as soon as possible.
4708 Client Diffie-Hellman parameters must be compatible with those
4709 supplied by the server for the key exchange to work.
4711 If the client has a standard DSS or RSA certificate or is
4712 unauthenticated, it sends a set of temporary parameters to the server
4713 in the client key exchange message, then optionally uses a
4714 certificate verify message to authenticate itself.
4716 If the same DH keypair is to be used for multiple handshakes, either
4717 because the client or server has a certificate containing a fixed DH
4718 keypair or because the server is reusing DH keys, care must be taken
4719 to prevent small subgroup attacks. Implementations SHOULD follow the
4720 guidelines found in [SUBGROUP].
4722 Small subgroup attacks are most easily avoided by using one of the
4723 DHE ciphersuites and generating a fresh DH private key (X) for each
4724 handshake. If a suitable base (such as 2) is chosen, g^X mod p can be
4725 computed very quickly, therefore the performance cost is minimized.
4726 Additionally, using a fresh key for each handshake provides Perfect
4727 Forward Secrecy. Implementations SHOULD generate a new X for each
4728 handshake when using DHE ciphersuites.
4730 Because TLS allows the server to provide arbitrary DH groups, the
4731 client should verify that the DH group is of suitable size as defined
4732 by local policy. The client SHOULD also verify that the DH public
4733 exponent appears to be of adequate size. [KEYSIZ] provides a useful
4734 guide to the strength of various group sizes. The server MAY choose
4735 to assist the client by providing a known group, such as those
4736 defined in [IKEALG] or [MODP]. These can be verified by simple
4737 comparison.
4739 F.1.2. Version Rollback Attacks
4741 Because TLS includes substantial improvements over SSL Version 2.0,
4742 attackers may try to make TLS-capable clients and servers fall back
4743 to Version 2.0. This attack can occur if (and only if) two TLS-
4744 capable parties use an SSL 2.0 handshake.
4746 Although the solution using non-random PKCS #1 block type 2 message
4747 padding is inelegant, it provides a reasonably secure way for Version
4748 3.0 servers to detect the attack. This solution is not secure against
4749 attackers who can brute force the key and substitute a new ENCRYPTED-
4750 KEY-DATA message containing the same key (but with normal padding)
4751 before the application specified wait threshold has expired. Altering
4755 Dierks & Rescorla Standards Track [Page 88]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4758 the padding of the least significant 8 bytes of the PKCS padding does
4759 not impact security for the size of the signed hashes and RSA key
4760 lengths used in the protocol, since this is essentially equivalent to
4761 increasing the input block size by 8 bytes.
4763 F.1.3. Detecting Attacks Against the Handshake Protocol
4765 An attacker might try to influence the handshake exchange to make the
4766 parties select different encryption algorithms than they would
4767 normally chooses.
4769 For this attack, an attacker must actively change one or more
4770 handshake messages. If this occurs, the client and server will
4771 compute different values for the handshake message hashes. As a
4772 result, the parties will not accept each others' finished messages.
4773 Without the master_secret, the attacker cannot repair the finished
4774 messages, so the attack will be discovered.
4776 F.1.4. Resuming Sessions
4778 When a connection is established by resuming a session, new
4779 ClientHello.random and ServerHello.random values are hashed with the
4780 session's master_secret. Provided that the master_secret has not been
4781 compromised and that the secure hash operations used to produce the
4782 encryption keys and MAC secrets are secure, the connection should be
4783 secure and effectively independent from previous connections.
4784 Attackers cannot use known encryption keys or MAC secrets to
4785 compromise the master_secret without breaking the secure hash
4786 operations.
4788 Sessions cannot be resumed unless both the client and server agree.
4789 If either party suspects that the session may have been compromised,
4790 or that certificates may have expired or been revoked, it should
4791 force a full handshake. An upper limit of 24 hours is suggested for
4792 session ID lifetimes, since an attacker who obtains a master_secret
4793 may be able to impersonate the compromised party until the
4794 corresponding session ID is retired. Applications that may be run in
4795 relatively insecure environments should not write session IDs to
4796 stable storage.
4798 F.2. Protecting Application Data
4800 The master_secret is hashed with the ClientHello.random and
4801 ServerHello.random to produce unique data encryption keys and MAC
4802 secrets for each connection.
4809 Dierks & Rescorla Standards Track [Page 89]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4812 Outgoing data is protected with a MAC before transmission. To prevent
4813 message replay or modification attacks, the MAC is computed from the
4814 MAC secret, the sequence number, the message length, the message
4815 contents, and two fixed character strings. The message type field is
4816 necessary to ensure that messages intended for one TLS Record Layer
4817 client are not redirected to another. The sequence number ensures
4818 that attempts to delete or reorder messages will be detected. Since
4819 sequence numbers are 64 bits long, they should never overflow.
4820 Messages from one party cannot be inserted into the other's output,
4821 since they use independent MAC secrets. Similarly, the server-write
4822 and client-write keys are independent, so stream cipher keys are used
4823 only once.
4825 If an attacker does break an encryption key, all messages encrypted
4826 with it can be read. Similarly, compromise of a MAC key can make
4827 message modification attacks possible. Because MACs are also
4828 encrypted, message-alteration attacks generally require breaking the
4829 encryption algorithm as well as the MAC.
4831 Note: MAC secrets may be larger than encryption keys, so messages can
4832 remain tamper resistant even if encryption keys are broken.
4834 F.3. Explicit IVs
4836 [CBCATT] describes a chosen plaintext attack on TLS that depends on
4837 knowing the IV for a record. Previous versions of TLS [TLS1.0] used
4838 the CBC residue of the previous record as the IV and therefore
4839 enabled this attack. This version uses an explicit IV in order to
4840 protect against this attack.
4842 F.4. Security of Composite Cipher Modes
4844 TLS secures transmitted application data via the use of symmetric
4845 encryption and authentication functions defined in the negotiated
4846 ciphersuite. The objective is to protect both the integrity and
4847 confidentiality of the transmitted data from malicious actions by
4848 active attackers in the network. It turns out that the order in
4849 which encryption and authentication functions are applied to the data
4850 plays an important role for achieving this goal [ENCAUTH].
4852 The most robust method, called encrypt-then-authenticate, first
4853 applies encryption to the data and then applies a MAC to the
4854 ciphertext. This method ensures that the integrity and
4855 confidentiality goals are obtained with ANY pair of encryption and
4856 MAC functions, provided that the former is secure against chosen
4857 plaintext attacks and that the MAC is secure against chosen-message
4858 attacks. TLS uses another method, called authenticate-then-encrypt,
4859 in which first a MAC is computed on the plaintext and then the
4863 Dierks & Rescorla Standards Track [Page 90]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4866 concatenation of plaintext and MAC is encrypted. This method has
4867 been proven secure for CERTAIN combinations of encryption functions
4868 and MAC functions, but it is not guaranteed to be secure in general.
4869 In particular, it has been shown that there exist perfectly secure
4870 encryption functions (secure even in the information-theoretic sense)
4871 that combined with any secure MAC function, fail to provide the
4872 confidentiality goal against an active attack. Therefore, new
4873 ciphersuites and operation modes adopted into TLS need to be analyzed
4874 under the authenticate-then-encrypt method to verify that they
4875 achieve the stated integrity and confidentiality goals.
4877 Currently, the security of the authenticate-then-encrypt method has
4878 been proven for some important cases. One is the case of stream
4879 ciphers in which a computationally unpredictable pad of the length of
4880 the message, plus the length of the MAC tag, is produced using a
4881 pseudo-random generator and this pad is xor-ed with the concatenation
4882 of plaintext and MAC tag. The other is the case of CBC mode using a
4883 secure block cipher. In this case, security can be shown if one
4884 applies one CBC encryption pass to the concatenation of plaintext and
4885 MAC and uses a new, independent, and unpredictable IV for each new
4886 pair of plaintext and MAC. In versions of TLS prior to 1.1, CBC mode
4887 was used properly EXCEPT that it used a predictable IV in the form of
4888 the last block of the previous ciphertext. This made TLS open to
4889 chosen plaintext attacks. This version of the protocol is immune to
4890 those attacks. For exact details in the encryption modes proven
4891 secure, see [ENCAUTH].
4893 F.5 Denial of Service
4895 TLS is susceptible to a number of denial of service (DoS) attacks.
4896 In particular, an attacker who initiates a large number of TCP
4897 connections can cause a server to consume large amounts of CPU doing
4898 RSA decryption. However, because TLS is generally used over TCP, it
4899 is difficult for the attacker to hide his point of origin if proper
4900 TCP SYN randomization is used [SEQNUM] by the TCP stack.
4902 Because TLS runs over TCP, it is also susceptible to a number of
4903 denial of service attacks on individual connections. In particular,
4904 attackers can forge RSTs, thereby terminating connections, or forge
4905 partial TLS records, thereby causing the connection to stall. These
4906 attacks cannot in general be defended against by a TCP-using
4907 protocol. Implementors or users who are concerned with this class of
4908 attack should use IPsec AH [AH] or ESP [ESP].
4917 Dierks & Rescorla Standards Track [Page 91]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4920 F.6 Final Notes
4922 For TLS to be able to provide a secure connection, both the client
4923 and server systems, keys, and applications must be secure. In
4924 addition, the implementation must be free of security errors.
4926 The system is only as strong as the weakest key exchange and
4927 authentication algorithm supported, and only trustworthy
4928 cryptographic functions should be used. Short public keys and
4929 anonymous servers should be used with great caution. Implementations
4930 and users must be careful when deciding which certificates and
4931 certificate authorities are acceptable; a dishonest certificate
4932 authority can do tremendous damage.
4934 Changes in This Version
4936 [RFC Editor: Please delete this]
4938 - Redid the hash function advertisements for CertificateRequest
4939 and the client-side extension. They are now pairs of
4940 hash/signature and the semantics are clearly defined for
4941 all uses of signatures (hopefully). [Issue 41]
4943 - Clarified the DH group checking per list discussion [Issue 35]
4945 - Added a note about DSS vs. DSA [Issue 58]
4947 - Editorial issues [Issue 59]
4949 - Cleaned up certificate text in 7.4.2 and 7.4.6 [Issue 57]
4951 Normative References
4952 [AES] National Institute of Standards and Technology,
4953 "Specification for the Advanced Encryption Standard (AES)"
4954 FIPS 197. November 26, 2001.
4956 [3DES] National Institute of Standards and Technology,
4957 "Recommendation for the Triple Data Encryption Algorithm
4958 (TDEA) Block Cipher", NIST Special Publication 800-67, May
4959 2004.
4961 [DES] National Institute of Standards and Technology, "Data
4962 Encryption Standard (DES)", FIPS PUB 46-3, October 1999.
4964 [DSS] NIST FIPS PUB 186-2, "Digital Signature Standard," National
4965 Institute of Standards and Technology, U.S. Department of
4966 Commerce, 2000.
4971 Dierks & Rescorla Standards Track [Page 92]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
4974 [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
4975 Hashing for Message Authentication", RFC 2104, February
4976 1997.
4978 [IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH
4979 Series in Information Processing, v. 1, Konstanz: Hartung-
4980 Gorre Verlag, 1992.
4982 [MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
4983 April 1992.
4985 [PKCS1] J. Jonsson, B. Kaliski, "Public-Key Cryptography Standards
4986 (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC
4987 3447, February 2003.
4989 [PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet X.509
4990 Public Key Infrastructure Certificate and Certificate
4991 Revocation List (CRL) Profile", RFC 3280, April 2002.
4993 [RC2] Rivest, R., "A Description of the RC2(r) Encryption
4994 Algorithm", RFC 2268, March 1998.
4996 [SCH] B. Schneier. "Applied Cryptography: Protocols, Algorithms,
4997 and Source Code in C, 2nd ed.", Published by John Wiley &
4998 Sons, Inc. 1996.
5000 [SHA] NIST FIPS PUB 180-2, "Secure Hash Standard," National
5001 Institute of Standards and Technology, U.S. Department of
5002 Commerce., August 2001.
5004 [REQ] Bradner, S., "Key words for use in RFCs to Indicate
5005 Requirement Levels", BCP 14, RFC 2119, March 1997.
5007 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
5008 IANA Considerations Section in RFCs", BCP 25, RFC 2434,
5009 October 1998.
5011 Informative References
5013 [AEAD] Mcgrew, D., "Authenticated Encryption", February 2007,
5014 draft-mcgrew-auth-enc-02.txt.
5016 [AH] Kent, S., and Atkinson, R., "IP Authentication Header", RFC
5017 4302, December 2005.
5019 [BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against
5020 Protocols Based on RSA Encryption Standard PKCS #1" in
5021 Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages:
5025 Dierks & Rescorla Standards Track [Page 93]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
5028 1-12, 1998.
5030 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
5031 Problems and Countermeasures",
5032 http://www.openssl.org/~bodo/tls-cbc.txt.
5034 [CBCTIME] Canvel, B., Hiltgen, A., Vaudenay, S., and M. Vuagnoux,
5035 "Password Interception in a SSL/TLS Channel", Advances in
5036 Cryptology -- CRYPTO 2003, LNCS vol. 2729, 2003.
5038 [CCM] "NIST Special Publication 800-38C: The CCM Mode for
5039 Authentication and Confidentiality",
5040 http://csrc.nist.gov/publications/nistpubs/800-38C/
5041 SP800-38C.pdf
5043 [ENCAUTH] Krawczyk, H., "The Order of Encryption and Authentication
5044 for Protecting Communications (Or: How Secure is SSL?)",
5045 Crypto 2001.
5047 [ESP] Kent, S., and Atkinson, R., "IP Encapsulating Security
5048 Payload (ESP)", RFC 4303, December 2005.
5050 [FI06] Hal Finney, "Bleichenbacher's RSA signature forgery based on
5051 implementation error", ietf-openpgp@imc.org mailing list, 27
5052 August 2006, http://www.imc.org/ietf-openpgp/mail-
5053 archive/msg14307.html.
5055 [GCM] "NIST Special Publication 800-38D DRAFT (June, 2007):
5056 Recommendation for Block Cipher Modes of Operation:
5057 Galois/Counter Mode (GCM) and GMAC"
5059 [IKEALG] Schiller, J., "Cryptographic Algorithms for Use in the
5060 Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December
5061 2005.
5063 [KEYSIZ] Orman, H., and Hoffman, P., "Determining Strengths For
5064 Public Keys Used For Exchanging Symmetric Keys" RFC 3766,
5065 April 2004.
5067 [KPR03] Klima, V., Pokorny, O., Rosa, T., "Attacking RSA-based
5068 Sessions in SSL/TLS", http://eprint.iacr.org/2003/052/,
5069 March 2003.
5071 [MODP] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
5072 Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC
5073 3526, May 2003.
5075 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax
5079 Dierks & Rescorla Standards Track [Page 94]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
5082 Standard," version 1.5, November 1993.
5084 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax
5085 Standard," version 1.5, November 1993.
5087 [RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
5088 "Randomness Requirements for Security", BCP 106, RFC 4086,
5089 June 2005.
5091 [RFC3749] Hollenbeck, S., "Transport Layer Security Protocol
5092 Compression Methods", RFC 3749, May 2004.
5094 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
5095 Wright, T., "Transport Layer Security (TLS) Extensions", RFC
5096 4366, April 2006.
5098 [RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
5099 Obtaining Digital Signatures and Public-Key Cryptosystems,"
5100 Communications of the ACM, v. 21, n. 2, Feb 1978, pp.
5101 120-126.
5103 [SEQNUM] Bellovin. S., "Defending Against Sequence Number Attacks",
5104 RFC 1948, May 1996.
5106 [SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications
5107 Corp., Feb 9, 1995.
5109 [SSL3] A. Freier, P. Karlton, and P. Kocher, "The SSL 3.0
5110 Protocol", Netscape Communications Corp., Nov 18, 1996.
5112 [SUBGROUP] Zuccherato, R., "Methods for Avoiding the "Small-Subgroup"
5113 Attacks on the Diffie-Hellman Key Agreement Method for
5114 S/MIME", RFC 2785, March 2000.
5116 [TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793,
5117 September 1981.
5119 [TIMING] Boneh, D., Brumley, D., "Remote timing attacks are
5120 practical", USENIX Security Symposium 2003.
5122 [TLSAES] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites
5123 for Transport Layer Security (TLS)", RFC 3268, June 2002.
5125 [TLSECC] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and
5126 Moeller, B., "Elliptic Curve Cryptography (ECC) Cipher
5127 Suites for Transport Layer Security (TLS)", RFC 4492, May
5128 2006.
5133 Dierks & Rescorla Standards Track [Page 95]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
5136 [TLSEXT] Eastlake, D.E., "Transport Layer Security (TLS) Extensions:
5137 Extension Definitions", July 2007, draft-ietf-tls-
5138 rfc4366-bis-00.txt.
5140 [TLSPGP] Mavrogiannopoulos, N., "Using OpenPGP keys for TLS
5141 authentication", draft-ietf-tls-openpgp-keys-11, July 2006.
5143 [TLSPSK] Eronen, P., Tschofenig, H., "Pre-Shared Key Ciphersuites
5144 for Transport Layer Security (TLS)", RFC 4279, December
5145 2005.
5147 [TLS1.0] Dierks, T., and C. Allen, "The TLS Protocol, Version 1.0",
5148 RFC 2246, January 1999.
5150 [TLS1.1] Dierks, T., and E. Rescorla, "The TLS Protocol, Version
5151 1.1", RFC 4346, April, 2006.
5153 [X501] ITU-T Recommendation X.501: Information Technology - Open
5154 Systems Interconnection - The Directory: Models, 1993.
5156 [XDR] Eisler, M., "External Data Representation Standard", RFC
5157 4506, May 2006.
5160 Credits
5162 Working Group Chairs
5163 Eric Rescorla
5164 EMail: ekr@networkresonance.com
5166 Pasi Eronen
5167 pasi.eronen@nokia.com
5170 Editors
5172 Tim Dierks Eric Rescorla
5173 Independent Network Resonance, Inc.
5175 EMail: tim@dierks.org EMail: ekr@networkresonance.com
5179 Other contributors
5181 Christopher Allen (co-editor of TLS 1.0)
5182 Alacrity Ventures
5183 ChristopherA@AlacrityManagement.com
5187 Dierks & Rescorla Standards Track [Page 96]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
5190 Martin Abadi
5191 University of California, Santa Cruz
5192 abadi@cs.ucsc.edu
5194 Steven M. Bellovin
5195 Columbia University
5196 smb@cs.columbia.edu
5198 Simon Blake-Wilson
5199 BCI
5200 EMail: sblakewilson@bcisse.com
5202 Ran Canetti
5203 IBM
5204 canetti@watson.ibm.com
5206 Pete Chown
5207 Skygate Technology Ltd
5208 pc@skygate.co.uk
5210 Taher Elgamal
5211 taher@securify.com
5212 Securify
5214 Anil Gangolli
5215 anil@busybuddha.org
5217 Kipp Hickman
5219 Alfred Hoenes
5221 David Hopwood
5222 Independent Consultant
5223 EMail: david.hopwood@blueyonder.co.uk
5225 Phil Karlton (co-author of SSLv3)
5227 Paul Kocher (co-author of SSLv3)
5228 Cryptography Research
5229 paul@cryptography.com
5231 Hugo Krawczyk
5232 Technion Israel Institute of Technology
5233 hugo@ee.technion.ac.il
5235 Jan Mikkelsen
5236 Transactionware
5237 EMail: janm@transactionware.com
5241 Dierks & Rescorla Standards Track [Page 97]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
5244 Magnus Nystrom
5245 RSA Security
5246 EMail: magnus@rsasecurity.com
5248 Robert Relyea
5249 Netscape Communications
5250 relyea@netscape.com
5252 Jim Roskind
5253 Netscape Communications
5254 jar@netscape.com
5256 Michael Sabin
5258 Dan Simon
5259 Microsoft, Inc.
5260 dansimon@microsoft.com
5262 Tom Weinstein
5264 Tim Wright
5265 Vodafone
5266 EMail: timothy.wright@vodafone.com
5268 Comments
5270 The discussion list for the IETF TLS working group is located at the
5271 e-mail address <tls@ietf.org>. Information on the group and
5272 information on how to subscribe to the list is at
5273 <https://www1.ietf.org/mailman/listinfo/tls>
5275 Archives of the list can be found at:
5276 <http://www.ietf.org/mail-archive/web/tls/current/index.html>
5295 Dierks & Rescorla Standards Track [Page 98]\fdraft-ietf-tls-rfc4346-bis-06.txt TLS October 2007
5298 Full Copyright Statement
5300 Copyright (C) The IETF Trust (2007).
5302 This document is subject to the rights, licenses and restrictions
5303 contained in BCP 78, and except as set forth therein, the authors
5304 retain all their rights.
5306 This document and the information contained herein are provided on an
5307 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
5308 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
5309 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
5310 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
5311 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
5312 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
5315 Intellectual Property
5317 The IETF takes no position regarding the validity or scope of any
5318 Intellectual Property Rights or other rights that might be claimed to
5319 pertain to the implementation or use of the technology described in
5320 this document or the extent to which any license under such rights
5321 might or might not be available; nor does it represent that it has
5322 made any independent effort to identify any such rights. Information
5323 on the procedures with respect to rights in RFC documents can be
5324 found in BCP 78 and BCP 79.
5326 Copies of IPR disclosures made to the IETF Secretariat and any
5327 assurances of licenses to be made available, or the result of an
5328 attempt made to obtain a general license or permission for the use of
5329 such proprietary rights by implementers or users of this
5330 specification can be obtained from the IETF on-line IPR repository at
5331 http://www.ietf.org/ipr.
5333 The IETF invites any interested party to bring to its attention any
5334 copyrights, patents or patent applications, or other proprietary
5335 rights that may cover technology that may be required to implement
5336 this standard. Please address the information to the IETF at
5337 ietf-ipr@ietf.org.
5340 Acknowledgment
5342 Funding for the RFC Editor function is provided by the IETF
5343 Administrative Support Activity (IASA).
5349 Dierks & Rescorla Standards Track [Page 99]\f