Transport Layer Security

Non-Actionable

Please do not make new edits to the text.    

Template:Cnote2 begin Template:Cnote2 Template:Cnote2 Template:Cnote2 end

A paper presented at the 2012 ACM conference on computer and communications security<ref>Template:Cite book</ref> showed that few applications used some of these SSL libraries incorrectly, leading to vulnerabilities. According to the authors

"the root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."

Other uses

The Simple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications use public key certificates to verify the identity of endpoints.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN and OpenConnect. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.Template:Citation needed

Security

SSL 2.0

SSL 2.0 is flawed in a variety of ways:<ref>Template:Cite journal</ref>

• Identical cryptographic keys are used for message authentication and encryption.
• SSL 2.0 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks.
• SSL 2.0 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go undetected.
• SSL 2.0 uses the T***** connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a T***** FIN, leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixes this problem by having an explicit closure alert).
• SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtual hosting in Web servers. This means that most websites are practically impaired from using SSL.

SSL 2.0 is disabled by default, beginning with Internet Explorer 7,<ref>Template:Cite web</ref> Mozilla Firefox 2,<ref>Template:Cite web</ref> Opera 9.5,<ref>"Opera 9.5 for Windows Changelog" at Opera.com: "Disabled SSL v2 and weak ciphers."</ref> and Safari. After it sends a TLS "ClientHello", if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 "ClientHello" in SSL 2.0 format to maximize the likelihood of successfully handshaking with older servers.<ref>Template:Cite web</ref> Support for SSL 2.0 (and weak 40-bit and 56-bit ciphers) has been removed completely from Opera as of version 10.<ref>"Opera 10 for Windows changelog" at Opera.com: "Removed support for SSL v2 and weak ciphers"</ref><ref>Template:Cite webTemplate:Dead link</ref>

SSL 3.0

SSL 3.0 improved upon SSL 2.0 by adding SHA-1–based ciphers and support for certificate authentication.

From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master key that is established depends on both MD5 and SHA-1 so its derivation process is not currently considered weak. It is for this reason that SSL 3.0 implementations cannot be validated under FIPS 140-2.<ref>Template:Cite web</ref>

TLS

TLS has a variety of security measures:

• Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
• Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs).
• Using a message digest enhanced with a key (so only a key-holder can check the MAC). The HMAC construction used by most TLS cipher suites is specified in RFC 2104 (SSL 3.0 used a different hash-based MAC).
• The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties.
• The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these algorithms is found to be vulnerable.

Attacks against TLS/SSL

Significant attacks against TLS/SSL are listed below:

Renegotiation attack

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS. For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.<ref>Template:Cite web</ref> This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries.<ref>Template:Cite web</ref><ref>Template:Cite web</ref><ref>Template:Cite web</ref>

Version rollback attacks

Modifications to the original protocols, like False Start<ref>Template:Cite web</ref> (adopted and enabled by Google Chrome<ref>Template:Cite web</ref>) or Snap Start, have reportedly introduced limited TLS protocol version rollback attacks<ref>Template:Cite web</ref> or allowed modifications to the cipher suite list sent by the client to the server (an attacker may succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite strength, to use either a weaker symmetric encryption algorithm or a weaker key exchange<ref> Template:Cite web</ref>). A paper presented at an Association for Computing Machinery (ACM) conference on computer and communications security in 2012 demonstrates that the False Start extension is at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.<ref> Template:Cite book </ref>

BEAST attack

On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called BEAST (Browser Exploit Against SSL/TLS)<ref name=DuongRizzo>Template:Cite web</ref> using a Java applet to violate same origin policy constraints, for a long-known cipher block chaining (CBC) vulnerability in TLS 1.0.<ref name=DanGoodin>Template:Cite web</ref><ref name=combinator>Template:Cite web</ref> Practical exploits had not been previously demonstrated for this vulnerability, which was originally discovered by Phillip Rogaway<ref>Template:Cite web</ref> in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.

Mozilla updated the development versions of their NSS libraries to mitigate BEAST-like attacks. NSS is used by Mozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of the SSL specification may stop working as a result.<ref>Template:Cite web</ref>

Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets.<ref>Template:Cite web</ref>

Users of Windows 7, Windows 8 and Windows Server 2008 R2 can enable use of TLS 1.1 and 1.2, but this workaround will fail if it is not supported by the other end of the connection and will result in a fall-back to TLS 1.0.

Template:Anchor CRIME and BREACH attacks

Template:Main The authors of the BEAST attack are also the creators of the later CRIME attack, which can allow an attacker to recover the content of web cookies when data compression is used along with TLS.<ref>Template:Cite web</ref><ref>Template:Cite webTemplate:Dead link</ref> When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session.

While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was announced. Built based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).<ref name=Gooin20130801>Template:Cite web</ref> All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.<ref>Template:Cite web</ref> Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.<ref name=Gooin20130801/> This is a known limitation of TLS as it is susceptible to chosen-plaintext attack against the application-layer data it was meant to protect.

Padding attacks

Earlier TLS versions were vulnerable against the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thir***** attack, was published in 2013. As of February 2013, TLS implementors were still working on developing fixes to protect against this form of attack.

RC4 attacks

In spite of existing attacks on RC4 that break it, the cipher suites based on RC4 in SSL and TLS were at one time considered secure because of the way the cipher was used in these protocols defeated the attacks that broke RC4 until new attacks disclosed in March 2013 allowed RC4 in TLS to be feasibly completely broken. In 2011 the RC4 suite was actually recommended as a work around for the BEAST attack.<ref>security – Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune – Server Fault</ref> In 2013 a vulnerability was discovered in RC4 suggesting it was not a good workaround for BEAST.<ref name="community.qualys"/> An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table<ref>Template:Cite journal</ref> to recover parts of the plaintext with a large number of TLS encryptions.<ref>Template:Cite web</ref><ref>Template:Cite web</ref> A double-byte bias attack on RC4 in TLS and SSL that requires 13 × 2²⁰ encryptions to break RC4 was unveiled on 8 July 2013, and it was described as "feasible" in the accompanying presentation at the 22nd USENIX Security Symposium on August 15, 2013.<ref>Template:Cite journal</ref><ref>Template:Cite conference</ref>

However, many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.8 or earlier, for iOS 6 or earlier, and for Windows; see #Web browsers). As a result, RC4 is not the best choice for TLS 1.0 anymore. The CBC ciphers which were affected by the BEAST attack in the past are becoming a more popular choice for protection.<ref name="best-practices"/>

Microsoft recommends disabling RC4 where possible.<ref>Template:Cite web</ref><ref>Template:Cite web</ref>

Truncation attack

A TLS truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted T***** FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination.<ref name=register20130801>Template:Cite web</ref>

Published in July 2013,<ref>Template:Cite web</ref> the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).<ref name=register20130801/> This vulnerability also requires access to the victim's computer.

Heartbleed Bug

The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the data payloads. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).<ref>Template:Cite web</ref>

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<ref>Template:Cite web</ref>

Survey of websites

Template:As of, Trustworthy Internet Movement estimate the ratio of websites that are vulnerable to TLS attacks.<ref name="trustworthy_ssl_pulse" />

Forward secrecy

Template:Main Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.<ref>Template:Cite journal</ref> An implementation of TLS can provide forward secrecy by requiring the use of ephemeral Diffie-Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g., Gmail and other Google HTTPS services that use OpenSSL.<ref>Template:Cite web</ref> However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.<ref>Template:Cite web</ref><ref>Template:Cite web</ref> Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided of course that these past sessions were intercepted and stored at the time of transmission).<ref>Discussion on the TLS mailing list in October 2007</ref> In practice, unless a web service uses Diffie-Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.<ref>Template:Cite web</ref>

Even where Diffie-Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use of TLS session tickets (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.<ref name="botchingpfs"/><ref name="ticketsecwp"/><ref name="ticketsecslides"/>

Since late 2011, Google has provided forward secrecy with TLS by default to users of its Gmail service, along with Google Docs and encrypted search among other services.<ref name="googleLongTerm">Template:Cite web</ref> Since November 2013, Twitter has provided forward secrecy with TLS to users of its service.<ref>Template:Cite web</ref> Template:As of, 12.6% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers.<ref name="trustworthy_ssl_pulse" />

Avoiding Triple-DES CBC

Some experts recommend avoiding Triple-DES CBC. Since the last supported ciphers developed to support any program using Windows XP's SSL/TLS library like Internet Explorer on Windows XP are RC4 and Triple-DES, this makes it difficult to support SSL for any program using this library on XP.<ref name="best-practices"/>

Dealing with MITM attacks

Template:Main

Certificate pinning

One way to detect and block many kinds of MITM attacks is "certificate pinning", sometimes called "SSL pinning".<ref> "Certificate Pinning". </ref> A client that does certificate pinning adds an extra step to the normal TLS protocol or SSL protocol: After obtaining the server's certificate in the standard way, the client checks the server's certificate against trusted validation data. Typically the trusted validation data is bundled with the application, in the form of a trusted copy of that certificate, or a trusted hash or fingerprint of that certificate or the certificate's public key. For example, Chromium and Google Chrome include validation data for the *.google.com certificate that detected fraudulent certificates in 2011.

In other systems the client hopes that the first time it obtains a server's certificate it is trustworthy and stores it; during later sessions with that server, the client checks the server's certificate against the stored certificate to guard against later MITM attacks.

Perspectives Project

The Perspectives Project<ref>Perspectives Project</ref> operates network notaries that clients can use to detect if a site's certificate has changed. By their nature, man-in-the-middle attacks place the attacker between the destination and a single specific target. As such, Perspectives would warn the target that the certificate delivered to the web browser does not match the certificate seen from other perspectives - the perspectives of other users in different times and places. Use of network notaries from a multitude of perspectives makes it possible for a target to detect an attack even if a certificate appears to be completely valid.

Protocol details

The TLS protocol exchanges records—which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.

TLS handshake

When the connection starts, the record encapsulates a "control" protocol—the handshake messaging protocol  (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the messages formatting or containing this information and the order of their exchange. These may vary according to the demands of the client and server—i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).

Basic TLS handshake

A simple connection example follows, illustrating a handshake where the server (but not the client) is authenticated by its certificate:

1. Negotiation phase:
   • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested CipherSuites and suggested compression methods. If the client is attempting to perform a resumed handshake, it may send a session ID.
   • The server responds with a ServerHello message, containing the chosen protocol version, a random number, CipherSuite and compression method from the choices offered by the client. To confirm or allow resumed handshakes the server may send a session ID. The chosen protocol version should be the highest that both the client and server support. For example, if the client supports TLS1.1 and the server supports TLS1.2, TLS1.1 should be selected; SSL 3.0 should not be selected.
   • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).<ref name="openpgp">These certificates are currently X.509, but RFC 6091 also specifies the use of OpenPGP-based certificates.</ref>
   • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.<ref name=RFC5246>Template:Cite web</ref>
   • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
   • The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
   • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.
   • Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.
   • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated)."
   • The server sends its authenticated and encrypted Finished message.
   • The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not authenticate.

Client-authenticated TLS handshake

The following full example shows a client being authenticated (in addition to the server like above) via TLS using certificates exchanged between both peers.

1. Negotiation Phase:
   • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
   • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.
   • The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).<ref name="openpgp"/>
   • The server sends its ServerKeyExchange message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE and DH_anon ciphersuites.<ref name=RFC5246>Template:Cite web</ref>
   • The server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message.
   • The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
   • The client responds with a Certificate message, which contains the client's certificate.
   • The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key of the server certificate.
   • The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
   • The client and server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). " The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
   • Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
   • The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). "
   • The server sends its own encrypted Finished message.
   • The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.

Apart from the performance benefit, resumed sessions can also be used for single sign-on as it is guaranteed that both the original session as well as any resumed session originate from the same client. This is of particular importance for the FTP over TLS/SSL protocol which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.<ref>Template:Cite web</ref>

Session IDs

In an ordinary full handshake, the server sends a session id as part of the ServerHello message. The client associates this session id with the server's IP address and T***** port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

1. Negotiation phase:
   • A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the session id from the previous TLS connection.
   • The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the session id sent by the client, it responds with the same session id. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the session id sent by the client, it sends a different value for its session id. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the "master secret" and random data to generate the key data to be used for this connection.
2. The server now sends a ChangeCipherSpec record, essentially telling the client, "Everything I tell you from now on will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
   • Finally, the server sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
   • The client will attempt to decrypt the server's Finished message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
3. Finally, the client sends a ChangeCipherSpec, telling the server, "Everything I tell you from now on will be encrypted. "
   • The client sends its own encrypted Finished message.
   • The server performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their Finished message.

Session tickets

RFC 5077 extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.

When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.

One particular weakness of this method is that it always limits encryption and authentication security of the transmitted TLS session ticket to AES128-CBC-SHA256, no matter what other TLS parameters were negotiated for the actual TLS session.<ref name="ticketsecwp">Template:Cite web</ref> This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (SSL_CTX), i.e. for the life of the application, and not allowing for re-keying of the AES128-CBC-SHA256 TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).<ref name="ticketsecslides">Template:Cite web</ref><ref name="botchingpfs">Template:Cite web</ref>

TLS record

This is the general format of all TLS records.

Content type

This field identifies the Record Layer Protocol Type contained in this Record.

Version

This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.

Length

The length of Protocol message(s), MAC and Padding, not to exceed 2¹⁴ bytes (16 KiB).

Protocol message(s)

One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.

MAC and Padding

A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.

No MAC or Padding can be present at end of TLS records before all cipher algorithms and parameters have been negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) for signalling that these parameters will take effect in all further records sent by the same peer.

Handshake protocol

Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).

Message type

This field identifies the Handshake message type.

Handshake message data length

This is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple Handshake messages may be combined within one record.

Alert protocol

This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

Level

This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).

Normal closure of a session after termination of the transported application should preferably be alerted with at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).

Description

This field identifies which type of alert is being sent.

ChangeCipherSpec protocol

CCS protocol type

Currently only 1.

Application protocol

Length

Length of Application data (excluding the protocol header and including the MAC and padding trailers)

MAC

20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.

Padding

Variable length; last byte contains the padding length.

Support for name-based virtual servers

From the application protocol point of view, TLS belongs to a lower layer, although the T*****/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the application protocol can start. In the name-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

There are two known workarounds provided by X.509:

• If all virtual servers belong to the same domain, a wildcard certificate can be used. Besides the loose host name selection that might be a problem or not, there is no common agreement about how to match wildcard certificates. Different rules are applied depending on the application protocol or software used.<ref name=SWITCH-vhosts>Template:Cite web</ref>
• Add every virtual host name in the subjectAltName extension. The major problem being that the certificate needs to be reissued whenever a new virtual server is added.

In order to provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a Server Name Indication extension (SNI) in the extended ClientHello message. This extension hints the server immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to the client.

Standards

The current approved version of TLS is version 1.2, which is specified in:

• RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".

The current standard replaces these former versions, which are now considered obsolete:

• RFC 2246: "The TLS Protocol Version 1.0".
• RFC 4346: "The Transport Layer Security (TLS) Protocol Version 1.1".

as well as the never standardized SSL 2.0 and 3.0:

• Template:Cite web This Internet Draft defines the now completely broken SSL 2.0.
• RFC 6101: "The Secure Sockets Layer (SSL) Protocol Version 3.0".

Other RFCs subsequently extended TLS.

Extensions to TLS 1.0 include:

• RFC 2595: "Using TLS with IMAP, POP3 and ACAP". Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 2712: "Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)". The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have already been assigned.
• RFC 2817: "Upgrading to TLS Within HTTP/1.1", explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing T***** connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
• RFC 2818: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
• RFC 3207: "SMTP Service Extension for Secure SMTP over Transport Layer Security". Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
• RFC 3268: "AES Ciphersuites for TLS". Adds Advanced Encryption Standard (AES) cipher suites to the previously existing symmetric ciphers.
• RFC 3546: "Transport Layer Security (TLS) Extensions", adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
• RFC 3749: "Transport Layer Security Protocol Compression Methods", specifies the framework for compression methods and the DEFLATE compression method.
• RFC 3943: "Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)".
• RFC 4132: "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)".
• RFC 4162: "Addition of SEED Cipher Suites to Transport Layer Security (TLS)".
• RFC 4217: "Securing FTP with TLS".
• RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", adds three sets of new cipher suites for the TLS protocol to support authentication based on pre-shared keys.

Extensions to TLS 1.1 include:

• RFC 4347: "Datagram Transport Layer Security" specifies a TLS variant that works over datagram protocols (such as UDP).
• RFC 4366: "Transport Layer Security (TLS) Extensions" describes both a set of specific extensions and a generic extension mechanism.
• RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".
• RFC 4680: "TLS Handshake Message for Supplemental Data".
• RFC 4681: "TLS User Mapping Extension".
• RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)".
• RFC 5054: "Using the Secure Remote Password (SRP) Protocol for TLS Authentication". Defines the TLS-SRP ciphersuites.
• RFC 5077: "Transport Layer Security (TLS) Session Resumption without Server-Side State".
• RFC 5081: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication", obsoleted by RFC 6091.

Extensions to TLS 1.2 include:

• RFC 5288: "AES Galois Counter Mode (GCM) Cipher Suites for TLS".
• RFC 5289: "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)".
• RFC 5746: "Transport Layer Security (TLS) Renegotiation Indication Extension".
• RFC 5878: "Transport Layer Security (TLS) Authorization Extensions".
• RFC 5932: "Camellia Cipher Suites for TLS"
• RFC 6066: "Transport Layer Security (TLS) Extensions: Extension Definitions", includes Server Name Indication and OCSP stapling.
• RFC 6091: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication".
• RFC 6176: "Prohibiting Secure Sockets Layer (SSL) Version 2.0".
• RFC 6209: "Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)".
• RFC 6347: "Datagram Transport Layer Security Version 1.2".
• RFC 6367: "Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)"
• RFC 6460: "Suite B Profile for Transport Layer Security (TLS)".
• RFC 6655: "AES-CCM Cipher Suites for Transport Layer Security (TLS)"
• RFC 7027: "Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)".

Encapsulations of TLS include:

• RFC 5216: "The EAP-TLS Authentication Protocol"

See also

Template:Portal

• Bullrun (decryption program) – a secret anti-encryption program run by the U.S. National Security Agency
• Datagram Transport Layer Security – specifies a TLS variant that works over datagram protocols (such as UDP)
• Extended Validation Certificate
• Heartbleed – bug in OpenSSL
• Key ring file
• Multiplexed Transport Layer Security
• Application-Layer Protocol Negotiation – a TLS extension used for SPDY and TLS False Start
• Obfuscated T*****
• RdRand
• Server gated cryptography
• SSL acceleration
• t*****crypt
• Transport Layer Security Channel ID – a proposed protocol extension that improves web browser security via self-signed browser certificates
• Wireless Transport Layer Security

References

Further reading

• Template:Cite conference
• Template:Cite book
• Template:Cite book
• Template:Cite journal
• Template:Cite web
• Template:Cite web
• Creating VPNs with IPsec and SSL/TLS Linux Journal article by Rami Rosen
• Template:Cite web

External links

Template:External links Template:Commons category

• SSL 2 specification (published 1994)
• Early drafts of SSL 3.0 specification (published 1995)
• The Secure Sockets Layer (SSL) Protocol Version 3.0 (2011)
• The IETF (Internet Engineering Task Force) TLS Workgroup
• SSL tutorial
• OWASP: Transport Layer Protection Cheat Sheet
• A talk on SSL/TLS that tries to explain things in terms that people might understand.
• SSL: Foundation for Web Security
• TLS Renegotiation Vulnerability – IETF Tools
• Qualys SSL Labs
• SSL Server Certificate Lookup
• Trustworthy Internet Movement – SSL Pulse – Survey of the SSL Implementation of the Most Popular Web Sites

Template:FOLDOC Template:- Template:VPN Template:Web browsers