transport layer security

Information about transport layer security

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.

Description

The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating. The next level of security—in which both ends of the "conversation" are sure with whom they are communicating—is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients unless TLS-PSK or TLS-SRP are used, which provide strong mutual authentication without needing to deploy a PKI.

TLS involves three basic phases:
  1. Peer negotiation for''' algorithm support
  2. Public key exchange and certificate-based authentication
  3. Symmetric cipher encryption


During the first phase, the client and server negotiate cipher suites, which combine one cipher from each of the following:

How it works

Enlarge picture
SSL handshake with two way authentication with certificates
A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.
  • The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.
  • From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
  • The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server's public encryption key.
The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.
  • In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key, and sends the result to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
  • Both parties generate key material for encryption and decryption.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails, and the connection is not created.

TLS Handshake in Detail

The TLS protocol exchanges records that encapsulate the data to be exchanged. Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that specifies the record, a length field, and a TLS version field.

When the connection starts, the record encapsulates another protocol, the handshake protocol, which has content type 22.

A simple connection example follows:
  • A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
  • The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher suite, and compression method from the choices offered by the client.
  • The Server sends its Certificate (depending on the selected cipher suite, this may be omitted by the Server).
: These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP based certificates.
  • The server may request a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest.
  • The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
  • The Client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher.)
  • The Client and Server then use the random numbers and PreMasterSecret to compute a common secret, called the "master secret". All other key data is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed "pseudorandom function".
  • The Client now sends a ChangeCipherSpec message, essentially telling the Server, "Everything I tell you from now on will be encrypted." Note that the ChangeCipherSpec is itself a record-level protocol, and has type 20, and not 22.
  • Finally, the Client sends an encrypted Finished message, containing a hash and MAC over the previous handshake messages.
  • The Server will attempt to decrypt the Client's Finished message, and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
  • Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.
  • At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.

TLS Record Protocol

+ Bits 0–7 8-15 16-23 24–31
0Content TypeVersion (MSB)Version (LSB)Length (MSB)
32 Length (LSB)Protocol Message(s)
... Protocol Message (cont.)
... MAC (optional)
... Padding (optional)


Content Type: This field identifies the Record Layer Protocol Type contained in this Record.


Content Types
20ChangeCipherSpec
21Alert
22Handshake
23Application


Version: This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.


Versions
Major Version Minor Version Version Type
30SSLv3
31TLS 1.0
32TLS 1.1
33TLS 1.2


Length: The length of Protocol message(s), not to exceed 214 bytes.
Protocol message(s): One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
MAC: A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.

ChangeCipherSpec Protocol

+ Bits 0–7 8-15 16-23 24–31
0 20Version (MSB)Version (LSB)0
32 11 (CCS protocol type)

Alert Protocol

+ Bits 0–7 8-15 16-23 24–31
0 21Version (MSB)Version (LSB)0
32 2LevelDescription


Level: This field identifies the level of alert.


Level Types
Code Description
1Warning - connection or security may be unstable
2Fatal - connection or security may be compromised, or an unrecoverable error has occurred


Description: This field identifies which type of alert is being sent.


Description Types
Code Description
0Close notify (warning or fatal)
10Unexpected message (fatal)
20Bad record MAC (fatal)
21Decryption failed (fatal, TLS only)
22Record overflow (fatal, TLS only)
30Decompression failure (fatal)
40Handshake failure (fatal)
41No certificate (SSL v3 only) (warning or fatal)
42Bad certificate (warning or fatal)
43Unsupported certificate (warning or fatal)
44Certificate revoked (warning or fatal)
45Certificate expired (warning or fatal)
46Certificate unknown (warning or fatal)
47Illegal parameter (fatal)
48Unknown CA (fatal, TLS only)
49Access denied (fatal, TLS only)
50Decode error (fatal, TLS only)
51Decrypt error (TLS only) (warning or fatal)
60Export restriction (fatal, TLS only)
70Protocol version (fatal, TLS only)
71Insufficient security (fatal, TLS only)
80Internal error (fatal, TLS only)
90User cancelled (fatal, TLS only)
100No renegotiation (warning, TLS only)

Handshake Protocol

+ Bits 0–7 8-15 16-23 24–31
0 22Version (MSB)Version (LSB)Length (MSB)
32 Length (LSB)Message typeMessage length
64 Message length (cont.)Handshake message
... Handshake messageMessage typeMessage length
... Message lengthHandshake message


Message type: This field identifies the Handshake message type.


Handshake Types are: 0 HelloRequest 1 ClientHello 2 ServerHello 11 Certificate 12 ServerKeyExchange 13 CertificateRequest 14 ServerHelloDone 15 CertificateVerify 16 ClientKeyExchange 20 Finished

Message length: This is a 3-byte field indicating the length of the handshake data, not including the header.


Note that multiple Handshake messages may be combined within one record.

Application Protocol

+ Bits 0–7 8-15 16-23 24–31
0 23Version (MSB)Version (LSB)Length (MSB)
32 Length (LSB)Application data
64 Application data (cont.)
... MAC (20B for SHA-1, 16B for MD5)
... Variable length padding (block ciphers only)Padding length, (block ciphers only)(1B)

Security

TLS/SSL have a variety of security measures:
  • The client may use the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.
  • The client verifies that the issuing Certificate Authority (CA) is on its list of trusted CAs.
  • The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.
  • To protect against Man-in-the-Middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate. Browser-dependent, not defined by TLS.
  • Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
  • Numbering all the Application records with a sequence number, and using this sequence number in the MACs.
  • Using a message digest enhanced with a key (so only a key-holder can check the MAC). This is specified in RFC 2104. TLS only.
  • The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties.
  • The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together. This provides protection if one of these algorithms is found to be vulnerable. TLS only.
  • SSL v3 improved upon SSL v2 by adding SHA-1 based ciphers, and support for certificate authentication. Additional improvements in SSL v3 include better handshake protocol flow and increased resistance to man-in-the-middle attacks.

Applications

TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. SMTP is also an area in which TLS has been growing and is specified in RFC 3207. These applications use public key certificates to verify the identity of endpoints.

An increasing number of client and server products support TLS natively, but many still lack support. As an alternative, users may wish to use standalone TLS products like Stunnel. Wrappers such as Stunnel rely on being able to obtain a TLS connection immediately, by simply connecting to a separate port reserved for the purpose. For example, by default the TCP port for HTTPS is 443, to distinguish it from HTTP on port 80.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also increasingly being used as the standard method for protecting SIP application signaling. TLS can be used to provide authentication and encryption of the SIP signalling associated with VOIP (Voice over IP) and other SIP-based applications.

History and development

The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in 1994 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996 (Rescorla 2001). This later served as the basis for TLS version 1.0, an IETF standard protocol first defined in RFC 2246 in January 1999. Visa, MasterCard, American Express and many leading financial institutions have endorsed SSL for commerce over the Internet.

SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between peers.

Early short keys

Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the export of cryptographic technology. The US government explicitly imposed a 40-bit keyspace, which was small enough to be broken by brute-force search by law enforcement agencies wishing to read the encrypted traffic, while still presenting obstacles to less-well-funded attackers. A similar limitation applied to Lotus Notes in export versions. After several years of public controversy, a series of lawsuits, and eventual US government recognition of cryptographic products with longer key sizes produced outside the US, the authorities relaxed some aspects of the export restrictions. The 40-bit key size limitation has mostly gone away, and modern implementations use 128-bit (or longer) keys for symmetric key ciphers.

Standards

The first definition of TLS appeared in:
  • RFC 2246: “The TLS Protocol Version 1.0”.
The current approved version is 1.1, which is specified in
  • RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.
The next version is proposed: Other RFCs subsequently extended TLS, including:
  • RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
  • RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit ciphersuites defined in this memo appear only for the purpose of documenting the fact that those ciphersuite codes have already been assigned.
  • RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
  • RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
  • RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
  • RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) ciphersuites to the previously existing symmetric ciphers.
  • RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by RFC 4366.
  • RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compression methods and the DEFLATE compression method.
  • RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.
  • RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.
  • RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.
  • RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new ciphersuites for the TLS protocol to support authentication based on pre-shared keys.
  • RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols (such as UDP).
  • RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions, and a generic extension mechanism.
  • RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
  • RFC 4507: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.
  • RFC 4680: “TLS Handshake Message for Supplemental Data”.
  • RFC 4681: “TLS User Mapping Extension”.
  • RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.

Implementation

Programmers may use the OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Microsoft Windows includes an implementation of SSL and TLS as part of its Secure Channel package. Delphi programmers may use a library called Indy.

TLS 1.1

As noted above, TLS 1.1 is the current approved version of the TLS protocol. TLS 1.1 clarifies some ambiguities and adds a number of recommendations, but remains very similar to TLS 1.0. A full list of differences is provided in RFC 4346 (Section 1.1).

Certificate providers

A 2005 Netcraft survey determined that VeriSign and its acquisitions such as Thawte have a 53% share of the certificate authority market, followed by GeoTrust (25%), Comodo (12%), GoDaddy (4%) and Entrust (2%).[1] (GeoTrust has since been acquired by VeriSign.)

A more recent market share report from Security Space as of April 2007 determined that VeriSign and its acquisitions (including GeoTrust) have a 59.6% share of the certificate authority market, followed by Comodo (8.3%), GoDaddy (5.3%), DigiCert (2.1%), Entrust (1.3%) and Network Solutions (1.1%).

CAcert.org is a community-driven certificate authority that issues free public key certificates.

See also

Software

References

  • Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0 Protocol". The Second USENIX Workshop on Electronic Commerce Proceedings, USENIX Press. 
  • Eric Rescorla,. SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub Co. ISBN 0-201-61598-3. 
  • Stephen A. Thomas (2000). SSL and TLS essentials securing the Web. New York: Wiley. ISBN 0-471-38354-6. 
  • Bard, Gregory (2006). "A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack On Ssl". International Association for Cryptologic Research (136). Retrieved on 2007-04-20. 
  • Canvel, Brice
. Password Interception in a SSL/TLS Channel. Retrieved on 2007-04-20.

External links

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.
..... Click the link for more information.
A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods.

A protocol describes how the algorithms should be used.
..... Click the link for more information.
Security is the condition of being protected against danger or loss. In the general sense, security is a concept similar to safety. The nuance between the two is an added emphasis on being protected from dangers that originate from outside.
..... Click the link for more information.
Internet is a worldwide, publicly accessible series of interconnected computer networks that transmit data by packet switching using the standard Internet Protocol (IP). It is a "network of networks" that consists of millions of smaller domestic, academic, business, and government
..... Click the link for more information.
A web browser is a software application that enables a user to display and interact with text, images, videos, music and other information typically located on a Web page at a website on the World Wide Web or a local area network.
..... Click the link for more information.
E-mail (short for electronic mail; often also abbreviated as e-mail, email or simply mail) is a store and forward method of composing, sending, storing, and receiving messages over electronic communication systems.
..... Click the link for more information.
Internet fax uses the internet to receive and send faxes.

Traditional faxing involves sending a scanned copy of a document (a facsimile) from one fax machine to another, over the phone network.
..... Click the link for more information.
Instant messaging (IM) is a form of real-time communication between two or more people based on typed text. The text is conveyed via computers connected over a network such as the Internet.
..... Click the link for more information.
eavesdrop is to surreptitiously overhear a private conversation.

History

Ancient Anglo-Saxon law punished eavesdroppers, who skulked in the Eavesdrip of another's home, with a fine.
..... Click the link for more information.
Tampering may refer to:
  • Tampering (sport), the practice, often illegal, of professional sports teams negotiating with athletes of other teams
  • Tamper-evident, a device or process that makes unauthorised access to a protected object easily detected

..... Click the link for more information.
In cryptography, message forgery is the sending of a message to deceive the recipient as to whom the real sender is. A common example is sending a spam e-mail as if it were originated from an address other than the one which was really used.
..... Click the link for more information.
Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.
..... Click the link for more information.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.[1] The terms information security
..... Click the link for more information.
Internet is a worldwide, publicly accessible series of interconnected computer networks that transmit data by packet switching using the standard Internet Protocol (IP). It is a "network of networks" that consists of millions of smaller domestic, academic, business, and government
..... Click the link for more information.
Cryptography (or cryptology; derived from Greek κρυπτός kryptós "hidden," and the verb γράφω gráfo "write" or λεγειν legein
..... Click the link for more information.
Mutual authentication or two-way authentication refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both
..... Click the link for more information.
The external links in this article or section may require cleanup to comply with Wikipedia's content policies.
Please [ improve this article] by removing excessive or inappropriate external links. Please remove this tag when this is done.
..... Click the link for more information.
Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed.
..... Click the link for more information.
Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption.
..... Click the link for more information.
RSA is an algorithm for public-key cryptography. It was the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public key cryptography.
..... Click the link for more information.
The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS)
..... Click the link for more information.
RC2
The MIX transformation of RC2; four of these comprise a MIXING round

General
Ron Rivest
leaked in 1996, designed in 1987

Cipher detail
Key size(s):| 8–128 bits, in steps of 8 bits; default 64 bits

Block size(s):| 64 bits
..... Click the link for more information.
RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks).
..... Click the link for more information.
IDEA
An encryption round of IDEA

General
James Massey, Xuejia Lai
1991

PES
MMB, MESH, Akelarre,
IDEA NXT (FOX)

Cipher detail
Key size(s):| 128 bits

Block size(s):| 64 bits
Substitution-permutation network
8.
..... Click the link for more information.
Data Encryption Standard
The Feistel function (F function) of DES

General
IBM
1975 (standardized on January 1977)

Lucifer
Triple DES, G-DES, DES-X, LOKI89, ICE

Cipher detail
Key size(s):| 56 bits

Block size(s):| 64 bits
..... Click the link for more information.
Triple DES
Three successive invocations of DES

General
IBM
1978

DES

Cipher detail
Key size(s):| 112 (2TDES) or 168 bits (3TDES)

Block size(s):| 64 bits
Feistel network
48 DES-equivalent rounds
..... Click the link for more information.
AES
The SubBytes step, one of four stages in a round of AES

General
Vincent Rijmen, Joan Daemen
1998

Square
Anubis, Grand Cru

AES winner, CRYPTREC, NESSIE
Cipher detail
Key size(s):| 128, 192 or 256 bits[1]
..... Click the link for more information.
Camellia

General
Mitsubishi, NTT
2000

E2, MISTY1

CRYPTREC, NESSIE
Cipher detail
Key size(s):| 128, 192 or 256 bits

Block size(s):| 128 bits
Feistel network
18 or 24

In cryptography, Camellia
..... Click the link for more information.
In cryptography, a cryptographic hash function is a transformation that takes an input and returns a fixed-size string, which is called the hash value. Hash functions with this property are used for a variety of computational purposes, including cryptography.
..... Click the link for more information.
MD2

General
Ronald Rivest
April 1992
MD, MD2, MD3, MD4, MD5

Detail
128 bits

18

Message Digest Algorithm 2 (MD2) is a cryptographic hash function developed by Ronald Rivest in 1989. The algorithm is optimized for 8-bit computers.
..... Click the link for more information.

This article is copied from an article on Wikipedia.org - the free encyclopedia created and edited by online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of the wikipedia encyclopedia articles provide accurate and timely information please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.