TLS is the IETF standard RFC 2246; it is similar to SSLv3,
with minor differences:
in the record format version number
it uses HMAC for the MAC
a pseudo-random function expands secrets,
based on HMAC with SHA-1 and MD5
it has additional alert codes
some changes in the supported ciphers
changes in certificate types and negotiations
changes in the crypto computations and padding
The goals of TLS Protocol, in order of their priority, are:
Cryptographic security: TLS should be used to establish
a secure connection between two parties.
Interoperability: Independent programmers should be
able to develop applications utilizing TLS that will then be
able to successfully exchange cryptographic parameters
without knowledge of one another's code.
Extensibility: TLS seeks to provide a framework into
which new public key and bulk encryption methods can be
incorporated as necessary. This will also accomplish two
sub-goals: to prevent
The record layer encapsulates messages for transmission
over the underlying communications protocol, usually
A record begins with a header which includes the version
of the protocol, the length of the data in bytes, the type
of the message, etc.
After the header comes the message data. This is
compressed by the compression algorithm that has been
negotiated for the connection.
The MAC is then calculated for the compressed data and
appended to the record.
If a block cipher is in effect for the connection then a
pad is added so that the message size is a multiple
of the block size of the cipher.
The TLS record format is the same as the SSL record
format, and the fields in the header have the same
The one difference is in the version values.
For TLS 1.0:
Major version = 3
Minor version = 1
The Record Protocol
When the record protocol receives data from the
application layer, it may perform the following tasks:
Fragments the data into blocks, or reassembles fragmented data
into its original structure.
Numbers the sequence of data blocks in the message to protect
against attacks that attempt to reorder data.
Compresses or decompresses the data using the compression
algorithm negotiated in the handshake protocol.
Encrypts or decrypts the data using the encryption keys and
cryptographic algorithm negotiated during the handshake
Applies an HMAC (or, for SSL 3.0, a MAC) to outgoing data;
when a message is received, it recomputes the HMAC and verifies
that it is identical to the value that was transmitted, thereby
checking data integrity.
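The MAC step of the record protocol described above, as an added example in Python (not code from the original slides). It uses the RFC 2246 MAC input, a 64-bit sequence number || type || version || length || fragment, and the RFC's content-type value 23 for application data, neither of which the slides spell out; compression and encryption are left out. The point shown is why numbering records lets the receiver reject reordered or replayed records.

```python
# Added example: TLS 1.0 record MAC with the sequence number in the MAC input.
import hmac
import struct

TLS10_VERSION = (3, 1)      # major = 3, minor = 1
APPLICATION_DATA = 23       # content type value from RFC 2246 (not on the slides)


def record_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """HMAC over seq_num(8) || type(1) || version(2) || length(2) || fragment (RFC 2246)."""
    major, minor = TLS10_VERSION
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def build_record(mac_secret, seq_num, fragment, content_type=APPLICATION_DATA):
    """Wire form before encryption: 5-byte record header followed by fragment || MAC."""
    body = fragment + record_mac(mac_secret, seq_num, content_type, fragment)
    major, minor = TLS10_VERSION
    return struct.pack("!BBBH", content_type, major, minor, len(body)) + body


def verify_record(mac_secret, expected_seq, record, hash_name="sha1"):
    """Receiver side: parse the header, require version 3.1, recompute the MAC with the
    sequence number the receiver *expects*. Returns the fragment, or None when the
    record is altered, replayed or presented out of order."""
    if len(record) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if (major, minor) != TLS10_VERSION or len(record) != 5 + length:
        return None
    mac_len = hmac.new(b"", b"", hash_name).digest_size
    if length < mac_len:
        return None
    body = record[5:]
    fragment, tag = body[:-mac_len], body[-mac_len:]
    expected = record_mac(mac_secret, expected_seq, content_type, fragment, hash_name)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return fragment
```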
Message Authentication Codes
A Message Authentication Code (MAC) is used to
ensure that messages are not tampered with or otherwise
corrupted in transit.
This can be thought of as a digest of the message which
includes a secret key.
It is constructed when data is sent, and verified when it is
It is not possible to reproduce the digest without knowing
both the input text and the key, and thus a would-be
attacker needs to know the secret in order to construct a
valid MAC for a message that has been altered.
Message Authentication Code
The Message Authentication Code (MAC) used for TLS is
HMAC, expressed by the following equation:
HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
|| : is concatenation
M : is the plaintext message being authenticated (it is encrypted afterwards)
H : is the hash function (either MD5 or SHA-1)
K+ : secret key padded with zeros on the left so that the result
is equal to the block length of the hash code (for MD5 and SHA-1 the block length is 512 bits)
ipad : 00110110 (36 in hexadecimal) repeated 64 times (512 bits)
opad : 01011100 (5c in hexadecimal) repeated 64 times (512 bits)
SSLv3 uses the same algorithm, except that
the padding bits are concatenated with the secret key
rather than being XORed with the secret key padded to
the block length.
The level of security is the same in both cases.
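The HMAC equation above, worked through as an added example in Python (not code from the original slides): K+ is built explicitly, XORed with ipad and opad, and the result is cross-checked against Python's hmac module. The handling of a key longer than the block length follows RFC 2104 and is not discussed on the slides.

```python
# Added example: HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] built by hand.
import hashlib
import hmac

BLOCK_LEN = 64        # 512-bit block for both MD5 and SHA-1
IPAD_BYTE = 0x36      # 00110110
OPAD_BYTE = 0x5C      # 01011100


def k_plus(key, hash_name):
    """K+: the key brought to the hash block length. RFC 2104 hashes a key that is
    longer than the block first, and places the zero padding after the key bytes."""
    if len(key) > BLOCK_LEN:
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (BLOCK_LEN - len(key))


def hmac_from_equation(key, message, hash_name="sha1"):
    kp = k_plus(key, hash_name)
    k_ipad = bytes(b ^ IPAD_BYTE for b in kp)                  # K+ XOR ipad
    k_opad = bytes(b ^ OPAD_BYTE for b in kp)                  # K+ XOR opad
    inner = hashlib.new(hash_name, k_ipad + message).digest()  # H[(K+ XOR ipad) || M]
    return hashlib.new(hash_name, k_opad + inner).digest()     # H[(K+ XOR opad) || inner]


def matches_stdlib(key, message, hash_name="sha1"):
    """Cross-check the hand-built HMAC against hmac.new for the same inputs."""
    return hmac.compare_digest(hmac_from_equation(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def tag_verifies(key, message, tag, hash_name="sha1"):
    """Receiver-side check: recompute the MAC over the received message and compare
    in constant time. An altered message or a different key yields a mismatch."""
    return hmac.compare_digest(hmac_from_equation(key, message, hash_name), tag)
```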
Generation Of Cryptographic Secrets
The generation of cryptographic secrets is more complex
in TLS than in SSL.
TLS first defines two functions:
Data Expansion Function
First, we define a data expansion function, P_hash(secret,
data), which uses a single hash function to expand a secret
and seed into an arbitrary quantity of output.
This function can be viewed as a sequence of sections,
where each section produces one hash value.
Each section uses HMAC, the secret and a seed.
The seed of each later section is the output of the first HMAC of the previous
P_hash can be iterated as many times as is necessary to
produce the required quantity of data.
For example, if P_SHA-1 was being used to create 64 bytes of
it would have to be iterated 4 times, creating 80 bytes of
the last 16 bytes of the final iteration would then be
TLS makes use of a pseudo-random function, referred to as the PRF,
to expand secrets into blocks of data for the purposes of key
generation and validation.
It uses a relatively small shared secret value to generate longer
blocks of data in a way that is secure against the kinds of attacks
made on hash functions and MACs.
The PRF is based on the data expansion function, which is given as
P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
                       HMAC_hash(secret, A(2) || seed) ||
                       HMAC_hash(secret, A(3) || seed) || ...
where || (also written +) indicates concatenation,
and A() is defined as:
A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))
The pseudo-random function is the combination of two data
expansion functions, one using MD5 and the other using SHA-1.
The PRF takes 3 inputs: a secret, a label and a seed.
The label and seed are concatenated and serve as the seed for
each data expansion function.
The secret is divided into two halves; each half is used as the
secret for one of the data expansion functions.
The outputs of the two data expansion functions are XORed
together to create the final expanded secret.
The PRF is then defined as
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
P_SHA-1(S2, label + seed);
S1 and S2 are the two halves of the secret and each is the
same length. S1 is taken from the first half of the secret, S2
from the second half.
TLS supports all of the alert codes defined in SSLv3 with the
exception of no-certificate.
A number of additional codes are also defined:
Cipher suites define the encryption and hashing
functions that will be used by the connection once
the handshake concludes, as well as the key exchange method used during the handshake.
There are several small differences between the
cipher suites available under SSLv3 and under
Key Exchange: TLS supports all of the key
exchange techniques of SSLv3 with the exception
Symmetric Encryption Algorithms: TLS includes
all of the symmetric encryption algorithms found in
SSLv3 with the exception of Fortezza.
Client Certificate Types
In TLS Client Authentication, the client (browser) uses a
certificate to authenticate itself during the TLS handshake.
When asking for client authentication, the server sends a
list of trusted certificate authorities to the client. The client
uses this list to choose a client certificate that is trusted by
TLS defines the following certificate types to be requested
in a certificate_request message:
These are all defined in SSLv3.
Certificate Verified and Finished
Certificate Verify: In the TLS certificate_verify message,
the MD5 and SHA-1 hashes are calculated only over
(the master secret and pads are excluded because they
provide no additional security)
The finished message in TLS is a hash based on the shared
master_secret, the previous handshake messages and a label
that identifies the client or server.
finished_label is the string “client finished” for the client and
“server finished” for the server.
The generation of the premaster secret in TLS is exactly the same
as in SSL.
TLS uses the PRF function to create the master secret from
the pre-master secret.
This is achieved by using
the pre-master secret as the secret,
the string “master secret” as the label, and
the concatenation of the client random number and the server random
number as the seed.
Note: the label is actually the ASCII encoding of the string “master
secret”, i.e. the label defines the output we want to create - the
Master_secret = PRF(pre_master_secret, “master secret”, client random + server random)
TLS uses the PRF function to create the key material from the
master secret. This time
the secret is the master secret,
the label is the string “key expansion”, and
the seed is the concatenation of the server random number and the client random
Key_block = PRF(master_secret, “key expansion”, server random + client random)
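As an added example (not code from the original slides) serving both the PRF definition above and the master-secret and key-block derivations just described: P_hash, the PRF and the two derivations in Python. Two details come from RFC 2246 rather than the slides and are marked as such in the code: the master secret is 48 bytes, and when the secret has an odd length its middle byte belongs to both halves S1 and S2.

```python
# Added example: TLS 1.0 data expansion function, PRF, master_secret and key_block.
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); the surplus bytes of the last
    iteration are discarded so that exactly `length` bytes are returned."""
    a = seed                                                   # A(0)
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]


def p_hash_iterations(hash_name, length):
    """Number of HMAC sections P_hash needs (P_SHA-1 for 64 bytes: 4, producing 80 bytes)."""
    digest_len = hashlib.new(hash_name).digest_size
    return -(-length // digest_len)                            # ceiling division


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).
    RFC 2246 section 5: S1 and S2 are each ceil(len(secret)/2) bytes, so for an
    odd-length secret the middle byte is shared by both halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master_secret, client_random, server_random):
    # label "master secret", seed = client random || server random; 48 bytes per RFC 2246
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    # label "key expansion", seed = server random || client random (note the reversed order)
    return prf(master, b"key expansion", server_random + client_random, length)
```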