2. TLS
IETF standard RFC 2246 similar to SSLv3
with minor differences
in record format version number
uses HMAC for MAC
a pseudo-random function expands secrets
based on HMAC using SHA-1 or MD5
has additional alert codes
some changes in supported ciphers
changes in certificate types & negotiations
changes in crypto computations & padding
3. Goals
The goals of the TLS protocol, in order of priority, are:
Cryptographic security: TLS should be used to establish
a secure connection between two parties.
Interoperability: Independent programmers should be
able to develop applications utilizing TLS that will then be
able to successfully exchange cryptographic parameters
without knowledge of one another's code.
Extensibility: TLS seeks to provide a framework into
which new public key and bulk encryption methods can be
incorporated as necessary. This will also accomplish two
sub-goals: to prevent
5. Continue
The record layer encapsulates messages for transmission
over the underlying communications protocol, usually
TCP/IP.
A record begins with a header that includes the version
of the protocol, the length of the data in bytes, the type
of the message, etc.
6. After the header comes the message data. This is
compressed by the compression algorithm that has been
negotiated for the connection.
The MAC is then calculated for the compressed data and
appended to the record.
If a block cipher is in effect for the connection, then
padding is added so that the message size is a multiple
of the block size of the cipher.
8. Version Number
The TLS record format is the same as that of the SSL record
format.
The record format and the fields in the header have the same
meanings.
The one difference is in the version values.
For the major version of TLS:
Major version = 3
Minor version = 1
9. The Record Protocol
When the record protocol receives data from the
application layer, it may perform the following tasks:
Fragments the data into blocks or reassembles fragmented data
into its original structure.
Numbers the sequence of data blocks in the message to protect
against attacks that attempt to reorder data.
Compresses or decompresses the data using the compression
algorithm negotiated in the handshake protocol.
Encrypts or decrypts the data using the encryption keys and
cryptographic algorithm negotiated during the handshake
protocol.
Applies an HMAC (or, for SSL 3.0, a MAC) to outgoing data. When
a message is received, it recomputes the HMAC and verifies that it
is identical to the value that was transmitted, in order to check
data integrity.
10. Message Authentication Codes
A Message Authentication Code (MAC) is used to
ensure that messages are not tampered with or otherwise
corrupted in transit.
This can be thought of as a digest of the message which
includes a secret key.
It is constructed when data is sent, and verified when it is
received.
It is not possible to reproduce the digest without knowing
both the input text and the key, and thus a would-be
attacker needs to know the secret in order to construct a
valid MAC for a message that has been altered.
11. Message Authentication Code
The Message Authentication Code (MAC) used for TLS is
HMAC
HMAC is expressed by the following equation:
HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
Where:
|| : concatenation
XOR : bitwise exclusive or
M : the message (plaintext) being authenticated
H : the hash function (either MD5 or SHA-1)
K+ : the secret key padded with zeros to the block length of the
hash function (for MD5 and SHA-1 the block length is 512 bits)
ipad : 00110110 (0x36) repeated 64 times (512 bits)
opad : 01011100 (0x5c) repeated 64 times (512 bits)
12. SSLv3 uses the same algorithm, except that
the padding bits are concatenated with the secret key
rather than being XORed with the secret key padded to
the block length.
The level of security is the same in both cases.
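The HMAC construction from slide 11, written out as an added example (not code from the original slides): the key is zero-extended to K+, XORed with ipad and opad, and run through the inner and outer hash passes; the result is cross-checked against Python's hmac module, and the SSLv3 concatenation variant from slide 12 sits beside it for contrast. Function names and keys are my own; sslv3_style_mac leaves out the record fields that SSLv3 also hashes.

```python
import hashlib
import hmac

BLOCK_LEN = 64  # MD5 and SHA-1 both have a 512-bit (64-byte) block


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]  (RFC 2104)."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    if len(key) > BLOCK_LEN:
        key = h(key)  # RFC 2104: a key longer than the block is hashed down first
    k_plus = key.ljust(BLOCK_LEN, b"\x00")  # K+: key extended with zero bytes to the block length
    ipad = bytes([0x36]) * BLOCK_LEN  # 00110110 repeated 64 times
    opad = bytes([0x5C]) * BLOCK_LEN  # 01011100 repeated 64 times
    k_ipad = bytes(a ^ b for a, b in zip(k_plus, ipad))
    k_opad = bytes(a ^ b for a, b in zip(k_plus, opad))
    inner = h(k_ipad + message)
    return h(k_opad + inner)


def sslv3_style_mac(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """The SSLv3 construction contrasted on slide 12: the pads are concatenated with
    the key instead of being XORed into a block-length K+. Pad lengths follow SSL 3.0
    (48 bytes for MD5, 40 for SHA-1); the record sequence number, type and length that
    SSLv3 also feeds into the inner hash are omitted to keep the contrast minimal."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    pad_len = 48 if hash_name == "md5" else 40
    inner = h(key + b"\x36" * pad_len + message)
    return h(key + b"\x5c" * pad_len + inner)


def verify_mac(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the HMAC and compare it in constant time."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the from-scratch HMAC against Python's hmac module."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())
```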
13. Generation Of Cryptographic Secrets
The generation of cryptographic secrets is more complex
in TLS than in SSL.
TLS first defines two functions:
Pseudorandom Function
Data Expansion Function
15. Data Expansion Function
First, we define a data expansion function, P_hash(secret,
data), which uses a single hash function to expand a secret
and seed into an arbitrary quantity of output.
This function can be viewed as a sequence of sections,
where each section produces one hash value.
Each section uses HMAC, the secret and the seed.
The seed for each subsequent section is the output of the
previous section's first HMAC.
P_hash can be iterated as many times as necessary to
produce the required quantity of data.
For example, if P_SHA-1 were being used to create 64 bytes of
data,
it would have to be iterated 4 times, creating 80 bytes of
output data;
the last 16 bytes of the final iteration would then be
16. Pseudorandom Function
TLS makes use of a pseudorandom function, referred to as the PRF,
to expand secrets into blocks of data for the purpose of key
generation and validation.
It uses a relatively small shared secret value to generate longer
blocks of data in a way that is secure against the kinds of attacks
made on hash functions and MACs.
The PRF is based on the data expansion function, which is given as:
P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
                       HMAC_hash(secret, A(2) || seed) ||
                       HMAC_hash(secret, A(3) || seed) || ...
Where || indicates concatenation.
A() is defined as:
A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))
17. Usually the pseudorandom function is the combination of two data
expansion functions, one using MD5 and the other using SHA-1.
The PRF takes 3 inputs: a secret, a label and a seed.
The label and seed are concatenated and serve as the seed for
each data expansion function.
The secret is divided into two halves; each half is used as the
secret for one data expansion function.
The outputs of the two data expansion functions are exclusive-ORed
together to create the final expanded secret.
The PRF is then defined as:
PRF(secret, label, seed) = P_MD5(S1, label || seed) XOR
                           P_SHA-1(S2, label || seed)
S1 and S2 are the two halves of the secret and each is the
same length. S1 is taken from the first half of the secret, S2
from the second half.
19. Alert Codes
TLS supports all of the alert codes defined in SSLv3 with the
exception of no_certificate.
A number of additional codes are also defined:
20. Cipher Suites
Cipher suites define the encryption and hashing
functions that will be used by the connection once
the handshake concludes, as well as the key exchange method used during the handshake.
There are several small differences between the
cipher suites available under SSLv3 and under
TLS:
Key Exchange: TLS supports all of the key
exchange techniques of SSLv3 with the exception
of Fortezza.
Symmetric Encryption Algorithms: TLS includes
all of the symmetric encryption algorithms found in
SSLv3 with the exception of Fortezza.
21. Client Certificate Types
In TLS client authentication, the client (browser) uses a
certificate to authenticate itself during the TLS handshake.
When asking for client authentication, the server sends a
list of trusted certificate authorities to the client. The client
uses this list to choose a client certificate that is trusted by
the server.
TLS defines the following certificate types that may be requested
in a certificate_request message:
rsa_sign
dss_sign
rsa_fixed_dh
dss_fixed_dh
These are all defined in SSLv3.
22. Certificate Verify and Finished Messages
Certificate Verify: In the TLS certificate_verify message,
the MD5 and SHA-1 hashes are calculated only over
handshake_messages
(the master secret and pads are excluded because they
provide no additional security).
The finished message in TLS is a hash based on the shared
master_secret, the previous handshake messages and a label
that identifies the client or server:
PRF(master_secret, finished_label, MD5(handshake_messages) || SHA-1(handshake_messages))
Where
finished_label is the string “client finished” for the client and
“server finished” for the server.
23. Cryptographic Computations
Pre-master Secret
The generation of the pre-master secret in TLS is exactly the same
as in SSL.
Master Secret
TLS uses the PRF to create the master secret from
the pre-master secret.
This is achieved by using:
the pre-master secret as the secret,
the string “master secret” as the label, and
the concatenation of the client random number and the server random
number as the seed.
Note: the label is actually the ASCII encoding of the string “master
secret”, i.e. the label names the output we want to create: the
master secret.
master_secret = PRF(pre_master_secret, “master secret”,
                    ClientHello.random || ServerHello.random)
25. Key Material
TLS uses the PRF to create the key material from the
master secret. This time:
the secret is the master secret,
the label is the string “key expansion”, and
the seed is the concatenation of the server random number and the client random
number.
key_block = PRF(master_secret, “key expansion”,
                SecurityParameters.server_random ||
                SecurityParameters.client_random)
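The data expansion function P_hash, the two-hash PRF, and the master secret and key block derivations described on slides 15 through 25, as one added Python example (not code from the original slides). Function names are my own, and the pre-master secret and random values at the bottom are constructed for illustration, not captured handshake data.

```python
import hashlib
import hmac


def iterations_needed(hash_name: str, length: int) -> int:
    """How many P_hash sections are needed: each section yields one digest."""
    digest_len = hashlib.new(hash_name).digest_size  # 16 for MD5, 20 for SHA-1
    return -(-length // digest_len)  # ceiling division


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); sections are generated until at
    least `length` bytes exist, then the surplus of the final section is discarded."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # section i
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5(S1, label||seed) XOR P_SHA-1(S2, label||seed).
    Per RFC 2246 the halves of an odd-length secret overlap by one byte."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """key_block = PRF(master_secret, "key expansion", server_random || client_random).
    Note the random values are concatenated in the opposite order to the master secret."""
    return prf(master, b"key expansion", server_random + client_random, length)


# Constructed sample values (not real handshake data): a 48-byte RSA-style pre-master
# secret that begins with the client version (3, 1) and two 32-byte random values.
SAMPLE_PRE_MASTER = b"\x03\x01" + bytes(range(46))
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))
```

Requesting 64 bytes from P_SHA-1 runs four sections (80 bytes) and keeps the first 64, which is the slide 15 example.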