Transport Layer Security
Presented By
Hrudya
TLS
 IETF standard (RFC 2246), similar to SSLv3
 with minor differences:
 in record format version number
 uses HMAC for MAC
 a pseudo-random function expands secrets
 based on HMAC using SHA-1 or MD5
 has additional alert codes
 some changes in supported ciphers
 changes in certificate types & negotiations
 changes in crypto computations & padding
Goals
 The goals of the TLS protocol, in order of their priority, are:
 Cryptographic security: TLS should be used to establish a secure connection between two parties.
 Interoperability: Independent programmers should be able to develop applications utilizing TLS that will then be able to successfully exchange cryptographic parameters without knowledge of one another's code.
 Extensibility: TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary. This will also accomplish two sub-goals: to prevent
Record Layer
 The record layer encapsulates messages for transmission over the underlying communications protocol, usually TCP/IP.
 A record begins with a header which includes the version of the protocol, the length of the data in bytes, the type of the message, etc.
 After the header comes the message data. This is compressed by the compression algorithm that has been negotiated for the connection.
 The MAC is then calculated over the compressed data and appended to the record.
 If a block cipher is in effect for the connection, then a pad is added so that the message size is a multiple of the block size of the cipher.
General format of all TLS records
Version Number
 The TLS record format is the same as the SSL record format.
 The record format and the fields in the header have the same meanings.
 The one difference is in the version values.
 For TLS (version 1.0, RFC 2246):
 Major version = 3
 Minor version = 1
The Record Protocol
 When the record protocol receives data from the application layer, it may perform the following tasks:
 Fragments the data into blocks, or reassembles fragmented data into its original structure.
 Numbers the sequence of data blocks in the message to protect against attacks that attempt to reorder data.
 Compresses or decompresses the data using the compression algorithm negotiated in the handshake protocol.
 Encrypts or decrypts the data using the encryption keys and cryptographic algorithm negotiated during the handshake protocol.
 Applies an HMAC (or, for SSL 3.0, a MAC) to outgoing data. When a message is received, it recomputes the HMAC and verifies that it is identical to the transmitted value, in order to check data integrity.
Message Authentication Codes
 A Message Authentication Code (MAC) is used to ensure that messages are not tampered with or otherwise corrupted during transit.
 This can be thought of as a digest of the message which includes a secret key.
 It is constructed when data is sent, and verified when it is received.
 It is not possible to reproduce the digest without knowing both the input text and the key, and thus a would-be attacker needs to know the secret in order to construct a valid MAC for a message that has been altered.
Message Authentication Code
 The Message Authentication Code (MAC) used for TLS is HMAC.
 HMAC is expressed by the following equation:
HMAC_K(M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
Where:
|| : concatenation
⊕ : bitwise exclusive OR
M : the message (plaintext) over which the MAC is computed
H : the hash function (either MD5 or SHA-1)
K+ : the secret key padded with zeros on the left so that the result is equal to the block length of the hash function (for MD5 and SHA-1 the block length is 512 bits)
ipad : 00110110 (36 in hexadecimal) repeated 64 times (512 bits)
opad : 01011100 (5c in hexadecimal) repeated 64 times (512 bits)
 SSLv3 uses the same algorithm, except that
 the padding bits are concatenated with the secret key rather than being XORed with the secret key padded to the block length.
 The level of security is the same in both cases.
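As an added example (not from the slides), HMAC computed directly from the equation above for MD5 and SHA-1, cross-checked against Python's hmac module, together with the receiver-side verification step that rejects an altered record; all keys and messages are constructed values.

```python
import hashlib
import hmac

# Added example (not from the slides): HMAC built directly from the equation
# HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] for MD5 or SHA-1, then
# checked against Python's hmac module. All keys and messages are constructed.

IPAD = 0x36  # 00110110
OPAD = 0x5C  # 01011100

def hmac_from_equation(hash_name, key, message):
    """Compute HMAC_K(M) from first principles with the named hash ("md5" or "sha1")."""
    h = getattr(hashlib, hash_name)
    block_len = h().block_size                   # 64 bytes = 512 bits for MD5 and SHA-1
    if len(key) > block_len:                     # RFC 2104: a key longer than a block is hashed first
        key = h(key).digest()
    k_plus = key + bytes(block_len - len(key))   # K+: key padded with zero bytes to the block length
    k_ipad = bytes(b ^ IPAD for b in k_plus)     # K+ XOR ipad
    k_opad = bytes(b ^ OPAD for b in k_plus)     # K+ XOR opad
    inner = h(k_ipad + message).digest()         # H[(K+ XOR ipad) || M]
    return h(k_opad + inner).digest()            # H[(K+ XOR opad) || inner]

def verify_mac(hash_name, key, message, tag):
    """Receiver side: recompute the MAC over the received message and compare it
    to the transmitted tag in constant time; any change to message or tag fails."""
    return hmac.compare_digest(hmac_from_equation(hash_name, key, message), tag)

def matches_stdlib(hash_name, key, message):
    """Cross-check the hand-built HMAC against hashlib/hmac for the same inputs."""
    return hmac.compare_digest(hmac_from_equation(hash_name, key, message),
                               hmac.new(key, message, hash_name).digest())

def rfc2202_test_case_1():
    """RFC 2202 test case 1 for HMAC-SHA-1: key = 20 bytes of 0x0b, data = "Hi There"."""
    return hmac_from_equation("sha1", bytes([0x0b]) * 20, b"Hi There").hex()

if __name__ == "__main__":
    key, msg = b"constructed-session-key", b"record payload"
    tag = hmac_from_equation("sha1", key, msg)
    print("tag:", tag.hex())
    print("intact record verifies:", verify_mac("sha1", key, msg, tag))
    print("altered record verifies:", verify_mac("sha1", key, msg + b"x", tag))
```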
Generation Of Cryptographic Secrets
 The generation of cryptographic secrets is more complex in TLS than in SSL.
 TLS first defines two functions:
 Pseudorandom Function
 Data Expansion Function
Data Expansion Function
 First, we define a data expansion function, P_hash(secret, data), which uses a single hash function to expand a secret and seed into an arbitrary quantity of output.
 This function can be considered a multi-section function, where each section creates one hash value.
 Each section uses HMAC, the secret and a seed.
 The seed for each subsequent section is the HMAC output of the previous section's chaining value (the A(i) chain defined below).
 P_hash can be iterated as many times as is necessary to produce the required quantity of data.
 For example, if P_SHA-1 was being used to create 64 bytes of data,
 it would have to be iterated 4 times, creating 80 bytes of output data;
 the last 16 bytes of the final iteration would then be
Pseudorandom Function
 TLS makes use of a pseudorandom function, referred to as the PRF, to expand secrets into blocks of data for the purpose of key generation and validation.
 It uses a relatively small shared secret value to generate longer blocks of data in a way that is secure from the kind of attacks made on hash functions and MACs.
 The PRF is based on the data expansion function, which is given as
 P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
                        HMAC_hash(secret, A(2) || seed) ||
                        HMAC_hash(secret, A(3) || seed) || ...
 Where || (also written +) indicates concatenation, and A() is defined as:
 A(0) = seed
 A(i) = HMAC_hash(secret, A(i-1))
 The pseudorandom function is the combination of two data expansion functions, one using MD5 and the other using SHA-1.
 The PRF takes 3 inputs: a secret, a label and a seed.
 The label and seed are concatenated and serve as the seed for each data expansion function.
 The secret is divided into two halves; each half is used as the secret for one data expansion function.
 The outputs of the two data expansion functions are exclusive-ORed together to create the final expanded secret.
 The PRF is then defined as
 PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
 S1 and S2 are the two halves of the secret and each is the same length. S1 is taken from the first half of the secret, S2 from the second half.
Alert Codes
 TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate.
 A number of additional codes are also defined:
Cipher Suites
 Cipher suites define the encryption and hashing functions that will be used by the connection once the handshake concludes, as well as the key exchange method used during the handshake.
 There are several small differences between the cipher suites available under SSLv3 and under TLS:
 Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception of Fortezza.
 Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms found in SSLv3 with the exception of Fortezza.
Client Certificate Types
 In TLS client authentication, the client (browser) uses a certificate to authenticate itself during the TLS handshake.
 When asking for client authentication, the server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server.
 TLS defines the following certificate types to be requested in a certificate_request message:
 rsa_sign
 dss_sign
 rsa_fixed_dh
 dss_fixed_dh
 These are all defined in SSLv3.
Certificate Verify and Finished Messages
 Certificate Verify: In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over handshake_messages (the master secret and pads are excluded because they provide no additional security).
 The finished message in TLS is a hash based on the shared master_secret, the previous handshake messages and a label that identifies client or server:
 PRF(master_secret, finished_label, MD5(handshake_messages) || SHA-1(handshake_messages))
 Where
 finished_label is the string “client finished” for the client and “server finished” for the server.
Cryptographic Computations
Pre-master Secret
 The generation of the pre-master secret in TLS is exactly the same as in SSL.
Master Secret
 TLS uses the PRF function to create the master secret from the pre-master secret.
 This is achieved by using
 the pre-master secret as the secret,
 the string “master secret” as the label, &
 the concatenation of the client random number and the server random number as the seed.
 Note: the label is actually the ASCII encoding of the string “master secret”, i.e. the label names the output we want to create - the master secret.
 Master_secret = PRF(pre_master_secret, ”master secret”, ClientHello.random || ServerHello.random)
Key Material
 TLS uses the PRF function to create the key material from the master secret. This time
 the secret is the master secret,
 the label is the string “key expansion” and
 the seed is the concatenation of the server random number and the client random number (note that the two randoms are in the opposite order to the master secret derivation).
 Key_block = PRF(master_secret, “key expansion”, SecurityParameters.server_random || SecurityParameters.client_random)
Figure: key material generation. Secret = MASTER SECRET, Label = “KEY EXPANSION”, Seed = SR || CR; these are the inputs to the PSEUDORANDOM FUNCTION (PRF), whose output is the KEY MATERIAL.
