idnits 2.17.1 draft-ietf-tls-tls13-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC3268, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document obsoletes RFC4346, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document obsoletes RFC5246, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document obsoletes RFC4366, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC4492, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 821 has weird spacing: '...gorithm bul...' == Line 2474 has weird spacing: '...ixed_dh a c...' == Line 2475 has weird spacing: '...ixed_dh a c...' == Line 2611 has weird spacing: '...ed_ecdh sam...' == Line 3736 has weird spacing: '...gorithm bul...' == (1 more instance...) (Using the creation date from RFC4492, updated by this document, for RFC5378 checks: 1998-03-18) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 17, 2014) is 3661 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: '0' is mentioned on line 345, but not defined == Missing Reference: '3' is mentioned on line 4242, but not defined == Missing Reference: '9' is mentioned on line 381, but not defined == Missing Reference: '2' is mentioned on line 3455, but not defined == Missing Reference: '4' is mentioned on line 417, but not defined == Missing Reference: '8' is mentioned on line 418, but not defined == Missing Reference: '10' is mentioned on line 528, but not defined == Missing Reference: '48' is mentioned on line 3746, but not defined == Missing Reference: '32' is mentioned on line 3748, but not defined == Missing Reference: 'ChangeCipherSpec' is mentioned on line 1703, but not defined == Missing Reference: '28' is mentioned on line 3450, but not defined == Missing Reference: '46' is mentioned on line 3583, but not defined == Missing Reference: 'TLSECC' is mentioned on line 3521, but not defined -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'DSS' ** Downref: Normative reference to an Informational RFC: RFC 1321 ** Downref: Normative reference to an Informational RFC: RFC 2104 ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280) ** Obsolete normative reference: RFC 3447 (Obsoleted by RFC 8017) -- Possible downref: Non-RFC (?) normative reference: ref. 'SCH' -- Possible downref: Non-RFC (?) normative reference: ref. 'SHS' -- Possible downref: Non-RFC (?) normative reference: ref. 'TRIPLEDES' -- Possible downref: Non-RFC (?) normative reference: ref. 'X680' -- Possible downref: Non-RFC (?) normative reference: ref. 'X690' -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 1948 (Obsoleted by RFC 6528) -- Obsolete informational reference (is this intentional?): RFC 2246 (Obsoleted by RFC 4346) -- Obsolete informational reference (is this intentional?): RFC 3268 (Obsoleted by RFC 5246) -- Obsolete informational reference (is this intentional?): RFC 4307 (Obsoleted by RFC 8247) -- Obsolete informational reference (is this intentional?): RFC 4346 (Obsoleted by RFC 5246) -- Obsolete informational reference (is this intentional?): RFC 4366 (Obsoleted by RFC 5246, RFC 6066) -- Obsolete informational reference (is this intentional?): RFC 4492 (Obsoleted by RFC 8422) -- Obsolete informational reference (is this intentional?): RFC 5081 (Obsoleted by RFC 6091) Summary: 5 errors (**), 0 flaws (~~), 20 warnings (==), 24 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Dierks 3 Internet-Draft Independent 4 Obsoletes: 3268, 4346, 4366, 5246 E. Rescorla 5 (if approved) RTFM, Inc. 6 Updates: 4492 (if approved) April 17, 2014 7 Intended status: Standards Track 8 Expires: October 19, 2014 10 The Transport Layer Security (TLS) Protocol Version 1.3 11 draft-ietf-tls-tls13-01 13 Abstract 15 This document specifies Version 1.3 of the Transport Layer Security 16 (TLS) protocol. The TLS protocol provides communications security 17 over the Internet. The protocol allows client/server applications to 18 communicate in a way that is designed to prevent eavesdropping, 19 tampering, or message forgery. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on October 19, 2014. 38 Copyright Notice 40 Copyright (c) 2014 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 This document may contain material from IETF Documents or IETF 54 Contributions published or made publicly available before November 55 10, 2008. The person(s) controlling the copyright in some of this 56 material may not have granted the IETF Trust the right to allow 57 modifications of such material outside the IETF Standards Process. 58 Without obtaining an adequate license from the person(s) controlling 59 the copyright in such materials, this document may not be modified 60 outside the IETF Standards Process, and derivative works of it may 61 not be created outside the IETF Standards Process, except to format 62 it for publication as an RFC or to translate it into languages other 63 than English. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 68 1.1. Requirements Terminology . . . . . . . . . . . . . . . . 6 69 1.2. Major Differences from TLS 1.1 . . . . . . . . . . . . . 6 70 2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 71 3. Goals of This Document . . . . . . . . . . . . . . . . . . . 8 72 4. Presentation Language . . . . . . . . . . . . . . . . . . . . 8 73 4.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 8 74 4.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 9 75 4.3. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 9 76 4.4. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 10 77 4.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 10 78 4.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 11 79 4.6.1. Variants . . . . . . . . . . . . . . . . . . . . . . 12 80 4.7. Cryptographic Attributes . . . . . . . . . . . . . . . . 13 81 4.8. Constants . . . . . . . . . . . . . . . . . . . . . . . . 15 82 5. HMAC and the Pseudorandom Function . . . . . . . . . . . . . 15 83 6. The TLS Record Protocol . . . . . . . . . . . . . . . . . . . 17 84 6.1. Connection States . . . . . . . . . . . . . . . . . . . . 17 85 6.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 20 86 6.2.1. Fragmentation . . . . . . . . . . . . . . . . . . . . 20 87 6.2.2. Record Compression and Decompression . . . . . . . . 22 88 6.2.3. Record Payload Protection . . . . . . . . . . . . . . 22 89 6.3. Key Calculation . . . . . . . . . . . . . . . . . . . . . 27 90 7. The TLS Handshaking Protocols . . . . . . . . . . . . . . . . 28 91 7.1. Change Cipher Spec Protocol . . . . . . . . . . . . . . . 29 92 7.2. Alert Protocol . . . . . . . . . . . . . . . . . . . . . 29 93 7.2.1. Closure Alerts . . . . . . . . . . . . . . . . . . . 30 94 7.2.2. Error Alerts . . . . . . . . . . . . . . . . . . . . 31 95 7.3. Handshake Protocol Overview . . . . . . . . . . . . . . . 35 96 7.4. Handshake Protocol . . . . . . . . . . . . . . . . . . . 38 97 7.4.1. Hello Messages . . . . . . . . . . . . . . . . . . . 39 98 7.4.2. Server Certificate . . . . . . . . . . . . . . . . . 49 99 7.4.3. Server Key Exchange Message . . . . . . . . . . . . . 51 100 7.4.4. Certificate Request . . . . . . . . . . . . . . . . . 54 101 7.4.5. Server Hello Done . . . . . . . . . . . . . . . . . . 56 102 7.4.6. Client Certificate . . . . . . . . . . . . . . . . . 57 103 7.4.7. Client Key Exchange Message . . . . . . . . . . . . . 58 104 7.4.8. Certificate Verify . . . . . . . . . . . . . . . . . 63 105 7.4.9. Finished . . . . . . . . . . . . . . . . . . . . . . 64 106 8. Cryptographic Computations . . . . . . . . . . . . . . . . . 66 107 8.1. Computing the Master Secret . . . . . . . . . . . . . . . 66 108 8.1.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . 66 109 8.1.2. Diffie-Hellman . . . . . . . . . . . . . . . . . . . 67 110 9. Mandatory Cipher Suites . . . . . . . . . . . . . . . . . . . 67 111 10. Application Data Protocol . . . . . . . . . . . . . . . . . . 67 112 11. Security Considerations . . . . . . . . . . . . . . . . . . . 67 113 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67 114 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 69 115 13.1. Normative References . . . . . . . . . . . . . . . . . . 69 116 13.2. Informative References . . . . . . . . . . . . . . . . . 70 117 Appendix A. Protocol Data Structures and Constant Values . . . . 73 118 A.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 73 119 A.2. Change Cipher Specs Message . . . . . . . . . . . . . . . 74 120 A.3. Alert Messages . . . . . . . . . . . . . . . . . . . . . 75 121 A.4. Handshake Protocol . . . . . . . . . . . . . . . . . . . 76 122 A.4.1. Hello Messages . . . . . . . . . . . . . . . . . . . 76 123 A.4.2. Server Authentication and Key Exchange Messages . . . 78 124 A.4.3. Client Authentication and Key Exchange Messages . . . 79 125 A.4.4. Handshake Finalization Message . . . . . . . . . . . 80 126 A.5. The Cipher Suite . . . . . . . . . . . . . . . . . . . . 80 127 A.6. The Security Parameters . . . . . . . . . . . . . . . . . 82 128 A.7. Changes to RFC 4492 . . . . . . . . . . . . . . . . . . . 83 129 Appendix B. Glossary . . . . . . . . . . . . . . . . . . . . . . 83 130 Appendix C. Cipher Suite Definitions . . . . . . . . . . . . . . 87 131 Appendix D. Implementation Notes . . . . . . . . . . . . . . . . 89 132 D.1. Random Number Generation and Seeding . . . . . . . . . . 89 133 D.2. Certificates and Authentication . . . . . . . . . . . . . 89 134 D.3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 90 135 D.4. Implementation Pitfalls . . . . . . . . . . . . . . . . . 90 136 Appendix E. Backward Compatibility . . . . . . . . . . . . . . . 91 137 E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 . . . . . . . 91 138 E.2. Compatibility with SSL 2.0 . . . . . . . . . . . . . . . 93 139 E.3. Avoiding Man-in-the-Middle Version Rollback . . . . . . . 94 140 Appendix F. Security Analysis . . . . . . . . . . . . . . . . . 95 141 F.1. Handshake Protocol . . . . . . . . . . . . . . . . . . . 95 142 F.1.1. Authentication and Key Exchange . . . . . . . . . . . 95 143 F.1.2. Version Rollback Attacks . . . . . . . . . . . . . . 98 144 F.1.3. Detecting Attacks Against the Handshake Protocol . . 98 145 F.1.4. Resuming Sessions . . . . . . . . . . . . . . . . . . 98 146 F.2. Protecting Application Data . . . . . . . . . . . . . . . 99 147 F.3. Explicit IVs . . . . . . . . . . . . . . . . . . . . . . 99 148 F.4. Security of Composite Cipher Modes . . . . . . . . . . . 99 149 F.5. Denial of Service . . . . . . . . . . . . . . . . . . . . 100 150 F.6. Final Notes . . . . . . . . . . . . . . . . . . . . . . . 101 151 Appendix G. Working Group Information . . . . . . . . . . . . . 101 152 Appendix H. Contributors . . . . . . . . . . . . . . . . . . . . 101 154 1. Introduction 156 DISCLAIMER: This document is simply a copy of RFC 5246 translated 157 into markdown format with no intentional technical or editorial 158 changes beyond updating the references and minor reformatting 159 introduced by the translation. It is being submitted as-is to create 160 a clearer revision history for future versions. Any errata in TLS 161 1.2 remain in this version. Thanks to Mark Nottingham for doing the 162 markdown translation. 164 The primary goal of the TLS protocol is to provide privacy and data 165 integrity between two communicating applications. The protocol is 166 composed of two layers: the TLS Record Protocol and the TLS Handshake 167 Protocol. At the lowest level, layered on top of some reliable 168 transport protocol (e.g., TCP [RFC0793]), is the TLS Record Protocol. 169 The TLS Record Protocol provides connection security that has two 170 basic properties: 172 - The connection is private. Symmetric cryptography is used for 173 data encryption (e.g., AES [AES], RC4 [SCH], etc.). The keys for 174 this symmetric encryption are generated uniquely for each 175 connection and are based on a secret negotiated by another 176 protocol (such as the TLS Handshake Protocol). The Record 177 Protocol can also be used without encryption. 179 - The connection is reliable. Message transport includes a message 180 integrity check using a keyed MAC. Secure hash functions (e.g., 181 SHA-1, etc.) are used for MAC computations. The Record Protocol 182 can operate without a MAC, but is generally only used in this mode 183 while another protocol is using the Record Protocol as a transport 184 for negotiating security parameters. 186 The TLS Record Protocol is used for encapsulation of various higher- 187 level protocols. One such encapsulated protocol, the TLS Handshake 188 Protocol, allows the server and client to authenticate each other and 189 to negotiate an encryption algorithm and cryptographic keys before 190 the application protocol transmits or receives its first byte of 191 data. The TLS Handshake Protocol provides connection security that 192 has three basic properties: 194 - The peer's identity can be authenticated using asymmetric, or 195 public key, cryptography (e.g., RSA [RSA], DSA [DSS], etc.). This 196 authentication can be made optional, but is generally required for 197 at least one of the peers. 199 - The negotiation of a shared secret is secure: the negotiated 200 secret is unavailable to eavesdroppers, and for any authenticated 201 connection the secret cannot be obtained, even by an attacker who 202 can place himself in the middle of the connection. 204 - The negotiation is reliable: no attacker can modify the 205 negotiation communication without being detected by the parties to 206 the communication. 208 One advantage of TLS is that it is application protocol independent. 209 Higher-level protocols can layer on top of the TLS protocol 210 transparently. The TLS standard, however, does not specify how 211 protocols add security with TLS; the decisions on how to initiate TLS 212 handshaking and how to interpret the authentication certificates 213 exchanged are left to the judgment of the designers and implementors 214 of protocols that run on top of TLS. 216 1.1. Requirements Terminology 218 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 219 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 220 document are to be interpreted as described in RFC 2119 [RFC2119]. 222 1.2. Major Differences from TLS 1.1 224 This document is a revision of the TLS 1.1 [RFC4346] protocol which 225 contains improved flexibility, particularly for negotiation of 226 cryptographic algorithms. The major changes are: 228 - The MD5/SHA-1 combination in the pseudorandom function (PRF) has 229 been replaced with cipher-suite-specified PRFs. All cipher suites 230 in this document use P_SHA256. 232 - The MD5/SHA-1 combination in the digitally-signed element has been 233 replaced with a single hash. Signed elements now include a field 234 that explicitly specifies the hash algorithm used. 236 - Substantial cleanup to the client's and server's ability to 237 specify which hash and signature algorithms they will accept. 238 Note that this also relaxes some of the constraints on signature 239 and hash algorithms from previous versions of TLS. 241 - Addition of support for authenticated encryption with additional 242 data modes. 244 - TLS Extensions definition and AES Cipher Suites were merged in 245 from external [TLSEXT] and [RFC3268]. 247 - Tighter checking of EncryptedPreMasterSecret version numbers. 249 - Tightened up a number of requirements. 251 - Verify_data length now depends on the cipher suite (default is 252 still 12). 254 - Cleaned up description of Bleichenbacher/Klima attack defenses. 256 - Alerts MUST now be sent in many cases. 258 - After a certificate_request, if no certificates are available, 259 clients now MUST send an empty certificate list. 261 - TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement 262 cipher suite. 264 - Added HMAC-SHA256 cipher suites. 266 - Removed IDEA and DES cipher suites. They are now deprecated and 267 will be documented in a separate document. 269 - Support for the SSLv2 backward-compatible hello is now a MAY, not 270 a SHOULD, with sending it a SHOULD NOT. Support will probably 271 become a SHOULD NOT in the future. 273 - Added limited "fall-through" to the presentation language to allow 274 multiple case arms to have the same encoding. 276 - Added an Implementation Pitfalls sections 278 - The usual clarifications and editorial work. 280 2. Goals 282 The goals of the TLS protocol, in order of priority, are as follows: 284 1. Cryptographic security: TLS should be used to establish a secure 285 connection between two parties. 287 2. Interoperability: Independent programmers should be able to 288 develop applications utilizing TLS that can successfully exchange 289 cryptographic parameters without knowledge of one another's code. 291 3. Extensibility: TLS seeks to provide a framework into which new 292 public key and bulk encryption methods can be incorporated as 293 necessary. This will also accomplish two sub-goals: preventing 294 the need to create a new protocol (and risking the introduction 295 of possible new weaknesses) and avoiding the need to implement an 296 entire new security library. 298 4. Relative efficiency: Cryptographic operations tend to be highly 299 CPU intensive, particularly public key operations. For this 300 reason, the TLS protocol has incorporated an optional session 301 caching scheme to reduce the number of connections that need to 302 be established from scratch. Additionally, care has been taken 303 to reduce network activity. 305 3. Goals of This Document 307 This document and the TLS protocol itself are based on the SSL 3.0 308 Protocol Specification as published by Netscape. The differences 309 between this protocol and SSL 3.0 are not dramatic, but they are 310 significant enough that the various versions of TLS and SSL 3.0 do 311 not interoperate (although each protocol incorporates a mechanism by 312 which an implementation can back down to prior versions). This 313 document is intended primarily for readers who will be implementing 314 the protocol and for those doing cryptographic analysis of it. The 315 specification has been written with this in mind, and it is intended 316 to reflect the needs of those two groups. For that reason, many of 317 the algorithm-dependent data structures and rules are included in the 318 body of the text (as opposed to in an appendix), providing easier 319 access to them. 321 This document is not intended to supply any details of service 322 definition or of interface definition, although it does cover select 323 areas of policy as they are required for the maintenance of solid 324 security. 326 4. Presentation Language 328 This document deals with the formatting of data in an external 329 representation. The following very basic and somewhat casually 330 defined presentation syntax will be used. The syntax draws from 331 several sources in its structure. Although it resembles the 332 programming language "C" in its syntax and XDR [RFC4506] in both its 333 syntax and intent, it would be risky to draw too many parallels. The 334 purpose of this presentation language is to document TLS only; it has 335 no general application beyond that particular goal. 337 4.1. Basic Block Size 339 The representation of all data items is explicitly specified. The 340 basic data block size is one byte (i.e., 8 bits). Multiple byte data 341 items are concatenations of bytes, from left to right, from top to 342 bottom. From the byte stream, a multi-byte item (a numeric in the 343 example) is formed (using C notation) by: 345 value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) | 346 ... | byte[n-1]; 348 This byte ordering for multi-byte values is the commonplace network 349 byte order or big-endian format. 351 4.2. Miscellaneous 353 Comments begin with "/*" and end with "*/". 355 Optional components are denoted by enclosing them in "[[ ]]" double 356 brackets. 358 Single-byte entities containing uninterpreted data are of type 359 opaque. 361 4.3. Vectors 363 A vector (single-dimensioned array) is a stream of homogeneous data 364 elements. The size of the vector may be specified at documentation 365 time or left unspecified until runtime. In either case, the length 366 declares the number of bytes, not the number of elements, in the 367 vector. The syntax for specifying a new type, T', that is a fixed- 368 length vector of type T is 370 T T'[n]; 372 Here, T' occupies n bytes in the data stream, where n is a multiple 373 of the size of T. The length of the vector is not included in the 374 encoded stream. 376 In the following example, Datum is defined to be three consecutive 377 bytes that the protocol does not interpret, while Data is three 378 consecutive Datum, consuming a total of nine bytes. 380 opaque Datum[3]; /* three uninterpreted bytes */ 381 Datum Data[9]; /* 3 consecutive 3 byte vectors */ 383 Variable-length vectors are defined by specifying a subrange of legal 384 lengths, inclusively, using the notation . When 385 these are encoded, the actual length precedes the vector's contents 386 in the byte stream. The length will be in the form of a number 387 consuming as many bytes as required to hold the vector's specified 388 maximum (ceiling) length. A variable-length vector with an actual 389 length field of zero is referred to as an empty vector. 391 T T'; 393 In the following example, mandatory is a vector that must contain 394 between 300 and 400 bytes of type opaque. It can never be empty. 395 The actual length field consumes two bytes, a uint16, which is 396 sufficient to represent the value 400 (see Section 4.4). On the 397 other hand, longer can represent up to 800 bytes of data, or 400 398 uint16 elements, and it may be empty. Its encoding will include a 399 two-byte actual length field prepended to the vector. The length of 400 an encoded vector must be an even multiple of the length of a single 401 element (for example, a 17-byte vector of uint16 would be illegal). 403 opaque mandatory<300..400>; 404 /* length field is 2 bytes, cannot be empty */ 405 uint16 longer<0..800>; 406 /* zero to 400 16-bit unsigned integers */ 408 4.4. Numbers 410 The basic numeric data type is an unsigned byte (uint8). All larger 411 numeric data types are formed from fixed-length series of bytes 412 concatenated as described in Section 4.1 and are also unsigned. The 413 following numeric types are predefined. 415 uint8 uint16[2]; 416 uint8 uint24[3]; 417 uint8 uint32[4]; 418 uint8 uint64[8]; 420 All values, here and elsewhere in the specification, are stored in 421 network byte (big-endian) order; the uint32 represented by the hex 422 bytes 01 02 03 04 is equivalent to the decimal value 16909060. 424 Note that in some cases (e.g., DH parameters) it is necessary to 425 represent integers as opaque vectors. In such cases, they are 426 represented as unsigned integers (i.e., leading zero octets are not 427 required even if the most significant bit is set). 429 4.5. Enumerateds 431 An additional sparse data type is available called enum. A field of 432 type enum can only assume the values declared in the definition. 433 Each definition is a different type. Only enumerateds of the same 434 type may be assigned or compared. Every element of an enumerated 435 must be assigned a value, as demonstrated in the following example. 436 Since the elements of the enumerated are not ordered, they can be 437 assigned any unique value, in any order. 439 enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te; 441 An enumerated occupies as much space in the byte stream as would its 442 maximal defined ordinal value. The following definition would cause 443 one byte to be used to carry fields of type Color. 445 enum { red(3), blue(5), white(7) } Color; 447 One may optionally specify a value without its associated tag to 448 force the width definition without defining a superfluous element. 450 In the following example, Taste will consume two bytes in the data 451 stream but can only assume the values 1, 2, or 4. 453 enum { sweet(1), sour(2), bitter(4), (32000) } Taste; 455 The names of the elements of an enumeration are scoped within the 456 defined type. In the first example, a fully qualified reference to 457 the second element of the enumeration would be Color.blue. Such 458 qualification is not required if the target of the assignment is well 459 specified. 461 Color color = Color.blue; /* overspecified, legal */ 462 Color color = blue; /* correct, type implicit */ 464 For enumerateds that are never converted to external representation, 465 the numerical information may be omitted. 467 enum { low, medium, high } Amount; 469 4.6. Constructed Types 471 Structure types may be constructed from primitive types for 472 convenience. Each specification declares a new, unique type. The 473 syntax for definition is much like that of C. 475 struct { 476 T1 f1; 477 T2 f2; 478 ... 479 Tn fn; 480 } [[T]]; 482 The fields within a structure may be qualified using the type's name, 483 with a syntax much like that available for enumerateds. For example, 484 T.f2 refers to the second field of the previous declaration. 485 Structure definitions may be embedded. 487 4.6.1. Variants 489 Defined structures may have variants based on some knowledge that is 490 available within the environment. The selector must be an enumerated 491 type that defines the possible variants the structure defines. There 492 must be a case arm for every element of the enumeration declared in 493 the select. Case arms have limited fall-through: if two case arms 494 follow in immediate succession with no fields in between, then they 495 both contain the same fields. Thus, in the example below, "orange" 496 and "banana" both contain V2. Note that this is a new piece of 497 syntax in TLS 1.2. 499 The body of the variant structure may be given a label for reference. 500 The mechanism by which the variant is selected at runtime is not 501 prescribed by the presentation language. 503 struct { 504 T1 f1; 505 T2 f2; 506 .... 507 Tn fn; 508 select (E) { 509 case e1: Te1; 510 case e2: Te2; 511 case e3: case e4: Te3; 512 .... 513 case en: Ten; 514 } [[fv]]; 515 } [[Tv]]; 517 For example: 519 enum { apple, orange, banana } VariantTag; 521 struct { 522 uint16 number; 523 opaque string<0..10>; /* variable length */ 524 } V1; 526 struct { 527 uint32 number; 528 opaque string[10]; /* fixed length */ 529 } V2; 531 struct { 532 select (VariantTag) { /* value of selector is implicit */ 533 case apple: 534 V1; /* VariantBody, tag = apple */ 535 case orange: 536 case banana: 537 V2; /* VariantBody, tag = orange or banana */ 538 } variant_body; /* optional label on variant */ 539 } VariantRecord; 541 4.7. Cryptographic Attributes 543 The five cryptographic operations -- digital signing, stream cipher 544 encryption, block cipher encryption, authenticated encryption with 545 additional data (AEAD) encryption, and public key encryption -- are 546 designated digitally-signed, stream-ciphered, block-ciphered, aead- 547 ciphered, and public-key-encrypted, respectively. A field's 548 cryptographic processing is specified by prepending an appropriate 549 key word designation before the field's type specification. 550 Cryptographic keys are implied by the current session state (see 551 Section 6.1). 553 A digitally-signed element is encoded as a struct DigitallySigned: 555 struct { 556 SignatureAndHashAlgorithm algorithm; 557 opaque signature<0..2^16-1>; 558 } DigitallySigned; 560 The algorithm field specifies the algorithm used (see 561 Section 7.4.1.4.1 for the definition of this field). Note that the 562 introduction of the algorithm field is a change from previous 563 versions. The signature is a digital signature using those 564 algorithms over the contents of the element. The contents themselves 565 do not appear on the wire but are simply calculated. The length of 566 the signature is specified by the signing algorithm and key. 568 In RSA signing, the opaque vector contains the signature generated 569 using the RSASSA-PKCS1-v1_5 signature scheme defined in [RFC3447]. 570 As discussed in [RFC3447], the DigestInfo MUST be DER-encoded [X680] 571 [X690]. For hash algorithms without parameters (which includes 572 SHA-1), the DigestInfo.AlgorithmIdentifier.parameters field MUST be 573 NULL, but implementations MUST accept both without parameters and 574 with NULL parameters. Note that earlier versions of TLS used a 575 different RSA signature scheme that did not include a DigestInfo 576 encoding. 578 In DSA, the 20 bytes of the SHA-1 hash are run directly through the 579 Digital Signing Algorithm with no additional hashing. This produces 580 two values, r and s. The DSA signature is an opaque vector, as 581 above, the contents of which are the DER encoding of: 583 Dss-Sig-Value ::= SEQUENCE { 584 r INTEGER, 585 s INTEGER 586 } 588 Note: In current terminology, DSA refers to the Digital Signature 589 Algorithm and DSS refers to the NIST standard. In the original SSL 590 and TLS specs, "DSS" was used universally. This document uses "DSA" 591 to refer to the algorithm, "DSS" to refer to the standard, and it 592 uses "DSS" in the code point definitions for historical continuity. 594 In stream cipher encryption, the plaintext is exclusive-ORed with an 595 identical amount of output generated from a cryptographically secure 596 keyed pseudorandom number generator. 598 In block cipher encryption, every block of plaintext encrypts to a 599 block of ciphertext. All block cipher encryption is done in CBC 600 (Cipher Block Chaining) mode, and all items that are block-ciphered 601 will be an exact multiple of the cipher block length. 603 In AEAD encryption, the plaintext is simultaneously encrypted and 604 integrity protected. The input may be of any length, and aead- 605 ciphered output is generally larger than the input in order to 606 accommodate the integrity check value. 608 In public key encryption, a public key algorithm is used to encrypt 609 data in such a way that it can be decrypted only with the matching 610 private key. A public-key-encrypted element is encoded as an opaque 611 vector <0..2^16-1>, where the length is specified by the encryption 612 algorithm and key. 614 RSA encryption is done using the RSAES-PKCS1-v1_5 encryption scheme 615 defined in [RFC3447]. 617 In the following example 619 stream-ciphered struct { 620 uint8 field1; 621 uint8 field2; 622 digitally-signed opaque { 623 uint8 field3<0..255>; 624 uint8 field4; 625 }; 626 } UserType; 628 The contents of the inner struct (field3 and field4) are used as 629 input for the signature/hash algorithm, and then the entire structure 630 is encrypted with a stream cipher. The length of this structure, in 631 bytes, would be equal to two bytes for field1 and field2, plus two 632 bytes for the signature and hash algorithm, plus two bytes for the 633 length of the signature, plus the length of the output of the signing 634 algorithm. The length of the signature is known because the 635 algorithm and key used for the signing are known prior to encoding or 636 decoding this structure. 638 4.8. Constants 640 Typed constants can be defined for purposes of specification by 641 declaring a symbol of the desired type and assigning values to it. 643 Under-specified types (opaque, variable-length vectors, and 644 structures that contain opaque) cannot be assigned values. No fields 645 of a multi-element structure or vector may be elided. 647 For example: 649 struct { 650 uint8 f1; 651 uint8 f2; 652 } Example1; 654 Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */ 656 5. HMAC and the Pseudorandom Function 658 The TLS record layer uses a keyed Message Authentication Code (MAC) 659 to protect message integrity. The cipher suites defined in this 660 document use a construction known as HMAC, described in [RFC2104], 661 which is based on a hash function. Other cipher suites MAY define 662 their own MAC constructions, if needed. 664 In addition, a construction is required to do expansion of secrets 665 into blocks of data for the purposes of key generation or validation. 666 This pseudorandom function (PRF) takes as input a secret, a seed, and 667 an identifying label and produces an output of arbitrary length. 669 In this section, we define one PRF, based on HMAC. This PRF with the 670 SHA-256 hash function is used for all cipher suites defined in this 671 document and in TLS documents published prior to this document when 672 TLS 1.2 is negotiated. New cipher suites MUST explicitly specify a 673 PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a 674 stronger standard hash function. 676 First, we define a data expansion function, P_hash(secret, data), 677 that uses a single hash function to expand a secret and seed into an 678 arbitrary quantity of output: 680 P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + 681 HMAC_hash(secret, A(2) + seed) + 682 HMAC_hash(secret, A(3) + seed) + ... 684 where + indicates concatenation. 686 A() is defined as: 688 A(0) = seed 689 A(i) = HMAC_hash(secret, A(i-1)) 691 P_hash can be iterated as many times as necessary to produce the 692 required quantity of data. For example, if P_SHA256 is being used to 693 create 80 bytes of data, it will have to be iterated three times 694 (through A(3)), creating 96 bytes of output data; the last 16 bytes 695 of the final iteration will then be discarded, leaving 80 bytes of 696 output data. 698 TLS's PRF is created by applying P_hash to the secret as: 700 PRF(secret, label, seed) = P_(secret, label + seed) 702 The label is an ASCII string. It should be included in the exact 703 form it is given without a length byte or trailing null character. 704 For example, the label "slithy toves" would be processed by hashing 705 the following bytes: 707 73 6C 69 74 68 79 20 74 6F 76 65 73 709 6. The TLS Record Protocol 711 The TLS Record Protocol is a layered protocol. At each layer, 712 messages may include fields for length, description, and content. 713 The Record Protocol takes messages to be transmitted, fragments the 714 data into manageable blocks, optionally compresses the data, applies 715 a MAC, encrypts, and transmits the result. Received data is 716 decrypted, verified, decompressed, reassembled, and then delivered to 717 higher-level clients. 719 Four protocols that use the record protocol are described in this 720 document: the handshake protocol, the alert protocol, the change 721 cipher spec protocol, and the application data protocol. In order to 722 allow extension of the TLS protocol, additional record content types 723 can be supported by the record protocol. New record content type 724 values are assigned by IANA in the TLS Content Type Registry as 725 described in Section 12. 727 Implementations MUST NOT send record types not defined in this 728 document unless negotiated by some extension. If a TLS 729 implementation receives an unexpected record type, it MUST send an 730 unexpected_message alert. 732 Any protocol designed for use over TLS must be carefully designed to 733 deal with all possible attacks against it. As a practical matter, 734 this means that the protocol designer must be aware of what security 735 properties TLS does and does not provide and cannot safely rely on 736 the latter. 738 Note in particular that type and length of a record are not protected 739 by encryption. If this information is itself sensitive, application 740 designers may wish to take steps (padding, cover traffic) to minimize 741 information leakage. 743 6.1. Connection States 745 A TLS connection state is the operating environment of the TLS Record 746 Protocol. It specifies a compression algorithm, an encryption 747 algorithm, and a MAC algorithm. In addition, the parameters for 748 these algorithms are known: the MAC key and the bulk encryption keys 749 for the connection in both the read and the write directions. 750 Logically, there are always four connection states outstanding: the 751 current read and write states, and the pending read and write states. 752 All records are processed under the current read and write states. 753 The security parameters for the pending states can be set by the TLS 754 Handshake Protocol, and the ChangeCipherSpec can selectively make 755 either of the pending states current, in which case the appropriate 756 current state is disposed of and replaced with the pending state; the 757 pending state is then reinitialized to an empty state. It is illegal 758 to make a state that has not been initialized with security 759 parameters a current state. The initial current state always 760 specifies that no encryption, compression, or MAC will be used. 762 The security parameters for a TLS Connection read and write state are 763 set by providing the following values: 765 connection end 766 Whether this entity is considered the "client" or the "server" in 767 this connection. 769 PRF algorithm 770 An algorithm used to generate keys from the master secret (see 771 Section 5 and Section 6.3). 773 bulk encryption algorithm 774 An algorithm to be used for bulk encryption. This specification 775 includes the key size of this algorithm, whether it is a block, 776 stream, or AEAD cipher, the block size of the cipher (if 777 appropriate), and the lengths of explicit and implicit 778 initialization vectors (or nonces). 780 MAC algorithm 781 An algorithm to be used for message authentication. This 782 specification includes the size of the value returned by the MAC 783 algorithm. 785 compression algorithm 786 An algorithm to be used for data compression. This specification 787 must include all information the algorithm requires to do 788 compression. 790 master secret 791 A 48-byte secret shared between the two peers in the connection. 793 client random 794 A 32-byte value provided by the client. 796 server random 797 A 32-byte value provided by the server. 799 These parameters are defined in the presentation language as: 801 enum { server, client } ConnectionEnd; 803 enum { tls_prf_sha256 } PRFAlgorithm; 805 enum { null, rc4, 3des, aes } 806 BulkCipherAlgorithm; 808 enum { stream, block, aead } CipherType; 810 enum { null, hmac_md5, hmac_sha1, hmac_sha256, 811 hmac_sha384, hmac_sha512} MACAlgorithm; 813 enum { null(0), (255) } CompressionMethod; 815 /* The algorithms specified in CompressionMethod, PRFAlgorithm, 816 BulkCipherAlgorithm, and MACAlgorithm may be added to. */ 818 struct { 819 ConnectionEnd entity; 820 PRFAlgorithm prf_algorithm; 821 BulkCipherAlgorithm bulk_cipher_algorithm; 822 CipherType cipher_type; 823 uint8 enc_key_length; 824 uint8 block_length; 825 uint8 fixed_iv_length; 826 uint8 record_iv_length; 827 MACAlgorithm mac_algorithm; 828 uint8 mac_length; 829 uint8 mac_key_length; 830 CompressionMethod compression_algorithm; 831 opaque master_secret[48]; 832 opaque client_random[32]; 833 opaque server_random[32]; 834 } SecurityParameters; 836 The record layer will use the security parameters to generate the 837 following six items (some of which are not required by all ciphers, 838 and are thus empty): 840 client write MAC key 841 server write MAC key 842 client write encryption key 843 server write encryption key 844 client write IV 845 server write IV 847 The client write parameters are used by the server when receiving and 848 processing records and vice versa. The algorithm used for generating 849 these items from the security parameters is described in Section 6.3 851 Once the security parameters have been set and the keys have been 852 generated, the connection states can be instantiated by making them 853 the current states. These current states MUST be updated for each 854 record processed. Each connection state includes the following 855 elements: 857 compression state 858 The current state of the compression algorithm. 860 cipher state 861 The current state of the encryption algorithm. This will consist 862 of the scheduled key for that connection. For stream ciphers, 863 this will also contain whatever state information is necessary to 864 allow the stream to continue to encrypt or decrypt data. 866 MAC key 867 The MAC key for this connection, as generated above. 869 sequence number 870 Each connection state contains a sequence number, which is 871 maintained separately for read and write states. The sequence 872 number MUST be set to zero whenever a connection state is made the 873 active state. Sequence numbers are of type uint64 and may not 874 exceed 2^64-1. Sequence numbers do not wrap. If a TLS 875 implementation would need to wrap a sequence number, it must 876 renegotiate instead. A sequence number is incremented after each 877 record: specifically, the first record transmitted under a 878 particular connection state MUST use sequence number 0. 880 6.2. Record Layer 882 The TLS record layer receives uninterpreted data from higher layers 883 in non-empty blocks of arbitrary size. 885 6.2.1. Fragmentation 887 The record layer fragments information blocks into TLSPlaintext 888 records carrying data in chunks of 2^14 bytes or less. Client 889 message boundaries are not preserved in the record layer (i.e., 890 multiple client messages of the same ContentType MAY be coalesced 891 into a single TLSPlaintext record, or a single message MAY be 892 fragmented across several records). 894 struct { 895 uint8 major; 896 uint8 minor; 897 } ProtocolVersion; 899 enum { 900 change_cipher_spec(20), alert(21), handshake(22), 901 application_data(23), (255) 902 } ContentType; 904 struct { 905 ContentType type; 906 ProtocolVersion version; 907 uint16 length; 908 opaque fragment[TLSPlaintext.length]; 909 } TLSPlaintext; 911 type 912 The higher-level protocol used to process the enclosed fragment. 914 version 915 The version of the protocol being employed. This document 916 describes TLS Version 1.2, which uses the version { 3, 3 }. The 917 version value 3.3 is historical, deriving from the use of {3, 1} 918 for TLS 1.0. (See Appendix A.1.) Note that a client that 919 supports multiple versions of TLS may not know what version will 920 be employed before it receives the ServerHello. See Appendix E 921 for discussion about what record layer version number should be 922 employed for ClientHello. 924 length 925 The length (in bytes) of the following TLSPlaintext.fragment. The 926 length MUST NOT exceed 2^14. 928 fragment 929 The application data. This data is transparent and treated as an 930 independent block to be dealt with by the higher-level protocol 931 specified by the type field. 933 Implementations MUST NOT send zero-length fragments of Handshake, 934 Alert, or ChangeCipherSpec content types. Zero-length fragments of 935 Application data MAY be sent as they are potentially useful as a 936 traffic analysis countermeasure. 938 Note: Data of different TLS record layer content types MAY be 939 interleaved. Application data is generally of lower precedence for 940 transmission than other content types. However, records MUST be 941 delivered to the network in the same order as they are protected by 942 the record layer. Recipients MUST receive and process interleaved 943 application layer traffic during handshakes subsequent to the first 944 one on a connection. 946 6.2.2. Record Compression and Decompression 948 All records are compressed using the compression algorithm defined in 949 the current session state. There is always an active compression 950 algorithm; however, initially it is defined as 951 CompressionMethod.null. The compression algorithm translates a 952 TLSPlaintext structure into a TLSCompressed structure. Compression 953 functions are initialized with default state information whenever a 954 connection state is made active. [RFC3749] describes compression 955 algorithms for TLS. 957 Compression must be lossless and may not increase the content length 958 by more than 1024 bytes. If the decompression function encounters a 959 TLSCompressed.fragment that would decompress to a length in excess of 960 2^14 bytes, it MUST report a fatal decompression failure error. 962 struct { 963 ContentType type; /* same as TLSPlaintext.type */ 964 ProtocolVersion version;/* same as TLSPlaintext.version */ 965 uint16 length; 966 opaque fragment[TLSCompressed.length]; 967 } TLSCompressed; 969 length 970 The length (in bytes) of the following TLSCompressed.fragment. 971 The length MUST NOT exceed 2^14 + 1024. 973 fragment 974 The compressed form of TLSPlaintext.fragment. 976 Note: A CompressionMethod.null operation is an identity operation; no 977 fields are altered. 979 Implementation note: Decompression functions are responsible for 980 ensuring that messages cannot cause internal buffer overflows. 982 6.2.3. Record Payload Protection 984 The encryption and MAC functions translate a TLSCompressed structure 985 into a TLSCiphertext. The decryption functions reverse the process. 986 The MAC of the record also includes a sequence number so that 987 missing, extra, or repeated messages are detectable. 989 struct { 990 ContentType type; 991 ProtocolVersion version; 992 uint16 length; 993 select (SecurityParameters.cipher_type) { 994 case stream: GenericStreamCipher; 995 case block: GenericBlockCipher; 996 case aead: GenericAEADCipher; 997 } fragment; 998 } TLSCiphertext; 1000 type 1001 The type field is identical to TLSCompressed.type. 1003 version 1004 The version field is identical to TLSCompressed.version. 1006 length 1007 The length (in bytes) of the following TLSCiphertext.fragment. 1008 The length MUST NOT exceed 2^14 + 2048. 1010 fragment 1011 The encrypted form of TLSCompressed.fragment, with the MAC. 1013 6.2.3.1. Null or Standard Stream Cipher 1015 Stream ciphers (including BulkCipherAlgorithm.null; see Appendix A.6) 1016 convert TLSCompressed.fragment structures to and from stream 1017 TLSCiphertext.fragment structures. 1019 stream-ciphered struct { 1020 opaque content[TLSCompressed.length]; 1021 opaque MAC[SecurityParameters.mac_length]; 1022 } GenericStreamCipher; 1024 The MAC is generated as: 1026 MAC(MAC_write_key, seq_num + 1027 TLSCompressed.type + 1028 TLSCompressed.version + 1029 TLSCompressed.length + 1030 TLSCompressed.fragment); 1032 where "+" denotes concatenation. 1034 seq_num 1035 The sequence number for this record. 1037 MAC 1038 The MAC algorithm specified by SecurityParameters.mac_algorithm. 1040 Note that the MAC is computed before encryption. The stream cipher 1041 encrypts the entire block, including the MAC. For stream ciphers 1042 that do not use a synchronization vector (such as RC4), the stream 1043 cipher state from the end of one record is simply used on the 1044 subsequent packet. If the cipher suite is TLS_NULL_WITH_NULL_NULL, 1045 encryption consists of the identity operation (i.e., the data is not 1046 encrypted, and the MAC size is zero, implying that no MAC is used). 1047 For both null and stream ciphers, TLSCiphertext.length is 1048 TLSCompressed.length plus SecurityParameters.mac_length. 1050 6.2.3.2. CBC Block Cipher 1052 For block ciphers (such as 3DES or AES), the encryption and MAC 1053 functions convert TLSCompressed.fragment structures to and from block 1054 TLSCiphertext.fragment structures. 1056 struct { 1057 opaque IV[SecurityParameters.record_iv_length]; 1058 block-ciphered struct { 1059 opaque content[TLSCompressed.length]; 1060 opaque MAC[SecurityParameters.mac_length]; 1061 uint8 padding[GenericBlockCipher.padding_length]; 1062 uint8 padding_length; 1063 }; 1064 } GenericBlockCipher; 1066 The MAC is generated as described in Section 6.2.3.1. 1068 IV 1069 The Initialization Vector (IV) SHOULD be chosen at random, and 1070 MUST be unpredictable. Note that in versions of TLS prior to 1.1, 1071 there was no IV field, and the last ciphertext block of the 1072 previous record (the "CBC residue") was used as the IV. This was 1073 changed to prevent the attacks described in [CBCATT]. For block 1074 ciphers, the IV length is of length 1075 SecurityParameters.record_iv_length, which is equal to the 1076 SecurityParameters.block_size. 1078 padding 1079 Padding that is added to force the length of the plaintext to be 1080 an integral multiple of the block cipher's block length. The 1081 padding MAY be any length up to 255 bytes, as long as it results 1082 in the TLSCiphertext.length being an integral multiple of the 1083 block length. Lengths longer than necessary might be desirable to 1084 frustrate attacks on a protocol that are based on analysis of the 1085 lengths of exchanged messages. Each uint8 in the padding data 1086 vector MUST be filled with the padding length value. The receiver 1087 MUST check this padding and MUST use the bad_record_mac alert to 1088 indicate padding errors. 1090 padding_length 1091 The padding length MUST be such that the total size of the 1092 GenericBlockCipher structure is a multiple of the cipher's block 1093 length. Legal values range from zero to 255, inclusive. This 1094 length specifies the length of the padding field exclusive of the 1095 padding_length field itself. 1097 The encrypted data length (TLSCiphertext.length) is one more than the 1098 sum of SecurityParameters.block_length, TLSCompressed.length, 1099 SecurityParameters.mac_length, and padding_length. 1101 Example: If the block length is 8 bytes, the content length 1102 (TLSCompressed.length) is 61 bytes, and the MAC length is 20 bytes, 1103 then the length before padding is 82 bytes (this does not include the 1104 IV. Thus, the padding length modulo 8 must be equal to 6 in order to 1105 make the total length an even multiple of 8 bytes (the block length). 1106 The padding length can be 6, 14, 22, and so on, through 254. If the 1107 padding length were the minimum necessary, 6, the padding would be 6 1108 bytes, each containing the value 6. Thus, the last 8 octets of the 1109 GenericBlockCipher before block encryption would be xx 06 06 06 06 06 1110 06 06, where xx is the last octet of the MAC. 1112 Note: With block ciphers in CBC mode (Cipher Block Chaining), it is 1113 critical that the entire plaintext of the record be known before any 1114 ciphertext is transmitted. Otherwise, it is possible for the 1115 attacker to mount the attack described in [CBCATT]. 1117 Implementation note: Canvel et al. [CBCTIME] have demonstrated a 1118 timing attack on CBC padding based on the time required to compute 1119 the MAC. In order to defend against this attack, implementations 1120 MUST ensure that record processing time is essentially the same 1121 whether or not the padding is correct. In general, the best way to 1122 do this is to compute the MAC even if the padding is incorrect, and 1123 only then reject the packet. For instance, if the pad appears to be 1124 incorrect, the implementation might assume a zero-length pad and then 1125 compute the MAC. This leaves a small timing channel, since MAC 1126 performance depends to some extent on the size of the data fragment, 1127 but it is not believed to be large enough to be exploitable, due to 1128 the large block size of existing MACs and the small size of the 1129 timing signal. 1131 6.2.3.3. AEAD Ciphers 1133 For AEAD [RFC5116] ciphers (such as [CCM] or [GCM]), the AEAD 1134 function converts TLSCompressed.fragment structures to and from AEAD 1135 TLSCiphertext.fragment structures. 1137 struct { 1138 opaque nonce_explicit[SecurityParameters.record_iv_length]; 1139 aead-ciphered struct { 1140 opaque content[TLSCompressed.length]; 1141 }; 1142 } GenericAEADCipher; 1144 AEAD ciphers take as input a single key, a nonce, a plaintext, and 1145 "additional data" to be included in the authentication check, as 1146 described in Section 2.1 of [RFC5116]. The key is either the 1147 client_write_key or the server_write_key. No MAC key is used. 1149 Each AEAD cipher suite MUST specify how the nonce supplied to the 1150 AEAD operation is constructed, and what is the length of the 1151 GenericAEADCipher.nonce_explicit part. In many cases, it is 1152 appropriate to use the partially implicit nonce technique described 1153 in Section 3.2.1 of [RFC5116]; with record_iv_length being the length 1154 of the explicit part. In this case, the implicit part SHOULD be 1155 derived from key_block as client_write_iv and server_write_iv (as 1156 described in Section 6.3), and the explicit part is included in 1157 GenericAEAEDCipher.nonce_explicit. 1159 The plaintext is the TLSCompressed.fragment. 1161 The additional authenticated data, which we denote as 1162 additional_data, is defined as follows: 1164 additional_data = seq_num + TLSCompressed.type + 1165 TLSCompressed.version + TLSCompressed.length; 1167 where "+" denotes concatenation. 1169 The aead_output consists of the ciphertext output by the AEAD 1170 encryption operation. The length will generally be larger than 1171 TLSCompressed.length, but by an amount that varies with the AEAD 1172 cipher. Since the ciphers might incorporate padding, the amount of 1173 overhead could vary with different TLSCompressed.length values. Each 1174 AEAD cipher MUST NOT produce an expansion of greater than 1024 bytes. 1175 Symbolically, 1177 AEADEncrypted = AEAD-Encrypt(write_key, nonce, plaintext, 1178 additional_data) 1180 In order to decrypt and verify, the cipher takes as input the key, 1181 nonce, the "additional_data", and the AEADEncrypted value. The 1182 output is either the plaintext or an error indicating that the 1183 decryption failed. There is no separate integrity check. That is: 1185 TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce, 1186 AEADEncrypted, 1187 additional_data) 1189 If the decryption fails, a fatal bad_record_mac alert MUST be 1190 generated. 1192 6.3. Key Calculation 1194 The Record Protocol requires an algorithm to generate keys required 1195 by the current connection state (see Appendix A.6) from the security 1196 parameters provided by the handshake protocol. 1198 The master secret is expanded into a sequence of secure bytes, which 1199 is then split to a client write MAC key, a server write MAC key, a 1200 client write encryption key, and a server write encryption key. Each 1201 of these is generated from the byte sequence in that order. Unused 1202 values are empty. Some AEAD ciphers may additionally require a 1203 client write IV and a server write IV (see Section 6.2.3.3). 1205 When keys and MAC keys are generated, the master secret is used as an 1206 entropy source. 1208 To generate the key material, compute 1210 key_block = PRF(SecurityParameters.master_secret, 1211 "key expansion", 1212 SecurityParameters.server_random + 1213 SecurityParameters.client_random); 1215 until enough output has been generated. Then, the key_block is 1216 partitioned as follows: 1218 client_write_MAC_key[SecurityParameters.mac_key_length] 1219 server_write_MAC_key[SecurityParameters.mac_key_length] 1220 client_write_key[SecurityParameters.enc_key_length] 1221 server_write_key[SecurityParameters.enc_key_length] 1222 client_write_IV[SecurityParameters.fixed_iv_length] 1223 server_write_IV[SecurityParameters.fixed_iv_length] 1225 Currently, the client_write_IV and server_write_IV are only generated 1226 for implicit nonce techniques as described in Section 3.2.1 of 1227 [RFC5116]. 1229 Implementation note: The currently defined cipher suite which 1230 requires the most material is AES_256_CBC_SHA256. It requires 2 x 32 1231 byte keys and 2 x 32 byte MAC keys, for a total 128 bytes of key 1232 material. 1234 7. The TLS Handshaking Protocols 1236 TLS has three subprotocols that are used to allow peers to agree upon 1237 security parameters for the record layer, to authenticate themselves, 1238 to instantiate negotiated security parameters, and to report error 1239 conditions to each other. 1241 The Handshake Protocol is responsible for negotiating a session, 1242 which consists of the following items: 1244 session identifier 1245 An arbitrary byte sequence chosen by the server to identify an 1246 active or resumable session state. 1248 peer certificate 1249 X509v3 [RFC3280] certificate of the peer. This element of the 1250 state may be null. 1252 compression method 1253 The algorithm used to compress data prior to encryption. 1255 cipher spec 1256 Specifies the pseudorandom function (PRF) used to generate keying 1257 material, the bulk data encryption algorithm (such as null, AES, 1258 etc.) and the MAC algorithm (such as HMAC-SHA1). It also defines 1259 cryptographic attributes such as the mac_length. (See 1260 Appendix A.6 for formal definition.) 1262 master secret 1263 48-byte secret shared between the client and server. 1265 is resumable 1266 A flag indicating whether the session can be used to initiate new 1267 connections. 1269 These items are then used to create security parameters for use by 1270 the record layer when protecting application data. Many connections 1271 can be instantiated using the same session through the resumption 1272 feature of the TLS Handshake Protocol. 1274 7.1. Change Cipher Spec Protocol 1276 The change cipher spec protocol exists to signal transitions in 1277 ciphering strategies. The protocol consists of a single message, 1278 which is encrypted and compressed under the current (not the pending) 1279 connection state. The message consists of a single byte of value 1. 1281 struct { 1282 enum { change_cipher_spec(1), (255) } type; 1283 } ChangeCipherSpec; 1285 The ChangeCipherSpec message is sent by both the client and the 1286 server to notify the receiving party that subsequent records will be 1287 protected under the newly negotiated CipherSpec and keys. Reception 1288 of this message causes the receiver to instruct the record layer to 1289 immediately copy the read pending state into the read current state. 1290 Immediately after sending this message, the sender MUST instruct the 1291 record layer to make the write pending state the write active state. 1292 (See Section 6.1.) The ChangeCipherSpec message is sent during the 1293 handshake after the security parameters have been agreed upon, but 1294 before the verifying Finished message is sent. 1296 Note: If a rehandshake occurs while data is flowing on a connection, 1297 the communicating parties may continue to send data using the old 1298 CipherSpec. However, once the ChangeCipherSpec has been sent, the 1299 new CipherSpec MUST be used. The first side to send the 1300 ChangeCipherSpec does not know that the other side has finished 1301 computing the new keying material (e.g., if it has to perform a time- 1302 consuming public key operation). Thus, a small window of time, 1303 during which the recipient must buffer the data, MAY exist. In 1304 practice, with modern machines this interval is likely to be fairly 1305 short. 1307 7.2. Alert Protocol 1309 One of the content types supported by the TLS record layer is the 1310 alert type. Alert messages convey the severity of the message 1311 (warning or fatal) and a description of the alert. Alert messages 1312 with a level of fatal result in the immediate termination of the 1313 connection. In this case, other connections corresponding to the 1314 session may continue, but the session identifier MUST be invalidated, 1315 preventing the failed session from being used to establish new 1316 connections. Like other messages, alert messages are encrypted and 1317 compressed, as specified by the current connection state. 1319 enum { warning(1), fatal(2), (255) } AlertLevel; 1321 enum { 1322 close_notify(0), 1323 unexpected_message(10), 1324 bad_record_mac(20), 1325 decryption_failed_RESERVED(21), 1326 record_overflow(22), 1327 decompression_failure(30), 1328 handshake_failure(40), 1329 no_certificate_RESERVED(41), 1330 bad_certificate(42), 1331 unsupported_certificate(43), 1332 certificate_revoked(44), 1333 certificate_expired(45), 1334 certificate_unknown(46), 1335 illegal_parameter(47), 1336 unknown_ca(48), 1337 access_denied(49), 1338 decode_error(50), 1339 decrypt_error(51), 1340 export_restriction_RESERVED(60), 1341 protocol_version(70), 1342 insufficient_security(71), 1343 internal_error(80), 1344 user_canceled(90), 1345 no_renegotiation(100), 1346 unsupported_extension(110), 1347 (255) 1348 } AlertDescription; 1350 struct { 1351 AlertLevel level; 1352 AlertDescription description; 1353 } Alert; 1355 7.2.1. Closure Alerts 1357 The client and the server must share knowledge that the connection is 1358 ending in order to avoid a truncation attack. Either party may 1359 initiate the exchange of closing messages. 1361 close_notify 1362 This message notifies the recipient that the sender will not send 1363 any more messages on this connection. Note that as of TLS 1.1, 1364 failure to properly close a connection no longer requires that a 1365 session not be resumed. This is a change from TLS 1.0 to conform 1366 with widespread implementation practice. 1368 Either party may initiate a close by sending a close_notify alert. 1369 Any data received after a closure alert is ignored. 1371 Unless some other fatal alert has been transmitted, each party is 1372 required to send a close_notify alert before closing the write side 1373 of the connection. The other party MUST respond with a close_notify 1374 alert of its own and close down the connection immediately, 1375 discarding any pending writes. It is not required for the initiator 1376 of the close to wait for the responding close_notify alert before 1377 closing the read side of the connection. 1379 If the application protocol using TLS provides that any data may be 1380 carried over the underlying transport after the TLS connection is 1381 closed, the TLS implementation must receive the responding 1382 close_notify alert before indicating to the application layer that 1383 the TLS connection has ended. If the application protocol will not 1384 transfer any additional data, but will only close the underlying 1385 transport connection, then the implementation MAY choose to close the 1386 transport without waiting for the responding close_notify. No part 1387 of this standard should be taken to dictate the manner in which a 1388 usage profile for TLS manages its data transport, including when 1389 connections are opened or closed. 1391 Note: It is assumed that closing a connection reliably delivers 1392 pending data before destroying the transport. 1394 7.2.2. Error Alerts 1396 Error handling in the TLS Handshake protocol is very simple. When an 1397 error is detected, the detecting party sends a message to the other 1398 party. Upon transmission or receipt of a fatal alert message, both 1399 parties immediately close the connection. Servers and clients MUST 1400 forget any session-identifiers, keys, and secrets associated with a 1401 failed connection. Thus, any connection terminated with a fatal 1402 alert MUST NOT be resumed. 1404 Whenever an implementation encounters a condition which is defined as 1405 a fatal alert, it MUST send the appropriate alert prior to closing 1406 the connection. For all errors where an alert level is not 1407 explicitly specified, the sending party MAY determine at its 1408 discretion whether to treat this as a fatal error or not. If the 1409 implementation chooses to send an alert but intends to close the 1410 connection immediately afterwards, it MUST send that alert at the 1411 fatal alert level. 1413 If an alert with a level of warning is sent and received, generally 1414 the connection can continue normally. If the receiving party decides 1415 not to proceed with the connection (e.g., after having received a 1416 no_renegotiation alert that it is not willing to accept), it SHOULD 1417 send a fatal alert to terminate the connection. Given this, the 1418 sending party cannot, in general, know how the receiving party will 1419 behave. Therefore, warning alerts are not very useful when the 1420 sending party wants to continue the connection, and thus are 1421 sometimes omitted. For example, if a peer decides to accept an 1422 expired certificate (perhaps after confirming this with the user) and 1423 wants to continue the connection, it would not generally send a 1424 certificate_expired alert. 1426 The following error alerts are defined: 1428 unexpected_message 1429 An inappropriate message was received. This alert is always fatal 1430 and should never be observed in communication between proper 1431 implementations. 1433 bad_record_mac 1434 This alert is returned if a record is received with an incorrect 1435 MAC. This alert also MUST be returned if an alert is sent because 1436 a TLSCiphertext decrypted in an invalid way: either it wasn't an 1437 even multiple of the block length, or its padding values, when 1438 checked, weren't correct. This message is always fatal and should 1439 never be observed in communication between proper implementations 1440 (except when messages were corrupted in the network). 1442 decryption_failed_RESERVED 1443 This alert was used in some earlier versions of TLS, and may have 1444 permitted certain attacks against the CBC mode [CBCATT]. It MUST 1445 NOT be sent by compliant implementations. 1447 record_overflow 1448 A TLSCiphertext record was received that had a length more than 1449 2^14+2048 bytes, or a record decrypted to a TLSCompressed record 1450 with more than 2^14+1024 bytes. This message is always fatal and 1451 should never be observed in communication between proper 1452 implementations (except when messages were corrupted in the 1453 network). 1455 decompression_failure 1456 The decompression function received improper input (e.g., data 1457 that would expand to excessive length). This message is always 1458 fatal and should never be observed in communication between proper 1459 implementations. 1461 handshake_failure 1462 Reception of a handshake_failure alert message indicates that the 1463 sender was unable to negotiate an acceptable set of security 1464 parameters given the options available. This is a fatal error. 1466 no_certificate_RESERVED 1467 This alert was used in SSLv3 but not any version of TLS. It MUST 1468 NOT be sent by compliant implementations. 1470 bad_certificate 1471 A certificate was corrupt, contained signatures that did not 1472 verify correctly, etc. 1474 unsupported_certificate 1475 A certificate was of an unsupported type. 1477 certificate_revoked 1478 A certificate was revoked by its signer. 1480 certificate_expired 1481 A certificate has expired or is not currently valid. 1483 certificate_unknown 1484 Some other (unspecified) issue arose in processing the 1485 certificate, rendering it unacceptable. 1487 illegal_parameter 1488 A field in the handshake was out of range or inconsistent with 1489 other fields. This message is always fatal. 1491 unknown_ca 1492 A valid certificate chain or partial chain was received, but the 1493 certificate was not accepted because the CA certificate could not 1494 be located or couldn't be matched with a known, trusted CA. This 1495 message is always fatal. 1497 access_denied 1498 A valid certificate was received, but when access control was 1499 applied, the sender decided not to proceed with negotiation. This 1500 message is always fatal. 1502 decode_error 1503 A message could not be decoded because some field was out of the 1504 specified range or the length of the message was incorrect. This 1505 message is always fatal and should never be observed in 1506 communication between proper implementations (except when messages 1507 were corrupted in the network). 1509 decrypt_error 1510 A handshake cryptographic operation failed, including being unable 1511 to correctly verify a signature or validate a Finished message. 1512 This message is always fatal. 1514 export_restriction_RESERVED 1515 This alert was used in some earlier versions of TLS. It MUST NOT 1516 be sent by compliant implementations. 1518 protocol_version 1519 The protocol version the client has attempted to negotiate is 1520 recognized but not supported. (For example, old protocol versions 1521 might be avoided for security reasons.) This message is always 1522 fatal. 1524 insufficient_security 1525 Returned instead of handshake_failure when a negotiation has 1526 failed specifically because the server requires ciphers more 1527 secure than those supported by the client. This message is always 1528 fatal. 1530 internal_error 1531 An internal error unrelated to the peer or the correctness of the 1532 protocol (such as a memory allocation failure) makes it impossible 1533 to continue. This message is always fatal. 1535 user_canceled 1536 This handshake is being canceled for some reason unrelated to a 1537 protocol failure. If the user cancels an operation after the 1538 handshake is complete, just closing the connection by sending a 1539 close_notify is more appropriate. This alert should be followed 1540 by a close_notify. This message is generally a warning. 1542 no_renegotiation 1543 Sent by the client in response to a hello request or by the server 1544 in response to a client hello after initial handshaking. Either 1545 of these would normally lead to renegotiation; when that is not 1546 appropriate, the recipient should respond with this alert. At 1547 that point, the original requester can decide whether to proceed 1548 with the connection. One case where this would be appropriate is 1549 where a server has spawned a process to satisfy a request; the 1550 process might receive security parameters (key length, 1551 authentication, etc.) at startup, and it might be difficult to 1552 communicate changes to these parameters after that point. This 1553 message is always a warning. 1555 unsupported_extension 1556 sent by clients that receive an extended server hello containing 1557 an extension that they did not put in the corresponding client 1558 hello. This message is always fatal. 1560 New Alert values are assigned by IANA as described in Section 12. 1562 7.3. Handshake Protocol Overview 1564 The cryptographic parameters of the session state are produced by the 1565 TLS Handshake Protocol, which operates on top of the TLS record 1566 layer. When a TLS client and server first start communicating, they 1567 agree on a protocol version, select cryptographic algorithms, 1568 optionally authenticate each other, and use public-key encryption 1569 techniques to generate shared secrets. 1571 The TLS Handshake Protocol involves the following steps: 1573 - Exchange hello messages to agree on algorithms, exchange random 1574 values, and check for session resumption. 1576 - Exchange the necessary cryptographic parameters to allow the 1577 client and server to agree on a premaster secret. 1579 - Exchange certificates and cryptographic information to allow the 1580 client and server to authenticate themselves. 1582 - Generate a master secret from the premaster secret and exchanged 1583 random values. 1585 - Provide security parameters to the record layer. 1587 - Allow the client and server to verify that their peer has 1588 calculated the same security parameters and that the handshake 1589 occurred without tampering by an attacker. 1591 Note that higher layers should not be overly reliant on whether TLS 1592 always negotiates the strongest possible connection between two 1593 peers. There are a number of ways in which a man-in-the-middle 1594 attacker can attempt to make two entities drop down to the least 1595 secure method they support. The protocol has been designed to 1596 minimize this risk, but there are still attacks available: for 1597 example, an attacker could block access to the port a secure service 1598 runs on, or attempt to get the peers to negotiate an unauthenticated 1599 connection. The fundamental rule is that higher levels must be 1600 cognizant of what their security requirements are and never transmit 1601 information over a channel less secure than what they require. The 1602 TLS protocol is secure in that any cipher suite offers its promised 1603 level of security: if you negotiate 3DES with a 1024-bit RSA key 1604 exchange with a host whose certificate you have verified, you can 1605 expect to be that secure. 1607 These goals are achieved by the handshake protocol, which can be 1608 summarized as follows: The client sends a ClientHello message to 1609 which the server must respond with a ServerHello message, or else a 1610 fatal error will occur and the connection will fail. The ClientHello 1611 and ServerHello are used to establish security enhancement 1612 capabilities between client and server. The ClientHello and 1613 ServerHello establish the following attributes: Protocol Version, 1614 Session ID, Cipher Suite, and Compression Method. Additionally, two 1615 random values are generated and exchanged: ClientHello.random and 1616 ServerHello.random. 1618 The actual key exchange uses up to four messages: the server 1619 Certificate, the ServerKeyExchange, the client Certificate, and the 1620 ClientKeyExchange. New key exchange methods can be created by 1621 specifying a format for these messages and by defining the use of the 1622 messages to allow the client and server to agree upon a shared 1623 secret. This secret MUST be quite long; currently defined key 1624 exchange methods exchange secrets that range from 46 bytes upwards. 1626 Following the hello messages, the server will send its certificate in 1627 a Certificate message if it is to be authenticated. Additionally, a 1628 ServerKeyExchange message may be sent, if it is required (e.g., if 1629 the server has no certificate, or if its certificate is for signing 1630 only). If the server is authenticated, it may request a certificate 1631 from the client, if that is appropriate to the cipher suite selected. 1632 Next, the server will send the ServerHelloDone message, indicating 1633 that the hello-message phase of the handshake is complete. The 1634 server will then wait for a client response. If the server has sent 1635 a CertificateRequest message, the client MUST send the Certificate 1636 message. The ClientKeyExchange message is now sent, and the content 1637 of that message will depend on the public key algorithm selected 1638 between the ClientHello and the ServerHello. If the client has sent 1639 a certificate with signing ability, a digitally-signed 1640 CertificateVerify message is sent to explicitly verify possession of 1641 the private key in the certificate. 1643 At this point, a ChangeCipherSpec message is sent by the client, and 1644 the client copies the pending Cipher Spec into the current Cipher 1645 Spec. The client then immediately sends the Finished message under 1646 the new algorithms, keys, and secrets. In response, the server will 1647 send its own ChangeCipherSpec message, transfer the pending to the 1648 current Cipher Spec, and send its Finished message under the new 1649 Cipher Spec. At this point, the handshake is complete, and the 1650 client and server may begin to exchange application layer data. (See 1651 flow chart below.) Application data MUST NOT be sent prior to the 1652 completion of the first handshake (before a cipher suite other than 1653 TLS_NULL_WITH_NULL_NULL is established). 1655 Client Server 1657 ClientHello --------> 1658 ServerHello 1659 Certificate* 1660 ServerKeyExchange* 1661 CertificateRequest* 1662 <-------- ServerHelloDone 1663 Certificate* 1664 ClientKeyExchange 1665 CertificateVerify* 1666 [ChangeCipherSpec] 1667 Finished --------> 1668 [ChangeCipherSpec] 1669 <-------- Finished 1670 Application Data <-------> Application Data 1672 Figure 1. Message flow for a full handshake 1674 * Indicates optional or situation-dependent messages that are not 1675 always sent. 1677 Note: To help avoid pipeline stalls, ChangeCipherSpec is an 1678 independent TLS protocol content type, and is not actually a TLS 1679 handshake message. 1681 When the client and server decide to resume a previous session or 1682 duplicate an existing session (instead of negotiating new security 1683 parameters), the message flow is as follows: 1685 The client sends a ClientHello using the Session ID of the session to 1686 be resumed. The server then checks its session cache for a match. 1687 If a match is found, and the server is willing to re-establish the 1688 connection under the specified session state, it will send a 1689 ServerHello with the same Session ID value. At this point, both 1690 client and server MUST send ChangeCipherSpec messages and proceed 1691 directly to Finished messages. Once the re-establishment is 1692 complete, the client and server MAY begin to exchange application 1693 layer data. (See flow chart below.) If a Session ID match is not 1694 found, the server generates a new session ID, and the TLS client and 1695 server perform a full handshake. 1697 Client Server 1699 ClientHello --------> 1700 ServerHello 1701 [ChangeCipherSpec] 1702 <-------- Finished 1703 [ChangeCipherSpec] 1704 Finished --------> 1705 Application Data <-------> Application Data 1707 Figure 2. Message flow for an abbreviated handshake 1709 The contents and significance of each message will be presented in 1710 detail in the following sections. 1712 7.4. Handshake Protocol 1714 The TLS Handshake Protocol is one of the defined higher-level clients 1715 of the TLS Record Protocol. This protocol is used to negotiate the 1716 secure attributes of a session. Handshake messages are supplied to 1717 the TLS record layer, where they are encapsulated within one or more 1718 TLSPlaintext structures, which are processed and transmitted as 1719 specified by the current active session state. 1721 enum { 1722 hello_request(0), client_hello(1), server_hello(2), 1723 certificate(11), server_key_exchange (12), 1724 certificate_request(13), server_hello_done(14), 1725 certificate_verify(15), client_key_exchange(16), 1726 finished(20), (255) 1727 } HandshakeType; 1729 struct { 1730 HandshakeType msg_type; /* handshake type */ 1731 uint24 length; /* bytes in message */ 1732 select (HandshakeType) { 1733 case hello_request: HelloRequest; 1734 case client_hello: ClientHello; 1735 case server_hello: ServerHello; 1736 case certificate: Certificate; 1737 case server_key_exchange: ServerKeyExchange; 1738 case certificate_request: CertificateRequest; 1739 case server_hello_done: ServerHelloDone; 1740 case certificate_verify: CertificateVerify; 1741 case client_key_exchange: ClientKeyExchange; 1742 case finished: Finished; 1743 } body; 1744 } Handshake; 1746 The handshake protocol messages are presented below in the order they 1747 MUST be sent; sending handshake messages in an unexpected order 1748 results in a fatal error. Unneeded handshake messages can be 1749 omitted, however. Note one exception to the ordering: the 1750 Certificate message is used twice in the handshake (from server to 1751 client, then from client to server), but described only in its first 1752 position. The one message that is not bound by these ordering rules 1753 is the HelloRequest message, which can be sent at any time, but which 1754 SHOULD be ignored by the client if it arrives in the middle of a 1755 handshake. 1757 New handshake message types are assigned by IANA as described in 1758 Section 12. 1760 7.4.1. Hello Messages 1762 The hello phase messages are used to exchange security enhancement 1763 capabilities between the client and server. When a new session 1764 begins, the record layer's connection state encryption, hash, and 1765 compression algorithms are initialized to null. The current 1766 connection state is used for renegotiation messages. 1768 7.4.1.1. Hello Request 1770 When this message will be sent: 1772 The HelloRequest message MAY be sent by the server at any time. 1774 Meaning of this message: 1776 HelloRequest is a simple notification that the client should begin 1777 the negotiation process anew. In response, the client should send 1778 a ClientHello message when convenient. This message is not 1779 intended to establish which side is the client or server but 1780 merely to initiate a new negotiation. Servers SHOULD NOT send a 1781 HelloRequest immediately upon the client's initial connection. It 1782 is the client's job to send a ClientHello at that time. 1784 This message will be ignored by the client if the client is 1785 currently negotiating a session. This message MAY be ignored by 1786 the client if it does not wish to renegotiate a session, or the 1787 client may, if it wishes, respond with a no_renegotiation alert. 1788 Since handshake messages are intended to have transmission 1789 precedence over application data, it is expected that the 1790 negotiation will begin before no more than a few records are 1791 received from the client. If the server sends a HelloRequest but 1792 does not receive a ClientHello in response, it may close the 1793 connection with a fatal alert. 1795 After sending a HelloRequest, servers SHOULD NOT repeat the 1796 request until the subsequent handshake negotiation is complete. 1798 Structure of this message: 1800 struct { } HelloRequest; 1802 This message MUST NOT be included in the message hashes that are 1803 maintained throughout the handshake and used in the Finished messages 1804 and the certificate verify message. 1806 7.4.1.2. Client Hello 1808 When this message will be sent: 1810 When a client first connects to a server, it is required to send 1811 the ClientHello as its first message. The client can also send a 1812 ClientHello in response to a HelloRequest or on its own initiative 1813 in order to renegotiate the security parameters in an existing 1814 connection. 1816 Structure of this message: 1818 The ClientHello message includes a random structure, which is used 1819 later in the protocol. 1821 struct { 1822 uint32 gmt_unix_time; 1823 opaque random_bytes[28]; 1824 } Random; 1826 gmt_unix_time 1827 The current time and date in standard UNIX 32-bit format (seconds 1828 since the midnight starting Jan 1, 1970, UTC, ignoring leap 1829 seconds) according to the sender's internal clock. Clocks are not 1830 required to be set correctly by the basic TLS protocol; higher- 1831 level or application protocols may define additional requirements. 1832 Note that, for historical reasons, the data element is named using 1833 GMT, the predecessor of the current worldwide time base, UTC. 1835 random_bytes 1836 28 bytes generated by a secure random number generator. 1838 The ClientHello message includes a variable-length session 1839 identifier. If not empty, the value identifies a session between the 1840 same client and server whose security parameters the client wishes to 1841 reuse. The session identifier MAY be from an earlier connection, 1842 this connection, or from another currently active connection. The 1843 second option is useful if the client only wishes to update the 1844 random structures and derived values of a connection, and the third 1845 option makes it possible to establish several independent secure 1846 connections without repeating the full handshake protocol. These 1847 independent connections may occur sequentially or simultaneously; a 1848 SessionID becomes valid when the handshake negotiating it completes 1849 with the exchange of Finished messages and persists until it is 1850 removed due to aging or because a fatal error was encountered on a 1851 connection associated with the session. The actual contents of the 1852 SessionID are defined by the server. 1854 opaque SessionID<0..32>; 1856 Warning: Because the SessionID is transmitted without encryption or 1857 immediate MAC protection, servers MUST NOT place confidential 1858 information in session identifiers or let the contents of fake 1859 session identifiers cause any breach of security. (Note that the 1860 content of the handshake as a whole, including the SessionID, is 1861 protected by the Finished messages exchanged at the end of the 1862 handshake.) 1864 The cipher suite list, passed from the client to the server in the 1865 ClientHello message, contains the combinations of cryptographic 1866 algorithms supported by the client in order of the client's 1867 preference (favorite choice first). Each cipher suite defines a key 1868 exchange algorithm, a bulk encryption algorithm (including secret key 1869 length), a MAC algorithm, and a PRF. The server will select a cipher 1870 suite or, if no acceptable choices are presented, return a handshake 1871 failure alert and close the connection. If the list contains cipher 1872 suites the server does not recognize, support, or wish to use, the 1873 server MUST ignore those cipher suites, and process the remaining 1874 ones as usual. 1876 uint8 CipherSuite[2]; /* Cryptographic suite selector */ 1878 The ClientHello includes a list of compression algorithms supported 1879 by the client, ordered according to the client's preference. 1881 enum { null(0), (255) } CompressionMethod; 1883 struct { 1884 ProtocolVersion client_version; 1885 Random random; 1886 SessionID session_id; 1887 CipherSuite cipher_suites<2..2^16-2>; 1888 CompressionMethod compression_methods<1..2^8-1>; 1889 select (extensions_present) { 1890 case false: 1891 struct {}; 1892 case true: 1893 Extension extensions<0..2^16-1>; 1894 }; 1895 } ClientHello; 1897 TLS allows extensions to follow the compression_methods field in an 1898 extensions block. The presence of extensions can be detected by 1899 determining whether there are bytes following the compression_methods 1900 at the end of the ClientHello. Note that this method of detecting 1901 optional data differs from the normal TLS method of having a 1902 variable-length field, but it is used for compatibility with TLS 1903 before extensions were defined. 1905 client_version 1906 The version of the TLS protocol by which the client wishes to 1907 communicate during this session. This SHOULD be the latest 1908 (highest valued) version supported by the client. For this 1909 version of the specification, the version will be 3.3 (see 1910 Appendix E for details about backward compatibility). 1912 random 1913 A client-generated random structure. 1915 session_id 1916 The ID of a session the client wishes to use for this connection. 1917 This field is empty if no session_id is available, or if the 1918 client wishes to generate new security parameters. 1920 cipher_suites 1921 This is a list of the cryptographic options supported by the 1922 client, with the client's first preference first. If the 1923 session_id field is not empty (implying a session resumption 1924 request), this vector MUST include at least the cipher_suite from 1925 that session. Values are defined in Appendix A.5. 1927 compression_methods 1928 This is a list of the compression methods supported by the client, 1929 sorted by client preference. If the session_id field is not empty 1930 (implying a session resumption request), it MUST include the 1931 compression_method from that session. This vector MUST contain, 1932 and all implementations MUST support, CompressionMethod.null. 1933 Thus, a client and server will always be able to agree on a 1934 compression method. 1936 extensions 1937 Clients MAY request extended functionality from servers by sending 1938 data in the extensions field. The actual "Extension" format is 1939 defined in Section 7.4.1.4. 1941 In the event that a client requests additional functionality using 1942 extensions, and this functionality is not supplied by the server, the 1943 client MAY abort the handshake. A server MUST accept ClientHello 1944 messages both with and without the extensions field, and (as for all 1945 other messages) it MUST check that the amount of data in the message 1946 precisely matches one of these formats; if not, then it MUST send a 1947 fatal "decode_error" alert. 1949 After sending the ClientHello message, the client waits for a 1950 ServerHello message. Any handshake message returned by the server, 1951 except for a HelloRequest, is treated as a fatal error. 1953 7.4.1.3. Server Hello 1955 When this message will be sent: 1957 The server will send this message in response to a ClientHello 1958 message when it was able to find an acceptable set of algorithms. 1959 If it cannot find such a match, it will respond with a handshake 1960 failure alert. 1962 Structure of this message: 1964 struct { 1965 ProtocolVersion server_version; 1966 Random random; 1967 SessionID session_id; 1968 CipherSuite cipher_suite; 1969 CompressionMethod compression_method; 1970 select (extensions_present) { 1971 case false: 1972 struct {}; 1973 case true: 1974 Extension extensions<0..2^16-1>; 1975 }; 1976 } ServerHello; 1978 The presence of extensions can be detected by determining whether 1979 there are bytes following the compression_method field at the end of 1980 the ServerHello. 1982 server_version 1983 This field will contain the lower of that suggested by the client 1984 in the client hello and the highest supported by the server. For 1985 this version of the specification, the version is 3.3. (See 1986 Appendix E for details about backward compatibility.) 1988 random 1989 This structure is generated by the server and MUST be 1990 independently generated from the ClientHello.random. 1992 session_id 1993 This is the identity of the session corresponding to this 1994 connection. If the ClientHello.session_id was non-empty, the 1995 server will look in its session cache for a match. If a match is 1996 found and the server is willing to establish the new connection 1997 using the specified session state, the server will respond with 1998 the same value as was supplied by the client. This indicates a 1999 resumed session and dictates that the parties must proceed 2000 directly to the Finished messages. Otherwise, this field will 2001 contain a different value identifying the new session. The server 2002 may return an empty session_id to indicate that the session will 2003 not be cached and therefore cannot be resumed. If a session is 2004 resumed, it must be resumed using the same cipher suite it was 2005 originally negotiated with. Note that there is no requirement 2006 that the server resume any session even if it had formerly 2007 provided a session_id. Clients MUST be prepared to do a full 2008 negotiation -- including negotiating new cipher suites -- during 2009 any handshake. 2011 cipher_suite 2012 The single cipher suite selected by the server from the list in 2013 ClientHello.cipher_suites. For resumed sessions, this field is 2014 the value from the state of the session being resumed. 2016 compression_method 2017 The single compression algorithm selected by the server from the 2018 list in ClientHello.compression_methods. For resumed sessions, 2019 this field is the value from the resumed session state. 2021 extensions 2022 A list of extensions. Note that only extensions offered by the 2023 client can appear in the server's list. 2025 7.4.1.4. Hello Extensions 2027 The extension format is: 2029 struct { 2030 ExtensionType extension_type; 2031 opaque extension_data<0..2^16-1>; 2032 } Extension; 2034 enum { 2035 signature_algorithms(13), (65535) 2036 } ExtensionType; 2038 Here: 2040 - "extension_type" identifies the particular extension type. 2042 - "extension_data" contains information specific to the particular 2043 extension type. 2045 The initial set of extensions is defined in a companion document 2046 [TLSEXT]. The list of extension types is maintained by IANA as 2047 described in Section 12. 2049 An extension type MUST NOT appear in the ServerHello unless the same 2050 extension type appeared in the corresponding ClientHello. If a 2051 client receives an extension type in ServerHello that it did not 2052 request in the associated ClientHello, it MUST abort the handshake 2053 with an unsupported_extension fatal alert. 2055 Nonetheless, "server-oriented" extensions may be provided in the 2056 future within this framework. Such an extension (say, of type x) 2057 would require the client to first send an extension of type x in a 2058 ClientHello with empty extension_data to indicate that it supports 2059 the extension type. In this case, the client is offering the 2060 capability to understand the extension type, and the server is taking 2061 the client up on its offer. 2063 When multiple extensions of different types are present in the 2064 ClientHello or ServerHello messages, the extensions MAY appear in any 2065 order. There MUST NOT be more than one extension of the same type. 2067 Finally, note that extensions can be sent both when starting a new 2068 session and when requesting session resumption. Indeed, a client 2069 that requests session resumption does not in general know whether the 2070 server will accept this request, and therefore it SHOULD send the 2071 same extensions as it would send if it were not attempting 2072 resumption. 2074 In general, the specification of each extension type needs to 2075 describe the effect of the extension both during full handshake and 2076 session resumption. Most current TLS extensions are relevant only 2077 when a session is initiated: when an older session is resumed, the 2078 server does not process these extensions in Client Hello, and does 2079 not include them in Server Hello. However, some extensions may 2080 specify different behavior during session resumption. 2082 There are subtle (and not so subtle) interactions that may occur in 2083 this protocol between new features and existing features which may 2084 result in a significant reduction in overall security. The following 2085 considerations should be taken into account when designing new 2086 extensions: 2088 - Some cases where a server does not agree to an extension are error 2089 conditions, and some are simply refusals to support particular 2090 features. In general, error alerts should be used for the former, 2091 and a field in the server extension response for the latter. 2093 - Extensions should, as far as possible, be designed to prevent any 2094 attack that forces use (or non-use) of a particular feature by 2095 manipulation of handshake messages. This principle should be 2096 followed regardless of whether the feature is believed to cause a 2097 security problem. 2099 Often the fact that the extension fields are included in the 2100 inputs to the Finished message hashes will be sufficient, but 2101 extreme care is needed when the extension changes the meaning of 2102 messages sent in the handshake phase. Designers and implementors 2103 should be aware of the fact that until the handshake has been 2104 authenticated, active attackers can modify messages and insert, 2105 remove, or replace extensions. 2107 - It would be technically possible to use extensions to change major 2108 aspects of the design of TLS; for example the design of cipher 2109 suite negotiation. This is not recommended; it would be more 2110 appropriate to define a new version of TLS -- particularly since 2111 the TLS handshake algorithms have specific protection against 2112 version rollback attacks based on the version number, and the 2113 possibility of version rollback should be a significant 2114 consideration in any major design change. 2116 7.4.1.4.1. Signature Algorithms 2118 The client uses the "signature_algorithms" extension to indicate to 2119 the server which signature/hash algorithm pairs may be used in 2120 digital signatures. The "extension_data" field of this extension 2121 contains a "supported_signature_algorithms" value. 2123 enum { 2124 none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 2125 sha512(6), (255) 2126 } HashAlgorithm; 2128 enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 2129 SignatureAlgorithm; 2131 struct { 2132 HashAlgorithm hash; 2133 SignatureAlgorithm signature; 2134 } SignatureAndHashAlgorithm; 2136 SignatureAndHashAlgorithm 2137 supported_signature_algorithms<2..2^16-2>; 2139 Each SignatureAndHashAlgorithm value lists a single hash/signature 2140 pair that the client is willing to verify. The values are indicated 2141 in descending order of preference. 2143 Note: Because not all signature algorithms and hash algorithms may be 2144 accepted by an implementation (e.g., DSA with SHA-1, but not SHA- 2145 256), algorithms here are listed in pairs. 2147 hash 2148 This field indicates the hash algorithm which may be used. The 2149 values indicate support for unhashed data, MD5 [RFC1321], SHA-1, 2150 SHA-224, SHA-256, SHA-384, and SHA-512 [SHS], respectively. The 2151 "none" value is provided for future extensibility, in case of a 2152 signature algorithm which does not require hashing before signing. 2154 signature 2155 This field indicates the signature algorithm that may be used. 2156 The values indicate anonymous signatures, RSASSA-PKCS1-v1_5 2157 [RFC3447] and DSA [DSS], and ECDSA [ECDSA], respectively. The 2158 "anonymous" value is meaningless in this context but used in 2159 Section 7.4.3. It MUST NOT appear in this extension. 2161 The semantics of this extension are somewhat complicated because the 2162 cipher suite indicates permissible signature algorithms but not hash 2163 algorithms. Section 7.4.2 and Section 7.4.3 describe the appropriate 2164 rules. 2166 If the client supports only the default hash and signature algorithms 2167 (listed in this section), it MAY omit the signature_algorithms 2168 extension. If the client does not support the default algorithms, or 2169 supports other hash and signature algorithms (and it is willing to 2170 use them for verifying messages sent by the server, i.e., server 2171 certificates and server key exchange), it MUST send the 2172 signature_algorithms extension, listing the algorithms it is willing 2173 to accept. 2175 If the client does not send the signature_algorithms extension, the 2176 server MUST do the following: 2178 - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA, 2179 DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had 2180 sent the value {sha1,rsa}. 2182 - If the negotiated key exchange algorithm is one of (DHE_DSS, 2183 DH_DSS), behave as if the client had sent the value {sha1,dsa}. 2185 - If the negotiated key exchange algorithm is one of (ECDH_ECDSA, 2186 ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}. 2188 Note: this is a change from TLS 1.1 where there are no explicit 2189 rules, but as a practical matter one can assume that the peer 2190 supports MD5 and SHA-1. 2192 Note: this extension is not meaningful for TLS versions prior to 1.2. 2193 Clients MUST NOT offer it if they are offering prior versions. 2194 However, even if clients do offer it, the rules specified in [TLSEXT] 2195 require servers to ignore extensions they do not understand. 2197 Servers MUST NOT send this extension. TLS servers MUST support 2198 receiving this extension. 2200 When performing session resumption, this extension is not included in 2201 Server Hello, and the server ignores the extension in Client Hello 2202 (if present). 2204 7.4.2. Server Certificate 2206 When this message will be sent: 2208 The server MUST send a Certificate message whenever the agreed- 2209 upon key exchange method uses certificates for authentication 2210 (this includes all key exchange methods defined in this document 2211 except DH_anon). This message will always immediately follow the 2212 ServerHello message. 2214 Meaning of this message: 2216 This message conveys the server's certificate chain to the client. 2218 The certificate MUST be appropriate for the negotiated cipher 2219 suite's key exchange algorithm and any negotiated extensions. 2221 Structure of this message: 2223 opaque ASN.1Cert<1..2^24-1>; 2225 struct { 2226 ASN.1Cert certificate_list<0..2^24-1>; 2227 } Certificate; 2229 certificate_list 2230 This is a sequence (chain) of certificates. The sender's 2231 certificate MUST come first in the list. Each following 2232 certificate MUST directly certify the one preceding it. Because 2233 certificate validation requires that root keys be distributed 2234 independently, the self-signed certificate that specifies the root 2235 certificate authority MAY be omitted from the chain, under the 2236 assumption that the remote end must already possess it in order to 2237 validate it in any case. 2239 The same message type and structure will be used for the client's 2240 response to a certificate request message. Note that a client MAY 2241 send no certificates if it does not have an appropriate certificate 2242 to send in response to the server's authentication request. 2244 Note: PKCS #7 [PKCS7] is not used as the format for the certificate 2245 vector because PKCS #6 [PKCS6] extended certificates are not used. 2246 Also, PKCS #7 defines a SET rather than a SEQUENCE, making the task 2247 of parsing the list more difficult. 2249 The following rules apply to the certificates sent by the server: 2251 - The certificate type MUST be X.509v3, unless explicitly negotiated 2252 otherwise (e.g., [RFC5081]). 2254 - The end entity certificate's public key (and associated 2255 restrictions) MUST be compatible with the selected key exchange 2256 algorithm. 2258 Key Exchange Alg. Certificate Key Type 2260 RSA RSA public key; the certificate MUST allow the 2261 RSA_PSK key to be used for encryption (the 2262 keyEncipherment bit MUST be set if the key 2263 usage extension is present). 2264 Note: RSA_PSK is defined in [RFC4279]. 2266 DHE_RSA RSA public key; the certificate MUST allow the 2267 ECDHE_RSA key to be used for signing (the 2268 digitalSignature bit MUST be set if the key 2269 usage extension is present) with the signature 2270 scheme and hash algorithm that will be employed 2271 in the server key exchange message. 2272 Note: ECDHE_RSA is defined in [RFC4492]. 2274 DHE_DSS DSA public key; the certificate MUST allow the 2275 key to be used for signing with the hash 2276 algorithm that will be employed in the server 2277 key exchange message. 2279 DH_DSS Diffie-Hellman public key; the keyAgreement bit 2280 DH_RSA MUST be set if the key usage extension is 2281 present. 2283 ECDH_ECDSA ECDH-capable public key; the public key MUST 2284 ECDH_RSA use a curve and point format supported by the 2285 client, as described in [RFC4492]. 2287 ECDHE_ECDSA ECDSA-capable public key; the certificate MUST 2288 allow the key to be used for signing with the 2289 hash algorithm that will be employed in the 2290 server key exchange message. The public key 2291 MUST use a curve and point format supported by 2292 the client, as described in [RFC4492]. 2294 - The "server_name" and "trusted_ca_keys" extensions [TLSEXT] are 2295 used to guide certificate selection. 2297 If the client provided a "signature_algorithms" extension, then all 2298 certificates provided by the server MUST be signed by a hash/ 2299 signature algorithm pair that appears in that extension. Note that 2300 this implies that a certificate containing a key for one signature 2301 algorithm MAY be signed using a different signature algorithm (for 2302 instance, an RSA key signed with a DSA key). This is a departure 2303 from TLS 1.1, which required that the algorithms be the same. Note 2304 that this also implies that the DH_DSS, DH_RSA, ECDH_ECDSA, and 2305 ECDH_RSA key exchange algorithms do not restrict the algorithm used 2306 to sign the certificate. Fixed DH certificates MAY be signed with 2307 any hash/signature algorithm pair appearing in the extension. The 2308 names DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are historical. 2310 If the server has multiple certificates, it chooses one of them based 2311 on the above-mentioned criteria (in addition to other criteria, such 2312 as transport layer endpoint, local configuration and preferences, 2313 etc.). If the server has a single certificate, it SHOULD attempt to 2314 validate that it meets these criteria. 2316 Note that there are certificates that use algorithms and/or algorithm 2317 combinations that cannot be currently used with TLS. For example, a 2318 certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in 2319 SubjectPublicKeyInfo) cannot be used because TLS defines no 2320 corresponding signature algorithm. 2322 As cipher suites that specify new key exchange methods are specified 2323 for the TLS protocol, they will imply the certificate format and the 2324 required encoded keying information. 2326 7.4.3. Server Key Exchange Message 2328 When this message will be sent: 2330 This message will be sent immediately after the server Certificate 2331 message (or the ServerHello message, if this is an anonymous 2332 negotiation). 2334 The ServerKeyExchange message is sent by the server only when the 2335 server Certificate message (if sent) does not contain enough data 2336 to allow the client to exchange a premaster secret. This is true 2337 for the following key exchange methods: 2339 DHE_DSS 2340 DHE_RSA 2341 DH_anon 2343 It is not legal to send the ServerKeyExchange message for the 2344 following key exchange methods: 2346 RSA 2347 DH_DSS 2348 DH_RSA 2350 Other key exchange algorithms, such as those defined in [RFC4492], 2351 MUST specify whether the ServerKeyExchange message is sent or not; 2352 and if the message is sent, its contents. 2354 Meaning of this message: 2356 This message conveys cryptographic information to allow the client 2357 to communicate the premaster secret: a Diffie-Hellman public key 2358 with which the client can complete a key exchange (with the result 2359 being the premaster secret) or a public key for some other 2360 algorithm. 2362 Structure of this message: 2364 enum { dhe_dss, dhe_rsa, dh_anon, rsa, dh_dss, dh_rsa 2365 /* may be extended, e.g., for ECDH -- see [RFC4492] */ 2366 } KeyExchangeAlgorithm; 2368 struct { 2369 opaque dh_p<1..2^16-1>; 2370 opaque dh_g<1..2^16-1>; 2371 opaque dh_Ys<1..2^16-1>; 2372 } ServerDHParams; /* Ephemeral DH parameters */ 2374 dh_p 2375 The prime modulus used for the Diffie-Hellman operation. 2377 dh_g 2378 The generator used for the Diffie-Hellman operation. 2380 dh_Ys 2381 The server's Diffie-Hellman public value (g^X mod p). 2383 struct { 2384 select (KeyExchangeAlgorithm) { 2385 case dh_anon: 2386 ServerDHParams params; 2387 case dhe_dss: 2388 case dhe_rsa: 2389 ServerDHParams params; 2390 digitally-signed struct { 2391 opaque client_random[32]; 2392 opaque server_random[32]; 2393 ServerDHParams params; 2394 } signed_params; 2395 case rsa: 2396 case dh_dss: 2397 case dh_rsa: 2398 struct {} ; 2399 /* message is omitted for rsa, dh_dss, and dh_rsa */ 2400 /* may be extended, e.g., for ECDH -- see [RFC4492] */ 2401 }; 2402 } ServerKeyExchange; 2404 params 2405 The server's key exchange parameters. 2407 signed_params 2408 For non-anonymous key exchanges, a signature over the server's key 2409 exchange parameters. 2411 If the client has offered the "signature_algorithms" extension, the 2412 signature algorithm and hash algorithm MUST be a pair listed in that 2413 extension. Note that there is a possibility for inconsistencies 2414 here. For instance, the client might offer DHE_DSS key exchange but 2415 omit any DSA pairs from its "signature_algorithms" extension. In 2416 order to negotiate correctly, the server MUST check any candidate 2417 cipher suites against the "signature_algorithms" extension before 2418 selecting them. This is somewhat inelegant but is a compromise 2419 designed to minimize changes to the original cipher suite design. 2421 In addition, the hash and signature algorithms MUST be compatible 2422 with the key in the server's end-entity certificate. RSA keys MAY be 2423 used with any permitted hash algorithm, subject to restrictions in 2424 the certificate, if any. 2426 Because DSA signatures do not contain any secure indication of hash 2427 algorithm, there is a risk of hash substitution if multiple hashes 2428 may be used with any key. Currently, DSA [DSS] may only be used with 2429 SHA-1. Future revisions of DSS [DSS-3] are expected to allow the use 2430 of other digest algorithms with DSA, as well as guidance as to which 2431 digest algorithms should be used with each key size. In addition, 2432 future revisions of [RFC3280] may specify mechanisms for certificates 2433 to indicate which digest algorithms are to be used with DSA. 2435 As additional cipher suites are defined for TLS that include new key 2436 exchange algorithms, the server key exchange message will be sent if 2437 and only if the certificate type associated with the key exchange 2438 algorithm does not provide enough information for the client to 2439 exchange a premaster secret. 2441 7.4.4. Certificate Request 2443 When this message will be sent: 2445 A non-anonymous server can optionally request a certificate from 2446 the client, if appropriate for the selected cipher suite. This 2447 message, if sent, will immediately follow the ServerKeyExchange 2448 message (if it is sent; otherwise, this message follows the 2449 server's Certificate message). 2451 Structure of this message: 2453 enum { 2454 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 2455 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), 2456 fortezza_dms_RESERVED(20), (255) 2457 } ClientCertificateType; 2459 opaque DistinguishedName<1..2^16-1>; 2461 struct { 2462 ClientCertificateType certificate_types<1..2^8-1>; 2463 SignatureAndHashAlgorithm 2464 supported_signature_algorithms<2^16-1>; 2465 DistinguishedName certificate_authorities<0..2^16-1>; 2466 } CertificateRequest; 2468 certificate_types 2469 A list of the types of certificate types that the client may 2470 offer. 2472 rsa_sign a certificate containing an RSA key 2473 dss_sign a certificate containing a DSA key 2474 rsa_fixed_dh a certificate containing a static DH key. 2475 dss_fixed_dh a certificate containing a static DH key 2477 supported_signature_algorithms 2478 A list of the hash/signature algorithm pairs that the server is 2479 able to verify, listed in descending order of preference. 2481 certificate_authorities 2482 A list of the distinguished names [X501] of acceptable 2483 certificate_authorities, represented in DER-encoded format. These 2484 distinguished names may specify a desired distinguished name for a 2485 root CA or for a subordinate CA; thus, this message can be used to 2486 describe known roots as well as a desired authorization space. If 2487 the certificate_authorities list is empty, then the client MAY 2488 send any certificate of the appropriate ClientCertificateType, 2489 unless there is some external arrangement to the contrary. 2491 The interaction of the certificate_types and 2492 supported_signature_algorithms fields is somewhat complicated. 2493 certificate_types has been present in TLS since SSLv3, but was 2494 somewhat underspecified. Much of its functionality is superseded by 2495 supported_signature_algorithms. The following rules apply: 2497 - Any certificates provided by the client MUST be signed using a 2498 hash/signature algorithm pair found in 2499 supported_signature_algorithms. 2501 - The end-entity certificate provided by the client MUST contain a 2502 key that is compatible with certificate_types. If the key is a 2503 signature key, it MUST be usable with some hash/signature 2504 algorithm pair in supported_signature_algorithms. 2506 - For historical reasons, the names of some client certificate types 2507 include the algorithm used to sign the certificate. For example, 2508 in earlier versions of TLS, rsa_fixed_dh meant a certificate 2509 signed with RSA and containing a static DH key. In TLS 1.2, this 2510 functionality has been obsoleted by the 2511 supported_signature_algorithms, and the certificate type no longer 2512 restricts the algorithm used to sign the certificate. For 2513 example, if the server sends dss_fixed_dh certificate type and 2514 {{sha1, dsa}, {sha1, rsa}} signature types, the client MAY reply 2515 with a certificate containing a static DH key, signed with RSA- 2516 SHA1. 2518 New ClientCertificateType values are assigned by IANA as described in 2519 Section 12. 2521 Note: Values listed as RESERVED may not be used. They were used in 2522 SSLv3. 2524 Note: It is a fatal handshake_failure alert for an anonymous server 2525 to request client authentication. 2527 7.4.5. Server Hello Done 2529 When this message will be sent: 2531 The ServerHelloDone message is sent by the server to indicate the 2532 end of the ServerHello and associated messages. After sending 2533 this message, the server will wait for a client response. 2535 Meaning of this message: 2537 This message means that the server is done sending messages to 2538 support the key exchange, and the client can proceed with its 2539 phase of the key exchange. 2541 Upon receipt of the ServerHelloDone message, the client SHOULD 2542 verify that the server provided a valid certificate, if required, 2543 and check that the server hello parameters are acceptable. 2545 Structure of this message: 2547 struct { } ServerHelloDone; 2549 7.4.6. Client Certificate 2551 When this message will be sent: 2553 This is the first message the client can send after receiving a 2554 ServerHelloDone message. This message is only sent if the server 2555 requests a certificate. If no suitable certificate is available, 2556 the client MUST send a certificate message containing no 2557 certificates. That is, the certificate_list structure has a 2558 length of zero. If the client does not send any certificates, the 2559 server MAY at its discretion either continue the handshake without 2560 client authentication, or respond with a fatal handshake_failure 2561 alert. Also, if some aspect of the certificate chain was 2562 unacceptable (e.g., it was not signed by a known, trusted CA), the 2563 server MAY at its discretion either continue the handshake 2564 (considering the client unauthenticated) or send a fatal alert. 2566 Client certificates are sent using the Certificate structure 2567 defined in Section 7.4.2. 2569 Meaning of this message: 2571 This message conveys the client's certificate chain to the server; 2572 the server will use it when verifying the CertificateVerify 2573 message (when the client authentication is based on signing) or 2574 calculating the premaster secret (for non-ephemeral Diffie- 2575 Hellman). The certificate MUST be appropriate for the negotiated 2576 cipher suite's key exchange algorithm, and any negotiated 2577 extensions. 2579 In particular: 2581 - The certificate type MUST be X.509v3, unless explicitly negotiated 2582 otherwise (e.g., [RFC5081]). 2584 - The end-entity certificate's public key (and associated 2585 restrictions) has to be compatible with the certificate types 2586 listed in CertificateRequest: 2588 Client Cert. Type Certificate Key Type 2590 rsa_sign RSA public key; the certificate MUST allow the 2591 key to be used for signing with the signature 2592 scheme and hash algorithm that will be 2593 employed in the certificate verify message. 2595 dss_sign DSA public key; the certificate MUST allow the 2596 key to be used for signing with the hash 2597 algorithm that will be employed in the 2598 certificate verify message. 2600 ecdsa_sign ECDSA-capable public key; the certificate MUST 2601 allow the key to be used for signing with the 2602 hash algorithm that will be employed in the 2603 certificate verify message; the public key 2604 MUST use a curve and point format supported by 2605 the server. 2607 rsa_fixed_dh Diffie-Hellman public key; MUST use the same 2608 dss_fixed_dh parameters as server's key. 2610 rsa_fixed_ecdh ECDH-capable public key; MUST use the 2611 ecdsa_fixed_ecdh same curve as the server's key, and MUST use a 2612 point format supported by the server. 2614 - If the certificate_authorities list in the certificate request 2615 message was non-empty, one of the certificates in the certificate 2616 chain SHOULD be issued by one of the listed CAs. 2618 - The certificates MUST be signed using an acceptable hash/ 2619 signature algorithm pair, as described in Section 7.4.4. Note 2620 that this relaxes the constraints on certificate-signing 2621 algorithms found in prior versions of TLS. 2623 Note that, as with the server certificate, there are certificates 2624 that use algorithms/algorithm combinations that cannot be currently 2625 used with TLS. 2627 7.4.7. Client Key Exchange Message 2629 When this message will be sent: 2631 This message is always sent by the client. It MUST immediately 2632 follow the client certificate message, if it is sent. Otherwise, 2633 it MUST be the first message sent by the client after it receives 2634 the ServerHelloDone message. 2636 Meaning of this message: 2638 With this message, the premaster secret is set, either by direct 2639 transmission of the RSA-encrypted secret or by the transmission of 2640 Diffie-Hellman parameters that will allow each side to agree upon 2641 the same premaster secret. 2643 When the client is using an ephemeral Diffie-Hellman exponent, 2644 then this message contains the client's Diffie-Hellman public 2645 value. If the client is sending a certificate containing a static 2646 DH exponent (i.e., it is doing fixed_dh client authentication), 2647 then this message MUST be sent but MUST be empty. 2649 Structure of this message: 2651 The choice of messages depends on which key exchange method has 2652 been selected. See Section 7.4.3 for the KeyExchangeAlgorithm 2653 definition. 2655 struct { 2656 select (KeyExchangeAlgorithm) { 2657 case rsa: 2658 EncryptedPreMasterSecret; 2659 case dhe_dss: 2660 case dhe_rsa: 2661 case dh_dss: 2662 case dh_rsa: 2663 case dh_anon: 2664 ClientDiffieHellmanPublic; 2665 } exchange_keys; 2666 } ClientKeyExchange; 2668 7.4.7.1. RSA-Encrypted Premaster Secret Message 2670 Meaning of this message: 2672 If RSA is being used for key agreement and authentication, the 2673 client generates a 48-byte premaster secret, encrypts it using the 2674 public key from the server's certificate, and sends the result in 2675 an encrypted premaster secret message. This structure is a 2676 variant of the ClientKeyExchange message and is not a message in 2677 itself. 2679 Structure of this message: 2681 struct { 2682 ProtocolVersion client_version; 2683 opaque random[46]; 2684 } PreMasterSecret; 2686 client_version 2687 The latest (newest) version supported by the client. This is 2688 used to detect version rollback attacks. 2690 random 2691 46 securely-generated random bytes. 2693 struct { 2694 public-key-encrypted PreMasterSecret pre_master_secret; 2695 } EncryptedPreMasterSecret; 2697 pre_master_secret 2698 This random value is generated by the client and is used to 2699 generate the master secret, as specified in 2700 [Section 8.1]. 2702 Note: The version number in the PreMasterSecret is the version 2703 offered by the client in the ClientHello.client_version, not the 2704 version negotiated for the connection. This feature is designed to 2705 prevent rollback attacks. Unfortunately, some old implementations 2706 use the negotiated version instead, and therefore checking the 2707 version number may lead to failure to interoperate with such 2708 incorrect client implementations. 2710 Client implementations MUST always send the correct version number in 2711 PreMasterSecret. If ClientHello.client_version is TLS 1.1 or higher, 2712 server implementations MUST check the version number as described in 2713 the note below. If the version number is TLS 1.0 or earlier, server 2714 implementations SHOULD check the version number, but MAY have a 2715 configuration option to disable the check. Note that if the check 2716 fails, the PreMasterSecret SHOULD be randomized as described below. 2718 Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al. 2719 [KPR03] can be used to attack a TLS server that reveals whether a 2720 particular message, when decrypted, is properly PKCS#1 formatted, 2721 contains a valid PreMasterSecret structure, or has the correct 2722 version number. 2724 As described by Klima [KPR03], these vulnerabilities can be avoided 2725 by treating incorrectly formatted message blocks and/or mismatched 2726 version numbers in a manner indistinguishable from correctly 2727 formatted RSA blocks. In other words: 2729 1. Generate a string R of 46 random bytes 2731 2. Decrypt the message to recover the plaintext M 2733 3. If the PKCS#1 padding is not correct, or the length of message M 2734 is not exactly 48 bytes: 2736 pre_master_secret = ClientHello.client_version || R 2738 else If ClientHello.client_version <= TLS 1.0, and version number 2739 check is explicitly disabled: 2741 pre_master_secret = M 2743 else: 2745 pre_master_secret = ClientHello.client_version || M[2..47] 2747 Note that explicitly constructing the pre_master_secret with the 2748 ClientHello.client_version produces an invalid master_secret if the 2749 client has sent the wrong version in the original pre_master_secret. 2751 An alternative approach is to treat a version number mismatch as a 2752 PKCS-1 formatting error and randomize the premaster secret 2753 completely: 2755 1. Generate a string R of 48 random bytes 2757 2. Decrypt the message to recover the plaintext M 2759 3. If the PKCS#1 padding is not correct, or the length of message M 2760 is not exactly 48 bytes: 2762 pre_master_secret = R 2764 else If ClientHello.client_version <= TLS 1.0, and version number 2765 check is explicitly disabled: 2767 premaster secret = M 2768 else If M[0..1] != ClientHello.client_version: 2770 premaster secret = R 2772 else: 2774 premaster secret = M 2776 Although no practical attacks against this construction are known, 2777 Klima et al. [KPR03] describe some theoretical attacks, and 2778 therefore the first construction described is RECOMMENDED. 2780 In any case, a TLS server MUST NOT generate an alert if processing an 2781 RSA-encrypted premaster secret message fails, or the version number 2782 is not as expected. Instead, it MUST continue the handshake with a 2783 randomly generated premaster secret. It may be useful to log the 2784 real cause of failure for troubleshooting purposes; however, care 2785 must be taken to avoid leaking the information to an attacker 2786 (through, e.g., timing, log files, or other channels.) 2788 The RSAES-OAEP encryption scheme defined in [RFC3447] is more secure 2789 against the Bleichenbacher attack. However, for maximal 2790 compatibility with earlier versions of TLS, this specification uses 2791 the RSAES-PKCS1-v1_5 scheme. No variants of the Bleichenbacher 2792 attack are known to exist provided that the above recommendations are 2793 followed. 2795 Implementation note: Public-key-encrypted data is represented as an 2796 opaque vector <0..2^16-1> (see Section 4.7). Thus, the RSA-encrypted 2797 PreMasterSecret in a ClientKeyExchange is preceded by two length 2798 bytes. These bytes are redundant in the case of RSA because the 2799 EncryptedPreMasterSecret is the only data in the ClientKeyExchange 2800 and its length can therefore be unambiguously determined. The SSLv3 2801 specification was not clear about the encoding of public-key- 2802 encrypted data, and therefore many SSLv3 implementations do not 2803 include the length bytes -- they encode the RSA-encrypted data 2804 directly in the ClientKeyExchange message. 2806 This specification requires correct encoding of the 2807 EncryptedPreMasterSecret complete with length bytes. The resulting 2808 PDU is incompatible with many SSLv3 implementations. Implementors 2809 upgrading from SSLv3 MUST modify their implementations to generate 2810 and accept the correct encoding. Implementors who wish to be 2811 compatible with both SSLv3 and TLS should make their implementation's 2812 behavior dependent on the protocol version. 2814 Implementation note: It is now known that remote timing-based attacks 2815 on TLS are possible, at least when the client and server are on the 2816 same LAN. Accordingly, implementations that use static RSA keys MUST 2817 use RSA blinding or some other anti-timing technique, as described in 2818 [TIMING]. 2820 7.4.7.2. Client Diffie-Hellman Public Value 2822 Meaning of this message: 2824 This structure conveys the client's Diffie-Hellman public value 2825 (Yc) if it was not already included in the client's certificate. 2826 The encoding used for Yc is determined by the enumerated 2827 PublicValueEncoding. This structure is a variant of the client 2828 key exchange message, and not a message in itself. 2830 Structure of this message: 2832 enum { implicit, explicit } PublicValueEncoding; 2834 implicit 2835 If the client has sent a certificate which contains a suitable 2836 Diffie-Hellman key (for fixed_dh client authentication), then 2837 Yc is implicit and does not need to be sent again. In this 2838 case, the client key exchange message will be sent, but it MUST 2839 be empty. 2841 explicit 2842 Yc needs to be sent. 2844 struct { 2845 select (PublicValueEncoding) { 2846 case implicit: struct { }; 2847 case explicit: opaque dh_Yc<1..2^16-1>; 2848 } dh_public; 2849 } ClientDiffieHellmanPublic; 2851 dh_Yc 2852 The client's Diffie-Hellman public value (Yc). 2854 7.4.8. Certificate Verify 2856 When this message will be sent: 2858 This message is used to provide explicit verification of a client 2859 certificate. This message is only sent following a client 2860 certificate that has signing capability (i.e., all certificates 2861 except those containing fixed Diffie-Hellman parameters). When 2862 sent, it MUST immediately follow the client key exchange message. 2864 Structure of this message: 2866 struct { 2867 digitally-signed struct { 2868 opaque handshake_messages[handshake_messages_length]; 2869 } 2870 } CertificateVerify; 2872 Here handshake_messages refers to all handshake messages sent or 2873 received, starting at client hello and up to, but not including, 2874 this message, including the type and length fields of the 2875 handshake messages. This is the concatenation of all the 2876 Handshake structures (as defined in Section 7.4) exchanged thus 2877 far. Note that this requires both sides to either buffer the 2878 messages or compute running hashes for all potential hash 2879 algorithms up to the time of the CertificateVerify computation. 2880 Servers can minimize this computation cost by offering a 2881 restricted set of digest algorithms in the CertificateRequest 2882 message. 2884 The hash and signature algorithms used in the signature MUST be 2885 one of those present in the supported_signature_algorithms field 2886 of the CertificateRequest message. In addition, the hash and 2887 signature algorithms MUST be compatible with the key in the 2888 client's end-entity certificate. RSA keys MAY be used with any 2889 permitted hash algorithm, subject to restrictions in the 2890 certificate, if any. 2892 Because DSA signatures do not contain any secure indication of 2893 hash algorithm, there is a risk of hash substitution if multiple 2894 hashes may be used with any key. Currently, DSA [DSS] may only be 2895 used with SHA-1. Future revisions of DSS [DSS-3] are expected to 2896 allow the use of other digest algorithms with DSA, as well as 2897 guidance as to which digest algorithms should be used with each 2898 key size. In addition, future revisions of [RFC3280] may specify 2899 mechanisms for certificates to indicate which digest algorithms 2900 are to be used with DSA. 2902 7.4.9. Finished 2904 When this message will be sent: 2906 A Finished message is always sent immediately after a change 2907 cipher spec message to verify that the key exchange and 2908 authentication processes were successful. It is essential that a 2909 change cipher spec message be received between the other handshake 2910 messages and the Finished message. 2912 Meaning of this message: 2914 The Finished message is the first one protected with the just 2915 negotiated algorithms, keys, and secrets. Recipients of Finished 2916 messages MUST verify that the contents are correct. Once a side 2917 has sent its Finished message and received and validated the 2918 Finished message from its peer, it may begin to send and receive 2919 application data over the connection. 2921 Structure of this message: 2923 struct { 2924 opaque verify_data[verify_data_length]; 2925 } Finished; 2927 verify_data 2928 PRF(master_secret, finished_label, Hash(handshake_messages)) 2929 [0..verify_data_length-1]; 2931 finished_label 2932 For Finished messages sent by the client, the string 2933 "client finished". For Finished messages sent by the server, 2934 the string "server finished". 2936 Hash denotes a Hash of the handshake messages. For the PRF 2937 defined in Section 5, the Hash MUST be the Hash used as the basis 2938 for the PRF. Any cipher suite which defines a different PRF MUST 2939 also define the Hash to use in the Finished computation. 2941 In previous versions of TLS, the verify_data was always 12 octets 2942 long. In the current version of TLS, it depends on the cipher 2943 suite. Any cipher suite which does not explicitly specify 2944 verify_data_length has a verify_data_length equal to 12. This 2945 includes all existing cipher suites. Note that this 2946 representation has the same encoding as with previous versions. 2947 Future cipher suites MAY specify other lengths but such length 2948 MUST be at least 12 bytes. 2950 handshake_messages 2951 All of the data from all messages in this handshake (not including 2952 any HelloRequest messages) up to, but not including, this message. 2953 This is only data visible at the handshake layer and does not 2954 include record layer headers. This is the concatenation of all 2955 the Handshake structures as defined in Section 7.4, exchanged thus 2956 far. 2958 It is a fatal error if a Finished message is not preceded by a 2959 ChangeCipherSpec message at the appropriate point in the handshake. 2961 The value handshake_messages includes all handshake messages starting 2962 at ClientHello up to, but not including, this Finished message. This 2963 may be different from handshake_messages in Section 7.4.8 because it 2964 would include the CertificateVerify message (if sent). Also, the 2965 handshake_messages for the Finished message sent by the client will 2966 be different from that for the Finished message sent by the server, 2967 because the one that is sent second will include the prior one. 2969 Note: ChangeCipherSpec messages, alerts, and any other record types 2970 are not handshake messages and are not included in the hash 2971 computations. Also, HelloRequest messages are omitted from handshake 2972 hashes. 2974 8. Cryptographic Computations 2976 In order to begin connection protection, the TLS Record Protocol 2977 requires specification of a suite of algorithms, a master secret, and 2978 the client and server random values. The authentication, encryption, 2979 and MAC algorithms are determined by the cipher_suite selected by the 2980 server and revealed in the ServerHello message. The compression 2981 algorithm is negotiated in the hello messages, and the random values 2982 are exchanged in the hello messages. All that remains is to 2983 calculate the master secret. 2985 8.1. Computing the Master Secret 2987 For all key exchange methods, the same algorithm is used to convert 2988 the pre_master_secret into the master_secret. The pre_master_secret 2989 should be deleted from memory once the master_secret has been 2990 computed. 2992 master_secret = PRF(pre_master_secret, "master secret", 2993 ClientHello.random + ServerHello.random) 2994 [0..47]; 2996 The master secret is always exactly 48 bytes in length. The length 2997 of the premaster secret will vary depending on key exchange method. 2999 8.1.1. RSA 3001 When RSA is used for server authentication and key exchange, a 48- 3002 byte pre_master_secret is generated by the client, encrypted under 3003 the server's public key, and sent to the server. The server uses its 3004 private key to decrypt the pre_master_secret. Both parties then 3005 convert the pre_master_secret into the master_secret, as specified 3006 above. 3008 8.1.2. Diffie-Hellman 3010 A conventional Diffie-Hellman computation is performed. The 3011 negotiated key (Z) is used as the pre_master_secret, and is converted 3012 into the master_secret, as specified above. Leading bytes of Z that 3013 contain all zero bits are stripped before it is used as the 3014 pre_master_secret. 3016 Note: Diffie-Hellman parameters are specified by the server and may 3017 be either ephemeral or contained within the server's certificate. 3019 9. Mandatory Cipher Suites 3021 In the absence of an application profile standard specifying 3022 otherwise, a TLS-compliant application MUST implement the cipher 3023 suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the 3024 definition). 3026 10. Application Data Protocol 3028 Application data messages are carried by the record layer and are 3029 fragmented, compressed, and encrypted based on the current connection 3030 state. The messages are treated as transparent data to the record 3031 layer. 3033 11. Security Considerations 3035 Security issues are discussed throughout this memo, especially in 3036 Appendices D, E, and F. 3038 12. IANA Considerations 3040 This document uses several registries that were originally created in 3041 [RFC4346]. IANA has updated these to reference this document. The 3042 registries and their allocation policies (unchanged from [RFC4346]) 3043 are listed below. 3045 - TLS ClientCertificateType Identifiers Registry: Future values in 3046 the range 0-63 (decimal) inclusive are assigned via Standards 3047 Action [RFC2434]. Values in the range 64-223 (decimal) inclusive 3048 are assigned via Specification Required [RFC2434]. Values from 3049 224-255 (decimal) inclusive are reserved for Private Use 3050 [RFC2434]. 3052 - TLS Cipher Suite Registry: Future values with the first byte in 3053 the range 0-191 (decimal) inclusive are assigned via Standards 3054 Action [RFC2434]. Values with the first byte in the range 192-254 3055 (decimal) are assigned via Specification Required [RFC2434]. 3056 Values with the first byte 255 (decimal) are reserved for Private 3057 Use [RFC2434]. 3059 - This document defines several new HMAC-SHA256-based cipher suites, 3060 whose values (in Appendix A.5) have been allocated from the TLS 3061 Cipher Suite registry. 3063 - TLS ContentType Registry: Future values are allocated via 3064 Standards Action [RFC2434]. 3066 - TLS Alert Registry: Future values are allocated via Standards 3067 Action [RFC2434]. 3069 - TLS HandshakeType Registry: Future values are allocated via 3070 Standards Action [RFC2434]. 3072 This document also uses a registry originally created in [RFC4366]. 3073 IANA has updated it to reference this document. The registry and its 3074 allocation policy (unchanged from [RFC4366]) is listed below: 3076 - TLS ExtensionType Registry: Future values are allocated via IETF 3077 Consensus [RFC2434]. IANA has updated this registry to include 3078 the signature_algorithms extension and its corresponding value 3079 (see Section 7.4.1.4). 3081 In addition, this document defines two new registries to be 3082 maintained by IANA: 3084 - TLS SignatureAlgorithm Registry: The registry has been initially 3085 populated with the values described in Section 7.4.1.4.1. Future 3086 values in the range 0-63 (decimal) inclusive are assigned via 3087 Standards Action [RFC2434]. Values in the range 64-223 (decimal) 3088 inclusive are assigned via Specification Required [RFC2434]. 3089 Values from 224-255 (decimal) inclusive are reserved for Private 3090 Use [RFC2434]. 3092 - TLS HashAlgorithm Registry: The registry has been initially 3093 populated with the values described in Section 7.4.1.4.1. Future 3094 values in the range 0-63 (decimal) inclusive are assigned via 3095 Standards Action [RFC2434]. Values in the range 64-223 (decimal) 3096 inclusive are assigned via Specification Required [RFC2434]. 3097 Values from 224-255 (decimal) inclusive are reserved for Private 3098 Use [RFC2434]. 3100 This document also uses the TLS Compression Method Identifiers 3101 Registry, defined in [RFC3749]. IANA has allocated value 0 for the 3102 "null" compression method. 3104 13. References 3106 13.1. Normative References 3108 [AES] National Institute of Standards and Technology, 3109 "Specification for the Advanced Encryption Standard 3110 (AES)", NIST FIPS 197, November 2001. 3112 [DSS] National Institute of Standards and Technology, U.S. 3113 Department of Commerce, "Digital Signature Standard", 3114 NIST FIPS PUB 186-2, 2000. 3116 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", 3117 RFC 1321, April 1992. 3119 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 3120 Hashing for Message Authentication", RFC 2104, 3121 February 1997. 3123 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3124 Requirement Levels", BCP 14, RFC 2119, March 1997. 3126 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an 3127 IANA Considerations Section in RFCs", BCP 26, RFC 2434, 3128 October 1998. 3130 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet 3131 X.509 Public Key Infrastructure Certificate and 3132 Certificate Revocation List (CRL) Profile", RFC 3280, 3133 April 2002. 3135 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 3136 Standards (PKCS) #1: RSA Cryptography Specifications 3137 Version 2.1", RFC 3447, February 2003. 3139 [SCH] Schneier, B., "Applied Cryptography: Protocols, 3140 Algorithms, and Source Code in C, 2nd ed.", 1996. 3142 [SHS] National Institute of Standards and Technology, U.S. 3143 Department of Commerce, "Secure Hash Standard", 3144 NIST FIPS PUB 180-2, August 2002. 3146 [TRIPLEDES] National Institute of Standards and Technology, 3147 "Recommendation for the Triple Data Encryption Algorithm 3148 (TDEA) Block Cipher", NIST Special Publication 800-67, 3149 May 2004. 3151 [X680] ITU-T, "Information technology - Abstract Syntax 3152 Notation One (ASN.1): Specification of basic notation", 3153 ISO/IEC 8824-1:2002, 2002. 3155 [X690] ITU-T, "Information technology - ASN.1 encoding Rules: 3156 Specification of Basic Encoding Rules (BER), Canonical 3157 Encoding Rules (CER) and Distinguished Encoding Rules 3158 (DER)", ISO/IEC 8825-1:2002, 2002. 3160 13.2. Informative References 3162 [BLEI] Bleichenbacher, D., "Chosen Ciphertext Attacks against 3163 Protocols Based on RSA Encryption Standard PKCS", 3164 CRYPTO98 LNCS vol. 1462, pages: 1-12, 1998, Advances in 3165 Cryptology, 1998. 3167 [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS: 3168 Problems and Countermeasures", May 2004, 3169 . 3171 [CBCTIME] Canvel, B., Hiltgen, A., Vaudenay, S., and M. Vuagnoux, 3172 "Password Interception in a SSL/TLS Channel", CRYPTO 3173 2003 LNCS vol. 2729, 2003. 3175 [CCM] "NIST Special Publication 800-38C: The CCM Mode for 3176 Authentication and Confidentiality", May 2004, . 3180 [DES] "Data Encryption Standard (DES)", NIST FIPS PUB 46-3, 3181 October 1999. 3183 [DSS-3] National Institute of Standards and Technology, U.S., 3184 "Digital Signature Standard", NIST FIPS PUB 186-3 Draft, 3185 2006. 3187 [ECDSA] American National Standards Institute, "Public Key 3188 Cryptography for the Financial Services Industry: The 3189 Elliptic Curve Digital Signature Algorithm (ECDSA)", 3190 ANSI ANS X9.62-2005, November 2005. 3192 [ENCAUTH] Krawczyk, H., "The Order of Encryption and 3193 Authentication for Protecting Communications (Or: How 3194 Secure is SSL?)", 2001. 3196 [FI06] "Bleichenbacher's RSA signature forgery based on 3197 implementation error", August 2006, . 3200 [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of 3201 Operation: Galois/Counter Mode (GCM) and GMAC", 3202 NIST Special Publication 800-38D, November 2007. 3204 [KPR03] Klima, V., Pokorny, O., and T. Rosa, "Attacking RSA- 3205 based Sessions in SSL/TLS", March 2003, 3206 . 3208 [PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate 3209 Syntax Standard, version 1.5", November 1993. 3211 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message 3212 Syntax Standard, version 1.5", November 1993. 3214 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 3215 RFC 793, September 1981. 3217 [RFC1948] Bellovin, S., "Defending Against Sequence Number 3218 Attacks", RFC 1948, May 1996. 3220 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 3221 RFC 2246, January 1999. 3223 [RFC2785] Zuccherato, R., "Methods for Avoiding the "Small- 3224 Subgroup" Attacks on the Diffie-Hellman Key Agreement 3225 Method for S/MIME", RFC 2785, March 2000. 3227 [RFC3268] Chown, P., "Advanced Encryption Standard (AES) 3228 Ciphersuites for Transport Layer Security (TLS)", 3229 RFC 3268, June 2002. 3231 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential 3232 (MODP) Diffie-Hellman groups for Internet Key Exchange 3233 (IKE)", RFC 3526, May 2003. 3235 [RFC3749] Hollenbeck, S., "Transport Layer Security Protocol 3236 Compression Methods", RFC 3749, May 2004. 3238 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For 3239 Public Keys Used For Exchanging Symmetric Keys", BCP 86, 3240 RFC 3766, April 2004. 3242 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 3243 Requirements for Security", BCP 106, RFC 4086, 3244 June 2005. 3246 [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key 3247 Ciphersuites for Transport Layer Security (TLS)", 3248 RFC 4279, December 2005. 3250 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, 3251 December 2005. 3253 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 3254 RFC 4303, December 2005. 3256 [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the 3257 Internet Key Exchange Version 2 (IKEv2)", RFC 4307, 3258 December 2005. 3260 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer 3261 Security (TLS) Protocol Version 1.1", RFC 4346, 3262 April 2006. 3264 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, 3265 J., and T. Wright, "Transport Layer Security (TLS) 3266 Extensions", RFC 4366, April 2006. 3268 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and 3269 B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher 3270 Suites for Transport Layer Security (TLS)", RFC 4492, 3271 May 2006. 3273 [RFC4506] Eisler, M., "XDR: External Data Representation 3274 Standard", STD 67, RFC 4506, May 2006. 3276 [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport 3277 Layer Security (TLS) Authentication", RFC 5081, 3278 November 2007. 3280 [RFC5116] McGrew, D., "An Interface and Algorithms for 3281 Authenticated Encryption", RFC 5116, January 2008. 3283 [RSA] Rivest, R., Shamir, A., and L. Adleman, "A Method for 3284 Obtaining Digital Signatures and Public-Key 3285 Cryptosystems", Communications of the ACM v. 21, n. 2, 3286 pp. 120-126., February 1978. 3288 [SSL2] Netscape Communications Corp., "The SSL Protocol", 3289 February 1995. 3291 [SSL3] Freier, A., Karlton, P., and P. Kocher, "The SSL 3.0 3292 Protocol", November 1996. 3294 [TIMING] Boneh, D. and D. Brumley, "Remote timing attacks are 3295 practical", USENIX Security Symposium, 2003. 3297 [TLSEXT] Eastlake 3rd, D., "Transport Layer Security (TLS) 3298 Extensions: Extension Definitions", February 2008. 3300 [X501] "Information Technology - Open Systems Interconnection - 3301 The Directory: Models", ITU-T X.501, 1993. 3303 URIs 3305 [1] 3307 Appendix A. Protocol Data Structures and Constant Values 3309 This section describes protocol types and constants. 3311 A.1. Record Layer 3313 struct { 3314 uint8 major; 3315 uint8 minor; 3316 } ProtocolVersion; 3318 ProtocolVersion version = { 3, 3 }; /* TLS v1.2*/ 3320 enum { 3321 change_cipher_spec(20), alert(21), handshake(22), 3322 application_data(23), (255) 3323 } ContentType; 3325 struct { 3326 ContentType type; 3327 ProtocolVersion version; 3328 uint16 length; 3329 opaque fragment[TLSPlaintext.length]; 3330 } TLSPlaintext; 3332 struct { 3333 ContentType type; 3334 ProtocolVersion version; 3335 uint16 length; 3336 opaque fragment[TLSCompressed.length]; 3337 } TLSCompressed; 3339 struct { 3340 ContentType type; 3341 ProtocolVersion version; 3342 uint16 length; 3343 select (SecurityParameters.cipher_type) { 3344 case stream: GenericStreamCipher; 3345 case block: GenericBlockCipher; 3346 case aead: GenericAEADCipher; 3347 } fragment; 3348 } TLSCiphertext; 3350 stream-ciphered struct { 3351 opaque content[TLSCompressed.length]; 3352 opaque MAC[SecurityParameters.mac_length]; 3353 } GenericStreamCipher; 3355 struct { 3356 opaque IV[SecurityParameters.record_iv_length]; 3357 block-ciphered struct { 3358 opaque content[TLSCompressed.length]; 3359 opaque MAC[SecurityParameters.mac_length]; 3360 uint8 padding[GenericBlockCipher.padding_length]; 3361 uint8 padding_length; 3362 }; 3363 } GenericBlockCipher; 3365 struct { 3366 opaque nonce_explicit[SecurityParameters.record_iv_length]; 3367 aead-ciphered struct { 3368 opaque content[TLSCompressed.length]; 3369 }; 3370 } GenericAEADCipher; 3372 A.2. Change Cipher Specs Message 3374 struct { 3375 enum { change_cipher_spec(1), (255) } type; 3376 } ChangeCipherSpec; 3378 A.3. Alert Messages 3380 enum { warning(1), fatal(2), (255) } AlertLevel; 3382 enum { 3383 close_notify(0), 3384 unexpected_message(10), 3385 bad_record_mac(20), 3386 decryption_failed_RESERVED(21), 3387 record_overflow(22), 3388 decompression_failure(30), 3389 handshake_failure(40), 3390 no_certificate_RESERVED(41), 3391 bad_certificate(42), 3392 unsupported_certificate(43), 3393 certificate_revoked(44), 3394 certificate_expired(45), 3395 certificate_unknown(46), 3396 illegal_parameter(47), 3397 unknown_ca(48), 3398 access_denied(49), 3399 decode_error(50), 3400 decrypt_error(51), 3401 export_restriction_RESERVED(60), 3402 protocol_version(70), 3403 insufficient_security(71), 3404 internal_error(80), 3405 user_canceled(90), 3406 no_renegotiation(100), 3407 unsupported_extension(110), /* new */ 3408 (255) 3409 } AlertDescription; 3411 struct { 3412 AlertLevel level; 3413 AlertDescription description; 3414 } Alert; 3416 A.4. Handshake Protocol 3418 enum { 3419 hello_request(0), client_hello(1), server_hello(2), 3420 certificate(11), server_key_exchange (12), 3421 certificate_request(13), server_hello_done(14), 3422 certificate_verify(15), client_key_exchange(16), 3423 finished(20) 3424 (255) 3425 } HandshakeType; 3427 struct { 3428 HandshakeType msg_type; 3429 uint24 length; 3430 select (HandshakeType) { 3431 case hello_request: HelloRequest; 3432 case client_hello: ClientHello; 3433 case server_hello: ServerHello; 3434 case certificate: Certificate; 3435 case server_key_exchange: ServerKeyExchange; 3436 case certificate_request: CertificateRequest; 3437 case server_hello_done: ServerHelloDone; 3438 case certificate_verify: CertificateVerify; 3439 case client_key_exchange: ClientKeyExchange; 3440 case finished: Finished; 3441 } body; 3442 } Handshake; 3444 A.4.1. Hello Messages 3446 struct { } HelloRequest; 3448 struct { 3449 uint32 gmt_unix_time; 3450 opaque random_bytes[28]; 3451 } Random; 3453 opaque SessionID<0..32>; 3455 uint8 CipherSuite[2]; 3457 enum { null(0), (255) } CompressionMethod; 3459 struct { 3460 ProtocolVersion client_version; 3461 Random random; 3462 SessionID session_id; 3463 CipherSuite cipher_suites<2..2^16-2>; 3464 CompressionMethod compression_methods<1..2^8-1>; 3465 select (extensions_present) { 3466 case false: 3467 struct {}; 3468 case true: 3469 Extension extensions<0..2^16-1>; 3470 }; 3471 } ClientHello; 3473 struct { 3474 ProtocolVersion server_version; 3475 Random random; 3476 SessionID session_id; 3477 CipherSuite cipher_suite; 3478 CompressionMethod compression_method; 3479 select (extensions_present) { 3480 case false: 3481 struct {}; 3482 case true: 3483 Extension extensions<0..2^16-1>; 3484 }; 3485 } ServerHello; 3487 struct { 3488 ExtensionType extension_type; 3489 opaque extension_data<0..2^16-1>; 3490 } Extension; 3492 enum { 3493 signature_algorithms(13), (65535) 3494 } ExtensionType; 3496 enum{ 3497 none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 3498 sha512(6), (255) 3499 } HashAlgorithm; 3500 enum { 3501 anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) 3502 } SignatureAlgorithm; 3504 struct { 3505 HashAlgorithm hash; 3506 SignatureAlgorithm signature; 3507 } SignatureAndHashAlgorithm; 3509 SignatureAndHashAlgorithm 3510 supported_signature_algorithms<2..2^16-1>; 3512 A.4.2. Server Authentication and Key Exchange Messages 3514 opaque ASN.1Cert<2^24-1>; 3516 struct { 3517 ASN.1Cert certificate_list<0..2^24-1>; 3518 } Certificate; 3520 enum { dhe_dss, dhe_rsa, dh_anon, rsa,dh_dss, dh_rsa 3521 /* may be extended, e.g., for ECDH -- see [TLSECC] */ 3522 } KeyExchangeAlgorithm; 3524 struct { 3525 opaque dh_p<1..2^16-1>; 3526 opaque dh_g<1..2^16-1>; 3527 opaque dh_Ys<1..2^16-1>; 3528 } ServerDHParams; /* Ephemeral DH parameters */ 3530 struct { 3531 select (KeyExchangeAlgorithm) { 3532 case dh_anon: 3533 ServerDHParams params; 3534 case dhe_dss: 3535 case dhe_rsa: 3536 ServerDHParams params; 3537 digitally-signed struct { 3538 opaque client_random[32]; 3539 opaque server_random[32]; 3540 ServerDHParams params; 3541 } signed_params; 3542 case rsa: 3543 case dh_dss: 3544 case dh_rsa: 3545 struct {} ; 3546 /* message is omitted for rsa, dh_dss, and dh_rsa */ 3547 /* may be extended, e.g., for ECDH --- see [RFC4492] */ 3548 } ServerKeyExchange; 3550 enum { 3551 rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), 3552 rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6), 3553 fortezza_dms_RESERVED(20), 3554 (255) 3555 } ClientCertificateType; 3557 opaque DistinguishedName<1..2^16-1>; 3559 struct { 3560 ClientCertificateType certificate_types<1..2^8-1>; 3561 DistinguishedName certificate_authorities<0..2^16-1>; 3562 } CertificateRequest; 3564 struct { } ServerHelloDone; 3566 A.4.3. Client Authentication and Key Exchange Messages 3568 struct { 3569 select (KeyExchangeAlgorithm) { 3570 case rsa: 3571 EncryptedPreMasterSecret; 3572 case dhe_dss: 3573 case dhe_rsa: 3574 case dh_dss: 3575 case dh_rsa: 3576 case dh_anon: 3577 ClientDiffieHellmanPublic; 3578 } exchange_keys; 3579 } ClientKeyExchange; 3581 struct { 3582 ProtocolVersion client_version; 3583 opaque random[46]; 3584 } PreMasterSecret; 3586 struct { 3587 public-key-encrypted PreMasterSecret pre_master_secret; 3588 } EncryptedPreMasterSecret; 3590 enum { implicit, explicit } PublicValueEncoding; 3592 struct { 3593 select (PublicValueEncoding) { 3594 case implicit: struct {}; 3595 case explicit: opaque DH_Yc<1..2^16-1>; 3596 } dh_public; 3597 } ClientDiffieHellmanPublic; 3599 struct { 3600 digitally-signed struct { 3601 opaque handshake_messages[handshake_messages_length]; 3602 } 3603 } CertificateVerify; 3605 A.4.4. Handshake Finalization Message 3607 struct { 3608 opaque verify_data[verify_data_length]; 3609 } Finished; 3611 A.5. The Cipher Suite 3613 The following values define the cipher suite codes used in the 3614 ClientHello and ServerHello messages. 3616 A cipher suite defines a cipher specification supported in TLS 3617 Version 1.2. 3619 TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a 3620 TLS connection during the first handshake on that channel, but MUST 3621 NOT be negotiated, as it provides no more protection than an 3622 unsecured connection. 3624 CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 }; 3626 The following CipherSuite definitions require that the server provide 3627 an RSA certificate that can be used for key exchange. The server may 3628 request any signature-capable certificate in the certificate request 3629 message. 3631 CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 }; 3632 CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 }; 3633 CipherSuite TLS_RSA_WITH_NULL_SHA256 = { 0x00,0x3B }; 3634 CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 }; 3635 CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 }; 3636 CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A }; 3637 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x2F }; 3638 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x35 }; 3639 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,0x3C }; 3640 CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x3D }; 3642 The following cipher suite definitions are used for server- 3643 authenticated (and optionally client-authenticated) Diffie-Hellman. 3644 DH denotes cipher suites in which the server's certificate contains 3645 the Diffie-Hellman parameters signed by the certificate authority 3646 (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman 3647 parameters are signed by a signature-capable certificate, which has 3648 been signed by the CA. The signing algorithm used by the server is 3649 specified after the DHE component of the CipherSuite name. The 3650 server can request any signature-capable certificate from the client 3651 for client authentication, or it may request a Diffie-Hellman 3652 certificate. Any Diffie-Hellman certificate provided by the client 3653 must use the parameters (group and generator) described by the 3654 server. 3656 CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D }; 3657 CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 }; 3658 CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 }; 3659 CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 }; 3660 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00,0x30 }; 3661 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x31 }; 3662 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00,0x32 }; 3663 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00,0x33 }; 3664 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00,0x36 }; 3665 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x37 }; 3666 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00,0x38 }; 3667 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x39 }; 3668 CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = { 0x00,0x3E }; 3669 CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,0x3F }; 3670 CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = { 0x00,0x40 }; 3671 CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = { 0x00,0x67 }; 3672 CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = { 0x00,0x68 }; 3673 CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x69 }; 3674 CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = { 0x00,0x6A }; 3675 CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x6B }; 3677 The following cipher suites are used for completely anonymous Diffie- 3678 Hellman communications in which neither party is authenticated. Note 3679 that this mode is vulnerable to man-in-the- middle attacks. Using 3680 this mode therefore is of limited use: These cipher suites MUST NOT 3681 be used by TLS 1.2 implementations unless the application layer has 3682 specifically requested to allow anonymous key exchange. (Anonymous 3683 key exchange may sometimes be acceptable, for example, to support 3684 opportunistic encryption when no set-up for authentication is in 3685 place, or when TLS is used as part of more complex security protocols 3686 that have other means to ensure authentication.) 3688 CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 }; 3689 CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B }; 3690 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00,0x34 }; 3691 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00,0x3A }; 3692 CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA256 = { 0x00,0x6C }; 3693 CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA256 = { 0x00,0x6D }; 3695 Note that using non-anonymous key exchange without actually verifying 3696 the key exchange is essentially equivalent to anonymous key exchange, 3697 and the same precautions apply. While non-anonymous key exchange 3698 will generally involve a higher computational and communicational 3699 cost than anonymous key exchange, it may be in the interest of 3700 interoperability not to disable non-anonymous key exchange when the 3701 application layer is allowing anonymous key exchange. 3703 New cipher suite values have been assigned by IANA as described in 3704 Section 12. 3706 Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are 3707 reserved to avoid collision with Fortezza-based cipher suites in SSL 3708 3. 3710 A.6. The Security Parameters 3712 These security parameters are determined by the TLS Handshake 3713 Protocol and provided as parameters to the TLS record layer in order 3714 to initialize a connection state. SecurityParameters includes: 3716 enum { null(0), (255) } CompressionMethod; 3718 enum { server, client } ConnectionEnd; 3720 enum { tls_prf_sha256 } PRFAlgorithm; 3722 enum { null, rc4, 3des, aes } BulkCipherAlgorithm; 3724 enum { stream, block, aead } CipherType; 3726 enum { null, hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, 3727 hmac_sha512} MACAlgorithm; 3729 /* Other values may be added to the algorithms specified in 3730 CompressionMethod, PRFAlgorithm, BulkCipherAlgorithm, and 3731 MACAlgorithm. */ 3733 struct { 3734 ConnectionEnd entity; 3735 PRFAlgorithm prf_algorithm; 3736 BulkCipherAlgorithm bulk_cipher_algorithm; 3737 CipherType cipher_type; 3738 uint8 enc_key_length; 3739 uint8 block_length; 3740 uint8 fixed_iv_length; 3741 uint8 record_iv_length; 3742 MACAlgorithm mac_algorithm; 3743 uint8 mac_length; 3744 uint8 mac_key_length; 3745 CompressionMethod compression_algorithm; 3746 opaque master_secret[48]; 3747 opaque client_random[32]; 3748 opaque server_random[32]; 3750 } SecurityParameters; 3752 A.7. Changes to RFC 4492 3754 RFC 4492 [RFC4492] adds Elliptic Curve cipher suites to TLS. This 3755 document changes some of the structures used in that document. This 3756 section details the required changes for implementors of both RFC 3757 4492 and TLS 1.2. Implementors of TLS 1.2 who are not implementing 3758 RFC 4492 do not need to read this section. 3760 This document adds a "signature_algorithm" field to the digitally- 3761 signed element in order to identify the signature and digest 3762 algorithms used to create a signature. This change applies to 3763 digital signatures formed using ECDSA as well, thus allowing ECDSA 3764 signatures to be used with digest algorithms other than SHA-1, 3765 provided such use is compatible with the certificate and any 3766 restrictions imposed by future revisions of [RFC3280]. 3768 As described in Section 7.4.2 and Section 7.4.6, the restrictions on 3769 the signature algorithms used to sign certificates are no longer tied 3770 to the cipher suite (when used by the server) or the 3771 ClientCertificateType (when used by the client). Thus, the 3772 restrictions on the algorithm used to sign certificates specified in 3773 Sections 2 and 3 of RFC 4492 are also relaxed. As in this document, 3774 the restrictions on the keys in the end-entity certificate remain. 3776 Appendix B. Glossary 3778 Advanced Encryption Standard (AES) 3779 AES [AES] is a widely used symmetric encryption algorithm. AES is 3780 a block cipher with a 128-, 192-, or 256-bit keys and a 16-byte 3781 block size. TLS currently only supports the 128- and 256-bit key 3782 sizes. 3784 application protocol 3785 An application protocol is a protocol that normally layers 3786 directly on top of the transport layer (e.g., TCP/IP). Examples 3787 include HTTP, TELNET, FTP, and SMTP. 3789 asymmetric cipher 3790 See public key cryptography. 3792 authenticated encryption with additional data (AEAD) 3793 A symmetric encryption algorithm that simultaneously provides 3794 confidentiality and message integrity. 3796 authentication 3797 Authentication is the ability of one entity to determine the 3798 identity of another entity. 3800 block cipher 3801 A block cipher is an algorithm that operates on plaintext in 3802 groups of bits, called blocks. 64 bits was, and 128 bits is, a 3803 common block size. 3805 bulk cipher 3806 A symmetric encryption algorithm used to encrypt large quantities 3807 of data. 3809 cipher block chaining (CBC) 3810 CBC is a mode in which every plaintext block encrypted with a 3811 block cipher is first exclusive-ORed with the previous ciphertext 3812 block (or, in the case of the first block, with the initialization 3813 vector). For decryption, every block is first decrypted, then 3814 exclusive-ORed with the previous ciphertext block (or IV). 3816 certificate 3817 As part of the X.509 protocol (a.k.a. ISO Authentication 3818 framework), certificates are assigned by a trusted Certificate 3819 Authority and provide a strong binding between a party's identity 3820 or some other attributes and its public key. 3822 client 3823 The application entity that initiates a TLS connection to a 3824 server. This may or may not imply that the client initiated the 3825 underlying transport connection. The primary operational 3826 difference between the server and client is that the server is 3827 generally authenticated, while the client is only optionally 3828 authenticated. 3830 client write key 3831 The key used to encrypt data written by the client. 3833 client write MAC key 3834 The secret data used to authenticate data written by the client. 3836 connection 3837 A connection is a transport (in the OSI layering model definition) 3838 that provides a suitable type of service. For TLS, such 3839 connections are peer-to-peer relationships. The connections are 3840 transient. Every connection is associated with one session. 3842 Data Encryption Standard 3843 DES [DES] still is a very widely used symmetric encryption 3844 algorithm although it is considered as rather weak now. DES is a 3845 block cipher with a 56-bit key and an 8-byte block size. Note 3846 that in TLS, for key generation purposes, DES is treated as having 3847 an 8-byte key length (64 bits), but it still only provides 56 bits 3848 of protection. (The low bit of each key byte is presumed to be 3849 set to produce odd parity in that key byte.) DES can also be 3850 operated in a mode [TRIPLEDES] where three independent keys and 3851 three encryptions are used for each block of data; this uses 168 3852 bits of key (24 bytes in the TLS key generation method) and 3853 provides the equivalent of 112 bits of security. 3855 Digital Signature Standard (DSS) 3856 A standard for digital signing, including the Digital Signing 3857 Algorithm, approved by the National Institute of Standards and 3858 Technology, defined in NIST FIPS PUB 186-2, "Digital Signature 3859 Standard", published January 2000 by the U.S. Department of 3860 Commerce [DSS]. A significant update [DSS-3] has been drafted and 3861 was published in March 2006. 3863 digital signatures 3864 Digital signatures utilize public key cryptography and one-way 3865 hash functions to produce a signature of the data that can be 3866 authenticated, and is difficult to forge or repudiate. 3868 handshake 3869 An initial negotiation between client and server that establishes 3870 the parameters of their transactions. 3872 Initialization Vector (IV) 3873 When a block cipher is used in CBC mode, the initialization vector 3874 is exclusive-ORed with the first plaintext block prior to 3875 encryption. 3877 Message Authentication Code (MAC) 3878 A Message Authentication Code is a one-way hash computed from a 3879 message and some secret data. It is difficult to forge without 3880 knowing the secret data. Its purpose is to detect if the message 3881 has been altered. 3883 master secret 3884 Secure secret data used for generating encryption keys, MAC 3885 secrets, and IVs. 3887 MD5 3888 MD5 [RFC1321] is a hashing function that converts an arbitrarily 3889 long data stream into a hash of fixed size (16 bytes). Due to 3890 significant progress in cryptanalysis, at the time of publication 3891 of this document, MD5 no longer can be considered a 'secure' 3892 hashing function. 3894 public key cryptography 3895 A class of cryptographic techniques employing two-key ciphers. 3896 Messages encrypted with the public key can only be decrypted with 3897 the associated private key. Conversely, messages signed with the 3898 private key can be verified with the public key. 3900 one-way hash function 3901 A one-way transformation that converts an arbitrary amount of data 3902 into a fixed-length hash. It is computationally hard to reverse 3903 the transformation or to find collisions. MD5 and SHA are 3904 examples of one-way hash functions. 3906 RC4 3907 A stream cipher invented by Ron Rivest. A compatible cipher is 3908 described in [SCH]. 3910 RSA 3911 A very widely used public key algorithm that can be used for 3912 either encryption or digital signing. [RSA] 3914 server 3915 The server is the application entity that responds to requests for 3916 connections from clients. See also "client". 3918 session 3919 A TLS session is an association between a client and a server. 3920 Sessions are created by the handshake protocol. Sessions define a 3921 set of cryptographic security parameters that can be shared among 3922 multiple connections. Sessions are used to avoid the expensive 3923 negotiation of new security parameters for each connection. 3925 session identifier 3926 A session identifier is a value generated by a server that 3927 identifies a particular session. 3929 server write key 3930 The key used to encrypt data written by the server. 3932 server write MAC key 3933 The secret data used to authenticate data written by the server. 3935 SHA 3936 The Secure Hash Algorithm [SHS] is defined in FIPS PUB 180-2. It 3937 produces a 20-byte output. Note that all references to SHA 3938 (without a numerical suffix) actually use the modified SHA-1 3939 algorithm. 3941 SHA-256 3942 The 256-bit Secure Hash Algorithm is defined in FIPS PUB 180-2. 3943 It produces a 32-byte output. 3945 SSL 3946 Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on 3947 SSL Version 3.0. 3949 stream cipher 3950 An encryption algorithm that converts a key into a 3951 cryptographically strong keystream, which is then exclusive-ORed 3952 with the plaintext. 3954 symmetric cipher 3955 See bulk cipher. 3957 Transport Layer Security (TLS) 3958 This protocol; also, the Transport Layer Security working group of 3959 the Internet Engineering Task Force (IETF). See "Working Group 3960 Information" at the end of this document (see page 99). 3962 Appendix C. Cipher Suite Definitions 3964 Cipher Suite Key Cipher Mac 3965 Exchange 3967 TLS_NULL_WITH_NULL_NULL NULL NULL NULL 3968 TLS_RSA_WITH_NULL_MD5 RSA NULL MD5 3969 TLS_RSA_WITH_NULL_SHA RSA NULL SHA 3970 TLS_RSA_WITH_NULL_SHA256 RSA NULL SHA256 3971 TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5 3972 TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA 3973 TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA 3974 TLS_RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA 3975 TLS_RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA 3976 TLS_RSA_WITH_AES_128_CBC_SHA256 RSA AES_128_CBC SHA256 3977 TLS_RSA_WITH_AES_256_CBC_SHA256 RSA AES_256_CBC SHA256 3978 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA 3979 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA 3980 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA 3981 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA 3982 TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5 3983 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA 3984 TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA 3985 TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA 3986 TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA 3987 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA 3988 TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA 3989 TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA 3990 TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA 3991 TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA 3992 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA 3993 TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA 3994 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH_DSS AES_128_CBC SHA256 3995 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH_RSA AES_128_CBC SHA256 3996 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE_DSS AES_128_CBC SHA256 3997 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE_RSA AES_128_CBC SHA256 3998 TLS_DH_anon_WITH_AES_128_CBC_SHA256 DH_anon AES_128_CBC SHA256 3999 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH_DSS AES_256_CBC SHA256 4000 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH_RSA AES_256_CBC SHA256 4001 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE_DSS AES_256_CBC SHA256 4002 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE_RSA AES_256_CBC SHA256 4003 TLS_DH_anon_WITH_AES_256_CBC_SHA256 DH_anon AES_256_CBC SHA256 4005 Key IV Block 4006 Cipher Type Material Size Size 4007 ------------ ------ -------- ---- ----- 4008 NULL Stream 0 0 N/A 4009 RC4_128 Stream 16 0 N/A 4010 3DES_EDE_CBC Block 24 8 8 4011 AES_128_CBC Block 16 16 16 4012 AES_256_CBC Block 32 16 16 4014 MAC Algorithm mac_length mac_key_length 4015 -------- ----------- ---------- -------------- 4016 NULL N/A 0 0 4017 MD5 HMAC-MD5 16 16 4018 SHA HMAC-SHA1 20 20 4019 SHA256 HMAC-SHA256 32 32 4021 Type 4022 Indicates whether this is a stream cipher or a block cipher 4023 running in CBC mode. 4025 Key Material 4026 The number of bytes from the key_block that are used for 4027 generating the write keys. 4029 IV Size 4030 The amount of data needed to be generated for the initialization 4031 vector. Zero for stream ciphers; equal to the block size for 4032 block ciphers (this is equal to 4033 SecurityParameters.record_iv_length). 4035 Block Size 4036 The amount of data a block cipher enciphers in one chunk; a block 4037 cipher running in CBC mode can only encrypt an even multiple of 4038 its block size. 4040 Appendix D. Implementation Notes 4042 The TLS protocol cannot prevent many common security mistakes. This 4043 section provides several recommendations to assist implementors. 4045 D.1. Random Number Generation and Seeding 4047 TLS requires a cryptographically secure pseudorandom number generator 4048 (PRNG). Care must be taken in designing and seeding PRNGs. PRNGs 4049 based on secure hash operations, most notably SHA-1, are acceptable, 4050 but cannot provide more security than the size of the random number 4051 generator state. 4053 To estimate the amount of seed material being produced, add the 4054 number of bits of unpredictable information in each seed byte. For 4055 example, keystroke timing values taken from a PC compatible's 18.2 Hz 4056 timer provide 1 or 2 secure bits each, even though the total size of 4057 the counter value is 16 bits or more. Seeding a 128-bit PRNG would 4058 thus require approximately 100 such timer values. 4060 [RFC4086] provides guidance on the generation of random values. 4062 D.2. Certificates and Authentication 4064 Implementations are responsible for verifying the integrity of 4065 certificates and should generally support certificate revocation 4066 messages. Certificates should always be verified to ensure proper 4067 signing by a trusted Certificate Authority (CA). The selection and 4068 addition of trusted CAs should be done very carefully. Users should 4069 be able to view information about the certificate and root CA. 4071 D.3. Cipher Suites 4073 TLS supports a range of key sizes and security levels, including some 4074 that provide no or minimal security. A proper implementation will 4075 probably not support many cipher suites. For instance, anonymous 4076 Diffie-Hellman is strongly discouraged because it cannot prevent man- 4077 in-the-middle attacks. Applications should also enforce minimum and 4078 maximum key sizes. For example, certificate chains containing 512- 4079 bit RSA keys or signatures are not appropriate for high-security 4080 applications. 4082 D.4. Implementation Pitfalls 4084 Implementation experience has shown that certain parts of earlier TLS 4085 specifications are not easy to understand, and have been a source of 4086 interoperability and security problems. Many of these areas have 4087 been clarified in this document, but this appendix contains a short 4088 list of the most important things that require special attention from 4089 implementors. 4091 TLS protocol issues: 4093 - Do you correctly handle handshake messages that are fragmented to 4094 multiple TLS records (see Section 6.2.1)? Including corner cases 4095 like a ClientHello that is split to several small fragments? Do 4096 you fragment handshake messages that exceed the maximum fragment 4097 size? In particular, the certificate and certificate request 4098 handshake messages can be large enough to require fragmentation. 4100 - Do you ignore the TLS record layer version number in all TLS 4101 records before ServerHello (see Appendix E.1)? 4103 - Do you handle TLS extensions in ClientHello correctly, including 4104 omitting the extensions field completely? 4106 - Do you support renegotiation, both client and server initiated? 4107 While renegotiation is an optional feature, supporting it is 4108 highly recommended. 4110 - When the server has requested a client certificate, but no 4111 suitable certificate is available, do you correctly send an empty 4112 Certificate message, instead of omitting the whole message (see 4113 Section 7.4.6)? 4115 Cryptographic details: 4117 - In the RSA-encrypted Premaster Secret, do you correctly send and 4118 verify the version number? When an error is encountered, do you 4119 continue the handshake to avoid the Bleichenbacher attack (see 4120 Section 7.4.7.1)? 4122 - What countermeasures do you use to prevent timing attacks against 4123 RSA decryption and signing operations (see Section 7.4.7.1)? 4125 - When verifying RSA signatures, do you accept both NULL and missing 4126 parameters (see Section 4.7)? Do you verify that the RSA padding 4127 doesn't have additional data after the hash value? [FI06] 4129 - When using Diffie-Hellman key exchange, do you correctly strip 4130 leading zero bytes from the negotiated key (see Section 8.1.2)? 4132 - Does your TLS client check that the Diffie-Hellman parameters sent 4133 by the server are acceptable (see Appendix F.1.1.3)? 4135 - How do you generate unpredictable IVs for CBC mode ciphers (see 4136 Section 6.2.3.2)? 4138 - Do you accept long CBC mode padding (up to 255 bytes; see 4139 Section 6.2.3.2? 4141 - How do you address CBC mode timing attacks (Section 6.2.3.2)? 4143 - Do you use a strong and, most importantly, properly seeded random 4144 number generator (see Appendix D.1) for generating the premaster 4145 secret (for RSA key exchange), Diffie-Hellman private values, the 4146 DSA "k" parameter, and other security-critical values? 4148 Appendix E. Backward Compatibility 4150 E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 4152 Since there are various versions of TLS (1.0, 1.1, 1.2, and any 4153 future versions) and SSL (2.0 and 3.0), means are needed to negotiate 4154 the specific protocol version to use. The TLS protocol provides a 4155 built-in mechanism for version negotiation so as not to bother other 4156 protocol components with the complexities of version selection. 4158 TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use 4159 compatible ClientHello messages; thus, supporting all of them is 4160 relatively easy. Similarly, servers can easily handle clients trying 4161 to use future versions of TLS as long as the ClientHello format 4162 remains compatible, and the client supports the highest protocol 4163 version available in the server. 4165 A TLS 1.2 client who wishes to negotiate with such older servers will 4166 send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in 4167 ClientHello.client_version. If the server does not support this 4168 version, it will respond with a ServerHello containing an older 4169 version number. If the client agrees to use this version, the 4170 negotiation will proceed as appropriate for the negotiated protocol. 4172 If the version chosen by the server is not supported by the client 4173 (or not acceptable), the client MUST send a "protocol_version" alert 4174 message and close the connection. 4176 If a TLS server receives a ClientHello containing a version number 4177 greater than the highest version supported by the server, it MUST 4178 reply according to the highest version supported by the server. 4180 A TLS server can also receive a ClientHello containing a version 4181 number smaller than the highest supported version. If the server 4182 wishes to negotiate with old clients, it will proceed as appropriate 4183 for the highest version supported by the server that is not greater 4184 than ClientHello.client_version. For example, if the server supports 4185 TLS 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will 4186 proceed with a TLS 1.0 ServerHello. If server supports (or is 4187 willing to use) only versions greater than client_version, it MUST 4188 send a "protocol_version" alert message and close the connection. 4190 Whenever a client already knows the highest protocol version known to 4191 a server (for example, when resuming a session), it SHOULD initiate 4192 the connection in that native protocol. 4194 Note: some server implementations are known to implement version 4195 negotiation incorrectly. For example, there are buggy TLS 1.0 4196 servers that simply close the connection when the client offers a 4197 version newer than TLS 1.0. Also, it is known that some servers will 4198 refuse the connection if any TLS extensions are included in 4199 ClientHello. Interoperability with such buggy servers is a complex 4200 topic beyond the scope of this document, and may require multiple 4201 connection attempts by the client. 4203 Earlier versions of the TLS specification were not fully clear on 4204 what the record layer version number (TLSPlaintext.version) should 4205 contain when sending ClientHello (i.e., before it is known which 4206 version of the protocol will be employed). Thus, TLS servers 4207 compliant with this specification MUST accept any value {03,XX} as 4208 the record layer version number for ClientHello. 4210 TLS clients that wish to negotiate with older servers MAY send any 4211 value {03,XX} as the record layer version number. Typical values 4212 would be {03,00}, the lowest version number supported by the client, 4213 and the value of ClientHello.client_version. No single value will 4214 guarantee interoperability with all old servers, but this is a 4215 complex topic beyond the scope of this document. 4217 E.2. Compatibility with SSL 2.0 4219 TLS 1.2 clients that wish to support SSL 2.0 servers MUST send 4220 version 2.0 CLIENT-HELLO messages defined in [SSL2]. The message 4221 MUST contain the same version number as would be used for ordinary 4222 ClientHello, and MUST encode the supported TLS cipher suites in the 4223 CIPHER-SPECS-DATA field as described below. 4225 Warning: The ability to send version 2.0 CLIENT-HELLO messages will 4226 be phased out with all due haste, since the newer ClientHello format 4227 provides better mechanisms for moving to newer versions and 4228 negotiating extensions. TLS 1.2 clients SHOULD NOT support SSL 2.0. 4230 However, even TLS servers that do not support SSL 2.0 MAY accept 4231 version 2.0 CLIENT-HELLO messages. The message is presented below in 4232 sufficient detail for TLS server implementors; the true definition is 4233 still assumed to be [SSL2]. 4235 For negotiation purposes, 2.0 CLIENT-HELLO is interpreted the same 4236 way as a ClientHello with a "null" compression method and no 4237 extensions. Note that this message MUST be sent directly on the 4238 wire, not wrapped as a TLS record. For the purposes of calculating 4239 Finished and CertificateVerify, the msg_length field is not 4240 considered to be a part of the handshake message. 4242 uint8 V2CipherSpec[3]; 4243 struct { 4244 uint16 msg_length; 4245 uint8 msg_type; 4246 Version version; 4247 uint16 cipher_spec_length; 4248 uint16 session_id_length; 4249 uint16 challenge_length; 4250 V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length]; 4251 opaque session_id[V2ClientHello.session_id_length]; 4252 opaque challenge[V2ClientHello.challenge_length; 4253 } V2ClientHello; 4255 msg_length 4256 The highest bit MUST be 1; the remaining bits contain the length 4257 of the following data in bytes. 4259 msg_type 4260 This field, in conjunction with the version field, identifies a 4261 version 2 ClientHello message. The value MUST be 1. 4263 version 4264 Equal to ClientHello.client_version. 4266 cipher_spec_length 4267 This field is the total length of the field cipher_specs. It 4268 cannot be zero and MUST be a multiple of the V2CipherSpec length 4269 (3). 4271 session_id_length 4272 This field MUST have a value of zero for a client that claims to 4273 support TLS 1.2. 4275 challenge_length 4276 The length in bytes of the client's challenge to the server to 4277 authenticate itself. Historically, permissible values are between 4278 16 and 32 bytes inclusive. When using the SSLv2 backward- 4279 compatible handshake the client SHOULD use a 32-byte challenge. 4281 cipher_specs 4282 This is a list of all CipherSpecs the client is willing and able 4283 to use. In addition to the 2.0 cipher specs defined in [SSL2], 4284 this includes the TLS cipher suites normally sent in 4285 ClientHello.cipher_suites, with each cipher suite prefixed by a 4286 zero byte. For example, the TLS cipher suite {0x00,0x0A} would be 4287 sent as {0x00,0x00,0x0A}. 4289 session_id 4290 This field MUST be empty. 4292 challenge 4293 Corresponds to ClientHello.random. If the challenge length is 4294 less than 32, the TLS server will pad the data with leading (note: 4295 not trailing) zero bytes to make it 32 bytes long. 4297 Note: Requests to resume a TLS session MUST use a TLS client hello. 4299 E.3. Avoiding Man-in-the-Middle Version Rollback 4301 When TLS clients fall back to Version 2.0 compatibility mode, they 4302 MUST use special PKCS#1 block formatting. This is done so that TLS 4303 servers will reject Version 2.0 sessions with TLS-capable clients. 4305 When a client negotiates SSL 2.0 but also supports TLS, it MUST set 4306 the right-hand (least-significant) 8 random bytes of the PKCS padding 4307 (not including the terminal null of the padding) for the RSA 4308 encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY 4309 to 0x03 (the other padding bytes are random). 4311 When a TLS-capable server negotiates SSL 2.0 it SHOULD, after 4312 decrypting the ENCRYPTED-KEY-DATA field, check that these 8 padding 4313 bytes are 0x03. If they are not, the server SHOULD generate a random 4314 value for SECRET-KEY-DATA, and continue the handshake (which will 4315 eventually fail since the keys will not match). Note that reporting 4316 the error situation to the client could make the server vulnerable to 4317 attacks described in [BLEI]. 4319 Appendix F. Security Analysis 4321 The TLS protocol is designed to establish a secure connection between 4322 a client and a server communicating over an insecure channel. This 4323 document makes several traditional assumptions, including that 4324 attackers have substantial computational resources and cannot obtain 4325 secret information from sources outside the protocol. Attackers are 4326 assumed to have the ability to capture, modify, delete, replay, and 4327 otherwise tamper with messages sent over the communication channel. 4328 This appendix outlines how TLS has been designed to resist a variety 4329 of attacks. 4331 F.1. Handshake Protocol 4333 The handshake protocol is responsible for selecting a cipher spec and 4334 generating a master secret, which together comprise the primary 4335 cryptographic parameters associated with a secure session. The 4336 handshake protocol can also optionally authenticate parties who have 4337 certificates signed by a trusted certificate authority. 4339 F.1.1. Authentication and Key Exchange 4341 TLS supports three authentication modes: authentication of both 4342 parties, server authentication with an unauthenticated client, and 4343 total anonymity. Whenever the server is authenticated, the channel 4344 is secure against man-in-the-middle attacks, but completely anonymous 4345 sessions are inherently vulnerable to such attacks. Anonymous 4346 servers cannot authenticate clients. If the server is authenticated, 4347 its certificate message must provide a valid certificate chain 4348 leading to an acceptable certificate authority. Similarly, 4349 authenticated clients must supply an acceptable certificate to the 4350 server. Each party is responsible for verifying that the other's 4351 certificate is valid and has not expired or been revoked. 4353 The general goal of the key exchange process is to create a 4354 pre_master_secret known to the communicating parties and not to 4355 attackers. The pre_master_secret will be used to generate the 4356 master_secret (see Section 8.1). The master_secret is required to 4357 generate the Finished messages, encryption keys, and MAC keys (see 4358 Section 7.4.9 and Section 6.3). By sending a correct Finished 4359 message, parties thus prove that they know the correct 4360 pre_master_secret. 4362 F.1.1.1. Anonymous Key Exchange 4364 Completely anonymous sessions can be established using Diffie-Hellman 4365 for key exchange. The server's public parameters are contained in 4366 the server key exchange message, and the client's are sent in the 4367 client key exchange message. Eavesdroppers who do not know the 4368 private values should not be able to find the Diffie-Hellman result 4369 (i.e., the pre_master_secret). 4371 Warning: Completely anonymous connections only provide protection 4372 against passive eavesdropping. Unless an independent tamper-proof 4373 channel is used to verify that the Finished messages were not 4374 replaced by an attacker, server authentication is required in 4375 environments where active man-in-the-middle attacks are a concern. 4377 F.1.1.2. RSA Key Exchange and Authentication 4379 With RSA, key exchange and server authentication are combined. The 4380 public key is contained in the server's certificate. Note that 4381 compromise of the server's static RSA key results in a loss of 4382 confidentiality for all sessions protected under that static key. 4383 TLS users desiring Perfect Forward Secrecy should use DHE cipher 4384 suites. The damage done by exposure of a private key can be limited 4385 by changing one's private key (and certificate) frequently. 4387 After verifying the server's certificate, the client encrypts a 4388 pre_master_secret with the server's public key. By successfully 4389 decoding the pre_master_secret and producing a correct Finished 4390 message, the server demonstrates that it knows the private key 4391 corresponding to the server certificate. 4393 When RSA is used for key exchange, clients are authenticated using 4394 the certificate verify message (see Section 7.4.8). The client signs 4395 a value derived from all preceding handshake messages. These 4396 handshake messages include the server certificate, which binds the 4397 signature to the server, and ServerHello.random, which binds the 4398 signature to the current handshake process. 4400 F.1.1.3. Diffie-Hellman Key Exchange with Authentication 4402 When Diffie-Hellman key exchange is used, the server can either 4403 supply a certificate containing fixed Diffie-Hellman parameters or 4404 use the server key exchange message to send a set of temporary 4405 Diffie-Hellman parameters signed with a DSA or RSA certificate. 4406 Temporary parameters are hashed with the hello.random values before 4407 signing to ensure that attackers do not replay old parameters. In 4408 either case, the client can verify the certificate or signature to 4409 ensure that the parameters belong to the server. 4411 If the client has a certificate containing fixed Diffie-Hellman 4412 parameters, its certificate contains the information required to 4413 complete the key exchange. Note that in this case the client and 4414 server will generate the same Diffie-Hellman result (i.e., 4415 pre_master_secret) every time they communicate. To prevent the 4416 pre_master_secret from staying in memory any longer than necessary, 4417 it should be converted into the master_secret as soon as possible. 4418 Client Diffie-Hellman parameters must be compatible with those 4419 supplied by the server for the key exchange to work. 4421 If the client has a standard DSA or RSA certificate or is 4422 unauthenticated, it sends a set of temporary parameters to the server 4423 in the client key exchange message, then optionally uses a 4424 certificate verify message to authenticate itself. 4426 If the same DH keypair is to be used for multiple handshakes, either 4427 because the client or server has a certificate containing a fixed DH 4428 keypair or because the server is reusing DH keys, care must be taken 4429 to prevent small subgroup attacks. Implementations SHOULD follow the 4430 guidelines found in [RFC2785]. 4432 Small subgroup attacks are most easily avoided by using one of the 4433 DHE cipher suites and generating a fresh DH private key (X) for each 4434 handshake. If a suitable base (such as 2) is chosen, g^X mod p can 4435 be computed very quickly; therefore, the performance cost is 4436 minimized. Additionally, using a fresh key for each handshake 4437 provides Perfect Forward Secrecy. Implementations SHOULD generate a 4438 new X for each handshake when using DHE cipher suites. 4440 Because TLS allows the server to provide arbitrary DH groups, the 4441 client should verify that the DH group is of suitable size as defined 4442 by local policy. The client SHOULD also verify that the DH public 4443 exponent appears to be of adequate size. [RFC3766] provides a useful 4444 guide to the strength of various group sizes. The server MAY choose 4445 to assist the client by providing a known group, such as those 4446 defined in [RFC4307] or [RFC3526]. These can be verified by simple 4447 comparison. 4449 F.1.2. Version Rollback Attacks 4451 Because TLS includes substantial improvements over SSL Version 2.0, 4452 attackers may try to make TLS-capable clients and servers fall back 4453 to Version 2.0. This attack can occur if (and only if) two TLS- 4454 capable parties use an SSL 2.0 handshake. 4456 Although the solution using non-random PKCS #1 block type 2 message 4457 padding is inelegant, it provides a reasonably secure way for Version 4458 3.0 servers to detect the attack. This solution is not secure 4459 against attackers who can brute-force the key and substitute a new 4460 ENCRYPTED-KEY-DATA message containing the same key (but with normal 4461 padding) before the application-specified wait threshold has expired. 4462 Altering the padding of the least-significant 8 bytes of the PKCS 4463 padding does not impact security for the size of the signed hashes 4464 and RSA key lengths used in the protocol, since this is essentially 4465 equivalent to increasing the input block size by 8 bytes. 4467 F.1.3. Detecting Attacks Against the Handshake Protocol 4469 An attacker might try to influence the handshake exchange to make the 4470 parties select different encryption algorithms than they would 4471 normally choose. 4473 For this attack, an attacker must actively change one or more 4474 handshake messages. If this occurs, the client and server will 4475 compute different values for the handshake message hashes. As a 4476 result, the parties will not accept each others' Finished messages. 4477 Without the master_secret, the attacker cannot repair the Finished 4478 messages, so the attack will be discovered. 4480 F.1.4. Resuming Sessions 4482 When a connection is established by resuming a session, new 4483 ClientHello.random and ServerHello.random values are hashed with the 4484 session's master_secret. Provided that the master_secret has not 4485 been compromised and that the secure hash operations used to produce 4486 the encryption keys and MAC keys are secure, the connection should be 4487 secure and effectively independent from previous connections. 4488 Attackers cannot use known encryption keys or MAC secrets to 4489 compromise the master_secret without breaking the secure hash 4490 operations. 4492 Sessions cannot be resumed unless both the client and server agree. 4493 If either party suspects that the session may have been compromised, 4494 or that certificates may have expired or been revoked, it should 4495 force a full handshake. An upper limit of 24 hours is suggested for 4496 session ID lifetimes, since an attacker who obtains a master_secret 4497 may be able to impersonate the compromised party until the 4498 corresponding session ID is retired. Applications that may be run in 4499 relatively insecure environments should not write session IDs to 4500 stable storage. 4502 F.2. Protecting Application Data 4504 The master_secret is hashed with the ClientHello.random and 4505 ServerHello.random to produce unique data encryption keys and MAC 4506 secrets for each connection. 4508 Outgoing data is protected with a MAC before transmission. To 4509 prevent message replay or modification attacks, the MAC is computed 4510 from the MAC key, the sequence number, the message length, the 4511 message contents, and two fixed character strings. The message type 4512 field is necessary to ensure that messages intended for one TLS 4513 record layer client are not redirected to another. The sequence 4514 number ensures that attempts to delete or reorder messages will be 4515 detected. Since sequence numbers are 64 bits long, they should never 4516 overflow. Messages from one party cannot be inserted into the 4517 other's output, since they use independent MAC keys. Similarly, the 4518 server write and client write keys are independent, so stream cipher 4519 keys are used only once. 4521 If an attacker does break an encryption key, all messages encrypted 4522 with it can be read. Similarly, compromise of a MAC key can make 4523 message-modification attacks possible. Because MACs are also 4524 encrypted, message-alteration attacks generally require breaking the 4525 encryption algorithm as well as the MAC. 4527 Note: MAC keys may be larger than encryption keys, so messages can 4528 remain tamper resistant even if encryption keys are broken. 4530 F.3. Explicit IVs 4532 [CBCATT] describes a chosen plaintext attack on TLS that depends on 4533 knowing the IV for a record. Previous versions of TLS [RFC2246] used 4534 the CBC residue of the previous record as the IV and therefore 4535 enabled this attack. This version uses an explicit IV in order to 4536 protect against this attack. 4538 F.4. Security of Composite Cipher Modes 4540 TLS secures transmitted application data via the use of symmetric 4541 encryption and authentication functions defined in the negotiated 4542 cipher suite. The objective is to protect both the integrity and 4543 confidentiality of the transmitted data from malicious actions by 4544 active attackers in the network. It turns out that the order in 4545 which encryption and authentication functions are applied to the data 4546 plays an important role for achieving this goal [ENCAUTH]. 4548 The most robust method, called encrypt-then-authenticate, first 4549 applies encryption to the data and then applies a MAC to the 4550 ciphertext. This method ensures that the integrity and 4551 confidentiality goals are obtained with ANY pair of encryption and 4552 MAC functions, provided that the former is secure against chosen 4553 plaintext attacks and that the MAC is secure against chosen-message 4554 attacks. TLS uses another method, called authenticate-then-encrypt, 4555 in which first a MAC is computed on the plaintext and then the 4556 concatenation of plaintext and MAC is encrypted. This method has 4557 been proven secure for CERTAIN combinations of encryption functions 4558 and MAC functions, but it is not guaranteed to be secure in general. 4559 In particular, it has been shown that there exist perfectly secure 4560 encryption functions (secure even in the information-theoretic sense) 4561 that combined with any secure MAC function, fail to provide the 4562 confidentiality goal against an active attack. Therefore, new cipher 4563 suites and operation modes adopted into TLS need to be analyzed under 4564 the authenticate-then-encrypt method to verify that they achieve the 4565 stated integrity and confidentiality goals. 4567 Currently, the security of the authenticate-then-encrypt method has 4568 been proven for some important cases. One is the case of stream 4569 ciphers in which a computationally unpredictable pad of the length of 4570 the message, plus the length of the MAC tag, is produced using a 4571 pseudorandom generator and this pad is exclusive-ORed with the 4572 concatenation of plaintext and MAC tag. The other is the case of CBC 4573 mode using a secure block cipher. In this case, security can be 4574 shown if one applies one CBC encryption pass to the concatenation of 4575 plaintext and MAC and uses a new, independent, and unpredictable IV 4576 for each new pair of plaintext and MAC. In versions of TLS prior to 4577 1.1, CBC mode was used properly EXCEPT that it used a predictable IV 4578 in the form of the last block of the previous ciphertext. This made 4579 TLS open to chosen plaintext attacks. This version of the protocol 4580 is immune to those attacks. For exact details in the encryption 4581 modes proven secure, see [ENCAUTH]. 4583 F.5. Denial of Service 4585 TLS is susceptible to a number of denial-of-service (DoS) attacks. 4586 In particular, an attacker who initiates a large number of TCP 4587 connections can cause a server to consume large amounts of CPU for 4588 doing RSA decryption. However, because TLS is generally used over 4589 TCP, it is difficult for the attacker to hide his point of origin if 4590 proper TCP SYN randomization is used [RFC1948] by the TCP stack. 4592 Because TLS runs over TCP, it is also susceptible to a number of DoS 4593 attacks on individual connections. In particular, attackers can 4594 forge RSTs, thereby terminating connections, or forge partial TLS 4595 records, thereby causing the connection to stall. These attacks 4596 cannot in general be defended against by a TCP-using protocol. 4597 Implementors or users who are concerned with this class of attack 4598 should use IPsec AH [RFC4302] or ESP [RFC4303]. 4600 F.6. Final Notes 4602 For TLS to be able to provide a secure connection, both the client 4603 and server systems, keys, and applications must be secure. In 4604 addition, the implementation must be free of security errors. 4606 The system is only as strong as the weakest key exchange and 4607 authentication algorithm supported, and only trustworthy 4608 cryptographic functions should be used. Short public keys and 4609 anonymous servers should be used with great caution. Implementations 4610 and users must be careful when deciding which certificates and 4611 certificate authorities are acceptable; a dishonest certificate 4612 authority can do tremendous damage. 4614 Appendix G. Working Group Information 4616 The discussion list for the IETF TLS working group is located at the 4617 e-mail address tls@ietf.org [1]. Information on the group and 4618 information on how to subscribe to the list is at 4619 https://www1.ietf.org/mailman/listinfo/tls 4621 Archives of the list can be found at: 4622 http://www.ietf.org/mail-archive/web/tls/current/index.html 4624 Appendix H. Contributors 4626 Christopher Allen (co-editor of TLS 1.0) 4627 Alacrity Ventures 4628 ChristopherA@AlacrityManagement.com 4630 Martin Abadi 4631 University of California, Santa Cruz 4632 abadi@cs.ucsc.edu 4634 Steven M. Bellovin 4635 Columbia University 4636 smb@cs.columbia.edu 4638 Simon Blake-Wilson 4639 BCI 4640 sblakewilson@bcisse.com 4641 Ran Canetti 4642 IBM 4643 canetti@watson.ibm.com 4645 Pete Chown 4646 Skygate Technology Ltd 4647 pc@skygate.co.uk 4649 Taher Elgamal 4650 taher@securify.com 4651 Securify 4653 Pasi Eronen 4654 pasi.eronen@nokia.com 4655 Nokia 4657 Anil Gangolli 4658 anil@busybuddha.org 4660 Kipp Hickman 4662 Alfred Hoenes 4664 David Hopwood 4665 Independent Consultant 4666 david.hopwood@blueyonder.co.uk 4668 Phil Karlton (co-author of SSLv3) 4670 Paul Kocher (co-author of SSLv3) 4671 Cryptography Research 4672 paul@cryptography.com 4674 Hugo Krawczyk 4675 IBM 4676 hugo@ee.technion.ac.il 4678 Jan Mikkelsen 4679 Transactionware 4680 janm@transactionware.com 4682 Magnus Nystrom 4683 RSA Security 4684 magnus@rsasecurity.com 4686 Robert Relyea 4687 Netscape Communications 4688 relyea@netscape.com 4689 Jim Roskind 4690 Netscape Communications 4691 jar@netscape.com 4693 Michael Sabin 4695 Dan Simon 4696 Microsoft, Inc. 4697 dansimon@microsoft.com 4699 Tom Weinstein 4701 Tim Wright 4702 Vodafone 4703 timothy.wright@vodafone.com 4705 Authors' Addresses 4707 Tim Dierks 4708 Independent 4710 EMail: tim@dierks.org 4712 Eric Rescorla 4713 RTFM, Inc. 4715 EMail: ekr@rtfm.com