Kalyan Parajuli

Infosec MS Student @ Carnegie Mellon University

© 2022

On TLSv1.2 Handshake

TLS is the secure alternative to, and descendant of, SSL, which was developed by Netscape to secure internet connections. SSLv1.0 was extremely flawed and never released; later versions, however, were widely adopted. In late 2014, Google discovered a major flaw in SSLv3.0, which led to the development of TLS. Although envisioned as an SSL upgrade, TLSv1.0 was significantly different from SSL but had the option to fall back on SSLv3.0.

TLSv1.2

  • Higher performance and improved reliability
  • Added increased authentication, TLS extensions and AES cipher suites
    • Replaced the MD5/SHA-1 combination in the digitally signed element with a single hash
    • Improved the ability to designate the hash and signature algorithm
  • TLS v1.1 support ended in 2020

TLS Handshaking protocol

TLS has three subprotocols that are used to allow peers to agree upon security parameters for the record layer, to authenticate themselves, to instantiate negotiated security parameters, and to report error conditions to each other. The handshake protocol is responsible for negotiating a session consisting of the following:

  1. Session Identifier: Arbitrary byte sequence identifying an active or resumable session state
  2. Peer Certificate: X.509v3 certificate of the peer; may be null
  3. Compression Method: Algorithm used for compression prior to encryption
  4. Cipher Spec: Pseudorandom function used to generate keying material, together with:
    1. Bulk data encryption algorithm, such as null, AES, etc.
    2. MAC algorithm, such as HMAC-SHA1, etc.
    3. Cryptographic attributes, such as mac_length
  5. Master Secret: 48-byte (352-bit) secret shared between client and server
  6. is_resumable flag: Flag indicating whether the session can be used to initiate new connections

TLS Handshake Elements and Flow

  1. Hello message: Exchange hello messages to agree on algorithms, exchange random values, and check for session resumption
  2. Parameters Exchange and Premaster Secret Agreement: Exchange the necessary cryptographic parameters to allow the client and server to agree on a premaster secret
  3. Certificate and Crypto Information: Exchange certificates and cryptographic information to allow the client and server to authenticate themselves.
  4. Master Secret: Generate a master secret from the premaster secret and exchanged random values.
  5. Record Layer Security: Provide security parameters to the record layer.
  6. Verification of parameters: Allow the client and server to verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker.

 Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

Message flow for a full handshake. (*) Indicates optional or situation-dependent messages that are not always sent.
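Steps 4 to 6 of the flow above (master secret, record-layer keys, and the verification carried in the Finished messages) are all built on the TLS 1.2 PRF. The following is an added example, not code from the original post: it implements P_SHA256 and the three derivations as RFC 5246 specifies them, on constructed inputs. The key sizes (32-byte MAC key, 16-byte AES key, 16-byte IV) are an assumption standing in for one CBC cipher suite; the premaster secret, randoms and handshake transcript are constructed sample values, not a real capture.

```python
import hashlib
import hmac

# Record-layer key sizes depend on the negotiated cipher suite. These values
# are an assumption for illustration: a CBC suite with HMAC-SHA256 (32-byte
# MAC key), AES-128 (16-byte key) and a 16-byte IV.
MAC_LEN, KEY_LEN, IV_LEN = 32, 16, 16


def p_hash(secret: bytes, seed: bytes, length: int, algo: str = "sha256") -> bytes:
    """P_hash(secret, seed) from RFC 5246 section 5, expanded to `length` bytes.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)); the output is
    HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256-based suites: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 4: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47]; always 48 bytes."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 5: key_block = PRF(master_secret, "key expansion",
    ServerHello.random + ClientHello.random), carved into the record-layer keys
    in the order fixed by RFC 5246 section 6.3. Note that the randoms are
    concatenated in the opposite order from the master-secret derivation."""
    layout = [
        ("client_write_MAC_key", MAC_LEN), ("server_write_MAC_key", MAC_LEN),
        ("client_write_key", KEY_LEN), ("server_write_key", KEY_LEN),
        ("client_write_IV", IV_LEN), ("server_write_IV", IV_LEN),
    ]
    total = sum(size for _, size in layout)
    block = prf(master, b"key expansion", server_random + client_random, total)
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def verify_data(master: bytes, finished_label: bytes, handshake_messages: bytes) -> bytes:
    """Step 6: the Finished message carries
    verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11].
    handshake_messages is the concatenation of every handshake message sent or
    received so far (the server's transcript also includes the client's
    Finished). Because the transcript is bound in, any tampering with an earlier
    message changes this value and the peer's Finished check fails."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master, finished_label, transcript_hash, 12)


def demo() -> dict:
    """Run the derivation on constructed inputs (not real handshake values)."""
    client_random = bytes(range(32))        # constructed ClientHello.random
    server_random = bytes(range(32, 64))    # constructed ServerHello.random
    premaster = b"\x03\x03" + b"\x42" * 46  # constructed RSA-style premaster: version || 46 bytes
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    ms = master_secret(premaster, client_random, server_random)
    return {
        "master_secret": ms,
        "keys": key_block(ms, client_random, server_random),
        "client_verify_data": verify_data(ms, b"client finished", transcript),
        "server_verify_data": verify_data(ms, b"server finished", transcript + b"|ClientFinished"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        if isinstance(value, dict):
            for key_name, key in value.items():
                print(f"{key_name}: {key.hex()}")
        else:
            print(f"{name}: {value.hex()}")
```

The swapped order of the randoms between the two derivations is a frequent source of interoperability bugs in hand-written implementations; the example keeps both orders explicit rather than hiding them behind a shared helper.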

Hello Messages

| Client Hello | Server Hello |
|-|-|
| client_version: TLS version | server_version: TLS version |
| random: Generated by client | random: Generated by server; different from the client random |
| session_id: ID of a session the client wishes to use | session_id: Echoes the ID sent by the client when resuming a session |
| cipher_suites: Supported by client, listed in order of preference | cipher_suite: Agreed upon from the client's request |
| compression_methods: Supported by client, listed in order of preference | compression_method: Agreed with client |
| extensions: Request for extended functionality from server | extensions: List of extensions |
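To make the table concrete, here is an added example (not code from the original post) that serialises a ClientHello and parses a ServerHello with exactly those fields, then checks the client-side invariants the table implies: the server's "agreed" cipher suite, compression method and extensions must all be values the client actually offered, and its version must not exceed the client's. The cipher suite codes 0xC02F, 0xC030 and 0x002F and extension type 23 (extended_master_secret) are real registry values; the randoms and session IDs are constructed sample data.

```python
import struct

# Handshake message types from RFC 5246 section 7.4; TLS 1.2 is wire version 3.3.
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS12 = (3, 3)

# Real IANA cipher suite codes and extension type, used here as sample offers.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
EXT_EXTENDED_MASTER_SECRET = 23


def _handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type followed by a 3-byte body length."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def _vector(data: bytes, length_bytes: int) -> bytes:
    """TLS variable-length vector: length prefix of the given width, then data."""
    return len(data).to_bytes(length_bytes, "big") + data


def _extensions(extensions) -> bytes:
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return _vector(ext, 2) if extensions else b""


def build_client_hello(offer: dict) -> bytes:
    """Serialise a ClientHello from the fields in the table (lists in preference order)."""
    body = bytes(offer["client_version"]) + offer["random"]
    body += _vector(offer["session_id"], 1)
    body += _vector(b"".join(struct.pack("!H", cs) for cs in offer["cipher_suites"]), 2)
    body += _vector(bytes(offer["compression_methods"]), 1)
    body += _extensions(offer["extensions"])
    return _handshake(CLIENT_HELLO, body)


def build_server_hello(random32: bytes, session_id: bytes, cipher_suite: int,
                       compression_method: int = 0, extensions=()) -> bytes:
    """Serialise a ServerHello: one chosen cipher_suite and compression_method."""
    body = bytes(TLS12) + random32 + _vector(session_id, 1)
    body += struct.pack("!HB", cipher_suite, compression_method)
    return _handshake(SERVER_HELLO, body + _extensions(extensions))


def parse_server_hello(msg: bytes) -> dict:
    """Parse a ServerHello, checking each length field against the bytes present
    so a truncated or padded message is rejected rather than misread."""
    if len(msg) < 4 or msg[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 38:
        raise ValueError("bad handshake length")
    sid_len = body[34]
    off = 35 + sid_len
    if sid_len > 32 or off + 3 > len(body):
        raise ValueError("bad session_id length")
    cipher_suite, compression = struct.unpack_from("!HB", body, off)
    off += 3
    extensions = []
    if off < len(body):
        ext_len, = struct.unpack_from("!H", body, off)
        off += 2
        if off + ext_len != len(body):
            raise ValueError("extensions length mismatch")
        while off < len(body):
            ext_type, data_len = struct.unpack_from("!HH", body, off)
            off += 4
            if off + data_len > len(body):
                raise ValueError("extension overruns message")
            extensions.append((ext_type, body[off:off + data_len]))
            off += data_len
    return {"server_version": (body[0], body[1]), "random": body[2:34],
            "session_id": body[35:35 + sid_len], "cipher_suite": cipher_suite,
            "compression_method": compression, "extensions": extensions}


def check_server_hello(offer: dict, hello: dict) -> list:
    """Client-side checks before trusting a ServerHello: every value the server
    'agreed' must be one the client offered. Returns a list of problems (empty = ok)."""
    problems = []
    if hello["server_version"] > offer["client_version"]:
        problems.append("server_version is higher than client_version")
    if hello["cipher_suite"] not in offer["cipher_suites"]:
        problems.append(f"cipher_suite 0x{hello['cipher_suite']:04X} was not offered")
    if hello["compression_method"] not in offer["compression_methods"]:
        problems.append("compression_method was not offered")
    offered_types = {t for t, _ in offer["extensions"]}
    for ext_type, _ in hello["extensions"]:
        if ext_type not in offered_types:
            problems.append(f"unsolicited extension type {ext_type}")
    return problems


def is_resumption(offer: dict, hello: dict) -> bool:
    """The server echoes the client's non-empty session_id when resuming."""
    return bool(offer["session_id"]) and hello["session_id"] == offer["session_id"]
```

Note that the Finished exchange later re-confirms these hello fields under the master secret; the checks here only stop a client from proceeding with parameters it never proposed, which is the cheapest place to catch a malformed or manipulated ServerHello.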

Closure and Error Alerts

  • Closure Alert: close_notify; either party can initiate it
  • Error Alerts: unexpected_message, bad_record_mac, decryption_failed_RESERVED, record_overflow, decompression_failure, handshake_failure, no_certificate_RESERVED, bad_certificate, unsupported_certificate, certificate_revoked, etc.
