Transport Layer Security

Transport Layer Security (TLS) Protocol and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP). TLS and SSL encrypt the datagrams of the Transport Layer protocols in use for an end-to-end connection across the network. TLS is an IETF standards track protocol, last updated in RFC 5246, that was based on the earlier SSL specifications developed by Netscape Corporation.[1]

The TCP/IP model (RFC 1122)
Application Layer
BGP · DHCP · DNS · FTP · Gopher · GTP · HTTP · IMAP · IRC · NNTP · NTP · POP · RIP · RPC · RTCP · RTP · RTSP · SDP · SIP · SMTP · SNMP · SOAP · SSH · STUN · Telnet · TIME · TLS/SSL · XMPP · (more)
Transport Layer
TCP · UDP · DCCP · SCTP · RSVP · ECN · (more)
Internet Layer
IP (IPv4, IPv6) · ICMP · ICMPv6 · IGMP · IPsec · (more)
Link Layer
ARP · RARP · NDP · OSPF · Tunnels (L2TP)  · Media Access Control (Ethernet, DSL, ISDN, FDDI)  · Device Drivers · (more)

Contents

Description

The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom it is communicating. The next level of security — in which both ends of the "conversation" are sure with whom they are communicating — is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients unless TLS-PSK or the Secure Remote Password (SRP) protocol are used, which provide strong mutual authentication without needing to deploy a PKI.

TLS involves three basic phases:

  1. Peer negotiation for algorithm support
  2. Key exchange and authentication
  3. Symmetric cipher encryption and message authentication

During the first phase, the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, as well as the message authentication codes (MACs). The key exchange and authentication algorithms are typically public key algorithms, or as in TLS-PSK preshared keys could be used. The message authentication codes are made up from cryptographic hash functions using the HMAC construction for TLS, and a non-standard pseudorandom function for SSL.

Typical algorithms are:

History and development

Early research efforts toward transport layer security included the Secure Network Programming (SNP) API, which in 1993 explored the approach of having a secure transport layer API closely resembling sockets, to facilitate retrofitting preexisting network applications with security measures. [2] The SNP project received the 2004 ACM Software System Award. [3]

The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in 1994 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996 (Rescorla 2001). This later served as the basis for TLS version 1.0, an Internet Engineering Task Force (IETF) standard protocol first defined in RFC 2246 in January 1999. Visa, MasterCard, American Express and many leading financial institutions have endorsed SSL for commerce over the Internet.

SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between peers.

Applications

TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. SMTP is also an area in which TLS has been growing and is specified in RFC 3207. These applications use public key certificates to verify the identity of endpoints.

An increasing number of client and server products support TLS natively, but many still lack support. As an alternative, users may wish to use standalone TLS products like Stunnel. Wrappers such as Stunnel rely on being able to obtain a TLS connection immediately, by simply connecting to a separate port reserved for the purpose. For example, by default the TCP port for HTTPS is 443, to distinguish it from HTTP on port 80.

TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendors now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of the browser to enable support for client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.

TLS is also increasingly being used as the standard method for protecting SIP application signaling. TLS can be used to provide authentication and encryption of the SIP signalling associated with VoIP and other SIP-based applications.

Security

TLS/SSL have a variety of security measures:

SSL v2 is flawed in a variety of ways:

SSL v2 is disabled by default in Internet Explorer 7,[4] Mozilla Firefox 2 and Mozilla Firefox 3,[5] and Safari. After it sends a TLS ClientHello, if Mozilla Firefox finds that the server is unable to complete the handshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 ClientHello in SSL v2 format to maximize the likelihood of successfully handshaking with older servers.[6] Support for SSL v2 (and weak 40-bit and 56-bit ciphers) has been removed completely from Opera as of version 9.5.[7]

How it works

[8]A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.

The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails, and the connection is not created.

TLS handshake in detail

The TLS protocol exchanges records, which encapsulate the data to be exchanged. Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that specifies the record, a length field, and a TLS version field.

When the connection starts, the record encapsulates another protocol - the handshake messaging protocol - which has content type 22.

Simple TLS handshake

A simple connection example, illustrating a full handshake, follows:

Client-authenticated TLS handshake

The following example shows a client being authenticated via TLS using certificates.

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations. In an ordinary full handshake, the Server sends a session id as part of the ServerHello message. The Client associates this session id with the Server's IP address and TCP port, so that when the Client connects again to that Server, it can use the session id to shortcut the handshake. In the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually guarantee that the generated connection keys will be different than in the previous connection. In the RFCs, this type of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.

TLS record protocol

+ Bits 0–7 8-15 16-23 24–31
0 Content Type Version (MSB) Version (LSB) Length (MSB)
32 Length (LSB) Protocol Message(s)
... Protocol Message (cont.)
... MAC (optional)
... Padding (block ciphers only)
Content Type
This field identifies the Record Layer Protocol Type contained in this Record.
Content Types
Hex Dec Type
0x14 20 ChangeCipherSpec
0x15 21 Alert
0x16 22 Handshake
0x17 23 Application
Version
This field identifies the major and minor version of TLS for the contained message. For a ClientHello message, this need not be the highest version supported by the client.
Versions
Major Version Minor Version Version Type
3 0 SSLv3
3 1 TLS 1.0
3 2 TLS 1.1
3 3 TLS 1.2
Length
The length of Protocol message(s), not to exceed 214 bytes (16 KiB).
Protocol message(s)
One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
MAC
A message authentication code computed over the Protocol message, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.

ChangeCipherSpec protocol

+ Bits 0–7 8-15 16-23 24–31
0 20 Version (MSB) Version (LSB) 0
32 1 1 (CCS protocol type)

Alert protocol

+ Bits 0–7 8-15 16-23 24–31
0 21 Version (MSB) Version (LSB) 0
32 2 Level Description
Level
This field identifies the level of alert.
Level Types
Code Description
1 Warning - connection or security may be unstable
2 Fatal - connection or security may be compromised, or an unrecoverable error has occurred
Description
This field identifies which type of alert is being sent.
Description Types
Code Description
0 Close notify (warning or fatal)
10 Unexpected message (fatal)
20 Bad record MAC (fatal)
21 Decryption failed (fatal, TLS only)
22 Record overflow (fatal, TLS only)
30 Decompression failure (fatal)
40 Handshake failure (fatal)
41 No certificate (SSL v3 only) (warning or fatal)
42 Bad certificate (warning or fatal)
43 Unsupported certificate (warning or fatal)
44 Certificate revoked (warning or fatal)
45 Certificate expired (warning or fatal)
46 Certificate unknown (warning or fatal)
47 Illegal parameter (fatal)
48 Unknown CA (fatal, TLS only)
49 Access denied (fatal, TLS only)
50 Decode error (fatal, TLS only)
51 Decrypt error (TLS only) (warning or fatal)
60 Export restriction (fatal, TLS only)
70 Protocol version (fatal, TLS only)
71 Insufficient security (fatal, TLS only)
80 Internal error (fatal, TLS only)
90 User cancelled (fatal, TLS only)
100 No renegotiation (warning, TLS only)

Handshake protocol

+ Bits 0–7 8-15 16-23 24–31
0 22 Version (MSB) Version (LSB) Length (MSB)
32 Length (LSB) Message type Message length
64 Message length (cont.) Handshake message
... Handshake message Message type Message length
... Message length (cont.) Handshake message
Message type
This field identifies the Handshake message type.
Message Types
Code Description
0 HelloRequest
1 ClientHello
2 ServerHello
11 Certificate
12 ServerKeyExchange
13 CertificateRequest
14 ServerHelloDone
15 CertificateVerify
16 ClientKeyExchange
20 Finished
Message length
This is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple Handshake messages may be combined within one record.

Application protocol

+ Bits 0–7 8-15 16-23 24–31
0 23 Version (MSB) Version (LSB) Length (MSB)
32 Length (LSB) Application data
64 Application data (cont.)
... MAC (20B for SHA-1, 16B for MD5)
... Variable length padding (block ciphers only) Padding length, (block ciphers only)(1B)

Support for name-based virtual servers

From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the application protocol can start. The name-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.

There are two known workarounds provided by X.509:

In order to provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a Server Name Indication extension (SNI) in the extended ClientHello message. This extension hints the server immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to the client.

Government-imposed protocol limitations

Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the export of cryptographic technology. A similar limitation applied to Lotus Notes in export versions. After several years of public controversy, a series of lawsuits, and eventual US government recognition of cryptographic products with longer key sizes produced outside the US, the authorities relaxed some aspects of the export restrictions.

Implementations

SSL and TLS have been widely implemented in several open source software projects. Programmers may use the OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Microsoft Windows includes an implementation of SSL and TLS as part of its Secure Channel package. Delphi programmers may use a library called Indy.

Standards

The current approved version is 1.2, which is specified in:

The current standard obsoletes these former versions:

Other RFCs subsequently extended TLS, including:

See also

Software

References and footnotes

  1. The SSL Protocol: Version 3.0 Netscape's final SSL 3.0 draft (November 18, 1996)
  2. Woo, Thomas Y. C. and Bindignavle, Raghuram and Su, Shaowen and Lam, Simon S. 1994. SNP: An interface for secure network programming In Usenix Summer Technical Conference
  3. Association for Computing Machinery, "ACM: Press Release, March 15, 2005", campus.acm.org, accessed December 26, 2007. (English version).
  4. Lawrence, Eric (2005-10-22). "IEBlog : Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2". MSDN Blogs. Retrieved on 2007-11-25.
  5. "Bugzilla@Mozilla - Bug 236933 - Disable SSL2 and other weak ciphers". Mozilla Corporation. Retrieved on 2007-11-25.
  6. "Firefox still sends SSLv2 handshake even though the protocol is disabled" (2008-09-11).
  7. Pettersen, Yngve (2007-04-30). "10 years of SSL in Opera - Implementer's notes". Opera Software. Retrieved on 2007-11-25.
  8. "SSL/TLS in Detail". Microsoft TechNet. Updated July 31, 2003.
  9. 9.0 9.1 These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP based certificates.
  10. Named-based SSL virtual hosts: how to tackle the problem, SWITCH.

Further reading

External links

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.