Transport Layer Security (TLS)
- TLS is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL.
- TLS is defined as a Proposed Internet Standard in RFC 5246, which is very similar to SSLv3.
- We highlight the differences.
- One difference is in the version values. For the current version of TLS, the major version is 3 and the minor version is 3.
Message Authentication Code: Transport Layer Security
- There are two differences between the SSLv3 and TLS MAC schemes: the actual algorithm and the scope of the MAC calculation.
- TLS makes use of the HMAC algorithm defined in RFC 2104.
- SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key rather than being XORed with the secret key padded to the block length.
- The level of security should be about the same in both cases.
- For TLS, the MAC calculation encompasses the fields indicated in the following expression:
MAC(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment)
- The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field version, which is the version of the protocol being employed.
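The two MAC schemes side by side, as an added Python example that is not part of the original notes. It assumes SHA-1 as the hash, takes the SSLv3 pad bytes and their count (40 for SHA-1) from the SSLv3 specification (RFC 6101), and uses a constructed key and record.

```python
import hashlib
import hmac
import struct

def tls_mac(mac_write_secret, seq_num, ctype, version, fragment):
    """TLS: HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QB2sH", seq_num, ctype, bytes(version), len(fragment))
    return hmac.new(mac_write_secret, header + fragment, hashlib.sha1).digest()

def sslv3_mac(mac_write_secret, seq_num, ctype, fragment):
    """SSLv3: pads are concatenated with the key and the version is not covered."""
    pad_1, pad_2 = b"\x36" * 40, b"\x5c" * 40  # 40 pad bytes for SHA-1 (RFC 6101)
    header = struct.pack("!QBH", seq_num, ctype, len(fragment))
    inner = hashlib.sha1(mac_write_secret + pad_1 + header + fragment).digest()
    return hashlib.sha1(mac_write_secret + pad_2 + inner).digest()

def verify_tls_record(secret, seq_num, ctype, version, fragment, received_mac):
    """Recompute the MAC on receipt and compare in constant time."""
    expected = tls_mac(secret, seq_num, ctype, version, fragment)
    return hmac.compare_digest(expected, received_mac)

# Constructed sample values (not taken from a real session).
MAC_WRITE_SECRET = bytes(range(20))
FRAGMENT = b"GET / HTTP/1.1\r\n\r\n"
APPLICATION_DATA = 23   # record content type
TLS_1_2 = (3, 3)        # major version 3, minor version 3

if __name__ == "__main__":
    mac = tls_mac(MAC_WRITE_SECRET, 0, APPLICATION_DATA, TLS_1_2, FRAGMENT)
    checks = {
        "accepted as sent": (0, TLS_1_2),
        "same record at sequence number 1": (1, TLS_1_2),
        "version field altered": (0, (3, 1)),
    }
    for name, (seq, ver) in checks.items():
        ok = verify_tls_record(MAC_WRITE_SECRET, seq, APPLICATION_DATA, ver, FRAGMENT, mac)
        print(f"{name}: {ok}")
```

Because the sequence number and version are inside the MAC input, a receiver rejects a record whose position in the stream or version field no longer matches what the sender authenticated.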
Pseudorandom Function: Transport Layer Security
- TLS makes use of a pseudorandom function referred to as PRF to expand secrets into blocks of data for purposes of key generation or validation.
- The objective is to make use of a relatively small shared secret value but to generate longer blocks of data in a way that is secure from the kinds of attacks made on hash functions and MACs.
- The PRF is based on the data expansion function (Figure) given as
P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) || HMAC_hash(secret, A(2) || seed) || HMAC_hash(secret, A(3) || seed) || ...
where A() is defined as
A(0) = seed
A(i) = HMAC_hash(secret, A(i - 1))
- The PRF is defined as
PRF(secret, label, seed) = P_hash(secret, label || seed)
PRF takes as input a secret value, an identifying label, and a seed value and produces an output of arbitrary length.
Alert Codes: Transport Layer Security
- TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate.
- A number of additional codes are defined in TLS; of these, the following are always fatal:
- protocol_version, insufficient_security
- There are several small differences between the cipher suites available under SSLv3 and under TLS:
- Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception of Fortezza.
- Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms found in SSLv3, with the exception of Fortezza.
Client Certificate Types: Transport Layer Security
- TLS defines the following certificate types to be requested in a certificate_request message: rsa_sign, dss_sign, rsa_fixed_dh, and dss_fixed_dh.
- These are all defined in SSLv3. In addition, SSLv3 includes rsa_ephemeral_dh, dss_ephemeral_dh, and fortezza_kea.
- Ephemeral Diffie-Hellman involves signing the Diffie-Hellman parameters with either RSA or DSS.
- For TLS, the rsa_sign and dss_sign types are used for that function; a separate signing type is not needed to sign Diffie-Hellman parameters.
- TLS does not include the Fortezza scheme.
certificate_verify and Finished Messages: Transport Layer Security
- In the TLS certificate_verify message, the MD5 and SHA-1 hashes are calculated only over handshake_messages.
- In SSLv3, the hash calculation also included the master secret and pads.
- These extra fields were felt to add no additional security.
- As with the finished message in SSLv3, the finished message in TLS is a hash based on the shared master_secret, the previous handshake messages, and a label that identifies client or server.
Cryptographic Computations: Transport Layer Security
- The pre_master_secret for TLS is calculated in the same way as in SSLv3.
- As in SSLv3, the master_secret in TLS is calculated as a hash function of the pre_master_secret and the two hello random numbers.
- The form of the TLS calculation is different from that of SSLv3 and is defined as
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)
- The algorithm is performed until 48 bytes of pseudorandom output are produced.
- The calculation of the key block material (MAC secret keys, session encryption keys, and IVs) is defined as
key_block = PRF(master_secret, "key expansion", SecurityParameters.server_random || SecurityParameters.client_random)
- As with SSLv3, the key_block is a function of the master_secret and the client and server random numbers, but for TLS, the actual algorithm is different.
- In SSL, the padding added prior to encryption of user data is the minimum amount required so that the total size of the data to be encrypted is a multiple of the cipher’s block length.
- In TLS, the padding can be any amount that results in a total that is a multiple of the cipher’s block length, up to a maximum of 255 bytes.
- A variable padding length may be used to frustrate attacks based on an analysis of the lengths of exchanged messages.
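The P_hash expansion and PRF from the Pseudorandom Function section, together with the master_secret and key_block derivations from the Cryptographic Computations section, as an added Python example that is not part of the original notes. It assumes SHA-256 as the HMAC hash, splits the key block in the order given in RFC 5246, and uses constructed secrets, random values and key sizes.

```python
import hashlib
import hmac

def p_hash(secret, seed, length, hash_name="sha256"):
    """P_hash(secret, seed), truncated to `length` bytes. A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()   # HMAC(secret, A(i) || seed)
    return out[:length]

def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_hash(secret, label || seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master_secret, client_random, server_random):
    """Expand until 48 bytes of pseudorandom output are produced."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Derive the key block and split it into named keys (order per RFC 5246)."""
    sizes = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    total = sum(n for _, n in sizes)
    # Note the order: server_random comes first here, client_random first above.
    block = prf(master, b"key expansion", server_random + client_random, total)
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys

# Constructed sample values (not taken from a real handshake).
PRE_MASTER = bytes([3, 3]) + bytes(46)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret", ms.hex())
    # Assumed sizes: 32-byte MAC keys, 16-byte cipher keys, 16-byte IVs.
    for name, value in key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 32, 16, 16).items():
        print(name, value.hex())
```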