As per Relevance of the word connection, we have this rfc below:
Network Working Group T.
Request for Comments: 2246
Category: Standards Track C.
January 1999
The TLS
Version 1.0
Status of this
This document specifies an Internet standards track protocol for
Internet community, and requests discussion and suggestions
improvements. Please refer to the current edition of the "
Official Protocol Standards" (STD 1) for the standardization
and status of this protocol. Distribution of this memo is unlimited
Copyright
Copyright (C) The Internet Society (1999). All Rights Reserved
This document specifies Version 1.0 of the Transport Layer
(TLS) protocol. The TLS protocol provides communications privacy
the Internet. The protocol allows client/server applications
communicate in a way that is designed to prevent eavesdropping
tampering, or message forgery
Table of
1. Introduction 3
2. Goals 4
3. Goals of this document 5
4. Presentation language 5
4.1. Basic block size 6
4.2. Miscellaneous 6
4.3. Vectors 6
4.4. Numbers 7
4.5. Enumerateds 7
4.6. Constructed types 8
4.6.1. Variants 9
4.7. Cryptographic attributes 10
4.8. Constants 11
5. HMAC and the pseudorandom function 11
6. The TLS Record Protocol 13
6.1. Connection states 14
Dierks & Allen Standards Track [Page 1]
RFC 2246 The TLS Protocol Version 1.0 January 1999
6.2. Record layer 16
6.2.1. Fragmentation 16
6.2.2. Record compression and decompression 17
6.2.3. Record payload protection 18
6.2.3.1. Null or standard stream cipher 19
6.2.3.2. CBC block cipher 19
6.3. Key calculation 21
6.3.1. Export key generation example 22
7. The TLS Handshake Protocol 23
7.1. Change cipher spec protocol 24
7.2. Alert protocol 24
7.2.1. Closure alerts 25
7.2.2. Error alerts 26
7.3. Handshake Protocol overview 29
7.4. Handshake protocol 32
7.4.1. Hello messages 33
7.4.1.1. Hello request 33
7.4.1.2. Client hello 34
7.4.1.3. Server hello 36
7.4.2. Server certificate 37
7.4.3. Server key exchange message 39
7.4.4. Certificate request 41
7.4.5. Server hello done 42
7.4.6. Client certificate 43
7.4.7. Client key exchange message 43
7.4.7.1. RSA encrypted premaster secret message 44
7.4.7.2. Client Diffie-Hellman public value 45
7.4.8. Certificate verify 45
7.4.9. Finished 46
8. Cryptographic computations 47
8.1. Computing the master secret 47
8.1.1. RSA 48
8.1.2. Diffie-Hellman 48
9. Mandatory Cipher Suites 48
10. Application data protocol 48
A. Protocol constant values 49
A.1. Record layer 49
A.2. Change cipher specs message 50
A.3. Alert messages 50
A.4. Handshake protocol 51
A.4.1. Hello messages 51
A.4.2. Server authentication and key exchange messages 52
A.4.3. Client authentication and key exchange messages 53
A.4.4. Handshake finalization message 54
A.5. The CipherSuite 54
A.6. The Security Parameters 56
B. Glossary 57
C. CipherSuite definitions 61
Dierks & Allen Standards Track [Page 2]
RFC 2246 The TLS Protocol Version 1.0 January 1999
D. Implementation Notes 64
D.1. Temporary RSA keys 64
D.2. Random Number Generation and Seeding 64
D.3. Certificates and authentication 65
D.4. CipherSuites 65
E. Backward Compatibility With SSL 66
E.1. Version 2 client hello 67
E.2. Avoiding man-in-the-middle version rollback 68
F. Security analysis 69
F.1. Handshake protocol 69
F.1.1. Authentication and key exchange 69
F.1.1.1. Anonymous key exchange 69
F.1.1.2. RSA key exchange and authentication 70
F.1.1.3. Diffie-Hellman key exchange with authentication 71
F.1.2. Version rollback attacks 71
F.1.3. Detecting attacks against the handshake protocol 72
F.1.4. Resuming sessions 72
F.1.5. MD5 and SHA 72
F.2. Protecting application data 72
F.3. Final notes 73
G. Patent Statement 74
Security Considerations 75
References 75
Credits 77
Comments 78
Full Copyright Statement 80
1.
The primary goal of the TLS Protocol is to provide privacy and
integrity between two communicating applications. The protocol
composed of two layers: the TLS Record Protocol and the TLS
Protocol. At the lowest level, layered on top of some
transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol.
TLS Record Protocol provides connection security that has two
properties
- The connection is private. Symmetric cryptography is used
data encryption (e.g., DES [DES], RC4 [RC4], etc.) The keys
this symmetric encryption are generated uniquely for
connection and are based on a secret negotiated by
protocol (such as the TLS Handshake Protocol). The
Protocol can also be used without encryption
- The connection is reliable. Message transport includes a
integrity check using a keyed MAC. Secure hash functions (e.g.,
SHA, MD5, etc.) are used for MAC computations. The
Protocol can operate without a MAC, but is generally only used
Dierks & Allen Standards Track [Page 3]
RFC 2246 The TLS Protocol Version 1.0 January 1999
this mode while another protocol is using the Record Protocol
a transport for negotiating security parameters
The TLS Record Protocol is used for encapsulation of various
level protocols. One such encapsulated protocol, the TLS
Protocol, allows the server and client to authenticate each other
to negotiate an encryption algorithm and cryptographic keys
the application protocol transmits or receives its first byte
data. The TLS Handshake Protocol provides connection security
has three basic properties
- The peer's identity can be authenticated using asymmetric,
public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.).
authentication can be made optional, but is generally
for at least one of the peers
- The negotiation of a shared secret is secure: the
secret is unavailable to eavesdroppers, and for any
connection the secret cannot be obtained, even by an attacker
can place himself in the middle of the connection
- The negotiation is reliable: no attacker can modify
negotiation communication without being detected by the
to the communication
One advantage of TLS is that it is application protocol independent
Higher level protocols can layer on top of the TLS
transparently. The TLS standard, however, does not specify
protocols add security with TLS; the decisions on how to initiate
handshaking and how to interpret the authentication
exchanged are left up to the judgment of the designers
implementors of protocols which run on top of TLS
2.
The goals of TLS Protocol, in order of their priority, are
1. Cryptographic security: TLS should be used to establish a
connection between two parties
2. Interoperability: Independent programmers should be able
develop applications utilizing TLS that will then be able
successfully exchange cryptographic parameters without
of one another's code
3. Extensibility: TLS seeks to provide a framework into which
public key and bulk encryption methods can be incorporated
necessary. This will also accomplish two sub-goals: to
Dierks & Allen Standards Track [Page 4]
RFC 2246 The TLS Protocol Version 1.0 January 1999
the need to create a new protocol (and risking the
of possible new weaknesses) and to avoid the need to implement
entire new security library
4. Relative efficiency: Cryptographic operations tend to be
CPU intensive, particularly public key operations. For
reason, the TLS protocol has incorporated an optional
caching scheme to reduce the number of connections that need
be established from scratch. Additionally, care has been taken
reduce network activity
3. Goals of this
This document and the TLS protocol itself are based on the SSL 3.0
Protocol Specification as published by Netscape. The
between this protocol and SSL 3.0 are not dramatic, but they
significant enough that TLS 1.0 and SSL 3.0 do not
(although TLS 1.0 does incorporate a mechanism by which a
implementation can back down to SSL 3.0). This document is
primarily for readers who will be implementing the protocol and
doing cryptographic analysis of it. The specification has
written with this in mind, and it is intended to reflect the needs
those two groups. For that reason, many of the algorithm-
data structures and rules are included in the body of the text (
opposed to in an appendix), providing easier access to them
This document is not intended to supply any details of
definition nor interface definition, although it does cover
areas of policy as they are required for the maintenance of
security
4. Presentation
This document deals with the formatting of data in an
representation. The following very basic and somewhat
defined presentation syntax will be used. The syntax draws
several sources in its structure. Although it resembles
programming language "C" in its syntax and XDR [XDR] in both
syntax and intent, it would be risky to draw too many parallels.
purpose of this presentation language is to document TLS only, not
have general application beyond that particular goal
Dierks & Allen Standards Track [Page 5]
RFC 2246 The TLS Protocol Version 1.0 January 1999
4.1. Basic block
The representation of all data items is explicitly specified.
basic data block size is one byte (i.e. 8 bits). Multiple byte
items are concatenations of bytes, from left to right, from top
bottom. From the bytestream a multi-byte item (a numeric in
example) is formed (using C notation) by
value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |
... | byte[n-1];
This byte ordering for multi-byte values is the commonplace
byte order or big endian format
4.2.
Comments begin with "/*" and end with "*/".
Optional components are denoted by enclosing them in "[[ ]]"
brackets
Single byte entities containing uninterpreted data are of
opaque
4.3.
A vector (single dimensioned array) is a stream of homogeneous
elements. The size of the vector may be specified at
time or left unspecified until runtime. In either case the
declares the number of bytes, not the number of elements, in
vector. The syntax for specifying a new type T' that is a
length vector of type T
T T'[n];
Here T' occupies n bytes in the data stream, where n is a multiple
the size of T. The length of the vector is not included in
encoded stream
In the following example, Datum is defined to be three
bytes that the protocol does not interpret, while Data is
consecutive Datum, consuming a total of nine bytes
opaque Datum[3]; /* three uninterpreted bytes */
Datum Data[9]; /* 3 consecutive 3 byte vectors */
Dierks & Allen Standards Track [Page 6]
RFC 2246 The TLS Protocol Version 1.0 January 1999
Variable length vectors are defined by specifying a subrange of
lengths, inclusively, using the notation .
encoded, the actual length precedes the vector's contents in the
stream. The length will be in the form of a number consuming as
bytes as required to hold the vector's specified maximum (ceiling
length. A variable length vector with an actual length field of
is referred to as an empty vector
T T';
In the following example, mandatory is a vector that must
between 300 and 400 bytes of type opaque. It can never be empty.
actual length field consumes two bytes, a uint16, sufficient
represent the value 400 (see Section 4.4). On the other hand,
can represent up to 800 bytes of data, or 400 uint16 elements, and
may be empty. Its encoding will include a two byte actual
field prepended to the vector. The length of an encoded vector
be an even multiple of the length of a single element (for example,
17 byte vector of uint16 would be illegal).
opaque mandatory<300..400>;
/* length field is 2 bytes, cannot be empty */
uint16 longer<0..800>;
/* zero to 400 16-bit unsigned integers */
4.4.
The basic numeric data type is an unsigned byte (uint8). All
numeric data types are formed from fixed length series of
concatenated as described in Section 4.1 and are also unsigned.
following numeric types are predefined
uint8 uint16[2];
uint8 uint24[3];
uint8 uint32[4];
uint8 uint64[8];
All values, here and elsewhere in the specification, are stored
"network" or "big-endian" order; the uint32 represented by the
bytes 01 02 03 04 is equivalent to the decimal value 16909060.
4.5.
An additional sparse data type is available called enum. A field
type enum can only assume the values declared in the definition
Each definition is a different type. Only enumerateds of the
type may be assigned or compared. Every element of an enumerated
Dierks & Allen Standards Track [Page 7]
RFC 2246 The TLS Protocol Version 1.0 January 1999
be assigned a value, as demonstrated in the following example.
the elements of the enumerated are not ordered, they can be
any unique value, in any order
enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te
Enumerateds occupy as much space in the byte stream as would
maximal defined ordinal value. The following definition would
one byte to be used to carry fields of type Color
enum { red(3), blue(5), white(7) } Color
One may optionally specify a value without its associated tag
force the width definition without defining a superfluous element
In the following example, Taste will consume two bytes in the
stream but can only assume the values 1, 2 or 4.
enum { sweet(1), sour(2), bitter(4), (32000) } Taste
The names of the elements of an enumeration are scoped within
defined type. In the first example, a fully qualified reference
the second element of the enumeration would be Color.blue.
qualification is not required if the target of the assignment is
specified
Color color = Color.blue; /* overspecified, legal */
Color color = blue; /* correct, type implicit */
For enumerateds that are never converted to external representation
the numerical information may be omitted
enum { low, medium, high } Amount
4.6. Constructed
Structure types may be constructed from primitive types
convenience. Each specification declares a new, unique type.
syntax for definition is much like that of C
struct {
T1 f1;
T2 f2;
...
Tn fn
} [[T]];
Dierks & Allen Standards Track [Page 8]
RFC 2246 The TLS Protocol Version 1.0 January 1999
The fields within a structure may be qualified using the type's
using a syntax much like that available for enumerateds. For example
T.f2 refers to the second field of the previous declaration
Structure definitions may be embedded
4.6.1.
Defined structures may have variants based on some knowledge that
available within the environment. The selector must be an
type that defines the possible variants the structure defines.
must be a case arm for every element of the enumeration declared
the select. The body of the variant structure may be given a
for reference. The mechanism by which the variant is selected
runtime is not prescribed by the presentation language
struct {
T1 f1;
T2 f2;
....
Tn fn
select (E) {
case e1: Te1;
case e2: Te2;
....
case en: Ten
} [[fv]];
} [[Tv]];
For example
enum { apple, orange } VariantTag
struct {
uint16 number
opaque string<0..10>; /* variable length */
} V1;
struct {
uint32 number
opaque string[10]; /* fixed length */
} V2;
struct {
select (VariantTag) { /* value of selector is implicit */
case apple: V1; /* VariantBody, tag = apple */
case orange: V2; /* VariantBody, tag = orange */
} variant_body; /* optional label on variant */
} VariantRecord
Variant structures may be qualified (narrowed) by specifying a
for the selector prior to the type. For example,
Dierks & Allen Standards Track [Page 9]
RFC 2246 The TLS Protocol Version 1.0 January 1999
orange
is a narrowed type of a VariantRecord containing a variant_body
type V2.
4.7. Cryptographic
The four cryptographic operations digital signing, stream
encryption, block cipher encryption, and public key encryption
designated digitally-signed, stream-ciphered, block-ciphered,
public-key-encrypted, respectively. A field's
processing is specified by prepending an appropriate key
designation before the field's type specification. Cryptographic
are implied by the current session state (see Section 6.1).
In digital signing, one-way hash functions are used as input for
signing algorithm. A digitally-signed element is encoded as an
vector <0..2^16-1>, where the length is specified by the
algorithm and key
In RSA signing, a 36-byte structure of two hashes (one SHA and
MD5) is signed (encrypted with the private key). It is encoded
PKCS #1 block type 0 or type 1 as described in [PKCS1].
In DSS, the 20 bytes of the SHA hash are run directly through
Digital Signing Algorithm with no additional hashing. This
two values, r and s. The DSS signature is an opaque vector, as above
the contents of which are the DER encoding of
Dss-Sig-Value ::= SEQUENCE {
r INTEGER
s
}
In stream cipher encryption, the plaintext is exclusive-ORed with
identical amount of output generated from a cryptographically-
keyed pseudorandom number generator
In block cipher encryption, every block of plaintext encrypts to
block of ciphertext. All block cipher encryption is done in
(Cipher Block Chaining) mode, and all items which are block-
will be an exact multiple of the cipher block length
In public key encryption, a public key algorithm is used to
data in such a way that it can be decrypted only with the
private key. A public-key-encrypted element is encoded as an
vector <0..2^16-1>, where the length is specified by the
algorithm and key
Dierks & Allen Standards Track [Page 10]
RFC 2246 The TLS Protocol Version 1.0 January 1999
An RSA encrypted value is encoded with PKCS #1 block type 2
described in [PKCS1].
In the following example
stream-ciphered struct {
uint8 field1;
uint8 field2;
digitally-signed opaque hash[20];
} UserType
The contents of hash are used as input for the signing algorithm
then the entire structure is encrypted with a stream cipher.
length of this structure, in bytes would be equal to 2 bytes
field1 and field2, plus two bytes for the length of the signature
plus the length of the output of the signing algorithm. This is
due to the fact that the algorithm and key used for the signing
known prior to encoding or decoding this structure
4.8.
Typed constants can be defined for purposes of specification
declaring a symbol of the desired type and assigning values to it
Under-specified types (opaque, variable length vectors,
structures that contain opaque) cannot be assigned values. No
of a multi-element structure or vector may be elided
For example
struct {
uint8 f1;
uint8 f2;
} Example1;
Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
5. HMAC and the pseudorandom
A number of operations in the TLS record and handshake layer
a keyed MAC; this is a secure digest of some data protected by
secret. Forging the MAC is infeasible without knowledge of the
secret. The construction we use for this operation is known as HMAC
described in [HMAC].
HMAC can be used with a variety of different hash algorithms.
uses it in the handshake with two different algorithms: MD5 and SHA
1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret
Dierks & Allen Standards Track [Page 11]
RFC 2246 The TLS Protocol Version 1.0 January 1999
data). Additional hash algorithms can be defined by cipher suites
used to protect record data, but MD5 and SHA-1 are hard coded
the description of the handshaking for this version of the protocol
In addition, a construction is required to do expansion of
into blocks of data for the purposes of key generation or validation
This pseudo-random function (PRF) takes as input a secret, a seed
and an identifying label and produces an output of arbitrary length
In order to make the PRF as secure as possible, it uses two
algorithms in a way which should guarantee its security if
algorithm remains secure
First, we define a data expansion function, P_hash(secret, data
which uses a single hash function to expand a secret and seed into
arbitrary quantity of output
P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
HMAC_hash(secret, A(2) + seed) +
HMAC_hash(secret, A(3) + seed) + ...
Where + indicates concatenation
A() is defined as
A(0) =
A(i) = HMAC_hash(secret, A(i-1))
P_hash can be iterated as many times as is necessary to produce
required quantity of data. For example, if P_SHA-1 was being used
create 64 bytes of data, it would have to be iterated 4
(through A(4)), creating 80 bytes of output data; the last 16
of the final iteration would then be discarded, leaving 64 bytes
output data
TLS's PRF is created by splitting the secret into two halves
using one half to generate data with P_MD5 and the other half
generate data with P_SHA-1, then exclusive-or'ing the outputs
these two expansion functions together
S1 and S2 are the two halves of the secret and each is the
length. S1 is taken from the first half of the secret, S2 from
second half. Their length is created by rounding up the length of
overall secret divided by two; thus, if the original secret is an
number of bytes long, the last byte of S1 will be the same as
first byte of S2.
L_S = length in bytes of secret
L_S1 = L_S2 = ceil(L_S / 2);
Dierks & Allen Standards Track [Page 12]
RFC 2246 The TLS Protocol Version 1.0 January 1999
The secret is partitioned into two halves (with the possibility
one shared byte) as described above, S1 taking the first L_S1
and S2 the last L_S2 bytes
The PRF is then defined as the result of mixing the two
streams by exclusive-or'ing them together
PRF(secret, label, seed) = P_MD5(S1, label + seed)
P_SHA-1(S2, label + seed);
The label is an ASCII string. It should be included in the exact
it is given without a length byte or trailing null character.
example, the label "slithy toves" would be processed by hashing
following bytes
73 6C 69 74 68 79 20 74 6F 76 65 73
Note that because MD5 produces 16 byte outputs and SHA-1 produces 20
byte outputs, the boundaries of their internal iterations will not
aligned; to generate a 80 byte output will involve P_MD5
iterated through A(5), while P_SHA-1 will only iterate through A(4).
6. The TLS Record
The TLS Record Protocol is a layered protocol. At each layer
messages may include fields for length, description, and content
The Record Protocol takes messages to be transmitted, fragments
data into manageable blocks, optionally compresses the data,
a MAC, encrypts, and transmits the result. Received data
decrypted, verified, decompressed, and reassembled, then delivered
higher level clients
Four record protocol clients are described in this document:
handshake protocol, the alert protocol, the change cipher
protocol, and the application data protocol. In order to
extension of the TLS protocol, additional record types can
supported by the record protocol. Any new record types
allocate type values immediately beyond the ContentType values
the four record types described here (see Appendix A.2). If a
implementation receives a record type it does not understand,
should just ignore it. Any protocol designed for use over TLS must
carefully designed to deal with all possible attacks against it
Note that because the type and length of a record are not
by encryption, care should be take to minimize the value of
analysis of these values
Dierks & Allen Standards Track [Page 13]
RFC 2246 The TLS Protocol Version 1.0 January 1999
6.1. Connection
A TLS connection state is the operating environment of the TLS
Protocol. It specifies a compression algorithm, encryption algorithm
and MAC algorithm. In addition, the parameters for these
are known: the MAC secret and the bulk encryption keys and IVs
the connection in both the read and the write directions. Logically
there are always four connection states outstanding: the current
and write states, and the pending read and write states. All
are processed under the current read and write states. The
parameters for the pending states can be set by the TLS
Protocol, and the Handshake Protocol can selectively make either
the pending states current, in which case the appropriate
state is disposed of and replaced with the pending state; the
state is then reinitialized to an empty state. It is illegal to
a state which has not been initialized with security parameters
current state. The initial current state always specifies that
encryption, compression, or MAC will be used
The security parameters for a TLS Connection read and write state
set by providing the following values
connection
Whether this entity is considered the "client" or the "server"
this connection
bulk encryption
An algorithm to be used for bulk encryption. This
includes the key size of this algorithm, how much of that key
secret, whether it is a block or stream cipher, the block size
the cipher (if appropriate), and whether it is considered
"export" cipher
MAC
An algorithm to be used for message authentication.
specification includes the size of the hash which is returned
the MAC algorithm
compression
An algorithm to be used for data compression. This
must include all information the algorithm requires to
compression
master
A 48 byte secret shared between the two peers in the connection
client
A 32 byte value provided by the client
Dierks & Allen Standards Track [Page 14]
RFC 2246 The TLS Protocol Version 1.0 January 1999
server
A 32 byte value provided by the server
These parameters are defined in the presentation language as
enum { server, client } ConnectionEnd
enum { null, rc4, rc2, des, 3des, des40 } BulkCipherAlgorithm
enum { stream, block } CipherType
enum { true, false } IsExportable
enum { null, md5, sha } MACAlgorithm
enum { null(0), (255) } CompressionMethod
/* The algorithms specified in CompressionMethod
BulkCipherAlgorithm, and MACAlgorithm may be added to. */
struct {
ConnectionEnd entity
BulkCipherAlgorithm bulk_cipher_algorithm
CipherType cipher_type
uint8 key_size
uint8 key_material_length
IsExportable is_exportable
MACAlgorithm mac_algorithm
uint8 hash_size
CompressionMethod compression_algorithm
opaque master_secret[48];
opaque client_random[32];
opaque server_random[32];
} SecurityParameters
The record layer will use the security parameters to generate
following six items
client write MAC
server write MAC
client write
server write
client write IV (for block ciphers only
server write IV (for block ciphers only
The client write parameters are used by the server when receiving
processing records and vice-versa. The algorithm used for
these items from the security parameters is described in section 6.3.
Dierks & Allen Standards Track [Page 15]
RFC 2246 The TLS Protocol Version 1.0 January 1999
Once the security parameters have been set and the keys have
generated, the connection states can be instantiated by making
the current states. These current states must be updated for
record processed. Each connection state includes the
elements
compression
The current state of the compression algorithm
cipher
The current state of the encryption algorithm. This will
of the scheduled key for that connection. In addition, for
ciphers running in CBC mode (the only mode specified for TLS),
this will initially contain the IV for that connection state
be updated to contain the ciphertext of the last block
or decrypted as records are processed. For stream ciphers,
will contain whatever the necessary state information is to
the stream to continue to encrypt or decrypt data
MAC
The MAC secret for this connection as generated above
sequence
Each connection state contains a sequence number, which
maintained separately for read and write states. The
number must be set to zero whenever a connection state is
the active state. Sequence numbers are of type uint64 and may
exceed 2^64-1. A sequence number is incremented after
record: specifically, the first record which is transmitted
a particular connection state should use sequence number 0.
6.2. Record
The TLS Record Layer receives uninterpreted data from higher
in non-empty blocks of arbitrary size
6.2.1.
The record layer fragments information blocks into
records carrying data in chunks of 2^14 bytes or less. Client
boundaries are not preserved in the record layer (i.e.,
client messages of the same ContentType may be coalesced into
single TLSPlaintext record, or a single message may be
across several records).
struct {
uint8 major, minor
} ProtocolVersion
Dierks & Allen Standards Track [Page 16]
RFC 2246 The TLS Protocol Version 1.0 January 1999
enum {
change_cipher_spec(20), alert(21), handshake(22),
application_data(23), (255)
} ContentType
struct {
ContentType type
ProtocolVersion version
uint16 length
opaque fragment[TLSPlaintext.length];
} TLSPlaintext
The higher level protocol used to process the enclosed fragment
The version of the protocol being employed. This
describes TLS Version 1.0, which uses the version { 3, 1 }.
version value 3.1 is historical: TLS version 1.0 is a
modification to the SSL 3.0 protocol, which bears the
value 3.0. (See Appendix A.1).
The length (in bytes) of the following TLSPlaintext.fragment
The length should not exceed 2^14.
The application data. This data is transparent and treated as
independent block to be dealt with by the higher level
specified by the type field
Note: Data of different TLS Record layer content types may
interleaved. Application data is generally of lower
for transmission than other content types
6.2.2. Record compression and
All records are compressed using the compression algorithm defined
the current session state. There is always an active
algorithm; however, initially it is defined
CompressionMethod.null. The compression algorithm translates
TLSPlaintext structure into a TLSCompressed structure.
functions are initialized with default state information whenever
connection state is made active
Dierks & Allen Standards Track [Page 17]
RFC 2246 The TLS Protocol Version 1.0 January 1999
Compression must be lossless and may not increase the content
by more than 1024 bytes. If the decompression function encounters
TLSCompressed.fragment that would decompress to a length in excess
2^14 bytes, it should report a fatal decompression failure error
struct {
ContentType type; /* same as TLSPlaintext.type */
ProtocolVersion version;/* same as TLSPlaintext.version */
uint16 length
opaque fragment[TLSCompressed.length];
} TLSCompressed
The length (in bytes) of the following TLSCompressed.fragment
The length should not exceed 2^14 + 1024.
The compressed form of TLSPlaintext.fragment
Note: A CompressionMethod.null operation is an identity operation;
fields are altered
Implementation note
Decompression functions are responsible for ensuring
messages cannot cause internal buffer overflows
6.2.3. Record payload
The encryption and MAC functions translate a TLSCompressed
into a TLSCiphertext. The decryption functions reverse the process
The MAC of the record also includes a sequence number so
missing, extra or repeated messages are detectable
struct {
ContentType type
ProtocolVersion version
uint16 length
select (CipherSpec.cipher_type) {
case stream: GenericStreamCipher
case block: GenericBlockCipher
} fragment
} TLSCiphertext
The type field is identical to TLSCompressed.type
The version field is identical to TLSCompressed.version
Dierks & Allen Standards Track [Page 18]
RFC 2246 The TLS Protocol Version 1.0 January 1999
The length (in bytes) of the following TLSCiphertext.fragment
The length may not exceed 2^14 + 2048.
The encrypted form of TLSCompressed.fragment, with the MAC
6.2.3.1. Null or standard stream
Stream ciphers (including BulkCipherAlgorithm.null - see
A.6) convert TLSCompressed.fragment structures to and from
TLSCiphertext.fragment structures
stream-ciphered struct {
opaque content[TLSCompressed.length];
opaque MAC[CipherSpec.hash_size];
} GenericStreamCipher
The MAC is generated as
HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
TLSCompressed.version + TLSCompressed.length +
TLSCompressed.fragment));
where "+" denotes concatenation
seq_
The sequence number for this record
The hashing algorithm specified
SecurityParameters.mac_algorithm
Note that the MAC is computed before encryption. The stream
encrypts the entire block, including the MAC. For stream ciphers
do not use a synchronization vector (such as RC4), the stream
state from the end of one record is simply used on the
packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL,
consists of the identity operation (i.e., the data is not
and the MAC size is zero implying that no MAC is used).
TLSCiphertext.length is TLSCompressed.length
CipherSpec.hash_size
6.2.3.2. CBC block
For block ciphers (such as RC2 or DES), the encryption and
functions convert TLSCompressed.fragment structures to and from
TLSCiphertext.fragment structures
Dierks & Allen Standards Track [Page 19]
RFC 2246 The TLS Protocol Version 1.0 January 1999
block-ciphered struct {
opaque content[TLSCompressed.length];
opaque MAC[CipherSpec.hash_size];
uint8 padding[GenericBlockCipher.padding_length];
uint8 padding_length
} GenericBlockCipher
The MAC is generated as described in Section 6.2.3.1.
Padding that is added to force the length of the plaintext to
an integral multiple of the block cipher's block length.
padding may be any length up to 255 bytes long, as long as
results in the TLSCiphertext.length being an integral multiple
the block length. Lengths longer than necessary might
desirable to frustrate attacks on a protocol based on analysis
the lengths of exchanged messages. Each uint8 in the padding
vector must be filled with the padding length value
padding_
The padding length should be such that the total size of
GenericBlockCipher structure is a multiple of the cipher's
length. Legal values range from zero to 255, inclusive.
length specifies the length of the padding field exclusive of
padding_length field itself
The encrypted data length (TLSCiphertext.length) is one more than
sum of TLSCompressed.length, CipherSpec.hash_size,
padding_length
Example: If the block length is 8 bytes, the content
(TLSCompressed.length) is 61 bytes, and the MAC length is 20
bytes, the length before padding is 82 bytes. Thus,
padding length modulo 8 must be equal to 6 in order to
the total length an even multiple of 8 bytes (the
length). The padding length can be 6, 14, 22, and so on
through 254. If the padding length were the minimum necessary
6, the padding would be 6 bytes, each containing the value 6.
Thus, the last 8 octets of the GenericBlockCipher before
encryption would be xx 06 06 06 06 06 06 06, where xx is
last octet of the MAC
Note: With block ciphers in CBC mode (Cipher Block Chaining)
initialization vector (IV) for the first record is generated
the other keys and secrets when the security parameters are set
The IV for subsequent records is the last ciphertext block
the previous record
Dierks & Allen Standards Track [Page 20]
RFC 2246 The TLS Protocol Version 1.0 January 1999
6.3. Key
The Record Protocol requires an algorithm to generate keys, IVs,
MAC secrets from the security parameters provided by the
protocol
The master secret is hashed into a sequence of secure bytes,
are assigned to the MAC secrets, keys, and non-export IVs required
the current connection state (see Appendix A.6). CipherSpecs
a client write MAC secret, a server write MAC secret, a client
key, a server write key, a client write IV, and a server write IV
which are generated from the master secret in that order.
values are empty
When generating keys and MAC secrets, the master secret is used as
entropy source, and the random values provide unencrypted
material and IVs for exportable ciphers
To generate the key material,
key_block = PRF(SecurityParameters.master_secret
"key expansion",
SecurityParameters.server_random +
SecurityParameters.client_random);
until enough output has been generated. Then the key_block
partitioned as follows
client_write_MAC_secret[SecurityParameters.hash_size
server_write_MAC_secret[SecurityParameters.hash_size
client_write_key[SecurityParameters.key_material_length
server_write_key[SecurityParameters.key_material_length
client_write_IV[SecurityParameters.IV_size
server_write_IV[SecurityParameters.IV_size
The client_write_IV and server_write_IV are only generated for non
export block ciphers. For exportable block ciphers,
initialization vectors are generated later, as described below.
extra key_block material is discarded
Implementation note
The cipher spec which is defined in this document which
the most material is 3DES_EDE_CBC_SHA: it requires 2 x 24
keys, 2 x 20 byte MAC secrets, and 2 x 8 byte IVs, for a total
104 bytes of key material
Dierks & Allen Standards Track [Page 21]
RFC 2246 The TLS Protocol Version 1.0 January 1999
Exportable encryption algorithms (for which CipherSpec.is_
is true) require additional processing as follows to derive
final write keys
final_client_write_key =
PRF(SecurityParameters.client_write_key
"client write key",
SecurityParameters.client_random +
SecurityParameters.server_random);
final_server_write_key =
PRF(SecurityParameters.server_write_key
"server write key",
SecurityParameters.client_random +
SecurityParameters.server_random);
Exportable encryption algorithms derive their IVs solely from
random values from the hello messages
iv_block = PRF("", "IV block", SecurityParameters.client_random +
SecurityParameters.server_random);
The iv_block is partitioned into two initialization vectors as
key_block was above
client_write_IV[SecurityParameters.IV_size
server_write_IV[SecurityParameters.IV_size
Note that the PRF is used without a secret in this case: this
means that the secret has a length of zero bytes and
nothing to the hashing in the PRF
6.3.1. Export key generation
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 requires five random bytes
each of the two encryption keys and 16 bytes for each of the
keys, for a total of 42 bytes of key material. The PRF output
stored in the key_block. The key_block is partitioned, and the
keys are salted because this is an exportable encryption algorithm
key_block = PRF(master_secret
"key expansion",
server_random +
client_random)[0..41]
client_write_MAC_secret = key_block[0..15]
server_write_MAC_secret = key_block[16..31]
client_write_key = key_block[32..36]
server_write_key = key_block[37..41]
Dierks & Allen Standards Track [Page 22]
RFC 2246 The TLS Protocol Version 1.0 January 1999
final_client_write_key = PRF(client_write_key
"client write key",
client_random +
server_random)[0..15]
final_server_write_key = PRF(server_write_key
"server write key",
client_random +
server_random)[0..15]
iv_block = PRF("", "IV block", client_random +
server_random)[0..15]
client_write_IV = iv_block[0..7]
server_write_IV = iv_block[8..15]
7. The TLS Handshake
The TLS Handshake Protocol consists of a suite of three sub-
which are used to allow peers to agree upon security parameters
the record layer, authenticate themselves, instantiate
security parameters, and report error conditions to each other
The Handshake Protocol is responsible for negotiating a session
which consists of the following items
session
An arbitrary byte sequence chosen by the server to identify
active or resumable session state
peer
X509v3 [X509] certificate of the peer. This element of the
may be null
compression
The algorithm used to compress data prior to encryption
cipher
Specifies the bulk data encryption algorithm (such as null, DES
etc.) and a MAC algorithm (such as MD5 or SHA). It also
cryptographic attributes such as the hash_size. (See Appendix A.6
for formal definition
master
48-byte secret shared between the client and server
is
A flag indicating whether the session can be used to initiate
connections
Dierks & Allen Standards Track [Page 23]
RFC 2246 The TLS Protocol Version 1.0 January 1999
These items are then used to create security parameters for use
the Record Layer when protecting application data. Many
can be instantiated using the same session through the
feature of the TLS Handshake Protocol
7.1. Change cipher spec
The change cipher spec protocol exists to signal transitions
ciphering strategies. The protocol consists of a single message
which is encrypted and compressed under the current (not the pending
connection state. The message consists of a single byte of value 1.
struct {
enum { change_cipher_spec(1), (255) } type
} ChangeCipherSpec
The change cipher spec message is sent by both the client and
to notify the receiving party that subsequent records will
protected under the newly negotiated CipherSpec and keys.
of this message causes the receiver to instruct the Record Layer
immediately copy the read pending state into the read current state
Immediately after sending this message, the sender should
the record layer to make the write pending state the write
state. (See section 6.1.) The change cipher spec message is
during the handshake after the security parameters have been
upon, but before the verifying finished message is sent (see
7.4.9).
7.2. Alert
One of the content types supported by the TLS Record layer is
alert type. Alert messages convey the severity of the message and
description of the alert. Alert messages with a level of fatal
in the immediate termination of the connection. In this case,
connections corresponding to the session may continue, but
session identifier must be invalidated, preventing the failed
from being used to establish new connections. Like other messages
alert messages are encrypted and compressed, as specified by
current connection state
enum { warning(1), fatal(2), (255) } AlertLevel
enum {
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed(21),
record_overflow(22),
Dierks & Allen Standards Track [Page 24]
RFC 2246 The TLS Protocol Version 1.0 January 1999
decompression_failure(30),
handshake_failure(40),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
(255)
} AlertDescription
struct {
AlertLevel level
AlertDescription description
} Alert
7.2.1. Closure
The client and the server must share knowledge that the connection
ending in order to avoid a truncation attack. Either party
initiate the exchange of closing messages
close_
This message notifies the recipient that the sender will not
any more messages on this connection. The session
unresumable if any connection is terminated without
close_notify messages with level equal to warning
Either party may initiate a close by sending a close_notify alert
Any data received after a closure alert is ignored
Each party is required to send a close_notify alert before
the write side of the connection. It is required that the other
respond with a close_notify alert of its own and close down
connection immediately, discarding any pending writes. It is
required for the initiator of the close to wait for the
close_notify alert before closing the read side of the connection
Dierks & Allen Standards Track [Page 25]
RFC 2246 The TLS Protocol Version 1.0 January 1999
If the application protocol using TLS provides that any data may
carried over the underlying transport after the TLS connection
closed, the TLS implementation must receive the
close_notify alert before indicating to the application layer
the TLS connection has ended. If the application protocol will
transfer any additional data, but will only close the
transport connection, then the implementation may choose to close
transport without waiting for the responding close_notify. No part
this standard should be taken to dictate the manner in which a
profile for TLS manages its data transport, including
connections are opened or closed
NB: It is assumed that closing a connection reliably
pending data before destroying the transport
7.2.2. Error
Error handling in the TLS Handshake protocol is very simple. When
error is detected, the detecting party sends a message to the
party. Upon transmission or receipt of an fatal alert message,
parties immediately close the connection. Servers and clients
required to forget any session-identifiers, keys, and
associated with a failed connection. The following error alerts
defined
unexpected_
An inappropriate message was received. This alert is always
and should never be observed in communication between
implementations
bad_record_
This alert is returned if a record is received with an
MAC. This message is always fatal
decryption_
A TLSCiphertext decrypted in an invalid way: either it wasn`t
even multiple of the block length or its padding values,
checked, weren`t correct. This message is always fatal
record_
A TLSCiphertext record was received which had a length more
2^14+2048 bytes, or a record decrypted to a TLSCompressed
with more than 2^14+1024 bytes. This message is always fatal
decompression_
The decompression function received improper input (e.g.
that would expand to excessive length). This message is
fatal
Dierks & Allen Standards Track [Page 26]
RFC 2246 The TLS Protocol Version 1.0 January 1999
handshake_
Reception of a handshake_failure alert message indicates that
sender was unable to negotiate an acceptable set of
parameters given the options available. This is a fatal error
bad_
A certificate was corrupt, contained signatures that did
verify correctly, etc
unsupported_
A certificate was of an unsupported type
certificate_
A certificate was revoked by its signer
certificate_
A certificate has expired or is not currently valid
certificate_
Some other (unspecified) issue arose in processing
certificate, rendering it unacceptable
illegal_
A field in the handshake was out of range or inconsistent
other fields. This is always fatal
unknown_
A valid certificate chain or partial chain was received, but
certificate was not accepted because the CA certificate could
be located or couldn`t be matched with a known, trusted CA.
message is always fatal
access_
A valid certificate was received, but when access control
applied, the sender decided not to proceed with negotiation
This message is always fatal
decode_
A message could not be decoded because some field was out of
specified range or the length of the message was incorrect.
message is always fatal
decrypt_
A handshake cryptographic operation failed, including
unable to correctly verify a signature, decrypt a key exchange
or validate a finished message
Dierks & Allen Standards Track [Page 27]
RFC 2246 The TLS Protocol Version 1.0 January 1999
export_
A negotiation not in compliance with export restrictions
detected; for example, attempting to transfer a 1024
ephemeral RSA key for the RSA_EXPORT handshake method.
message is always fatal
protocol_
The protocol version the client has attempted to negotiate
recognized, but not supported. (For example, old
versions might be avoided for security reasons). This message
always fatal
insufficient_
Returned instead of handshake_failure when a negotiation
failed specifically because the server requires ciphers
secure than those supported by the client. This message is
fatal
internal_
An internal error unrelated to the peer or the correctness of
protocol makes it impossible to continue (such as a
allocation failure). This message is always fatal
user_
This handshake is being canceled for some reason unrelated to
protocol failure. If the user cancels an operation after
handshake is complete, just closing the connection by sending
close_notify is more appropriate. This alert should be
by a close_notify. This message is generally a warning
no_
Sent by the client in response to a hello request or by
server in response to a client hello after initial handshaking
Either of these would normally lead to renegotiation; when
is not appropriate, the recipient should respond with this alert
at that point, the original requester can decide whether
proceed with the connection. One case where this would
appropriate would be where a server has spawned a process
satisfy a request; the process might receive security
(key length, authentication, etc.) at startup and it might
difficult to communicate changes to these parameters after
point. This message is always a warning
For all errors where an alert level is not explicitly specified,
sending party may determine at its discretion whether this is a
error or not; if an alert with a level of warning is received,
Dierks & Allen Standards Track [Page 28]
RFC 2246 The TLS Protocol Version 1.0 January 1999
receiving party may decide at its discretion whether to treat this
a fatal error or not. However, all messages which are
with a level of fatal must be treated as fatal messages
7.3. Handshake Protocol
The cryptographic parameters of the session state are produced by
TLS Handshake Protocol, which operates on top of the TLS
Layer. When a TLS client and server first start communicating,
agree on a protocol version, select cryptographic algorithms
optionally authenticate each other, and use public-key
techniques to generate shared secrets
The TLS Handshake Protocol involves the following steps
- Exchange hello messages to agree on algorithms, exchange
values, and check for session resumption
- Exchange the necessary cryptographic parameters to allow
client and server to agree on a premaster secret
- Exchange certificates and cryptographic information to allow
client and server to authenticate themselves
- Generate a master secret from the premaster secret and
random values
- Provide security parameters to the record layer
- Allow the client and server to verify that their peer
calculated the same security parameters and that the
occurred without tampering by an attacker
Note that higher layers should not be overly reliant on TLS
negotiating the strongest possible connection between two peers
there are a number of ways a man in the middle attacker can
to make two entities drop down to the least secure method
support. The protocol has been designed to minimize this risk,
there are still attacks available: for example, an attacker
block access to the port a secure service runs on, or attempt to
the peers to negotiate an unauthenticated connection. The
rule is that higher levels must be cognizant of what their
requirements are and never transmit information over a channel
secure than what they require. The TLS protocol is secure, in
any cipher suite offers its promised level of security: if
negotiate 3DES with a 1024 bit RSA key exchange with a host
certificate you have verified, you can expect to be that secure
Dierks & Allen Standards Track [Page 29]
RFC 2246 The TLS Protocol Version 1.0 January 1999
However, you should never send data over a link encrypted with 40
security unless you feel that data is worth no more than the
required to break that encryption
These goals are achieved by the handshake protocol, which can
summarized as follows: The client sends a client hello message
which the server must respond with a server hello message, or else
fatal error will occur and the connection will fail. The client
and server hello are used to establish security
capabilities between client and server. The client hello and
hello establish the following attributes: Protocol Version,
ID, Cipher Suite, and Compression Method. Additionally, two
values are generated and exchanged: ClientHello.random
ServerHello.random
The actual key exchange uses up to four messages: the
certificate, the server key exchange, the client certificate, and
client key exchange. New key exchange methods can be created
specifying a format for these messages and defining the use of
messages to allow the client and server to agree upon a
secret. This secret should be quite long; currently defined
exchange methods exchange secrets which range from 48 to 128 bytes
length
Following the hello messages, the server will send its certificate
if it is to be authenticated. Additionally, a server key
message may be sent, if it is required (e.g. if their server has
certificate, or if its certificate is for signing only). If
server is authenticated, it may request a certificate from
client, if that is appropriate to the