Network Working Group
Request for Comments: 2246
Category: Standards Track
T. Dierks
C. Allen
Certicom
January 1999
The TLS Protocol Version 1.0
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Table of Contents
4. Presentation language
4.1. Basic block size
4.2. Miscellaneous
4.3. Vectors
4.4. Numbers
4.5. Enumerateds
4.6. Constructed types
4.6.1. Variants
4.7. Cryptographic attributes
4.8. Constants
5. HMAC and the pseudorandom function
6. The TLS Record Protocol
6.1. Connection states
6.2. Record layer
6.2.1. Fragmentation
6.2.2. Record compression and decompression
6.2.3. Record payload protection
6.2.3.1. Null or standard stream cipher
6.2.3.2. CBC block cipher
6.3. Key calculation
6.3.1. Export key generation example
7. The TLS Handshake Protocol
7.1. Change cipher spec protocol
7.2. Alert protocol
7.2.1. Closure alerts
7.2.2. Error alerts
7.3. Handshake Protocol overview
7.4. Handshake protocol
7.4.1. Hello messages
7.4.1.1. Hello request
7.4.1.2. Client hello
7.4.1.3. Server hello
7.4.2. Server certificate
7.4.3. Server key exchange message
7.4.4. Certificate request
7.4.5. Server hello done
7.4.6. Client certificate
7.4.7. Client key exchange message
7.4.7.1. RSA encrypted premaster secret message
7.4.7.2. Client Diffie-Hellman public value
7.4.8. Certificate verify
7.4.9. Finished
8. Cryptographic computations
8.1. Computing the master secret
8.1.1. RSA
8.1.2. Diffie-Hellman
A. Protocol constant values
A.1. Record layer
A.2. Change cipher specs message
A.3. Alert messages
A.4. Handshake protocol
A.4.1. Hello messages
A.4.2. Server authentication and key exchange messages
A.4.3. Client authentication and key exchange messages
A.4.4. Handshake finalization message
A.5. The CipherSuite
A.6. The Security Parameters
D. Implementation Notes
D.1. Temporary RSA keys
D.2. Random Number Generation and Seeding
D.3. Certificates and authentication
D.4. CipherSuites
E. Backward Compatibility With SSL
E.1. Version 2 client hello
E.2. Avoiding man-in-the-middle version rollback
F. Security analysis
F.1. Handshake protocol
F.1.1. Authentication and key exchange
F.1.1.1. Anonymous key exchange
F.1.1.2. RSA key exchange and authentication
F.1.1.3. Diffie-Hellman key exchange with authentication
F.1.2. Version rollback attacks
F.1.3. Detecting attacks against the handshake protocol
F.1.4. Resuming sessions
F.1.5. MD5 and SHA
F.2. Protecting application data
F.3. Final notes
Security Considerations
Security issues are discussed throughout this memo.
References
[3DES] W. Tuchman, "Hellman Presents No Shortcut Solutions To DES," IEEE Spectrum, v. 16, n. 7, July 1979, pp. 40-41.
[BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1" in Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages: 1--12, 1998.
[DES] ANSI X3.106, "American National Standard for Information Systems-Data Link Encryption," American National Standards Institute, 1983.
[DH1] W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, V. IT-22, n. 6, Nov 1976, pp. 644-654.
[DSS] NIST FIPS PUB 186, "Digital Signature Standard," National Institute of Standards and Technology, U.S. Department of Commerce, May 18, 1994.
[FTP] Postel J., and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985.
[HTTP] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996.
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," RFC 2104, February 1997.
[IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH Series in Information Processing, v. 1, Konstanz: Hartung-Gorre Verlag, 1992.
[MD2] Kaliski, B., "The MD2 Message Digest Algorithm", RFC 1319, April 1992.
[MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April 1992.
[PKCS1] RSA Laboratories, "PKCS #1: RSA Encryption Standard," version 1.5, November 1993.
[PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax Standard," version 1.5, November 1993.
[PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax Standard," version 1.5, November 1993.
[PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet Public Key Infrastructure: Part I: X.509 Certificate and CRL Profile", RFC 2459, January 1999.
[RC2] Rivest, R., "A Description of the RC2(r) Encryption Algorithm", RFC 2268, January 1998.
[RC4] Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption Algorithm", Work in Progress.
[RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120-126.
[RSADSI] Contact RSA Data Security, Inc., Tel: 415-595-8782
[SCH] B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C, Published by John Wiley & Sons, Inc. 1994.
[SHA] NIST FIPS PUB 180-1, "Secure Hash Standard," National Institute of Standards and Technology, U.S. Department of Commerce, Work in Progress, May 31, 1994.
[SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications Corp., Feb 9, 1995.
[SSL3] A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol", Netscape Communications Corp., Nov 18, 1996.
[TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793, September 1981.
[TEL] Postel J., and J. Reynolds, "Telnet Protocol Specification", STD 8, RFC 854, May 1983.
[TEL] Postel J., and J. Reynolds, "Telnet Option Specifications", STD 8, RFC 855, May 1983.
[X509] CCITT. Recommendation X.509: "The Directory - Authentication Framework". 1988.
[XDR] Srinivasan, R., "XDR: External Data Representation Standard", RFC 1832, Sun Microsystems, August 1995.
Working Group Chair
Win Treese
Open Market
EMail: treese@openmarket.com
Editors
Christopher Allen
Certicom
EMail: callen@certicom.com
Tim Dierks
Certicom
EMail: tdierks@certicom.com
Authors' Addresses
Tim Dierks
Certicom
EMail: tdierks@certicom.com
Philip L. Karlton
Netscape Communications
Alan O. Freier
Netscape Communications
EMail: freier@netscape.com
Paul C. Kocher
Independent Consultant
EMail: pck@netcom.com
Other contributors
Martin Abadi
Digital Equipment Corporation
EMail: ma@pa.dec.com
Robert Relyea
Netscape Communications
EMail: relyea@netscape.com
Ran Canetti
IBM Watson Research Center
EMail: canetti@watson.ibm.com
Jim Roskind
Netscape Communications
EMail: jar@netscape.com
Taher Elgamal
Securify
EMail: elgamal@securify.com
Micheal J. Sabin, Ph. D.
Consulting Engineer
EMail: msabin@netcom.com
Anil R. Gangolli
Structured Arts Computing Corp.
EMail: gangolli@structuredarts.com
Dan Simon
Microsoft
EMail: dansimon@microsoft.com
Kipp E.B. Hickman
Netscape Communications
EMail: kipp@netscape.com
Tom Weinstein
Netscape Communications
EMail: tomw@netscape.com
Hugo Krawczyk
IBM Watson Research Center
EMail: hugo@watson.ibm.com
The discussion list for the IETF TLS working group is located at the e-mail address <ietf-tls@lists.consensus.com>. Information on the group and information on how to subscribe to the list is at <http://lists.consensus.com/>.
Archives of the list can be found at:
<http://www.imc.org/ietf-tls/mail-archive/>
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.