Network Working Group
Request for Comments: 2246
Category: Standards Track

T. Dierks
Certicom
C. Allen
Certicom
January 1999


The TLS Protocol Version 1.0

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

Table of Contents

1. Introduction

2. Goals

3. Goals of this document

4. Presentation language
4.1. Basic block size
4.2. Miscellaneous
4.3. Vectors
4.4. Numbers
4.5. Enumerateds
4.6. Constructed types
4.6.1. Variants
4.7. Cryptographic attributes
4.8. Constants

5. HMAC and the pseudorandom function

6. The TLS Record Protocol
6.1. Connection states
6.2. Record layer
6.2.1. Fragmentation
6.2.2. Record compression and decompression
6.2.3. Record payload protection
6.2.3.1. Null or standard stream cipher
6.2.3.2. CBC block cipher
6.3. Key calculation
6.3.1. Export key generation example

7. The TLS Handshake Protocol
7.1. Change cipher spec protocol
7.2. Alert protocol
7.2.1. Closure alerts
7.2.2. Error alerts
7.3. Handshake Protocol overview
7.4. Handshake protocol
7.4.1. Hello messages
7.4.1.1. Hello request
7.4.1.2. Client hello
7.4.1.3. Server hello
7.4.2. Server certificate
7.4.3. Server key exchange message
7.4.4. Certificate request
7.4.5. Server hello done
7.4.6. Client certificate
7.4.7. Client key exchange message
7.4.7.1. RSA encrypted premaster secret message
7.4.7.2. Client Diffie-Hellman public value
7.4.8. Certificate verify
7.4.9. Finished

8. Cryptographic computations
8.1. Computing the master secret
8.1.1. RSA
8.1.2. Diffie-Hellman

9. Mandatory Cipher Suites

10. Application data protocol

A. Protocol constant values
A.1. Record layer
A.2. Change cipher specs message
A.3. Alert messages
A.4. Handshake protocol
A.4.1. Hello messages
A.4.2. Server authentication and key exchange messages
A.4.3. Client authentication and key exchange messages
A.4.4. Handshake finalization message
A.5. The CipherSuite
A.6. The Security Parameters

B. Glossary

C. CipherSuite definitions

D. Implementation Notes
D.1. Temporary RSA keys
D.2. Random Number Generation and Seeding
D.3. Certificates and authentication
D.4. CipherSuites

E. Backward Compatibility With SSL
E.1. Version 2 client hello
E.2. Avoiding man-in-the-middle version rollback

F. Security analysis
F.1. Handshake protocol
F.1.1. Authentication and key exchange
F.1.1.1. Anonymous key exchange
F.1.1.2. RSA key exchange and authentication
F.1.1.3. Diffie-Hellman key exchange with authentication
F.1.2. Version rollback attacks
F.1.3. Detecting attacks against the handshake protocol
F.1.4. Resuming sessions
F.1.5. MD5 and SHA
F.2. Protecting application data
F.3. Final notes

G. Patent Statement

Security Considerations

References

Credits

Comments

Full Copyright Statement


Security Considerations

Security issues are discussed throughout this memo.

Credits

Win Treese
Open Market

EMail: treese@openmarket.com

Editors

Christopher Allen
Certicom

EMail: callen@certicom.com

Tim Dierks
Certicom

EMail: tdierks@certicom.com

Authors' Addresses

Tim Dierks
Certicom

EMail: callen@certicom.com

Philip L. Karlton
Netscape Communications
Alan O. Freier
Netscape Communications

EMail: freier@netscape.com

Paul C. Kocher
Independent Consultant

EMail: pck@netcom.com

Other contributors

Martin Abadi
Digital Equipment Corporation

EMail: ma@pa.dec.com

Robert Relyea
Netscape Communications

EMail: relyea@netscape.com

Ran Canetti
IBM Watson Research Center

EMail: canetti@watson.ibm.com

Jim Roskind
Netscape Communications

EMail: jar@netscape.com

Taher Elgamal
Securify

EMail: elgamal@securify.com

Micheal J. Sabin, Ph. D.
Consulting Engineer

EMail: msabin@netcom.com

Anil R. Gangolli
Structured Arts Computing Corp.

EMail: gangolli@structuredarts.com

Dan Simon
Microsoft

EMail: dansimon@microsoft.com

Kipp E.B. Hickman
Netscape Communications

EMail: kipp@netscape.com

Tom Weinstein
Netscape Communications

EMail: tomw@netscape.com

Hugo Krawczyk
IBM Watson Research Center

EMail: hugo@watson.ibm.com

Comments

The discussion list for the IETF TLS working group is located at the e-mail address <ietf-tls@lists.consensus.com>. Information on the group and information on how to subscribe to the list is at <http://lists.consensus.com/>.

Archives of the list can be found at:
<http://www.imc.org/ietf-tls/mail-archive/>

Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.