- Forward


Transport Layer Security
An Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Print

Overview
Back Forward
  • Provide:
    • Confidentiality
    • Data Integrity
    • Server Authentication
    • Optional Client Authentication
    • Compression
  • Specification:
    • RFC 5246
History
Back Forward
  • Secure Sockets Layer (1995) -- Developed by Netscape
  • TLS v1.1 (2006) -- RFC 4346
  • TLS v1.2 (2008)
Handshaking
Back Forward
  • Establish Security Capabilities:
    • Client sends timestamp, pseudo-random number, supported cipher and compression suites
    • Server responds wih timestamp, pseudo-random number, selected cipher and compression algorithms
  • Server Authentication and Key Exchange:
    • Optional: Server sends certificate
    • Optional: Server sends key
    • Optional: Server requests certificate
  • Client Authentication and Key Exchange:
    • Optional: Client responds with certificate
    • Client sends key
    • Optional: Client sends verification of identity
  • Finish
Overhead
Back Forward
  • Handshake Phase:
    • Encryption on client (using the server's public key)
    • Decryption on server (using the server's private key)
    • Clients waiting on servers
  • Data Transfer Phase:
    • Symmetric key encryption
Overhead (cont.)
Back Forward

TCP over TLS can take 2-10 times as long as raw TCP!

Session State Information (Partial List)
Back Forward
  • Session ID:
    • Chosen by the server
  • Compression and Cipher Algorithms
  • Master Secret:
    • 48 bytes
  • Is Resumable Flag
Connection State Information (Partial List)
Back Forward
  • Server and Client Secret:
    • 32 bytes
  • Server-Write Key:
    • Server encryption and client decryption
  • Client-Write Key:
    • Client encryption and server decryption
  • Sequence Number
Records
Back Forward
  • Sender Process:
    • Fragment (if necessary)
    • Compress
    • Encrypt
  • Content:
    • Content Type
    • Version Number
    • Length
    • Payload
    • Originating MAC Address
Popular Applications
Back Forward
  • HTTPS
  • FTPS [which is an alternative to SFTP -- FTP over Secure Shell (SSH)]
  • OpenVPN
There's Always More to Learn
Back -