TLS (Transport Layer Security)

From Bauman National Library
This page was last modified on 28 June 2016, at 09:26.

TLS (Transport Layer Security) is a cryptographic protocol for more secure transmission of information, created in 1999 on the basis of the SSL protocol. This protocol is widely used in applications working with the Internet. TLS uses asymmetric cryptography for authentication, symmetric encryption for confidentiality, and message authentication codes to preserve the integrity of messages.

Algorithm

This protocol operates at the application layer. Here is its algorithm:

  1. The client connects to a server that supports TLS and requests a secure connection.
  2. The client provides a list of supported encryption algorithms and hash functions.
  3. From the list provided by the client, the server selects the most reliable algorithms that it also supports, and informs the client of its choice.
  4. The server sends the client a digital certificate to authenticate itself. Typically, a digital certificate contains the server name, the name of the certifying CA, and the server's public key.
  5. The client can contact the trusted CA and confirm the authenticity of the received certificate before data transmission starts.
  6. To generate a session key for the secure connection, the client encrypts a randomly generated numeric sequence with the server's public key and sends the result to the server. Because of the properties of the asymmetric encryption algorithm used to establish the connection, only the server can decrypt the received sequence, using its private key.

Before communication over TLS begins, the client and server must agree on the parameters of the connection, namely the version of the protocol used and the encryption method, and verify certificates if necessary. The connection starts with a procedure called the TLS Handshake. It is worth noting that key exchange based on the RSA algorithm is mostly used: the client generates a symmetric key, encrypts it with the server's public key and sends it to the server. At the server, the client's key is decrypted using the private key. The disadvantage of this scheme is that the same key pair is also used to authenticate the server. Therefore, all browsers establishing TLS connections give preference to a combination of Diffie-Hellman and temporary (ephemeral) keys.

The TLS Handshake procedure is quite time-consuming and requires a lot of computing power, so session resumption is also used. Since the first public version of the protocol (SSL 2.0), the server can generate and send a 32-byte session ID during the TLS Handshake (in its initial ServerHello message). In that case the server caches the generated session IDs and the parameters negotiated for each client. The client stores the received ID and, if it has one, includes it in its initial ClientHello message. If both the client and server have identical session IDs, the connection is established using a simplified algorithm.
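The algorithm negotiation in steps 1 to 3 and the session-ID resumption described above can be traced on the wire format of a ClientHello. The following is an added example, not code from the original page: the function names, the server's preference order and the constructed ClientHello (TLS 1.2 layout, no extensions, all-zero random) are assumptions, while the cipher suite code points are the real IANA values.

```python
import os
import struct

# Real IANA code points; the preference order is an assumption of this example.
SERVER_PREFERENCE = [
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256 (RSA key exchange, no temporary keys)
]

def build_client_hello(suites, session_id=b""):
    """Build a minimal TLS 1.2 ClientHello record without extensions (constructed input)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + struct.pack(f"!{len(suites)}H", *suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (session_id, offered_suites) from a ClientHello held in one record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]
    if int.from_bytes(record[6:9], "big") != len(body) or len(body) < 35:
        raise ValueError("truncated ClientHello")
    sid_end = 35 + body[34]  # length byte follows version (2) and random (32)
    if sid_end > 67 or len(body) < sid_end + 2:
        raise ValueError("bad session_id length")
    (cs_len,) = struct.unpack("!H", body[sid_end:sid_end + 2])
    cs = body[sid_end + 2:sid_end + 2 + cs_len]
    if cs_len % 2 or len(cs) != cs_len:
        raise ValueError("bad cipher_suites length")
    return body[35:sid_end], list(struct.unpack(f"!{cs_len // 2}H", cs))

def server_hello(record, sessions):
    """Return (handshake_kind, session_id, suite); sessions maps session_id -> suite."""
    sid, offered = parse_client_hello(record)
    cached = sessions.get(sid)
    if cached in offered:  # resume only if the cached suite is still offered
        return "abbreviated", sid, cached
    # Full handshake: the server's order decides, not the client's.
    suite = next((s for s in SERVER_PREFERENCE if s in offered), None)
    if suite is None:
        raise ValueError("handshake_failure: no common cipher suite")
    new_sid = os.urandom(32)  # the 32-byte session ID sent in ServerHello
    sessions[new_sid] = suite
    return "full", new_sid, suite
```

Because the server walks its own preference list, a client that lists the RSA key-exchange suite first still ends up with an ECDHE suite when both sides support one.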

TLS False Start is an optional protocol extension that allows data to be sent when the TLS Handshake has only partially completed. In contrast to session resumption, it can transmit data when the session has expired or when the initial connection is being established.

A chain of trust is used for authentication in TLS. The chain of trust is based on certificates of authenticity provided by special certificate authorities (CAs). CAs check whether a certificate has been compromised and, if so, it is revoked.

Development

  1. SSL 1.0 - never published
  2. SSL 2.0 - released in 1995, had multiple vulnerabilities
  3. SSL 3.0 - released in 1996
  4. TLS 1.0 - released in 1999, based on SSL 3.0
  5. TLS 1.1 - released in 2006
  6. TLS 1.2 - released in 2008

It is worth noting that versions 1.1 and 1.2, which are considered to be safe, are supported by only a small number of Web sites. TLS 1.3 is currently being developed.
