summaryrefslogtreecommitdiff
path: root/doc/protocol/ssl-version2.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/ssl-version2.txt')
-rw-r--r--doc/protocol/ssl-version2.txt1486
1 files changed, 0 insertions, 1486 deletions
diff --git a/doc/protocol/ssl-version2.txt b/doc/protocol/ssl-version2.txt
deleted file mode 100644
index 9ce3d2ac5c..0000000000
--- a/doc/protocol/ssl-version2.txt
+++ /dev/null
@@ -1,1486 +0,0 @@
- [Documentation]
-
- SSL 2.0 PROTOCOL SPECIFICATION
-
-If you have questions about this protocol specification, please ask them in
-Netscape's newsgroup for SSL developers, netscape.dev.ssl. More information
-about the netscape.dev.ssl newsgroup may be found at this URL:
-http://home.netscape.com/eng/ssl3/ssl-talk.html
- ------------------------------------------------------------------------
-
-THIS PROTOCOL SPECIFICATION WAS REVISED ON NOVEMBER 29TH, 1994:
-
- * a fundamental correction to the client-certificate authentication
- protocol,
- * the removal of the username/password messages,
- * corrections in some of the cryptographic terminology,
- * the addition of a MAC to the messages [see section 1.2],
- * the allowance for different kinds of message digest algorithms.
-
-THIS DOCUMENT WAS REVISED ON DECEMBER 22ND, 1994:
-
- * The spec now defines the order the clear key data and secret key data
- are combined to produce the master key.
- * The spec now explicitly states the size of the MAC instead of making
- the reader figure it out.
- * The spec is more clear on the actual values used to produce the session
- read and write keys.
- * The spec is more clear on how many bits of the session key are used
- after they are produced from the hash function.
-
-THIS DOCUMENT WAS REVISED ON JANUARY 17TH, 1995:
-
- * Defined the category to be informational.
- * Clarified ordering of data elements in various places.
- * Defined DES-CBC cipher kind and key construction.
- * Defined DES-EDE3-CBC cipher kind and key construction.
-
-THIS DOCUMENT WAS REVISED ON JANUARY 24TH, 1995:
-
- * Fixed bug in definition of CIPHER-CHOICE in CLIENT-MASTER-KEY message.
- The previous spec erroneously indicated that the CIPHER-CHOICE was an
- index into the servers CIPHER-SPECS-DATA array, when it was actually
- supposed to be the CIPHER-KIND value chosen by the client.
- * Clarified the values of the KEY-ARG-DATA.
-
-THIS DOCUMENT WAS REVISED ON FEBRUARY 9TH, 1995:
-
- The spec has been clarified to indicate the byte order of sequence
- numbers when they are being applied to the MAC hash function.
- * The spec now defines the acceptable length range of the CONNECTION-ID
- parameter (sent by the server in the SERVER-HELLO message).
- * Simplified the specification of the CIPHER-KIND data. The spec language
- has been changed yet the format remains compatible with all existing
- implementations. The CIPHER-KIND information is now a three byte value
- which defines the type of cipher and the length of the key. The key
- length is no longer separable from the CIPHER-KIND.
- * Explained how the KEY-ARG-DATA is retained with the SESSION-ID when the
- session-identifier cache is used.
-
- ------------------------------------------------------------------------
-
-Experimental Kipp E.B. Hickman
-Request For Comments: XXXX Netscape Communications Corp.
-Category: Informational Last Update: Feb. 9th, 1995
-
- The SSL Protocol
-
-Status of this Memo
-
- This is a DRAFT specification.
-
- This RFC specifies a security protocol for the Internet community, and
- requests discussion and suggestions for improvements. Distribution of
- this memo is unlimited.
-
-Abstract
-
- This document specifies the Secure Sockets Layer (SSL) protocol, a
- security protocol that provides privacy over the Internet. The protocol
- allows client/server applications to communicate in a way that cannot
- be eavesdropped. Server's are always authenticated and clients are
- optionally authenticated.
-
-Motivation
-
- The SSL Protocol is designed to provide privacy between two
- communicating applications (a client and a server). Second, the
- protocol is designed to authenticate the server, and optionally the
- client. SSL requires a reliable transport protocol (e.g. TCP) for data
- transmission and reception.
-
- The advantage of the SSL Protocol is that it is application protocol
- independent. A "higher level" application protocol (e.g. HTTP, FTP,
- TELNET, etc.) can layer on top of the SSL Protocol transparently. The
- SSL Protocol can negotiate an encryption algorithm and session key as
- well as authenticate a server before the application protocol transmits
- or receives its first byte of data. All of the application protocol
- data is transmitted encrypted, ensuring privacy.
-
- The SSL protocol provides "channel security" which has three basic
- properties:
-
- * The channel is private. Encryption is used for all messages after
- a simple handshake is used to define a secret key.
-
- * The channel is authenticated. The server endpoint of the
- conversation is always authenticated, while the client endpoint is
- optionally authenticated.
-
- * The channel is reliable. The message transport includes a message
- integrity check (using a MAC).
-
-1. SSL Record Protocol Specification
-
- 1.1 SSL Record Header Format
-
- In SSL, all data sent is encapsulated in a record, an object which is
- composed of a header and some non-zero amount of data. Each record
- header contains a two or three byte length code. If the most
- significant bit is set in the first byte of the record length code then
- the record has no padding and the total header length will be 2 bytes,
- otherwise the record has padding and the total header length will be 3
- bytes. The record header is transmitted before the data portion of the
- record.
-
- Note that in the long header case (3 bytes total), the second most
- significant bit in the first byte has special meaning. When zero, the
- record being sent is a data record. When one, the record being sent is
- a security escape (there are currently no examples of security escapes;
- this is reserved for future versions of the protocol). In either case,
- the length code describes how much data is in the record.
-
- The record length code does not include the number of bytes consumed by
- the record header (2 or 3). For the 2 byte header, the record length is
- computed by (using a "C"-like notation):
-
- RECORD-LENGTH = ((byte[0] & 0x7f) << 8)) | byte[1];
-
- Where byte[0] represents the first byte received and byte[1] the second
- byte received. When the 3 byte header is used, the record length is
- computed as follows (using a "C"-like notation):
-
- RECORD-LENGTH = ((byte[0] & 0x3f) << 8)) | byte[1];
- IS-ESCAPE = (byte[0] & 0x40) != 0;
- PADDING = byte[2];
-
- The record header defines a value called PADDING. The PADDING value
- specifies how many bytes of data were appended to the original record
- by the sender. The padding data is used to make the record length be a
- multiple of the block ciphers block size when a block cipher is used
- for encryption.
-
- The sender of a "padded" record appends the padding data to the end of
- its normal data and then encrypts the total amount (which is now a
- multiple of the block cipher's block size). The actual value of the
- padding data is unimportant, but the encrypted form of it must be
- transmitted for the receiver to properly decrypt the record. Once the
- total amount being transmitted is known the header can be properly
- constructed with the PADDING value set appropriately.
-
- The receiver of a padded record decrypts the entire record data (sans
- record length and the optional padding) to get the clear data, then
- subtracts the PADDING value from the RECORD-LENGTH to determine the
- final RECORD-LENGTH. The clear form of the padding data must be
- discarded.
-
- 1.2 SSL Record Data Format
-
- The data portion of an SSL record is composed of three components
- (transmitted and received in the order shown):
-
- MAC-DATA[MAC-SIZE]
- ACTUAL-DATA[N]
- PADDING-DATA[PADDING]
-
- ACTUAL-DATA is the actual data being transmitted (the message payload).
- PADDING-DATA is the padding data sent when a block cipher is used and
- padding is needed. Finally, MAC-DATA is the Message Authentication
- Code.
-
- When SSL records are sent in the clear, no cipher is used. Consequently
- the amount of PADDING-DATA will be zero and the amount of MAC-DATA will
- be zero. When encryption is in effect, the PADDING-DATA will be a
- function of the cipher block size. The MAC-DATA is a function of the
- CIPHER-CHOICE (more about that later).
-
- The MAC-DATA is computed as follows:
-
- MAC-DATA = HASH[ SECRET, ACTUAL-DATA, PADDING-DATA, SEQUENCE-NUMBER ]
-
- Where the SECRET data is fed to the hash function first, followed by
- the ACTUAL-DATA, which is followed by the PADDING-DATA which is finally
- followed by the SEQUENCE-NUMBER. The SEQUENCE-NUMBER is a 32 bit value
- which is presented to the hash function as four bytes, with the first
- byte being the most significant byte of the sequence number, the second
- byte being the next most significant byte of the sequence number, the
- third byte being the third most significant byte, and the fourth byte
- being the least significant byte (that is, in network byte order or
- "big endian" order).
-
- MAC-SIZE is a function of the digest algorithm being used. For MD2 and
- MD5 the MAC-SIZE will be 16 bytes (128 bits).
-
- The SECRET value is a function of which party is sending the message.
- If the client is sending the message then the SECRET is the
- CLIENT-WRITE-KEY (the server will use the SERVER-READ-KEY to verify the
- MAC). If the client is receiving the message then the SECRET is the
- CLIENT-READ-KEY (the server will use the SERVER-WRITE-KEY to generate
- the MAC).
-
- The SEQUENCE-NUMBER is a counter which is incremented by both the
- sender and the receiver. For each transmission direction, a pair of
- counters is kept (one by the sender, one by the receiver). Every time a
- message is sent by a sender the counter is incremented. Sequence
- numbers are 32 bit unsigned quantities and must wrap to zero after
- incrementing past 0xFFFFFFFF.
-
- The receiver of a message uses the expected value of the sequence
- number as input into the MAC HASH function (the HASH function is chosen
- from the CIPHER-CHOICE). The computed MAC-DATA must agree bit for bit
- with the transmitted MAC-DATA. If the comparison is not identity then
- the record is considered damaged, and it is to be treated as if an "I/O
- Error" had occurred (i.e. an unrecoverable error is asserted and the
- connection is closed).
-
- A final consistency check is done when a block cipher is used and the
- protocol is using encryption. The amount of data present in a record
- (RECORD-LENGTH))must be a multiple of the cipher's block size. If the
- received record is not a multiple of the cipher's block size then the
- record is considered damaged, and it is to be treated as if an "I/O
- Error" had occurred (i.e. an unrecoverable error is asserted and the
- connection is closed).
-
- The SSL Record Layer is used for all SSL communications, including
- handshake messages, security escapes and application data transfers.
- The SSL Record Layer is used by both the client and the server at all
- times.
-
- For a two byte header, the maximum record length is 32767 bytes. For
- the three byte header, the maximum record length is 16383 bytes. The
- SSL Handshake Protocol messages are constrained to fit in a single SSL
- Record Protocol record. Application protocol messages are allowed to
- consume multiple SSL Record Protocol record's.
-
- Before the first record is sent using SSL all sequence numbers are
- initialized to zero. The transmit sequence number is incremented after
- every message sent, starting with the CLIENT-HELLO and SERVER-HELLO
- messages.
-
-2. SSL Handshake Protocol Specification
-
- 2.1 SSL Handshake Protocol Flow
-
- The SSL Handshake Protocol has two major phases. The first phase
- is used to establish private communications. The second phase is
- used for client authentication.
-
- Phase 1
-
- The first phase is the initial connection phase where both parties
- communicate their "hello" messages. The client initiates the
- conversation by sending the CLIENT-HELLO message. The server
- receives the CLIENT-HELLO message and processes it responding with
- the SERVER-HELLO message.
-
- At this point both the client and server have enough information
- to know whether or not a new master key is needed. When a new
- master key is not needed, both the client and the server proceed
- immediately to phase 2.
-
- When a new master key is needed, the SERVER-HELLO message will
- contain enough information for the client to generate it. This
- includes the server's signed certificate (more about that later),
- a list of bulk cipher specifications (see below), and a
- connection-id (a connection-id is a randomly generated value
- generated by the server that is used by the client and server
- during a single connection). The client generates the master key
- and responds with a CLIENT-MASTER-KEY message (or an ERROR message
- if the server information indicates that the client and server
- cannot agree on a bulk cipher).
-
- It should be noted here that each SSL endpoint uses a pair of
- ciphers per connection (for a total of four ciphers). At each
- endpoint, one cipher is used for outgoing communications, and one
- is used for incoming communications. When the client or server
- generate a session key, they actually generate two keys, the
- SERVER-READ-KEY (also known as the CLIENT-WRITE-KEY) and the
- SERVER-WRITE-KEY (also known as the CLIENT-READ-KEY). The master
- key is used by the client and server to generate the various
- session keys (more about that later).
-
- Finally, the server sends a SERVER-VERIFY message to the client
- after the master key has been determined. This final step
- authenticates the server, because only a server which has the
- appropriate public key can know the master key.
-
- Phase 2
-
- The second phase is the authentication phase. The server has
- already been authenticated by the client in the first phase, so
- this phase is primarily used to authenticate the client. In a
- typical scenario, the server will require something from the
- client and send a request. The client will answer in the positive
- if it has the needed information, or send an ERROR message if it
- does not. This protocol specification does not define the
- semantics of an ERROR response to a server request (e.g., an
- implementation can ignore the error, close the connection, etc.
- and still conform to this specification).
-
- When a party is done authenticating the other party, it sends its
- finished message. For the client, the CLIENT-FINISHED message
- contains the encrypted form of the CONNECTION-ID for the server to
- verify. If the verification fails, the server sends an ERROR
- message.
-
- Once a party has sent its finished message it must continue to
- listen to its peers messages until it too receives a finished
- message. Once a party has both sent a finished message and
- received its peers finished message, the SSL handshake protocol is
- done. At this point the application protocol begins to operate
- (Note: the application protocol continues to be layered on the SSL
- Record Protocol).
-
- 2.2 Typical Protocol Message Flow
-
- The following sequences define several typical protocol message
- flows for the SSL Handshake Protocol. In these examples we have
- two principals in the conversation: the client and the server. We
- use a notation commonly found in the literature [10]. When
- something is enclosed in curly braces "{something}key" then the
- something has been encrypted using "key".
-
- 2.2.1 Assuming no session-identifier
-
- client-hello C -> S: challenge, cipher_specs
- server-hello S -> C: connection-id,server_certificate,cipher_specs
- client-master-key C -> S: {master_key}server_public_key
- client-finish C -> S: {connection-id}client_write_key
- server-verify S -> C: {challenge}server_write_key
- server-finish S -> C: {new_session_id}server_write_key
-
- 2.2.2 Assuming a session-identifier was found by both client &
- server
-
- client-hello C -> S: challenge, session_id, cipher_specs
- server-hello S -> C: connection-id, session_id_hit
- client-finish C -> S: {connection-id}client_write_key
- server-verify S -> C: {challenge}server_write_key
- server-finish S -> C: {session_id}server_write_key
-
- 2.2.3 Assuming a session-identifier was used and client
- authentication is used
-
- client-hello C -> S: challenge, session_id, cipher_specs
- server-hello S -> C: connection-id, session_id_hit
- client-finish C -> S: {connection-id}client_write_key
- server-verify S -> C: {challenge}server_write_key
- request-certificate S -> C: {auth_type,challenge'}server_write_key
- client-certificate C -> S: {cert_type,client_cert,
- response_data}client_write_key
- server-finish S -> C: {session_id}server_write_key
-
- In this last exchange, the response_data is a function of the
- auth_type.
-
- 2.3 Errors
-
- Error handling in the SSL connection protocol is very simple. When
- an error is detected, the detecting party sends a message to the
- other party. Errors that are not recoverable cause the client and
- server to abort the secure connection. Servers and client are
- required to "forget" any session-identifiers associated with a
- failing connection.
-
- The SSL Handshake Protocol defines the following errors:
-
- NO-CIPHER-ERROR
- This error is returned by the client to the server when it
- cannot find a cipher or key size that it supports that is
- also supported by the server. This error is not recoverable.
-
- NO-CERTIFICATE-ERROR
- When a REQUEST-CERTIFICATE message is sent, this error may be
- returned if the client has no certificate to reply with. This
- error is recoverable (for client authentication only).
-
- BAD-CERTIFICATE-ERROR
- This error is returned when a certificate is deemed bad by
- the receiving party. Bad means that either the signature of
- the certificate was bad or that the values in the certificate
- were inappropriate (e.g. a name in the certificate did not
- match the expected name). This error is recoverable (for
- client authentication only).
-
- UNSUPPORTED-CERTIFICATE-TYPE-ERROR
- This error is returned when a client/server receives a
- certificate type that it can't support. This error is
- recoverable (for client authentication only).
-
- 2.4 SSL Handshake Protocol Messages
-
- The SSL Handshake Protocol messages are encapsulated in the SSL
- Record Protocol and are composed of two parts: a single byte
- message type code, and some data. The client and server exchange
- messages until both ends have sent their "finished" message,
- indicating that they are satisfied with the SSL Handshake Protocol
- conversation. While one end may be finished, the other may not,
- therefore the finished end must continue to receive SSL Handshake
- Protocol messages until it too receives a "finished" message.
-
- After the pair of session keys has been determined by each party,
- the message bodies are encrypted using it. For the client, this
- happens after it verifies the session-identifier or creates a new
- session key and has sent it to the server. For the server, this
- happens after the session-identifier is found to be good, or the
- server receives the client's session key message.
-
- The following notation is used for SSLHP messages:
-
- char MSG-EXAMPLE
- char FIELD1
- char FIELD2
- char THING-MSB
- char THING-LSB
- char THING-DATA[(MSB<<8)|LSB];
- ...
-
- This notation defines the data in the protocol message, including
- the message type code. The order is presented top to bottom, with
- the top most element being transmitted first, and the bottom most
- element transferred last.
-
- For the "THING-DATA" entry, the MSB and LSB values are actually
- THING-MSB and THING-LSB (respectively) and define the number of
- bytes of data actually present in the message. For example, if
- THING-MSB were zero and THING-LSB were 8 then the THING-DATA array
- would be exactly 8 bytes long. This shorthand is used below.
-
- Length codes are unsigned values, and when the MSB and LSB are
- combined the result is an unsigned value. Unless otherwise
- specified lengths values are "length in bytes".
-
- 2.5 Client Only Protocol Messages
-
- There are several messages that are only generated by clients.
- These messages are never generated by correctly functioning
- servers. A client receiving such a message closes the connection
- to the server and returns an error status to the application
- through some unspecified mechanism.
-
- CLIENT-HELLO (Phase 1; Sent in the clear)
-
- char MSG-CLIENT-HELLO
- char CLIENT-VERSION-MSB
- char CLIENT-VERSION-LSB
- char CIPHER-SPECS-LENGTH-MSB
- char CIPHER-SPECS-LENGTH-LSB
- char SESSION-ID-LENGTH-MSB
- char SESSION-ID-LENGTH-LSB
- char CHALLENGE-LENGTH-MSB
- char CHALLENGE-LENGTH-LSB
- char CIPHER-SPECS-DATA[(MSB<<8)|LSB]
- char SESSION-ID-DATA[(MSB<<8)|LSB]
- char CHALLENGE-DATA[(MSB<<8)|LSB]
-
- When a client first connects to a server it is required to send
- the CLIENT-HELLO message. The server is expecting this message
- from the client as its first message. It is an error for a client
- to send anything else as its first message.
-
- The client sends to the server its SSL version, its cipher specs
- (see below), some challenge data, and the session-identifier data.
- The session-identifier data is only sent if the client found a
- session-identifier in its cache for the server, and the
- SESSION-ID-LENGTH will be non-zero. When there is no
- session-identifier for the server SESSION-ID-LENGTH must be zero.
- The challenge data is used to authenticate the server. After the
- client and server agree on a pair of session keys, the server
- returns a SERVER-VERIFY message with the encrypted form of the
- CHALLENGE-DATA.
-
- Also note that the server will not send its SERVER-HELLO message
- until it has received the CLIENT-HELLO message. This is done so
- that the server can indicate the status of the client's
- session-identifier back to the client in the server's first
- message (i.e. to increase protocol efficiency and reduce the
- number of round trips required).
-
- The server examines the CLIENT-HELLO message and will verify that
- it can support the client version and one of the client cipher
- specs. The server can optionally edit the cipher specs, removing
- any entries it doesn't choose to support. The edited version will
- be returned in the SERVER-HELLO message if the session-identifier
- is not in the server's cache.
-
- The CIPHER-SPECS-LENGTH must be greater than zero and a multiple
- of 3. The SESSION-ID-LENGTH must either be zero or 16. The
- CHALLENGE-LENGTH must be greater than or equal to 16 and less than
- or equal to 32.
-
- This message must be the first message sent by the client to the
- server. After the message is sent the client waits for a
- SERVER-HELLO message. Any other message returned by the server
- (other than ERROR) is disallowed.
-
- CLIENT-MASTER-KEY (Phase 1; Sent primarily in the clear)
-
- char MSG-CLIENT-MASTER-KEY
- char CIPHER-KIND[3]
- char CLEAR-KEY-LENGTH-MSB
- char CLEAR-KEY-LENGTH-LSB
- char ENCRYPTED-KEY-LENGTH-MSB
- char ENCRYPTED-KEY-LENGTH-LSB
- char KEY-ARG-LENGTH-MSB
- char KEY-ARG-LENGTH-LSB
- char CLEAR-KEY-DATA[MSB<<8|LSB]
- char ENCRYPTED-KEY-DATA[MSB<<8|LSB]
- char KEY-ARG-DATA[MSB<<8|LSB]
-
- The client sends this message when it has determined a master key
- for the server to use. Note that when a session-identifier has
- been agreed upon, this message is not sent.
-
- The CIPHER-KIND field indicates which cipher was chosen from the
- server's CIPHER-SPECS.
-
- The CLEAR-KEY-DATA contains the clear portion of the MASTER-KEY.
- The CLEAR-KEY-DATA is combined with the SECRET-KEY-DATA (described
- shortly) to form the MASTER-KEY, with the SECRET-KEY-DATA being
- the least significant bytes of the final MASTER-KEY. The
- ENCRYPTED-KEY-DATA contains the secret portions of the MASTER-KEY,
- encrypted using the server's public key. The encryption block is
- formatted using block type 2 from PKCS#1 [5]. The data portion of
- the block is formatted as follows:
-
- char SECRET-KEY-DATA[SECRET-LENGTH]
-
- SECRET-LENGTH is the number of bytes of each session key that is
- being transmitted encrypted. The SECRET-LENGTH plus the
- CLEAR-KEY-LENGTH equals the number of bytes present in the cipher
- key (as defined by the CIPHER-KIND). It is an error if the
- SECRET-LENGTH found after decrypting the PKCS#1 formatted
- encryption block doesn't match the expected value. It is also an
- error if CLEAR-KEY-LENGTH is non-zero and the CIPHER-KIND is not
- an export cipher.
-
- If the key algorithm needs an argument (for example, DES-CBC's
- initialization vector) then the KEY-ARG-LENGTH fields will be
- non-zero and the KEY-ARG-DATA will contain the relevant data. For
- the SSL_CK_RC2_128_CBC_WITH_MD5,
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL_CK_IDEA_128_CBC_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5 and
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 algorithms the KEY-ARG data must
- be present and be exactly 8 bytes long.
-
- Client and server session key production is a function of the
- CIPHER-CHOICE:
-
- SSL_CK_RC4_128_WITH_MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5
- SSL_CK_RC2_128_CBC_WITH_MD5
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- SSL_CK_IDEA_128_CBC_WITH_MD5
-
- KEY-MATERIAL-0 = MD5[ MASTER-KEY, "0", CHALLENGE, CONNECTION-ID ]
- KEY-MATERIAL-1 = MD5[ MASTER-KEY, "1", CHALLENGE, CONNECTION-ID ]
-
- CLIENT-READ-KEY = KEY-MATERIAL-0[0-15]
- CLIENT-WRITE-KEY = KEY-MATERIAL-1[0-15]
-
- Where KEY-MATERIAL-0[0-15] means the first 16 bytes of the
- KEY-MATERIAL-0 data, with KEY-MATERIAL-0[0] becoming the most
- significant byte of the CLIENT-READ-KEY.
-
- Data is fed to the MD5 hash function in the order shown, from
- left to right: first the MASTER-KEY, then the "0" or "1",
- then the CHALLENGE and then finally the CONNECTION-ID.
-
- Note that the "0" means the ascii zero character (0x30), not
- a zero value. "1" means the ascii 1 character (0x31). MD5
- produces 128 bits of output data which are used directly as
- the key to the cipher algorithm (The most significant byte of
- the MD5 output becomes the most significant byte of the key
- material).
-
- SSL_CK_DES_64_CBC_WITH_MD5
-
- KEY-MATERIAL-0 = MD5[ MASTER-KEY, CHALLENGE, CONNECTION-ID ]
-
- CLIENT-READ-KEY = KEY-MATERIAL-0[0-7]
- CLIENT-WRITE-KEY = KEY-MATERIAL-0[8-15]
-
- For DES-CBC, a single 16 bytes of key material are produced
- using MD5. The first 8 bytes of the MD5 digest are used as
- the CLIENT-READ-KEY while the remaining 8 bytes are used as
- the CLIENT-WRITE-KEY. The initialization vector is provided
- in the KEY-ARG-DATA. Note that the raw key data is not parity
- adjusted and that this step must be performed before the keys
- are legitimate DES keys.
-
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5
-
- KEY-MATERIAL-0 = MD5[ MASTER-KEY, "0", CHALLENGE, CONNECTION-ID ]
- KEY-MATERIAL-1 = MD5[ MASTER-KEY, "1", CHALLENGE, CONNECTION-ID ]
- KEY-MATERIAL-2 = MD5[ MASTER-KEY, "2", CHALLENGE, CONNECTION-ID ]
-
- CLIENT-READ-KEY-0 = KEY-MATERIAL-0[0-7]
- CLIENT-READ-KEY-1 = KEY-MATERIAL-0[8-15]
- CLIENT-READ-KEY-2 = KEY-MATERIAL-1[0-7]
- CLIENT-WRITE-KEY-0 = KEY-MATERIAL-1[8-15]
- CLIENT-WRITE-KEY-1 = KEY-MATERIAL-2[0-7]
- CLIENT-WRITE-KEY-2 = KEY-MATERIAL-2[8-15]
-
- Data is fed to the MD5 hash function in the order shown, from
- left to right: first the MASTER-KEY, then the "0", "1" or
- "2", then the CHALLENGE and then finally the CONNECTION-ID.
-
- Note that the "0" means the ascii zero character (0x30), not
- a zero value. "1" means the ascii 1 character (0x31). "2"
- means the ascii 2 character (0x32).
-
- A total of 6 keys are produced, 3 for the read side DES-EDE3
- cipher and 3 for the write side DES-EDE3 function. The
- initialization vector is provided in the KEY-ARG-DATA. The
- keys that are produced are not parity adjusted. This step
- must be performed before proper DES keys are usable.
-
- Recall that the MASTER-KEY is given to the server in the
- CLIENT-MASTER-KEY message. The CHALLENGE is given to the server by
- the client in the CLIENT-HELLO message. The CONNECTION-ID is given
- to the client by the server in the SERVER-HELLO message. This
- makes the resulting cipher keys a function of the original session
- and the current session. Note that the master key is never
- directly used to encrypt data, and therefore cannot be easily
- discovered.
-
- The CLIENT-MASTER-KEY message must be sent after the CLIENT-HELLO
- message and before the CLIENT-FINISHED message. The
- CLIENT-MASTER-KEY message must be sent if the SERVER-HELLO message
- contains a SESSION-ID-HIT value of 0.
-
- CLIENT-CERTIFICATE (Phase 2; Sent encrypted)
-
- char MSG-CLIENT-CERTIFICATE
- char CERTIFICATE-TYPE
- char CERTIFICATE-LENGTH-MSB
- char CERTIFICATE-LENGTH-LSB
- char RESPONSE-LENGTH-MSB
- char RESPONSE-LENGTH-LSB
- char CERTIFICATE-DATA[MSB<<8|LSB]
- char RESPONSE-DATA[MSB<<8|LSB]
-
- This message is sent by one an SSL client in response to a server
- REQUEST-CERTIFICATE message. The CERTIFICATE-DATA contains data
- defined by the CERTIFICATE-TYPE value. An ERROR message is sent
- with error code NO-CERTIFICATE-ERROR when this request cannot be
- answered properly (e.g. the receiver of the message has no
- registered certificate).
-
- CERTIFICATE-TYPE is one of:
-
- SSL_X509_CERTIFICATE
- The CERTIFICATE-DATA contains an X.509 (1988) [3] signed
- certificate.
-
- The RESPONSE-DATA contains the authentication response data. This
- data is a function of the AUTHENTICATION-TYPE value sent by the
- server.
-
- When AUTHENTICATION-TYPE is SSL_AT_MD5_WITH_RSA_ENCRYPTION then
- the RESPONSE-DATA contains a digital signature of the following
- components (in the order shown):
-
- * the KEY-MATERIAL-0
- * the KEY-MATERIAL-1 (only if defined by the cipher kind)
- * the KEY-MATERIAL-2 (only if defined by the cipher kind)
- * the CERTIFICATE-CHALLENGE-DATA (from the REQUEST-CERTIFICATE
- message)
- * the server's signed certificate (from the SERVER-HELLO
- message)
-
- The digital signature is constructed using MD5 and then encrypted
- using the clients private key, formatted according to PKCS#1's
- digital signature standard [5]. The server authenticates the
- client by verifying the digital signature using standard
- techniques. Note that other digest functions are supported. Either
- a new AUTHENTICATION-TYPE can be added, or the algorithm-id in the
- digital signature can be changed.
-
- This message must be sent by the client only in response to a
- REQUEST-CERTIFICATE message.
-
- CLIENT-FINISHED (Phase 2; Sent encrypted)
-
- char MSG-CLIENT-FINISHED
- char CONNECTION-ID[N-1]
-
- The client sends this message when it is satisfied with the
- server. Note that the client must continue to listen for server
- messages until it receives a SERVER-FINISHED message. The
- CONNECTION-ID data is the original connection-identifier the
- server sent with its SERVER-HELLO message, encrypted using the
- agreed upon session key.
-
- "N" is the number of bytes in the message that was sent, so "N-1"
- is the number of bytes in the message without the message header
- byte.
-
- For version 2 of the protocol, the client must send this message
- after it has received the SERVER-HELLO message. If the
- SERVER-HELLO message SESSION-ID-HIT flag is non-zero then the
- CLIENT-FINISHED message is sent immediately, otherwise the
- CLIENT-FINISHED message is sent after the CLIENT-MASTER-KEY
- message.
-
- 2.6 Server Only Protocol Messages
-
- There are several messages that are only generated by servers. The
- messages are never generated by correctly functioning clients.
-
- SERVER-HELLO (Phase 1; Sent in the clear)
-
- char MSG-SERVER-HELLO
- char SESSION-ID-HIT
- char CERTIFICATE-TYPE
- char SERVER-VERSION-MSB
- char SERVER-VERSION-LSB
- char CERTIFICATE-LENGTH-MSB
- char CERTIFICATE-LENGTH-LSB
- char CIPHER-SPECS-LENGTH-MSB
- char CIPHER-SPECS-LENGTH-LSB
- char CONNECTION-ID-LENGTH-MSB
- char CONNECTION-ID-LENGTH-LSB
- char CERTIFICATE-DATA[MSB<<8|LSB]
- char CIPHER-SPECS-DATA[MSB<<8|LSB]
- char CONNECTION-ID-DATA[MSB<<8|LSB]
-
- The server sends this message after receiving the clients
- CLIENT-HELLO message. The server returns the SESSION-ID-HIT flag
- indicating whether or not the received session-identifier is known
- by the server (i.e. in the server's session-identifier cache). The
- SESSION-ID-HIT flag will be non-zero if the client sent the server
- a session-identifier (in the CLIENT-HELLO message with
- SESSION-ID-LENGTH != 0) and the server found the client's
- session-identifier in its cache. If the SESSION-ID-HIT flag is
- non-zero then the CERTIFICATE-TYPE, CERTIFICATE-LENGTH and
- CIPHER-SPECS-LENGTH fields will be zero.
-
- The CERTIFICATE-TYPE value, when non-zero, has one of the values
- described above (see the information on the CLIENT-CERTIFICATE
- message).
-
- When the SESSION-ID-HIT flag is zero, the server packages up its
- certificate, its cipher specs and a connection-id to send to the
- client. Using this information the client can generate a session
- key and return it to the server with the CLIENT-MASTER-KEY
- message.
-
- When the SESSION-ID-HIT flag is non-zero, both the server and the
- client compute a new pair of session keys for the current session
- derived from the MASTER-KEY that was exchanged when the SESSION-ID
- was created. The SERVER-READ-KEY and SERVER-WRITE-KEY are derived
- from the original MASTER-KEY keys in the same manner as the
- CLIENT-READ-KEY and CLIENT-WRITE-KEY:
-
- SERVER-READ-KEY = CLIENT-WRITE-KEY
- SERVER-WRITE-KEY = CLIENT-READ-KEY
-
- Note that when keys are being derived and the SESSION-ID-HIT flag
- is set and the server discovers the client's session-identifier in
- the servers cache, then the KEY-ARG-DATA is used from the time
- when the SESSION-ID was established. This is because the client
- does not send new KEY-ARG-DATA (recall that the KEY-ARG-DATA is
- sent only in the CLIENT-MASTER-KEY message).
-
- The CONNECTION-ID-DATA is a string of randomly generated bytes
- used by the server and client at various points in the protocol.
- The CLIENT-FINISHED message contains an encrypted version of the
- CONNECTION-ID-DATA. The length of the CONNECTION-ID must be
- between 16 and than 32 bytes, inclusive.
-
- The CIPHER-SPECS-DATA define a cipher type and key length (in
- bits) that the receiving end supports. Each SESSION-CIPHER-SPEC is
- 3 bytes long and looks like this:
-
- char CIPHER-KIND-0
- char CIPHER-KIND-1
- char CIPHER-KIND-2
-
- Where CIPHER-KIND is one of:
-
- * SSL_CK_RC4_128_WITH_MD5
- * SSL_CK_RC4_128_EXPORT40_WITH_MD5
- * SSL_CK_RC2_128_CBC_WITH_MD5
- * SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
- * SSL_CK_IDEA_128_CBC_WITH_MD5
- * SSL_CK_DES_64_CBC_WITH_MD5
- * SSL_CK_DES_192_EDE3_CBC_WITH_MD5
-
- This list is not exhaustive and may be changed in the future.
-
- The SSL_CK_RC4_128_EXPORT40_WITH_MD5 cipher is an RC4 cipher where
- some of the session key is sent in the clear and the rest is sent
- encrypted (exactly 40 bits of it). MD5 is used as the hash
- function for production of MAC's and session key's. This cipher
- type is provided to support "export" versions (i.e. versions of
- the protocol that can be distributed outside of the United States)
- of the client or server.
-
- An exportable implementation of the SSL Handshake Protocol will
- have secret key lengths restricted to 40 bits. For non-export
- implementations key lengths can be more generous (we recommend at
- least 128 bits). It is permissible for the client and server to
- have a non-intersecting set of stream ciphers. This, simply put,
- means they cannot communicate.
-
- Version 2 of the SSL Handshake Protocol defines the
- SSL_CK_RC4_128_WITH_MD5 to have a key length of 128 bits. The
- SSL_CK_RC4_128_EXPORT40_WITH_MD5 also has a key length of 128
- bits. However, only 40 of the bits are secret (the other 88 bits
- are sent in the clear by the client to the server).
-
- The SERVER-HELLO message is sent after the server receives the
- CLIENT-HELLO message, and before the server sends the
- SERVER-VERIFY message.
-
- SERVER-VERIFY (Phase 1; Sent encrypted)
-
- char MSG-SERVER-VERIFY
- char CHALLENGE-DATA[N-1]
-
- The server sends this message after a pair of session keys
- (SERVER-READ-KEY and SERVER-WRITE-KEY) have been agreed upon
- either by a session-identifier or by explicit specification with
- the CLIENT-MASTER-KEY message. The message contains an encrypted
- copy of the CHALLENGE-DATA sent by the client in the CLIENT-HELLO
- message.
-
- "N" is the number of bytes in the message that was sent, so "N-1"
- is the number of bytes in the CHALLENGE-DATA without the message
- header byte.
-
- This message is used to verify the server as follows. A legitimate
- server will have the private key that corresponds to the public
- key contained in the server certificate that was transmitted in
- the SERVER-HELLO message. Accordingly, the legitimate server will
- be able to extract and reconstruct the pair of session keys
- (SERVER-READ-KEY and SERVER-WRITE-KEY). Finally, only a server
- that has done the extraction and decryption properly can correctly
- encrypt the CHALLENGE-DATA. This, in essence, "proves" that the
- server has the private key that goes with the public key in the
- server's certificate.
-
- The CHALLENGE-DATA must be the exact same length as originally
- sent by the client in the CLIENT-HELLO message. Its value must
- match exactly the value sent in the clear by the client in the
- CLIENT-HELLO message. The client must decrypt this message and
- compare the value received with the value sent, and only if the
- values are identical is the server to be "trusted". If the lengths
- do not match or the value doesn't match then the connection is to
- be closed by the client.
-
- This message must be sent by the server to the client after either
- detecting a session-identifier hit (and replying with a
- SERVER-HELLO message with SESSION-ID-HIT not equal to zero) or
- when the server receives the CLIENT-MASTER-KEY message. This
- message must be sent before any Phase 2 messages or a
- SEVER-FINISHED message.
-
- SERVER-FINISHED (Phase 2; Sent encrypted)
-
- char MSG-SERVER-FINISHED
- char SESSION-ID-DATA[N-1]
-
- The server sends this message when it is satisfied with the
- clients security handshake and is ready to proceed with
- transmission/reception of the higher level protocols data. The
- SESSION-ID-DATA is used by the client and the server at this time
- to add entries to their respective session-identifier caches. The
- session-identifier caches must contain a copy of the MASTER-KEY
- sent in the CLIENT-MASTER-KEY message as the master key is used
- for all subsequent session key generation.
-
- "N" is the number of bytes in the message that was sent, so "N-1"
- is the number of bytes in the SESSION-ID-DATA without the message
- header byte.
-
- This message must be sent after the SERVER-VERIFY message.
-
- REQUEST-CERTIFICATE (Phase 2; Sent encrypted)
-
- char MSG-REQUEST-CERTIFICATE
- char AUTHENTICATION-TYPE
- char CERTIFICATE-CHALLENGE-DATA[N-2]
-
- A server may issue this request at any time during the second
- phase of the connection handshake, asking for the client's
- certificate. The client responds with a CLIENT-CERTIFICATE message
- immediately if it has one, or an ERROR message (with error code
- NO-CERTIFICATE-ERROR) if it doesn't. The
- CERTIFICATE-CHALLENGE-DATA is a short byte string (whose length is
- greater than or equal to 16 bytes and less than or equal to 32
- bytes) that the client will use to respond to this message.
-
- The AUTHENTICATION-TYPE value is used to choose a particular means
- of authenticating the client. The following types are defined:
-
- * SSL_AT_MD5_WITH_RSA_ENCRYPTION
-
- The SSL_AT_MD5_WITH_RSA_ENCRYPTION type requires that the client
- construct an MD5 message digest using information as described
- above in the section on the CLIENT-CERTIFICATE message. Once the
- digest is created, the client encrypts it using its private key
- (formatted according to the digital signature standard defined in
- PKCS#1). The server authenticates the client when it receives the
- CLIENT-CERTIFICATE message.
-
- This message may be sent after a SERVER-VERIFY message and before
- a SERVER-FINISHED message.
-
- 2.7 Client/Server Protocol Messages
-
- These messages are generated by both the client and the server.
-
- ERROR (Sent clear or encrypted)
-
- char MSG-ERROR
- char ERROR-CODE-MSB
- char ERROR-CODE-LSB
-
- This message is sent when an error is detected. After the message
- is sent, the sending party shuts the connection down. The
- receiving party records the error and then shuts its connection
- down.
-
- This message is sent in the clear if an error occurs during
- session key negotiation. After a session key has been agreed upon,
- errors are sent encrypted like all other messages.
-
- ------------------------------------------------------------------------
-
-Appendix A: ASN.1 Syntax For Certificates
-
- Certificates are used by SSL to authenticate servers and clients. SSL
- Certificates are based largely on the X.509 [3] certificates. An X.509
- certificate contains the following information (in ASN.1 [1] notation):
-
- X.509-Certificate ::= SEQUENCE {
- certificateInfo CertificateInfo,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING
- }
-
- CertificateInfo ::= SEQUENCE {
- version [0] Version DEFAULT v1988,
- serialNumber CertificateSerialNumber,
- signature AlgorithmIdentifier,
- issuer Name,
- validity Validity,
- subject Name,
- subjectPublicKeyInfo SubjectPublicKeyInfo
- }
-
- Version ::= INTEGER { v1988(0) }
-
- CertificateSerialNumber ::= INTEGER
-
- Validity ::= SEQUENCE {
- notBefore UTCTime,
- notAfter UTCTime
- }
-
- SubjectPublicKeyInfo ::= SEQUENCE {
- algorithm AlgorithmIdentifier,
- subjectPublicKey BIT STRING
- }
-
- AlgorithmIdentifier ::= SEQUENCE {
- algorithm OBJECT IDENTIFIER,
- parameters ANY DEFINED BY ALGORITHM OPTIONAL
- }
-
- For SSL's purposes we restrict the values of some of the X.509 fields:
-
- * The X.509-Certificate::signatureAlgorithm and
- CertificateInfo::signature fields must be identical in value.
-
- * The issuer name must resolve to a name that is deemed acceptable
- by the application using SSL. How the application using SSL does
- this is outside the scope of this memo.
-
- Certificates are validated using a few straightforward steps. First,
- the signature on the certificate is checked and if invalid, the
- certificate is invalid (either a transmission error or an attempted
- forgery occurred). Next, the CertificateInfo::issuer field is verified
- to be an issuer that the application trusts (using an unspecified
- mechanism). The CertificateInfo::validity field is checked against the
- current date and verified.
-
- Finally, the CertificateInfo::subject field is checked. This check is
- optional and depends on the level of trust required by the application
- using SSL.
-
-Appendix B: Attribute Types and Object Identifiers
-
- SSL uses a subset of the X.520 selected attribute types as well as a
- few specific object identifiers. Future revisions of the SSL protocol
- may include support for more attribute types and more object
- identifiers.
-
- B.1 Selected attribute types
-
- commonName { attributeType 3 }
- The common name contained in the distinguished name contained
- within a certificate issuer or certificate subject.
-
- countryName { attributeType 6 }
- The country name contained in the distinguished name contained
- within a certificate issuer or certificate subject.
-
- localityName { attributeType 7 }
- The locality name contained in the distinguished name contained
- within a certificate issuer or certificate subject.
-
- stateOrProvinceName { attributeType 8 }
- The state or province name contained in the distinguished name
- contained within a certificate issuer or certificate subject.
-
- organizationName { attributeType 10 }
- The organization name contained in the distinguished name
- contained within a certificate issuer or certificate subject.
-
- organizationalUnitName { attributeType 11 }
- The organizational unit name contained in the distinguished name
- contained within a certificate issuer or certificate subject.
-
- B.2 Object identifiers
-
- md2withRSAEncryption { ... pkcs(1) 1 2 }
- The object identifier for digital signatures that use both MD2 and
- RSA encryption. Used by SSL for certificate signature
- verification.
-
- md5withRSAEncryption { ... pkcs(1) 1 4 }
- The object identifier for digital signatures that use both MD5 and
- RSA encryption. Used by SSL for certificate signature
- verification.
-
- rc4 { ... rsadsi(113549) 3 4 }
- The RC4 symmetric stream cipher algorithm used by SSL for bulk
- encryption.
-
-Appendix C: Protocol Constant Values
-
- This section describes various protocol constants. A special value
- needs mentioning - the IANA reserved port number for "https" (HTTP
- using SSL). IANA has reserved port number 443 (decimal) for "https".
-
- C.1 Protocol Version Codes
-
- #define SSL_CLIENT_VERSION 0x0002
- #define SSL_SERVER_VERSION 0x0002
-
- C.2 Protocol Message Codes
-
- The following values define the message codes that are used by version
- 2 of the SSL Handshake Protocol.
-
- #define SSL_MT_ERROR 0
- #define SSL_MT_CLIENT_HELLO 1
- #define SSL_MT_CLIENT_MASTER_KEY 2
- #define SSL_MT_CLIENT_FINISHED 3
- #define SSL_MT_SERVER_HELLO 4
- #define SSL_MT_SERVER_VERIFY 5
- #define SSL_MT_SERVER_FINISHED 6
- #define SSL_MT_REQUEST_CERTIFICATE 7
- #define SSL_MT_CLIENT_CERTIFICATE 8
-
- C.3 Error Message Codes
-
- The following values define the error codes used by the ERROR message.
-
- #define SSL_PE_NO_CIPHER 0x0001
- #define SSL_PE_NO_CERTIFICATE 0x0002
- #define SSL_PE_BAD_CERTIFICATE 0x0004
- #define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
-
- C.4 Cipher Kind Values
-
- The following values define the CIPHER-KIND codes used in the
- CLIENT-HELLO and SERVER-HELLO messages.
-
- #define SSL_CK_RC4_128_WITH_MD5 0x01,0x00,0x80
- #define SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x02,0x00,0x80
- #define SSL_CK_RC2_128_CBC_WITH_MD5 0x03,0x00,0x80
- #define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x04,0x00,0x80
- #define SSL_CK_IDEA_128_CBC_WITH_MD5 0x05,0x00,0x80
- #define SSL_CK_DES_64_CBC_WITH_MD5 0x06,0x00,0x40
- #define SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x07,0x00,0xC0
-
- C.5 Certificate Type Codes
-
- The following values define the certificate type codes used in the
- SERVER-HELLO and CLIENT-CERTIFICATE messages.
-
- #define SSL_CT_X509_CERTIFICATE 0x01
-
- C.6 Authentication Type Codes
-
- The following values define the authentication type codes used in the
- REQUEST-CERTIFICATE message.
-
- #define SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01
-
- C.7 Upper/Lower Bounds
-
- The following values define upper/lower bounds for various protocol
- parameters.
-
- #define SSL_MAX_MASTER_KEY_LENGTH_IN_BITS 256
- #define SSL_MAX_SESSION_ID_LENGTH_IN_BYTES 16
- #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES 64
- #define SSL_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767
- #define SSL_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383
-
- C.8 Recommendations
-
- Because protocols have to be implemented to be of value, we recommend
- the following values for various operational parameters. This is only a
- recommendation, and not a strict requirement for conformance to the
- protocol.
-
- Session-identifier Cache Timeout
-
- Session-identifiers are kept in SSL clients and SSL servers.
- Session-identifiers should have a lifetime that serves their
- purpose (namely, reducing the number of expensive public key
- operations for a single client/server pairing). Consequently, we
- recommend a maximum session-identifier cache timeout value of 100
- seconds. Given a server that can perform N private key operations
- per second, this reduces the server load for a particular client
- by a factor of 100.
-
-Appendix D: Attacks
-
- In this section we attempt to describe various attacks that might be
- used against the SSL protocol. This list is not guaranteed to be
- exhaustive. SSL was defined to thwart these attacks.
-
- D.1 Cracking Ciphers
-
- SSL depends on several cryptographic technologies. RSA Public Key
- encryption [5] is used for the exchange of the session key and
- client/server authentication. Various cryptographic algorithms are used
- for the session cipher. If successful cryptographic attacks are made
- against these technologies then SSL is no longer secure.
-
- Attacks against a specific communications session can be made by
- recording the session, and then spending some large number of compute
- cycles to crack either the session key or the RSA public key until the
- communication can be seen in the clear. This approach is easier than
- cracking the cryptographic technologies for all possible messages. Note
- that SSL tries to make the cost of such of an attack greater than the
- benefits gained from a successful attack, thus making it a waste of
- money/time to perform such an attack.
-
- There have been many books [9] and papers [10] written on cryptography.
- This document does not attempt to reference them all.
-
- D.2 Clear Text Attack
-
- A clear text attack is done when the attacker has an idea of what kind
- of message is being sent using encryption. The attacker can generate a
- data base whose keys are the encrypted value of the known text (or
- clear text), and whose values are the session cipher key (we call this
- a "dictionary"). Once this data base is constructed, a simple lookup
- function identifies the session key that goes with a particular
- encrypted value. Once the session key is known, the entire message
- stream can be decrypted. Custom hardware can be used to make this cost
- effective and very fast.
-
- Because of the very nature of SSL clear text attacks are possible. For
- example, the most common byte string sent by an HTTP client application
- to an HTTP server is "GET". SSL attempts to address this attack by
- using large session cipher keys. First, the client generates a key
- which is larger than allowed by export, and sends some of it in the
- clear to the server (this is allowed by United States government export
- rules). The clear portion of the key concatenated with the secret
- portion make a key which is very large (for RC4, exactly 128 bits).
-
- The way that this "defeats" a clear text attack is by making the amount
- of custom hardware needed prohibitively large. Every bit added to the
- length of the session cipher key increases the dictionary size by a
- factor of 2. By using a 128 bit session cipher key length the size of
- the dictionary required is beyond the ability of anyone to fabricate
- (it would require more atoms to construct than exist in the entire
- universe). Even if a smaller dictionary is to be used, it must first be
- generated using the clear key bits. This is a time consumptive process
- and also eliminates many possible custom hardware architectures (e.g.
- static prom arrays).
-
- The second way that SSL attacks this problem is by using large key
- lengths when permissible (e.g. in the non-export version). Large key
- sizes require larger dictionaries (just one more bit of key size
- doubles the size of the dictionary). SSL attempts to use keys that are
- 128 bits in length.
-
- Note that the consequence of the SSL defense is that a brute force
- attack becomes the cheapest way to attack the key. Brute force attacks
- have well known space/time tradeoffs and so it becomes possible to
- define a cost of the attack. For the 128 bit secret key, the known cost
- is essentially infinite. For the 40 bit secret key, the cost is much
- smaller, but still outside the range of the "random hacker".
-
- D.3 Replay
-
- The replay attack is simple. A bad-guy records a communication session
- between a client and server. Later, it reconnects to the server, and
- plays back the previously recorded client messages.
-
- SSL defeats this attack using a "nonce" (the connection-id) which is
- "unique" to the connection. In theory the bad-guy cannot predict the
- nonce in advance as it is based on a set of random events outside the
- bad-guys control, and therefore the bad-guy cannot respond properly to
- server requests.
-
- A bad-guy with large resources can record many sessions between a
- client and a server, and attempt to choose the right session based on
- the nonce the server sends initially in its SERVER-HELLO message.
- However, SSL nonces are at least 128 bits long, so a bad-guy would need
- to record approximately 2^64 nonces to even have a 50% chance of
- choosing the right session. This number is sufficiently large that one
- cannot economically construct a device to record 2^64 messages, and
- therefore the odds are overwhelmingly against the replay attack ever
- being successful.
-
- D.4 The Man In The Middle
-
- The man in the middle attack works by having three people in a
- communications session: the client, the server, and the bad guy. The
- bad guy sits between the client and the server on the network and
- intercepts traffic that the client sends to the server, and traffic
- that the server sends to the client.
-
- The man in the middle operates by pretending to be the real server to
- the client. With SSL this attack is impossible because of the usage of
- server certificates. During the security connection handshake the
- server is required to provide a certificate that is signed by a
- certificate authority. Contained in the certificate is the server's
- public key as well as its name and the name of the certificate issuer.
- The client verifies the certificate by first checking the signature and
- then verifying that the name of the issuer is somebody that the client
- trusts.
-
- In addition, the server must encrypt something with the private key
- that goes with the public key mentioned in the certificate. This in
- essence is a single pass "challenge response" mechanism. Only a server
- that has both the certificate and the private key can respond properly
- to the challenge.
-
- If the man in the middle provides a phony certificate, then the
- signature check will fail. If the certificate provided by the bad guy
- is legitimate, but for the bad guy instead of for the real server, then
- the signature will pass but the name check will fail (note that the man
- in the middle cannot forge certificates without discovering a
- certificate authority's private key).
-
- Finally, if the bad guy provides the real server's certificate then the
- signature check will pass and the name check will pass. However,
- because the bad guy does not have the real server's private key, the
- bad guy cannot properly encode the response to the challenge code, and
- this check will fail.
-
- In the unlikely case that a bad guy happens to guess the response code
- to the challenge, the bad guy still cannot decrypt the session key and
- therefore cannot examine the encrypted data.
-
-Appendix E: Terms
-
- Application Protocol
- An application protocol is a protocol that normally layers
- directly on top of TCP/IP. For example: HTTP, TELNET, FTP, and
- SMTP.
-
- Authentication
- Authentication is the ability of one entity to determine the
- identity of another entity. Identity is defined by this document
- to mean the binding between a public key and a name and the
- implicit ownership of the corresponding private key.
-
- Bulk Cipher
- This term is used to describe a cryptographic technique with
- certain performance properties. Bulk ciphers are used when large
- quantities of data are to be encrypted/decrypted in a timely
- manner. Examples include RC2, RC4, and IDEA.
-
- Client
- In this document client refers to the application entity that is
- initiates a connection to a server.
-
- CLIENT-READ-KEY
- The session key that the client uses to initialize the client read
- cipher. This key has the same value as the SERVER-WRITE-KEY.
-
- CLIENT-WRITE-KEY
- The session key that the client uses to initialize the client
- write cipher. This key has the same value as the SERVER-READ-KEY.
-
- MASTER-KEY
- The master key that the client and server use for all session key
- generation. The CLIENT-READ-KEY, CLIENT-WRITE-KEY, SERVER-READ-KEY
- and SERVER-WRITE-KEY are generated from the MASTER-KEY.
-
- MD2
- MD2 [8] is a hashing function that converts an arbitrarily long
- data stream into a digest of fixed size. This function predates
- MD5 [7] which is viewed as a more robust hash function [9].
-
- MD5
- MD5 [7] is a hashing function that converts an arbitrarily long
- data stream into a digest of fixed size. The function has certain
- properties that make it useful for security, the most important of
- which is it's inability to be reversed.
-
- Nonce
- A randomly generated value used to defeat "playback" attacks. One
- party randomly generates a nonce and sends it to the other party.
- The receiver encrypts it using the agreed upon secret key and
- returns it to the sender. Because the nonce was randomly generated
- by the sender this defeats playback attacks because the replayer
- can't know in advance the nonce the sender will generate. The
- receiver denies connections that do not have the correctly
- encrypted nonce.
-
- Non-repudiable Information Exchange
- When two entities exchange information it is sometimes valuable to
- have a record of the communication that is non-repudiable. Neither
- party can then deny that the information exchange occurred.
- Version 2 of the SSL protocol does not support Non-repudiable
- information exchange.
-
- Public Key Encryption
- Public key encryption is a technique that leverages asymmetric
- ciphers. A public key system consists of two keys: a public key
- and a private key. Messages encrypted with the public key can only
- be decrypted with the associated private key. Conversely, messages
- encrypted with the private key can only be decrypted with the
- public key. Public key encryption tends to be extremely compute
- intensive and so is not suitable as a bulk cipher.
-
- Privacy
- Privacy is the ability of two entities to communicate without fear
- of eavesdropping. Privacy is often implemented by encrypting the
- communications stream between the two entities.
-
- RC2, RC4
- Proprietary bulk ciphers invented by RSA (There is no good
- reference to these as they are unpublished works; however, see
- [9]). RC2 is block cipher and RC4 is a stream cipher.
-
- Server
- The server is the application entity that responds to requests for
- connections from clients. The server is passive, waiting for
- requests from clients.
-
- Session cipher
- A session cipher is a "bulk" cipher that is capable of encrypting
- or decrypting arbitrarily large amounts of data. Session ciphers
- are used primarily for performance reasons. The session ciphers
- used by this protocol are symmetric. Symmetric ciphers have the
- property of using a single key for encryption and decryption.
-
- Session identifier
- A session identifier is a random value generated by a client that
- identifies itself to a particular server. The session identifier
- can be thought of as a handle that both parties use to access a
- recorded secret key (in our case a session key). If both parties
- remember the session identifier then the implication is that the
- secret key is already known and need not be negotiated.
-
- Session key
- The key to the session cipher. In SSL there are four keys that are
- called session keys: CLIENT-READ-KEY, CLIENT-WRITE-KEY,
- SERVER-READ-KEY, and SERVER-WRITE-KEY.
-
- SERVER-READ-KEY
- The session key that the server uses to initialize the server read
- cipher. This key has the same value as the CLIENT-WRITE-KEY.
-
- SERVER-WRITE-KEY
- The session key that the server uses to initialize the server
- write cipher. This key has the same value as the CLIENT-READ-KEY.
-
- Symmetric Cipher
- A symmetric cipher has the property that the same key can be used
- for decryption and encryption. An asymmetric cipher does not have
- this behavior. Some examples of symmetric ciphers: IDEA, RC2, RC4.
-
-References
-
- [1] CCITT. Recommendation X.208: "Specification of Abstract Syntax
- Notation One (ASN.1). 1988.
-
- [2] CCITT. Recommendation X.209: "Specification of Basic Encoding Rules
- for Abstract Syntax Notation One (ASN.1). 1988.
-
- [3] CCITT. Recommendation X.509: "The Directory - Authentication
- Framework". 1988.
-
- [4] CCITT. Recommendation X.520: "The Directory - Selected Attribute
- Types". 1988.
-
- [5] RSA Laboratories. PKCS #1: RSA Encryption Standard, Version 1.5,
- November 1993.
-
- [6] RSA Laboratories. PKCS #6: Extended-Certificate Syntax Standard,
- Version 1.5, November 1993.
-
- [7] R. Rivest. RFC 1321: The MD5 Message Digest Algorithm. April 1992.
-
- [8] R. Rivest. RFC 1319: The MD2 Message Digest Algorithm. April 1992.
-
- [9] B. Schneier. Applied Cryptography: Protocols, Algorithms, and
- Source Code in C, Published by John Wiley & Sons, Inc. 1994.
-
- [10] M. Abadi and R. Needham. Prudent engineering practice for
- cryptographic protocols. 1994.
-
-Patent Statement
-
- This version of the SSL protocol relies on the use of patented public
- key encryption technology for authentication and encryption. The
- Internet Standards Process as defined in RFC 1310 requires a written
- statement from the Patent holder that a license will be made available
- to applicants under reasonable terms and conditions prior to approving
- a specification as a Proposed, Draft or Internet Standard.
-
- The Massachusetts Institute of Technology and the Board of Trustees of
- the Leland Stanford Junior University have granted Public Key Partners
- (PKP) exclusive sub-licensing rights to the following patents issued in
- the United States, and all of their corresponding foreign patents:
-
- Cryptographic Apparatus and Method
- ("Diffie-Hellman")............................... No. 4,200,770
-
- Public Key Cryptographic Apparatus
- and Method ("Hellman-Merkle").................... No. 4,218,582
-
- Cryptographic Communications System and
- Method ("RSA")................................... No. 4,405,829
-
- Exponential Cryptographic Apparatus
- and Method ("Hellman-Pohlig").................... No. 4,424,414
-
- These patents are stated by PKP to cover all known methods of
- practicing the art of Public Key encryption, including the variations
- collectively known as El Gamal.
-
- Public Key Partners has provided written assurance to the Internet
- Society that parties will be able to obtain, under reasonable,
- nondiscriminatory terms, the right to use the technology covered by
- these patents. This assurance is documented in RFC 1170 titled "Public
- Key Standards and Licenses". A copy of the written assurance dated
- April 20, 1990, may be obtained from the Internet Assigned Number
- Authority (IANA).
-
- The Internet Society, Internet Architecture Board, Internet Engineering
- Steering Group and the Corporation for National Research Initiatives
- take no position on the validity or scope of the patents and patent
- applications, nor on the appropriateness of the terms of the assurance.
- The Internet Society and other groups mentioned above have not made any
- determination as to any other intellectual property rights which may
- apply to the practice of this standard. Any further consideration of
- these matters is the user's own responsibility.
-
-Security Considerations
-
- This entire document is about security.
-
-Author's Address
-
- Kipp E.B. Hickman
- AOL/Netscape Communications Corp.
- 466 Ellis Street
- Mountain View, CA 94043-4042
- kipp@netscape.com
View Lorry Controller Status