draft-ietf-tls-tls13-00.txt   draft-ietf-tls-tls13-01.txt 
Network Working Group T. Dierks Network Working Group T. Dierks
Internet-Draft Independent Internet-Draft Independent
Obsoletes: 3268, 4346, 4366, 5246 E. Rescorla Obsoletes: 3268, 4346, 4366, 5246 E. Rescorla
(if approved) RTFM, Inc. (if approved) RTFM, Inc.
Updates: 4492 (if approved) April 17, 2014 Updates: 4492 (if approved) April 17, 2014
Intended status: Standards Track Intended status: Standards Track
Expires: October 19, 2014 Expires: October 19, 2014
The Transport Layer Security (TLS) Protocol Version 1.3 The Transport Layer Security (TLS) Protocol Version 1.3
draft-ietf-tls-tls13-00 draft-ietf-tls-tls13-01
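Review bot: the only difference in the header block is the draft name (-00 on the left, -01 on the right); the date (April 17, 2014), expiry (October 19, 2014), Obsoletes and Updates lines are identical on both sides, so the -01 revision carries the same submission date as -00 rather than a later one, which is worth confirming is intended for the revision history the Introduction says this draft is meant to establish.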
Abstract Abstract
This document specifies Version 1.3 of the Transport Layer Security This document specifies Version 1.3 of the Transport Layer Security
(TLS) protocol. The TLS protocol provides communications security (TLS) protocol. The TLS protocol provides communications security
over the Internet. The protocol allows client/server applications to over the Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping, communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery. tampering, or message forgery.
Status of This Memo Status of This Memo
[unchanged text skipped to page 2, line 8]
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
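Review bot: the paragraph on material published before November 10, 2008 appears only on the right (-01) side, so the -00 boilerplate was missing it; since both drafts' Introduction states that the document is a copy of RFC 5246, -00 should have carried this notice as well, and adding it in -01 is the correct fix rather than a substantive change.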
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Requirements Terminology . . . . . . . . . . . . . . . . 5 1.1. Requirements Terminology . . . . . . . . . . . . . . . . 6
1.2. Major Differences from TLS 1.1 . . . . . . . . . . . . . 5 1.2. Major Differences from TLS 1.1 . . . . . . . . . . . . . 6
2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3. Goals of This Document . . . . . . . . . . . . . . . . . . . 7 3. Goals of This Document . . . . . . . . . . . . . . . . . . . 8
4. Presentation Language . . . . . . . . . . . . . . . . . . . . 7 4. Presentation Language . . . . . . . . . . . . . . . . . . . . 8
4.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 7 4.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . 8
4.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 8 4.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 9
4.3. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3. Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.4. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.4. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 9 4.5. Enumerateds . . . . . . . . . . . . . . . . . . . . . . . 10
4.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 10 4.6. Constructed Types . . . . . . . . . . . . . . . . . . . . 11
4.6.1. Variants . . . . . . . . . . . . . . . . . . . . . . 11 4.6.1. Variants . . . . . . . . . . . . . . . . . . . . . . 12
4.7. Cryptographic Attributes . . . . . . . . . . . . . . . . 12 4.7. Cryptographic Attributes . . . . . . . . . . . . . . . . 13
4.8. Constants . . . . . . . . . . . . . . . . . . . . . . . . 14 4.8. Constants . . . . . . . . . . . . . . . . . . . . . . . . 15
5. HMAC and the Pseudorandom Function . . . . . . . . . . . . . 14 5. HMAC and the Pseudorandom Function . . . . . . . . . . . . . 15
6. The TLS Record Protocol . . . . . . . . . . . . . . . . . . . 16 6. The TLS Record Protocol . . . . . . . . . . . . . . . . . . . 17
6.1. Connection States . . . . . . . . . . . . . . . . . . . . 16 6.1. Connection States . . . . . . . . . . . . . . . . . . . . 17
6.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 19 6.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 20
6.2.1. Fragmentation . . . . . . . . . . . . . . . . . . . . 19 6.2.1. Fragmentation . . . . . . . . . . . . . . . . . . . . 20
6.2.2. Record Compression and Decompression . . . . . . . . 21 6.2.2. Record Compression and Decompression . . . . . . . . 22
6.2.3. Record Payload Protection . . . . . . . . . . . . . . 21 6.2.3. Record Payload Protection . . . . . . . . . . . . . . 22
6.3. Key Calculation . . . . . . . . . . . . . . . . . . . . . 26 6.3. Key Calculation . . . . . . . . . . . . . . . . . . . . . 27
7. The TLS Handshaking Protocols . . . . . . . . . . . . . . . . 27 7. The TLS Handshaking Protocols . . . . . . . . . . . . . . . . 28
7.1. Change Cipher Spec Protocol . . . . . . . . . . . . . . . 28 7.1. Change Cipher Spec Protocol . . . . . . . . . . . . . . . 29
7.2. Alert Protocol . . . . . . . . . . . . . . . . . . . . . 28 7.2. Alert Protocol . . . . . . . . . . . . . . . . . . . . . 29
7.2.1. Closure Alerts . . . . . . . . . . . . . . . . . . . 29 7.2.1. Closure Alerts . . . . . . . . . . . . . . . . . . . 30
7.2.2. Error Alerts . . . . . . . . . . . . . . . . . . . . 30 7.2.2. Error Alerts . . . . . . . . . . . . . . . . . . . . 31
7.3. Handshake Protocol Overview . . . . . . . . . . . . . . . 34 7.3. Handshake Protocol Overview . . . . . . . . . . . . . . . 35
7.4. Handshake Protocol . . . . . . . . . . . . . . . . . . . 37 7.4. Handshake Protocol . . . . . . . . . . . . . . . . . . . 38
7.4.1. Hello Messages . . . . . . . . . . . . . . . . . . . 38 7.4.1. Hello Messages . . . . . . . . . . . . . . . . . . . 39
7.4.2. Server Certificate . . . . . . . . . . . . . . . . . 48 7.4.2. Server Certificate . . . . . . . . . . . . . . . . . 49
7.4.3. Server Key Exchange Message . . . . . . . . . . . . . 50 7.4.3. Server Key Exchange Message . . . . . . . . . . . . . 51
7.4.4. Certificate Request . . . . . . . . . . . . . . . . . 53 7.4.4. Certificate Request . . . . . . . . . . . . . . . . . 54
7.4.5. Server Hello Done . . . . . . . . . . . . . . . . . . 55 7.4.5. Server Hello Done . . . . . . . . . . . . . . . . . . 56
7.4.6. Client Certificate . . . . . . . . . . . . . . . . . 56 7.4.6. Client Certificate . . . . . . . . . . . . . . . . . 57
7.4.7. Client Key Exchange Message . . . . . . . . . . . . . 57 7.4.7. Client Key Exchange Message . . . . . . . . . . . . . 58
7.4.8. Certificate Verify . . . . . . . . . . . . . . . . . 62 7.4.8. Certificate Verify . . . . . . . . . . . . . . . . . 63
7.4.9. Finished . . . . . . . . . . . . . . . . . . . . . . 63 7.4.9. Finished . . . . . . . . . . . . . . . . . . . . . . 64
8. Cryptographic Computations . . . . . . . . . . . . . . . . . 65 8. Cryptographic Computations . . . . . . . . . . . . . . . . . 66
8.1. Computing the Master Secret . . . . . . . . . . . . . . . 65 8.1. Computing the Master Secret . . . . . . . . . . . . . . . 66
8.1.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . 65 8.1.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . 66
8.1.2. Diffie-Hellman . . . . . . . . . . . . . . . . . . . 66 8.1.2. Diffie-Hellman . . . . . . . . . . . . . . . . . . . 67
9. Mandatory Cipher Suites . . . . . . . . . . . . . . . . . . . 66 9. Mandatory Cipher Suites . . . . . . . . . . . . . . . . . . . 67
10. Application Data Protocol . . . . . . . . . . . . . . . . . . 66 10. Application Data Protocol . . . . . . . . . . . . . . . . . . 67
11. Security Considerations . . . . . . . . . . . . . . . . . . . 66 11. Security Considerations . . . . . . . . . . . . . . . . . . . 67
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 66 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 69
13.1. Normative References . . . . . . . . . . . . . . . . . . 68 13.1. Normative References . . . . . . . . . . . . . . . . . . 69
13.2. Informative References . . . . . . . . . . . . . . . . . 69 13.2. Informative References . . . . . . . . . . . . . . . . . 70
Appendix A. Protocol Data Structures and Constant Values . . . . 72 Appendix A. Protocol Data Structures and Constant Values . . . . 73
A.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 72 A.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 73
A.2. Change Cipher Specs Message . . . . . . . . . . . . . . . 73 A.2. Change Cipher Specs Message . . . . . . . . . . . . . . . 74
A.3. Alert Messages . . . . . . . . . . . . . . . . . . . . . 74 A.3. Alert Messages . . . . . . . . . . . . . . . . . . . . . 75
A.4. Handshake Protocol . . . . . . . . . . . . . . . . . . . 75 A.4. Handshake Protocol . . . . . . . . . . . . . . . . . . . 76
A.4.1. Hello Messages . . . . . . . . . . . . . . . . . . . 75 A.4.1. Hello Messages . . . . . . . . . . . . . . . . . . . 76
A.4.2. Server Authentication and Key Exchange Messages . . . 77 A.4.2. Server Authentication and Key Exchange Messages . . . 78
A.4.3. Client Authentication and Key Exchange Messages . . . 78 A.4.3. Client Authentication and Key Exchange Messages . . . 79
A.4.4. Handshake Finalization Message . . . . . . . . . . . 79 A.4.4. Handshake Finalization Message . . . . . . . . . . . 80
A.5. The Cipher Suite . . . . . . . . . . . . . . . . . . . . 79 A.5. The Cipher Suite . . . . . . . . . . . . . . . . . . . . 80
A.6. The Security Parameters . . . . . . . . . . . . . . . . . 81 A.6. The Security Parameters . . . . . . . . . . . . . . . . . 82
A.7. Changes to RFC 4492 . . . . . . . . . . . . . . . . . . . 82 A.7. Changes to RFC 4492 . . . . . . . . . . . . . . . . . . . 83
Appendix B. Glossary . . . . . . . . . . . . . . . . . . . . . . 82 Appendix B. Glossary . . . . . . . . . . . . . . . . . . . . . . 83
Appendix C. Cipher Suite Definitions . . . . . . . . . . . . . . 86 Appendix C. Cipher Suite Definitions . . . . . . . . . . . . . . 87
Appendix D. Implementation Notes . . . . . . . . . . . . . . . . 88 Appendix D. Implementation Notes . . . . . . . . . . . . . . . . 89
D.1. Random Number Generation and Seeding . . . . . . . . . . 88 D.1. Random Number Generation and Seeding . . . . . . . . . . 89
D.2. Certificates and Authentication . . . . . . . . . . . . . 88 D.2. Certificates and Authentication . . . . . . . . . . . . . 89
D.3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 89 D.3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 90
D.4. Implementation Pitfalls . . . . . . . . . . . . . . . . . 89 D.4. Implementation Pitfalls . . . . . . . . . . . . . . . . . 90
Appendix E. Backward Compatibility . . . . . . . . . . . . . . . 90 Appendix E. Backward Compatibility . . . . . . . . . . . . . . . 91
E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 . . . . . . . 90 E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 . . . . . . . 91
E.2. Compatibility with SSL 2.0 . . . . . . . . . . . . . . . 92 E.2. Compatibility with SSL 2.0 . . . . . . . . . . . . . . . 93
E.3. Avoiding Man-in-the-Middle Version Rollback . . . . . . . 93 E.3. Avoiding Man-in-the-Middle Version Rollback . . . . . . . 94
Appendix F. Security Analysis . . . . . . . . . . . . . . . . . 94 Appendix F. Security Analysis . . . . . . . . . . . . . . . . . 95
F.1. Handshake Protocol . . . . . . . . . . . . . . . . . . . 94 F.1. Handshake Protocol . . . . . . . . . . . . . . . . . . . 95
F.1.1. Authentication and Key Exchange . . . . . . . . . . . 94 F.1.1. Authentication and Key Exchange . . . . . . . . . . . 95
F.1.2. Version Rollback Attacks . . . . . . . . . . . . . . 97 F.1.2. Version Rollback Attacks . . . . . . . . . . . . . . 98
F.1.3. Detecting Attacks Against the Handshake Protocol . . 97 F.1.3. Detecting Attacks Against the Handshake Protocol . . 98
F.1.4. Resuming Sessions . . . . . . . . . . . . . . . . . . 97 F.1.4. Resuming Sessions . . . . . . . . . . . . . . . . . . 98
F.2. Protecting Application Data . . . . . . . . . . . . . . . 98 F.2. Protecting Application Data . . . . . . . . . . . . . . . 99
F.3. Explicit IVs . . . . . . . . . . . . . . . . . . . . . . 98 F.3. Explicit IVs . . . . . . . . . . . . . . . . . . . . . . 99
F.4. Security of Composite Cipher Modes . . . . . . . . . . . 98 F.4. Security of Composite Cipher Modes . . . . . . . . . . . 99
F.5. Denial of Service . . . . . . . . . . . . . . . . . . . . 99 F.5. Denial of Service . . . . . . . . . . . . . . . . . . . . 100
F.6. Final Notes . . . . . . . . . . . . . . . . . . . . . . . 100 F.6. Final Notes . . . . . . . . . . . . . . . . . . . . . . . 101
Appendix G. Working Group Information . . . . . . . . . . . . . 100 Appendix G. Working Group Information . . . . . . . . . . . . . 101
Appendix H. Contributors . . . . . . . . . . . . . . . . . . . . 100 Appendix H. Contributors . . . . . . . . . . . . . . . . . . . . 101
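Review bot: every table-of-contents entry shifts by exactly one page between the left and right columns (for example "1. Introduction" moves from page 4 to page 5 and "Appendix H. Contributors" from 100 to 101) and no entry is added, removed or renamed, which matches the single added paragraph on page 2; this change block is page renumbering only and needs no further review.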
1. Introduction 1. Introduction
DISCLAIMER: This document is simply a copy of RFC 5246 translated DISCLAIMER: This document is simply a copy of RFC 5246 translated
into markdown format with no intentional technical or editorial into markdown format with no intentional technical or editorial
changes beyond updating the references and minor reformatting changes beyond updating the references and minor reformatting
introduced by the translation. It is being submitted as-is to create introduced by the translation. It is being submitted as-is to create
a clearer revision history for future versions. Any errata in TLS a clearer revision history for future versions. Any errata in TLS
1.2 remain in this version. Thanks to Mark Nottingham for doing the 1.2 remain in this version. Thanks to Mark Nottingham for doing the
markdown translation. markdown translation.
 End of changes. 3 change blocks. 
87 lines changed or deleted 99 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/