12.3.3 Record Protocol
When a party needs to send a message (called application data) to the other party, it is
first split into fragments of length at most 2^14 bytes. Each fragment is treated separately.
A fragment is compressed using the compression algorithm of the session (if any). Then
we append a MAC to the compressed fragment and obtain the plaintext. Next, it is
encrypted, and the ciphertext is finally sent with an SSL record header.
Upon reception of a record, the header is extracted, the ciphertext is decrypted, the
MAC is checked and then removed, and the remainder is decompressed in order to recover the
fragment.
When the hash algorithm of the cipher spec is NULL, no MAC is computed, i.e.
the MAC length is zero. Otherwise, the MAC is simply the HMAC algorithm with the
specified hash function. More precisely, the MAC of a fragment is computed as

$$\mathrm{HMAC}_{\mathrm{MAC\_write\_secret}}\bigl(\mathrm{seq\_num} \,\|\, \mathrm{TLSCompressed.type} \,\|\, \mathrm{TLSCompressed.version} \,\|\, \mathrm{TLSCompressed.length} \,\|\, \mathrm{TLSCompressed.fragment}\bigr)$$

where MAC_write_secret is the MAC key of the sender, seq_num is the sequence
number of the fragment, and the remaining fields are the compressed fragment with its
actual length and some additional information about the TLS protocol (namely, the
compression algorithm) that is being used.
12.3.4 Stream Cipher
The RC4 stream cipher is used as a key-stream generator with a one-time pad. The
internal state of the generator is kept in the connection state so that the RC4 automaton
continuously generates key stream in order to encrypt the sequence of fragments.
12.3.5 Block Cipher
Since block ciphers are used in CBC mode, the plaintext must be converted into an
integral sequence of blocks. For this we append a padding to the plaintext and a padding
length of 1 byte. Every byte of the padding must be equal to the padding length, and the
total length (the plaintext, the padding, and the padding length) must be a multiple of
the block size. When the ciphertext is decrypted, the last byte specifies the length of the
padding to be removed. The padding structure is also checked, and an error is issued if
it is not valid.
Note that the padding does not need to be the shortest one. It can actually be longer
in order to hide the real size of the plaintext from a potential adversary.
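As an added worked example (not from the book), the record MAC input of Section 12.3.3 and the CBC padding rules of Section 12.3.5 in Python. It assumes the standard TLS encodings of the MAC input fields (8-byte sequence number, 1-byte type, 2-byte version, 2-byte length) and HMAC-SHA1 as the MAC; the `extra_blocks` parameter is a hypothetical knob for choosing a longer-than-minimal padding.

```python
import hmac
import struct

def mac_input(seq_num: int, content_type: int, version: tuple, fragment: bytes) -> bytes:
    """seq_num || type || version || length || fragment, with the usual TLS field widths."""
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, content_type, major, minor, len(fragment))
    return header + fragment

def tls_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
            version: tuple, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC with the sender's MAC key over the record fields; seq_num binds the
    MAC to the record's position, so a replayed or reordered record fails the check."""
    data = mac_input(seq_num, content_type, version, fragment)
    return hmac.new(mac_write_secret, data, hash_name).digest()

def tls_pad(plaintext: bytes, block_size: int, extra_blocks: int = 0) -> bytes:
    """Append padding plus one padding-length byte so the total is a block multiple.
    Every padding byte equals the length byte. extra_blocks (hypothetical parameter)
    adds whole blocks of padding to hide the real plaintext length."""
    pad_len = (block_size - (len(plaintext) + 1) % block_size) % block_size
    pad_len += extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("padding length must fit in one byte")
    return plaintext + bytes([pad_len]) * (pad_len + 1)

def tls_unpad(padded: bytes, block_size: int) -> bytes:
    """Remove the padding, checking its structure exactly as the text requires:
    block-multiple total length, length byte within range, all padding bytes equal."""
    if len(padded) == 0 or len(padded) % block_size != 0:
        raise ValueError("decrypted length is not a multiple of the block size")
    pad_len = padded[-1]
    if pad_len + 1 > len(padded):
        raise ValueError("padding length exceeds record length")
    if any(b != pad_len for b in padded[-(pad_len + 1):]):
        raise ValueError("padding bytes do not all equal the padding length")
    return padded[:-(pad_len + 1)]

if __name__ == "__main__":
    key = b"constructed-mac-write-secret"          # constructed sample key
    tag = tls_mac(key, 1, 23, (3, 1), b"hello")      # type 23 = application data
    padded = tls_pad(b"hello" + tag, 16, extra_blocks=1)
    assert tls_unpad(padded, 16) == b"hello" + tag
```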