but it became the master secret by taking the MD5 hash of the premaster secret
plus the SHA hash of the letter A plus the premaster secret, the client random,
and the server random, followed by the same MD5 hash with A replaced by
BB, and the same MD5 hash again with CCC instead of BB. The finished messages,
the other place where the PRF shows up in TLS, were based directly on
MD5 and SHA-1 hashes as well.
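The SSLv3 derivation described above, written out as an added example (not code from the original text). It generalizes the same MD5/SHA-1 construction to the SSLv3 key block as specified in RFC 6101; the function names and the sample inputs are assumptions constructed for illustration.

```python
import hashlib

def sslv3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """SSLv3 expansion: MD5(secret + SHA1(label + secret + seed)) for the
    labels 'A', 'BB', 'CCC', ... until `length` bytes have been produced."""
    out = b""
    i = 0
    while len(out) < length:
        if i >= 26:
            raise ValueError("label alphabet exhausted")
        label = bytes([ord("A") + i]) * (i + 1)      # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()  # 16 bytes per round
        i += 1
    return out[:length]

def _check_randoms(client_random: bytes, server_random: bytes) -> None:
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("hello randoms are 32 bytes each")

def sslv3_master_secret(premaster: bytes, client_random: bytes,
                        server_random: bytes) -> bytes:
    """48-byte master secret: exactly three rounds (A, BB, CCC)."""
    _check_randoms(client_random, server_random)
    return sslv3_expand(premaster, client_random + server_random, 48)

def sslv3_key_block(master: bytes, client_random: bytes,
                    server_random: bytes, length: int) -> bytes:
    """Key material from the master secret. The seed order flips here:
    server random first, then client random (RFC 6101)."""
    _check_randoms(client_random, server_random)
    return sslv3_expand(master, server_random + client_random, length)

# Constructed sample inputs, not taken from a real handshake.
PREMASTER = b"\x03\x00" + bytes(range(46))   # version 3.0 + 46 filler bytes
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = sslv3_master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
    kb = sslv3_key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 104)
    print("key block    :", kb.hex())
```

Because the only primitives involved are MD5 and SHA-1, this is useful mainly for decoding legacy captures or checking an implementation against a known handshake.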
There's not much reason to go into any more detail on SSLv3 here. Because
SSLv3 and TLS 1.0 are almost identical, it's a good bet that any server that
supports one supports the other.
Differences Between TLS 1.0 and TLS 1.1
The TLS 1.0 protocol stood untouched for seven years after it was standardized
in 1999. In 2006, Tim Dierks and Eric Rescorla drafted RFC 4346, specifying TLS
1.1 and making TLS 1.0 obsolete.
By and large, TLS 1.1 is not a significant change from TLS 1.0. It added some
new cipher suites and some clarifications and implementation notes, but the
most important change is that initialization vectors are no longer computed
from the master secret; instead, they're prepended to each packet.
Why, you ask? Well, in TLS 1.0 each record's IV is the most recently transmitted
ciphertext block. Although an attacker can't decrypt the packet, even a passive
eavesdropper can see what the next IV is going to be. The attack is complex, but a
dedicated attacker who can inject known plaintext into the stream can guess what
the last plaintext block is and verify his guess by injecting a specially crafted
plaintext block into the stream. It's not clear under what circumstances an attacker
might be able to inject known plaintext, but not have access to the keys; perhaps he's
sniffing traffic coming out of a call center, calls that call center, makes up an
account ID, and hopes that that account ID is the next packet on a live session.
Theoretical or not, this is an easy enough attack to defend against, so TLS 1.1
does so. TLS 1.1 is not particularly common on the public Internet, even today,
four years after it was drafted.
Two years after TLS 1.1 was drafted, it was made obsolete by RFC 5246, which
specifies TLS 1.2. TLS 1.2 was a major modification of the TLS protocol and
Chapter 9 is devoted to detailing the changes it introduced.
 