TLS 1.3 Protocols


TLS is composed of 4 subprotocols:

  • handshake protocol
    • client and web server negotiate the version of TLS and the cryptographic algorithms to use
    • establish a shared secret for symmetric encryption
    • authenticate each other using public keys
  • record protocol
    • client and server encrypt and decrypt messages using the shared key and verify the integrity of received data
  • alert protocol
    • handles errors
  • 0-RTT protocol
    • enables the transmission of data without authentication when the client and server have pre-shared keys

Handshake Protocol

  • client and server exchange Hello messages in order to:
    • select the cryptographic algorithm to use
    • establish shared keying material
    • authenticate the server to the client
      • optionally, the client to the server
  • first messages in TLS are ClientHello and ServerHello
    • both have the same structure:
      • TLS versions
      • Random nonce value
      • Cipher suite
      • Extensions
      • Options (legacy compatibility)
    • a TLS extension carries a list of items ordered according to the sender’s preferences
      • an extension in a ClientHello message lists the items supported by the client
      • the same extension in a ServerHello message carries the single item, chosen from the client’s options, that the server will use
      • e.g. the client includes a list of ciphers, the server includes the one cipher it will use
      • most used extensions:
        • supported groups
          • indicates the supported mathematical groups (i.e. finite fields and elliptic curves)
        • key share
          • indicates the supported key exchange protocols
        • pre-shared key extension
          • indicates the pre-shared keys known to the client and server before starting the current handshake
        • signature algorithms
          • indicates the supported signature algorithms
        • certificate authorities
          • indicates which certificate authorities are supported
          • used to indicate known trust anchors
        • early data indication
          • allows the client to send application data encrypted with the pre-shared symmetric key, without performing the authentication
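The extension exchange above, worked through in code. This is an added example, not material from the original notes: it serialises and parses a ClientHello extensions block (2-byte total length, then type, length and body per extension), then lets a server do its side of the supported_groups exchange, walking the client's preference-ordered list and returning the one group its reply will name. The extension and group code points are the real RFC 8446 values; the sample ClientHello contents, the server's supported set, and the function names (`EncodeExtensions`, `DecodeExtensions`, `NegotiateGroup`) are constructed for this example. Malformed input is rejected with errors named after the alert a real peer would send.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Extension type and named-group code points from RFC 8446 section 4.2.
const (
	extSupportedGroups   uint16 = 10
	extSupportedVersions uint16 = 43
	groupSecp256r1       uint16 = 0x0017
	groupX25519          uint16 = 0x001d
)

// Extension is one TLS extension: a type code and its opaque body.
type Extension struct {
	Type uint16
	Data []byte
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// EncodeExtensions serialises an extensions block as it appears in a Hello
// message: 2-byte total length, then per extension its type (2 bytes),
// body length (2 bytes) and body, in the order the sender lists them.
func EncodeExtensions(exts []Extension) []byte {
	var body []byte
	for _, e := range exts {
		body = append(put16(put16(body, e.Type), uint16(len(e.Data))), e.Data...)
	}
	return append(put16(nil, uint16(len(body))), body...)
}

// DecodeExtensions parses an extensions block. Truncated bodies and repeated
// extension types are rejected; error strings name the alert a peer would send.
func DecodeExtensions(b []byte) ([]Extension, error) {
	if len(b) < 2 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return nil, errors.New("decode_error: bad extensions length")
	}
	b = b[2:]
	seen := map[uint16]bool{}
	var exts []Extension
	for len(b) > 0 {
		if len(b) < 4 {
			return nil, errors.New("decode_error: truncated extension header")
		}
		t, n := binary.BigEndian.Uint16(b), int(binary.BigEndian.Uint16(b[2:]))
		if len(b) < 4+n {
			return nil, errors.New("decode_error: truncated extension body")
		}
		if seen[t] {
			return nil, fmt.Errorf("illegal_parameter: duplicate extension %d", t)
		}
		seen[t] = true
		exts = append(exts, Extension{Type: t, Data: b[4 : 4+n]})
		b = b[4+n:]
	}
	return exts, nil
}

// NegotiateGroup is the server's side of the supported_groups exchange: the
// client sent a 2-byte length-prefixed list of groups in preference order and
// the server returns the first one it also supports, the single value its
// own reply then carries.
func NegotiateGroup(extBlock []byte, serverGroups map[uint16]bool) (uint16, error) {
	exts, err := DecodeExtensions(extBlock)
	if err != nil {
		return 0, err
	}
	for _, e := range exts {
		if e.Type != extSupportedGroups {
			continue
		}
		d := e.Data
		if len(d) < 2 || len(d)%2 != 0 || int(binary.BigEndian.Uint16(d)) != len(d)-2 {
			return 0, errors.New("decode_error: malformed supported_groups list")
		}
		for i := 2; i < len(d); i += 2 {
			if g := binary.BigEndian.Uint16(d[i:]); serverGroups[g] {
				return g, nil
			}
		}
		return 0, errors.New("handshake_failure: no mutually supported group")
	}
	return 0, errors.New("missing_extension: supported_groups absent")
}

func main() {
	// Constructed ClientHello extensions: TLS 1.3 only, X25519 preferred over P-256.
	hello := EncodeExtensions([]Extension{
		{Type: extSupportedVersions, Data: []byte{0x02, 0x03, 0x04}},
		{Type: extSupportedGroups, Data: put16(put16(put16(nil, 4), groupX25519), groupSecp256r1)},
	})
	g, err := NegotiateGroup(hello, map[uint16]bool{groupSecp256r1: true})
	fmt.Printf("extensions=%x\nselected=%#04x err=%v\n", hello, g, err)
}
```

With a server that only supports P-256 the client's first preference (X25519) is skipped and `0x0017` is selected; with no overlap the server reports a handshake failure, which is the alert the notes list below.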

Full TLS Handshake

  • a gray box in the handshake diagram marks the client-authentication messages, since authentication of the client is not mandatory
  • a Hello message may be transmitted in a single record or split across multiple records

Record Protocol

Record protocol is used to provide confidentiality and integrity of transmitted data.

  • used to protect handshake, application data, and alert messages
  • how it works
    • record layer fragments data into records with a maximum length of bytes
    • a record is encrypted and decrypted with an AEAD (Authenticated Encryption with Associated Data) algorithm
      • agreed upon by client and server
    • a distinct nonce is used for each encrypted record, so that no two records are protected under the same nonce and replayed or reordered records are detected
  • maximum of full-length records may be encrypted on a given connection using AES-GCM
    • to keep the loss of security from protecting many records under one key within an acceptable margin

Alert Protocol

Alert protocol provides indications of errors and of the inability to establish or maintain a secure connection between the parties.

  • common alerts:
    • Unsupported TLS version, Handshake failure, Unknown pre-shared key identifier
    • Bad certificate, Unsupported certificate, Expired certificate, Revoked certificate, Unknown CA
    • Bad record MAC, Record exceeding the limit size