The Basics of Crypto 11: Transport Layer Security

  • andy1265
  • Jun 20, 2022
  • 3 min read

Transport Layer Security (TLS) is the encryption system the internet runs on. Its predecessor was the Secure Sockets Layer (SSL), which has since been deprecated and replaced by the modern TLS system. Over the years the system grew to cover more and more use cases, and this growth led to a large number of vulnerabilities being discovered in it, such as Heartbleed, POODLE, FREAK and numerous others with equally silly acronyms. Recently (at the time of writing) TLS has been overhauled: much of the unnecessary functionality has been removed and the supported cipher suites have been cut down to only the most modern and secure ciphers, in an attempt to reduce the number of vulnerabilities in the system. This new version is called TLSv1.3.


Requirements

In order for TLS to gain the mass adoption it has seen, it had to fulfil some functional requirements. The main goal of the project was to facilitate secure communications between two servers, or between a client and a server, whilst removing the threat posed by potential man-in-the-middle attackers. On top of this the project was required to hit a number of other targets:


Efficient: The TLS protocol should be almost as fast as unencrypted communications and should not require much more computational power than unencrypted protocols. This reduces the additional cost placed on the owner of the server, reduces waiting times for the client and reduces battery consumption on mobile devices.


Platform Agnostic: The protocol should be platform agnostic, allowing it to run on any hardware and any operating system. This lets it run on all devices, such as Windows servers, MacBooks and Android phones.


Extensible: It should be possible to apply the TLS protocol to any communications system, allowing additional functionality to be gained from the protocol.


As you will see through the rest of this instalment, the TLS protocol meets all of these requirements and as such is seen throughout modern technology as the de facto way of carrying out secure communications.


A Breakdown of TLS

TLS is not in and of itself a single protocol but rather a combination of features that together are referred to as the TLS protocol. The two main features are the record protocol and the handshake protocol.


TLS Handshake Protocol

The TLS Handshake Protocol is the process by which a client and server exchange keys in order to set up a secure communications channel. When establishing a secure session, the client sends a message to the server stating that it wants to set up a secure connection, listing the cipher suites it supports and including a Diffie-Hellman public key. The server then responds with the cipher to use, an integer for downgrade protection and a certificate for the domain in question, along with a MAC covering all of the above.


The Handshake Protocol is responsible for managing the following:

  1. Cipher suite negotiation.

  2. Authentication of the server and optionally, the client.

  3. Session key information exchange.


TLS Record Protocol

The TLS Record Protocol secures application data using the keys created during the TLS Handshake. TLS records are chunks of data that are at most 16KB in size, and all data transported over TLS travels in TLS records. Records are first used to carry out the TLS handshake; afterwards all application data is broken down into chunks and transported as TLS records. The Record Protocol is responsible for securing application data and verifying its integrity and origin. It manages the following:

  1. Dividing outgoing messages into manageable blocks, and reassembling incoming messages.

  2. Compressing outgoing blocks and decompressing incoming blocks (optional).

  3. Applying a Message Authentication Code to outgoing messages, and verifying incoming messages using the MAC.

  4. Encrypting outgoing messages and decrypting incoming messages.


When the Record Protocol has finished its work, the outgoing encrypted data is passed down to the Transmission Control Protocol (TCP) layer for transport. A useful image detailing the order of handshake and record messages between the parties can be seen below:
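The first of the Record Protocol's jobs, dividing a message into records of at most 16KB and reassembling them on the other side, is shown here as an added example in Python; it is not code from the original post. It frames data with the 5-byte record header (content type, legacy version, length) and, on receipt, checks each header before trusting its length, rejecting unknown content types and records over 2^14 bytes; the MAC and encryption steps are deliberately left out, and the legacy version field is ignored as TLS 1.3 requires.

```python
import struct

# TLS record header: content type (1 byte), legacy version (2 bytes), length (2 bytes)
RECORD_HEADER = struct.Struct("!BHH")
MAX_FRAGMENT = 2 ** 14  # the 16 KB ceiling on a record's payload (RFC 8446, section 5.1)
LEGACY_VERSION = 0x0303  # TLS 1.3 still writes this fixed value into the record header
# Content types the record layer carries; anything else is rejected on receipt
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def frame_records(content_type, data):
    """Divide outgoing data into records of at most MAX_FRAGMENT bytes, each with a header."""
    if content_type not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % content_type)
    records = []
    for offset in range(0, len(data), MAX_FRAGMENT):
        fragment = data[offset:offset + MAX_FRAGMENT]
        records.append(RECORD_HEADER.pack(content_type, LEGACY_VERSION, len(fragment)) + fragment)
    return records


def parse_records(stream):
    """Walk a stream of concatenated records, validating each header before using its length.

    Returns (records, leftover): records is a list of (type_name, payload); leftover is an
    incomplete trailing record that needs more bytes from the network before it can be read.
    """
    records, pos = [], 0
    while len(stream) - pos >= RECORD_HEADER.size:
        ctype, _version, length = RECORD_HEADER.unpack_from(stream, pos)  # version is ignored
        if ctype not in CONTENT_TYPES:
            raise ValueError("unexpected content type %d at offset %d" % (ctype, pos))
        if length > MAX_FRAGMENT:
            # A real implementation answers this with a record_overflow alert and closes
            raise ValueError("record length %d exceeds 2^14 at offset %d" % (length, pos))
        end = pos + RECORD_HEADER.size + length
        if end > len(stream):
            break  # partial record: leave it for the next read
        records.append((CONTENT_TYPES[ctype], bytes(stream[pos + RECORD_HEADER.size:end])))
        pos = end
    return records, bytes(stream[pos:])


def reassemble(records, type_name):
    """Join the payloads of records of one content type back into the original message."""
    return b"".join(payload for name, payload in records if name == type_name)


if __name__ == "__main__":
    message = bytes(range(256)) * 157  # constructed sample: 40,192 bytes, about 2.5 records
    parsed, leftover = parse_records(b"".join(frame_records(23, message)))
    print(len(parsed), "records", [len(p) for _, p in parsed], leftover == b"")
```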


Improvements of TLS 1.3 Over Previous Versions

TLSv1.3 aims to remove many of the features in previous versions of TLS that made the protocol less secure. Many of the old algorithms, such as MD5, SHA-1 and RC4, have been removed, as has support for data compression, which led to the CRIME attack. TLSv1.3 also brings in a number of new features aimed at increasing the security of the protocol, such as downgrade protection, single round trip handshakes and session resumption.
