Message authentication code 1

Message authentication codeIn cryptography, a message authentication code (often MAC) is a short piece of information used to authenticate amessage.A MAC algorithm, sometimes called a keyed (cryptographic) hash function, accepts as input a secret key and anarbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC valueprotects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secretkey) to detect any changes to the message content.

SecurityWhile MAC functions are similar to cryptographic hash functions, they possess different security requirements. Tobe considered secure, a MAC function must resist existential forgery under chosen-plaintext attacks. This means thateven if an attacker has access to an oracle which possesses the secret key and generates MACs for messages of theattacker's choosing, the attacker cannot guess the MAC for other messages without performing infeasible amounts ofcomputation.MACs differ from digital signatures as MAC values are both generated and verified using the same secret key. Thisimplies that the sender and receiver of a message must agree on the same key before initiating communications, as isthe case with symmetric encryption. For the same reason, MACs do not provide the property of non-repudiationoffered by signatures specifically in the case of a network-wide shared secret key: any user who can verify a MAC isalso capable of generating MACs for other messages. In contrast, a digital signature is generated using the privatekey of a key pair, which is asymmetric encryption. Since this private key is only accessible to its holder, a digitalsignature proves that a document was signed by none other than that holder. Thus, digital signatures do offernon-repudiation.

Message integrity codesThe term message integrity code (MIC) is frequently substituted for the term MAC, especially in communications,[1]

where the acronym MAC traditionally stands for Media Access Control. However, some authors[2] use MIC as adistinctly different term from a MAC; in their usage of the term the MIC operation does not use secret keys. Thislack of security means that any MIC intended for use gauging message integrity should be encrypted or otherwise beprotected against tampering. MIC algorithms are created such that a given message will always produce the sameMIC assuming the same algorithm is used to generate both. Conversely, MAC algorithms are designed to producematching MACs only if the same message, secret key and initialization vector are input to the same algorithm. MICsdo not use secret keys and, when taken on their own, are therefore a much less reliable gauge of message integritythan MACs. Because MACs use secret keys, they do not necessarily need to be encrypted to provide the same levelof assurance.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Message authentication code 2

ImplementationMAC algorithms can be constructed from other cryptographic primitives, such as cryptographic hash functions (as inthe case of HMAC) or from block cipher algorithms (OMAC, CBC-MAC and PMAC). However many of the fastestMAC algorithms such as UMAC and VMAC are constructed based on universal hashing.[3]

StandardsVarious standards exist that define MAC algorithms. These include:• FIPS PUB 113 Computer Data Authentication,[4] withdrawn in 2002,[5] defines an algorithm based on DES.• ISO/IEC 9797-1 Mechanisms using a block cipher[6]

• ISO/IEC 9797-2 Mechanisms using a dedicated hash-function[7]

ISO/IEC 9797-1 and -2 define generic models and algorithms that can be used with any block cipher or hashfunction, and a variety of different parameters. These models and parameters allow more specific algorithms to bedefined by nominating the parameters. For example the FIPS PUB 113 algorithm is functionally equivalent toISO/IEC 9797-1 MAC algorithm 1 with padding method 1 and a block cipher algorithm of DES.

Example

In this example, the sender of a message runs it through a MAC algorithm to produce a MAC data tag. The messageand the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmissionthrough the same MAC algorithm using the same key, producing a second MAC data tag. The receiver thencompares the first MAC tag received in the transmission to the second generated MAC tag. If they are identical, thereceiver can safely assume that the integrity of the message was not compromised, and the message was not alteredor tampered with during transmission.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Message authentication code 3

External links• RSA Laboratories entry on MACs [8]

• Ron Rivest lecture on MACs [9]

References[1] IEEE 802.11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications (http:/ / standards. ieee. org/

getieee802/ download/ 802. 11-2007. pdf). (2007 revision). IEEE-SA. 12 June 2007. doi:10.1109/IEEESTD.2007.373646. .[2] Fred B Schneider, Hashes and Message Digests, Cornell University (http:/ / www. cs. cornell. edu/ courses/ cs513/ 2005fa/ NL20. hashing.

html)[3] "VMAC: Message Authentication Code using Universal Hashing" (http:/ / www. fastcrypto. org/ vmac/ draft-krovetz-vmac-01. txt). CFRG

Working Group (CFRG Working Group). . Retrieved 16 March 2010.[4] FIPS PUB 113 Computer Data Authentication (http:/ / www. itl. nist. gov/ fipspubs/ fip113. htm)[5] Federal Information Processing Standards Publications, Withdrawn FIPS Listed by Number (http:/ / www. itl. nist. gov/ fipspubs/ withdraw.

htm)[6] ISO/IEC 9797-1 Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mechanisms using a

block cipher (http:/ / www. iso. org/ iso/ iso_catalogue/ catalogue_tc/ catalogue_detail. htm?csnumber=30656)[7] ISO/IEC 9797-2 Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a

dedicated hash-function (http:/ / www. iso. org/ iso/ iso_catalogue/ catalogue_tc/ catalogue_detail. htm?csnumber=31136)[8] http:/ / www. rsasecurity. com/ rsalabs/ node. asp?id=2177[9] http:/ / web. mit. edu/ 6. 857/ OldStuff/ Fall97/ lectures/ lecture3. pdf

S8CSE_Cryptography additionals

by Abhijith Marathakam

Article Sources and Contributors 4

Article Sources and ContributorsMessage authentication code  Source: http://en.wikipedia.org/w/index.php?oldid=482740944  Contributors: Abatakar, Ablewisuk, AdjustShift, Andris, Benizi, Bobo192, Callwithme, Ceyockey,Ciphergoth, Connelly, Conny, CryptoDerk, Dachshund, Darkfight, David spector, Davidgothberg, Dimawik, DividedByNegativeZero, Dougher, Ed Brey, Edipo, Emufarmers, Gareth Jones,Giftlite, HamburgerRadio, Henning Makholm, Iridescent, Jesse Viviano, Jorge Stolfi, KnightRider, Kotepho, Linas, Loadmaster, Macabu, Mandarax, Manscher, Matb, Matt Crypto, MauriceCarbonaro, Merovingian, Messiah7, Michael Hardy, Mindmatrix, Mitch Ames, Nealmcb, Nroets, PabloCastellano, Pi.C.Noizecehx, Quarl, Qutezuce, Rasmus Faber, Robertgreer, RonaldDuncan,Schnolle, Sh00tr, Shiningfm, Signalhead, Smilerpt, TLange, TonyW, TreasuryTag, Twisp, Varuna, Verloc, Wonderstruck, Ww, Xvani, Y(J)S, 56 anonymous edits

Image Sources, Licenses and ContributorsImage:MAC.svg  Source: http://en.wikipedia.org/w/index.php?title=File:MAC.svg  License: Public Domain  Contributors: Twisp

LicenseCreative Commons Attribution-Share Alike 3.0 Unported//creativecommons.org/licenses/by-sa/3.0/

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 1

MD5

MD5

General

Designers Ronald Rivest

First published April 1992

Series MD2, MD4, MD5, MD6

Detail

Digest sizes 128 bits

Structure Merkle–Damgård construction

Rounds 4 [1]

Best public cryptanalysis

A 2009 attack by Tao Xie and Dengguo Feng breaks MD5 collision resistance in 220.96 time. This attack runs in a few seconds on a regularcomputer.[2]

The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit(16-byte) hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, andis also commonly used to check data integrity. MD5 was designed by Ron Rivest in 1991 to replace an earlier hashfunction, MD4. An MD5 hash is typically expressed as a 32-digit hexadecimal number.However, it has since been shown that MD5 is not collision resistant;[3] as such, MD5 is not suitable for applicationslike SSL certificates or digital signatures that rely on this property. In 1996, a flaw was found with the design ofMD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of otheralgorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws werediscovered in MD5, making further use of the algorithm for security purposes questionable—specifically, a group ofresearchers described how to create a pair of files that share the same MD5 checksum.[4][5] Further advances weremade in breaking MD5 in 2005, 2006, and 2007.[6] In December 2008, a group of researchers used this technique tofake SSL certificate validity.,[7][8] and US-CERT now says that MD5 "should be considered cryptographicallybroken and unsuitable for further use."[9] and most U.S. government applications now require the SHA-2 family ofhash functions.[10]

History and cryptanalysisMD5 is one in a series of message digest algorithms designed by Professor Ronald Rivest of MIT (Rivest, 1994).When analytic work indicated that MD5's predecessor MD4 was likely to be insecure, MD5 was designed in 1991 tobe a secure replacement. (Weaknesses were indeed later found in MD4 by Hans Dobbertin.)In 1993, Den Boer and Bosselaers gave an early, although limited, result of finding a "pseudo-collision" of the MD5compression function; that is, two different initialization vectors which produce an identical digest.In 1996, Dobbertin announced a collision of the compression function of MD5 (Dobbertin, 1996). While this was notan attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to areplacement, such as SHA-1 or RIPEMD-160.The size of the hash—128 bits—is small enough to contemplate a birthday attack. MD5CRK was a distributedproject started in March 2004 with the aim of demonstrating that MD5 is practically insecure by finding a collisionusing a birthday attack.

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 2

MD5CRK ended shortly after 17 August 2004, when collisions for the full MD5 were announced by Xiaoyun Wang,Dengguo Feng, Xuejia Lai, and Hongbo Yu.[4][5][11] Their analytical attack was reported to take only one hour on anIBM p690 cluster.On 1 March 2005, Arjen Lenstra, Xiaoyun Wang, and Benne de Weger demonstrated[12] construction of two X.509certificates with different public keys and the same MD5 hash, a demonstrably practical collision. The constructionincluded private keys for both public keys. A few days later, Vlastimil Klima described[13] an improved algorithm,able to construct MD5 collisions in a few hours on a single notebook computer. On 18 March 2006, Klima publishedan algorithm[14] that can find a collision within one minute on a single notebook computer, using a method he callstunneling.In 2009, the United States Cyber Command used an MD5 hash of their mission statement as a part of their officialemblem.[15]

On December 24, 2010, Tao Xie and Dengguo Feng announced the first published single-block MD5 collision (two64-byte messages with the same MD5 hash given in Little endian notation).[16] Previous collision discoveries reliedon multi-block attacks. For "security reasons", Xie and Feng did not disclose the new attack method. They haveissued a challenge to the cryptographic community, offering a US$ 10,000 reward to the first finder of a different64-byte collision before January 1, 2013.In 2011 an informational RFC was approved to update the security considerations in RFC 1321 (MD5) and RFC2104 (HMAC-MD5). [17]

SecurityThe security of the MD5 hash function is severely compromised. A collision attack exists that can find collisionswithin seconds on a computer with a 2.6Ghz Pentium4 processor (complexity of 224.1).[18] Further, there is also achosen-prefix collision attack that can produce a collision for two chosen arbitrarily different inputs within hours,using off-the-shelf computing hardware (complexity 239).[19] The ability to find collisions has been greatly aided bythe use of off-the-shelf GPUs. On an NVIDIA GeForce 8400GS graphics processor, 16–18 million hashes persecond can be computed. An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes persecond.[20]

These hash and collision attacks have been demonstrated in the public in various situations, including collidingdocument files[21][22] and digital certificates.[7]

Collision vulnerabilitiesFurther information: Collision attackIn 1996, collisions were found in the compression function of MD5, and Hans Dobbertin wrote in the RSALaboratories technical newsletter, "The presented attack does not yet threaten practical applications of MD5, but itcomes rather close ... in the future MD5 should no longer be implemented...where a collision-resistant hash functionis required."[23]

In 2005, researchers were able to create pairs of PostScript documents[24] and X.509 certificates[25] with the samehash. Later that year, MD5's designer Ron Rivest wrote, "md5 and sha1 are both clearly broken (in terms ofcollision-resistance)."[26]

On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland[27] to change a normal SSL certificate issued by RapidSSL into a working CA certificate for that issuer, which could then be used to create other certificates that would appear to be legitimate and issued by RapidSSL. VeriSign, the issuers of RapidSSL certificates, said they stopped issuing new certificates using MD5 as their

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 3

checksum algorithm for RapidSSL once the vulnerability was announced.[28] Although Verisign declined to revokeexisting certificates signed using MD5, their response was considered adequate by the authors of the exploit(Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne deWeger).[7] Bruce Schneier wrote of the attack that "[w]e already knew that MD5 is a broken hash function" and that"no one should be using MD5 anymore."[29] The SSL researchers wrote, "Our desired impact is that CertificationAuthorities will stop using MD5 in issuing new certificates. We also hope that use of MD5 in other applications willbe reconsidered as well."[7]

MD5 uses the Merkle–Damgård construction, so if two prefixes with the same hash can be constructed, a commonsuffix can be added to both to make the collision more likely to be accepted as valid data by the application using it.Furthermore, current collision-finding techniques allow to specify an arbitrary prefix: an attacker can create twocolliding files that both begin with the same content. All the attacker needs to generate two colliding files is atemplate file with a 128-byte block of data, aligned on a 64-byte boundary that can be changed freely by thecollision-finding algorithm. An example MD5 collision, with the two messages differing in 6 bits, is:

d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89

55ad340609f4b302 83e488832571415a 085125e8f7cdc99f d91dbdf280373c5b

d8823e3156348f5b ae6dacd436c919c6 dd53e2b487da03fd 02396306d248cda0

e99f33420f577ee8 ce54b67080a80d1e c69821bcb6a88393 96f9652b6ff72a70

d131dd02c5e6eec4 693d9a0698aff95c 2fcab50712467eab 4004583eb8fb7f89

55ad340609f4b302 83e4888325f1415a 085125e8f7cdc99f d91dbd7280373c5b

d8823e3156348f5b ae6dacd436c919c6 dd53e23487da03fd 02396306d248cda0

e99f33420f577ee8 ce54b67080280d1e c69821bcb6a88393 96f965ab6ff72a70

Both produce the MD5 hash 79054025255fb1a26e4bc422aef54eb4.[30]

Preimage vulnerabilityIn April 2009, a preimage attack against MD5 was published that breaks MD5's preimage resistance. This attack isonly theoretical, with a computational complexity of 2123.4 for full preimage.[31][32]

Other vulnerabilitiesA number of projects have published MD5 rainbow tables online, that can be used to reverse many MD5 hashes intostrings that collide with the original input, usually for the purposes of password cracking.The use of MD5 in some websites' URLs means that search engines such as Google can also sometimes function as alimited tool for reverse lookup of MD5 hashes.[33]

Both these techniques are rendered ineffective by the use of a sufficiently long salt.

ApplicationsMD5 digests have been widely used in the software world to provide some assurance that a transferred file hasarrived intact. For example, file servers often provide a pre-computed MD5 (known as Md5sum) checksum for thefiles, so that a user can compare the checksum of the downloaded file to it. Unix-based operating systems includeMD5 sum utilities in their distribution packages, whereas Windows users use third-party applications. AndroidROMs also utilize this type of checksum.However, now that it is easy to generate MD5 collisions, it is possible for the person who created the file to create asecond file with the same checksum, so this technique cannot protect against some forms of malicious tampering.Also, in some cases the checksum cannot be trusted (for example, if it was obtained over the same channel as thedownloaded file), in which case MD5 can only provide error-checking functionality: it will recognize a corrupt or

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 4

incomplete download, which becomes more likely when downloading larger files.MD5 was widely used to store passwords.[34][35] Sound uses of MD5 include UUID (also known as GUID) version 3specified in RFC 4122, CRAM specified in RFC 2195, and the IETF NomCom lottery specified in RFC 3797.MD5 and other hash functions are also used in the field of electronic discovery, in order to provide a uniqueidentifier for each document that is exchanged during the legal discovery process. This method can be used toreplace the Bates stamp numbering system that has been used for decades during the exchange of paper documents.

Algorithm

Figure 1. One MD5 operation. MD5 consists of 64 of these operations, grouped infour rounds of 16 operations. F is a nonlinear function; one function is used in each

round. Mi denotes a 32-bit block of the message input, and Ki denotes a 32-bitconstant, different for each operation. s denotes a left bit rotation by s places; s

varies for each operation. denotes addition modulo 232.

MD5 processes a variable-length messageinto a fixed-length output of 128 bits. Theinput message is broken up into chunks of512-bit blocks (sixteen 32-bit little endianintegers); the message is padded so that itslength is divisible by 512. The paddingworks as follows: first a single bit, 1, isappended to the end of the message. This isfollowed by as many zeros as are required tobring the length of the message up to 64 bitsfewer than a multiple of 512. The remainingbits are filled up with a 64-bit big endianinteger representing the length of theoriginal message, in bits, modulo 264. Thebytes in each 32-bit block are big endian,but the 32-bit blocks are arranged in littleendian format.

The main MD5 algorithm operates on a128-bit state, divided into four 32-bit words,denoted A, B, C and D. These are initializedto certain fixed constants. The mainalgorithm then operates on each 512-bitmessage block in turn, each blockmodifying the state. The processing of amessage block consists of four similarstages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modularaddition, and left rotation. Figure 1 illustrates one operation within a round. There are four possible functions F; adifferent one is used in each round:

denote the XOR, AND, OR and NOT operations respectively.

Pseudocode

The MD5 hash is calculated according to this algorithm:

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 5

//Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating

var int[64] r, k

//r specifies the per-round shift amounts

r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}

r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}

r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}

r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

//Use binary integer part of the sines of integers (Radians) as constants:

for i from 0 to 63

k[i] := floor(abs(sin(i + 1)) × (2 pow 32))

end for

//(Or just use the following table):

k[ 0.. 3] := { 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee }

k[ 4.. 7] := { 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501 }

k[ 8..11] := { 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be }

k[12..15] := { 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821 }

k[16..19] := { 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa }

k[20..23] := { 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8 }

k[24..27] := { 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed }

k[28..31] := { 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a }

k[32..35] := { 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c }

k[36..39] := { 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70 }

k[40..43] := { 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05 }

k[44..47] := { 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665 }

k[48..51] := { 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039 }

k[52..55] := { 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1 }

k[56..59] := { 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1 }

k[60..63] := { 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 }

//Initialize variables:

var int h0 := 0x67452301

var int h1 := 0xefcdab89

var int h2 := 0x98badcfe

var int h3 := 0x10325476

//Pre-processing: adding a single 1 bit

append "1" bit to message

/* Notice: the input bytes are considered as bit strings,

where the first bit is the most significant bit of the byte.[36]

In other words: the order of bits in a byte is BIG ENDIAN,

but the order of bytes in a word is LITTLE ENDIAN */

//Pre-processing: padding with zeroes

append "0" bits until message length in bits ≡ 448 (mod 512)append length mod (2 pow 64) to message

/* bit (not byte) length of unpadded message as 64-bit little-endian integer */

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 6

//Process the message in successive 512-bit chunks:

for each 512-bit chunk of message

break chunk into sixteen 32-bit little-endian words w[j], 0 ≤ j ≤ 15//Initialize hash value for this chunk:

var int a := h0

var int b := h1

var int c := h2

var int d := h3

//Main loop:

for i from 0 to 63

if 0 ≤ i ≤ 15 then f := (b and c) or ((not b) and d)

g := i

else if 16 ≤ i ≤ 31 f := (d and b) or ((not d) and c)

g := (5×i + 1) mod 16

else if 32 ≤ i ≤ 47 f := b xor c xor d

g := (3×i + 5) mod 16

else if 48 ≤ i ≤ 63 f := c xor (b or (not d))

g := (7×i) mod 16

temp := d

d := c

c := b

b := b + leftrotate((a + f + k[i] + w[g]) , r[i])

a := temp

end for

//Add this chunk's hash to result so far:

h0 := h0 + a

h1 := h1 + b

h2 := h2 + c

h3 := h3 + d

end for

var char digest[16] := h0 append h1 append h2 append h3 //(expressed as little-endian)

//leftrotate function definition

leftrotate (x, c)

return (x << c) binary or (x >> (32-c));

Note: Instead of the formulation from the original RFC 1321 shown, the following may be used for improvedefficiency (useful if assembly language is being used - otherwise, the compiler will generally optimize the abovecode. Since each computation is dependent on another in these formulations, this is often slower than the abovemethod where the nand/and can be parallelised):

(0 ≤ i ≤ 15): f := d xor (b and (c xor d))(16 ≤ i ≤ 31): f := c xor (d and (b xor c))

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 7

MD5 hashesThe 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash:

MD5("The quick brown fox jumps over the lazy dog")

= 9e107d9d372bb6826bd81d3542a419d6

Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to theavalanche effect. For example, adding a period to the end of the sentence:

MD5("The quick brown fox jumps over the lazy dog.")

= e4d909c290d0fb1ca068ffaddf22cbd0

The hash of the zero-length string is:

MD5("")

= d41d8cd98f00b204e9800998ecf8427e

The MD5 algorithm is specified for messages consisting of any number of bits; it is not limited to multiples of eightbits (octets, bytes) as shown in the examples above. Some MD5 implementations such as md5sum might be limitedto octets, or they might not support streaming for messages of an initially undetermined length.

Notes[1][1] RFC 1321, section 3.4, "Step 4. Process Message in 16-Word Blocks", page 5.[2] Tao Xie and Dengguo Feng (30 May 2009). How To Find Weak Input Differences For MD5 Collision Attacks (http:/ / eprint. iacr. org/ 2009/

223. pdf). .[3] Xiaoyun Wang and Hongbo Yu. "How to Break MD5 and Other Hash Functions" (http:/ / merlot. usc. edu/ csac-f06/ papers/ Wang05a. pdf). .

Retrieved 2009-12-21.[4][4] Xiaoyun Wang, Dengguo ,k.,m.,m, HAVAL-128 and RIPEMD], Cryptology ePrint Archive Report 2004/199, 16 August 2004, revised 17

August 2004. Retrieved July 27, 2008.[5] J. Black, M. Cochran, T. Highland: A Study of the MD5 Attacks: Insights and Improvements (http:/ / www. cs. colorado. edu/ ~jrblack/

papers/ md5e-full. pdf), March 3, 2006. Retrieved July 27, 2008.[6] Marc Stevens, Arjen Lenstra, Benne de Weger: Vulnerability of software integrity and code signing applications to chosen-prefix collisions

for MD5 (http:/ / www. win. tue. nl/ hashclash/ SoftIntCodeSign/ ), Nov 30, 2007. Retrieved Jul 27, 2008.[7] Sotirov, Alexander; Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger (2008-12-30). "MD5

considered harmful today" (http:/ / www. win. tue. nl/ hashclash/ rogue-ca/ ). . Retrieved 2008-12-30. Announced (http:/ / events. ccc. de/congress/ 2008/ Fahrplan/ events/ 3023. en. html) at the 25th Chaos Communication Congress.

[8] Stray, Jonathan (2008-12-30). "Web browser flaw could put e-commerce security at risk" (http:/ / news. cnet. com/8301-1009_3-10129693-83. html). CNET.com. . Retrieved 2009-02-24.

[9] "US-CERT Vulnerability Note VU#836068" (http:/ / www. kb. cert. org/ vuls/ id/ 836068). Kb.cert.org. . Retrieved 2010-08-09.[10] "NIST.gov - Computer Security Division - Computer Security Resource Center" (http:/ / csrc. nist. gov/ groups/ ST/ hash/ policy. html).

Csrc.nist.gov. . Retrieved 2010-08-09.[11] Philip Hawkes and Michael Paddon and Gregory G. Rose: Musings on the Wang et al. MD5 Collision (http:/ / eprint. iacr. org/ 2004/ 264),

13 Oct 2004. Retrieved July 27, 2008.[12] Arjen Lenstra, Xiaoyun Wang, Benne de Weger: Colliding X.509 Certificates (http:/ / eprint. iacr. org/ 2005/ 067), Cryptology ePrint

Archive Report 2005/067, 1 March 2005, revised 6 May 2005. Retrieved July 27, 2008.[13] Vlastimil Klima: Finding MD5 Collisions – a Toy For a Notebook (http:/ / eprint. iacr. org/ 2005/ 075), Cryptology ePrint Archive Report

2005/075, 5 March 2005, revised 8 March 2005. Retrieved July 27, 2008.[14] Vlastimil Klima: Tunnels in Hash Functions: MD5 Collisions Within a Minute (http:/ / eprint. iacr. org/ 2006/ 105), Cryptology ePrint

Archive Report 2006/105, 18 March 2006, revised 17 April 2006. Retrieved July 27, 2008.[15] "Code Cracked! Cyber Command Logo Mystery Solved" (http:/ / www. wired. com/ dangerroom/ 2010/ 07/

code-cracked-cyber-command-logos-mystery-solved/ ). USCYBERCOM. Wired News. 2010-07-08. . Retrieved 2011-07-29.[16] Tao Xie, Dengguo Feng (2010). "Construct MD5 Collisions Using Just A Single Block Of Message" (http:/ / eprint. iacr. org/ 2010/ 643)

(PDF). . Retrieved 2011-07-28.[17][17] RFC 6151, Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 8

[18] M.M.J. Stevens (June 2007). On Collisions for MD5 (http:/ / www. win. tue. nl/ hashclash/ On Collisions for MD5 - M. M. J. Stevens. pdf). ."[...] we are able to find collisions for MD5 in about 224.1 compressions for recommended IHV's which takes approx. 6 seconds on a 2.6GHzPentium 4."

[19] Marc Stevens, Arjen Lenstra, Benne de Weger (2009-06-16). Chosen-prefix Collisions for MD5 and Applications (https:/ / documents. epfl.ch/ users/ l/ le/ lenstra/ public/ papers/ lat. pdf). .

[20] "New GPU MD5 cracker cracks more than 200 million hashes per second.." (http:/ / bvernoux. free. fr/ md5/ index. php). .[21] Magnus Daum, Stefan Lucks. "Hash Collisions (The Poisoned Message Attack)" (http:/ / th. informatik. uni-mannheim. de/ People/ lucks/

HashCollisions/ ). Eurocrypt 2005 rump session. .[22] Max Gebhardt, Georg Illies, Werner Schindler. A Note on the Practical Value of Single Hash Collisions for Special File Formats (http:/ /

csrc. nist. gov/ groups/ ST/ hash/ documents/ Illies_NIST_05. pdf). .[23] Dobbertin, Hans (Summer 1996), "The Status of MD5 After a Recent Attack" (ftp:/ / ftp. rsasecurity. com/ pub/ cryptobytes/ crypto2n2. pdf)

(pdf), RSA Laboratories CryptoBytes 2 (2): 1, , retrieved 2010-08-10, "The presented attack does not yet threaten practical applications ofMD5, but it comes rather close. ....[sic] in the future MD5 should no longer be implemented...[sic] where a collision-resistant hash function isrequired."

[24] "Schneier on Security: More MD5 Collisions" (http:/ / www. schneier. com/ blog/ archives/ 2005/ 06/ more_md5_collis. html).Schneier.com. . Retrieved 2010-08-09.

[25] "Colliding X.509 Certificates" (http:/ / www. win. tue. nl/ ~bdeweger/ CollidingCertificates/ ). Win.tue.nl. . Retrieved 2010-08-09.[26] "[Python-Dev] hashlib - faster md5/sha, adds sha256/512 support" (http:/ / mail. python. org/ pipermail/ python-dev/ 2005-December/

058850. html). Mail.python.org. . Retrieved 2010-08-09.[27] "Researchers Use PlayStation Cluster to Forge a Web Skeleton Key" (http:/ / blog. wired. com/ 27bstroke6/ 2008/ 12/ berlin. html). Wired.

2008-12-31. . Retrieved 2008-12-31.[28] Callan, Tim (2008-12-31). "This morning's MD5 attack - resolved" (https:/ / blogs. verisign. com/ ssl-blog/ 2008/ 12/

on_md5_vulnerabilities_and_mit. php). Verisign. . Retrieved 2008-12-31.[29] Forging SSL Certificates (http:/ / www. schneier. com/ blog/ archives/ 2008/ 12/ forging_ssl_cer. html)[30] Eric Rescorla (2004-08-17). "A real MD5 collision" (http:/ / www. rtfm. com/ movabletype/ archives/ 2004_08. html#001055). Educated

Guesswork (blog). .[31] Yu Sasaki, Kazumaro Aoki (2009-04-16). Finding Preimages in Full MD5 Faster Than Exhaustive Search (http:/ / www. springerlink. com/

content/ d7pm142n58853467/ ). Springer Berlin Heidelberg. .[32] Ming Mao and Shaohui Chen and Jin Xu (2009). "Construction of the Initial Structure for Preimage Attack of MD5" (http:/ / doi.

ieeecomputersociety. org/ 10. 1109/ CIS. 2009. 214). International Conference on Computational Intelligence and Security (IEEE ComputerSociety) 1: 442–445. doi:10.1109/CIS.2009.214. ISBN 978-0-7695-3931-7. .

[33] Steven J. Murdoch: Google as a password cracker (http:/ / www. lightbluetouchpaper. org/ 2007/ 11/ 16/ google-as-a-password-cracker/ ),Light Blue Touchpaper Blog Archive, Nov 16, 2007. Retrieved July 27, 2008.

[34] FreeBSD Handbook, Security - DES, Blowfish, MD5, and Crypt (http:/ / www. freebsd. org/ doc/ en/ books/ handbook/ crypt. html)[35] Solaris 10 policy.conf(4) man page (http:/ / docs. sun. com/ app/ docs/ doc/ 816-5174/ policy. conf-4?l=en& a=view)[36][36] RFC 1321, section 2, "Terminology and Notation", Page 2.

References• Berson, Thomas A. (1992). "Differential Cryptanalysis Mod 232 with Applications to MD5". EUROCRYPT.

pp. 71–80. ISBN 3-540-56413-6.• Bert den Boer; Antoon Bosselaers (1993). Collisions for the Compression Function of MD5. Berlin; London:

Springer. pp. 293–304. ISBN 3-540-57600-2.• Hans Dobbertin, Cryptanalysis of MD5 compress. Announcement on Internet, May 1996. "CiteSeerX" (http:/ /

citeseer. ist. psu. edu/ dobbertin96cryptanalysis. html). Citeseer.ist.psu.edu. Retrieved 2010-08-09.• Dobbertin, Hans (1996). "The Status of MD5 After a Recent Attack" (ftp:/ / ftp. rsasecurity. com/ pub/

cryptobytes/ crypto2n2. pdf). CryptoBytes 2 (2).• Xiaoyun Wang; Hongbo Yu (2005). "How to Break MD5 and Other Hash Functions" (http:/ / www. infosec. sdu.

edu. cn/ uploadfile/ papers/ How to Break MD5 and Other Hash Functions. pdf). EUROCRYPT. ISBN3-540-25910-4.

S8CSE_Cryptography additionals

by Abhijith Marathakam

MD5 9

External links• RFC 1321 The MD5 Message-Digest Algorithm• RFC 6151 Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms• W3C recommendation on MD5 (http:/ / www. w3. org/ TR/ 1998/ REC-DSig-label/ MD5-1_0)• REXX MD5 test suite (http:/ / purl. net/ xyzzy/ src/ md5. cmd) covers MD5 examples in various RFCs (incl.

errata)

S8CSE_Cryptography additionals

by Abhijith Marathakam

Article Sources and Contributors 10

Article Sources and ContributorsMD5  Source: http://en.wikipedia.org/w/index.php?oldid=488462210  Contributors: 129.128.164.xxx, 216.150.138.xxx, 4twenty42o, Aaboelela, Aayush214, Adashiel, Ahy1, Akamad, Aleenf1,Alerante, Alex Shih, AlexanderKlink, AlistairMcMillan, Allmightyduck, Amr Ramadan, Andre Engels, AndyKali, Antaeus Feldspar, Anthony, ArchonMagnus, Arvindn, Astronautics, Aurumax,Az1568, BBar, Bagricek, Bbatsell, Bdesham, Ben-Zin, Bender235, Beta16, Bevo, Biblbroks, Bigdok, Biggins, Bkell, Blowdart, Bmschulman, BonzoESC, Boredzo, Brendandonhue, Brianhe,BrokenSegue, Bryan Derksen, CBM, CRGreathouse, CambridgeBayWeather, Canadian-Bacon, CanisRufus, CesarB, Cfeet77, Chealer, Ciphergoth, Cit helper, Clone53421, Coffee2theorems,Comperr, Conversion script, Coolhead33, Cophus, Corti, Crobichaud, Cryptic, Css, Damieng, DancingPhilosopher, Darrien, David Eppstein, David-Sarah Hopwood, Davidgothberg,Dawnseeker2000, Dcoetzee, Deagle AP, DerekMorr, Dimawik, Djordjes, Dmccarty, Dngrogan, DocWatson42, Dolphin51, Draicone, Drake Wilson, Drichards2, Dwheeler, DéRahier, Długosz,Elsendero, Elvey, EncMstr, Evercat, Evil Monkey, Eyreland, F, FQuist, Face, Faithtear, Fant, Feezo, Fr33ke, FrYGuY, Frankk74, Frazzydee, Frecklefoot, Fredrik, Freywa, Garas, Gary63, Gaviaimmer, Gcm, Gearoid murphy, Gerbrant, Giftlite, Graham87, Graue, Greg Tyler, GregorB, GreyCat, Guoxue, Gwilbur, Haakon, Hadal, Haikz, Hash hasher, Hede2000, Hethrir, His HighnessSajjad, HonoreDB, Hoovernj, HorsePunchKid, HubertTrzewik, IRbaboon, Ikh, Imran, Inkling, Intgr, Ironmanxsl, Isidore, Islamsalah, Ivan, Ivan Akira, Ixfd64, J-Wiki, J.delanoy, J44xm,Jacks1881, Janetmck, Janufist, Jaredwf, Jbanes, Jberkes, Jebus989, Jeffz1, Jesse Viviano, Jewbacca, Jj137, Jk2q3jrklse, John Vandenberg, JohnAdriaan, Johnuniq, Jonelo, Jpkotta, Karada, KellyMartin, Kernoz, KevinJr42, Kigali1, King hacr, Kirachinmoku, Kirill Zinov, Kiwi128, Knowhow, Kragen, Kricxjo, Kylu, KyuubiSeal, Largesock, Lark046, Lipis, LittleDan, Lmatt, Loadmaster,Lolden, Lowellian, Lumingz, Lunkwill, M4gnum0n, MER-C, MITalum, MageDealer, Magioladitis, Maian, Makavelimx, Manishearth, MarekMahut, Mariushm, Markwaugh117, Martin Hinks,Martin.cochran, Materialscientist, Matt Crypto, Mcindy, Mdd4696, Mendaliv, Michael Hardy, Michael miceli, Michaelll, Mike Rosoft, Mike1242, MikeCapone, Mikeblas, Mipadi, Mmernex,Moonrat506, Moriori, Mpnolan, Mrand, Myria, Mzacarias, Nakon, NawlinWiki, Nealmcb, Netkinetic, Nicolas1981, Nikai, Noloader, Not Kenton Archer, Ntsimp, Olathe, Oli Filth, Omegatron,Omniplex, OverlordQ, Ozuma, Padsquad43, Pako, Palica, PatrikR, Paulschou, Peterl, Pgan002, Pgimeno, Piriax, Pjf, Platonides, Pol430, Powerslide, Psychotic Spoon, Pvasudev, Quelrod,Quietbritishjim, Qwfp, Qwu1777, R00723r0, Rabbler, RainbowOfLight, RandomAct, RandyHassan, Raraoul, Rasmus Faber, Rawling, Rdancer, Reaper Eternal, Relaxing, Rettetast, RichFarmbrough, Richardcavell, S3000, SDC, SMC, ST47, STOriginaL, Sadads, Sameervijaykar, Saqib, Sasquatch, Scienceandpoetry, Sciyoshi, Sdschulze, SeL, Seanqtx, Serpentes, Seyen,Shabbirbhimani, Shaddack, ShaunMacPherson, Sideris-efthimios, Simetrical, Skalman, Slash, Sligocki, Sliwers, Snori, Snorkelman, Soku, SpeedyGonsales, Spinal007, StarBuG, Stevo2001,Strom, Superm401, Surachit, Suruena, Sus scrofa, Syrthiss, Taimy, Tbsdy lives, Tcsetattr, Tedickey, Tero, Tetracube, The Anome, The Inedible Bulk, The Thing That Should Not Be, Theone256,Thereverendeg, Thomas Larsen, Tim Starling, Timwi, Tom harrison, TomViza, Tracer9999, Travis Evans, Unkamunka, WISo, Wellithy, WereSpielChequers, WikHead, Wikilolo, Wikinaut,WojPob, Wolftengu, Ww, Xmm0, Yaronf, Yurik, ZanderZ, Zarano, Zchenyu, Zeruski, Zivi03, Ztobor, Zundark, 852 anonymous edits

Image Sources, Licenses and ContributorsImage:lll.png  Source: http://en.wikipedia.org/w/index.php?title=File:Lll.png  License: Public Domain  Contributors: Matt CryptoImage:Boxplus.png  Source: http://en.wikipedia.org/w/index.php?title=File:Boxplus.png  License: Public Domain  Contributors: Grafite, JMCC1, MaksimImage:MD5.svg  Source: http://en.wikipedia.org/w/index.php?title=File:MD5.svg  License: Creative Commons Attribution-Sharealike 3.0,2.5,2.0,1.0  Contributors: Surachit

LicenseCreative Commons Attribution-Share Alike 3.0 Unported//creativecommons.org/licenses/by-sa/3.0/

S8CSE_Cryptography additionals

by Abhijith Marathakam

Secure Electronic Transaction 1

Secure Electronic TransactionSecure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecurenetworks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols andformats that enable users to employ the existing credit card payment infrastructure on an open network in a securefashion. However, it failed to gain traction. VISA now promotes the 3-D Secure scheme.

History and developmentSET was developed by SETco, led by VISA and MasterCard (and involving other companies such as GTE, IBM,Microsoft, Netscape, RSA, Safelayer --formerly SET Projects-- and VeriSign) starting in 1996. SET was based onX.509 certificates with several extensions. The first version was finalised in May 1997 and a pilot test wasannounced in July 1998.SET allowed parties to cryptographically identify themselves to each other and exchange information securely. SETused a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-cardnumber. If SET were used, the merchant itself would never have had to know the credit-card numbers being sentfrom the buyer, which would have provided verified good payment but protected customers and credit companiesfrom fraud.SET was intended to become the de facto standard of payment method on the Internet between the merchants, thebuyers, and the credit-card companies. Despite heavy publicity, it failed to win market share. Reasons for thisinclude:• Network effect - need to install client software (an e-wallet).• Cost and complexity for merchants to offer support and comparatively low cost and simplicity of the existing SSL

based alternative.•• Client-side certificate distribution logistics.

Key featuresTo meet the business requirements, SET incorporates the following features:•• Confidentiality of information•• Integrity of data•• Cardholder account authentication•• Merchant authentication

ParticipantsA SET system includes the following participants:•• Cardholder•• Merchant•• Issuer•• Acquirer•• Payment gateway•• Certification authority

S8CSE_Cryptography additionals

by Abhijith Marathakam

Secure Electronic Transaction 2

TransactionThe sequence of events required for a transaction are as follows:1. The customer obtains a credit card account with a bank that supports electronic payment and SET2. The customer receives a X.509v3 digital certificate signed by the bank.3.3. Merchants have their own certificates4.4. The customer places an order5.5. The merchant sends a copy of its certificate so that the customer can verify that it's a valid store6.6. The order and payment are sent7.7. The merchant requests payment authorization8.8. The merchant confirms the order9.9. The merchant ships the goods or provides the service to the customer10.10. The merchant requests payment

Dual signatureAn important innovation introduced in SET is the dual signature. The purpose of the dual signature is the same asthe standard electronic signature: to guarantee the authentication and integrity of data. It links two messages that areintended for two different recipients. In this case, the customer wants to send the order information (OI) to themerchant and the payment information (PI) to the bank. The merchant does not need to know the customer's creditcard number, and the bank does not need to know the details of the customer's order. The link is needed so that thecustomer can prove that the payment is intended for this order.The message digest (MD) of the OI and the PI are independently calculated by the customer. The dual signature isthe encrypted MD (with the customer's secret key) of the concatenated MD's of PI and OI. The dual signature is sentto both the merchant and the bank. The protocol arranges for the merchant to see the MD of the PI without seeing thePI itself, and the bank sees the MD of the OI but not the OI itself. The dual signature can be verified using the MD ofthe OI or PI. It doesn't require the OI or PI itself. Its MD does not reveal the content of the OI or PI, and thus privacyis preserved.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Article Sources and Contributors 3

Article Sources and ContributorsSecure Electronic Transaction  Source: http://en.wikipedia.org/w/index.php?oldid=431183512  Contributors: Alansohn, Argilo, Axel.fois, Becheung, David Gerard, Deville, Grimey109,Ignacioerrico, Jarjoura, Juanpdp, Luismgarcia, MainFrame, Matt Crypto, MuffledThud, RJaguar3, SWAdair, Sbisolo, Shadowjams, Sietse Snel, SkyWalker, SouthernNights, Tad Lincoln, Tcncv,Urdna, Vicky Ng, WMXX, Wk muriithi, Yun-Yammka, Zollerriia, 67 anonymous edits

LicenseCreative Commons Attribution-Share Alike 3.0 Unported//creativecommons.org/licenses/by-sa/3.0/

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 1

Transport Layer SecurityTransport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocolsthat provide communication security over the Internet.[1] TLS and SSL encrypt the segments of network connectionsat the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, andmessage authentication codes for message integrity.Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail,Internet faxing, instant messaging and voice-over-IP (VoIP).TLS is an IETF standards track protocol, last updated in RFC 5246, and is based on the earlier SSL specificationsdeveloped by Netscape Communications.[2]

DescriptionThe TLS protocol allows client-server applications to communicate across a network in a way designed to preventeavesdropping and tampering.Since most protocols can be used either with or without TLS (or SSL) it is necessary to indicate to the server whetherthe client is making a TLS connection or not. There are two main ways of achieving this, one option is to use adifferent port number for TLS connections (for example port 443 for HTTPS). The other is to use the regular portnumber and have the client request that the server switch the connection to TLS using a protocol specific mechanism(for example STARTTLS for mail and news protocols).Once the client and server have decided to use TLS they negotiate a stateful connection by using a handshakingprocedure.[3] During this handshake, the client and server agree on various parameters used to establish theconnection's security.• The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and

presents a list of supported cipher suites (ciphers and hash functions).•• From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of

the decision.• The server sends back its identification in the form of a digital certificate. The certificate usually contains the

server name, the trusted certificate authority (CA) and the server's public encryption key.•• The client may contact the server that issued the certificate (the trusted CA as above) and confirm the validity of

the certificate before proceeding.• In order to generate the session keys used for the secure connection, the client encrypts a random number with the

server's public key and sends the result to the server. Only the server should be able to decrypt it, with its privatekey.

•• From the random number, both parties generate key material for encryption and decryption.This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the keymaterial until the connection closes.If any one of the above steps fails, the TLS handshake fails and the connection is not created.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 2

History and development

Secure Network Programming APIEarly research efforts toward transport layer security included the Secure Network Programming (SNP)application programming interface (API), which in 1993 explored the approach of having a secure transport layerAPI closely resembling Berkeley sockets, to facilitate retrofitting preexisting network applications with securitymeasures.[4]

SSL 1.0, 2.0 and 3.0The SSL protocol was originally developed by Netscape.[5] Version 1.0 was never publicly released; version 2.0 wasreleased in February 1995 but "contained a number of security flaws which ultimately led to the design of SSLversion 3.0".[6] SSL version 3.0, released in 1996, was a complete redesign of the protocol produced by Paul Kocherworking with Netscape engineers Phil Karlton and Alan Freier. Newer versions of SSL/TLS are based on SSL 3.0.The 1996 draft of SSL 3.0 was published by IETF as a historic document in RFC 6101.

TLS 1.0TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade to SSL Version 3.0. As stated in the RFC, "thedifferences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 andSSL 3.0 do not interoperate." TLS 1.0 does include a means by which a TLS implementation can downgrade theconnection to SSL 3.0, thus weakening security.On September 23, 2011 researchers Thai Duong and Juliano Rizzo demonstrated a "proof of concept" called BEAST(Browser Exploit Against SSL/TLS) using a Java Applet to violate same origin policy constraints, for along-known Cipher block chaining (CBC) vulnerability in TLS 1.0.[7][8] Practical exploits had not been previouslydemonstrated for this vulnerability, which was originally discovered by Phillip Rogaway[9] in 2002.Mozilla updated the development versions of their NSS libraries to mitigate BEAST-like attacks. NSS is used byMozilla Firefox and Google Chrome to implement SSL. Some web servers that have a broken implementation of theSSL specification may stop working as a result.[10]

Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability bychanging the way that the Windows Secure Channel (SChannel) component transmits encrypted network packets.[11]

As a work-around, the BEAST attack can also be prevented by removing all CBC ciphers from one's list of allowedciphers—leaving only the RC4 cipher, which is still widely supported on most websites.[12][13] Users of Windows 7and Windows Server 2008 R2 can enable use of TLS 1.1 and 1.2, but this work-around will fail if it is not supportedby the other end of the connection and will result in a fall-back to TLS 1.0.

TLS 1.1TLS 1.1 was defined in RFC 4346 in April 2006.[14] It is an update from TLS version 1.0. Significant differences inthis version include:• Added protection against Cipher block chaining (CBC) attacks.

• The implicit Initialization Vector (IV) was replaced with an explicit IV.• Change in handling of padding errors.

• Support for IANA registration of parameters.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 3

TLS 1.2TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differencesinclude:• The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option

to use cipher-suite specified PRFs.•• The MD5-SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option to use

cipher-suite specific hash algorithms. However the size of the hash in the finished message is still truncated to96-bits.

• The MD5-SHA-1 combination in the digitally-signed element was replaced with a single hash negotiated duringhandshake, defaults to SHA-1.

•• Enhancement in the client's and server's ability to specify which hash and signature algorithms they will accept.• Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and

CCM mode of Advanced Encryption Standard encryption.• TLS Extensions definition and Advanced Encryption Standard CipherSuites were added.TLS 1.2 was further refined in RFC 6176 in March 2011 redacting its backward compatibility with SSL such thatTLS sessions will never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

ApplicationsIn applications design, TLS is usually implemented on top of any of the Transport Layer protocols, encapsulating theapplication-specific protocols such as HTTP, FTP, SMTP, NNTP and XMPP. Historically it has been used primarilywith reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also beenimplemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and theDatagram Congestion Control Protocol (DCCP), usage which has been standardized independently using the termDatagram Transport Layer Security (DTLS).A prominent use of TLS is for securing World Wide Web traffic carried by HTTP to form HTTPS. Notableapplications are electronic commerce and asset management. Increasingly, the Simple Mail Transfer Protocol(SMTP) is also protected by TLS. These applications use public key certificates to verify the identity of endpoints.TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendorsnow marry TLS's encryption and authentication capabilities with authorization. There has also been substantialdevelopment since the late 1990s in creating client technology outside of the browser to enable support forclient/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherentadvantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used toprovide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.

SecurityTLS has a variety of security measures:•• Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.• Numbering subsequent Application records with a sequence number and using this sequence number in the

message authentication codes (MACs).• Using a message digest enhanced with a key (so only a key-holder can check the MAC). The HMAC construction

used by most TLS cipher suites is specified in RFC 2104 (SSL 3.0 used a different hash-based MAC).•• The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by

both parties.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 4

• The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm(MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of thesealgorithms is found to be vulnerable. TLS only.

•• SSL 3.0 improved upon SSL 2.0 by adding SHA-1 based ciphers and support for certificate authentication.From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL 3.0 cipher suiteshave a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hashfunction, which is not resistant to collisions and is, therefore, not considered secure. Under TLS 1.0, the master keythat is established depends on both MD5 and SHA-1 so its derivation process is not currently considered weak. It isfor this reason that SSL 3.0 implementations cannot be validated under FIPS 140-2.[15]

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injectionattacks against SSL 3.0 and all current versions of TLS. For example, it allows an attacker who can hijack an httpsconnection to splice their own requests into the beginning of the conversation the client has with the web server. Theattacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middleattack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require otherchanges unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extensionwas proposed for TLS. It will require the client and server to include and verify information about previoushandshakes in any renegotiation handshakes.[16] This extension has become a proposed standard and has beenassigned the number RFC 5746. The RFC has been implemented in recent OpenSSL[17] and other libraries.[18][19]

There are some attacks against the implementation rather than the protocol itself:[20]

• In the earlier implementations, some CAs[21] did not explicitly set basicConstraints CA=FALSE for leaf nodes.As a result, these leaf nodes could sign rogue certificates. In addition, some early software (including IE6 andKonqueror) did not check this field altogether. This can be exploited for man-in-the-middle attack on all potentialSSL connections.

• Some implementations (including older versions of Microsoft Cryptographic API, Network Security Services andGnuTLS) stop reading any characters that follow the null character in the name field of the certificate, which canbe exploited to fool the client into reading the certificate as if it were one that came from the authentic site, e.g.paypal.com\0.badguy.com would be mistaken as the site of paypal.com rather than badguy.com.

• Browsers implemented SSL/TLS protocol version fallback mechanisms for compatibility reasons. The protectionoffered by the SSL/TLS protocols against a downgrade to a previous version by an active MITM attack can berendered useless by such mechanisms.[22]

SSL 2.0 is flawed in a variety of ways:•• Identical cryptographic keys are used for message authentication and encryption.•• SSL 2.0 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable

to length extension attacks.• SSL 2.0 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go

undetected.•• SSL 2.0 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible:

the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL3.0 fixes this problem by having an explicit closure alert).

•• SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtualhosting in Web servers. This means that most websites are practically impaired from using SSL.

SSL 2.0 is disabled by default in Internet Explorer 7,[23] Mozilla Firefox 2, Mozilla Firefox 3, Mozilla Firefox 4[24]

Opera and Safari. After it sends a TLS ClientHello, if Mozilla Firefox finds that the server is unable to complete thehandshake, it will attempt to fall back to using SSL 3.0 with an SSL 3.0 ClientHello in SSL 2.0 format to maximizethe likelihood of successfully handshaking with older servers.[25] Support for SSL 2.0 (and weak 40-bit and 56-bitciphers) has been removed completely from Opera as of version 9.5.[26]

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 5

Modifications to the original protocols, like False Start (adopted and enabled by Google Chrome[27]) or Snap Start,have been reported to introduce limited TLS protocol version rollback attacks[28] or to allow modifications to thecipher suite list sent by the client to the server (an attacker may be able influence the cipher suite selection in anattempt to downgrade the cipher suite strength, to use either a weaker symmetric encryption algorithm or a weakerkey exchange[29]).

TLS handshake in detailThe TLS protocol exchanges records, which encapsulate the data to be exchanged. Each record can be compressed,padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of theconnection. Each record has a content type field that specifies the record, a length field and a TLS version field.When the connection starts, the record encapsulates another protocol — the handshake messaging protocol — whichhas content type 22.

Simple TLS handshake

A simple connection example follows, illustrating a handshake where the server (but not the client) is authenticatedby its certificate:1.1. Negotiation phase:

• A client sends a ClientHello message specifying the highest TLS protocol version it supports, a randomnumber, a list of suggested CipherSuites and suggested compression methods. If the client is attempting toperform a resumed handshake, it may send a session ID.

• The server responds with a ServerHello message, containing the chosen protocol version, a random number,CipherSuite and compression method from the choices offered by the client. To confirm or allow resumedhandshakes the server may send a session ID. The chosen protocol version should be the highest that both theclient and server support. For example, if the client supports TLS1.1 and the server supports TLS1.2, TLS1.1should be selected; SSL 3.0 should not be selected.

• The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by theserver).[30]

• The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.• The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key,

or nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the publickey of the server certificate.

• The client and server then use the random numbers and PreMasterSecret to compute a common secret, calledthe "master secret". All other key data for this connection is derived from this master secret (and the client- andserver-generated random values), which is passed through a carefully designed pseudorandom function.

2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from nowon will be authenticated (and encrypted if encryption parameters were present in the server certificate)." TheChangeCipherSpec is itself a record-level protocol with content type of 20.• Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over

the previous handshake messages.• The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the

decryption or verification fails, the handshake is considered to have failed and the connection should be torndown.

3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will beauthenticated (and encrypted, if encryption was negotiated)."• The server sends its authenticated and encrypted Finished message.•• The client performs the same decryption and verification.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 6

4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with contenttype of 23. Application messages exchanged between client and server will also be authenticated and optionallyencrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will notauthenticate.

Client-authenticated TLS handshake

The following full example shows a client being authenticated (in addition to the server like above) via TLS usingcertificates exchanged between both peers.1.1. Negotiation Phase:

• A client sends a ClientHello message specifying the highest TLS protocol version it supports, a randomnumber, a list of suggested cipher suites and compression methods.

• The server responds with a ServerHello message, containing the chosen protocol version, a random number,cipher suite and compression method from the choices offered by the client. The server may also send asession id as part of the message to perform a resumed handshake.

• The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by theserver).[30]

• The server requests a certificate from the client, so that the connection can be mutually authenticated, using aCertificateRequest message.

• The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.• The client responds with a Certificate message, which contains the client's certificate.• The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or

nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public keyof the server certificate.

• The client sends a CertificateVerify message, which is a signature over the previous handshake messagesusing the client's certificate's private key. This signature can be verified by using the client's certificate's publickey. This lets the server know that the client has access to the private key of the certificate and thus owns thecertificate.

• The client and server then use the random numbers and PreMasterSecret to compute a common secret, calledthe "master secret". All other key data for this connection is derived from this master secret (and the client- andserver-generated random values), which is passed through a carefully designed pseudorandom function.

2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from nowon will be authenticated (and encrypted if encryption was negotiated)." The ChangeCipherSpec is itself arecord-level protocol and has type 20 and not 22.• Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous

handshake messages.• The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the

decryption or verification fails, the handshake is considered to have failed and the connection should be torndown.

3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will beauthenticated (and encrypted if encryption was negotiated)."• The server sends its own encrypted Finished message.•• The client performs the same decryption and verification.

4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with contenttype of 23. Application messages exchanged between client and server will also be encrypted exactly like in theirFinished message. The application will never again return TLS encryption information without a type 32 apology.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 7

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secureshortcut in the handshake mechanism to avoid these operations. In an ordinary full handshake, the server sends asession id as part of the ServerHello message. The client associates this session id with the server's IP address andTCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. Inthe server, the session id maps to the cryptographic parameters previously negotiated, specifically the "mastersecret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents aneavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtuallyguarantee that the generated connection keys will be different than in the previous connection. In the RFCs, this typeof handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.1.1. Negotiation phase:

• A client sends a ClientHello message specifying the highest TLS protocol version it supports, a randomnumber, a list of suggested cipher suites and compression methods. Included in the message is the session idfrom the previous TLS connection.

• The server responds with a ServerHello message, containing the chosen protocol version, a random number,cipher suite and compression method from the choices offered by the client. If the server recognizes thesession id sent by the client, it responds with the same session id. The client uses this to recognize that aresumed handshake is being performed. If the server does not recognize the session id sent by the client, itsends a different value for its session id. This tells the client that a resumed handshake will not be performed.At this point, both the client and server have the "master secret" and random data to generate the key data to beused for this connection.

2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from nowon will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.• Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous

handshake messages.• The server will attempt to decrypt the client's Finished message and verify the hash and MAC. If the

decryption or verification fails, the handshake is considered to have failed and the connection should be torndown.

3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will beencrypted."• The server sends its own encrypted Finished message.•• The client performs the same decryption and verification.

4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with contenttype of 23. Application messages exchanged between client and server will also be encrypted exactly like in theirFinished message.

Apart from the performance benefit, resumed sessions can also be used for single sign-on as it is guaranteed thatboth the original session as well as any resumed session originate from the same client. This is of particularimportance for the FTP over TLS/SSL protocol which would otherwise suffer from a man in the middle attack inwhich an attacker could intercept the contents of the secondary data connections.[31]

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 8

TLS record protocolThis is the general format of all TLS records.

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte0

Content type

Bytes1..4

Version Length

(Major) (Minor) (bits 15..8) (bits 7..0)

Bytes5..(m-1)

Protocol message(s)

Bytesm..(p-1)

MAC (optional)

Bytesp..(q-1)

Padding (block ciphers only)

Content typeThis field identifies the Record Layer Protocol Type contained in this Record.

Content types

Hex Dec Type

0x14 20 ChangeCipherSpec

0x15 21 Alert

0x16 22 Handshake

0x17 23 Application

VersionThis field identifies the major and minor version of TLS for the contained message. For a ClientHellomessage, this need not be the highest version supported by the client.

Versions

MajorVersion

MinorVersion

Version Type

3 0 SSL 3.0

3 1 TLS 1.0

3 2 TLS 1.1

3 3 TLS 1.2

LengthThe length of Protocol message(s), not to exceed 214 bytes (16 KiB).

Protocol message(s)One or more messages identified by the Protocol field. Note that this field may be encrypted depending on thestate of the connection.

MAC and Padding

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 9

A message authentication code computed over the Protocol message, with additional key material included.Note that this field may be encrypted, or not included entirely, depending on the state of the connection.No MAC or Padding can be present at end of TLS records before all cipher algorithms and parameters havebeen negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) forsignalling that these parameters will take effect in all further records sent by the same peer.

Handshake protocolMost messages exchanged during the setup of the TLS session are based on this record, unless an error or warningoccurs and needs to be signalled by an Alert protocol record (see below), or the encryption mode of the session ismodified by another record (see ChangeCipherSpec protocol below).

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte0

22

Bytes1..4

Version Length

(Major) (Minor) (bits 15..8) (bits 7..0)

Bytes5..8

Message type Handshake message data length

(bits 23..16) (bits 15..8) (bits 7..0)

Bytes9..(n-1)

Handshake message data

Bytesn..(n+3)

Message type Handshake message data length

(bits 23..16) (bits 15..8) (bits 7..0)

Bytes(n+4)..

Handshake message data

Message typeThis field identifies the Handshake message type.

Message Types

Code Description

0 HelloRequest

1 ClientHello

2 ServerHello

11 Certificate

12 ServerKeyExchange

13 CertificateRequest

14 ServerHelloDone

15 CertificateVerify

16 ClientKeyExchange

20 Finished

Handshake message data lengthThis is a 3-byte field indicating the length of the handshake data, not including the header.

Note that multiple Handshake messages may be combined within one record.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 10

Alert protocolThis record should normally not be sent during normal handshaking or application exchanges. However, thismessage can be sent at any time during the handshake and up to the closure of the session. If this is used to signal afatal error, the session will be closed immediately after sending this record, so this record is used to give a reason forthis closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that thesession is not reliable enough for its needs (before doing so, the remote may also send its own signal).

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte0

21

Bytes1..4

Version Length

(Major) (Minor) 0 2

Bytes5..6

Level Description

Bytes7..(p-1)

MAC (optional)

Bytesp..(q-1)

Padding (block ciphers only)

LevelThis field identifies the level of alert. If the level is fatal, the sender should close the session immediately.Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closingthe session itself immediately after sending it. The use of Alert records is optional, however if it is missingbefore the session closure, the session may be resumed automatically (with its handshakes).Normal closure of a session after termination of the transported application should preferably be alerted withat least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a newsession. Signalling explicitly the normal closure of a secure session before effectively closing its transportlayer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if itintrinsically does not have a predetermined length or duration that the recipient of the secured data mayexpect).

Alert level types

Code Level type Connection state

1 warning connection or security may be unstable.

2 fatal connection or security may be compromised, or an unrecoverable error has occurred.

DescriptionThis field identifies which type of alert is being sent.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 11

Alert description types

Code Description Level types Note

0 Close notify warning/fatal

10 Unexpected message fatal

20 Bad record MAC fatal Possibly a bad SSL implementation, or payload has been tampered with e.g. FTPfirewall rule on FTPS server.

21 Decryption failed fatal TLS only, reserved

22 Record overflow fatal TLS only

30 Decompression failure fatal

40 Handshake failure fatal

41 No certificate warning/fatal SSL 3.0 only, reserved

42 Bad certificate warning/fatal

43 Unsupported certificate warning/fatal E.g. certificate has only Server authentication usage enabled and is presented as aclient certificate

44 Certificate revoked warning/fatal

45 Certificate expired warning/fatal Check server certificate expire also check no certificate in the chain presented hasexpired

46 Certificate unknown warning/fatal

47 Illegal parameter fatal

48 Unknown CA (Certificateauthority)

fatal TLS only

49 Access denied fatal TLS only - E.g. no client certificate has been presented (TLS: Blank certificatemessage or SSLv3: No Certificate alert), but server is configured to require one.

50 Decode error fatal TLS only

51 Decrypt error warning/fatal TLS only

60 Export restriction fatal TLS only, reserved

70 Protocol version fatal TLS only

71 Insufficient security fatal TLS only

80 Internal error fatal TLS only

90 User cancelled fatal TLS only

100 No renegotiation warning TLS only

110 Unsupported extension warning TLS only

111 Certificate unobtainable warning TLS only

112 Unrecognized name warning TLS only; client's Server Name Indicator specified a hostname not supported by theserver

113 Bad certificate status response fatal TLS only

114 Bad certificate hash value fatal TLS only

115 Unknown PSK identity (used inTLS-PSK and TLS-SRP)

fatal TLS only

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 12

ChangeCipherSpec protocol

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte0

20

Bytes1..4

Version Length

(Major) (Minor) 0 1

Byte5

CCS protocol type

CCS protocol typeCurrently only 1.

Application protocol

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte0

23

Bytes1..4

Version Length

(Major) (Minor) (bits 15..8) (bits 7..0)

Bytes5..(m-1)

Application data

Bytesm..(p-1)

MAC (optional)

Bytesp..(q-1)

Padding (block ciphers only)

LengthLength of Application data (excluding the protocol header and including the MAC and padding trailers)

MAC20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.

PaddingVariable length ; last byte contains the padding length.

Support for name-based virtual serversFrom the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarseto show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before theapplication protocol can start. The name-based virtual server feature being provided by the application layer, allco-hosted virtual servers share the same certificate because the server has to select and send a certificate immediatelyafter the ClientHello message. This is a big problem in hosting environments because it means either sharing thesame certificate among all customers or using a different IP address for each of them.There are two known workarounds provided by X.509:• If all virtual servers belong to the same domain, a wildcard certificate can be used. Besides the loose host name

selection that might be a problem or not, there is no common agreement about how to match wildcard certificates.Different rules are applied depending on the application protocol or software used.[32]

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 13

•• Add every virtual host name in the subjectAltName extension. The major problem being that the certificate needsto be reissued whenever a new virtual server is added.

In order to provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include aServer Name Indication extension (SNI) in the extended ClientHello message. This extension hints the serverimmediately which name the client wishes to connect to, so the server can select the appropriate certificate to send tothe client.

ImplementationsSSL and TLS have been widely implemented in several free and open source software projects. Programmers mayuse the PolarSSL, CyaSSL, OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Microsoft Windowsincludes an implementation of SSL and TLS as part of its Secure Channel package. Delphi programmers may use alibrary called Indy. Comparison of TLS Implementations provides a brief comparison of features of differentimplementations.

Browser implementationsAll the most recent web browsers support TLS:• Apple's Safari supports TLS, but it’s not officially specified which version.[33] On operating systems (Safari uses

the TLS implementation of the underlying OS) like Mac OS X 10.5.8, Mac OS X 10.6.6, Windows XP, WindowsVista or Windows 7, Safari 5 has been reported to support TLS 1.0.[34]

• Mozilla Firefox, versions 2 and above, support TLS 1.0.[35] As of January 2012 Firefox does not support TLS 1.1or 1.2.[36]

• Microsoft Internet Explorer always uses the TLS implementation of the underlying Microsoft Windows OperatingSystem, a service called SChannel Security Service Provider. Internet Explorer 8 in Windows 7 and WindowsServer 2008 R2 supports TLS 1.2. Windows 7 and Windows Server 2008 R2 use the same code (MicrosoftWindows Version 6.1 (build 7600)) similar to how Windows Vista SP1 uses the same code as Windows 2008Server.[37]

• As of Presto 2.2, featured in Opera 10, Opera supports TLS 1.2.[38]

• Google's Chrome browser supports TLS 1.0, but not TLS 1.1 or 1.2.[39]

StandardsThe current approved version of TLS is version 1.2, which is specified in:• RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2”.The current standard replaces these former versions, which are now considered obsolete:• RFC 2246: “The TLS Protocol Version 1.0”.• RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.as well as the never standardized SSL 3.0:• RFC 6101: “The Secure Sockets Layer (SSL) Protocol Version 3.0”.Other RFCs subsequently extended TLS.Extensions to TLS 1.0 include:• RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP

services that allow the server and client to use transport-layer security to provide private, authenticatedcommunication over the Internet.

• RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 14

already been assigned.• RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to

initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and securedHTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).

• RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different 'serverport'.

• RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension tothe SMTP service that allows an SMTP server and client to use transport-layer security to provide private,authenticated communication over the Internet.

• RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) cipher suites to thepreviously existing symmetric ciphers.

• RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensionsduring session initialisation and defines some extensions. Made obsolete by RFC 4366.

• RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compressionmethods and the DEFLATE compression method.

• RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.• RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.• RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.• RFC 4217: “Securing FTP with TLS”.• RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new cipher

suites for the TLS protocol to support authentication based on pre-shared keys.Extensions to TLS 1.1 include:• RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols

(such as UDP).• RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions and a generic

extension mechanism.• RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.• RFC 4507: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.• RFC 4680: “TLS Handshake Message for Supplemental Data”.• RFC 4681: “TLS User Mapping Extension”.• RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.• RFC 5054: “Using the Secure Remote Password (SRP) Protocol for TLS Authentication”. Defines the TLS-SRP

ciphersuites.• RFC 5081: “Using OpenPGP Keys for Transport Layer Security (TLS) Authentication”, obsoleted by RFC 6091.Extensions to TLS 1.2 include:• RFC 5746: “Transport Layer Security (TLS) Renegotiation Indication Extension”.• RFC 5878: “Transport Layer Security (TLS) Authorization Extensions”.• RFC 6091: “Using OpenPGP Keys for Transport Layer Security (TLS) Authentication“.• RFC 6176: “Prohibiting Secure Sockets Layer (SSL) Version 2.0”.• RFC 6209: “Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)”.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 15

References and footnotes[1] T. Dierks, E. Rescorla (August 2008). "The Transport Layer Security (TLS) Protocol, Version 1.2" (http:/ / tools. ietf. org/ html/ rfc5246). .[2] A. Freier, P. Karlton, P. Kocher (August 2011). "The Secure Sockets Layer (SSL) Protocol Version 3.0" (http:/ / tools. ietf. org/ html/

rfc6101). .[3] " SSL/TLS in Detail (http:/ / technet. microsoft. com/ en-us/ library/ cc785811. aspx)". Microsoft TechNet. Updated July 31, 2003.[4] Thomas Y. C. Woo, Raghuram Bindignavle, Shaowen Su and Simon S. Lam, SNP: An interface for secure network programming

Proceedings USENIX Summer Technical Conference, June 1994[5] "THE SSL PROTOCOL" (http:/ / web. archive. org/ web/ 19970614020952/ http:/ / home. netscape. com/ newsref/ std/ SSL. html). Netscape

Corporation. 2007. Archived from the original (http:/ / home. netscape. com/ newsref/ std/ SSL. html) on 14 June 1997. .[6][6] Rescorla 2001[7] Dan Goodin (2011-09-19). "Hackers break SSL encryption used by millions of sites" (http:/ / www. theregister. co. uk/ 2011/ 09/ 19/

beast_exploits_paypal_ssl/ ). .[8] "Y Combinator comments on the issue" (http:/ / news. ycombinator. com/ item?id=3015498). 2011-09-20. .[9] "Security of CBC Ciphersuites in SSL/TLS" (http:/ / www. openssl. org/ ~bodo/ tls-cbc. txt). 2004-05-20. .[10] Brian Smith (2011-09-30). "(CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets

-76)" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=665814). .[11] "Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)" (http:/ / technet. microsoft. com/ en-us/ security/ bulletin/

ms12-006). 2012-01-10. .[12] "Safest ciphers to use with the BEAST? (TLS 1.0 exploit)" (http:/ / serverfault. com/ questions/ 315042/ ). 2011-09-24. .[13] "First solutions for SSL/TLS vulnerability" (http:/ / www. h-online. com/ security/ news/ item/

First-solutions-for-SSL-TLS-vulnerability-1349813. html). 2011-09-26. .[14] Dierks, T. and E. Rescorla (April 2006). "The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346" (http:/ / tools. ietf. org/

html/ rfc5246#ref-TLS1. 1). .[15] National Institute of Standards and Technology (December 2010). "Implementation Guidance for FIPS PUB 140-2 and the Cryptographic

Module Validation Program" (http:/ / csrc. nist. gov/ groups/ STM/ cmvp/ documents/ fips140-2/ FIPS1402IG. pdf). .[16] Eric Rescorla (2009-11-05). "Understanding the TLS Renegotiation Attack" (http:/ / www. educatedguesswork. org/ 2009/ 11/

understanding_the_tls_renegoti. html). Educated Guesswork. . Retrieved 2009-11-27.[17] "SSL_CTX_set_options SECURE_RENEGOTIATION" (http:/ / www. openssl. org/ docs/ ssl/ SSL_CTX_set_options.

html#SECURE_RENEGOTIATION). OpenSSL Docs. 2010-02-25. . Retrieved 2010-11-18.[18] "GnuTLS 2.10.0 released" (http:/ / article. gmane. org/ gmane. network. gnutls. general/ 2046). GnuTLS release notes. 2010-06-25. .

Retrieved 2011-07-24.[19] "NSS 3.12.6 release notes" (https:/ / developer. mozilla. org/ NSS_3. 12. 6_release_notes). NSS release notes. 2010-03-03. . Retrieved

2011-07-24.[20] Various (2002-08-10). "IE SSL Vulnerability" (http:/ / www. mail-archive. com/ bugtraq@securityfocus. com/ msg08807. html). Educated

Guesswork. . Retrieved 2010-11-17.[21] "Defeating SSL" (https:/ / www. blackhat. com/ presentations/ bh-dc-09/ Marlinspike/ BlackHat-DC-09-Marlinspike-Defeating-SSL. pdf). .[22] Adrian, Dimcev. "SSL/TLS version rollbacks and browsers" (http:/ / www. carbonwind. net/ blog/ post/

Random-SSLTLS-101–SSLTLS-version-rollbacks-and-browsers. aspx). Random SSL/TLS 101. . Retrieved 9 March 2011.[23] Lawrence, Eric (2005-10-22). "IEBlog : Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2" (http:/ / blogs. msdn. com/ ie/

archive/ 2005/ 10/ 22/ 483795. aspx). MSDN Blogs. . Retrieved 2007-11-25.[24] "Bugzilla@Mozilla — Bug 236933 - Disable SSL2 and other weak ciphers" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=236933).

Mozilla Corporation. . Retrieved 2007-11-25.[25] "Firefox still sends SSLv2 handshake even though the protocol is disabled" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=454759).

2008-09-11. .[26] Pettersen, Yngve (2007-04-30). "10 years of SSL in Opera — Implementer's notes" (http:/ / my. opera. com/ yngve/ blog/ 2007/ 04/ 30/

10-years-of-ssl-in-opera). Opera Software. . Retrieved 2007-11-25.[27] Wolfgang, Gruener. "False Start: Google Proposes Faster Web, Chrome Supports It Already" (http:/ / www. conceivablytech. com/ 3299/

products/ false-start-google-proposes-faster-web-chrome-supports-it-already). . Retrieved 9 March 2011.[28] Brian, Smith. "Limited rollback attacks in False Start and Snap Start" (http:/ / www. ietf. org/ mail-archive/ web/ tls/ current/ msg06933.

html). . Retrieved 9 March 2011.[29] Adrian, Dimcev. "False Start" (http:/ / www. carbonwind. net/ blog/ post/ Random-SSLTLS-101-False-Start. aspx). Random SSL/TLS 101. .

Retrieved 9 March 2011.[30] These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP based certificates.[31] vsftpd-2.1.0 released (http:/ / scarybeastsecurity. blogspot. com/ 2009/ 02/ vsftpd-210-released. html) Using TLS session resume for FTPS

data connection authentication. Retrieved on 2009-04-28.[32] Named-based SSL virtual hosts: how to tackle the problem (https:/ / www. switch. ch/ pki/ meetings/ 2007-01/ namebased_ssl_virtualhosts.

pdf), SWITCH.[33] Apple (2009-06-10). "Features" (http:/ / www. apple. com/ safari/ features. html). . Retrieved 2009-06-10.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Transport Layer Security 16

[34] Adrian, Dimcev. "Common browsers/libraries/servers and the associated cipher suites implemented" (http:/ / www. carbonwind. net/TLS_Cipher_Suites_Project/ tls_ssl_cipher_suites_annex_a1_main. docx). TLS Cipher Suites Project. .

[35] Mozilla (2008-08-06/). "Security in Firefox 2" (https:/ / developer. mozilla. org/ en/ Security_in_Firefox_2). . Retrieved 2009-03-31.[36] "Bug 480514 - Implement support for TLS 1.2 (RFC 5246)" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=480514). 2010-03-17. .

Retrieved 2010-04-04.[37] Microsoft (2009-02-27). "MS-TLSP Appendix A" (http:/ / msdn. microsoft. com/ en-us/ library/ dd208005(PROT. 13). aspx). . Retrieved

2009-03-19.[38] Yngve Nysæter Pettersen (2009-02-25). "New in Opera Presto 2.2: TLS 1.2 Support" (http:/ / my. opera. com/ core/ blog/ 2009/ 02/ 25/

new-in-opera-presto-2-2-tls-1-2-support). . Retrieved 2009-02-25.[39] Chromium Project (2011-07-25). "No TLS 1.2 (SHA-2) Support" (http:/ / code. google. com/ p/ chromium/ issues/ detail?id=90392). .

Retrieved 2011-09-21.

Further reading• Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0 Protocol" (http:/ / www. schneier.

com/ paper-ssl. pdf). The Second USENIX Workshop on Electronic Commerce Proceedings. USENIX Press.• Eric Rescorla (2001). SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub

Co. ISBN 0-201-61598-3.• Joshua Davies (2011). Implementing SSL/TLS Using Cryptography and PKI. New York: Wiley.

ISBN 978-0-470-92041-1.• Stephen A. Thomas (2000). SSL and TLS essentials securing the Web. New York: Wiley. ISBN 0-471-38354-6.• Bard, Gregory (2006). "A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack On Ssl" (http:/

/ eprint. iacr. org/ 2006/ 136). International Association for Cryptologic Research (136). Retrieved 2011-09-23.• Canvel, Brice. "Password Interception in a SSL/TLS Channel" (http:/ / lasecwww. epfl. ch/ memo/ memo_ssl.

shtml). Retrieved 2007-04-20.• IETF Multiple Authors. "RFC of change for TLS Renegotiation" (http:/ / tools. ietf. org/ html/ rfc5746). Retrieved

2009-12-11.• Creating VPNs with IPsec and SSL/TLS (http:/ / www. linuxjournal. com/ article/ 9916) Linux Journal article by

Rami Rosen

External links• SSL 2 specification (http:/ / www. mozilla. org/ projects/ security/ pki/ nss/ ssl/ draft02. html) (published 1994)• Early drafts of SSL 3.0 specification (http:/ / tools. ietf. org/ html/ draft-freier-ssl-version3-00) (published 1995)• The Secure Sockets Layer (SSL) Protocol Version 3.0 (2011) (http:/ / tools. ietf. org/ html/ rfc6101)• The IETF (Internet Engineering Task Force) TLS Workgroup (http:/ / www. ietf. org/ html. charters/ tls-charter.

html)• SSL tutorial (http:/ / www2. rad. com/ networks/ 2001/ ssl/ index. htm)• ECMAScript Secure Transform (Web 2 Secure Transform Method) (http:/ / www. semnanweb. com/

ecmast-ecmascript-secure-transform/ )• OWASP: Transport Layer Protection Cheat Sheet (http:/ / www. owasp. org/ index.

php?title=Transport_Layer_Protection_Cheat_Sheet)• A talk on SSL/TLS that tries to explain things in terms that people might understand. (http:/ / computing. ece. vt.

edu/ ~jkh/ Understanding_SSL_TLS. pdf)• SSL: Foundation for Web Security (http:/ / www. cisco. com/ web/ about/ ac123/ ac147/ archived_issues/ ipj_1-1/

ssl. html)This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 andincorporated under the "relicensing" terms of the GFDL, version 1.3 or later.

S8CSE_Cryptography additionals

by Abhijith Marathakam

Article Sources and Contributors 17

Article Sources and ContributorsTransport Layer Security  Source: http://en.wikipedia.org/w/index.php?oldid=488908041  Contributors: 0x6adb015, 5ko, 806f0F, Abaybas, Abdull, AbsolutDan, Acodring, Adam Conover,Adrianfd, Aka042, Akebinho, Alansohn, Albedo, Aldie, Alec it, Alias Flood, AlistairMcMillan, Alphathon, Amenel, Anclation, Andre Engels, Andrei.wap, Andrew Hampe, Andrzej P. Wozniak,Anna512, Anon lynx, Ant honey, Antientropic, Apankrat, Aprogrammer, Arkoon, Arman Cagle, Armour Hotdog, Arsenikk, Ashdurbat, Avbentem, AxelBoldt, Barakw, Barek, Beetstra, Beland,Bender235, Beno1000, Biot, Blackbearded, BlindWanderer, Blodulv, Boblord, Boomboombi, Borb, Bovineone, Branko, Branlon, Bryan Derksen, Btrzupek, Bunnyhop11, Burke Libbey, Bxj,C1010, CKlunck, Cajunbill, Calton, CanadianLinuxUser, CanisRufus, Cellmate707, Cf. Hay, Cfp, Chealer, Chester Markel, Chris conlon, Ciphers, ClementSeveillac, Colenso, Colonies Chris,Comet Tuttle, CommonsDelinker, Complicated1, Conseguenza, Conversion script, Crossland, Czhower, DARTH SIDIOUS 2, David-Sarah Hopwood, Davidfstr, Davidoff, Davodd,Dawnseeker2000, Debresser, Deedub1983, Devon Sean McCullough, Dfarrell07, Dictouray, Digi-cs, Discospinster, Doedoejohn, Dogbyter, Dougjih, Dreamafter, Ed Brey, Edward, Emperorbma,Enjoi4586, Ercrt, Ericnay, Erth64net, Eruionnyron, Etu, Everyking, Evice, ExportRadical, Eyreland, FBarber, Falcon8765, Feezo, Felixcatuk, FlippyFlink, FloydRTurbo, Frap, Freyr,Fritzophrenic, Fryed-peach, Furrykef, GABaker, Gerbrant, Ghalas, Ghettoblaster, Gidoca, Giftlite, Gionnico, GoodStuff, Graham87, Greatwhitesharkbear, GreyCat, Groovy12, Guthrg007, Gzorg,Haakon, HaeB, Haham hanuka, Hairy Dude, HamburgerRadio, Hanche, Hawk-Eagle, Hgfernan, Hottdee, Iangfc, Iida-yosiaki, Imroy, Int21h, Interiot, Intgr, Isilanes, Itahmed, J-p krelli, JTN,JWilk, JaGa, Jamelan, Jas4711, Jc monk, Jclemens, Jdthood, Jef-Infojef, Jesse Viviano, Jigen III, Jjplaya209, Jlehen, Jmaister, Jmorgan, JoanneB, JoaoRicardo, Joblack, JonHarder, Jpinkerton88,Juhovh, Julie Deanna, Kbrose, Kelson, Kgaughan, Kgfleischmann, Kinema, Koektrommel, Koeplinger, Kpsmithuk, Krellis, Ksn, Kyng, Lakshmin, LeoNomis, Leotohill, Levin, LittleBenW,Loftenter, Lotje, Lradrama, Lukegilman, Lundse, Lunkwill, Lzyiii, M. B., Jr., Maartenvanrooijen, Mabdul, Mac, Madigral, Magioladitis, MagnetiK, Makerofthings7, Mange01, Mani1,Marrowmonkey, Martinkunev, Materialscientist, Matt Crypto, Matthew V Ball, Maxim Razin, Mayevski, Meetabu, Meowimasexycat, Mgcsinc, Michael Hardy, MichaelCoates, Michaelfowler,Michaelkrauklis, Mickraus, Mike Rosoft, Mild Bill Hiccup, Mindmatrix, MinorContributor, Mischling, MisterSSL, Mmernex, Molf, Moocha, Mpvdm, Mr Heine, Mrbbking, Msiddalingaiah,Mundocani, Mwanner, Mydogategodshat, Mårten Berglund, N.MacInnes, Nagle, Nealcardwell, Nealmcb, Nerwal, Nikai, Nill smith, Nils, Ninels, Niqueco, Nitrogenx, Nk, Nmav, Nonno88, Noq,Ntsimp, Nubiatech, Nurg, Nuujinn, Nyco, ObscurO, Oconnor663, Olegos, Olivier Debre, Omniplex, Oscardt, PHansen, Papadopa, Pasi Eronen, Paul Foxworthy, Paul1337, PeterB, Pfortuny,Phoenix-forgotten, Pilotguy, Plugwash, Plustgarten, Pmsyyz, Ppelleti, Produke, Psz, Qslack, QuiteUnusual, RP459, Raanoo, Rafigordon, Rarut, Rasmus Faber, Raviaulakh, Ray Dassen,Remember the dot, Rettetast, ReyBrujo, Rholton, Rich Farmbrough, RichiH, Rick Block, Ripsss, Rlcantwell, Robertssh, Robinalden, SCΛRECROW, SPCartman, SSLcertificatesecurity,Sachuraju, Sanxiyn, Sara Wright, Scetoaux, Schlafly, Schmalls, Seneces, Sesu Prime, Sfisher, Shaddack, Shadowjams, ShakataGaNai, Siddhant, Simetrical, Simon.may.007, Sleske, Smyth,Spartan-James, Speaker to Lampposts, SpeedyGonsales, Star General, Startcom, Stefonic, Stephan Leeds, Stupid Corn, SunCreator, Superm401, Suruena, Swagatata, Sweeper tamonten, TDM,THEN WHO WAS PHONE?, TJJFV, Ta bu shi da yu, Tacke, Tbutzon, Ternto333, The Anome, TheWishy, Themfromspace, Thomas Springer, Thomasgud, Thorne, Thumperward,Thunderbritches, Tim Ivorson, Timberframe, Titiri, Tommy2010, Tony esopi patra, Toyotabedzrock, Tqbf, Traveler100, TwelveBaud, Twkd, Typhoonhurricane, UncleBubba, Unixman83, Uogl,Usaguruman, VAcharon, Verdy p, Versageek, VictorAnyakin, Vijay.kotari, Vinayr rao, VishalJBhatt, WLU, Webguynik, Weyes, Wiarthurhu, Widefox, Wilfrednilsen, William Avery,WinTakeAll, Winterst, Wizofaus, Wmahan, Wmasterj, WojPob, Writermonique, Wutherings, Ww, Xizhi.zhu, Yadirh, Yaronf, Youremyjuliet, Ysimonson, Yuhong, Zigkill, Zimbabweed, Zr40,Zundark, Zzuuzz, 책읽는달팽, 815 anonymous edits

LicenseCreative Commons Attribution-Share Alike 3.0 Unported//creativecommons.org/licenses/by-sa/3.0/

S8CSE_Cryptography additionals

by Abhijith Marathakam

S8CSE_Cryptography additionals

by Abhijith Marathakam

S8CSE_Cryptography additionals

by Abhijith Marathakam