CH C -> S: ProtVer, Rc, SessionID, CipherSuiteList, CompMethList
S: IF (SessionID BAD) THEN goto Negotiate New Session
SH S -> C: ProtVer, Rs, SessionID (old), CipherSuite, CompMeth
CCS S -> C: X
F S -> C: PRF(master, “finished”, hash(Previous Messages))
CCS C -> S: X
F C -> S: PRF(master, “finished”, hash(Previous Messages))
End
Negotiate New Session
SH S -> C: ProtVer, Rs, SessionID (new), CipherSuite, CompMeth
S: IF (Key Exchange is Authenticated) THEN goto Authenticated Server
Anonymous Server
SKE S -> C: p, g, Ys
SHD S -> C: X
CKE C -> S: Yc
CCS C -> S: X
F C -> S: PRF(master, “finished”, hash(Previous Messages))
CCS S -> C: X
F S -> C: PRF(master, “finished”, hash(Previous Messages))
End
Authenticated Server
S: IF (Key Exchange is not RSA) THEN goto Diffie-Hellman
RSA
S: IF (Key Exchange is RSA_EXPORT & Public Key in Certificate for Signing only) THEN goto Temporary Key
Encryption Key in Certificate
SC S -> C: {S, Ks+}Kca-
Goto Client Response
Temporary Key
SC S -> C: {S, sKs+}Kca-
SKE S -> C: Ks+, {hash(Rc + Rs + Ks+)}sKs-
Goto Client Response
Diffie-Hellman
IF (Key Exchange is DHE) THEN goto DHE
DH (RSA & DSS signing)
SC S -> C: {S, (p, g, Ys), sKs+}Kca-
Goto Client Response
DHE
SC S -> C: {S, sKs+}Kca-
SKE S -> C: (p, g, Ys), {hash(Rc + Rs + (p, g, Ys))}sKs-
Client Response
IF (No Client Certificate) THEN goto Client Key Exchange
CR S -> C: (Cert_Type_List, Cert_Auth_List)
SHD S -> C: X
CC C -> S: {C, Kc+}Kca-
Client Key Exchange
IF (Key Exchange is RSA or RSA_EXPORT) THEN
CKE C -> S: {Prot. Ver., PreMaster}Ks+
ELSE IF (Key Exchange is DHE) THEN
CKE C -> S: Yc
ELSE IF (Key Exchange is DH) THEN
CKE C -> S: 0
IF (no Client Certificate or Key Exchange DH) THEN goto Client Finished
Certificate Verify
CV C -> S: {hash(PreviousMessages)}sKc-
Client Finished
CCS C -> S: X
F C -> S: PRF(master, “finished”, hash(Previous Messages))
CCS S -> C: X
F S -> C: PRF(master, “finished”, hash(Previous Messages))
End
GLOSSARY
Negotiate New Session: the Client proposed no session ID, or the one it proposed was not found on the Server's list of acceptable old sessions.
master = PRF(PreMaster, “master secret”, Rc + Rs)
hash: RFC 2246 uses two hash algorithms, MD5 and SHA-1, and usually combines them. They are not always used in the same fashion: DSS signing uses only the SHA-1 hash, while RSA signing uses both.
PRF: a pseudo-random function built from both MD5 and SHA-1. It combines the two hash functions so that if one is broken, the other still provides security.
RSA & DSS signing: these are different signing methods, but for protocol-analysis purposes and this simplified representation the difference is ignored.
CH = Client Hello
SH = Server Hello
SC = Server Certificate
SKE = Server Key Exchange
CR = Certificate Request
SHD = Server Hello Done
CC = Client Certificate
CKE = Client Key Exchange
CV = Certificate Verify
CCS = Change Cipher Spec – this is not a handshake protocol message
F = Finished
Adapted from RFC 2246 (TLS 1.0).
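The two derivations the glossary names, master = PRF(PreMaster, "master secret", Rc + Rs) and the Finished value, as an added Python example that is not part of the original text or of any RFC 2246 implementation. It implements the RFC 2246 PRF (P_MD5 over the first half of the secret XORed with P_SHA-1 over the second half); note that RFC 2246 itself labels the Finished computation "client finished" and "server finished" and truncates it to 12 bytes, a detail the simplified "finished" above elides. The PreMaster, Rc, Rs and handshake bytes are constructed sample values.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    # P_hash (RFC 2246, section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1));
    # output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length):
    # TLS 1.0 PRF: the secret is split in half (an odd-length secret shares its
    # middle byte); P_MD5 over the first half is XORed with P_SHA1 over the second.
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(premaster, client_random, server_random):
    # master = PRF(PreMaster, "master secret", Rc + Rs); always 48 bytes
    return prf(premaster, b"master secret", client_random + server_random, 48)


def finished_verify_data(master, side, handshake_messages):
    # verify_data = PRF(master, "client finished" or "server finished",
    #                   MD5(handshake) + SHA1(handshake)), truncated to 12 bytes
    label = b"client finished" if side == "client" else b"server finished"
    digest = (hashlib.md5(handshake_messages).digest()
              + hashlib.sha1(handshake_messages).digest())
    return prf(master, label, digest, 12)


# Constructed sample values, not a captured handshake.
PREMASTER = b"\x03\x01" + bytes(46)            # RSA PreMaster: version + 46 bytes
CLIENT_RANDOM = bytes(range(32))               # Rc
SERVER_RANDOM = bytes(range(32, 64))           # Rs
HANDSHAKE = b"ClientHello...ServerHelloDone"   # stand-in for the message bytes

if __name__ == "__main__":
    m = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master:", m.hex())
    print("client Finished:", finished_verify_data(m, "client", HANDSHAKE).hex())
    print("server Finished:", finished_verify_data(m, "server", HANDSHAKE).hex())
```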