Tls handshake schnell sicher: Difference between revisions
No edit summary |
No edit summary |
||
Line 10: | Line 10: | ||
#:- random data created with public key of the server |
#:- random data created with public key of the server |
||
#:- random key via Diffie-Hellmann-Key-Exchange |
#:- random key via Diffie-Hellmann-Key-Exchange |
||
In v1.3 this was revised to speed up the handshake, it now is as follows: |
|||
# Client Hello: Client initiates Connection to the Server, sends list of supported cipher suites |
|||
# Server Hello and Change Cipher Spec: |
|||
#:-If Server knows and supports one of the cipher suites, Server sends its certificate, certifcate chain, possibly OCSP-response |
|||
#:-Server signals started encrypted messaging |
|||
# Client Change Cipher Spec: Client responds that it also has started encrypted messaging |
Revision as of 15:49, 6 October 2024
Introduction
TLS is a cryptographic protocol used to encrypt data transfer between communication partners. It is located in the application layer of the Internet Protocol Suite (IP Suite) or in the presentation layer of the OSI model. It is typically used as a wrapper for other (insecure) protocols like HTTP or SMTP. Besides encryption TLS could be used for identification purposes of both communication partners. There are several versions of TLS with versions below 1.2 being deprecated. The current versions 1.2 and 1.3 dropped support of unsecure hash functions like MD5 or SHA224. An unconfigured v1.3 connection defaults to the cipher suite AES256_GCM_SHA384. A typical v1.2 connection without client authentication is done as follows:
- Client Hello: Client initiates connection to the Server, transmitting list of supported cipher suites, possibly indicating requiring server certificate status information (OCSP-stapling via flag status_request)
- Server Hello: Server replies chosen supported cipher suite
- Server-Certificate-Exchange: Server sends its certificate along with certificate chain (also sends valid OCSP-response if OCSP-stapling is configured)
- Client-Certificate-Exchange: Client acknowledges validity of certificate
- Session-Ticket: Client generates session ticket using on of the following methods:
- - random data created with public key of the server
- - random key via Diffie-Hellmann-Key-Exchange
In v1.3 this was revised to speed up the handshake, it now is as follows:
- Client Hello: Client initiates Connection to the Server, sends list of supported cipher suites
- Server Hello and Change Cipher Spec:
- -If Server knows and supports one of the cipher suites, Server sends its certificate, certifcate chain, possibly OCSP-response
- -Server signals started encrypted messaging
- Client Change Cipher Spec: Client responds that it also has started encrypted messaging