Transport Layer Security (TLS)

Jesús Arias Fisteus

Web Applications (2022/23)

Web Applications (2022/23) Transport Layer Security (TLS) 1


HTTP Secure (HTTPS)

Hypertext Transfer Protocol Secure (HTTPS) is an adaptation of HTTP for secure communication, where messages are transmitted on top of the Transport Layer Security (TLS) protocol.

(The default TCP port for HTTPS is 443.)


Transport Layer Security (TLS)

Transport Layer Security (TLS) provides a secure channel between two communicating peers.

- The connection is private, as data is encrypted with symmetric cryptography.
- The identity of the server can be verified using the public-key infrastructure.
- Data integrity can be verified, i.e. data loss or alteration during transmission can be detected.


Transport Layer Security (TLS)

- TLS is the de facto standard to secure communications between applications.
- Its origin is SSL (Secure Sockets Layer), first developed at Netscape in the 90's.
- It is an IETF standard.
- Its current version is TLS 1.3 (RFC 8446).


Components of the TLS protocol

- Handshake protocol:
  - A TLS session between client and server is established.
- Record protocol:
  - Data is securely transmitted from client to server and from server to client within the context of an already established TLS session.


Steps of the handshake protocol

1. Negotiation:
   - Client and server agree on a TLS protocol version and the cryptographic algorithms and parameters to use.
2. Key exchange:
   - Client and server derive the symmetric keys to be used for encrypting transmitted data.
3. Authentication:
   - The client authenticates the server (and, optionally, the server can also authenticate the client).


Handshake: negotiation

- The client specifies the algorithms it supports by sending the ClientHello message, which includes:
  - One or more key exchange algorithms.
  - Two or more digital signature algorithms.
  - One or more hash functions to be used for HKDF.
  - One or more authenticated encryption algorithms.
- The server chooses the algorithms to be used from the list of algorithms the client specified, and communicates them to it by sending a ServerHello message.


Handshake: key exchange

1. Client and server communicate their public keys to each other:
   - The public keys they use should be ephemeral in order to provide forward secrecy.
   - In TLS 1.3 they can be communicated in the ClientHello and ServerHello messages in order to optimize the process.


Handshake: key exchange

2. The symmetric keys to be used for the session are derived by using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) algorithm and the selected hash function:
   - A pair of random values, chosen by the client in the ClientHello message and by the server in the ServerHello message, randomize the derived keys.
   - In TLS 1.3 different keys are derived for different parts of the communication.

(In TLS 1.3, further handshake communication after keys have been derived is encrypted.)


Handshake: authentication

- Servers must be authenticated:
  - Websites need a certificate (the website's long-term public key, signed by a certification authority).
  - The website's certificate can be validated through the public key infrastructure.
- Optionally, clients can be authenticated too, but normally only servers are subject to authentication on the Web.


The public key infrastructure

- Web browsers trust a set of root certificate authorities.
- Root certificate authorities may sign certificates for intermediate certificate authorities.
- Root and intermediate certificate authorities can sign certificates for websites.
- Certificates are validated by verifying their signatures against the signing certificate authority's own certificate, following the verification process through the certificate chain up to a root certificate authority.


Certificates

- X.509 certificates are normally used.
- Website certificates contain, among other fields:
  - The website's public key.
  - The domain name(s) to which the certificate applies.
  - Initial and final date and time of the certificate's validity period.
  - The signature of the certificate's data by the certification authority issuing it.


Handshake: authentication

1. The server sends:
   - Its own certificate.
   - The certificate chain (the chain of certificates of the certificate authorities that sign it, up to a root certificate authority).
   - A signature of all the previous handshake messages, made with the private key associated with the public key in the server's certificate.
2. The client verifies the signature of the handshake messages and the chain of certificates.


Handshake: session resumption

- It's normal for clients to connect several times to the same websites, but TLS handshakes are costly.
- TLS allows previous sessions to be resumed by reusing previously exchanged keys through a pre-shared key (PSK) handshake:
  - Servers may produce a session ticket that the client can use in the future to resume a closed session.
  - Clients may send a ClientHello message with the session ticket in order to ask the server to resume a previous session, thus skipping negotiation, key exchange and authentication.


Application data transmission (record protocol)

- Encryption of application data:
  - Data is encrypted with a symmetric key.
- Protection against message tampering:
  - Messages are authenticated and the integrity of their contents is verified through the use of authenticated encryption.
- Protection against replayed or reordered messages:
  - Data is split into records, which are assigned a sequence number. Peers verify the sequence number of the records they receive.
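The record-layer checks above, as an added example that is not part of the original slides: the per-record nonce (sequence number XORed into the IV) and the record header used as additional data follow RFC 8446, sections 5.2 and 5.3, while the AEAD itself is a deliberately simple HMAC-based stand-in constructed for this example (not AES-GCM or ChaCha20-Poly1305) so the block runs with only the Python standard library. The receiver never reads a sequence number from the wire; it binds each record to the number it expects next, so a replayed, reordered or modified record fails the tag check.

```python
import hashlib
import hmac

TAG_LEN = 16  # authentication tag length; TLS 1.3 AEADs also use 16-byte tags

def record_nonce(iv: bytes, seq: int) -> bytes:
    """RFC 8446 5.3: left-pad the 64-bit record sequence number to the IV length and XOR it with the IV."""
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))

def record_header(body_len: int) -> bytes:
    """TLSCiphertext header (opaque_type 23, legacy version 0x0303, length): the AEAD additional data."""
    return b"\x17\x03\x03" + body_len.to_bytes(2, "big")

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher (constructed for this example only)
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def _tag(key: bytes, header: bytes, nonce: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"mac" + header + nonce + body, hashlib.sha256).digest()[:TAG_LEN]

def seal_record(key: bytes, iv: bytes, seq: int, plaintext: bytes) -> bytes:
    """Protect one record: encrypt, then authenticate header, nonce and ciphertext together."""
    nonce = record_nonce(iv, seq)
    header = record_header(len(plaintext) + TAG_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return header + body + _tag(key, header, nonce, body)

class RecordReceiver:
    """Tracks the next expected sequence number; any other record fails authentication."""

    def __init__(self, key: bytes, iv: bytes):
        self.key, self.iv, self.next_seq = key, iv, 0

    def open_record(self, record: bytes) -> bytes:
        header, body, tag = record[:5], record[5:-TAG_LEN], record[-TAG_LEN:]
        nonce = record_nonce(self.iv, self.next_seq)  # implicit: the sender never transmits seq
        if not hmac.compare_digest(tag, _tag(self.key, header, nonce, body)):
            raise ValueError("bad_record_mac: tampered, replayed or out-of-order record")
        self.next_seq += 1  # advance only after a successful check
        return bytes(c ^ k for c, k in zip(body, _keystream(self.key, nonce, len(body))))
```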


References

- The Transport Layer Security (TLS) Protocol Version 1.3. IETF RFC 8446, August 2018.
- David Wong, Real-World Cryptography, Manning Publications (2021):
  - Chapter 9 (Secure Transport).
  - Online access at O'Reilly through the UC3M Library.