TLS (Transport Layer Security, RFC 8446)

Secure communication protocol over TCP/IP.

  • Based on SSL v3 (Secure Sockets Layer).

  • Manages per-application secure sessions over TCP/IP.

    • Initially conceived for HTTP traffic.

    • Used for other traffic types.

There is a similar version for UDP (DTLS, RFC 6347).

Security mechanisms.

  • Communication confidentiality and integrity.

    • Key distribution.

  • Authentication of communication endpoints.

    • Servers (or, more frequently, services).

    • Client users.

    • Both with asymmetric key pairs, typically with certified public keys.

Interaction diagram

Ciphersuites

If a server supported only a single algorithm, not every client could be expected to support it as well.

  • Clients may be more powerful or more limited, older or newer.

The Ciphersuite concept allows the negotiation of mechanisms between client and server.

  • Both send their supported ciphersuites, and select one they both share.

  • TLS v1.3: the server chooses.

Example: ECDHE-RSA-AES128-GCM-SHA256.

Format:

  • Key negotiation algorithm: ECDHE.

  • Authentication algorithm: RSA.

  • Cipher algorithm and cipher mode: AES-128 GCM.

  • Integrity control algorithm: SHA256.
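The negotiation and the name format described above, as an added example that is not part of the original notes: it splits a five-field ciphersuite name into its components and lets the server pick the first suite in its own preference order that the client also offered. The suite lists are constructed samples, and the `acceptable` policy (ephemeral key exchange and GCM only) is an assumption made for illustration.

```python
from typing import NamedTuple, Optional, Sequence

class Suite(NamedTuple):
    key_exchange: str    # e.g. ECDHE
    authentication: str  # e.g. RSA
    cipher: str          # e.g. AES128
    mode: str            # e.g. GCM
    integrity: str       # e.g. SHA256

def parse_suite(name: str) -> Suite:
    """Split a five-field name such as ECDHE-RSA-AES128-GCM-SHA256."""
    parts = name.split("-")
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"not in KX-AUTH-CIPHER-MODE-HASH form: {name!r}")
    return Suite(*parts)

def acceptable(name: str) -> bool:
    """Assumed local policy: ephemeral key exchange and GCM mode only."""
    try:
        s = parse_suite(name)
    except ValueError:
        return False  # names we cannot interpret are never negotiated
    return s.key_exchange in {"ECDHE", "DHE"} and s.mode == "GCM"

def negotiate(client_offer: Sequence[str], server_prefs: Sequence[str]) -> Optional[str]:
    """Server chooses: first suite in its own order that the client offered."""
    offered = set(client_offer)
    for name in server_prefs:
        if name in offered and acceptable(name):
            return name
    return None  # no shared acceptable suite: the handshake cannot proceed

# Constructed sample lists (not captured traffic).
SERVER_PREFS = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "DHE-RSA-AES128-GCM-SHA256"]
CLIENT_OFFER = ["DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    chosen = negotiate(CLIENT_OFFER, SERVER_PREFS)
    print(chosen, parse_suite(chosen) if chosen else None)
```

The client lists the DHE suite first, but the result follows the server's order; a client that offers only names outside the policy gets no suite at all.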
