词条 | Cipher suite | ||||||||||||||||||||
释义 |
A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS) or its now-deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.[1] The key exchange algorithm is used to exchange a key between two devices. This key is used to encrypt and decrypt the messages being sent between two machines. The bulk encryption algorithm is used to encrypt the data being sent. The MAC algorithm provides data integrity checks to ensure that the data sent does not change in transit. In addition, cipher suites can include signatures and an authentication algorithm to help authenticate the server and or client. Overall, there are hundreds of different cipher suites that contain different combinations of these algorithms. Some cipher suites offer better security compared to others.[2] The structure and use of the cipher suite concept is defined in the TLS standard document.[3] [https://www.ietf.org/rfc/rfc5246.txt TLS 1.2] is the most prevalent version of TLS. The next version of TLS ([https://tools.ietf.org/html/rfc8446 TLS 1.3]) adds additional requirements to cipher suites. TLS 1.3 was only recently standardised and is not yet widely used. Cipher suites defined for TLS 1.2 cannot be used in TLS 1.3, and vice versa, unless otherwise stated in their definition. A reference list of named cipher suites is provided in the TLS Cipher Suite Registry.[4] HistoryThe use of ciphers have been a part of the Secure Socket Layer (SSL) transit protocol since its creation. SSL has been succeeded by TLS for most uses. However, the name Cipher Suite was not used in the original draft of SSL. Instead the ability for a client and a server to choose from a small set of ciphers to secure their connection was called Cipher-Choice.[5][6] It was not until SSL v3 (the last version of SSL) that the name Cipher Suite was used.[7] Every version of TLS since has used Cipher Suite in their standardization. The concept and purpose of a Cipher Suite has not changed since the term was first coined. It has and still is used as a structure describing the algorithms that a machine supports in order for two machines to decide which algorithms to use to secure their connection. What has changed is the versions of the algorithms that are supported in the cipher suites. Each version of TLS has added support for stronger versions of the algorithms and removed support for versions of the algorithms that have been identified as insecure. TLS 1.3 marks a change in how cipher suites are coordinated between machines. The cipher suite chosen for two communicating machines to use is determined by the handshake process. Modifications were done in TLS 1.3 to the handshake process to cut down on the number of messages needed to be sent. This allows for less processing, less packet traffic and more efficiency compared to previous versions of TLS. Naming schemeEach cipher suite has a unique name that is used to identify it and to describe the algorithmic contents of it. Each segment in a cipher suite name stands for a different algorithm or protocol. An example of a cipher suite name: TLS_RSA_WITH_3DES_EDE_CBC_SHA The meaning of this name is:
Full handshake: coordinating cipher suitesTo use cipher suites, the client and the server must agree on the specific cipher suite that is going to be used in exchanging messages. Both the client and the server must support the agreed upon cipher suite. If the client and server do not agree on a cipher suite, no connection will be made.[11] This selection process occurs during the TLS Handshake Protocol. TLS 1.3 includes a TLS Handshake Protocol that differs compared to past and the current version of TLS/SSL.[12] After coordinating which cipher suite to use, the server and the client still have the ability to change the coordinated ciphers by using the ChangeCipherSpec protocol in the current handshake or in a new handshake.[13] To test which TLS ciphers a server supports, an SSL/TLS Scanner may be used.[https://www.ssllabs.com/ssltest/] TLS 1.0–1.2 handshakeThis client starts the process by sending a clientHello message to the server that includes the version of TLS being used and a list of cipher suites in the order of the client’s preference. In response, the server sends a serverHello message that includes the chosen cipher suite and the session ID. Next the server sends a digital certificate to verify its identity to the client. The server may also request a client’s digital certification if needed. If the client and server are not using pre-shared keys, the client then sends an encrypted message to the server that enables the client and the server to be able to compute which secret key will be used during exchanges. After successfully verifying the authentication of the server and, if needed, exchanging the secret key, the client sends a finished message to signal that it is done with the handshake process. After receiving this message, the server sends a finished message that confirms that the handshake is complete. Now the client and the server are in agreement on which cipher suite to use to communicate with each other. TLS 1.3 handshakeIf two machines are corresponding over TLS 1.3, they coordinate which cipher suite to use by using the TLS 1.3 Handshake Protocol. The handshake in TLS 1.3 was condensed to only one round trip compared to the two round trips required in previous versions of TLS/SSL. First the client sends a clientHello message to the server that contains a list of supported ciphers in order of the client's preference and makes a guess on what key algorithm is being used so that it can send a secret key to share if needed. By making a guess on what key algorithm that is being used it eliminates a round trip. After receiving the clientHello, the server sends a serverHello with its key, a certificate, the chosen cipher suite and the finished message. After the client receives the server's finished message it now is coordinated with the server on which cipher suite to use.[https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/] Supported algorithmsIn TLS 1.0–1.2
For more information about algorithms supported in TLS 1.0–1.2, see also: Transport Layer Security § Applications and adoption TLS 1.3In TLS 1.3, many legacy algorithms that were supported in early versions of TLS have been dropped in an effort to make the protocol more secure.[14] In addition, all encryption and authentication algorithms are combined in the authenticated encryption with associated data (AEAD) encryption algorithm. Also a hash algorithm must now be used in HMAC-based key derivation (HKDF).[15] Non-AEAD encryption algorithms (such as AES_128_CBC) are not allowed to be used. These changes were done because of flaws or possible vulnerabilities discovered since that last release that could result in an insecure TLS connection. DTLS with cipher suitesDatagram Transport Layer Security (DTLS) is based on TLS, but is specifically used for UDP connections instead of TCP connections. Since DTLS is based on TLS it is able to use a majority of the cipher suites described for TLS. There are special cases that must be considered when using TLS cipher suites with DTLS. DTLS does not support the stream cipher RC4 which means that no TLS cipher using RC4 can be used with DTLS.[16]To figure out if a TLS cipher suite is compatible with DTLS looking at its name will not help. Each TLS cipher suite will still include the TLS identifier space in its name. e.g.: TLS_RSA_WITH_RC4_128_MD5. Instead, all TLS parameter registries now include the flag DTLS-OK to signal if a cipher suite supports DTLS.[17] VulnerabilitiesA cipher suite is as secure as the algorithms that it contains. If the version of encryption or authentication algorithm in a cipher suite have known vulnerabilities the cipher suite and TLS connection is then vulnerable. Therefore, a common attack against TLS and cipher suites is known as a Downgrade Attack. A downgrade in TLS occurs when a modern client connects to legacy servers that are using older versions of TLS or SSL. When initiating a handshake, the modern client will offer the highest protocol that it supports. If the connection fails, it will automatically retry again with a lower protocol such as TLS 1.0 or SSL 3.0 until the handshake is successful with the server. The purpose of downgrading is so that new versions of TLS are compatible with older versions. However, it is possible for an adversary to take advantage of this feature and make it so that a client will automatically downgrade to a version of TLS or SSL that supports cipher suites with algorithms that are known for weak security and vulnerabilities.[18] This has resulted in attacks such as POODLE. One way to avoid this security flaw is to disable the ability of a server or client to be able to downgrade to SSL3.0. The shortcoming with this fix is that it will make it so that some legacy hardware can not be accessed by newer hardware. If SSL 3.0 support is needed for legacy hardware, there is an approved TLS_FALLBACK_SCSV cipher suite which verifies that downgrades are not triggered for malicious intentions.[19] Cipher suites for constrained devicesEncryption, key exchange and authentication algorithms usually require a large amount of processing power and memory. To provide security to constrained devices with limited processing power, memory, and battery life such as those powering the Internet of things there are specifically chosen cipher suites. Two examples include:
Each of these cipher suites have been implemented to run on devices with constraints in processing power and memory. They are both implemented in the open-sourced project [https://projects.eclipse.org/projects/iot.tinydtls TinyDTLS]. The reason that they are able to work on these constrained devices is because they can be implemented in a light-weight fashion. Implementations of the pre-shared key cipher suite used only 1889 bytes of RAM and 38266 of flash ROM which is very resource conscious compared most encryption and security algorithms.[21] This low memory usage is due to these cipher suites using proven efficient algorithms that are secure, but maybe not as secure as more resource-required algorithms; exp: Using 128 bit encryption vs 256 bit encryption. In addition they use pre-shared key or raw public key which requires less memory space and processing power compared to using traditional public key infrastructure (PKIX).[22] Programming referencesIn programming, a cipher suite is referred to in both plural and non-plural forms. Each one has different definitions:
struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites<2..2^16-2>; CompressionMethod compression_methods<1..2^8-1>; select (extensions_present) { case false: struct {}; case true: Extension extensions<0..2^16-1>; }; } ClientHello;
struct { ProtocolVersion server_version; Random random; SessionID session_id; CipherSuite cipher_suite; CompressionMethod compression_method; select (extensions_present) { case false: struct {}; case true: Extension extensions<0..2^16-1>; }; } ServerHello; References1. ^{{Cite web|url=https://docs.microsoft.com/en-au/windows/desktop/SecAuthN/cipher-suites-in-schannel|title=Cipher Suites in TLS/SSL (Schannel SSP) (Windows)|website=docs.microsoft.com|language=en|access-date=2018-07-02}} 2. ^{{Cite web|url=https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/|title=tls and ssl cipher suites {{!}} research {{!}} sprawl|website=www.thesprawl.org|language=en|access-date=2017-10-26}} 3. ^{{IETF RFC|5246}} 4. ^[https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 TLS Cipher Suite Registry] 5. ^{{Cite web|url=https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html|title=The SSL 0.2 Protocol|website=www-archive.mozilla.org|access-date=2017-12-07}} 6. ^{{Cite web|url=https://tools.ietf.org/html/draft-hickman-netscape-ssl-00|title=draft-hickman-netscape-ssl-00|website=tools.ietf.org|language=en|access-date=2017-12-07}} 7. ^{{Cite web|url=http://www.freesoft.org/CIE/Topics/ssl-draft/3-SPEC.HTM|title=SSL 3.0 Specification|website=www.freesoft.org|access-date=2017-12-07}} 8. ^{{Cite web|url=https://tools.ietf.org/html/rfc5246#page-47|title=The Transport Layer Security (TLS) Protocol Version 1.2|last= 9. ^{{Cite web|url=https://tools.ietf.org/html/rfc5246#page-17|title=The Transport Layer Security (TLS) Protocol Version 1.2|last= 10. ^{{Cite web|url=https://tools.ietf.org/html/rfc5246#page-16|title=The Transport Layer Security (TLS) Protocol Version 1.2|last= 11. ^{{Cite news|url=http://www.jscape.com/blog/cipher-suites|title=An Introduction To Cipher Suites|last=Villanueva|first=John Carl|access-date=2017-10-25|language=en}} 12. ^{{Cite web|url=https://tools.ietf.org/html/draft-ietf-tls-tls13-28|title=The Transport Layer Security (TLS) Protocol Version 1.3|last= 13. ^{{Cite web|url=https://tools.ietf.org/html/rfc5246#section-7.1|title=The Transport Layer Security (TLS) Protocol Version 1.2|last= 14. ^{{Cite news|url=https://www.wolfssl.com/docs/tls13/|title=TLS 1.3 Protocol Support {{!}} wolfSSL Embedded SSL/TLS Library|work=wolfSSL|access-date=2017-10-26|language=en-US}} 15. ^{{cite web|url=https://tlswg.github.io/tls13-spec/#cipher-suites|title=The Transport Layer Security (TLS) Protocol Version 1.3|author=E. Rescorla|date=November 4, 2016|accessdate=2016-11-11}} 16. ^{{Cite web|url=https://tools.ietf.org/html/rfc4347#section-4.1.2.2|title=Datagram Transport Layer Security|last=N.|first=Modadugu,|last2=E.|first2=Rescorla,|website=tools.ietf.org|language=en|access-date=2017-10-25}} 17. ^{{Cite web|url=https://tools.ietf.org/html/rfc6347#section-7|title=Datagram Transport Layer Security Version 1.2|last=Eric|first=Rescorla,|last2=Nagendra|first2=Modadugu,|website=tools.ietf.org|language=en|access-date=2017-10-25}} 18. ^{{Cite web|url=https://tools.ietf.org/html/rfc7507|title=TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks|last=Bodo|first=Moeller,|last2=Adam|first2=Langley,|website=tools.ietf.org|language=en|access-date=2017-10-25}} 19. ^{{Cite web|url=https://tools.ietf.org/html/rfc7507|title=TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks|last=Bodo|first=Moeller,|last2=Adam|first2=Langley,|website=tools.ietf.org|language=en|access-date=2017-10-25}} 20. ^{{Cite web|url=https://tools.ietf.org/html/rfc6655|title=AES-CCM Cipher Suites for Transport Layer Security (TLS)|last=Daniel|first=Bailey,|last2=David|first2=McGrew,|website=tools.ietf.org|language=en|access-date=2017-10-26}} 21. ^{{Cite journal|last=Perelmen|first=Vladislav|date=June 29, 2012|title=Security in IPv6-enabled Wireless Sensor Networks: An Implementation of TLS/DTLS for the Contiki Operating System|url=http://cnds.eecs.jacobs-university.de/archive/msc-2012-vperelman.pdf|journal=|volume=|pages=38|via=}} 22. ^{{Cite web|url=https://tools.ietf.org/html/rfc7250|title=Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)|last=Samuel|first=Weiler,|last2=John|first2=Gilmore,|website=tools.ietf.org|language=en|access-date=2017-12-07|last3=Hannes|first3=Tschofenig,|last4=Tero|first4=Kivinen,|last5=Paul|first5=Wouters,}} 23. ^{{IETF RFC|5246}}, p. 41 24. ^{{Cite web|url=https://tools.ietf.org/html/rfc5246#appendix-A.4.1|title=The Transport Layer Security (TLS) Protocol Version 1.2|last= 25. ^{{IETF RFC|5246}}, pp. 42–43, 64 26. ^{{Cite web|url=https://tools.ietf.org/html/rfc5246#section-7.4.1.2|title=The Transport Layer Security (TLS) Protocol Version 1.2|last= 2 : Secure communication|Transport Layer Security |
||||||||||||||||||||
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。