Network Security 2: 2 TLS 2.3.1 Handshake Overview
Introduction
This tutorial provides an overview of the Transport Layer Security (TLS) handshake process, specifically focusing on the TLS-RSA, TLS-DH, and TLS-DHE handshake families. Understanding these handshake mechanisms is essential for ensuring secure communications over the internet. This guide will break down the key concepts and steps involved in each handshake type.
Step 1: Understanding TLS Handshake Families
TLS handshakes establish a secure connection between a client and a server. The three primary handshake families are:
- TLS-RSA (Rivest-Shamir-Adleman)
  - Utilizes public-key cryptography for secure key exchange.
  - The server's RSA public key is used to encrypt a pre-master secret, which is sent to the server.
- TLS-DH (Diffie-Hellman)
  - Implements a key exchange method allowing two parties to establish a shared secret over an insecure channel.
  - Each party generates a private-public key pair and exchanges public keys to compute a shared secret.
- TLS-DHE (Diffie-Hellman Ephemeral)
  - A variant of TLS-DH that uses ephemeral keys for each session.
  - Enhances security by ensuring that the shared secret is unique to each session and not reused.
Step 2: Exploring the TLS-RSA Handshake Process
The TLS-RSA handshake involves the following steps:
- Client Hello
  - The client sends a "Hello" message to the server, including supported TLS versions and cipher suites.
- Server Hello
  - The server responds with its chosen TLS version and cipher suite.
- Server Certificate
  - The server sends its digital certificate, containing its public key.
- Key Exchange
  - The client generates a pre-master secret and encrypts it with the server's public key before sending it.
- Session Keys Creation
  - Both parties derive session keys from the pre-master secret.
- Finished Messages
  - Both client and server send messages to confirm that the handshake is complete.
Practical Tip: Ensure the server’s certificate is valid to avoid man-in-the-middle attacks.
Step 3: Understanding the TLS-DH Handshake Process
The TLS-DH handshake consists of the following steps:
- Client Hello
  - Similar to the TLS-RSA handshake, the client initiates a connection.
- Server Hello
  - The server responds with its selected parameters.
- Server Parameters
  - The server sends its public key parameters for the DH exchange.
- Client DH Parameters
  - The client generates its own DH parameters and sends the public key to the server.
- Shared Secret Calculation
  - Both parties compute the shared secret using their private keys and the received public keys.
- Session Keys Creation
  - Session keys are derived from the shared secret.
- Finished Messages
  - Confirmation messages are exchanged to finalize the handshake.
Common Pitfall: Always validate the server's parameters to prevent rejection of the handshake.
Step 4: Exploring the TLS-DHE Handshake Process
The TLS-DHE handshake follows steps similar to those of the TLS-DH handshake but adds ephemeral key generation:
- Client Hello and Server Hello
  - Initiation messages are exchanged as in previous handshakes.
- Server Parameters
  - The server sends its public DH parameters.
- Client DH Parameters
  - The client generates ephemeral DH parameters and sends its public key.
- Shared Secret Calculation
  - Both parties calculate a shared secret using their private ephemeral keys.
- Session Keys Creation
  - Unique session keys are generated for the session.
- Finished Messages
  - Both parties confirm the successful completion of the handshake.
Practical Tip: Using ephemeral keys enhances security by ensuring keys are not reused.
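The DH/DHE message flow of Steps 3 and 4, as an added Python example that is not part of the original tutorial: the client validates the server's (p, g, y_s) before using it (the check the Common Pitfall in Step 3 calls for), both sides compute the shared secret from ephemeral private values, and session keys are derived from it. Assumptions: a demo-sized safe-prime group is generated at runtime with a Fermat test, g = 4, and a simplified HMAC-SHA256 key schedule stands in for the real TLS PRF; all function and parameter names are mine.

```python
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=32):
    # Fermat test with random bases; adequate for a demo group, not for production parameter generation
    return n > 3 and all(pow(secrets.randbelow(n - 3) + 2, n - 1, n) == 1 for _ in range(rounds))

def gen_safe_prime(bits):
    # p = 2q + 1 with q prime; demo size only, real TLS groups are >= 2048 bits
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def validate_server_dh_params(p, g, y_s, min_bits):
    # Client-side check of the ServerKeyExchange values: reject small, composite or out-of-range parameters
    if p.bit_length() < min_bits or p % 2 == 0 or not is_probable_prime(p):
        return False
    if not (2 <= g <= p - 2 and 2 <= y_s <= p - 2):
        return False
    q = (p - 1) // 2  # for a safe prime, g and y_s must lie in the order-q subgroup (no small-subgroup values)
    return pow(g, q, p) == 1 and pow(y_s, q, p) == 1

def derive_session_keys(shared_secret, client_random, server_random):
    # Simplified key schedule (HMAC-SHA256); stands in for the TLS 1.2 PRF, it is not a copy of it
    premaster = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    master = hmac.new(premaster, b"master secret" + client_random + server_random, hashlib.sha256).digest()
    block = hmac.new(master, b"key expansion" + server_random + client_random, hashlib.sha256).digest()
    return {"client_write_key": block[:16], "server_write_key": block[16:]}

def tls_dhe_exchange(bits=256):
    # Message flow: Hello randoms, ServerKeyExchange (p, g, y_s), ClientKeyExchange y_c, shared secret, keys
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    p, g = gen_safe_prime(bits), 4  # g = 2^2 is a quadratic residue, so it generates the order-q subgroup
    q = (p - 1) // 2
    x_s, x_c = secrets.randbelow(q - 2) + 2, secrets.randbelow(q - 2) + 2  # ephemeral private values
    y_s, y_c = pow(g, x_s, p), pow(g, x_c, p)  # public values exchanged on the wire
    if not validate_server_dh_params(p, g, y_s, min_bits=bits):
        raise ValueError("server DH parameters rejected")
    server_keys = derive_session_keys(pow(y_c, x_s, p), client_random, server_random)
    client_keys = derive_session_keys(pow(y_s, x_c, p), client_random, server_random)
    return {"p": p, "g": g, "server_keys": server_keys, "client_keys": client_keys}
```

Because x_s and x_c are fresh per run and are not stored anywhere, a later compromise of the server's long-term key does not reveal the session keys of this run; that is the property the Practical Tip above refers to.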
Conclusion
In this tutorial, we have explored the TLS handshake process, focusing on the TLS-RSA, TLS-DH, and TLS-DHE families. Each handshake type has its unique mechanisms and use cases, but all aim to establish a secure communication channel. Understanding these processes is crucial for anyone involved in network security.
Next steps may include implementing a TLS handshake in a secure application or further studying the security implications of these mechanisms in real-world scenarios.