The SSL Protocol

Version 3.0

Internet Draft

March 1996 (Expires 9/96)

Alan O. Freier, Netscape Communications
Philip Karlton, Netscape Communications
Paul C. Kocher, Independent Consultant


Table of Contents

1. Status of this memo

2. Abstract

3. Introduction

4. Goals

5. Goals of this document

6. Presentation language

6.1 Basic block size
6.2 Miscellaneous
6.3 Vectors
6.4 Numbers
6.5 Enumerateds
6.6 Constructed types
6.6.1 Variants
6.7 Cryptographic attributes
6.8 Constants

7. SSL protocol

7.1 Session and connection states
7.2 Record layer
7.2.1 Fragmentation
7.2.2 Record compression and decompression
7.2.3 Record payload protection and the CipherSpec
7.3 Change cipher spec protocol
7.4 Alert protocol
7.4.1 Closure alerts
7.4.2 Error alerts
7.5 Handshake protocol overview
7.6 Handshake protocol
7.6.1 Hello messages
7.6.2 Server certificate
7.6.3 Server key exchange message
7.6.4 Certificate request
7.6.5 Server hello done
7.6.6 Client certificate
7.6.7 Client key exchange message
7.6.8 Certificate verify
7.6.9 Finished
7.7 Application data protocol

8. Cryptographic computations

8.1 Asymmetric cryptographic computations
8.1.1 RSA
8.1.2 Diffie-Hellman
8.1.3 Fortezza
8.2 Symmetric cryptographic calculations and the CipherSpec
8.2.1 The master secret
8.2.2 Converting the master secret into keys and MAC secrets

Appendices

A. Protocol constant values

A.1 Reserved port assignments
A.1.1 Record layer
A.2 Change cipher specs message
A.3 Alert messages
A.4 Handshake protocol
A.4.1 Hello messages
A.4.2 Server authentication and key exchange messages
A.5 Client authentication and key exchange messages
A.5.1 Handshake finalization message
A.6 The CipherSuite
A.7 The CipherSpec

B. Glossary

C. CipherSuite definitions

D. Implementation Notes

D.1 Temporary RSA keys
D.2 Random Number Generation and Seeding
D.3 Certificates and authentication
D.4 CipherSuites

E. Version 2.0 Backward Compatibility

E.1 Version 2 client hello
E.2 Avoiding man-in-the-middle version rollback

F. Security analysis

F.1 Handshake protocol
F.1.1 Authentication and key exchange
F.1.2 Version rollback attacks
F.1.3 Detecting attacks against the handshake protocol
F.1.4 Resuming sessions
F.1.5 MD5 and SHA
F.2 Protecting application data
F.3 Final notes

G. Patent Statement

References

Authors

Other contributors

Early reviewers

November 1996 text draft
Postscript draft (TGZ or ZIP format)
HTML draft (TGZ or ZIP format)
