TLS
- content type (first byte of the record header)
  - 20 = change_cipher_spec: indicator of switching to the newly negotiated cipher and keys
  - 21 = alert
  - 22 = handshake
  - 23 = application data
- certificate validation compares the Subject Alternative Name to the requested resource name
Client                                                    Server
  Client hello
  (cipher suite, session ID, compression, TLS version, nonce)
  -------------------------------------------------------->
                                                Server hello
  <--------------------------------------------------------
                                                 Certificate
  <--------------------------------------------------------
                                         Certificate request
  <--------------------------------------------------------
                                           Server hello done
  <--------------------------------------------------------
  Certificate
  -------------------------------------------------------->
  Client key exchange
  (TLS version, pre_master)
  -------------------------------------------------------->
  Certificate verify
  -------------------------------------------------------->
  Change cipher spec
  -------------------------------------------------------->
  Finished
  -------------------------------------------------------->
                                          Change cipher spec
  <--------------------------------------------------------
                                                    Finished
  <--------------------------------------------------------
- nonce (the random field of the Client/Server hello) = date/time + pseudorandom (28 bytes)
- pre_master is encrypted with the public key from the server certificate (RSA key exchange)
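The record content types, the Client hello fields and the nonce layout from the notes above, as an added example (not part of the original notes): a parser for one TLS record that classifies it by content type, rejects unknown or oversized records, and decodes a ClientHello into version, random (split into the date/time and 28-byte pseudorandom parts), session ID, cipher suites and compression. The `build_client_hello` helper and its sample values are constructed here only to produce test input; the wire layout follows RFC 5246.

```python
import struct

# Record-layer content types listed in the notes (TLSPlaintext.type)
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
HANDSHAKE_CLIENT_HELLO = 1      # HandshakeType.client_hello
MAX_FRAGMENT = 2 ** 14          # largest TLSPlaintext.fragment (RFC 5246 section 6.2.1)


def parse_record(buf):
    """Split one TLS record off the front of buf.

    Returns (content_type_name, record_version, fragment, remaining_bytes) and
    rejects unknown content types, oversized and truncated records.
    """
    if len(buf) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_FRAGMENT:
        raise ValueError(f"fragment length {length} exceeds 2^14")
    if len(buf) < 5 + length:
        raise ValueError("truncated record")
    return CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length], buf[5 + length:]


def parse_client_hello(fragment):
    """Parse a ClientHello handshake message (TLS 1.2 wire format).

    The 32-byte Random is split into gmt_unix_time (4 bytes) and the 28-byte
    pseudorandom part, matching the nonce layout in the notes.  Any bytes after
    the compression methods are extensions and are returned undecoded.
    """
    if len(fragment) < 4:
        raise ValueError("short handshake header")
    htype = fragment[0]
    hlen = int.from_bytes(fragment[1:4], "big")
    if htype != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"handshake type {htype} is not ClientHello")
    body = fragment[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake body")

    pos = 0
    client_version = (body[pos], body[pos + 1])
    pos += 2
    random_bytes = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    cipher_suites = [int.from_bytes(body[i:i + 2], "big")
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1
    compression = list(body[pos:pos + comp_len])
    pos += comp_len
    return {
        "client_version": client_version,
        "gmt_unix_time": int.from_bytes(random_bytes[:4], "big"),
        "random28": random_bytes[4:],
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression": compression,
        "extensions_raw": body[pos:],
    }


def build_client_hello(gmt_unix_time, random28, session_id, cipher_suites, compression=(0,)):
    """Build a TLS record carrying a minimal ClientHello (constructed test input only)."""
    if len(random28) != 28:
        raise ValueError("random28 must be 28 bytes")
    body = bytes([3, 3])                                   # client_version = TLS 1.2
    body += gmt_unix_time.to_bytes(4, "big") + random28    # Random = time || 28 random bytes
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(cs.to_bytes(2, "big") for cs in cipher_suites)
    body += len(suites).to_bytes(2, "big") + suites
    body += bytes([len(compression)]) + bytes(compression)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([22, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    record = build_client_hello(1600000000, bytes(range(28)), b"", [0xC02F, 0x1301])
    ctype, version, fragment, rest = parse_record(record)
    print(ctype, version, parse_client_hello(fragment))
```

The record version in the header (3,1) and the client_version inside the ClientHello (3,3) are parsed separately on purpose: real clients often send a lower record-layer version for compatibility, and a monitor that keys on the wrong one will misclassify the handshake.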
TLS v1.3
- encrypted SNI (ESNI)
  - deprecated
  - requires DoH
  - encrypts the SNI during the handshake
  - session is aborted if decryption fails
  - TXT record contains the public key
    - key rotation is usually faster than the DNS TTL
    - TXT cannot hold more than one value (e.g., one key per CDN)
    - _esni.example.com
- encrypted Client Hello (ECH)
  - requires DoH
  - inner Client Hello
    - carried as an extension of the outer Client Hello: type = 0xfe0d
    - destined to the real FQDN
    - encrypted with the server public key
    - if decryption fails, the server proceeds with the outer Client Hello
  - HTTPS DNS record
    - ciphersuites
    - public name: used in the outer SNI
    - server public key for encryption
    - DNS NSEC is used to detect the presence of an HTTPS record
    - SNI, ALPN
  - grease ECH: if no public key is available, fill the inner Client Hello with random data; triggers HelloRetry
  - outer Client Hello
    - destined to the ECH provider, i.e., the client-facing server (e.g., CDN)
    - can provide the correct ECH parameters if decryption fails (TLS HelloRetry)
    - allows active MITM if the signing certificate is trusted (inline proxy)
    - can omit post-handshake parameters
DTLS
- RFC 4347
- UDP
  - no sliding window
  - does not retransmit lost real-time traffic
- epoch is increased with ChangeCipherSpec
- handshake functions
  - reordering: sequence number + epoch
  - reliable delivery: sequence number + epoch
  - windowing: time-based, replay protection
- authentication cookie
  - DoS protection
  - requests a Hello retransmit that includes the cookie
  - no CPU-intensive task or resource allocation is done without the cookie
  - retransmit after ~ TCP RTT
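The two DTLS mechanisms above (epoch plus sequence number for replay protection, and the stateless authentication cookie for DoS protection), as an added example that is not part of the original notes. `AntiReplayWindow` implements the 64-bit sliding bitmap of RFC 6347 section 4.1.2.6 and resets when the epoch advances after ChangeCipherSpec; `DtlsCookieServer` implements the HelloVerifyRequest cookie of RFC 6347 section 4.2.1 as an HMAC over the client address and ClientHello fields, so that no per-client state is allocated until the client echoes a valid cookie. The secret, addresses and ClientHello field values in `simulate` are constructed for the demo, and the exact set of fields bound into the cookie is an implementation choice assumed here.

```python
import hashlib
import hmac
import os
import struct


class AntiReplayWindow:
    """Sliding bitmap window over (epoch, sequence number), RFC 6347 section 4.1.2.6.

    Bit 0 of the bitmap is the highest sequence number accepted in the current
    epoch; older numbers map to higher bits.  ChangeCipherSpec bumps the epoch
    and restarts the sequence numbers, so the window resets with it.
    """
    WINDOW = 64

    def __init__(self):
        self.epoch = 0
        self.top = -1      # highest sequence number accepted in self.epoch
        self.bitmap = 0

    def accept(self, epoch, seq):
        """True if the record is new and inside the window, False if it must be dropped."""
        if epoch < self.epoch:
            return False                      # record from a retired epoch
        if epoch > self.epoch:
            self.epoch, self.top, self.bitmap = epoch, -1, 0
        if seq > self.top:                    # newest so far: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.WINDOW:
            return False                      # too old to track: drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


class DtlsCookieServer:
    """Stateless HelloVerifyRequest cookie, RFC 6347 section 4.2.1.

    cookie = HMAC(server_secret, client_ip || client_port || ClientHello fields)
    Nothing is allocated for a client until it echoes a valid cookie.
    """

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # rotated periodically in practice
        self.sessions = {}                       # addr -> AntiReplayWindow

    def _cookie(self, addr, hello):
        ip, port = addr
        # Assumed field set: binding the address stops a cookie from being reused
        # from another source; binding hello fields stops it being reused for a
        # different handshake.
        msg = (ip.encode() + struct.pack("!H", port) + hello["version"]
               + hello["random"] + hello["session_id"] + hello["cipher_suites"])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle_client_hello(self, addr, hello):
        """Return (message type the server sends back or 'drop', cookie or None)."""
        if not hello["cookie"]:
            # First flight: answer statelessly and ask for a retransmit carrying the cookie
            return "HelloVerifyRequest", self._cookie(addr, hello)
        if not hmac.compare_digest(hello["cookie"], self._cookie(addr, hello)):
            return "drop", None                  # invalid cookie: no state, no alert
        # The cookie proves the peer can receive at addr: now allocate connection state
        self.sessions[addr] = AntiReplayWindow()
        return "ServerHello", None


def simulate():
    """Cookie exchange from one client address, then the same cookie from another address."""
    server = DtlsCookieServer(secret=b"constructed-demo-secret")
    client = ("192.0.2.10", 40000)               # constructed sample values
    hello = {"version": b"\xfe\xfd", "random": bytes(32), "session_id": b"",
             "cipher_suites": b"\xc0\x2b", "cookie": b""}
    first, cookie = server.handle_client_hello(client, hello)
    other, _ = server.handle_client_hello(("198.51.100.7", 40000), dict(hello, cookie=cookie))
    second, _ = server.handle_client_hello(client, dict(hello, cookie=cookie))
    return first, other, second, len(server.sessions)


if __name__ == "__main__":
    print(simulate())
    w = AntiReplayWindow()
    print([w.accept(0, s) for s in (0, 5, 3, 3, 0, 100)], w.accept(1, 0), w.accept(0, 7))
```

`simulate()` returns `("HelloVerifyRequest", "drop", "ServerHello", 1)`: the first ClientHello costs the server one HMAC and no memory, the cookie presented from a different source address is silently dropped, and only the retransmit from the original address creates a session. In the replay run, sequence numbers 0, 5, 3 are accepted, the second 3 and the late 0 are rejected as replays, 100 slides the window so that 30 is then too old, and epoch 1 restarts the count while any epoch 0 record is refused.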
SCEP
- Simple Certificate Enrollment Protocol
- HTTP
- RSA certificate
EST
- Enrollment over Secure Transport
- TLS
- EC certificate