Unformatted text preview: ecord Protocol
The Record Protocol is responsible for coordinating the client and server sessions.
Message Block Mn
M1 M2 … Mn Key
Exchange .. Key Blocks of equal size such that the
final SSL Record is not bigger
than 214 bytes. Compressed
Cipher HMAC Block
Cipher Padding Enciphered
Stream Ciphers: RC4 40-bit or 128-bit key.
Block Ciphers: DES 56-bit, 3DES 168-bit, or AES-128 VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 38 • First, the client message is divided into message blocks that have arbitrary length but no more than
214 bytes, then compression is applied (optional), and, finally, a message authentication code
(MAC) is computed. The compressed cleartext and the MAC are appended and enciphered using
symmetric encryption, either stream ciphers or block ciphers. If a block cipher is used, some
padding is required so the total data size, compressed message plus MAC plus padding, is a
multiple of the cipher’s block.
• Enciphering the Data: TLS supports data encryption with one of the following symmetric
encryption algorithms: RC4 using 128-bit, DES using 56-bit, 3DES using 168-bit, and AES using
128-bit and 256-bit. Most TLS solutions typically negotiate encryption strength downward to the
level supported by the lowest end of the connection.
• Public Key: Depending on the certificate authority, the key size of the public-key / private-key
pair may be different. VeriSign uses either 512 bits or 1024 bits, depending on the server software.
The VeriSign private key, used to sign certificates, is 1024 bits, and the session key used in the
TLS transaction is the strongest permitted by US Government law (generally either 128 bit or 256
• There are four record protocols: the Handshake Protocol, the Alert Protocol, the Change Cipher
Spec Protocol, and the Application Data Protocol. 38 VPN, IPSec and TLS Handshake Protocol (Session State)
Phase 1 Establishing Security Capabilities
Client_Hello Client Exchang...
View Full Document
- Spring '10
- VPNs, M. Mogollon, IKE v2