27

Please correct me if I'm wrong, but my understanding is that SSLv3 and TLSv1 is just a rename of the earlier protocol... but TLSv1 adds the ability to have secured and unsecured traffic on the same port.

What are the differences and benefits of all the newer specs of TLS?

AviD
  • 72,138
  • 22
  • 136
  • 218
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • I think "TLSv1 adds the ability to have secured and unsecured traffic on the same port" is a misunderstanding due to some application (typically e-mail clients) having a user option they call "SSL" and "TLS" meaning "SSL/TLS from the beginning" or "switching to SSL/TLS via something like STARTTLS" (within the initial application protocol, e.g. SMTP). You can turn a plain socket into an SSL one too (by initiating a handshake as you would with TLS). See http://stackoverflow.com/questions/3660798/what-happens-on-the-wire-when-a-tls-ldap-or-tls-http-connection-is-set-up/3661416#3661416 – Bruno May 15 '11 at 15:12

2 Answers2

26

I like this blog entry by yaSSL describing the differences: http://www.yassl.com/yaSSL/Blog/Entries/2010/10/7_Differences_between_SSL_and_TLS_Protocol_Versions.html

I copied the key snippets from the blog to here:

"SSL 3.0 [..] Some major improvements of SSL 3.0 over SSL 2.0 are:

  • Separation of the transport of data from the message layer
  • Use of a full 128 bits of keying material even when using the Export cipher
  • Ability of the client and server to send chains of certificates, thus allowing organizations to use certificate hierarchy which is more than two certificates deep.
  • Implementing a generalized key exchange protocol, allowing Diffie-Hellman and Fortezza key exchanges as well as non-RSA certificates.
  • Allowing for record compression and decompression
  • Ability to fall back to SSL 2.0 when a 2.0 client is encountered

TLS 1.0 [..] This was an upgrade from SSL 3.0 and the differences were not dramatic, but they are significant enough that SSL 3.0 and TLS 1.0 don't interoperate. Some of the major differences between SSL 3.0 and TLS 1.0 are:

  • Key derivation functions are different
  • MACs are different - SSL 3.0 uses a modification of an early HMAC while TLS 1.0 uses HMAC.
  • The Finished messages are different
  • TLS has more alerts
  • TLS requires DSS/DH support

TLS 1.1 [..] is an update to TLS 1.0. The major changes are:

  • The Implicit Initialization Vector (IV) is replaced with an explicit IV to protect against Cipher block chaining (CBC) attacks.
  • Handling of padded errors is changed to use the bad_record_mac alert rather than the decryption_failed alert to protect against CBC attacks.
  • IANA registries are defined for protocol parameters
  • Premature closes no longer cause a session to be non-resumable.

TLS 1.2 [..] Based on TLS 1.1, TLS 1.2 contains improved flexibility. The major differences include:

  • The MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with cipher-suite-specified PRFs.
  • The MD5/SHA-1 combination in the digitally-signed element was replaced with a single hash. Signed elements include a field explicitly specifying the hash algorithm used.
  • There was substantial cleanup to the client's and server's ability to specify which hash and signature algorithms they will accept.
  • Addition of support for authenticated encryption with additional data modes.
  • TLS Extensions definition and AES Cipher Suites were merged in.
  • Tighter checking of EncryptedPreMasterSecret version numbers.
  • Many of the requirements were tightened
  • Verify_data length depends on the cipher suite
  • Description of Bleichenbacher/Dlima attack defenses cleaned up.
Bruno
  • 10,765
  • 1
  • 39
  • 59
Tate Hansen
  • 13,714
  • 3
  • 40
  • 83
6

According to the Wikipedia article (if this can be trusted):

  • TLS version 1.1:
    • Added protection against Cipher block chaining (CBC) attacks.
    • The implicit Initialization Vector (IV) was replaced with an explicit IV.
    • Change in handling of padding errors.
    • Support for IANA registration of parameters.
  • TLS version 1.2
    • The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher-suite specified PRFs.
    • The MD5-SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option to use cipher-suite specific hash algorithms.
    • The MD5-SHA-1 combination in the digitally-signed element was replaced with a single hash negotiated during handshake, defaults to SHA-1.
    • Enhancement in the client's and server's ability to specify which hash and signature algorithms they will accept.
    • Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of Advanced Encryption Standard encryption.
    • TLS Extensions definition and Advanced Encryption Standard CipherSuites were added.
AviD
  • 72,138
  • 22
  • 136
  • 218
  • It would be nice if someone can shed some background on why those changes were made, and how important they are. – makerofthings7 Nov 22 '10 at 16:41
  • 1
    Most of them are to fix cryptography flaws, the rest are for support of additional crypto algorithms, or for flexibility in defining those algorithms. Why? a. to fix the flaws / increase security, b. to provide more flexibility in situations and platforms that require it. How important? well, how important are security and flexibility to you? – AviD Nov 22 '10 at 16:47
  • My security requirements are relative to the given application/task. Mobile devices with weak CPU's demand one standard. PII information demands another standard. Each scenario may be different. Perhaps I should pose the remainder of my questions to the upcoming crypto forum. – makerofthings7 Nov 22 '10 at 17:06
  • @makerofthings7: That's exactly the point. With more flexibility comes the ability to change the protocol to better meet your requirements and constraints. – AviD Nov 22 '10 at 21:02