Transport Layer Security
===Key exchange or key agreement===
Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see {{section link||Cipher}}). Among the methods used for key exchange/agreement are: public and private keys generated with [[RSA (algorithm)|RSA]] (denoted TLS_RSA in the TLS handshake protocol), [[Diffie–Hellman]] (TLS_DH), ephemeral Diffie–Hellman (TLS_DHE), [[elliptic-curve Diffie–Hellman]] (TLS_ECDH), ephemeral elliptic-curve Diffie–Hellman (TLS_ECDHE), [[Key-agreement protocol#Exponential key exchange|anonymous Diffie–Hellman]] (TLS_DH_anon),{{Ref RFC|5246}} [[TLS-PSK|pre-shared key]] (TLS_PSK)<ref name=RFC4279>{{cite IETF|title=Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)|rfc=4279|publisher=Internet Engineering Task Force|access-date=9 September 2013|author=P. Eronen, Ed.|editor-first1=P |editor-first2=H |editor-last1=Eronen |editor-last2=Tschofenig |date=December 2005}}</ref> and [[TLS-SRP|Secure Remote Password]] (TLS_SRP).<ref name=RFC5054>{{cite IETF|rfc=5054|title=Using the Secure Remote Password (SRP) Protocol for TLS Authentication|publisher=Internet Engineering Task Force|access-date=December 21, 2014|author=D. Taylor, Ed.|date=November 2007}}</ref> The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and are therefore rarely used, because they are vulnerable to [[man-in-the-middle attack]]s. Only TLS_DHE and TLS_ECDHE provide [[#Forward secrecy|forward secrecy]]. Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided.
In July 2013, [[Google]] announced that it would no longer use 1024-bit public keys and would switch instead to 2048-bit keys to increase the security of the TLS encryption it provides to its users because the encryption strength is directly related to the [[key size]].<ref>{{cite web|last=Gothard|first=Peter|title=Google updates SSL certificates to 2048-bit encryption|url=http://www.computing.co.uk/ctg/news/2285984/google-updates-ssl-certificates-to-2048bit-encryption|work=Computing|date=31 July 2013|publisher=Incisive Media|access-date=9 September 2013|url-status=live|archive-url=https://web.archive.org/web/20130922082322/http://www.computing.co.uk/ctg/news/2285984/google-updates-ssl-certificates-to-2048bit-encryption|archive-date=22 September 2013}}</ref><ref>{{Cite news|url=http://searchsecurity.techtarget.com/answer/From-1024-to-2048-bit-The-security-effect-of-encryption-key-length|title=The value of 2,048-bit encryption: Why encryption key length matters|work=SearchSecurity|access-date=2017-12-18|language=en-US|url-status=live|archive-url=https://web.archive.org/web/20180116081141/http://searchsecurity.techtarget.com/answer/From-1024-to-2048-bit-The-security-effect-of-encryption-key-length|archive-date=2018-01-16}}</ref>

{{anchor|keyexchange-table}}
{{sticky header}}
{| class="wikitable sticky-header" style="text-align:center"
|+Key exchange/agreement and authentication
!scope=col|Algorithm
!scope=col|SSL 2.0
!scope=col|SSL 3.0
!scope=col|TLS 1.0
!scope=col|TLS 1.1
!scope=col|TLS 1.2
!scope=col|TLS 1.3
!scope=col|Status
|-
!{{Depends|[[RSA (cryptosystem)|RSA]]}}
|{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}||rowspan=21|Defined for TLS 1.2 in RFCs
|-
!{{Depends|[[Diffie–Hellman key exchange|DH]]-[[RSA (cryptosystem)|RSA]]}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[RSA (cryptosystem)|RSA]] ([[#Forward secrecy|forward secrecy]])}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[Elliptic-curve Diffie–Hellman|ECDH]]-[[RSA (cryptosystem)|RSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[RSA (cryptosystem)|RSA]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[Diffie–Hellman key exchange|DH]]-[[Digital Signature Algorithm|DSS]]}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[Digital Signature Algorithm|DSS]] (forward secrecy)}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}<ref>{{cite web|url=https://www.ietf.org/mail-archive/web/tls/current/msg17680.html|title=Consensus: remove DSA from TLS 1.3|date=September 17, 2015|author=Sean Turner|url-status=live|archive-url=https://web.archive.org/web/20151003193113/http://www.ietf.org/mail-archive/web/tls/current/msg17680.html|archive-date=October 3, 2015}}</ref>
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[Elliptic Curve DSA|ECDSA]] (forward secrecy)}}
|{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{Yes}}
|-
!{{Depends|[[Elliptic-curve Diffie–Hellman|ECDH]]-[[Elliptic Curve DSA|ECDSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[Elliptic Curve DSA|ECDSA]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[EdDSA]] (forward secrecy)}}
|{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{Yes}}
|-
!{{Depends|[[Elliptic-curve Diffie–Hellman|ECDH]]-[[EdDSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[EdDSA]] (forward secrecy)}}<ref>{{IETF RFC|8422}}</ref>
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[TLS-PSK|PSK]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[RSA (cryptosystem)|RSA]]-[[Pre-shared key|PSK]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[Pre-shared key|PSK]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[Pre-shared key|PSK]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[TLS-SRP|SRP]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Depends|[[Secure Remote Password protocol|SRP]]-[[Digital Signature Algorithm|DSS]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Depends|[[Secure Remote Password protocol|SRP]]-[[RSA (cryptosystem)|RSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Depends|[[Kerberos (protocol)|Kerberos]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{dunno}}
|-
!{{Bad|[[Diffie–Hellman key exchange|DH]]-ANON (insecure)}}
|{{N/A|No}}||{{No|Yes}}||{{No|Yes}}||{{No|Yes}}||{{No|Yes}}||{{N/A|No}}
|-
!{{Bad|[[Elliptic-curve Diffie–Hellman|ECDH]]-ANON (insecure)}}
|{{N/A|No}}||{{N/A|No}}||{{No|Yes}}||{{No|Yes}}||{{No|Yes}}||{{N/A|No}}
|-
!{{Good|[[GOST|GOST R 34.10-2012]]<ref name=gostlink>{{IETF RFC|5830|6986|7091|7801|8891}}</ref>}}
|{{No}}||{{No}}||{{No}}||{{No}}||{{Yes}}||{{Yes}}
|Defined for TLS 1.2 and for TLS 1.3 in {{IETF RFC|9189|9367}}.
|}
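
Added example, not part of the article: a small auditor that reads the key exchange and authentication method out of TLS 1.2-style cipher suite names and applies the two rules stated in this section (only DHE and ECDHE give forward secrecy; the anon methods do not authenticate the peer). The names `KeyExchange`, `classify`, `audit` and `SAMPLE` are assumptions of this example, and the suite list is constructed.

```python
from typing import NamedTuple, Optional

class KeyExchange(NamedTuple):
    method: str             # key exchange/agreement, e.g. "ECDHE", "RSA", "DH"
    auth: str               # authentication, e.g. "RSA", "ECDSA", "PSK", "anon"
    forward_secrecy: bool   # per the section: only DHE and ECDHE
    authenticated: bool     # False for the *_anon methods

def classify(suite: str) -> Optional[KeyExchange]:
    """Parse a TLS 1.2-style name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

    Returns None for TLS 1.3-style names (TLS_AES_128_GCM_SHA256), which do
    not encode the key exchange at all.
    """
    if not suite.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {suite!r}")
    prefix, sep, _cipher = suite[4:].partition("_WITH_")
    if not sep:
        return None
    tokens = prefix.split("_")
    method, rest = tokens[0], tokens[1:]
    if method == "SRP" and rest[:1] == ["SHA"]:
        rest = rest[1:]              # TLS_SRP_SHA_RSA_... -> SRP + RSA
    auth = "_".join(rest) or method  # TLS_RSA_..., TLS_PSK_...: one token does both
    return KeyExchange(method, auth, method in ("DHE", "ECDHE"), auth != "anon")

def audit(suites):
    """Map each suite name to the findings the section's rules imply."""
    report = {}
    for name in suites:
        kx = classify(name)
        findings = []
        if kx is None:
            findings.append("key exchange not encoded in name (TLS 1.3 style)")
        else:
            if not kx.authenticated:
                findings.append("anonymous: peer not authenticated")
            if not kx.forward_secrecy:
                findings.append("no forward secrecy")
        report[name] = findings
    return report

# Constructed sample list, not taken from any real server configuration.
SAMPLE = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
          "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```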