Readers are invited to a brief overview of the draft standardization recommendations defining the use of Russian cryptographic algorithms in the TLS 1.2 protocol (hereinafter simply the draft recommendations).
The Transport Layer Security (TLS) protocol is one of the most widely used protocols for establishing a secure communication channel on the Internet. It is based on the SSL (Secure Sockets Layer) version 3.0 specification but has undergone quite a few changes over its lifetime. The current version is TLS 1.2; TLS 1.3 is expected to be released in the near future.
The TLS protocol consists of two layers. At the lower layer is the TLS Record protocol, which runs on top of a transport protocol with guaranteed delivery (such as TCP). The Record protocol ensures the confidentiality and integrity of the data transmitted over the channel. On top of the Record protocol run the Alert protocol, the Change Cipher Spec protocol, the Application Data protocol and the Handshake protocol. The first three solve essentially no cryptographic tasks; the main interest here is the Handshake protocol, which is responsible for authenticating the parties and deriving the security parameters needed to protect data at the Record protocol layer.
In 2015 the new standards GOST R 34.12-2015 and GOST R 34.13-2015 were issued, describing two block ciphers, Kuznyechik (Grasshopper) and Magma, together with their modes of operation. As a result it became necessary to integrate these algorithms into new cipher suites for TLS 1.2. Another important task facing the document's authors was producing a complete and self-contained Russian-language description of one of the largest and hardest-to-understand modern network protocols. That task has been accomplished.
The draft recommendations under development define two new cipher suites:
The first is based on the Kuznyechik block cipher, the second on the Magma block cipher.
Let us look in more detail at what, besides the new encryption algorithms, has been added to TLS 1.2 with the Russian cipher suites.
The basic principles of the Handshake protocol in the new cipher suites are almost unchanged from the previous version of the domestic cipher suites. In short, the main secret parameter, the premaster secret (PMS), is generated by the client and sent to the server encrypted under the server's public key. The server is authenticated by the fact that it correctly recovers the PMS using its private key. The client, where required, is authenticated with a signature.
The main cryptographic innovations in the Handshake protocol are as follows:
Unlike the Handshake protocol, the Record protocol resembles neither its counterpart in the previous version of the national recommendations nor the foreign variants. It implements the latest results on securing a communication channel and on minimizing key load (the amount of data processed under one key). The keys involved in data protection form a hierarchy (root key, intermediate-level keys, message-processing keys and section keys), which increases the number of messages that can be processed while staying within a safe key load. This hierarchy is built with external and internal re-keying mechanisms, whose positive properties have been proven in a number of works by both foreign (see the work of Abdalla and Bellare) and domestic cryptographers (see here and here). The mechanisms are realized through the CTR-ACPKM encryption mode and the TLSTREE key diversification function. These approaches to reducing key load are described in a draft RFC that is also currently being developed under the guidance of domestic specialists.
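As an added illustration (not code from the draft recommendations or from the post), the following Python sketch shows the tree-shaped key diversification described above: a root key is narrowed level by level using a masked record sequence number, so upper-level keys are re-derived rarely and leaf keys often, which is what keeps the data processed under any one key bounded. HMAC-SHA256 stands in for HMAC-Streebog, the KDF input layout and the level masks are assumptions chosen for the demo rather than the standard's constants, and the section-level re-keying inside CTR-ACPKM is not shown.

```python
import hashlib
import hmac

ROOT_KEY = bytes(range(32))  # constructed 256-bit root key for the demo

# Illustrative level masks (an assumption of this example, not the standard's
# constants): each level ignores fewer low bits of the record sequence number,
# so top-level keys change rarely and leaf keys change often.
LEVEL_MASKS = (
    0xFFFFFFFFFFFF0000,  # level 1: a fresh key every 2**16 records
    0xFFFFFFFFFFFFFF00,  # level 2: a fresh key every 2**8 records
    0xFFFFFFFFFFFFFFF0,  # level 3: a fresh key every 2**4 records
)


def kdf(key: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA256 replaces HMAC-Streebog (GOST R 34.11-2012);
    the input layout label | 0x00 | seed is a simplification, not the standard's."""
    return hmac.new(key, label + b"\x00" + seed, hashlib.sha256).digest()


def key_path(root_key: bytes, seqnum: int, masks=LEVEL_MASKS) -> list:
    """Keys at every level of the tree for record number `seqnum`.
    The last element is the key that actually processes the record."""
    path, key = [], root_key
    for level, mask in enumerate(masks, start=1):
        # Masking makes every record in the same subtree derive the same key here.
        seed = (seqnum & mask).to_bytes(8, "big")
        key = kdf(key, b"level%d" % level, seed)
        path.append(key)
    return path


def tlstree(root_key: bytes, seqnum: int) -> bytes:
    """Record-processing key for record `seqnum` (the leaf of key_path)."""
    return key_path(root_key, seqnum)[-1]


def shared_levels(root_key: bytes, seq_a: int, seq_b: int) -> int:
    """How many tree levels, counted from the root, two records have in common.
    Fewer shared levels means more of the hierarchy was re-derived between them."""
    shared = 0
    for ka, kb in zip(key_path(root_key, seq_a), key_path(root_key, seq_b)):
        if ka != kb:
            break
        shared += 1
    return shared


if __name__ == "__main__":
    for a, b in ((5, 7), (15, 16), (16, 300), (0, 1 << 16)):
        print(f"records {a:>6} and {b:>6}: share {shared_levels(ROOT_KEY, a, b)} of 3 levels")
```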
The resulting document is a fully self-contained description and, despite its considerable size, is readable and well structured. Besides the description of the algorithms, the annex contains a detailed log of a protocol run, broken down by the fields of the structures used. Such test vectors greatly simplify understanding the details of the protocol's operation.
At present the identifiers of the developed cipher suites are assigned temporary values from the IANA private-use range. As soon as the draft recommendations are adopted, work on the corresponding RFC is planned to begin immediately.
It is also worth noting that the immediate plans of the experts of the Technical Committee 26 (TC 26) working group include starting development of the next draft recommendations, for cipher suites corresponding to TLS 1.3. Work on that document will begin immediately after approval of the current TLS 1.2 draft in TC 26 and after the release of the new RFC for TLS 1.3.
Source: https://habr.com/ru/post/339978/