TLS Record Layer
At the bottom layer of the TLS protocol is the TLS record layer. The record layer sends blocks of data, called records , between the client and the server. Each block can contain up to 16,383 bytes of data. Quoting from the original SSL specification and RFC 2246, “Client message boundaries are not preserved in the record layer.” This means that if higher-level processes send multiple messages very quickly, those messages may be grouped together into a single record. Alternatively, they might be broken into many records—and they will be broken if they’re longer than 16,383 bytes.
Each TLS record contains the following information:
Content type
Protocol version number
Length
Data payload (optionally compressed and encrypted)
Message Authentication Code (MAC)[229]
Each record is compressed and encrypted according to the current compression algorithm and encryption algorithm. At the start of the connection, the compression function is defined as CompressionMethod.null and the encryption method is TLS_NULL_WITH_NULL_NULL—that is, there is no compression or encryption. Both the compression and encryption algorithms can be set during the “Hello” and changed during the course of the conversation.
The MAC is calculated using the formula:
HMAC_hash( MAC_write_secret, seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length + TLSCompressed.fragment))
where:
seq_num is the sequence number for the message.
HMAC_hash( ) is the hashing algorithm. HMAC is a keyed MAC function ...
Get Web Security, Privacy & Commerce, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.