Unlocking TLS: Design Goals, History, and Modern Secure Communication
This article explores the TLS protocol in depth, outlining its design objectives, cryptographic foundations, historical evolution, detailed handshake and record layer mechanisms, security analyses, common pitfalls, and lessons for designing robust modern encrypted communication protocols.
Recently I have found cryptography fascinating and relevant to my work, so I took notes on TLS protocol analysis and wrote down some reflections.
Cryptography theory is deep and concept‑rich; my knowledge is limited, so errors may exist—please point them out.
Goals of this article:
Appreciate the design of the TLS protocol and understand its principles and key details.
Review the history and progress of cryptographic applications.
Organize general approaches to designing modern encrypted communication protocols.
This article assumes readers have a clear, systematic understanding of modern cryptography; references are provided at the end.
Table of contents:
TLS Protocol Analysis and Modern Encrypted Communication Protocol Design
I. Design Goals of the TLS Protocol:
1. Cryptographic Methodology
2. TLS Design Goals
3. History of TLS
II. Principles of the TLS Protocol
1. Top-Down, Layered Abstraction
2. TLS CipherSuite
3. Protocol Layering
4. Record Protocol
4.1. SecurityParameters
4.2. Record Layer Fragmentation
4.3. Record Layer Cryptographic Protection
4.4. Record Layer Cryptographic Protection -- MAC
4.5. Record Layer Cryptographic Protection -- Stream Cipher
4.6. Record Layer Cryptographic Protection -- CBC Block Cipher
4.7. Record Layer Cryptographic Protection -- AEAD Cipher
4.8. Record Layer Cryptographic Protection -- Key Expansion
5. Handshake Protocol
5.1. Overall Handshake Flow
5.2. Outer Structure of the Handshake Protocol
5.3. handshake -- ClientHello, ServerHello, HelloRequest
5.4. handshake -- Server Certificate
5.5. handshake -- Server Key Exchange
5.6. handshake -- Certificate Request
5.7. handshake -- Server Hello Done
5.8. handshake -- Client Certificate
5.9. handshake -- Client Key Exchange
5.9.1. RSA-Encrypted Premaster Secret Message
5.9.2. Client Diffie-Hellman Public Key
5.9.3. Client EC Diffie-Hellman Public Key
5.10. handshake -- Certificate Verify
5.11. handshake -- Finished
5.12. handshake -- NewSessionTicket
6. ChangeCipherSpec Protocol
7. Alert Protocol
8. Application Data Protocol
9. Security Analysis of the TLS Protocol
9.1. Security of Authentication and Key Exchange
9.2. Version Rollback Attacks
9.3. Attacks on the Handshake
9.4. Attacks on Resuming Sessions
9.5. Attacks on Application Data Protection
9.6. Security of Explicit IVs
9.7. Security of Encryption-and-MAC Composition Modes
9.8. Security under DoS Attacks
9.9. Security Analysis of Session Tickets
10. TLS Extensions:
11. TLS's Companion: The PKI System
11.1. X.509 Certificates
11.2. Problems Exposed in the Existing PKI System
12. Historical TLS Vulnerabilities and Common Cryptographic Pitfalls
12.1. TLS Vulnerabilities
12.2. Common Cryptographic Pitfalls
13. Next-Generation TLS: TLS 1.3
III. Code Implementations of the TLS Protocol
IV. Deploying and Tuning the TLS Protocol
V. More Encrypted Communication Protocol Cases: QUIC, iMessage, TextSecure, OTR, iOS HomeKit, libsodium
1. QUIC
2. Apple iOS iMessage
3. Apple iOS HomeKit
4. TextSecure
5. OTR Protocol
6. libsodium/NaCl and Others
VI. Lessons from TLS -- Modern Encrypted Communication Protocol Design
VII. Appendix: Basic Cryptographic Concepts
VIII. References:
1. TLS/SSL-Related RFCs and Standards
2. Protocol Analysis Articles
3. Practical Deployment and Tuning
4. Cryptography
5. Related Open-Source Projects
I. Design Goals of TLS
1. Cryptographic Methodology
Cryptography differs from software development: it is a science with strict specifications, rigorous modeling, and mathematical proofs. There is little room for trade‑offs—correct is correct, wrong is wrong. Historically, governments have invested heavily in cryptographic research, making it a fierce arms race.
Cryptographic protocols are high‑risk; using a standard, open, widely‑deployed protocol like TLS is recommended.
Decades of cryptographic development have produced many sophisticated attacks; most developers lack the expertise to evaluate or invent algorithms, so following industry‑standard practices is safest.
Modern cryptography has advanced rapidly; for a developer, understanding basic concepts and correctly configuring TLS is already a significant achievement.
Cryptographic algorithms are easy to misuse. Common pitfalls include:
Choosing the AES mode, padding scheme, IV/nonce size, key size, MAC algorithm, and the way encryption and MAC are combined.
Confusing RSA variants such as RSASSA‑PKCS1‑v1_5, RSAES‑OAEP, and RSASSA‑PSS.
Other mistakes documented in a recommended StackExchange Q&A.
Implementation errors (e.g., Heartbleed, faulty RNGs, timing side‑channel bugs) can introduce severe vulnerabilities.
Never design cryptographic protocols with partial knowledge; open‑source, peer‑reviewed components reduce risk.
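The pitfalls listed above (how to combine encryption and MAC, nonce size and uniqueness, constant-time comparison) are concrete enough to show in code. The following is an added example written for this summary; it is not code from the original article or from the WeChat backend team. It uses only the Python standard library, so the cipher is a constructed toy keystream (HMAC-SHA256 in counter mode) standing in for AES-CTR/AES-GCM; the composition rules it demonstrates (separate encryption and MAC keys, encrypt-then-MAC with the nonce under the tag, verify before decrypt, constant-time tag comparison, and why a reused nonce is fatal with any stream-style cipher) are the point, not the keystream itself.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

NONCE_LEN = 12  # 96-bit nonce, the size AEAD ciphers such as AES-GCM use in TLS 1.2/1.3
TAG_LEN = 32    # HMAC-SHA256 output


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CONSTRUCTED toy stream cipher: HMAC-SHA256(enc_key, nonce || counter) blocks.
    Stands in for a real cipher so the example runs offline; do not use as a cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Independent encryption and MAC keys from one master secret (TLS derives both
    from its key block the same way; sharing one key for both roles is a classic pitfall)."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: output is nonce || ciphertext || tag, tag over nonce and ciphertext."""
    enc_key, mac_key = derive_keys(master)
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh, unpredictable nonce per message
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly NONCE_LEN bytes")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(master: bytes, sealed: bytes) -> bytes:
    """Verify the tag first, in constant time; decrypt only if it matches."""
    enc_key, mac_key = derive_keys(master)
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare, not ==
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def is_rejected(master: bytes, sealed: bytes) -> bool:
    """True when open_ refuses the message (tampered, truncated, or wrong key)."""
    try:
        open_(master, sealed)
    except ValueError:
        return True
    return False


def nonce_reuse_leaks(master: bytes, m1: bytes, m2: bytes, nonce: bytes) -> bool:
    """Why nonce uniqueness matters: under a reused nonce the two ciphertexts XOR to the
    XOR of the plaintexts, so the MAC cannot save confidentiality. Returns True if so."""
    c1 = seal(master, m1, nonce)[NONCE_LEN:-TAG_LEN]
    c2 = seal(master, m2, nonce)[NONCE_LEN:-TAG_LEN]
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(m1, m2))
    return ct_xor == pt_xor


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    msg = seal(key, b"application data")
    print(open_(key, msg))
    print("tampered rejected:", is_rejected(key, msg[:-1] + bytes([msg[-1] ^ 1])))
```

The receive path mirrors what a correct TLS record layer does: length check, then MAC check, then decryption, with the failure reported identically for every reason so that error behaviour does not leak which check failed.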
2. TLS Design Objectives
The TLS protocol aims to provide a secure transport layer on top of connection‑oriented transports (e.g., TCP) with the following properties:
Cryptographic security:
Confidentiality – encryption ensures message privacy.
Integrity – MAC verification detects tampering.
Authentication – mutual authentication via certificates prevents impersonation.
Interoperability – any implementation that follows the public RFC can interoperate without patent restrictions.
Extensibility – the TLS extension mechanism allows adding new features.
Efficiency – session caching and proper deployment yield high performance.
These goals will be addressed throughout the article.
3. History of TLS
1995: SSL 2.0 introduced by Netscape; quickly deprecated due to serious flaws.
1996: SSL 3.0 standardized; now insecure and must be disabled.
1999: TLS 1.0 released as the successor to SSL.
2006: TLS 1.1 (RFC 4346) fixed CBC‑related issues such as BEAST.
2008: TLS 1.2 (RFC 5246) improved security; widely deployed.
Post‑2015: TLS 1.3 under development, supporting 0‑RTT and removing non‑AEAD ciphers.
Since SSL versions are obsolete, the remainder of the series will refer to TLS exclusively.
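Deciding which of the versions above a client is actually offering is a routine defender task (audit captures, alert on obsolete offers). The parser below is an added example for this summary, not code from the original article; it reads the TLS record header and ClientHello as laid out in RFC 5246 (content type, version, length; handshake type, 3-byte length, client_version, random, session_id, cipher_suites, compression_methods, extensions) and, for TLS 1.3 clients, the supported_versions extension (type 43, RFC 8446), since their client_version field still says TLS 1.2. SSL 2.0 uses a different record format and is not handled. The sample ClientHellos are constructed by the helper at the bottom; the "obsolete" set marks SSL 3.0 per the article and TLS 1.0/1.1 per RFC 8996.

```python
import struct
from typing import Dict, List, Tuple

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
# SSL 3.0 per the history above; TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
OBSOLETE = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SUPPORTED_VERSIONS = 43


def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), "unknown (%d.%d)" % (major, minor))


def _take(buf: bytes, off: int, n: int) -> Tuple[bytes, int]:
    """Bounds-checked slice; every length field is checked before it is trusted."""
    if off + n > len(buf):
        raise ValueError("truncated at offset %d (need %d bytes)" % (off, n))
    return buf[off:off + n], off + n


def parse_client_hello(record: bytes) -> Dict[str, object]:
    hdr, off = _take(record, 0, 5)
    ctype, rec_major, rec_minor, rec_len = struct.unpack(">BBBH", hdr)
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % ctype)
    body, _ = _take(record, off, rec_len)
    hs_hdr, _ = _take(body, 0, 4)
    if hs_hdr[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello (handshake type %d)" % hs_hdr[0])
    ch, _ = _take(body, 4, int.from_bytes(hs_hdr[1:4], "big"))

    off = 0
    ver, off = _take(ch, off, 2)                      # client_version
    _, off = _take(ch, off, 32)                       # random
    sid_len, off = _take(ch, off, 1)
    _, off = _take(ch, off, sid_len[0])               # session_id
    cs_len, off = _take(ch, off, 2)
    cipher_suites, off = _take(ch, off, struct.unpack(">H", cs_len)[0])
    cm_len, off = _take(ch, off, 1)
    _, off = _take(ch, off, cm_len[0])                # compression_methods

    supported: List[str] = []
    if off < len(ch):                                 # extensions are optional
        ext_len, off = _take(ch, off, 2)
        exts, off = _take(ch, off, struct.unpack(">H", ext_len)[0])
        eoff = 0
        while eoff < len(exts):
            et, eoff = _take(exts, eoff, 2)
            el, eoff = _take(exts, eoff, 2)
            edata, eoff = _take(exts, eoff, struct.unpack(">H", el)[0])
            if struct.unpack(">H", et)[0] == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]                          # list length in bytes, then 2-byte pairs
                pairs, _ = _take(edata, 1, n)
                supported = [version_name(pairs[i], pairs[i + 1]) for i in range(0, n - 1, 2)]

    # A TLS 1.3 client advertises 1.3 only in supported_versions; older clients
    # advertise their maximum in client_version.
    offered = supported or [version_name(ver[0], ver[1])]
    return {
        "record_version": version_name(rec_major, rec_minor),
        "client_version": version_name(ver[0], ver[1]),
        "offered_versions": offered,
        "cipher_suite_count": len(cipher_suites) // 2,
        "obsolete_offered": sorted(v for v in offered if v in OBSOLETE),
    }


def build_client_hello(client_version: Tuple[int, int], supported_versions: List[Tuple[int, int]],
                       cipher_suites: List[int]) -> bytes:
    """CONSTRUCTED sample ClientHello (zero random, empty session id, null compression)
    wrapped in a record whose version is TLS 1.0, as many clients send for compatibility."""
    cs = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body = bytes(client_version) + bytes(32) + b"\x00" + struct.pack(">H", len(cs)) + cs + b"\x01\x00"
    if supported_versions:
        sv = b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 1 + len(sv)) + bytes([len(sv)]) + sv
        body += struct.pack(">H", len(ext)) + ext
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BBBH", CONTENT_HANDSHAKE, 3, 1, len(hs)) + hs


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello((3, 3), [(3, 4), (3, 3)], [0x1301, 0xC02F])))
    print(parse_client_hello(build_client_hello((3, 0), [], [0x000A])))
```

Feeding this the first record of each captured connection gives a quick inventory of which clients still offer SSL 3.0 or TLS 1.0/1.1, which is the evidence needed before those versions are switched off on a server.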
Further content will be covered in subsequent articles.
This article has been distilled and summarized from source material and republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
WeChat Backend Team
Official account of the WeChat backend development team, sharing their experience in large-scale distributed system development.