written 2.6 years ago by |
fig: WTLS Handshake Protocol:
Handshake Protocol is the most complex part of WTLS . This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in a WTLS record. The Handshake Protocol is used before any application data are transmitted.
The Handshake Protocol consists of a series of messages exchanged by client and server. The above figure shows initial exchange needed to establish a logical connection between client and server.The exchange can be viewed as having four phases they are:
First phase: The first phase is used to initiate a logical connection and to establish the security capabilities that will be associated with it. The exchange is initiated by the client. The client sends a client_hello message that includes a session ID and a list of cryptographic and compression algorithms supported by the client (in decreasing order of preference for each algorithm type). After sending the client_hello message, the client waits for the server_hello message. This message indicates which cryptographic and compression algorithms will be used for the exchange.
Second phase: The second phase is used for server authentication and key exchange. The server begins this phase by sending its public-key certificate, if it needs to be authenticated. Next, a server_key_exchange message may be sent if it is required. This message is needed for certain public-key algorithms used for symmetric key exchange. Next, the server can request a public key certificate from the client, using the certificate_request message.The final message in Phase 2, and one that is always required, is the server_hello_done message, which is sent by the server to indicate the end of the server hello and associated messages. After sending this message, the server will wait for a client response. This message has no parameters.
Third phase: The third phase is used for client authentication and key exchange. Upon receipt ofthe server_hello_done message, the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable.If all is satisfactory, the client sends one or more messages back to the server. If the server has requested a certificate, the client sends a certificate message. Next is the client_key_exchange message, which must be sent in this phase.The content ofthe message depends on the type of key exchange. Finally, in this phase, the client may send a certificate_verifymessage to provide explicit verification of a client certificate.
Fourth phase: The fourth phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec. Note that this message is not considered part of the Handshake Protocol but is sent using the Change Cipher Spec Protocol. The client then immediately sends the finished message under the new algorithms, keys, and secrets. The finished message verifies that the key exchange and authentication processes were successful. In response to these two messages, the server sends its own change_cipher_spec message, transfers the pending to the current CipherSpec, and sends its finished message. At this point the handshake is complete and the client and server may begin to exchange application layer data.