written 8.4 years ago by | • modified 8.4 years ago |
SSL Protocol
- SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
- SSL is not a single protocol but rather two layers of protocols, as illustrated in Figure below.
- The SSL Record Protocol provides basic security services to various higher layer Protocols.
- In particular, the Hypertext Transfer Protocol (HTTP), which providesthe transfer service for Web client/server interaction, can operate on top ofSSL.
- Three higher-layer protocols are defined as part of SSL:
- the Handshake Protocol,
- The Change Cipher Spec Protocol,
- The Alert Protocol.
- These SSL-specificprotocols are used in the management of SSL exchanges and are examinedlater in this section.
Two important SSL concepts are the SSL session and the SSL connection,which are defined in the specification as follows.
1. Connection:
- A connection is a transport (in the OSI layering model definition that provides a suitable type of service.
- For SSL, such connections arepeer-to-peer relationships. The connections are transient. Every connection isassociated with one session.
2. Session:
- An SSL session is an association between a client and a server.
- Sessionsare created by the Handshake Protocol. Sessions define a set of cryptographicsecurity parameters which can be shared among multiple connections.
- Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
Handshake Protocol
This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record.
The Handshake Protocol is used before any application data is transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server.
Type (1 byte): Indicates one of 10 messages.
Length (3 bytes): The length of the message in bytes.
Content (bytes): The parameters associated with this message
Phase 1
Establishing Security Capabilities
The exchange is initiated by the client, which sends a client_hellomessage with the following parameters:
Version: The highest SSL version understood by the client.
Random: A client-generated random structure consisting of a 32-bit timestamp and 28 bytes generated by a secure random number generator. These values serve as nonces and are used during key exchange to prevent replay attacks.
Session ID: A variable-length session identifier. A nonzero value indicates that the client wishes to update the parameters of an existing connection or to create a new connection on this session. A zero value indicates that the client wishes to establish a new connection on a new session.
CipherSuite: This is a list that contains the combinations of cryptographic algorithms supported by the client, in decreasing order of preference. Each element of the list (each cipher suite) defines both a key exchange algorithm and a CipherSpec
PHASE 2.
SERVER AUTHENTICATION AND KEY EXCHANGE
- In this phase the server authenticates itself if needed.
- The sender may sends its certificate, its public key and may also request certificate from client.
- At the end server announces that the server Hello process is been done.
After phase 2
- The server is authenticated to the client.
- The client knows the public key of the server if required.
Phase 3
CLIENT KEY EXCHANGE AND AUTHENTICATION
Phase 3 is designed to authenticate the client upto 3 messages are send from client to server.
After phase 3
- The client is authenticated for the server
- Both client and server knows pre- master secret.
Phase 4
FINALIZING AND FINISHING
- In phase 4 client and server send messages to change cipher specification and to finish the handshake protocol
- Four messages are exchanged in this phase as shown below: