Advanced Network Security (presentation slide transcript)
Secure Socket Layer (SSL)
• World's most widely used security mechanism on the Internet
• Secures communication between a client and a server
• Located between the Application and Transport Layers of the TCP/IP protocol suite
Position of SSL in TCP/IP
Application Layer
SSL Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
Fig 6.9
Data Exchange including SSL
Host X                    | Layer        | Host Y
L5 data                   | Application  | L5 data
L5 data + SH (SSL header) | SSL          | L5 data + SH (SSL header)
L5 data + H4              | Transport    | L5 data + H4
L4 data + H3              | Internet     | L4 data + H3
L3 data + H2              | Data Link    | L3 data + H2
010101010100010101010010  | Physical     | 010101010100010101010010
Transmission medium (between X and Y)
Fig 6.10
SSL Handshake Messages
Message type         | Parameters
Hello request        | None
Client hello         | Version, random number, session id, cipher suite, compression method
Server hello         | Version, random number, session id, cipher suite, compression method
Certificate          | Chain of X.509 V3 certificates
Server key exchange  | Parameters, signature
Certificate request  | Type, authorities
Server hello done    | None
Certificate verify   | Signature
Client key exchange  | Parameters, signature
Finished             | Hash value
Fig 6.12
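As an added example (not part of the presentation), the following Python builds and parses a ClientHello carrying exactly the parameters listed in the table above: version, random number, session id, cipher suite list and compression methods. The field sizes follow the SSL 3.0 / TLS 1.0 wire format; the version value, cipher suite codes and the deterministic random bytes in the sample are constructed for this illustration, and the parser rejects any length field that does not match the data actually present, which is the check a receiving implementation must make before trusting the message.

```python
"""Build and parse a minimal SSL/TLS ClientHello handshake message.

Added example, not from the presentation. The ClientHello carries exactly the
parameters in the handshake table (version, random number, session id, cipher
suite list, compression methods). Field sizes follow the SSL 3.0 / TLS 1.0 wire
format; the sample values below are constructed for this illustration."""
import struct

HANDSHAKE_CLIENT_HELLO = 1   # handshake message type code for ClientHello
TLS_1_0 = 0x0301             # version field: major 3, minor 1 (SSL 3.0 would be 0x0300)


def build_client_hello(version, random32, session_id, cipher_suites, compression_methods):
    """Serialize a ClientHello: 1-byte type, 3-byte length, then the fields."""
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes (4-byte time + 28 random bytes)")
    if len(session_id) > 32:
        raise ValueError("session id is at most 32 bytes")
    body = struct.pack("!H", version) + random32
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    # Handshake header: one type byte followed by a 3-byte big-endian length
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse a ClientHello, checking every length field against the data present."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match payload")
    pos = 0

    def take(n):
        # Consume n bytes from the body, refusing to read past its end
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    random32 = take(32)
    session_id = take(take(1)[0])                     # 1-byte length, then the id
    suites_len = struct.unpack("!H", take(2))[0]      # 2-byte length of the suite list
    if suites_len % 2:
        raise ValueError("cipher suite list must be an even number of bytes")
    raw = take(suites_len)
    cipher_suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    compression_methods = list(take(take(1)[0]))      # 1-byte length, then one byte each
    if pos != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {"version": version, "random": random32, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression_methods": compression_methods}


def sample_client_hello():
    """Constructed sample: TLS 1.0, fixed random bytes, two RSA suites, null compression.
    0x002F = TLS_RSA_WITH_AES_128_CBC_SHA, 0x000A = TLS_RSA_WITH_3DES_EDE_CBC_SHA."""
    return build_client_hello(TLS_1_0, bytes(range(32)), b"", [0x002F, 0x000A], [0])


if __name__ == "__main__":
    print(parse_client_hello(sample_client_hello()))
```

The same length-checked `take` pattern applies to every other handshake message in the table; the ServerHello differs only in carrying a single chosen cipher suite and compression method instead of lists.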
SSL Handshake Process (Web Browser <-> Web Server)
1. Establish security capabilities
2. Server authentication and key exchange
3. Client authentication and key exchange
4. Finish
Fig 6.13
SSL Handshake - Phase 2 (Web Server -> Web Browser)
Step 1: Certificate
Step 2: Server key exchange
Step 3: Certificate request
Step 4: Server hello done
Fig 6.15
SSL Handshake - Phase 4
Web Browser -> Web Server:
Step 1: Change cipher specs
Step 2: Finished
Web Server -> Web Browser:
Step 3: Change cipher specs
Step 4: Finished
Fig 6.17
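The four phases above fix the order in which handshake messages may arrive. As an added example (not code from the presentation), the following Python tracker encodes that order and rejects any message that arrives out of sequence, which is the check an SSL endpoint should make before acting on a message such as Finished. The phase 1, 2 and 4 orders are taken from the figures; the phase 3 order (optional client Certificate, Client key exchange, optional Certificate verify) is assumed from the SSL 3.0 / TLS 1.0 specification, since the slides list those messages without showing the phase 3 figure.

```python
"""Track the order of SSL handshake messages across the four phases.

Added example, not code from the presentation. Optional messages may be skipped;
any message out of order, or a certificate_verify without a preceding client
certificate, raises HandshakeError. The phase 3 order is assumed from the
SSL 3.0 / TLS 1.0 specification."""

# (sender, message, optional, phase) in the order the handshake allows
STEPS = [
    ("client", "client_hello",        False, 1),
    ("server", "server_hello",        False, 1),
    ("server", "certificate",         True,  2),
    ("server", "server_key_exchange", True,  2),
    ("server", "certificate_request", True,  2),
    ("server", "server_hello_done",   False, 2),
    ("client", "certificate",         True,  3),
    ("client", "client_key_exchange", False, 3),
    ("client", "certificate_verify",  True,  3),
    ("client", "change_cipher_spec",  False, 4),
    ("client", "finished",            False, 4),
    ("server", "change_cipher_spec",  False, 4),
    ("server", "finished",            False, 4),
]


class HandshakeError(Exception):
    """Raised when a message arrives out of the order the handshake allows."""


class HandshakeTracker:
    def __init__(self):
        self.next_step = 0            # index into STEPS of the next expected message
        self.client_cert_sent = False  # certificate_verify is only valid after a client cert

    @property
    def complete(self):
        return self.next_step == len(STEPS)

    def feed(self, sender, message):
        """Accept one message and return its phase number, or raise HandshakeError."""
        i = self.next_step
        while i < len(STEPS):
            exp_sender, exp_msg, optional, phase = STEPS[i]
            if (exp_sender, exp_msg) == (sender, message):
                if message == "certificate_verify" and not self.client_cert_sent:
                    raise HandshakeError("certificate_verify without a client certificate")
                if sender == "client" and message == "certificate":
                    self.client_cert_sent = True
                self.next_step = i + 1
                return phase
            if not optional:
                # The expected message is mandatory, so nothing else may arrive here
                raise HandshakeError(f"expected {exp_sender} {exp_msg}, got {sender} {message}")
            i += 1  # skip an optional message that was not sent
        raise HandshakeError("handshake already complete")


def run_full_handshake():
    """Constructed sample flow: server certificate sent, no client certificate requested."""
    tracker = HandshakeTracker()
    flow = [("client", "client_hello"), ("server", "server_hello"),
            ("server", "certificate"), ("server", "server_hello_done"),
            ("client", "client_key_exchange"),
            ("client", "change_cipher_spec"), ("client", "finished"),
            ("server", "change_cipher_spec"), ("server", "finished")]
    phases = [tracker.feed(sender, msg) for sender, msg in flow]
    return phases, tracker.complete


if __name__ == "__main__":
    print(run_full_handshake())
```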
SSL Record Protocol
Application data
Fragmentation
Compression
Addition of MAC
Encryption
Append header
Fig 6.20
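The five record protocol steps listed above, carried out on real bytes, as an added example that is not part of the presentation. The sender fragments application data into pieces of at most 2^14 bytes, compresses each one, appends a MAC, encrypts, and prepends the 5-byte record header (content type, version, length); the receiver reverses the steps and refuses any record whose MAC does not verify. Assumptions made here: the MAC is HMAC-SHA256 computed in the TLS style over the sequence number, type, version, length and fragment; the "encryption" keystream is derived with HMAC-SHA256 in counter mode purely to stand in for whatever cipher the handshake negotiated; zlib stands in for the negotiated compression method; keys and sample data are constructed.

```python
"""Simplified SSL/TLS record protocol: fragment, compress, MAC, encrypt, add header.

Added example, not code from the presentation. Assumptions: HMAC-SHA256 as the MAC
(TLS style, covering sequence number, type, version, length and fragment); a
keystream derived from HMAC-SHA256 in counter mode standing in for the negotiated
cipher; zlib standing in for the negotiated compression; constructed keys and data."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # SSL/TLS fragments plaintext into pieces of at most 16 KiB
CONTENT_APPLICATION_DATA = 23   # record content type for application data
VERSION = 0x0301                # version written into the record header (constructed: TLS 1.0)
MAC_LEN = 32                    # HMAC-SHA256 output size


class RecordError(Exception):
    """Raised when a received record fails its header or integrity checks."""


def _keystream(enc_key, seq, length):
    # Illustrative stand-in for the negotiated cipher: HMAC-SHA256 in counter mode,
    # keyed per record by the sequence number so no two records share a keystream
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac(mac_key, seq, ctype, payload):
    # The sequence number in the MAC input is what lets the receiver detect replay
    # and reordering of records
    header = struct.pack("!QBHH", seq, ctype, VERSION, len(payload))
    return hmac.new(mac_key, header + payload, hashlib.sha256).digest()


def protect(data, mac_key, enc_key, seq_start=0):
    """Sender side: turn application data into a list of protected records."""
    records = []
    seq = seq_start
    for i in range(0, len(data), MAX_FRAGMENT):
        fragment = data[i:i + MAX_FRAGMENT]                                   # 1. fragmentation
        compressed = zlib.compress(fragment)                                 # 2. compression
        mac = _mac(mac_key, seq, CONTENT_APPLICATION_DATA, compressed)       # 3. addition of MAC
        plaintext = compressed + mac
        ciphertext = _xor(plaintext, _keystream(enc_key, seq, len(plaintext)))  # 4. encryption
        header = struct.pack("!BHH", CONTENT_APPLICATION_DATA, VERSION, len(ciphertext))
        records.append(header + ciphertext)                                  # 5. append header
        seq += 1
    return records


def unprotect(records, mac_key, enc_key, seq_start=0):
    """Receiver side: verify and unwrap records, raising RecordError on any tampering."""
    data = b""
    seq = seq_start
    for rec in records:
        if len(rec) < 5:
            raise RecordError("record shorter than its header")
        ctype, version, length = struct.unpack("!BHH", rec[:5])
        ciphertext = rec[5:]
        if version != VERSION or len(ciphertext) != length:
            raise RecordError("record header does not match payload")
        plaintext = _xor(ciphertext, _keystream(enc_key, seq, len(ciphertext)))
        if len(plaintext) < MAC_LEN:
            raise RecordError("record too short to carry a MAC")
        compressed, mac = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
        # Verify the MAC before decompressing, so corrupted data never reaches zlib
        if not hmac.compare_digest(mac, _mac(mac_key, seq, ctype, compressed)):
            raise RecordError(f"MAC check failed on record {seq}")
        data += zlib.decompress(compressed)
        seq += 1
    return data


if __name__ == "__main__":
    mk, ek = b"mac-key-constructed", b"enc-key-constructed"
    sample = bytes(range(256)) * 160        # constructed 40960-byte application message
    recs = protect(sample, mk, ek)
    print(len(recs), "records;", "round trip ok" if unprotect(recs, mk, ek) == sample else "mismatch")
```

Because the sequence number is part of the MAC input, swapping two records or replaying an old one fails the integrity check even though each record's own bytes are intact; that is the property the receiver relies on when it rejects a record rather than passing its contents up to the application.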
SHTTP and SSL Positions
Application Layer, SHTTP
SSL Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
Fig 6.24
SSL versus SET
Issue                           | SSL                                                              | SET
Main aim                        | Exchange of data in an encrypted form                            | E-commerce related payment mechanism
Certification                   | Two parties exchange certificates                                | All the involved parties must be certified by a trusted third party
Authentication                  | Mechanisms in place, but not very strong                         | Strong mechanisms for authenticating all the parties involved
Risk of merchant fraud          | Possible, since customer gives financial data to merchant        | Unlikely, since customer gives financial data to payment gateway
Risk of customer fraud          | Possible, no mechanisms exist if a customer refuses to pay later | Customer has to digitally sign payment instructions
Action in case of customer fraud | Merchant is liable                                              | Payment gateway is liable
Practical usage                 | High                                                             | Low at the moment, expected to grow
Fig 6.40