Secure Socket Layer (SSL)

Upload: tamanna-sheikh

Post on 04-Dec-2015


DESCRIPTION

An advanced network security PPT.

Secure Socket Layer (SSL)

• World’s most widely used security mechanism on the Internet

• Secures communication between a client and a server

• Located between the Application and Transport Layers of the TCP/IP protocol suite

Position of SSL in TCP/IP

Application Layer

SSL Layer

Transport Layer

Internet Layer

Data Link Layer

Physical Layer

Fig 6.9

Data Exchange including SSL

| Layer | X | Y |
|---|---|---|
| Application | L5 data | L5 data |
| SSL | L5 data + SH | L5 data + SH |
| Transport | L5 data + H4 | L5 data + H4 |
| Internet | L4 data + H3 | L4 data + H3 |
| Data Link | L3 data + H2 | L3 data + H2 |
| Physical | 010101010100010101010010 | 010101010100010101010010 |

Transmission medium

Fig 6.10

SSL Sub-Protocols

• Handshake Protocol

• Record Protocol

• Alert Protocol

SSL Handshake Message Format

| Type | Length | Content |
|---|---|---|
| 1 byte | 3 bytes | 1 or more bytes |

Fig 6.11

SSL Handshake Messages

| Message Type | Parameters |
|---|---|
| Hello request | None |
| Client hello | Version, Random number, Session id, Cipher suite, Compression method |
| Server hello | Version, Random number, Session id, Cipher suite, Compression method |
| Certificate | Chain of X.509V3 certificates |
| Server key exchange | Parameters, signature |
| Certificate request | Type, authorities |
| Server hello done | None |
| Certificate verify | Signature |
| Client key exchange | Parameters, signature |
| Finished | Hash value |

Fig 6.12
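
The Type/Length/Content framing of Fig 6.11, applied to the message types of Fig 6.12, as an added example that is not part of the original slides. The numeric type codes come from the SSL 3.0/TLS specifications rather than the slides; the function names and the sample bytes are constructed for illustration.

```python
# Type codes for the messages in Fig 6.12, as assigned in the SSL 3.0 / TLS
# specifications (the slides list the names but not the numbers).
HANDSHAKE_TYPES = {
    0: "Hello request", 1: "Client hello", 2: "Server hello",
    11: "Certificate", 12: "Server key exchange", 13: "Certificate request",
    14: "Server hello done", 15: "Certificate verify",
    16: "Client key exchange", 20: "Finished",
}

class HandshakeParseError(ValueError):
    """Raised when the buffer does not hold a whole Type/Length/Content unit."""

def build_handshake_message(msg_type: int, content: bytes) -> bytes:
    """Encode one message: 1-byte type, 3-byte big-endian length, content."""
    if len(content) >= 1 << 24:
        raise ValueError("content too long for a 3-byte length field")
    return bytes([msg_type]) + len(content).to_bytes(3, "big") + content

def parse_handshake_messages(buf: bytes):
    """Split a buffer of back-to-back handshake messages into
    (type_name, content) tuples, checking every length against the buffer."""
    messages, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 4:
            raise HandshakeParseError("truncated header at offset %d" % offset)
        msg_type = buf[offset]
        # The length field is a 24-bit big-endian integer.
        length = int.from_bytes(buf[offset + 1:offset + 4], "big")
        end = offset + 4 + length
        if end > len(buf):
            raise HandshakeParseError(
                "length %d overruns buffer at offset %d" % (length, offset))
        name = HANDSHAKE_TYPES.get(msg_type, "Unknown (%d)" % msg_type)
        messages.append((name, buf[offset + 4:end]))
        offset = end
    return messages

# Constructed sample: a Server hello done (no parameters) followed by a
# Finished message carrying a placeholder 36-byte hash value.
SAMPLE = build_handshake_message(14, b"") + build_handshake_message(20, b"\xaa" * 36)

if __name__ == "__main__":
    for name, content in parse_handshake_messages(SAMPLE):
        print(name, len(content), "bytes")
```

Rejecting a length field that points past the end of the received data, instead of trusting it, is the check a parser for this format must not skip.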

SSL Handshake Process

Web Browser / Web Server

1. Establish security capabilities

2. Server authentication and key exchange

3. Client authentication and key exchange

4. Finish

Fig 6.13

SSL Handshake - Phase 1

Web Browser / Web Server

Step 1: Client hello

Step 2: Server hello

Fig 6.14

SSL Handshake - Phase 2

Web Browser / Web Server

Step 1: Certificate

Step 2: Server key exchange

Step 3: Certificate request

Step 4: Server hello done

Fig 6.15

SSL Handshake - Phase 3

Web Browser / Web Server

Fig 6.16

SSL Handshake - Phase 4

Web Browser / Web Server

1. Change cipher specs

2. Finished

Step 3: Change cipher specs

Step 4: Finished

Fig 6.17

SSL Record Protocol

Application data

Fragmentation

Compression

Addition of MAC

Encryption

Append header

Fig 6.20

SHTTP and SSL Positions

Application Layer, SHTTP

SSL Layer

Transport Layer

Internet Layer

Data Link Layer

Physical Layer

Fig 6.24

SSL versus SET

| Issue | SSL | SET |
|---|---|---|
| Main aim | Exchange of data in an encrypted form | E-commerce related payment mechanism |
| Certification | Two parties exchange certificates | All the involved parties must be certified by a trusted third party |
| Authentication | Mechanisms in place, but not very strong | Strong mechanisms for authenticating all the parties involved |
| Risk of merchant fraud | Possible, since customer gives financial data to merchant | Unlikely, since customer gives financial data to payment gateway |
| Risk of customer fraud | Possible, no mechanisms exist if a customer refuses to pay later | Customer has to digitally sign payment instructions |
| Action in case of customer fraud | Merchant is liable | Payment gateway is liable |
| Practical usage | High | Low at the moment, expected to grow |

Fig 6.40