secure socket layer (ssl)
TRANSCRIPT
SSLSecure Socket Layer
Srishti Thakkar
Manish Jain
Nehal Dudani
Samip Jain
1
• It is an Internet protocol for secure exchange of information between a web browser and a web server
• It provides
▫ Authentication
▫ Confidentiality
• Developed by Netscape Corporation in 1994
• Currently comes in three versions : 2, 3 and 3.1
2
3
Application Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
SSL Layer
4
X
L5 data
010101010100010101010010
Transmission medium
H4L5 data
H3L4 data
Application
Transport
Internet
Physical
H2L3 data Data Link
Y
L5 data
010101010100010101010010
H4L5 data
H3L4 data
H2L3 data
5
X
L5 data
010101010100010101010010
Transmission medium
H4L5 data
H3L4 data
Application
Transport
Internet
Physical
L5 data SSLSH
H2L3 data Data Link
Y
L5 data
010101010100010101010010
H4L5 data
H3L4 data
L5 data SH
H2L3 data
6
7
1 • Handshake protocol
2 • Record protocol
3 • Change Cipher protocol
4 • Alert protocol
8
Type Length Content
1 byte 3 bytes 1 or more bytes
Message Format
9
Message Type Parameters
Hello request None
Client hello Version, Random number, Session id, Cipher suite,Compression method
Server hello Version, Random number, Session id, Cipher suite,Compression method
Certificate Chain of X.509V3 certificates
Server key exchange Parameters, signature
Certificate request Type, authorities
Server hello done None
Certificate verify Signature
Client key exchange Parameters, signature
Finished Hash value
10
1• Establish security capabilities
2• Server authentication and key exchange
3• Client authentication and key exchange
4• Finish
11
• Used to initiate logical connection and establish security capabilities.
• Consists of two messages
▫ Client hello
▫ Server hello
12
Web Browser
Web Server
Step 1: Client hello
Step 2: Server hello
13
• Identifies highest version of SSL that client can supportVersion
• 32 bit date time field• 28 byte random number
Random
• Variable length session identifier• Can be zero (new session) or non zero (connection exists)
Session id
• Contains list of cryptographic algorithms supported by the clientCipher suite
• Contains list of compression algorithms supported by the client
Compression method
14
• Identifies lower of version suggested by client and highest supported by serverVersion
• Same structure as that in client hello• Random value independent of client’s value
Random
• Uses same value if client sends non zero value• Otherwise creates new session id
Session id
• Contains single cipher suite which server selects from the list sent by clientCipher suite
• Contains single compression algorithm which server selects from the list sent by client
Compression method
15
16
Web Browser
Web ServerStep 2: Server key exchange
Step 3: Certificate request
Step 4: Server hello done
Step 1: Certificate
17
• Server sends its Digital certificate • Helps the to authenticateCertificate
• Sent only if the certificate does not contain enough information to complete the key exchange
Server key exchange
• Sent if the client needs to authenticate itselfCertificate
request
• Sent to indicate that the server is finished its part of the key exchange
• after sending this message the server waits for client response
Server hello done
18
Web Browser
Web Server
Step 1: Certificate
Step 2: Client key exchange
Step 3: Certificate verify
19
• will send a certificate message or a no certificate alertCertificate
• always sent• RSA encrypted pre-master secret
Client key exchange
• sent only if the client sent a certificate• provides client authentication• contains signed hash of all the previous handshake
messages
Certificate verify
20
Master secret
Pre master secret
Client random Server random
Message Digest Algorithm
21
Symmetric Key
Master secret Client random Server random
Message Digest Algorithms
22
Web Browser
Web Server
Step 1: Change cipher specs
Step2 : Finished
Step 3: Change cipher specs
Step 4: Finished
• Provide two services for SSL connections:
Confidentiality: by encrypting application data.
Message Integrity: by computing MAC over the compressed data.
• Can be utilized by some upper-layer protocols of SSL.
24
≤ 214 bytes
(optional; default: null)
25
SSL MAC is computed as:
hash(MAC_write_secret || pad_2 ||
hash(MAC_write_secret || pad_1 || seq_num ||
SSLCompressed.type || SSLCompressed.length ||
SSLCompressed.fragment ) )
26
27
2 byte alert message 1 byte level
Fatal or warning 1 byte
Alert Code
28
Warning or fatal
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed(21),
record_overflow(22),
decompression_failure(30),
handshake_failure(40),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
29
Always fatalunexpected_messagesbad_record_macdecompression_failurehandshake_failureillegal_parameter
30
Remaining alertsclose_notifyno_certificatebad_certificateunsupported_certificatecertificate_revokedcertificate_expiredcertificate_unknown
31
Authentication of server
– How does client know who they are dealing with?
Information integrity– How do we know third party has not altered data en
route?
Bob’s web
siteAlice thinks she is at Bob’s site, but Darth is
spoofing it
Bob’s web
siteAddress information
Change so item shipped to Darth
32
There are several versions of the SSL protocol defined. The latest version, the Transport Layer Security Protocol (TLS), is based on SSL 3.0
SSL Version 1.0
SSL Version 2.0
SSL Version 3.0
TLS Version 1.0
TLS Version 1.0 with SSL Version 3.0
33
www.aiub.edu
34
www.gmail.com
35
www.varsityadmission.com
36
37
https://www.digicert.com/ssl.htm http://www.webopedia.com/TERM/S/SSL.html http://en.wikipedia.org/wiki/Transport_Layer_Security
38