Tuesday, May 31, 2022

What is SSL? | What is SSL Ceritificate? | SSL Architecture and Protocols | Secure Socket Layer | SSL Protocol Stack | Purpose of SSL

 

SSL Architecture & Protocol

SSL is developed by Netscape Communication. SSL stands for “Secure Socket Layer”.

SSL stands for Secure Socket Layer.

What is SSL?

SSL is a protocol for establishing secure links between networked computers.

Purpose of SSL

SSL provides confidentiality, authentication and data integrity in internet communication. SSL is the predecessor to the modern TLS encryption used today.

Figure: Connection using HTTP

In above figure user interact with server but server uses only normal http, it shows unsecured connection between server and client. Hacker or attacker can capture the message from unsecured connection. Username and password are also sent in plain text form. It means hacker or attacker get user’s sensitive information.

Figure: Connection using HTTPS (use of SSL Certificate)

In above figure user interact with server and server user secure https, it shows secure connection between client and server. SSL certificate is added at server side. So, http use SSL, it converts into https. Connection is secured, it means all the data in encrypted from during transmission. Hacker or attacker cannot get any information from that connection.

 

What is an SSL Certificate?

An SSL certificate is a bit of code on your web server that provides security for online communications. When a web browser contacts your secured website, the SSL certificate enables an encrypted connection. It's kind of like sealing a letter in an envelope before sending it through the mail. Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users.

 

SSL Architecture (Watchvideo to understand with animation)

The current version of SSL is 3.0. SSL is works in between application layer and transport layer the reason SSL is also called TLS (Transport Layer Security).

Figure: SSL Protocol Stack

SSL encrypt the data received from application layer of client machine and add its own header (SSL header) into the encrypted data and send encrypted data to the server side. SSL is not a single protocol to perform security tasks there are two layers of sub-protocols which supports SSL there are the SSL handshake protocol, SSL change cipher specification, SSL alert protocol and the SSL record protocol shown in architecture.

SSL Handshake Protocol: Connection establishment.

SSL Change Spec Protocol: Use of required cipher techniques for data encryption.

SSL Alert Protocol: Alert (warning, error if any) generation.

SSL Record Protocol: Encrypted data transmission and encapsulation of the data sent by the higher layer protocols. Two important SSL concepts are the SSL Connection and the SSL Session.

SSL Connection: It is a transport that provides a suitable type of service. Each connection is associated with one SSL session.

SSL Session: It is a set of cryptographic security parameters which can be shared among multiple SSL connections. An SSL session is an association between a client and a server.

 

SSL Protocols (Watchvideo to understand with animation)

SSL Handshake Protocol

Figure: SSL Handshake Protocol Action

Phase 1: Establishing security capabilities

Client Hello:

The highest SSL version number which the client can support.

A session ID that defines the session.

There is a cipher suite parameter that contains the entire cryptographic algorithm which supports client’s system.

A list of compression methods that can be supported by client system.

Server Hello:

The highest SSL version number which the server can support.

A session ID that defines the session.

A cipher suite contains the list of all cryptographic algorithms that is sent by the client which the server will select the algorithm.

A list of compression method sent by the client from which the server will select the method.

Phase 2: Server Authentication and Key Exchange

Certificate: The server sends a certificate message to authentication itself to the client. If the key exchange algorithm is Diffie-Hellman than no need of authentication.

Server key exchange: This is optional. It is used only if the server doesn’t sends its digital certificate to client.

Certificate Request: The server can request for the digital certificate of client. The client’s authentication is optional.

Server Hello done: The server message hello done is the last message in phase 2, this indicates to the client that the client can now verify all the certificates received by the server. After this hello message done, the server waits for the client-side response in phase 3.

Phase 3: Client Authentication and Key Exchange

Client Certificate: It is optional, it is only required if the server had requested for the client’s digital certificate. If client doesn’t have certificate, it can be sending no certificate message. Then it is up to server’s decision whether to continue with the session or to abort the session.

Client key exchange: The client sends a client key exchange, the contents in this message are based on key exchange algorithms between both the parties.

Certificate Verify: It is necessary only if the server had asked for client authentication. The client has already sent its certificate to the server. Bit additionally if server wants then the client has to prove that it is authorized holder of the private key. The sever can verify the message with its public key already sent to ensure that the certificate belongs to client.

Phase 4: Finish

Change cipher spec: It is a client-side messages telling about the current status of cipher protocols and parameters which has been made active from pending state.

Finished: This message announces the finish of the handshaking protocol from client side.

Change cipher spec: This message is sent by server to show that it has made all the pending state of cipher protocols and parameters to active state.

Finished: This message announces the finish of the handshaking protocol from server and finally handshaking is totally completed.

 

SSL Change Cipher Spec Protocol

Figure: SSL Change Cipher Spec Protocol Format

SSL Change Cipher Spec Protocol is upper layer protocol. It is the simplest protocol. This protocol consists of only single byte with value “1”, as shown in figure. It consists of single message only. It copies pending state to current state, which updates the cipher suite to be used to this connection.

 

SSL Alert Protocol

 Figure Shows Alert Protocol Format

Figure: SSL Alert Protocol Format

SSL uses the Alert protocol for reporting error that is detected by client or server, the party which detects error sends an alert message to other party. If error is serious than both parties terminate the session.

Table shows the types of alert messages. SSL alert protocol is the last protocol of SSL used transmit alerts, if any via SSL record protocol to the client or server.

The SSL alert protocol format is shown in figure. Alert protocol uses two bytes to generate alert. First 1 byte indicates two values either 1 or 2. “1” value indicate warning and “2” indicate a fatal error.

Whereas second 1 byte indicates predefined error code either the server or client detects any error it sends an alert containing the error.


SSL Record Protocol

After completion of successful SSL handshaking the keen role of SSL record protocol starts now. SSL record protocol is second sub-protocol of SSL also called lower-level protocol. As defined earlier the SSL record protocol is responsible for encrypted data transmission and encapsulation of the data sent by the higher layer protocols also to provide basic security services to higher layer protocols. SSL records protocol provides different service like data authentication; data confidentiality through encryption algorithm and data integrity through message authentication to SSL enabled connections.

The record protocol provides two services in SSL connection:

Confidentiality: This can be achieved by using secret key, which is already defined by handshake protocol.

Integrity: The handshake protocol defines a shared secret key that is used to assure the message integrity.

Following are the operation performed in Record protocol after connection is established and authentication is done of both client and server.

Figure: SSL Reccord Protocol Operation

Fragmentation: The original message that is to be sent it broken into blocks. The size of each block is less than or equal to 214 bytes.

Compression: The fragmented blocks are compressed which is optional. It should be noted that the compression process must not result into loss of original data.

Addition of MAC: A short piece of information used to authenticate a message for integrity and assurance of message.

Encryption: The overall steps including message is encrypted using symmetric key but the encryption should not increase the overall block size.

Append Header: After all the above operation, header is added in the encrypted block which contains following fields.

Content type: It specifies which protocol is used for processing.

Major version: It specifies the major version of SSL used, for example if SSL version 3.1 is in use than this field contains 3.

Minor version: It specifies minor version of SSL used, for example version 3.0 is in use than field contains 0.

Compressed length: It specifies the length in bytes of the original plain text block.

Figure shows SSL record protocol header format.

Figure: SSL Record Format

To learn more about Socket Programming Functions, Click here

Watch more videos click here.

1 comment: