SSL Architecture & Protocol
SSL was developed by Netscape Communications. SSL stands for “Secure Sockets Layer”.
What is SSL?
SSL is a protocol for establishing secure links between networked computers.
Purpose of SSL
SSL provides confidentiality, authentication and data integrity in internet communication. SSL is the predecessor to the modern TLS encryption used today.
Figure: Connection using HTTP
In the figure above, the user interacts with a server that uses only plain HTTP, so the connection between server and client is unsecured. An attacker can capture messages from the unsecured connection. The username and password are also sent in plain text, which means the attacker gets the user’s sensitive information.
Figure: Connection using HTTPS (use of SSL Certificate)
In the figure above, the user interacts with a server that uses secure HTTPS, so the connection between client and server is secure. The SSL certificate is added at the server side. When HTTP uses SSL, it becomes HTTPS. The connection is secured, which means all the data is in encrypted form during transmission. An attacker cannot get any information from that connection.
What is an SSL Certificate?
An SSL certificate is a bit of code on your web server that provides security for online communications. When a web browser contacts your secured website, the SSL certificate enables an encrypted connection. It's kind of like sealing a letter in an envelope before sending it through the mail. Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users.
SSL Architecture
The current version of SSL is 3.0. SSL works between the application layer and the transport layer, which is the reason SSL is also called TLS (Transport Layer Security).
Figure: SSL Protocol Stack
SSL encrypts the data received from the application layer of the client machine, adds its own header (the SSL header) to the encrypted data, and sends the encrypted data to the server side. SSL is not a single protocol that performs all security tasks. Two layers of sub-protocols support SSL: the SSL handshake protocol, the SSL change cipher spec protocol, the SSL alert protocol and the SSL record protocol, as shown in the architecture.
SSL Handshake Protocol: Connection establishment.
SSL Change Cipher Spec Protocol: Use of the required cipher techniques for data encryption.
SSL Alert Protocol: Alert (warning, error if any) generation.
SSL Record Protocol: Encrypted data transmission and encapsulation of the data sent by the higher layer protocols.
Two important SSL concepts are the SSL Connection and the SSL Session.
SSL Connection: It is a transport that provides a suitable type of service. Each connection is associated with one SSL session.
SSL Session: It is a set of cryptographic security parameters which can be shared among multiple SSL connections. An SSL session is an association between a client and a server.
SSL Protocols
SSL Handshake Protocol
Figure: SSL Handshake Protocol Action
Phase 1: Establishing security capabilities
Client Hello:
The highest SSL version number which the client can support.
A session ID that defines the session.
A cipher suite parameter that contains all the cryptographic algorithms which the client’s system supports.
A list of compression methods that can be supported by the client system.
Server Hello:
The highest SSL version number which the server can support.
A session ID that defines the session.
A cipher suite: from the list of cryptographic algorithms sent by the client, the server selects the algorithm.
A compression method: from the list of compression methods sent by the client, the server selects the method.
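The Phase 1 negotiation above, as an added example that is not part of the original article: a parser for the ClientHello fields and the server's selection from the client's offers. The byte layout follows the SSL 3.0 specification; the sample message, the server preference lists and all function names are constructed for illustration.

```python
import struct

def parse_client_hello(msg):
    """Parse a handshake message of type client_hello (1) into its fields."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a client_hello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated client_hello")
    pos = 0

    def take(n):
        # Consume n bytes, refusing to read past the end of the message.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    version = tuple(take(2))            # highest version the client supports
    take(32)                            # client random, not needed here
    session_id = take(take(1)[0])       # 1-byte length, then the ID
    suites = take(int.from_bytes(take(2), "big"))
    if len(suites) % 2:
        raise ValueError("odd cipher suite list length")
    suite_ids = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
    compression = list(take(take(1)[0]))
    return {"version": version, "session_id": session_id,
            "cipher_suites": suite_ids, "compression": compression}

def choose_server_hello(hello, max_version=(3, 0), suites=(0x000A, 0x0005), compression=(0,)):
    """Select ServerHello values: server preference order, client's offers only."""
    suite = next((s for s in suites if s in hello["cipher_suites"]), None)
    method = next((c for c in compression if c in hello["compression"]), None)
    if suite is None or method is None:
        raise ValueError("handshake_failure: nothing in common with the client")
    return {"version": min(hello["version"], max_version),
            "cipher_suite": suite, "compression": method}

# Constructed sample: version 3.0, all-zero random, empty session ID,
# cipher suites 0x0005 and 0x000A, one compression method (0 = null).
_BODY = bytes([3, 0]) + bytes(32) + b"\x00" + struct.pack("!HHH", 4, 5, 10) + b"\x01\x00"
SAMPLE_CLIENT_HELLO = b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY
```

The server never picks a value the client did not offer; when the two lists have nothing in common the handshake fails instead of falling back to some default.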
Phase 2: Server Authentication and Key Exchange
Certificate: The server sends a certificate message to authenticate itself to the client. If the key exchange algorithm is Diffie-Hellman, then there is no need for authentication.
Server key exchange: This is optional. It is used only if the server doesn’t send its digital certificate to the client.
Certificate Request: The server can request the digital certificate of the client. The client’s authentication is optional.
Server Hello done: The server hello done message is the last message in phase 2. It indicates to the client that the client can now verify all the certificates received from the server. After this hello done message, the server waits for the client-side response in phase 3.
Phase 3: Client Authentication and Key Exchange
Client Certificate: It is optional; it is only required if the server has requested the client’s digital certificate. If the client doesn’t have a certificate, it can send a no certificate message. It is then up to the server to decide whether to continue with the session or to abort it.
Client key exchange: The client sends a client key exchange message; the contents of this message are based on the key exchange algorithm used between both parties.
Certificate Verify: It is necessary only if the server has asked for client authentication. The client has already sent its certificate to the server, but additionally, if the server wants, the client has to prove that it is the authorized holder of the private key. The server can verify the message with its public key already sent, to ensure that the certificate belongs to the client.
Phase 4: Finish
Change cipher spec: It is a client-side message stating that the cipher protocols and parameters have been made active from the pending state.
Finished: This message announces the finish of the handshake protocol from the client side.
Change cipher spec: This message is sent by the server to show that it has moved all the pending cipher protocols and parameters to the active state.
Finished: This message announces the finish of the handshake protocol from the server side, and the handshake is then fully complete.
SSL Change Cipher Spec Protocol
Figure: SSL Change Cipher Spec Protocol Format
SSL Change Cipher Spec Protocol is an upper-layer protocol. It is the simplest protocol. It consists of a single message only, which is a single byte with the value “1”, as shown in the figure. It copies the pending state to the current state, which updates the cipher suite to be used on this connection.
SSL Alert Protocol
Figure: SSL Alert Protocol Format
SSL uses the Alert protocol to report errors detected by the client or server; the party which detects an error sends an alert message to the other party. If the error is serious, then both parties terminate the session.
Table shows the types of alert messages. The SSL alert protocol is the last protocol of SSL; it is used to transmit alerts, if any, via the SSL record protocol to the client or server.
The SSL alert protocol format is shown in the figure. The alert protocol uses two bytes to generate an alert. The first byte takes one of two values, 1 or 2: “1” indicates a warning and “2” indicates a fatal error.
The second byte indicates a predefined error code: when either the server or the client detects an error, it sends an alert containing that error.
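A decoder for the two upper-layer messages just described, as an added example that is not part of the original article. It assumes unencrypted records, as exchanged before the cipher is switched on, each carrying the 5-byte header (content type, major version, minor version, length) covered in the SSL Record Protocol section; the content-type and alert codes are those of the SSL 3.0 specification, and the sample stream and function names are constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}

def parse_records(stream):
    """Walk a byte stream of unencrypted SSL records and describe each one."""
    events, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not an SSL 3.x record")
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        pos += 5 + length
        if ctype == 20:
            # Change cipher spec: exactly one byte with the value 1.
            if body != b"\x01":
                raise ValueError("malformed change_cipher_spec")
            events.append(("change_cipher_spec",))
        elif ctype == 21:
            # Alert: first byte is the level, second byte the error code.
            if length != 2 or body[0] not in ALERT_LEVELS:
                raise ValueError("malformed alert")
            level, code = body
            events.append(("alert", ALERT_LEVELS[level],
                           ALERT_DESCRIPTIONS.get(code, f"unknown({code})")))
        else:
            events.append((CONTENT_TYPES[ctype], length))
    return events

def session_must_close(events):
    """A fatal alert means both parties terminate the session."""
    return any(e[0] == "alert" and e[1] == "fatal" for e in events)

# Constructed sample: warning close_notify, change cipher spec, fatal handshake_failure.
SAMPLE_STREAM = bytes.fromhex("15030000020100" "140300000101" "15030000020228")
```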
SSL Record Protocol
After the SSL handshake completes successfully, the SSL record protocol takes over. The SSL record protocol is the second sub-protocol of SSL, also called the lower-level protocol. As defined earlier, the SSL record protocol is responsible for encrypted data transmission and encapsulation of the data sent by the higher layer protocols, and also for providing basic security services to higher layer protocols. The SSL record protocol provides different services to SSL-enabled connections, such as data authentication, data confidentiality through an encryption algorithm, and data integrity through message authentication.
The record protocol provides two services in an SSL connection:
Confidentiality: This is achieved by using a secret key, which is already defined by the handshake protocol.
Integrity: The handshake protocol defines a shared secret key that is used to assure message integrity.
The following operations are performed in the Record protocol after the connection is established and both client and server are authenticated.
Figure: SSL Record Protocol Operation
Fragmentation: The original message that is to be sent is broken into blocks. The size of each block is less than or equal to 2^14 bytes.
Compression: The fragmented blocks are compressed, which is optional. It should be noted that the compression process must not result in loss of original data.
Addition of MAC: A short piece of information used to authenticate a message for integrity and assurance of the message.
Encryption: The output of the previous steps, including the message, is encrypted using a symmetric key, but the encryption should not increase the overall block size.
Append Header: After all the above operations, a header is added to the encrypted block, which contains the following fields.
Content type: It specifies which protocol is used for processing.
Major version: It specifies the major version of SSL used; for example, if SSL version 3.1 is in use then this field contains 3.
Minor version: It specifies the minor version of SSL used; for example, if version 3.0 is in use then this field contains 0.
Compressed length: It specifies the length in bytes of the original plain text block.
Figure shows SSL record protocol header format.
Figure: SSL Record Format
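The record operations above, as an added example that is not part of the original article: fragmentation, MAC and header on the sending side, and the matching checks on the receiving side. Assumptions: HMAC-SHA-256 stands in for SSL 3.0's own MAC construction, the optional compression step and the encryption step are left out (Python's standard library has no symmetric cipher), the length field counts the bytes that follow the header, and all function names are constructed.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # fragment size limit from the fragmentation step
APPLICATION_DATA = 23       # SSL 3.0 content type for application data
MAC_LEN = 32                # HMAC-SHA-256 tag length (stand-in MAC)

def record_mac(key, seq, ctype, fragment):
    # The MAC covers the sequence number, content type and length as well as
    # the data, so a reordered, retyped or truncated record fails the check.
    msg = struct.pack("!QBH", seq, ctype, len(fragment)) + fragment
    return hmac.new(key, msg, hashlib.sha256).digest()

def protect(key, message, major=3, minor=0):
    """Sender: fragment the message, add a MAC, prepend the 5-byte header."""
    records = []
    for seq, off in enumerate(range(0, len(message), MAX_FRAGMENT)):
        fragment = message[off:off + MAX_FRAGMENT]
        body = fragment + record_mac(key, seq, APPLICATION_DATA, fragment)
        header = struct.pack("!BBBH", APPLICATION_DATA, major, minor, len(body))
        records.append(header + body)
    return records

def unprotect(key, records):
    """Receiver: check header, size and MAC of each record, then reassemble."""
    out = bytearray()
    for seq, rec in enumerate(records):
        if len(rec) < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
        body = rec[5:]
        if length != len(body) or length < MAC_LEN:
            raise ValueError("bad record length")
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if len(fragment) > MAX_FRAGMENT:
            raise ValueError("fragment larger than 2^14 bytes")
        if not hmac.compare_digest(tag, record_mac(key, seq, ctype, fragment)):
            raise ValueError("bad record MAC")
        out += fragment
    return bytes(out)
```

Because the sequence number is part of the MAC input, two records carrying identical data still get different tags, and swapping them in transit is detected.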
NICE EXPLANATION