Secure Socket Layer (SSL)
Download as PPTX, PDF8 likes7,586 views
SSL (Secure Socket Layer) is an internet protocol ensuring secure communication between web browsers and servers, providing authentication and confidentiality. Developed by Netscape in 1994, it consists of multiple protocols including the handshake, record, change cipher, and alert protocols, facilitating secure data exchange. The latest version, TLS, evolved from SSL 3.0, incorporating enhancements for secure data transmission.
Secure Socket Layer (SSL)
- 1. SSL Secure Socket Layer Srishti Thakkar Manish Jain Nehal Dudani Samip Jain 1
- 2. • It is an Internet protocol for secure exchange of information between a web browser and a web server • It provides ▫ Authentication ▫ Confidentiality • Developed by Netscape Corporation in 1994 • Currently comes in three versions : 2, 3 and 3.1 2
- 3. 3
- 4. Application Layer Transport Layer Internet Layer Data Link Layer Physical Layer SSL Layer 4
- 5. X L5 data 010101010100010101010010 Transmission medium H4L5 data H3L4 data Application Transport Internet Physical H2L3 data Data Link Y L5 data 010101010100010101010010 H4L5 data H3L4 data H2L3 data 5
- 6. X L5 data 010101010100010101010010 Transmission medium H4L5 data H3L4 data Application Transport Internet Physical L5 data SSLSH H2L3 data Data Link Y L5 data 010101010100010101010010 H4L5 data H3L4 data L5 data SH H2L3 data 6
- 7. 7
- 8. 1 • Handshake protocol 2 • Record protocol 3 • Change Cipher protocol 4 • Alert protocol 8
- 9. Type Length Content 1 byte 3 bytes 1 or more bytes Message Format 9
- 10. Message Type Parameters Hello request None Client hello Version, Random number, Session id, Cipher suite, Compression method Server hello Version, Random number, Session id, Cipher suite, Compression method Certificate Chain of X.509V3 certificates Server key exchange Parameters, signature Certificate request Type, authorities Server hello done None Certificate verify Signature Client key exchange Parameters, signature Finished Hash value 10
- 11. 1 • Establish security capabilities 2 • Server authentication and key exchange 3 • Client authentication and key exchange 4 • Finish 11
- 12. • Used to initiate logical connection and establish security capabilities. • Consists of two messages ▫ Client hello ▫ Server hello 12
- 13. Web Browser Web Server Step 1: Client hello Step 2: Server hello 13
- 14. • Identifies highest version of SSL that client can supportVersion • 32 bit date time field • 28 byte random number Random • Variable length session identifier • Can be zero (new session) or non zero (connection exists) Session id • Contains list of cryptographic algorithms supported by the clientCipher suite • Contains list of compression algorithms supported by the client Compression method 14
- 15. • Identifies lower of version suggested by client and highest supported by serverVersion • Same structure as that in client hello • Random value independent of client’s value Random • Uses same value if client sends non zero value • Otherwise creates new session id Session id • Contains single cipher suite which server selects from the list sent by clientCipher suite • Contains single compression algorithm which server selects from the list sent by client Compression method 15
- 16. 16 Web Browser Web ServerStep 2: Server key exchange Step 3: Certificate request Step 4: Server hello done Step 1: Certificate
- 17. 17 • Server sends its Digital certificate • Helps the to authenticateCertificate • Sent only if the certificate does not contain enough information to complete the key exchange Server key exchange • Sent if the client needs to authenticate itself Certificate request • Sent to indicate that the server is finished its part of the key exchange • after sending this message the server waits for client response Server hello done
- 18. 18 Web Browser Web Server Step 1: Certificate Step 2: Client key exchange Step 3: Certificate verify
- 19. 19 • will send a certificate message or a no certificate alertCertificate • always sent • RSA encrypted pre-master secret Client key exchange • sent only if the client sent a certificate • provides client authentication • contains signed hash of all the previous handshake messages Certificate verify
- 20. 20 Master secret Pre master secret Client random Server random Message Digest Algorithm
- 21. 21 Symmetric Key Master secret Client random Server random Message Digest Algorithms
- 22. 22 Web Browser Web Server Step 1: Change cipher specs Step2 : Finished Step 3: Change cipher specs Step 4: Finished
- 23. • Provide two services for SSL connections: Confidentiality: by encrypting application data. Message Integrity: by computing MAC over the compressed data. • Can be utilized by some upper-layer protocols of SSL.
- 24. 24 ≤ 214 bytes (optional; default: null)
- 25. 25 SSL MAC is computed as: hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment ) )
- 26. 26
- 27. 27 2 byte alert message 1 byte level Fatal or warning 1 byte Alert Code
- 31. 31 Authentication of server – How does client know who they are dealing with? Information integrity – How do we know third party has not altered data en route? Bob’s web siteAlice thinks she is at Bob’s site, but Darth is spoofing it Bob’s web siteAddress information Change so item shipped to Darth
- 32. 32 There are several versions of the SSL protocol defined. The latest version, the Transport Layer Security Protocol (TLS), is based on SSL 3.0 SSL Version 1.0 SSL Version 2.0 SSL Version 3.0 TLS Version 1.0 TLS Version 1.0 with SSL Version 3.0
- 33. 33 www.aiub.edu
- 34. 34 www.gmail.com
- 36. 36
- 37. 37 https://www.digicert.com/ssl.htm http://www.webopedia.com/TERM/S/SSL.html http://en.wikipedia.org/wiki/Transport_Layer_Security
- 38. 38