Secure Socket Layer (SSL)

INTRODUCTION

Position of SSL in TCP/IP Protocol Suite

Position of SSL(Continue)
Application Layer Data is passed to SSL Layer
SSL Layer Performs encryption on the data received from application
layer, and also adds its own encryption information header, called
SSL Header
SSL Layer at receivers end removes the SSL Header, decrypts the
encrypted data and gives plain-text data back to the application
layer.
Only Application Data is encrypted by SSL.

Question
Can SSL be positioned below data-link Layer?
It would lead to problems.
If SSL encrypted all the lower layer headers, even the IP
and physical addresses of the computers would be
encrypted , and become unreadable.

Services Provided By SSL

Services Provided By SSL

1. Fragmentation
SSL divides the data into blocks of 2
1. Compression
Lossless Compression method
Optional
1. Entity Authentication
Authenticate both client and server
1. Message Integrity
Preserves integrity using keyed-hash functions to create MAC

Services

5. Confidentiality
Original data and MAC are encrypted using symmetric-key cryptography
6. Framing
Header is added to encrypted payload
Payload passed to transport layer

Key Exchange Algorithms

Key Exchange Algorithms

These are the methods required for exchanging keys between
client and server
Why these methods are required?
For exchanging authenticated and confidential message, 6
cryptographic secrets are required
To create these secrets, one pre-master secret must be established
To establish pre-master secret these are required

Key Exchange Algorithms

1. Null
No key exchange
2. RSA
Pre-master secret is 48 byte random number
Created by client
Encrypted with servers public key
Server needs to send its RSA encryption/decryption certificate

3. Anonymous Diffie Hellman

Simplest and most unsecure method
Using Diffie Hellman protocol
Half keys are sent in plaintext
It is called Anonymous because neither party is known to the
other
Man in the middle attack

4. Ephemeral Diffie-Hellman
Each party sends Diffie-Hellman key signed by its private key.
Receiver verify the signature using public key of the sender.
Public keys for the verification are exchanged using either RSA or DSS digital
signature certificates

5. Fixed Diffie-Hellman
No key exchange messages are passed in this method, only certificates are
exchanged.
Each entity create half key and insert it into a certificate verified by CA.
Two parties do not directly exchange the half keys, CA sends the half keys in an
RSA or DSS special certificates

Encryption/Decryption Algorithms

Encryption/Decryption Algorithms

Hash Algorithms

Hash Algorithms

Cipher Suite

Cipher Suite
The combination of key exchange, hash and encryption algorithms defines a
cipher suite for each SSL session.
Format:
Cipher Suite:
SSL_Key Exchange Method_WITH_ Encryption/Decryption Algo_Hash Algo

Compression Algorithms

Compression Algorithms

Compression is optional
No specific compression algorithm is defined for SSLv3
Default compression method is NULL
System can use whatever compression algorithm it desires

Cryptographic Parameter Generation

Steps:
1.Exchange two random numbers
2.Exchange Pre-master Secret
3.Create 48-Byte Master Secret
4.Master Secret is used to create variable length Key material.
5.Extract 6 different keys

3rd step

4th step

5th Step

Four Protocols

Four SSL Protocols

The Record Protocol is the carrier.

It carries messages from three other protocols as well as the data coming
from the application layer.

Handshake Protocol

The Handshake Protocol uses messages

To negotiate the cipher suite
To authenticate the server to the client
To authenticate the client to the Server
To exchange information for building the cryptographic secrets.
Handshake Protocol consists of 4 phases

Phase 1: Establishing Security Capability

The client and server announce their security capabilities and choose
those that are convenient for both.

Phase 2: Server Key Exchange and Authentication

The Server authenticates itself if needed.

Phase 3: Client Key Exchange and Authentication

This phase is used to authenticate client.

Phase 4: Finalizing and Finishing

The client and server send messages to change cipher specification and to
finish the handshaking protocol.

ChangeCipherSpec Protocol

 Handshake Protocol:
1. Negotiation of cipher Suite
2. Generation of Cryptographic Secrets
For using these parameters, special message (ChangeCipherSpec
message) should be exchanged between them.
Active and pending states
Each State has:
1. Read (Inbound) - Receiving
2. Write (Outbound) -Writing

Alert Protocol

 SSL uses the Alert Protocol for reporting errors and abnormal
conditions.

Record Protocol

 Carries messages from upper layer

Message is fragmented and optionally compressed
MAC is added to compressed message using negotiated hash
algorithm
Encryption is done.
SSL header is added

Thanks