Cryptography Protocol SSL / TLS Protocol

Upload: devang-badrakiya

Post on 14-Apr-2017


Page 1: SSL TLS Protocol

Cryptography Protocol

SSL / TLS Protocol

Page 2: SSL TLS Protocol

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols that provide secure communication over a network.

Versions: SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2

History

Page 3: SSL TLS Protocol

The Web is now widely used by business, government and individuals for many applications such as web browsing, email, instant messaging and VoIP, but the Internet and the Web are vulnerable.

SSL / TLS provides the following key features to secure end-to-end communication:

Integrity, confidentiality, denial of service, authentication

These are the added security mechanisms.

Why SSL / TLS Required ?

Page 4: SSL TLS Protocol

The client and server exchange parameters in the Client Hello and Server Hello messages.

Handshake phases: Hello messages; Certificate and Key Exchange messages; Change CipherSpec and Finished messages

SSL / TLS Handshake

Page 5: SSL TLS Protocol

SSL / TLS Handshake

Page 6: SSL TLS Protocol

The Client Hello and Server Hello messages exchange the following parameters: Version Number, Cipher Suite, Session ID, Compression Method, Random Number

Note : The server selects a cipher suite or, if no acceptable choices are presented, returns a handshake failure alert and closes the connection.

Client Hello / Server Hello

Page 7: SSL TLS Protocol
Page 8: SSL TLS Protocol
Page 9: SSL TLS Protocol
Page 10: SSL TLS Protocol

The server sends its X.509 v3 certificate and the key exchange message to the client, followed by a Server Hello Done message.

The client then verifies that certificate against the Intermediate Certificate Authority and the Root Certificate Authority.

The client checks the certificate fields to authenticate the certificate.

Server Certificate/Key Exchange and Server Hello Done

Page 11: SSL TLS Protocol

Checks: Certificate Validity Period; DN verified against the listed CA / Root CA; Validate the Digital Signature of the Certificate

There are 3 levels of certificate validation: Domain Validation (DV), Organization Validation (OV), Extended Validation (EV)

Server Certificate Authentication

Page 12: SSL TLS Protocol

CRL: A CRL (Certificate Revocation List) contains a list of certificate serial numbers that have been revoked by the CA. The client checks the serial number of the certificate against the serial numbers in the list obtained from the CDC (CRL Distribution Centre).

OCSP: OCSP (Online Certificate Status Protocol) provides the status (Good/Bad/Unknown) of a single certificate rather than downloading the whole list of revoked certificates.

Certificate Revocation Methods

Page 13: SSL TLS Protocol
Page 14: SSL TLS Protocol

This is the first message that the client sends after receiving a Server Hello Done message.

This message is only sent if the server requests a certificate.

If no suitable certificate is available, the client sends a no_certificate alert instead.

This alert is only a warning; however, the server might respond with a fatal handshake failure alert if client authentication is required.

Client Exchange

Page 15: SSL TLS Protocol

After validating the certificate successfully, the client generates a pre-master key with the help of a random number, encrypts it with the public key from the server certificate and sends it to the server.

The server decrypts the message with its own private key and recovers the pre-master key.

With the help of the pre-master key, the client and server each generate the master key (48 bytes) and derive the session keys from the master key.

Change CipherSpec Exchange

Page 16: SSL TLS Protocol
Page 17: SSL TLS Protocol
Page 18: SSL TLS Protocol

A Finished message is always sent immediately after a Change Cipher Spec message in order to verify that the key exchange and authentication processes were successful.

The Finished message is the first protected packet with the most recently negotiated algorithms, keys, and secrets. No acknowledgment of the Finished message is required.

After receiving the Finished message from the server, the client starts sending data encrypted with the session key to the server.

Finished Message

Page 19: SSL TLS Protocol

Devang Badrakiya
http://devang.be

Thank You