SSL/TLS Protocols

SSL (Secure Sockets Layer, developed by Netscape) and
TLS (Transport Layer Security, the IETF standard that replaced it)

The two are almost identical: TLS 1.0 is a minor revision of SSL 3.0 (the differences are small but the two do not interoperate).

Both are implemented in user space, as a library linked into the application, and run on top of TCP/IP. Nothing in the kernel or the network needs to know that the connection is protected.

 

The Basic Protocol:

 

{============================================
Alice                                                       Bob

  "I want to talk", ciphers I support, Ra       -------->
  <--------       certificate, cipher I choose, Rb

choose secret S, compute K = f(S, Ra, Rb):
  {S}Bob, {keyed hash of handshake msgs}        -------->
                                        compute K = f(S, Ra, Rb):
  <--------       {keyed hash of handshake msgs}

  <--------  data protected with keys derived from K  -------->
====================================================}


Keys:

·      Alice chooses a random number S, the pre-master secret, and sends it to Bob encrypted under Bob's public key (that is what {S}Bob means); only the holder of Bob's private key can recover it.

·      S is shuffled (hashed) together with Ra and Rb to produce the master secret K.

·      Ra and Rb are each 32 octets long.

    The first 4 octets are the UNIX time (seconds since Jan 1, 1970); the remaining 28 are random.

The intent is that the randoms never repeat, even if a poor random-number generator hands out the same 28 bytes twice. (TLS 1.3 dropped the timestamp, since it let observers fingerprint clients and clock skew.)

·      The master secret is shuffled with the two randoms to produce six (6) keys:

 Three (3) for each side: one for encryption, one for integrity (MAC), and one IV.
 The three keys a side uses for transmission are its write keys;
 the three it uses for reception are its read keys.
 Thus Alice's write keys are Bob's read keys and vice versa, and traffic in the two directions is never protected with the same key.

 

·      To ensure that the keyed hash Alice sends differs from the keyed hash Bob sends, Alice includes the string "CLNT" and Bob includes "SRVR" in the hash (these are the SSL 3.0 constants; TLS uses the labels "client finished" and "server finished" for the same purpose). Without this distinction an attacker could reflect one side's hash back to it.
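The key schedule and the two Finished hashes above, written out as an added example (not code from the notes). It follows the TLS 1.2 construction from RFC 5246 (P_SHA256-based PRF, "master secret" and "key expansion" labels) rather than SSL 3.0's, and it omits the RSA step: both sides are simply handed the same pre-master secret S. The handshake transcript is a constructed stand-in for the real ClientHello/ServerHello/ClientKeyExchange bytes.

```python
"""TLS 1.2-style key schedule (RFC 5246) modelled stand-alone.

Added example. The RSA encryption of S ({S}Bob) is omitted; both parties
are given S directly. Transcript bytes are constructed, not real messages.
"""
import hashlib
import hmac
import os
import struct
import time


def make_random() -> bytes:
    """32-octet Random: 4 bytes of UNIX time followed by 28 random bytes."""
    return struct.pack(">I", int(time.time())) + os.urandom(28)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(S: bytes, Ra: bytes, Rb: bytes) -> bytes:
    """K = f(S, Ra, Rb): the 48-byte master secret."""
    return prf(S, b"master secret", Ra + Rb, 48)


def key_block(K: bytes, Ra: bytes, Rb: bytes,
              mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Expand K into the six keys: client/server MAC key, write key, IV.
    Note the seed order here is server random first (RFC 5246 section 6.3)."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = prf(K, b"key expansion", Rb + Ra, total)
    names = ["client_mac", "server_mac", "client_key", "server_key",
             "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished(K: bytes, transcript: bytes, role: str) -> bytes:
    """Keyed hash over the handshake messages seen so far. The label differs
    per side (the TLS equivalent of SSL 3.0's CLNT / SRVR), so the two
    Finished values can never be mistaken for each other."""
    label = b"client finished" if role == "client" else b"server finished"
    return prf(K, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake(S: bytes, Ra: bytes, Rb: bytes):
    """Both sides derive K and the key block. Alice (client) writes with the
    client keys and reads with the server keys; Bob does the reverse.
    The server's Finished also covers the client's Finished message."""
    K = master_secret(S, Ra, Rb)
    keys = key_block(K, Ra, Rb)
    # Constructed transcript standing in for the real handshake messages.
    transcript = b"ClientHello" + Ra + b"ServerHello" + Rb + b"ClientKeyExchange"
    alice = {"write_key": keys["client_key"], "read_key": keys["server_key"],
             "finished": finished(K, transcript, "client")}
    bob = {"write_key": keys["server_key"], "read_key": keys["client_key"],
           "finished": finished(K, transcript + alice["finished"], "server")}
    return K, alice, bob


if __name__ == "__main__":
    K, alice, bob = run_handshake(os.urandom(48), make_random(), make_random())
    print("master secret:", K.hex())
    print("Alice write key == Bob read key:", alice["write_key"] == bob["read_key"])
    print("Finished values differ:", alice["finished"] != bob["finished"])
```

Because the key block is split by position, every implementation must agree on the MAC, key and IV sizes for the negotiated cipher suite; a mismatch there shows up as a silent decryption failure rather than a protocol error.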

 

·      Note that Alice has authenticated Bob (only the holder of Bob's private key can recover S, so only Bob can compute K and produce a correct keyed hash), but Bob has no idea whom he is talking to.

In SSL it is optional for the server to authenticate the client by certificate, and most clients do not have one.
Normally the server authenticates the client with a

<name, password>

sent over the already-established SSL connection, so the password travels encrypted and only to a server the client has already authenticated.

HTTP Over SSL - https




HTTP:

HTTP (HyperText Transfer Protocol) is the Web's basic application protocol; it runs over TCP. The basic unit of HTTP interaction is the request/response pair:

·         The client opens a TCP connection to the server and writes the request.

·         The server writes back the response and indicates the end of the response either with a length header (Content-Length) or by closing the connection.


HTTPS:

The client opens a TCP connection to the server (port 443 by default, instead of HTTP's 80),

negotiates an SSL connection on it, and

transmits the HTTP request and response over the established secure connection. The HTTP data itself is unchanged; only the layer underneath it differs.
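The request/response pair and its two end-of-response rules, with the optional SSL wrapping from the HTTPS paragraph, as an added example that is not part of the notes. The response bytes in the test are constructed; fetch() is the only part that needs a network and is not exercised offline. Python's ssl module is used for the TLS layer, with certificate verification and hostname checking left at their defaults.

```python
"""HTTP/1.x request and response over TCP, optionally wrapped in TLS.

Added example. parse_response() runs on raw bytes and works offline;
fetch() opens a real connection and is only for manual use.
"""
import socket
import ssl


def build_request(host: str, path: str = "/") -> bytes:
    """One GET request; Connection: close asks the server to end the
    response by closing, which keeps the framing simple."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n"
            "\r\n").encode("ascii")


def parse_response(raw: bytes, connection_closed: bool):
    """Split a response into (status, headers, body).

    The body's end is taken from Content-Length when the header is present;
    otherwise the body is everything received before the server closed the
    connection. Without either there is no way to know where the body ends,
    so that case is an error rather than a guess."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    version, status, *_ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        n = int(headers[b"content-length"])
        if len(rest) < n:
            raise ValueError(f"short body: need {n} bytes, have {len(rest)}")
        body = rest[:n]           # anything beyond n belongs to the next response
    elif connection_closed:
        body = rest
    else:
        raise ValueError("no Content-Length and connection still open")
    return int(status), headers, body


def open_connection(host: str, port: int, use_tls: bool):
    """Plain TCP for http; for https the same socket is wrapped in TLS
    before any HTTP bytes are written."""
    sock = socket.create_connection((host, port))
    if use_tls:
        ctx = ssl.create_default_context()          # verifies the server cert
        sock = ctx.wrap_socket(sock, server_hostname=host)  # SNI + name check
    return sock


def fetch(host: str, path: str = "/", use_tls: bool = True):
    """Do one request/response pair; needs a network, not run by the test."""
    port = 443 if use_tls else 80
    with open_connection(host, port, use_tls) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:           # server closed: end of response
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks), connection_closed=True)


if __name__ == "__main__":
    status, headers, body = fetch("example.com")
    print(status, headers.get(b"content-type"), len(body))
```

The same parser serves both cases because TLS does not change the HTTP framing at all: with https the bytes handed to parse_response are whatever the TLS layer decrypted, and the Content-Length versus close-delimited rule applies unchanged.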