Secure Socket Layer
• SSL (Secure Socket Layer) is the standard technology used for enabling secure
communication between a client and server to ensure data security & integrity.
• SSL has evolved with time and several versions have been introduced to deal with
any potential vulnerabilities.
• SSL V2, released in 1995, was the first public version of SSL. It was followed by SSL V3 in
1996, TLS V1.0 in 1999, TLS V1.1 in 2006 and TLS V1.2 in 2008.
• TLS has been evolving as time passes to keep up with more complex security
requirements, to fix cryptographic flaws, etc.
• For ensuring security of the data being transferred between a client and
server, SSL can be implemented either one-way or two-way.
• In one-way SSL, only the client validates the server to ensure that it
receives data from the intended server.
3. Server returns its public certificate to the client along with server hello
message.
The random byte string itself is encrypted with the server’s public key.
After agreeing on this secret key, client and server communicate further for
actual data transfer by encrypting/decrypting data using this key.
[Figure: one-way SSL handshake. Server Hello and Server Certificate; the random byte string (seed) is generated and encrypted with the server's public key; the Encrypted Seed is sent and decrypted using the server's private key; Finish.]
• In contrast to one-way SSL, in two-way SSL both client and server
authenticate each other to ensure that both parties involved in the
communication are trusted.
• Both parties share their public certificates with each other and then
verification/validation is performed based on that.
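The one-way and two-way setups described above, written as Python `ssl` contexts (an added example, not from the original slides). The file-path parameters are hypothetical, and the TLS 1.2 minimum version is an assumption of this example.

```python
import ssl

def server_context(two_way, cert=None, key=None, client_ca=None):
    """Server side. cert, key and client_ca are hypothetical PEM file paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL V3, TLS V1.0 and V1.1
    if cert:
        ctx.load_cert_chain(cert, key)             # certificate returned with Server Hello
    if two_way:
        # CERT_REQUIRED aborts the handshake when the client sends no valid
        # certificate; CERT_OPTIONAL would still let anonymous clients in.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca:
            ctx.load_verify_locations(cafile=client_ca)  # CAs trusted to issue client certs
    else:
        ctx.verify_mode = ssl.CERT_NONE            # one-way: the client is not authenticated
    return ctx

def client_context(two_way, server_ca=None, cert=None, key=None):
    """Client side. It validates the server in both modes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)
    else:
        ctx.load_default_certs()                   # system trusted root CA store
    if two_way and cert:
        ctx.load_cert_chain(cert, key)             # certificate the client presents
    return ctx

def peer_policy(ctx):
    """Summarise what a context demands from the other side."""
    return {"peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
            "hostname_checked": ctx.check_hostname,
            "min_version": ctx.minimum_version.name}

if __name__ == "__main__":
    for mode in (False, True):
        print("two-way" if mode else "one-way",
              peer_policy(server_context(mode)), peer_policy(client_context(mode)))
```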
• You get a digital certificate from a recognized Certificate Authority (CA), just like you
get a passport from a passport office.
• You fill out the appropriate forms, add your public keys (they are just numbers) and
send them to the certificate authority (this is a Certificate Signing Request).
• The certificate authority does some checks (which depend on the authority), and sends you
back the keys enclosed in a certificate.
• The certificate is signed by the issuing certificate authority, and this is what
guarantees the keys.
• Now when someone wants your public keys, you send them the certificate, they
verify the signature on the certificate, and if it verifies, then they can trust your
keys.
It connects your server certificate to your CA’s (in this case DigiCert’s) root certificate
through an intermediate certificate.
• The most important part of an SSL certificate is that it is digitally signed by a trusted CA, like DigiCert.
• Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list
of trusted CAs.
• Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store.
• In order to be added to the Trusted Root CA store and thus become a Certificate Authority, a company must
comply with and be audited against security and authentication standards established by the browsers.
The four sub-components of the SSL protocol handle various tasks for secure communication between the
client machine and the server.
Record Protocol
It fragments the data into manageable blocks (max length 16 KB). It optionally compresses the data.
It provides a header for each message and a hash (Message Authentication Code (MAC)) at the end.
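A simplified sketch of the record layer just described, added here as an illustration and not taken from the original slides: it fragments data into blocks of at most 16 KB, prepends a header and appends a MAC. HMAC-SHA256, the 64-bit sequence number in the MAC input and the omission of compression and encryption are assumptions of this example.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # 16 KB limit on the data carried by one record
APPLICATION_DATA = 23       # record content type
VERSION = (3, 3)            # TLS V1.2 as it appears on the wire
MAC_LEN = hashlib.sha256().digest_size

class BadRecordMac(Exception):
    """Receiver-side failure, the condition reported as 'bad record MAC'."""

def record_mac(key, seq, header, fragment):
    # The MAC covers an implicit sequence number, the header and the data,
    # so modified, reordered or replayed records fail verification.
    msg = struct.pack("!Q", seq) + header + fragment
    return hmac.new(key, msg, hashlib.sha256).digest()

def protect(data, mac_key, seq=0):
    """Split data into records laid out as header | fragment | MAC."""
    records = []
    for off in range(0, len(data), MAX_FRAGMENT):
        fragment = data[off:off + MAX_FRAGMENT]
        header = struct.pack("!BBBH", APPLICATION_DATA, *VERSION, len(fragment))
        records.append(header + fragment + record_mac(mac_key, seq, header, fragment))
        seq += 1
    return records

def unprotect(records, mac_key, seq=0):
    """Verify every record in order and reassemble the original data."""
    out = bytearray()
    for rec in records:
        header, body = rec[:5], rec[5:]
        _, _, _, length = struct.unpack("!BBBH", header)
        if length > MAX_FRAGMENT or len(body) != length + MAC_LEN:
            raise BadRecordMac("malformed record length")
        fragment, tag = body[:length], body[length:]
        expected = record_mac(mac_key, seq, header, fragment)
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise BadRecordMac(f"MAC check failed on record {seq}")
        out += fragment
        seq += 1
    return bytes(out)
```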
Handshake Protocol
Establishment of a session involves server authentication, key and algorithm negotiation, establishing keys and
client authentication (optional).
Multiple secure TCP connections between a client and a server can share the same session.
The Handshake protocol proceeds through four phases. These are discussed in the next section.
ChangeCipherSpec Protocol
This is the simplest part of the SSL protocol. It consists of a single message exchanged between the two communicating
entities, the client and the server.
As each entity sends the ChangeCipherSpec message, it changes its side of the connection into the secure
state as agreed upon.
The pending state of the cipher parameters is copied into the current state.
Exchange of this message indicates that all future data exchanges are encrypted and integrity protected.
Alert Protocol
This protocol is used to report errors, such as an unexpected message, a bad record MAC,
or failed negotiation of security parameters.
It is also used for other purposes, such as notifying closure of the TCP connection or
receipt of a bad or unknown certificate.
The HTTPS application protocol typically uses one of two popular transport layer security protocols - SSL or
TLS. The process of secure browsing is described in the following points.
• You request an HTTPS connection to a webpage by entering https:// followed by the URL in the browser
address bar.
• The web browser initiates a connection to the web server. Use of https invokes the use of the SSL protocol.
• An application, the browser in this case, uses the system port 443 instead of port 80 (used in the case of http).
• The SSL protocol goes through a handshake protocol for establishing a secure session as discussed in
earlier sections.
• The website initially sends its SSL Digital Certificate to your browser. On verification of the certificate, the
SSL handshake progresses to exchange the shared secrets for the session.
• When a trusted SSL Digital Certificate is used by the server, users get to see a padlock icon in the
browser address bar. When an Extended Validation Certificate is installed on a website, the address bar
turns green.
• Once established, this session consists of many secure connections between the web server and the
browser.