SSL TLS Protocol

Post on 14-Apr-2017


Transcript of SSL TLS Protocol

Cryptography Protocol

SSL / TLS Protocol

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that provide secure communication over untrusted networks.

Versions: SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2

History

The Web is now widely used by business, government and individuals for many applications such as web browsing, email, instant messaging and VoIP, but the Internet and the Web are vulnerable: traffic can be read, modified and spoofed in transit.

SSL / TLS provides the following key features to secure end-to-end communication:

integrity, confidentiality and authentication (TLS does not protect against denial of service: an on-path attacker can still drop or reset the connection)

These are the security mechanisms that SSL / TLS adds on top of plain TCP.

Why is SSL / TLS Required?

Client and server exchange their parameters with the Client Hello and Server Hello messages.

The handshake has three phases: Hello messages; Certificate and Key Exchange messages; Change Cipher Spec and Finished messages.

SSL / TLS Handshake


Client Hello & Server Hello Messages: parameter exchange of Version Number, Cipher Suites (the client offers a list, the server answers with exactly one), Session ID, Compression Method and a 32-byte Random Number from each side.

Note : The server selects a cipher suite or, if no acceptable choices are presented, returns a handshake failure alert and closes the connection.

Client Hello / Server Hello
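The Hello exchange above, as an added example that is not part of the original slides: the client side serialises a TLS 1.2 ClientHello (version, random, session ID, cipher suites, compression), the server side parses it with length checks and then selects a cipher suite in its own preference order, raising the equivalent of a handshake_failure alert when there is no overlap. The cipher suite code points are the real IANA values; the offered lists and the server's preference order are constructed assumptions for the demonstration.

```python
"""Added example: ClientHello construction (client) and parsing plus cipher suite
selection (server) for TLS 1.2. Not code from the original slides."""
import os
import struct

# IANA cipher suite code points (real values); the selection of suites is an assumption
CIPHER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
}
SUITE_NAMES = {v: k for k, v in CIPHER_SUITES.items()}

TLS_1_2 = (3, 3)          # version bytes for TLS 1.2
HANDSHAKE = 0x16          # record content type
CLIENT_HELLO = 0x01       # handshake message type
COMPRESSION_NULL = 0x00


def build_client_hello(cipher_suites, session_id=b"", client_random=None):
    """Client side: serialise the ClientHello parameters inside a handshake
    header and a TLS record header."""
    client_random = client_random or os.urandom(32)
    body = bytes(TLS_1_2) + client_random
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([1, COMPRESSION_NULL])   # compression_methods: only null
    body += struct.pack("!H", 0)            # empty extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(TLS_1_2) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Server side: walk the record header, handshake header and ClientHello
    fields, checking every length so a truncated or malformed message raises
    instead of being silently misread."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    client_random = body[2:34]
    sid_len = body[34]
    pos = 35
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites length")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    if pos >= len(body):
        raise ValueError("missing compression_methods")
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    if len(compression) != comp_len:
        raise ValueError("truncated compression_methods")
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}


class HandshakeFailure(Exception):
    """Stands in for the fatal handshake_failure alert (AlertDescription 40)."""


def select_cipher_suite(client_suites, server_preference):
    """The server picks the first suite in its own preference order that the
    client also offered; with no overlap it must send handshake_failure and close."""
    for suite in server_preference:
        if suite in client_suites:
            return suite
    raise HandshakeFailure("no mutually acceptable cipher suite")


if __name__ == "__main__":
    offer = [CIPHER_SUITES["TLS_RSA_WITH_RC4_128_SHA"],
             CIPHER_SUITES["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]]
    hello = parse_client_hello(build_client_hello(offer, session_id=b"\x01\x02"))
    chosen = select_cipher_suite(hello["cipher_suites"], [0xC030, 0xC02F, 0x002F])
    print("server selected", SUITE_NAMES[chosen])
```

Selecting in server preference order, as the example does, is what lets a server refuse a weak suite the client happens to list first; a client-preference server would have picked RC4 from the offer above.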

The server sends its X.509 v3 certificate (plus a Server Key Exchange message for cipher suites whose key exchange needs more than the certificate's public key), followed by a Server Hello Done message.

The client now verifies the certificate chain: the server certificate is checked against the issuing intermediate CA, and the intermediate against a root CA present in the client's trust store.

The client checks the certificate fields to authenticate the certificate.

Server Certificate/Key Exchange and Server Hello Done

Checks: the certificate validity period; the subject DN / Subject Alternative Name matches the host the client intended to contact; the issuer chains to a listed CA / root CA; the digital signature of the certificate validates against the issuer's public key.

There are 3 levels of certificate validation: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV).

Server Certificate Authentication

CRL: a Certificate Revocation List contains the serial numbers of certificates that have been revoked by the CA. The client fetches the list from the CRL Distribution Point (CDP) named in the certificate and checks the certificate's serial number against it.

OCSP: the Online Certificate Status Protocol returns the status of a single certificate (good / revoked / unknown) instead of downloading the whole list of revoked certificates. Note that a client which treats an unreachable OCSP responder as "good" (soft-fail) gains little, since an attacker who can intercept the TLS connection can usually block the OCSP query as well.

Certificate Revocation Methods

This is the first message that the client sends after it receives the Server Hello Done message.

This message is only sent if the server requested a certificate with a Certificate Request message.

If no suitable certificate is available, the client sends a no_certificate alert instead (SSL 3.0 behaviour; in TLS 1.0 and later the client sends a Certificate message with an empty certificate list).

This alert is only a warning; however, the server may respond with a fatal handshake failure alert if client authentication is required.

Client Certificate

After validating the server certificate successfully, the client generates a pre-master secret (for RSA key exchange: 2 version bytes plus 46 random bytes, 48 bytes in total), encrypts it with the public key from the server certificate and sends it to the server in the Client Key Exchange message.

The server decrypts the message with its own private key and recovers the pre-master secret.

From the pre-master secret and the two Hello randoms, client and server each derive the same 48-byte master secret, and from the master secret the session keys (per-direction MAC keys, encryption keys and IVs).

Each side then sends a Change Cipher Spec message to signal that every record it sends from now on is protected with the newly negotiated cipher suite and session keys.

Client Key Exchange and Change Cipher Spec

A Finished message is always sent immediately after a Change Cipher Spec message in order to verify that the key exchange and authentication processes were successful.

The Finished message is the first record protected with the most recently negotiated algorithms, keys and secrets. Its verify_data is computed over a hash of all handshake messages exchanged so far, so any tampering with the earlier plaintext messages (for example removing strong cipher suites from the Client Hello) is detected here. No acknowledgment of the Finished message is required.

After receiving and verifying the server's Finished message, the client starts sending application data encrypted with the session keys.

Finished Message
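The key derivation and Finished computation described in the two slides above, as an added example (not from the original slides) implementing the TLS 1.2 key schedule from RFC 5246 with only the standard library: pre-master secret to 48-byte master secret, master secret to the session key block, and the 12-byte verify_data of the Finished message. The Hello randoms, the pre-master secret and the handshake transcript bytes are constructed inputs, and the RSA encryption of the pre-master secret under the server's public key is not performed here.

```python
"""Added example: TLS 1.2 PRF, master secret, key block and Finished verify_data
(RFC 5246 sections 5, 8.1, 6.3 and 7.4.9). Not code from the original slides."""
import hashlib
import hmac
import os


def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 s.5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def rsa_pre_master_secret(client_version=(3, 3)):
    """RSA key exchange: 2 version bytes + 46 random bytes = 48 bytes. This is
    what the client encrypts under the server certificate's public key."""
    return bytes(client_version) + os.urandom(46)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; seed order is client_random + server_random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into per-direction session keys. The seed order
    here is server_random + client_random, the reverse of the master secret
    derivation, as the RFC specifies. Lengths depend on the cipher suite
    (AES_128_GCM: mac 0, key 16, fixed IV 4; AES_128_CBC_SHA: mac 20, key 16, IV 16)."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, total)
    parts, pos = {}, 0
    for name, n in (("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
                    ("client_write_key", key_len), ("server_write_key", key_len),
                    ("client_write_IV", iv_len), ("server_write_IV", iv_len)):
        parts[name] = kb[pos:pos + n]
        pos += n
    return parts


def finished_verify_data(master, handshake_messages, side):
    """verify_data = PRF(master, "<side> finished", SHA256(handshake messages))[:12].
    Binding the whole transcript in is what makes tampering with the Hello
    messages (e.g. stripping strong cipher suites) show up as a mismatch."""
    label = b"client finished" if side == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)


if __name__ == "__main__":
    # Constructed inputs for the demonstration
    client_random, server_random = os.urandom(32), os.urandom(32)
    pms = rsa_pre_master_secret()
    ms = master_secret(pms, client_random, server_random)
    keys = key_block(ms, client_random, server_random, mac_len=0, key_len=16, iv_len=4)
    transcript = b"<ClientHello><ServerHello><Certificate><ServerHelloDone><ClientKeyExchange>"
    print("master secret:", ms.hex())
    print("client_write_key:", keys["client_write_key"].hex())
    print("client Finished verify_data:", finished_verify_data(ms, transcript, "client").hex())
```

The server computes the client's verify_data independently over the same transcript and compares it with what arrived in the Finished message; the server's own Finished uses the "server finished" label and a transcript that also includes the client's Finished, so the two values never coincide.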

Devang Badrakiya, http://devang.be

Thank You