Secure Sockets Layer (SSL) Protocol by Steven Giovenco.


Transcript of Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Page 1: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Secure Sockets Layer (SSL) Protocol
by Steven Giovenco

Page 2: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Overview

- History
- SSL
- SSL Roles
- Protocol Stack
- The 4 Protocols
- The Record Layer
- Message Authentication Code
- Handshaking
- Handshaking
- ChangeCipherSpec Protocol
- More Handshaking
- Alert and Application Protocols
- Benefits and Drawbacks

Page 3: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

History

- Need for secure web communication
- Netscape
  - Worried especially about credit card transactions over the web
  - Also worried about ease of implementation since they wanted this to be industry-standard, not proprietary
- SSLv1 - 1994

Page 4: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

SSLv2

- SSLv2 also released in 1994
  - SSLv1 wasn’t widely implemented
- Rules for establishing secure connection
- Rules for public key encryption
- Optional certificate-based authentication for servers and even clients
- Flexible
  - No specifically required encryption, compression, or key generation algorithm

Page 5: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

SSL Roles

- Two roles
  - Client
    - Initiates communication, lists possibilities for choices
  - Server
    - Listens for client connections, chooses from possibilities sent from clients
- Both roles simply add Secure Sockets Layer to protocol stack

Page 6: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

SSL and the Protocol Stack

- SSL between Transmission Control Protocol (TCP) layer and Application layer
- Actually 2 layers
  - Record
  - Secure Application
- Can run under any protocol that relies on TCP, including HTTP, LDAP, POP3, FTP

Page 7: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

The Four Upper Layer Protocols

- Handshaking Protocol
  - Establish communication variables
- ChangeCipherSpec Protocol
  - Alert to a change in communication variables
- Alert Protocol
  - Messages important to SSL connections
- Application Encryption Protocol
  - Encrypt/Decrypt application data

Page 8: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Record Layer

- Frames and encrypts upper level data into one protocol for transport through TCP
- 5 byte frame
  - 1st byte protocol indicator
  - 2nd byte is major version of SSL
  - 3rd byte is minor version of SSL
  - Last two bytes indicate length of data inside frame, up to 2^14
- Message Authentication Code (MAC)

Page 9: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Message Authentication Code

- MAC secures connection in two ways
  - Ensure Client and Server are using same encryption and compression methods
  - Ensure messages sent were received without error or interference
- Both sides compute MACs to match them
  - No match = error or attack

Page 10: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Handshaking Messages

- ClientHello
- ServerHello
- *Certificate
- ServerKeyExchange
- *CertificateRequest
- ServerHelloDone
- *Certificate
- *CertificateVerify
- ClientKeyExchange
- ChangeCipherSpec
- Finished

*=optional

Page 11: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

The Process Begins

- Client Sends ClientHello
  - Highest SSL version supported
  - 32-byte random number
  - SessionID
  - List of supported encryption methods
  - List of supported compression methods

Page 12: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

The Server Responds

- Server Sends ServerHello
  - SSL version that will be used
  - 32-byte random number
  - SessionID
  - Encryption method that will be used
  - Compression method that will be used

Page 13: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Server Authentication

- To authenticate Server, Server sends Certificate
  - Server’s public key certificate
  - Issuing authority’s root certificate
- When Client receives Certificate, it decides whether or not to trust Server
  - This is the only step that might involve User if User never specified whether or not to trust issuing authority before

Page 14: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Still Shaking Hands

- Server Sends ServerKeyExchange
  - Any information necessary for public key encryption system
- If Server wishes Client to be authenticated, Server sends CertificateRequest message
  - The client would respond to this with a Certificate message encrypted with Server’s public key
- Server sends ServerHelloDone

Page 15: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Client Responds

- Client sends ClientKeyExchange
  - Information necessary for public key encryption system
  - Encrypted with Server’s public key
- Compute secret keys using Key Derivation Function such as Diffie-Hellman
- If Client is being authenticated, Client sends CertificateVerify
  - Digest of previous messages encrypted with Client’s private key

Page 16: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

ChangeCipherSpec Protocol

- Special protocol with only one message
- When Client processes encryption information, it sends ChangeCipherSpec message
  - Signals all following messages will be encrypted
- ChangeCipherSpec is always followed by Finished message

Page 17: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

The End of the Beginning

- Upon receipt of ChangeCipherSpec, Server sends its own ChangeCipherSpec and Finished messages
- After both Client and Server receive Finished messages, Handshaking phase is over
  - All following communication is encrypted
- Encryption and compression methods can be changed with new ChangeCipherSpec messages

Page 18: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Alert and Application Protocols

- Alert protocol always two byte message
  - First byte indicates severity of message
    - Warning or Fatal
    - A Fatal alert will terminate the connection
  - Second byte indicates preset error code
  - Secure connection end alert not always used
- Application Protocol is HTTP, POP3, SMTP, or whatever application is being used
  - Simply give a datagram to the Record Layer
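Added example, not part of the original slides: a parser for the 5-byte record frame from the Record Layer slide and the two-byte alert message described above, rejecting truncated or oversized frames. The numeric protocol indicators, severities and error codes are taken from the SSL 3.0 / TLS definitions (the slides do not list them), and the sample bytes are constructed.

```python
import struct

# Values below are from the SSL 3.0 / TLS record and alert definitions
# (an assumption of this example; the slides do not list them).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_CODES = {0: "close_notify", 10: "unexpected_message",
               20: "bad_record_mac", 40: "handshake_failure"}
MAX_LENGTH = 2 ** 14  # limit stated on the Record Layer slide


def parse_records(stream: bytes):
    """Split a byte stream into (protocol, (major, minor), payload) tuples."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown protocol indicator {ctype}")
        if length > MAX_LENGTH:
            raise ValueError(f"length {length} exceeds 2^14")
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((CONTENT_TYPES[ctype], (major, minor), payload))
        offset += 5 + length
    return records


def parse_alert(payload: bytes):
    """Decode an unencrypted alert: severity byte, then error-code byte."""
    if len(payload) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, code = payload
    if level not in ALERT_LEVELS:
        raise ValueError(f"unknown alert severity {level}")
    return ALERT_LEVELS[level], ALERT_CODES.get(code, f"code_{code}")


# Constructed sample: a handshake record carrying ServerHelloDone, then a
# fatal handshake_failure alert, both with version 3.0 and unencrypted.
SAMPLE = (bytes([22, 3, 0, 0, 4]) + b"\x0e\x00\x00\x00"
          + bytes([21, 3, 0, 0, 2]) + bytes([2, 40]))

if __name__ == "__main__":
    for protocol, version, payload in parse_records(SAMPLE):
        detail = parse_alert(payload) if protocol == "alert" else payload.hex()
        print(protocol, version, detail)
```

Alerts sent after ChangeCipherSpec are encrypted, so parse_alert only applies to alerts seen during the handshake.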

Page 19: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Benefits

- Ease of implementation
  - For network application developers
    - As easy as implementing unsecured Sockets
  - For network implementation developers
    - Simply add layer to established network protocol stack
  - For Users
    - Only need to authorize certificates

Page 20: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Drawbacks

- More bandwidth needed
- Slower
- Needs a dedicated port – 443 for HTTPS
- Assumes reliable transport for underlying transport protocol
  - No UDP
  - Implications for streaming media, VoIP

Page 21: Secure Sockets Layer (SSL) Protocol by Steven Giovenco.

Summary

- Need for secure communication
- Netscape issues SSL spec
- The 4 SSL protocols
- Message Authentication Code
- Handshaking
- Alert and Application messages
- Benefits and Drawbacks
