Secure Sockets Layer

The Secure Sockets Layer is an intermediate layer between the application and the transport protocol with the purpose to create secure and reliable communication.

SSL Handshake Protocol

The goal of the protocol is to create an agreement between a client and a server on a set of cryptographic protocols, algorithms and the parameters used for communication between them.

The protocol consists of a sequence of steps:

1. Client Hello - the client sends to the server the message:

ClientHello(CipherSuite[], CompressionMethod[], ClientRandom)

One CipherSuite defines three encryption protocols:

1. key-exchange protocol: RSA, Diffie-Hellman;
2. secret-key encryption algorithm: null, rc4, rc2, des, des40, fortezza;
3. cryptographic hash algorithm: null, md5, sha;
2. Server Hello - the server sends to the client the message:

ServerHello(CipherSuite, CompressionMethod, ServerRandom)

The server selects the cipher suite and the compression method and sends the information to the client. After this message, the encryption and compression protocols are selected. The rest of the protocols is used to agree on the secret keys.

3. Key Exchange - there are two cases:
• The server has a certificate - the server send the certificate to the client:

ServerCertificate(Certificate)

The client generates 48 bytes (time + random) that is the master secret of this session and based on it other keys are generated. The client sends the master-key to the server:

encrypt(ClientMasterSecret, ServerPublicKey)

• The server does not have a certificate:

The Server initiates a key-exchange protocol, for example the Diffie-Hellman protocol. After the exchange of three messages, the server and the client have the master secret. Based on the master secret both parties create the keys used in communication.

4. Finished - the client and the server send to each other the digest of all the messages sent so far and the master-secret:

Client to Server

hash(AllMessagesSentByClient+MasterSecret)

Server to Client

hash(AllMessagesSentByServer+MasterSecret)

SSL Application Data Protocol

1. Client send to server a request:

encrypt(ClientRequest + hash(ClientRequest+MasterKey), ClientWriteKey);

2. Server decrypts the request, prepares the response, encrypts it and sends it to the client:

encrypt(ServerResponse + hash(ServerResponse), ServerWriteKey);

Prev Up Next