Presentation on Secure Socket Layer

7/26/2019 Presentation on Secure Socket Layer

1/47

Secure Socket Layer (S


2/47

INTRODUCTION


3/47

Position of SSL in TCP/IP Protocol Suite


4/47

Position of SSL(Continue)

Alication Layer Data is asse! to SSL Layer

SSL Layer Perfor"s encrytion on t#e !ata recei$e! fro

layer% an! also a!!s its o&n encrytion infor"ation #

SSL 'ea!er

SSL Layer at recei$ers en! re"o$es t#e SSL 'ea!er%

encryte! !ata an! i$es lain*te+t !ata ,ack to t#e

layer-

Only Alication Data is encryte! ,y SSL-


5/47

.uestion

Can SSL be positioned below data-link Layer?

It would lead to problems.

If SSL encrypted all the lower layer headers, evand physical addresses of the computers would

encrypted , and become unreadable.


6/47

Ser$ices Pro$i!e! y SSL


7/47

Ser$ices Pro$i!e! y SSL

1. Fragmentation

SSL divides the data into blocks of !

1. Compression Lossless Compression method "ptional

#. $ntity %uthentication %uthenticate both client and server

#. &essa'e Inte'rity reserves inte'rity usin' keyed-hash functions to create &%C


8/47

Ser$ices

(. Confidentiality"ri'inal data and &%C are encrypted usin' symmetric-key crypto'raph

). *ramin'+eader is added to encrypted payloadayload passed to transport layer


9/47

0ey 1+c#ane Alorit#"s


10/47


T#ese are t#e "et#o!s re2uire! for e+c#anin keys ,e

client an! ser$er

Why these methods are required?

3or e+c#anin aut#enticate! an! con4!ential "essaecrytora#ic secrets are re2uire!

To create t#ese secrets% one re*"aster secret "ust ,e To esta,lis# re*"aster secret t#ese are re2uire!


11/47


1. Null o key echan'e

2. RSA re-master secret is / byte random number Created by client $ncrypted with server0s public key Server needs to send its 1S% encryption2decryption certificate


12/47

3. Anonymous Diffie Hellman

Simplest and most unsecure method4sin' 5iffie +ellman protocol+alf keys are sent in plaintetIt is called %nonymous because neither party is known to the

other&an in the middle attack


13/47

4. Ephemeral Diffie-Hellman$ach party sends 5iffie-+ellman key si'ned by its private key.

1eceiver verify the si'nature usin' public key of the sender.ublic keys for the verification are echan'ed usin' either 1S% or 5

si'nature certificates


14/47

. Fi!e" Diffie-Hellman

o key echan'e messa'es are passed in this method, only certificate

echan'ed.$ach entity create half key and insert it into a certificate verified by C%6wo parties do not directly echan'e the half keys, C% sends the half k

1S% or 5SS special certificates


15/47

1ncrytion/Decrytion Alorit#"s


16/47

1ncrytion/Decrytion Alorit#"s


17/47

'as# Alorit#"s

# l i #


18/47

'as# Alorit#"s


19/47

Ci#er Suite

Ci # S it


20/47

Ci#er Suite

6he combination of key echan'e, hash and encryption al'orithms def

cipher suite for each SSL session.

*ormat7

Cipher Suite7

SSL89ey $chan'e &ethod8:I6+8 $ncryption25ecryption %l'o8+as


21/47


22/47

Co"ression Alorit#"s



23/47


Compression is optional

o specific compression al'orithm is defined for SSLv3 5efault compression method is 4LL System can use whatever compression al'orithm it desires


24/47

Crytora#ic Para"eter 6eneratio


25/47

Steps7

#.$chan'e two random numbers

!.$chan'e re-master Secret3.Create /-;yte &aster Secret

.&aster Secret is used to create variable len'th 9ey material.

(.$tract ) different keys

7r! ste


26/47

7r! ste

8t# ste


27/47

8t# ste

9t# Ste


28/47

9t# Ste


29/47

3our Protocols

3our SSL Protocols


30/47

3our SSL Protocols

6he 1ecord rotocol is the carrier. It carries messa'es from three other protocols as well as the

from the application layer.


31/47

'an!s#ake Protocol


32/47

T#e 'an!s#ake Protocol uses "essaesTo neotiate t#e ci#er suite

To aut#enticate t#e ser$er to t#e client

To aut#enticate t#e client to t#e Ser$er

To e+c#ane infor"ation for ,uil!in t#e crytora#ic secre

'an!s#ake Protocol consists of 8 #ases

P#ase :; 1sta,lis#in Security Caa,ility


33/47

P#ase :; 1sta,lis#in Security Caa,ility

T#e client an! ser$er announce t#eir security caa,ilitiet#ose t#at are con$enient for ,ot#.

P#ase


34/47

y

T#e Ser$er aut#enticates itself if nee!e!-


35/47

P#ase 7; Client 0ey 1+c#ane an! Aut#entication


36/47

y

T#is #ase is use! to aut#enticate client-


37/47

P#ase 8; 3inali=in an! 3inis#in


38/47

6he client and server send messa'es to chan'e cipher specificat

finish the handshakin' protocol.


39/47

C#aneCi#erSec Protoc


40/47

'an!s#ake Protocol;:- Neotiation of ci#er Suite

ritin


41/47


42/47

Alert Protocol


43/47

SSL uses t#e Alert Protocol for reortin errors an! a,nor

con!itions-


44/47

Recor! Protocol


45/47

Carries "essaes fro" uer layer

?essae is fra"ente! an! otionally co"resse!

?AC is a!!e! to co"resse! "essae usin neotiate! alorit#"

1ncrytion is !one-

SSL #ea!er is a!!e!


46/47


47/47

T#anks

Presentation on Secure Socket Layer

Documents