
Assignment No

Aim: To implement SSL

Theory

The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses
TCP/IP on behalf of the higher-level protocols and, in the process, allows an SSL-enabled server to
authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and
allows both machines to establish an encrypted connection.
These capabilities address fundamental concerns about communication over the Internet and other
TCP/IP networks:
• SSL server authentication allows a user to confirm a server's identity. SSL-enabled client
software can use standard techniques of public-key cryptography to check that a server's
certificate and public ID are valid and have been issued by a certificate authority (CA) listed
in the client's list of trusted CAs. This confirmation might be important if the user, for
example, is sending a credit card number over the network and wants to check the receiving
server's identity.
• SSL client authentication allows a server to confirm a user's identity. Using the same
techniques as those used for server authentication, SSL-enabled server software can check
that a client's certificate and public ID are valid and have been issued by a certificate
authority (CA) listed in the server's list of trusted CAs. This confirmation might be important
if the server, for example, is a bank sending confidential financial information to a customer
and wants to check the recipient's identity.
• An encrypted SSL connection requires all information sent between a client and a server to
be encrypted by the sending software and decrypted by the receiving software, thus
providing a high degree of confidentiality. Confidentiality is important for both parties to any
private transaction. In addition, all data sent over an encrypted SSL connection is protected
with a mechanism for detecting tampering, that is, for automatically determining whether
the data has been altered in transit.
The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake
protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake
protocol involves using the SSL record protocol to exchange a series of messages between an
SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange
of messages is designed to facilitate the following actions:
• Authenticate the server to the client.
• Allow the client and server to select the cryptographic algorithms, or ciphers, that they both
support.
• Optionally authenticate the client to the server.
• Use public-key encryption techniques to generate shared secrets.
• Establish an encrypted SSL connection.

Ciphers Used with SSL

The SSL protocol supports the use of a variety of different cryptographic algorithms, or ciphers, for
use in operations such as authenticating the server and client to each other, transmitting
certificates, and establishing session keys. Clients and servers may support different cipher suites, or
sets of ciphers, depending on factors such as the version of SSL they support, company policies
regarding acceptable encryption strength, and government restrictions on export of SSL-enabled
software. Among its other functions, the SSL handshake protocol determines how the server and
client negotiate which cipher suites they will use to authenticate each other, to transmit certificates,
and to establish session keys.
The cipher suite descriptions that follow refer to these algorithms:
• DES: Data Encryption Standard, an encryption algorithm used by the U.S. Government.
• DSA: Digital Signature Algorithm.
• KEA: Key Exchange Algorithm.
• MD5: Message Digest algorithm developed by Rivest.
• RC2 and RC4: Rivest encryption ciphers developed for RSA Data Security.
• RSA: A public-key algorithm for both encryption and authentication.
• RSA key exchange: A key-exchange algorithm for SSL based on the RSA algorithm.
• SHA-1: Secure Hash Algorithm, a hash function used by the U.S. Government.
• SKIPJACK: A classified symmetric-key algorithm.
• Triple-DES: DES applied three times.
The SSL Handshake
The SSL protocol uses a combination of public-key and symmetric-key encryption. Symmetric-key
encryption is much faster than public-key encryption, but public-key encryption provides better
authentication techniques. An SSL session always begins with an exchange of messages called the
SSL handshake. The handshake allows the server to authenticate itself to the client using public-key
techniques, then allows the client and the server to cooperate in the creation of symmetric keys
used for rapid encryption, decryption, and tamper detection during the session that follows.
Optionally, the handshake also allows the client to authenticate itself to the server.
1. The client sends the server the client's SSL version number, cipher settings, randomly
generated data, and other information the server needs to communicate with the client
using SSL.
2. The server sends the client the server's SSL version number, cipher settings, randomly
generated data, and other information the client needs to communicate with the server
over SSL. The server also sends its own certificate and, if the client is requesting a server
resource that requires client authentication, requests the client's certificate.
3. The client uses some of the information sent by the server to authenticate the server. If the
server cannot be authenticated, the user is warned of the problem and informed that an
encrypted and authenticated connection cannot be established. If the server can be
successfully authenticated, the client goes on to step 4.
4. Using all data generated in the handshake so far, the client (with the cooperation of the
server, depending on the cipher being used) creates the premaster secret for the session,
encrypts it with the server's public key (obtained from the server's certificate, sent in step 2),
and sends the encrypted premaster secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the
client also signs another piece of data that is unique to this handshake and known by both
the client and server. In this case the client sends both the signed data and the client's own
certificate to the server along with the encrypted premaster secret.
6. If the server has requested client authentication, the server attempts to authenticate the
client. If the client cannot be authenticated, the session is terminated. If the client can be
successfully authenticated, the server uses its private key to decrypt the premaster secret,
then performs a series of steps (which the client also performs, starting from the same
premaster secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session
and to verify its integrity, that is, to detect any changes in the data between the time it was
sent and the time it is received over the SSL connection.
8. The client sends a message to the server informing it that future messages from the client
will be encrypted with the session key. It then sends a separate (encrypted) message
indicating that the client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server
will be encrypted with the session key. It then sends a separate (encrypted) message
indicating that the server portion of the handshake is finished.
10. The SSL handshake is now complete, and the SSL session has begun. The client and the
server use the session keys to encrypt and decrypt the data they send to each other and to
validate its integrity.
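
Added example (not part of the original assignment): steps 4 to 7 of the handshake in Python, using the SSL 3.0 key derivation from RFC 6101, which combines the MD5 and SHA-1 algorithms listed above. The function names, the constructed random values and the 3DES/SHA-1 key sizes are assumptions chosen for illustration.

```python
import hashlib
import os

def ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """SSL 3.0 expansion (RFC 6101): concatenate
    MD5(secret + SHA1(label + secret + seed)) for labels 'A', 'BB', 'CCC', ..."""
    out = b""
    for i in range(26):
        if len(out) >= length:
            break
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:length]

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Step 6: both sides turn the premaster secret into the 48-byte master secret.
    return ssl3_expand(premaster, client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 20, key_len: int = 24, iv_len: int = 8) -> dict:
    # Step 7: expand the master secret into a key block (server random first here),
    # then slice it. Default sizes assume a 3DES-CBC + SHA-1 suite.
    sizes = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = ssl3_expand(master, server_random + client_random, sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys

def both_sides_agree() -> bool:
    # Constructed sample values: the randoms from steps 1-2 and a premaster secret
    # (client version 3.0 + 46 random bytes) as created in step 4.
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = b"\x03\x00" + os.urandom(46)
    # RSA transport of the premaster (steps 4 and 6) is omitted: assume the server
    # has decrypted the same bytes the client generated.
    client = session_keys(master_secret(premaster, client_random, server_random),
                          client_random, server_random)
    server = session_keys(master_secret(premaster, client_random, server_random),
                          client_random, server_random)
    return client == server

if __name__ == "__main__":
    print("client and server derived identical session keys:", both_sides_agree())
```

SSL 3.0 has since been deprecated (RFC 7568), and TLS replaces this MD5/SHA-1 construction with an HMAC-based PRF, so the code is for studying the handshake rather than for deployment.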
Conclusion: SSL was successfully understood and implemented.
