SSL PROTOCOL

1.Introduction
The Secure Sockets Layer (SSL) is the most widely deployed security protocol used
today. It is essentially a protocol that provides a secure channel between two
machines operating over the Internet or an internal network. In today’s Internet
focused world, the SSL protocol is typically used when a web browser needs to
securely connect to a web server over the inherently insecure Internet.
The original Secure Sockets Layer (SSL) implementation was developed in the early
1990s by the Netscape Communications Corporation to secure HTTP, which sends
its data as plain text over the Inter-net. The first official release was version 2.0,
which gained widespread acceptance despite some design problems with the
protocol. In the late 1990s it became apparent that SSL 2.0 was not secure. Netscape
began working on SSL 3.0. In conjunction with Netscape, the Internet Engineering
Task Force (IETF, the Internet standards governing body) began work on
standardizing SSL, a project that became known as TLS (Transport Layer Security).
SSL 3.0 was not developed as rigorously as TLS, so it became available sooner and
quickly overtook SSL 2.0 as the industry standard. TLS was finalized in 2000,
providing the first standardized protocol for SSL. Although SSL 3.0 is still in
widespread use, it is mostly obsolete for new development since almost all modern
browsers support TLS.

BMSIT & M 1
 SSL PROTOCOL
2. Relevance of the topic
One of the most important components of online business is creating a trusted
environment where potential customers feel confident in making purchases. SSL
certificates create a foundation of trust by establishing a secure connection. To
assure visitors their connection is secure, browsers provide special visual cues that
we call EV indicators -- anything from a green padlock to branded URL bar.

SSL certificates have a key pair: a public and a private key. These keys work
together to establish an encrypted connection. The certificate also contains what is
called the “subject,” which is the identity of the certificate/website owner.

To get a certificate, you must create a Certificate Signing Request on your server.
This process creates a private key and public key on your server. The CSR data file
that you send to the SSL Certificate issuer (called a Certificate Authority or CA)
contains the public key. The CA uses the CSR data file to create a data structure to
match your private key without compromising the key itself. The CA never sees the
private key.

Once you receive the SSL certificate, you install it on your server. You also
install an intermediate certificate that establishes the credibility of your SSL
Certificate by tying it to your CA’s root certificate. The installation instructions and
testing your certificate will be different depending on your server.

Thus it is very much important to know the Role of the SSL protocol in providing
secure connection over internet through its SSL Certificate.

BMSIT & M 2
 SSL PROTOCOL
3. LITERATURE SURVEY ON SSL PROTOCOL

Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0
Protocol" (PDF). The Second USENIX Workshop on Electronic Commerce
Proceedings. USENIX Press. pp. 29–40.
Eric Rescorla (2001). SSL and TLS: Designing and Building Secure Systems.
United States: Addison-Wesley Pub Co. ISBN 978-0-201-61598-2.
Stephen A. Thomas (2000). SSL and TLS essentials securing the Web. New
York: Wiley. ISBN 978-0-471-38354-3.
Bard, Gregory (2006). "A Challenging But Feasible Blockwise-Adaptive
Chosen-Plaintext Attack on SSL". International Association for Cryptologic
Research (136). Retrieved 2011-09-23.
Canvel, Brice. "Password Interception in a SSL/TLS Channel". Retrieved 2007-
04-20.
IETF Multiple Authors. "RFC of change for TLS Renegotiation". Retrieved
2009-12-11.
Creating VPNs with IPsec and SSL/TLS Linux Journal article by Rami Rosen
Polk, Tim; McKay, Kerry; Chokhani, Santosh (April 2014). "Guidelines for the
Selection, Configuration, and Use of Transport Layer Security (TLS)
Implementations" (PDF). National Institute of Standards and Technology. Archived
from the original (PDF) on 2014-05-08. Retrieved 2014-05-07.
Abdou, Abdel Rahman; van Oorschot, Paul (August 2017). "Server Location
Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication".
Transactions on Privacy and Security. ACM.

BMSIT & M 3
 SSL PROTOCOL
4. Details of the topic
What is SSL Protocol?

Secure Sockets Layer (SSL) is a standard security technology for establishing an

encrypted link between a server and a client—typically a web server (website) and
a browser, or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security
numbers, and login credentials to be transmitted securely. Normally, data sent
between browsers and web servers is sent in plain text—leaving you vulnerable to
eavesdropping. If an attacker is able to intercept all data being sent between a
browser and a web server, they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms

should be used. In this case, the SSL protocol determines variables of the encryption
for both the link and the data being transmitted.

SSL objectives and architecture

The Goal of SSL Protocol is to provide Confidentiality, Integrity and
Authentication.

Authenticating the client and server to each other: the SSL protocol supports the
use of standard key cryptographic techniques (public key encryption) to authenticate
the communicating parties to each other. Though the most frequent application
consists in authenticating the service client on the basis of a certificate, SSL may
also use the same methods to authenticate the client.

Ensuring data integrity: during a session, data cannot be either intentionally or

unintentionally tampered with.

Securing data privacy: data in transport between the client and the server must
be protected from interception and be readable only by the intended recipient. This
prerequisite is necessary for both the data associated with the protocol itself
(securing traffic during negotiations) and the application data that is sent during the
session itself.

BMSIT & M 4
 SSL PROTOCOL
ARCHITECTURE

FIG: SSL PROTOCOL ARCHITECTURE

SSL is in fact not a single protocol but rather a set of protocols that can
additionally be further divided in two layers:

1. The protocol to ensure data security and integrity: this layer is composed of the
SSL Record Protocol.

2. The protocols that are designed to establish an SSL connection: three protocols are
used in this layer: the SSL Handshake Protocol, the SSL Change Cipher SpecP
protocol and the SSL Alert Protocol.

BMSIT & M 5
 SSL PROTOCOL
SSL HANDSHAKE PROTOCOL

Every SSL/TLS connection begins with a “handshake” – the negotiation

between two parties that nails down the details of how they’ll proceed. The
handshake determines what cipher suite will be used to encrypt their
communications, verifies the server, and establishes that a secure connection is in
place before beginning the actual transfer of data. This all happens in the
background, thankfully – every time you direct your browser to a secure site a
complex interaction takes place to make sure that your data is safe.

Imagine this SSL Handshake Process as a dialog between the two.

Let’s see how it goes.

Client: “Hello there. I want to establish secure communication between the two of
us. Here are my cipher suits and compatible SSL/TLS version.”

Server: “Hello Client. I have checked your cipher suits and SSL/TLS version. I
think we’re good to go ahead. Here are my certificate file and my public key. Check
‘em out.”

Client: “Let me verify your certificate. (After a while) Okay, it seems fine, but I
need to verify your private key. What I’ll do is, I will generate and encrypt a pre-
master (shared secret key) key using your public key. Decrypt it using your private
key and we’ll use thing master key to encrypt and decrypt the information”

Server: “Done.”

[Now that both the parties know who they’re talking to, the information transferred
between them will be secured using the master-key. Keep in mind that once the
verification part is over, the encryption takes place through the master-key only. This
is symmetric encryption.]

Client: “I’m sending you this sample message to verify that our master-key works.
Send me the decrypted version of this message. If it works, our data is in safe hands.”

Server: “Yeah, it works. I think we’ve accomplished what we were looking for.”

BMSIT & M 6
 SSL PROTOCOL

BMSIT & M 7
 SSL PROTOCOL
SSL RECORD PROTOCOL

Fig SSL Record Protocol

The SSL record protocol involves using SSL in a secure manner and with message
integrity ensured. To this end it is used by upper layer SSL protocols. The purpose
of the SSL record protocol is to take an application message to be transmitted,
fragment the data which needs to be sent, encapsulate it with appropriate headers
and create an object just called a record, which is encrypted and can be forwarded
for sending under the TCP protocol. The first step in the preparation of
transmission of the application data consists in its fragmentation i.e. breaking up
the data stream to be transmitted into 16Kb (or smaller) data fragments followed
by the process of their conversion in a record. These data fragments may be further
compressed, although the SSL 3.0 protocol specification includes no compression
protocol, thus at present, no data compression is used.
The record header that is added to each data portion contains two elementary
pieces of information, namely the length of the record and the length of the data
block added to the original data.

In the next step, the record data constructed consists of the following elements:
primary data,
some padding to complete the datagram as required, MAC value.

BMSIT & M 8
 SSL PROTOCOL
MAC is responsible for the verification of integrity of the message included in
the transmitted record. It is the result of a hash function that follows a specific hash
algorithm, for example MD5 or SHA-1. MAC is determined as a result of a hash
function that receives the following data:

MAC = Hash function [secret key, primary data, padding, sequence number].

A secret key in creation of MAC is either a client write MAC secret or a server
write MAC secret respectively, it depends on which party prepares the packet. After
receiving the packet, the receiving party computes its own value of the MAC and
compares it with that received. If the two values match, this means that data has not
been modified during the transmission over the network. The length of the MAC
obtained in this way depends on the method uses for its computing.

Next, the data plus the MAC are encrypted using a preset symmetric encryption
algorithm, for example DES or triple DES. Both data and MAC are encrypted. This
prepared data is attached with the following header fields:

 Content type: identifies what payload is delivered by the packet to determine

which higher protocols are to be used for processing of data included in the
packet. The possible values are change_cipher_spec, alert, handshake, and
application_data that refer to the appropriate protocols.
 Major version: establishes the main portion of the protocol version to be
used. For SSL 3.0, the value is 3,
 Minor version: establishes the additional portion of the used version of the
protocol. For SSL 3.0 the value is 0.

With the addition of fields, the process of record preparation is completed.

Afterwards, the record is sent to the targeted point.

BMSIT & M 9
 SSL PROTOCOL
The entire process of preparation of the packet to be sent can be illustrated as shown
below:

BMSIT & M 10
 SSL PROTOCOL
5. Advantages
 Encrypts Information: The major purpose of an SSL certificate is to encrypt
information so that it can only be read and understood by the intended parties.
 Provides authentication: You want to be sure that the information on your
website, including customer information, goes to the correct server without being
intercepted. When obtaining an SSL certificate, another type of protection called
a server certificate is also issued. This certificate acts as a mediator between
browsers and SSL servers to show that the SSL certificate provider can be trusted
 Guards against phishing: phishing emails often contain links that lead
unsuspecting customers to a convincing replica of an otherwise reputable site.
Often disguised as advertisements or shipping confirmations, these emails
attempt to gather credit card information for malicious use. However, the people
who build these fake sites will have a hard time obtaining an authentic SSL
certificate. When customers don’t see the signs of security on a site, they’re more
likely to navigate away without entering any information
 Improves customer trust: All of these elements work together to create trust
between a customer and a business. Providing your customers with security for
all of their information and giving them ways to verify that security improves
confidence and helps to ensure a positive buying experience.
 Offers added brand power: Companies that provide SSL certificates often
offer site seals and other images that indicate well-trusted encryption is in use.
Displaying these branded icons gives customers an added level of assurance that
their information is safe as it travels.

BMSIT & M 11
 SSL PROTOCOL

6. Disadvantages
Complex installation: SSL technology can be very difficult to install on a website
especially for someone who is new to website development.
Cost of Certificate: It is possible to get a free SSL certificate, but this isn’t
recommended for a lot of reasons. Depending on the type of cert you buy, the price
will vary quite a bit. However, when you consider the added level of security, the
cost isn’t really prohibitive for most websites.
Proxy Caching: Another possible problem is if you have a complex proxy caching
system setup on your web server. Encrypted content isn’t going to be able to be
cached. To get around this, you need to add a server to handle the encryption before
it gets to the caching server. This will require additional costs, but it’s a good way
to make sure you’re encrypting your visitors’ data when they’re accessing your
website.

BMSIT & M 12
 SSL PROTOCOL
7. Conclusion

HTTP is insecure and is subject to eavesdropping attacks because the data

being transferred from the web browser to the web server or between other
endpoints, is transmitted in plaintext. This means attackers can intercept and view
sensitive data, such as credit card details and account logins. When data is sent or
posted through a browser using HTTPS, SSL ensures that such information is
encrypted and secure from interception.
SSL secures millions of peoples’ data on the Internet every day, especially
during online transactions or when transmitting confidential information. Internet
users have come to associate their online security with the lock icon that comes
with an SSL-secured website or green address bar that comes with an Extended
Validation SSL-secured website

BMSIT & M 13
 SSL PROTOCOL
8. References:
1. https://www.digicert.com/ssl/
2. https://en.wikipedia.org/wiki/Transport_Layer_Security
3. https://www.ibm.com/support/knowledgecenter/en/SSGU8G_12.1.0/com.i
bm.sec.doc/ids_ssl_001.htm
4. http://techgenix.com/Secure_Socket_Layer/

BMSIT & M 14
 SSL PROTOCOL
9. Plagiarism Report

BMSIT & M 15
 SSL PROTOCOL

BMSIT & M 16