SSL
SSL was originally developed by Netscape.
SSL uses TCP to provide a reliable, end-to-end secure connection.
SSL is not a single protocol, but two layers of protocols.
SSL Architecture
The SSL Record Protocol provides basic security services to higher layers.
HTTP provides transfer services for client/server interaction.
Three specific protocols (Change Cipher Spec, Handshake, and Alert) provide management of SSL exchanges.
SSL connection
SSL session
an association between client & server
created by the Handshake Protocol
defines a set of cryptographic parameters
may be shared by multiple SSL connections
Session state, defined by parameters:
Session identifier: arbitrary byte sequence chosen by server
Peer certificate: X.509v3 certificate of peer
Compression method: any algorithm
Cipher spec: data encryption algorithm
Master secret: 48-byte key shared by client and server
Is resumable: flag indicating whether new connection can be initiated
Connection state
Server and client random: byte sequence chosen by server and client
Server write MAC secret: secret key used in MAC operation on data sent by server
Client write MAC secret:
Server write key: encryption key for data encrypted by server
Client write key:
Sequence number:
integrity
using a MAC with shared secret key
similar to HMAC but with different padding
confidentiality
using symmetric encryption with a shared secret key defined by Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
message is compressed before encryption
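The record MAC described above ("similar to HMAC but with different padding"), as an added example that is not part of the original slides: it follows the SSLv3 construction in RFC 6101 and shows the sequence number from the connection state making a replayed record fail verification. The MAC secret, fragment and function names are constructed for illustration.

```python
# Added example: SSLv3 record MAC (RFC 6101, section 5.2.3.1) next to standard HMAC.
import hashlib
import hmac
import struct

# SSLv3 concatenates the secret with fixed pad bytes; HMAC XORs the key into
# a block-sized pad. Pad length depends on the hash: 48 for MD5, 40 for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}

def ssl3_mac(hash_name, mac_secret, seq_num, content_type, fragment):
    """MAC over sequence number, record type, length and compressed fragment."""
    pad1 = b"\x36" * PAD_LEN[hash_name]
    pad2 = b"\x5c" * PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()

def verify_record(hash_name, mac_secret, expected_seq, content_type, fragment, mac):
    """Receiver check: recompute with its own sequence counter, compare in constant time."""
    good = ssl3_mac(hash_name, mac_secret, expected_seq, content_type, fragment)
    return hmac.compare_digest(good, mac)

# Constructed sample values (not from the page).
SECRET = bytes(range(20))          # stand-in for a 20-byte server write MAC secret
APPLICATION_DATA = 23              # record content type for application data
FRAGMENT = b"GET / HTTP/1.0\r\n\r\n"

def demo():
    tag = ssl3_mac("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT)
    hdr = struct.pack("!QBH", 0, APPLICATION_DATA, len(FRAGMENT))
    return {
        "accepted": verify_record("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT, tag),
        "replayed": verify_record("sha1", SECRET, 1, APPLICATION_DATA, FRAGMENT, tag),
        "tampered": verify_record("sha1", SECRET, 0, APPLICATION_DATA,
                                  FRAGMENT[:-1] + b"X", tag),
        "equals_hmac": tag == hmac.new(SECRET, hdr + FRAGMENT, hashlib.sha1).digest(),
    }

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is MACed but never sent in the record, a receiver that keeps its own counter rejects replayed or reordered records without any extra field on the wire.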
One of 3 SSL-specific protocols which use the SSL Record Protocol
a single message
causes pending state to become current
hence updating the cipher suite in use
specific alert
warning or fatal
fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
authenticate each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used