Secure Socket Layer (SSL)

• The socket layer lies between the application layer and the transport layer in the Internet protocol stack. The SSL protocol is an internet protocol for secure exchange of information between a web browser and web server. This provides a secure pipe for communication. SSL is the protocol that is used for the vast majority of secure transactions over the internet.
• Suppose Alice wants to buy a book from KT280.com. Before she provides the credit card information she needs to be sure that she’s dealing with the original site, hence she needs to authenticate KT280.com. The authentication need not be mutual.
• After Alice is satisfied that she is dealing with a secure site she will provide the private information which needs to be protected in transit.
• Features of SSL:
  • Fragmentation- Divides the data into blocks of 214 bytes or less.
  • Compression: Lossless compression methods are used for compressing fragmented data.
  • Message Integrity- To preserve the integrity of data SSL uses a keyed-hash function to create a MAC.
  • Confidentiality: Original data and the MAC are encrypted using symmetric-key cryptography.
  • Protects against Man-in-the-middle attack.
  • Simple and well designed.

Working of SSL Protocol:

SSL has three sub protocols namely the handshake protocol, the record protocol and the alert protocol. These three sub protocols constitute the overall working of SSL.

1. The Handshake protocol:

• This is the first sub protocol used by the client and server to communicate using an SSL-enabled connection. This is similar to how Alice and Bob would shake hands with each other with a hello before they start conversing.
• The handshake protocol is made up of four phases which pass messages between the client and server. The phases are as follows

i. Establish Security Capabilities:

This initiates a logical connection and establishes capabilities associated with that connection. This consists of two messages that is the client hello and server hello. The client sends the client a hello message to the server and receives a server hello message from the server as a reply.

ii. Server authentication and key exchange:

The server initiates this phase and is the sole sender of all messages while the client is the sole recipient of all these messages. This phase contains the following four steps:

Certificate- Server sends its digital certificate to the client for authentication.

Server exchange key- If server does not send a certificate it sends its public key.

Certificate request- The server can request for the clients digital certificate

Server hello done- This message indicates to the client that its portion of hello message is complete.

iii. Client authentication and key exchange:

The client initiates this phase and is the sole sender of all the messages while the server is the sole recipient of all the messages. The three steps in this phase are:

Certificate- this is optional and used only if the server requested for clients digital certificate

Client key exchange- The client sends the symmetric key to the server

Certificate verify- This is needed only if the server demands client authentication.

iv. Finish:

The client initiates this phase of the SSL handshake which the server ends. The client sends change cipher specs and finished messages to the server. On receiving them the server sends change cipher specs and finish messages.

• The Record Protocol:

This protocol comes into picture after a successful handshake is completed between the client and server. This protocol provides confidentiality and integrity service to an SSL connection

• The Alert Protocol:
• When the client or server detects an error the detecting party sends an alert message to the other party. If the error is fatal the SSL connection is terminated destroying the shared information. If the errors are not fatal then they are resolved and then the process is continued.
• Before ending the communication the client and server must inform each other that their side of the connection is ending using close notify alert.