Understanding transport-layer_security__ssl
Useful document and tutorial on SSL, encryption, TLS, cryptography, JEE security

Published in: Technology, Education

Transcript

  • 1. [Figure: secured website example]

http://idiotechie.com/understanding-transport-layer-security-secure-socket-layer/ May 12, 2013

Understanding Transport Layer Security / Secure Socket Layer
IdioTechie

Transport Layer Security (TLS) 1.0 / Secure Sockets Layer (SSL) 3.0 is the mechanism that provides private, secure and reliable communication over the internet. It is the most widely used protocol for secure HTTPS communication between clients (web browsers) and web servers. It ensures that sensitive data in transit is safe from cyber criminals who steal valuable client information. TLS/SSL enables server authentication, client authentication, data encryption and data integrity over the internet. Earlier, mostly payment-based web applications used secured communication to prevent hacking and keep critical payment information safe. The disadvantage of SSL is the performance hit: since the data passed over the secured layer has to be encrypted by the server, it uses more server resources than unencrypted communication. However, these days, with faster internet, most authentication-based web applications prefer secure HTTPS, e.g. Google, Facebook, Twitter; HTTPS is not limited to e-commerce or banking websites only.

What is the difference between TLS and SSL?
There are subtle differences between TLS and SSL. TLS is the successor to SSL, but TLS 1.2 is not interchangeable with SSL 3.0. TLS uses the Hash-based Message Authentication Code (HMAC) algorithm instead of the SSL Message Authentication Code (MAC) algorithm. HMAC is more secure than the standard SSL MAC algorithm.

How to recognize a secured website?
Most browsers help visitors identify whether a website is secured by showing 'https' in the address bar, along with the certificate authority that has validated the website.

Before we explore how SSL works, let's understand some of the key terminologies.

Encryption – In cryptography terminology, encryption is a process of encoding information sent from one computer to another in such a way that unauthorized persons cannot get access to the original data.
Identification – Identification is a process through which one system confirms the identity of another person / entity / computer system.
Authentication – Authentication is a process to verify the credentials of the principal or the system. The JEE platform requires that all application servers provide support for authentication mechanisms like HTTP basic authentication, SSL mutual authentication and form-based login.
Authorization – It is a process by which the principal is either granted or denied access to protected resources. Only a trusted principal can be granted secure access.

Why do we need encryption?
©http://idiotechie.com
  • 2. [Figures: unencrypted message example; encrypted message; 1. SSL Handshake; 2. SSL Handshake]

If we do not use encryption, the critical credit card information can be stolen by unauthorised persons who might hijack the session between the client and the server. When we use encryption, the credit card information is encrypted and passed through a secured HTTPS connection, which prevents hackers from gaining unauthorized access to the data.

How does this encryption process work between the client and server?
There are several steps before the actual encrypted message is sent. The first process starts with the SSL handshake, i.e. establishing a secured connection between the client and the server. This process requires a total of nine handshake messages to be communicated between server and client. Once the handshake is completed, encrypted messages are communicated between client and server.

One-way SSL authentication
Step 1: Client and server agree on the medium of encryption.
Step 2: Server sends a certificate message to the client.
Server sends a Hello message to the client. Server sends a Certificate message to the client which consists of the server's certificate, including the server's public key. Before the client computer requests to start encryption, the server concludes its part of the negotiation with a ServerHelloDone message.
Step 3: Client computer requests to start encryption.
The client then sends the session key information, encrypted with the server's public key, in the Client Key Exchange message. Both client and server calculate the master secret, and from then on this secret is used to encrypt the messages between the client and server. The client sends a Change Cipher Spec message to activate the negotiated SSL encryption options, agreed during the Hello message communication, for all future messages it will send. And then the client sends Finished, which finally requests the server to start the encryption.
©http://idiotechie.com
  • 3. [Figures: 3. SSL Handshake; 4. SSL Handshake; 1. SSL Handshake; 2. Mutual SSL Handshake]

Step 4: Server confirms to start the encryption.
Server sends a Change Cipher Spec message to activate the previously negotiated options for all future messages it will send. Server then sends the Finished message to the client and requests it to check the newly activated options. When the Finished message is delivered, it is sent in encrypted mode. This completes the handshake process.
Step 5: The messages are encrypted.
Now the client and server communicate securely through encrypted messages only.

Two-way SSL communication (Mutual SSL Authentication)
Step 1: Client and server agree on the medium of encryption.
Step 2: Server sends a certificate message to the client.
  • Server sends a Hello message to the client.
  • Server sends a Certificate message to the client which consists of the server's certificate, including the server's public key.
  • Server requests the client's certificate in a Certificate Request message, so that the connection can be mutually authenticated.
  • Before the client computer requests to start encryption, the server concludes its part of the negotiation with a Server Hello Done message.
Step 3: Client computer requests to start encryption.
  • Client responds to the server with a Certificate message, which contains the client's certificate.
  • Client then sends the session key information, encrypted with the server's public key, in the Client Key Exchange message.
  • Client sends a Certificate Verify message to let the server know it owns the sent certificate. Both client and server calculate the master secret, and from then on this secret is used to encrypt the messages between the client and server.
  • Client sends a Change Cipher Spec message to activate the negotiated SSL encryption options, agreed during the Hello message communication, for all future messages it will send.
  • And then the client sends Finished, which finally requests the server to start the encryption.
Step 4: Server confirms to start the encryption.
©http://idiotechie.com
  • 4. [Figures: 3. Mutual SSL Handshake; 4. SSL Handshake]

Step 4: Server confirms to start the encryption.
Server sends a Change Cipher Spec message to activate the previously negotiated options for all future messages it will send. Server then sends the Finished message to the client and requests it to check the newly activated options. When the Finished message is delivered, it is sent in encrypted mode. This completes the handshake process.
Step 5: The messages are encrypted.
Now the client and server communicate securely through encrypted messages only.

In our next series we will discuss the code-level details and security implementation in web servers. Please keep watching this space.
©http://idiotechie.com
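As an added example (not code from the article or from IdioTechie), the one-way and mutual handshake flows described above as a small Python checker: it replays an observed sequence of messages against the expected order, records when each side's Change Cipher Spec activates the negotiated cipher, and confirms that only each side's Finished message travels encrypted during the handshake. The message names follow the TLS 1.0 handshake types; the `check_handshake` function and its return shape are this example's own assumptions.

```python
# Added example, not the article's code: model of the handshake orders described above.
ONE_WAY = [  # nine messages, as the article states
    ("client", "ClientHello"),
    ("server", "ServerHello"),
    ("server", "Certificate"),
    ("server", "ServerHelloDone"),
    ("client", "ClientKeyExchange"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
]
MUTUAL = [  # one-way flow plus CertificateRequest, client Certificate and CertificateVerify
    ("client", "ClientHello"),
    ("server", "ServerHello"),
    ("server", "Certificate"),
    ("server", "CertificateRequest"),
    ("server", "ServerHelloDone"),
    ("client", "Certificate"),
    ("client", "ClientKeyExchange"),
    ("client", "CertificateVerify"),
    ("client", "ChangeCipherSpec"),
    ("client", "Finished"),
    ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
]

def check_handshake(observed, mutual=False):
    """Replay (sender, message) pairs against the expected flow; return (ok, encrypted, problem)."""
    # `encrypted` lists messages sent after their sender's ChangeCipherSpec, i.e. under the cipher.
    expected = MUTUAL if mutual else ONE_WAY
    cipher_active = {"client": False, "server": False}
    encrypted = []
    for i, (sender, msg) in enumerate(observed):
        if i >= len(expected) or (sender, msg) != expected[i]:
            return False, encrypted, f"unexpected {sender} {msg} at position {i + 1}"
        if cipher_active[sender]:
            encrypted.append((sender, msg))
        if msg == "ChangeCipherSpec":  # from here on, that side's messages are encrypted
            cipher_active[sender] = True
    if len(observed) < len(expected):
        return False, encrypted, "handshake incomplete: application data may not be sent yet"
    return True, encrypted, None

if __name__ == "__main__":
    for name, flow, mutual in (("one-way", ONE_WAY, False), ("mutual", MUTUAL, True)):
        ok, enc, err = check_handshake(flow, mutual)
        print(name, len(flow), "messages; encrypted:", enc, "ok" if ok else err)
```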
