SSL Demystified
•
0 likes•39 views
A simple explanation about SSL handshake covering most of the topics asked in interviews about 1. SSL handshake process 2. Key exchange algorithm working 3. Implementation of confidentiality and integrity of messages exchanged 4. Authentication of client and server
More Related Content
What's hot
What's hot (20)
Similar to SSL Demystified
Similar to SSL Demystified (20)
Recently uploaded
Recently uploaded (20)
SSL Demystified
- 2. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 Client Public Key Client Private Key Server Public Key Server Private Key PREVIEW 1. Client has public key and private key in browser 1. Server has its public key and private key
- 3. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 Generate Random Number Rc Rc client_hello(crypto info, )Rc 2. Client generates a random number and sends to server with crypto info(SSLv #, cipher suites supported)
- 4. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 Generate Random Number Rs RcRc Rs Demand Client Certificate Server Certificate (including ) 𝑺 𝑃𝑢𝑏 server_hello(crypto info, )Rs 3. Server responds with chosen cipher suite, session ID, another random string and its digital certificate 4. Requesting client certificate that includes list of types of certs supported and names of acceptable CAs
- 5. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑺 𝑃𝑘 Check server certificate Rc Rc Rs 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 Rs Client Certificate (including ) 𝑪 𝑃𝑢𝑏 Hash of all previous messages signed with 𝑪 𝑃𝑘 𝑺 𝑃𝑢𝑏 5. Client verifies server’s certificate 6. Client sends a hash of all messages signed with 𝑪 𝑃𝑘 + client′s digital certificate
- 6. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 DH-KEY EXCHANGE random random abc xyz random abc random xyz random xyz random abc abc xyz random abcxyz Shared over open channel Shared over open channel Mathematically generates common session key Diffie-Hellman key agreement is not based on encryption and decryption, but instead relies on mathematical functions that enable two parties to generate a shared secret key for exchanging information confidentially online Client generated private key Server generated private key MK 7. Key Exchange
- 7. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 RSA-KEY EXCHANGE random Shared over open channel RSA key exchange implements exchange of secret keys securely online by encrypting the secret key with the intended recipient's public key 𝑺 𝑃𝑢𝑏 drnoam drnoam 𝑺 𝑃𝑘 random MK 7. Key Exchange
- 8. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑺 𝑃𝑘 Change to encrypted connection using as KEY MK End SSL Handshake Rc Rc Rs 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 Rs MK MK 8. Client sends “finished” message encrypted with secret key
- 9. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑺 𝑃𝑘 Change to encrypted connection using as KEY MK End SSL Handshake Rc Rc Rs 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 Rs 9. Server sends “finished” message encrypted with secret key MK MK
- 11. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 CONFIDENTIALITY During the SSL handshake, the SSL client and SSL server agree on encryption algorithm and a shared secret key to be used for one session only. All messages transmitted between the SSL client and SSL server are encrypted using that algorithm and key, ensuring that the message remains private even if it is intercepted Because SSL uses asymmetric encryption when transporting the shared secret key, there is no key distribution problem with SSL SSL provides data integrity check by calculating the message digest. A message can be digitally signed by a message exit at the sending end of a channel. The digital signature can then be checked by a message exit at the receiving end of a channel to detect whether the message has been deliberately modified. Use of SSL or TLS does ensure data integrity, provided that the CipherSpec in your channel definition uses a hash algorithm. INTEGRITY
- 13. C L I E N T S E R V E R 𝑪 𝑃𝑘 𝑪 𝑃𝑢𝑏 𝑺 𝑃𝑢𝑏 𝑺 𝑃𝑘 For SERVER authentication, the client uses the server’s PUBLIC KEY to ENCRYPT the data that is used to compute the secret key. The server can generate the secret key only if it can decrypt that data with the correct PRIVATE KEY. For CLIENT authentication, the server uses the PUBLIC KEY in the client certificate to VERIFY the data the client sends during of the handshake. The exchange of finished messages that are encrypted with the secret key confirms that authentication is complete. If any of the authentication steps fail, the handshake fails and the session terminates. AUTHENTICATION • The digital signature is checked • The certificate chain is checked • The expiry and activation dates and the validity period are checked • The revocation status of the certificate is checked CERTIFICATE VERIFICATION
- 15. The End