2. Introduction
● It is an Internet Protocol for secure exchange of information between a web browser and a web
server
● Ensuring that all data passed between them remain private and free from attack.
● This is done with the use of Certificates and keys
● Security services are:
○ Authentication
○ Confidentiality
○ Message integrity
● Developed By Netscape Corporation in 1994.
● Currently comes in three versions: 2,3 and 3.1
2
3. Example of SSL with Amazon
3
- Secured Website like Amazon uses SSL.
- padlock icon. Or (in status bar) or https
- This indicates website’s server uses SSL to secure your personal information.
- This type of SSL between a client and a website server is known as Server
Authentication.
Fig. Example of Secure connection
5. Steps for SSL Communication
1) Client connects to a web server (website) secured with SSL (https). Client requests that the
server identify itself.
2) Server sends a copy of its SSL Certificate, including the server’s public key.
3) Client checks that the certificate is trusted: unexpired, unrevoked, and valid for the website that
it is connecting to. If the client trusts the certificate, it creates, encrypts, and sends back a session
key using the server’s public key.
4) Server decrypts the symmetric session key using its private key and begins an encrypted
session with the client. The server and client now encrypt all transmitted data with the session key.
5
Fig. General view of SSL
communication
9. SSL Protocol Stack
● Handshake phase
Handshake Protocol is used to establish sessions. This protocol allows the
client and server to authenticate each other by sending a series of messages to
each other. Handshake protocol uses four phases to complete its cycle.
● Change-cipher Protocol
This protocol uses the SSL record protocol. Unless Handshake Protocol is
completed, the SSL record Output will be in a pending state. After handshake
protocol, the Pending state is converted into the current state. Change-cipher
protocol consists of a single message which is 1 byte in length and can have
only one value. This protocol’s purpose is to cause the pending state to be
copied into the current state.
9
10. ● Alert Protocol
This protocol is used to convey SSL-related alerts to the peer entity. Each
message in this protocol contains 2 bytes.
This Alert has no impact on the connection between sender and receiver.
But, alert level indicates :
Level -1 : Bad certificate, no certificate or certificate expired etc.
Level-2 : Handshake failure, Decompression failure, Bad record MAC etc.
10
11. SSL Record Protocol
11
● Divided into fragments
● Block compressed
● Compression encrypted with
MAC(Message
Authentication Code)
● Encryption of data is done
● SSL header is added
12. Silent Features
• The advantage of this approach is that the service can be tailored to the
specific needs of the given application.
• Secure Socket Layer was originated by Netscape.
• SSL is designed to make use of TCP to provide reliable end-to-end secure
service.
• This is a two-layered protocol.
12
13. SSL Services
●Receive data from any application layer protocol but receives typically from
HTTP
●Data received from application are optionally compressed, signed and
encrypted.
●The data is then passed to TCP layer
●SSL provides services on data received from application layer such as:-
13
14. SSL Services
1.Fragmentation
At first SSL provides the data block into blocks of sizes 2^14 bytes or less
2.Compression
Each fragment of data is compressed using lossless compression negotiated between
the transmitter and receiver. This service is optional
3. Message Integrity
to preserve the integrity of data, SSL uses keyed between hash function to create a MAC
4. Confidentiality
the original data and MAC are encrypted using symmetric key cryptography
5. Framing
A header is added to encrypted payload which is then passed to a reliable transport
layer protocol such as TCP
14