8/4/2019 SSL - Report - EE282 - Sagar Chandawale

http://slidepdf.com/reader/full/ssl-report-ee282-sagar-chandawale 1/3

SSL (Secure Sockets Layer)

Sagar Chandawale (SJSU ID: 007507045)Graduate Student, San José State University 

Why SSL exists?

 There are two faces to why SSL exists i.e. Encryption & Identification. Encryptionis hiding what is sent from one computer to another by changing the content,similar to speaking in a code. The code is much more complex and cannot becracked easily. Another one is Identification, which is making sure the computeryou are communicating to is the one you trust.

Encryption

We can consider an example of sending credit card details. Without SSL, theinformation can be corrupted or eavesdropped by any other computer on any

other network between your computer and the web server. But, SSL acts as abarrier on that information, so when any other computer looks at it, it sees theinformation as a garbage. Google's gmail service will encrypt the login informationand password using SSL. One can easily know that looking at the HTML behind thepage. When it submits the login details, the action in the HTML, begins with HTTPS

<form id=”gaia_loginform”

action=”https://www.google.com/accounts/ServiceLoginAuth"method="post"”

this indicated that it wants to submit the form securely. Now, after pressing

submit, there are several steps before the actual encrypted data is sent, which iscalled as “hand-shaking”.

Steps:

1. Both the computers agree on how to encrypt the data between them.2. Server sends certificate containing details about themselves and a key to

encrypt the data.3. Your computer says 'start encrypting'.4. The server says 'start encrypting'.5. All the messages are encrypted.

Lets proceed by explaining each of these steps:

1. Computers agree on how to encrypt - First Computer 1 sends a “Hello”message to the server (Computer 2). The “Hello” message containsinformation like:

a. Key exchange methods (like RSA, Diffie-Hellman, DSA)b. Cipher – Used for encrypting the data between the two computers/servers (likeRC4 Triple DES or AES )

8/4/2019 SSL - Report - EE282 - Sagar Chandawale

http://slidepdf.com/reader/full/ssl-report-ee282-sagar-chandawale 2/3

c. Hash – Used to generate 'Message Authentication Code' which is sent alongwhich these different messages and hence they can assure the integrity of themessage (like HMAC – MDS, SHA)

Also sent is the SSL version (eg. 3.3 for TLSv1) and a random number used tocompute the master secret, which is then used to calculate the encryption keys.

Once, the client sends the message to the server, the server replies by agreeingwith the same key, cipher and the hash, and that the communication can be takento the next stage.

2. Server Sends Certificate – This is the next stage where, the Server sendsthe certificate to the client. The certificate contains information about 'whothe server belongs to?', 'How long the certificate is valid for?', and mostimportantly the public key.

3. Client signals to 'Start Encrypting' –  There in all 3 messages whichaccomplish this:

a. Client Key Exchange – Once this message is sent both the client & server cancalculate the master secret code, which can be used to communicate betweeneach other then on.b. Change cipher spec – Cipher spec will be the one which was agreed earlier inthe “Hello” messages.c. Finished – Then the client says it is finished and it is ready to exchange datawith the server.

4. Server signals to 'Start Encrypting' – Server does this by giving thecipher spec and then it is ready to exchange data too. This is an encryptedmessage.

In this way, all the messages are encrypted, and this is how encryption works.Now, another reason SSL exits is 'Identification'. Exchanging the data securely is  just not enough, there has to be some authentication to verify that the dataexchange is happening with the computer which is intended to and not someoneelse.

Who to trust?

When a computer is sending an information to another computer over SSL, there

is a way to find out, exactly to whom the messages are being conveyed. Theorganization we are communicating to needs to communicate with anotherorganization called the Certificate Authority (eg. Verisign) to get the certificate.Certificate Authority (CA) will issue a digital certificate, which certifies theownership of a public key by the named subject of the certificate. Then theorganization installs that certificate in its web server and on the other hand if theclient wants to view that certificate. The web browser on the client side will trustonly the correctly signed certificates but not the incorrectly signed ones. Thisguarantees the authentication of both the parties.

8/4/2019 SSL - Report - EE282 - Sagar Chandawale

http://slidepdf.com/reader/full/ssl-report-ee282-sagar-chandawale 3/3

 These are steps:

1. Company asks for CA (Certificate Authority) for a certificate – Thecompany has to give information to the CA about the web server, what the

company is and where it is located. The CA then checks the correctness andauthenticity of the company, by going through public records, receivingletter-headed papers, similar to one used to issue a passport!

2. CA creates certificate and signs it – The certificate has the followingcontents:

a. Versionb. Serial Numberc. Algorithm IDd. Issuere. Validity (from-to)f. Company details

g. Public key informationh. Identifier for issuerI. Identifier for company j. Signature algorithm & Signature.

3. Certificate installed in a server – The company runs a web server (likeApache, Tomcat, etc.) and the certificate is installed in this web server. Theweb server is then configured to use the certificate and then this certificateis used for hand-shaking process.

4. On the client (browser) side – Here, the browser is issued with rootcertificates from CA's all around the world and this enables it to check theauthenticity of the certificate that it gets.

5. Browser trusts correctly signed certificates - All the certificates thebrowser receives has a public key of that CA in it, which makes it verify thecertificate.

References:

1. Networking – SSL Tutorial –www.eventhelix.com/realtimemantra/networking/ssl.pdf 

2. SSL – FAQ's - http://www.whichssl.com/faqs/

3.  Transport Layer Security TLSv1 (SSL 3.3)–http://en.wikipedia.org/wiki/Transport_Layer_Security

4. Cryptography & Network Security: Principles & Practices – William Stalkings