Brief explanation about TLS and SSL protocol handshake and message exchange process and its describe certificate validation.

1. Cryptography Protocol
SSL / TLS Protocol

2.  Secure Socket Layer (SSL) and Transport Security Layer (TLS) are
both cryptographic protocols which provide secure
communication over networks
 Version
 SSL 1.0
 SSL 2.0
 SSL 3.0
 TLS 1.0
 TLS 1.1
 TLS 1.2
History

3.  Web now widely used by business, government, individuals for multiple
application like web browsing, email, instant messaging and VOIP but
Internet & Web are vulnerable.
 SSL / TLS provide below key features to secure end to end communication.
 integrity
 confidentiality
 denial of service
 authentication
 Which added security mechanisms
Why SSL / TLS Required ?

4.  Client and Server exchange parameters with Client Hello and
Server Hello Messages
 Hello messages
 Certificate and Key Exchange messages
 Change CipherSpec and Finished messages
SSL / TLS Handshake

5. SSL / TLS Handshake

6.  Client Hello & Server Hello Messages Parameter exchange
 Version Number
 Cipher Suite Method
 Session ID
 Compression Method
 Random Number
Note : The server selects a cipher suite or, if no acceptable choices are
presented, returns a handshake failure alert and closes the connection.
Client Hello / Server Hello

10.  Server send X.509 v3 certificate and key exchange to client and
send server hello done message.
 Now client verify that certificate from Intermediate Authority
and Root Certificate Authority.
 Client check with certificate fields to authenticate certificate.
Server Certificate/Key Exchange and Server
Hello Done

11.  Certificate Validity Period
 DN verify from listed CA / Root CA
 Validate Digital Signature of Certificate
 There are 3 levels of validation of certificate
 Domain Validation (DV)
 Organization Validation (OV)
 Extended Validation (EV)
Server Certificate Authentication

12.  CRL
 CRL (Certificate Revocation Lists) contains a list of certificate serial
numbers that have been revoked by the CA. The client then checks the
serial number from the certificate against the serial numbers within the
list from CDC (CRL Distribution Centre)
 OCSP
 OCSP (online certificate status protocol) provide status
Good/Bad/Unknown of the certificate rather than download whole list
of revoked certificate.
Certificate Revocation Methods

14.  This is the first message that the client sends after he/she
receives a Server Hello Done message.
 This message is only sent if the server requests a certificate.
 If no suitable certificate is available, the client sends a no_certificate
alert instead.
 This alert is only a warning; however, the server might respond with a
fatal handshake failure alert if client authentication is required.
Client Exchange

15.  After validate certificate successfully from client end, Client
generate pre-master key with help of random number and
encrypt with Server Certificate Public Key and send it to server.
 Server decrypt message with own private key and find Pre Master key.
 With help of pre-master key client and server generate master
key ( 48 Bytes ) and generate session key from master key.
Change CipherSpec Exchange

18.  A Finished message is always sent immediately after a Change
Cipher Spec message in order to verify that the key exchange
and authentication processes were
successful.
 The Finished message is the first protected packet with the most
recently negotiated algorithms, keys, and secrets. No
acknowledgment of the Finished message is required.
 After receive Finish Message from Server, client start to send
data with encrypted with session key to server.
Finish Message

19. Devang Badrakiya
http://devang.be
Thank You