2. Secure Socket Layer (SSL) and Transport Security Layer (TLS) are
both cryptographic protocols which provide secure
communication over networks
Version
SSL 1.0
SSL 2.0
SSL 3.0
TLS 1.0
TLS 1.1
TLS 1.2
History
3. Web now widely used by business, government, individuals for multiple
application like web browsing, email, instant messaging and VOIP but
Internet & Web are vulnerable.
SSL / TLS provide below key features to secure end to end communication.
integrity
confidentiality
denial of service
authentication
Which added security mechanisms
Why SSL / TLS Required ?
4. Client and Server exchange parameters with Client Hello and
Server Hello Messages
Hello messages
Certificate and Key Exchange messages
Change CipherSpec and Finished messages
SSL / TLS Handshake
6. Client Hello & Server Hello Messages Parameter exchange
Version Number
Cipher Suite Method
Session ID
Compression Method
Random Number
Note : The server selects a cipher suite or, if no acceptable choices are
presented, returns a handshake failure alert and closes the connection.
Client Hello / Server Hello
7.
8.
9.
10. Server send X.509 v3 certificate and key exchange to client and
send server hello done message.
Now client verify that certificate from Intermediate Authority
and Root Certificate Authority.
Client check with certificate fields to authenticate certificate.
Server Certificate/Key Exchange and Server
Hello Done
11. Certificate Validity Period
DN verify from listed CA / Root CA
Validate Digital Signature of Certificate
There are 3 levels of validation of certificate
Domain Validation (DV)
Organization Validation (OV)
Extended Validation (EV)
Server Certificate Authentication
12. CRL
CRL (Certificate Revocation Lists) contains a list of certificate serial
numbers that have been revoked by the CA. The client then checks the
serial number from the certificate against the serial numbers within the
list from CDC (CRL Distribution Centre)
OCSP
OCSP (online certificate status protocol) provide status
Good/Bad/Unknown of the certificate rather than download whole list
of revoked certificate.
Certificate Revocation Methods
13.
14. This is the first message that the client sends after he/she
receives a Server Hello Done message.
This message is only sent if the server requests a certificate.
If no suitable certificate is available, the client sends a no_certificate
alert instead.
This alert is only a warning; however, the server might respond with a
fatal handshake failure alert if client authentication is required.
Client Exchange
15. After validate certificate successfully from client end, Client
generate pre-master key with help of random number and
encrypt with Server Certificate Public Key and send it to server.
Server decrypt message with own private key and find Pre Master key.
With help of pre-master key client and server generate master
key ( 48 Bytes ) and generate session key from master key.
Change CipherSpec Exchange
16.
17.
18. A Finished message is always sent immediately after a Change
Cipher Spec message in order to verify that the key exchange
and authentication processes were
successful.
The Finished message is the first protected packet with the most
recently negotiated algorithms, keys, and secrets. No
acknowledgment of the Finished message is required.
After receive Finish Message from Server, client start to send
data with encrypted with session key to server.
Finish Message