1. Abstract
2. What is SSL?
3. The Record Layer
4. The Change CipherSpec Protocol
5. The Alert Protocol
6. The Handshake Protocol
Abstract
This document describes the SSL protocol (v. 3.0) in non-technical terms, as well as basic encryption methods and algorithms.
The intention of this article is to introduce the reader to the SSL protocol and to encryption methods in general, not to provide the means to implement it.
What is SSL?
SSL (Secure Socket Layer) is a protocol which allows client/server applications to communicate in a way which prevents eavesdropping, tampering or message forgery.
The goals of SSL are:
- Cryptographic security
Establishing a secure connection between two parties. Encryption
is used after an initial handshake to define a secret key.
This encryption is symmetric.
- Reliability
The connection is reliable. Message transport includes a message integrity check using a keyed MAC. Secure hash functions are used for MAC computations.
- Interoperability
Different applications from different programmers should be able to successfully exchange cryptographic parameters without knowledge of one another's code.
- Extensibility
New public key
and bulk encryption methods can be incorporated as necessary.
- Relative efficiency
Cryptographic operations tend to be highly CPU intensive.
For this reason the SSL protocol has some options (such as caching and
compression) which allow a reduction in the number of connections that
need to be established from scratch and a reduction in network activity.
The protocol is composed of two layers. At the lowest level, layered on top of some reliable transport protocol (TCP), is the SSL Record Protocol, which is used for encapsulation of various higher level protocols, such as the SSL Handshake Protocol, which allows the server and client to authenticate each other and to 'negotiate' an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.
The Record Layer
The SSL Record Layer receives uninterpreted data from higher layers in blocks of arbitrary size, and performs some operations on it (such as fragmentation and compression) which leave the data compressed, encrypted, and fragmented into manageable structures.
The operations of the Record Layer are:
- Fragmentation
The record layer fragments information blocks into SSLPlaintext
records (a record with some info about the data) of 2^14 bytes or less.
- Compression
All records are compressed using the compression algorithm defined in the current session state. The compression algorithm translates an SSLPlaintext structure into an SSLCompressed structure. The encryption and MAC functions translate an SSLCompressed structure into an SSLCiphertext structure. The decryption and decompression functions reverse the process.
- Record payload protection
All records are protected using the encryption and MAC algorithms defined in the current CipherSpec (a record which contains info about the algorithms that were chosen). There is always an active CipherSpec; however, initially it is set to SSL_NULL_WITH_NULL_NULL, which does not provide any security.
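The following is an added example, not code from the original article: a toy Python model of the record layer operations described above, showing fragmentation into records of at most 2^14 bytes and the SSL 3.0 MAC construction (hash over secret, pad, sequence number, content type, length and fragment, as defined in the SSL 3.0 specification). Encryption is deliberately left out (a NULL cipher), the record framing is simplified to a (type, fragment || MAC) tuple, and the secret, content type numbers and sample data are constructed for the example. The receiver side shows what a bad_record_mac looks like when a record is modified or dropped, and what a truncation looks like when the stream ends without a close_notify alert.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14          # SSLPlaintext records carry at most 2^14 bytes
CONTENT_ALERT = 21              # record-layer content types (SSL 3.0 values)
CONTENT_APPLICATION_DATA = 23
ALERT_WARNING, ALERT_FATAL = 1, 2
ALERT_CLOSE_NOTIFY = 0

# SSL 3.0 MAC: pad_1 is 0x36 and pad_2 is 0x5c, repeated 40 times for SHA-1
# and 48 times for MD5.
PAD_LEN = {"sha1": 40, "md5": 48}


def ssl3_mac(secret, seq_num, content_type, fragment, hash_name="sha1"):
    """hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))."""
    pad1 = b"\x36" * PAD_LEN[hash_name]
    pad2 = b"\x5c" * PAD_LEN[hash_name]
    # seq_num is a uint64, content type a uint8, fragment length a uint16
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad2 + inner).digest()


def fragment(data):
    """Record-layer fragmentation into chunks of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]


class Sender:
    """Protects outgoing data: fragment, then MAC with a running sequence number."""

    def __init__(self, mac_secret):
        self.mac_secret, self.seq = mac_secret, 0

    def protect(self, content_type, data):
        records = []
        for frag in fragment(data):
            mac = ssl3_mac(self.mac_secret, self.seq, content_type, frag)
            # Toy SSLCiphertext: (type, fragment || MAC). No encryption (NULL cipher),
            # so the MAC is the only protection demonstrated here.
            records.append((content_type, frag + mac))
            self.seq += 1
        return records

    def close(self):
        """close_notify is a warning-level alert telling the peer no more data follows."""
        return self.protect(CONTENT_ALERT, bytes([ALERT_WARNING, ALERT_CLOSE_NOTIFY]))


def receive(mac_secret, records, hash_len=20):
    """Verify a stream of records. Returns (status, application_data)."""
    seq, data = 0, b""
    for content_type, body in records:
        frag, mac = body[:-hash_len], body[-hash_len:]
        expected = ssl3_mac(mac_secret, seq, content_type, frag)
        if not hmac.compare_digest(mac, expected):
            # Covers a modified fragment and, because seq is in the MAC input,
            # a dropped or reordered record as well.
            return "bad_record_mac", data
        seq += 1
        if content_type == CONTENT_ALERT:
            if frag == bytes([ALERT_WARNING, ALERT_CLOSE_NOTIFY]):
                return "closed", data
            return "fatal_alert", data   # every other alert is treated as fatal in this toy
        data += frag
    # Stream ended without close_notify: this is what a truncation attack looks like.
    return "truncated", data
```

A constructed stream of 40000 bytes becomes three application-data records plus one close_notify record; removing the final record yields "truncated", and removing or altering any other record yields "bad_record_mac".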
The Change CipherSpec Protocol
This protocol exists to signal transitions in ciphering strategies. The protocol consists of a single message, which is encrypted and compressed under the current (not the pending) CipherSpec. This message is sent to notify the receiving party that subsequent records will be protected under the just-negotiated (in the handshake protocol) CipherSpec and keys.
The Alert Protocol
Alert is a type of message supported by the SSL Record Layer. Alert messages convey a level of severity and a description of the alert. An alert message with a level of 'fatal' will cause an immediate termination of the connection.
Some important messages are:
- close_notify: The client and the server must share the knowledge that the connection is ending in order to avoid a truncation attack. This message notifies the recipient that the sender will not send any more messages on this connection.
- unexpected_message: an inappropriate message was received.
- bad_record_mac: a record was received with an incorrect MAC.
- bad_certificate: a certificate was corrupt, contained signatures that did not verify correctly, etc.
- decompression_failure: the decompression function received improper input.
The Handshake Protocol
This protocol, which operates on top of the SSL Record Layer, is responsible for producing the cryptographic parameters of the session state. When an SSL client and a server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public-key encryption techniques to generate shared secrets (a symmetric key). These processes can be summarized as follows:
The client sends a client hello message to which the server must respond with a server hello message, or else the connection will fail. These messages are used to establish security enhancement capabilities between client and server, such as protocol version, session ID, cipher suite, and compression method.
Following the hello messages, the server will send its certificate. Now the server will send the server hello done message, indicating that the hello-message phase of the handshake is complete. The server will then wait for a client response.
The client key exchange message is now sent, and the content of that message will depend on the public key algorithm selected between the client hello and the server hello. At this point, a change cipher spec message is sent by the client, and then it immediately sends the finished message under the new algorithms, keys and secrets. In response, the server will send its own change cipher spec message, and send its finished message under the new cipher spec. At this point, the handshake is complete and the client and server may begin to exchange application layer data (under the new algorithms, keys and secrets that were agreed upon).
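As an added illustration of the handshake sequence and of the Change CipherSpec rule (the change cipher spec message goes out under the current CipherSpec, everything after it under the pending one), here is a small Python state machine that replays the message flow described above. It is not code from the original article: the message names are plain labels, the cipher suite string is just a stand-in for whatever the hellos negotiate, and no cryptography is performed. It returns the CipherSpec each message was protected under and reports an unexpected_message when the flow is violated, which is the alert the text lists for that case.

```python
NULL_SPEC = "SSL_NULL_WITH_NULL_NULL"          # the initial, insecure CipherSpec
NEGOTIATED = "SSL_RSA_WITH_3DES_EDE_CBC_SHA"   # stand-in label for the suite chosen in the hellos

# Message order for the handshake described above (server authentication only,
# no session resumption, no client certificate).
FLOW = [
    ("client", "client_hello"),
    ("server", "server_hello"),
    ("server", "certificate"),
    ("server", "server_hello_done"),
    ("client", "client_key_exchange"),
    ("client", "change_cipher_spec"),
    ("client", "finished"),
    ("server", "change_cipher_spec"),
    ("server", "finished"),
]


class Endpoint:
    """One side of the connection, holding its current and pending CipherSpecs."""

    def __init__(self):
        self.write_spec = NULL_SPEC   # current spec for records this side sends
        self.read_spec = NULL_SPEC    # current spec for records this side receives
        self.pending = None           # spec agreed in the hellos but not yet active


def run_handshake(messages, suite=NEGOTIATED):
    """Replay (sender, message) pairs. Returns (status, trace), where trace lists
    (sender, message, spec the record was protected under)."""
    sides = {"client": Endpoint(), "server": Endpoint()}
    trace = []
    for i, (sender, msg) in enumerate(messages):
        if i >= len(FLOW) or (sender, msg) != FLOW[i]:
            # Out-of-order or unknown message: the receiver would send this alert
            return "unexpected_message", trace
        me = sides[sender]
        peer = sides["server" if sender == "client" else "client"]
        # The record carrying this message is protected under the sender's *current* spec
        trace.append((sender, msg, me.write_spec))
        if msg == "server_hello":
            # Hellos fix the cipher suite; it becomes pending on both sides
            sides["client"].pending = sides["server"].pending = suite
        elif msg == "change_cipher_spec":
            # Only now does the pending spec become current, for this direction
            me.write_spec = me.pending
            peer.read_spec = peer.pending
    if len(trace) < len(FLOW):
        return "handshake_incomplete", trace
    return "handshake_complete", trace


def protected_under(trace, sender, msg):
    """Look up which CipherSpec a given message was sent under."""
    for s, m, spec in trace:
        if (s, m) == (sender, msg):
            return spec
    return None
```

Replaying FLOW completes the handshake with both change_cipher_spec messages under the NULL spec and both finished messages under the negotiated one; sending finished before change_cipher_spec, or a certificate where a server hello is required, stops with unexpected_message.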