What is SSL?
SSL stands for Secure Socket Layer (SSL). Originally developed by Netscape and now a de-facto standard for secure communication over the internet, SSL is implemented by all secure web servers and browsers like Internet Explorer, Firefox, Safari, Opera etc.
Where SSL is used
The widest use of the SSL protocol is done in browsers. It will secure the browser of any site on the internet, for example: for login pages, or online banking, or any other financial site. Accessing any site starting with https:// in the address bar of the browser initiates the SSL connection between the browser and the SSL server, e.g. https://www.paypal.com in your address bar will establish a secure SSL connection between the browser and the web server of www.paypal.com. Apart from this SSL can be used in FTP or any other application layer protocols. SFTP implements SSL for FTP.
Basic SSL Terminology
Encryption: process of converting readable data into unreadable data to prevent its usage from unknown/unauthorized people.
Decryption: process of converting the encrypted data back into readable form.
Plain Text: Text that is not encrypted and can be read by anyone.
Cipher: The algorithm used to encrypt the plain text.
Key: The unique data used by the cipher to perform the encryption or decryption. This is generally a secret, or private, key, and is not available in public domain.
Cipher text: The encrypted data that is not readable by anyone.
Symmetric Algorithm: The same key is used to encrypt and decrypt the data.
Asymmetric algorithm: Different keys are used to encrypt and decrypt the data.
OSI: Open Systems Interconnection model for layered network architecture.
SSL protocol is the application level protocol over the IP/TCP layer of the OSI model. As of now there are three main SSL versions.
- SSL 2.0: This is the old version, now disabled by default in most modern browser versions.
- SSL3.0: The next version of the SSL protocol, supported in most browsers by default.
- SSL 3.1 or TLS: The latest version of the SSL protocol, enabled by default in latest versions of all browsers, like IE 8.0 or Firefox 3.0.2
The figure below depicts layered architecture based on the OSI model of network layers and the location of the SSL in the same.
The SSL provides a cushion between the application protocols like HTTP or IMAP or FTP and the lower transport layer protocol TCP for secure data exchange. It allows the HTTP or FTP to use the SSL enabled server to establish a secure connection with a SSL enabled client. In most cases, for example with HTTP, the server is authenticated but SSL does support authentication of the client as well by process called Client Authentication.
Phases of SSL connection
SSL handshake protocol is performed during the establishment of the SSL connection between the SSL client and SSL server. The SSL handshake authenticates the SSL client to the SSL server, adapts to each other’s cipher list, and agrees for a cipher to be used during the data exchange. It uses the Public key encryption method to generate the symmetric key that will be used for encryption and decryption during the SSL record data exchange. This also involves establishing a SSL secure tunnel between the SSL client and the SSL server.
SSL Record layer
The SSL record layer is used to define the format used, by which the data will be transferred using the SSL connection. This involves the encapsulation of the data from the upper level protocols like HTTP/FTP/IMAP and transmitting the same to the lower layer after encryption of the same using the ciphers/parameters agreed upon during the SSL handshake phase. It also involves receiving the secure encrypted data from the lower layer (TCP) and decrypts the same and passes the same to the intended recipient of the same.
The figure below indicates the various phases of the SSL protocol for a typical connection establishment between a client and a server.
Each of the messages numbered in the SSL handshake figure above are described below:
1. SSL Client Hello: This message contains the SSL version number, list of ciphers supported by the SSL client, along with a random number.
2. SSL server Hello: The SSL server sends this message to SSL client. This message contains the SSL server version number, cipher selected, random number.
3. Server Certificate: The server send the server’s SSL certificate that has the public key of the Server that needs to be used by the client.
4. Server Hello Done: The server sends this message to indicate to the SSL client that the Server hello message is completed
5. Client Key Exchange: The client uses the information sent in Steps 2,3,4 and authenticates the server certificate. If server authentication succeeds, the client creates a premaster key and sends the same to the server after encrypting the same using the Server Public key as a Client-Key exchange message. This message is send from the SSL client to the SSL server.
6. Master Key Generation: The server uses its private key to decrypt the premaster key. The client and the server both perform a series of steps on same premaster key to generate the master key. Both client and server generate a symmetric session key using this Master key that is used for transfer of the encrypted data.
7. Client Change Cipher Specs: Client sends this message to indicate to the server that further messages will be encrypted with the generated session key. This contains the checksum of the handshake messages.
8. Finished: This message is send by the client to indicate to the server that the handshake portion from the client side is finished.
9. Server Change Cipher Specs: The server, upon receiving the change cipher specs of the client, deciphers the same using the session key, compares the checksum and then responds back with its own changed cipher spec message to the client containing the checksum.
10. Finished: This message is sent by the server to indicate to the client that the handshake portion from the server side is finished. The client compares the checksum received in Step 9 after deciphering the message, and if it matches the checksum send by the client, the connection is established.