SSLTLS - PowerPoint PPT Presentation

Provided by: xuka
1
SSL/TLS
  • Brief history
  • Netscape SSL v2 (1995) → SSL v3
  • Microsoft PCT (Private Communication Technique)
  • IETF TLS.
  • Belongs to layer 4 (transport layer)
  • In fact runs on top of layer 4 (TCP)
  • Does not need changes to the OS
  • TCP provides reliable transmission of packets

2
SSL position
Copied from http://developer.netscape.com/docs/manuals/security/sslin/
3
SSL functionality
  • Server authentication (by public certificate)
  • Client authentication (Optional)
  • Data encryption (by secret key system)
  • Integrity protection (by MAC)

4
SSL handshake
  • Client → Server: I want to talk, ciphers I support, RC
  • Server → Client: Certificate (PS), cipher I choose, RS
  • Client → Server: {S}PS, keyed hash of handshake MSG
  • Client and Server each compute K = f(S, RC, RS)
  • Server → Client: keyed hash of handshake MSG
  • Data protected by keys derived from K
There are six keys in total: three keys (encryption
key, IV, integrity key) in each direction.
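
The handshake above as an added Python sketch (not part of the original slides): it computes K = f(S, RC, RS), expands K into the six per-direction values, and shows that the keyed hash of the handshake messages fails to verify when the cipher offer is altered in transit. Assumptions: HMAC-SHA256 stands in for f, the message encodings are constructed, and the public-key encryption of S is not modelled.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in for the slide's f(); assumption: HMAC-SHA256, not SSL's real PRF.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def derive_keys(k: bytes, rc: bytes, rs: bytes) -> dict:
    # Six values from K: encryption key, IV, integrity key in each direction.
    names = [f"{side}_{use}" for side in ("client", "server")
             for use in ("enc", "iv", "mac")]
    return {n: prf(k, n.encode(), rc + rs)[:16] for n in names}

def finished(k: bytes, sender: bytes, transcript: list) -> bytes:
    # Keyed hash of every handshake message, length-prefixed to avoid ambiguity.
    body = b"".join(len(m).to_bytes(4, "big") + m for m in transcript)
    return prf(k, sender, body)

def run_handshake(tamper: bool = False) -> dict:
    rc, rs, s = os.urandom(32), os.urandom(32), os.urandom(48)
    hello = b"ciphers=3DES-SHA,RC4-MD5;rc=" + rc          # constructed message 1
    # Simulated in-transit edit: the first suite is stripped from the offer.
    seen = hello.replace(b"3DES-SHA,", b"", 1) if tamper else hello
    chosen = seen.split(b";")[0].split(b"=")[1].split(b",")[0]
    reply = b"cert=PS;chosen=" + chosen + b";rs=" + rs     # constructed message 2
    kx = b"{S}PS"   # placeholder: public-key encryption of S is not modelled
    k = prf(s, b"master", rc + rs)                        # K = f(S, RC, RS)
    # The client hashes what it sent; the server hashes what it received.
    client_fin = finished(k, b"client", [hello, reply, kx])
    server_view = finished(k, b"client", [seen, reply, kx])
    return {"chosen": chosen,
            "accepted": hmac.compare_digest(client_fin, server_view),
            "keys": derive_keys(k, rc, rs)}

if __name__ == "__main__":
    for tamper in (False, True):
        r = run_handshake(tamper)
        print(tamper, r["chosen"].decode(), r["accepted"], sorted(r["keys"]))
```
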
5
SSL certificate
  • SSL clients such as browsers store some CAs'
    public keys
  • The user of the client can add or delete CAs' public
    keys
  • SSL servers need to get public key certificates
    issued by CAs.
  • When an SSL server sends its certificate to an SSL
    client, the client can verify it.
  • Client certificates and authentication are not
    widely supported.

6
SSL server authentication
Copied from http://developer.netscape.com/docs/manuals/security/sslin/
7
SSL cipher suite
  • DES, Triple-DES, MD5, RSA, SHA-1.
  • DSA. Digital Signature Algorithm
  • KEA. Key Exchange Algorithm, an algorithm used
    for key exchange by the U.S. Government.
  • RC2 and RC4. Rivest encryption ciphers developed
    for RSA Data Security.
  • RSA key exchange. A key-exchange algorithm for
    SSL based on the RSA algorithm.
  • SKIPJACK. A classified symmetric-key algorithm
    implemented in FORTEZZA-compliant hardware used
    by the U.S. Government. (For more information,
    see FORTEZZA Cipher Suites.)