2/21/14

SSL / TLS Basics.

SSL (Secure Sockets Layer) is an enhanced version of TCP (Transmission Control Protocol) that adds confidentiality (transmitted data is hidden from eavesdroppers), data integrity (transmitted data is hard to tamper with), and end-point authentication (we know who 'talks' with whom over the Internet or another medium; both client and server are authenticated).

TLS (Transport Layer Security) is a version of SSL version 3 that has been standardized by the IETF (Internet Engineering Task Force) in [RFC 2246] (Request For Change 2246).

SSL sits between TCP (in the Transport Layer) and the Application Layer. That is, when we program a secure socket, we configure security and handle it as an abstraction over a standard TCP socket.

SSL consists of three phases:

* Handshake

During the Handshake phase, the client and server negotiate the encryption protocol and establish a connection. The server sends its certificate with an asymmetric public key, which is used to transmit the Master Secret: information that can be used for symmetric-key encryption between client and server, which handles the secure transmission.

During encryption protocol negotiation, attackers can delete strong ciphers from the offer if weaker ones are available, so do not add weak ciphers if you do not have to. It is alluring to add more available ciphers for variety and trust the infrastructure to do the rest, but computer criminals treat this as a vulnerability and reduce your options, so do not do it. It is best to leave the default configuration if you are not an expert.

* Key Derivation

In principle the Master Secret (MS), now shared by client and server (Alice and Bob), could be used as the symmetric session key for all subsequent encryption and data integrity checking. It is, however, generally considered safer for Alice and Bob to each use different cryptographic keys, and also to use different keys for encryption and integrity checking. Thus Alice and Bob use the MS to generate four keys: Alice's session encryption key, Bob's session encryption key, Alice's MAC key for checking data integrity, and Bob's MAC key for checking data integrity.

* Data Transfer

During data transfer, SSL uses simple sequence numbers to ensure the correct order of the records (data chunks) transferred, and Message Authentication Codes (MAC) for integrity checking of each record. And let's not forget about the session keys for symmetric encryption of the data transmitted between Alice and Bob.

Lastly, to close an SSL connection over TCP, we need to send the proper information inside encrypted data (a proper SSL record), and then finalize the TCP connection with a TCP FIN. Otherwise, we are susceptible to a truncation attack. This way we know something 'funny' is happening if the transmission is finalized with a TCP FIN before a proper SSL record has indicated the end of the secure transmission.
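The key derivation, per-record MAC with sequence numbers, and closing record described above can be modelled in a few lines. This is an added example, not code from the original post: the record layout, the `DATA`/`CLOSE` type values and the HMAC-with-label derivation are simplifying assumptions (real SSL/TLS uses its own PRF and record format), and encryption of the payload is left out so the integrity logic stays visible.

```python
import hmac, hashlib

DATA, CLOSE = 0, 1  # record types in this toy model (constructed, not real TLS values)

def derive_keys(master_secret: bytes) -> dict:
    """Expand the MS into four independent keys (HMAC with a label; not the TLS PRF)."""
    labels = ("client_enc", "server_enc", "client_mac", "server_mac")
    return {l: hmac.new(master_secret, l.encode(), hashlib.sha256).digest() for l in labels}

def seal(mac_key: bytes, seq: int, rtype: int, data: bytes) -> bytes:
    """Build a record: type || data || MAC(seq || type || data). seq itself is never sent."""
    header = seq.to_bytes(8, "big") + bytes([rtype])
    tag = hmac.new(mac_key, header + data, hashlib.sha256).digest()
    return bytes([rtype]) + data + tag

def receive(mac_key: bytes, records: list) -> tuple:
    """Verify records in arrival order; return (payload, closed_cleanly)."""
    payload = b""
    for seq, rec in enumerate(records):  # receiver counts records on its own
        rtype, data, tag = rec[0], rec[1:-32], rec[-32:]
        header = seq.to_bytes(8, "big") + bytes([rtype])
        expected = hmac.new(mac_key, header + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"bad MAC at record {seq}: tampered, reordered or dropped")
        if rtype == CLOSE:
            return payload, True
        payload += data
    return payload, False  # stream ended (TCP FIN) before the close record arrived

if __name__ == "__main__":
    keys = derive_keys(b"constructed-master-secret")  # sample value, constructed
    k = keys["client_mac"]
    stream = [seal(k, 0, DATA, b"pay alice 10"),
              seal(k, 1, DATA, b"; then cancel"),
              seal(k, 2, CLOSE, b"")]
    print(receive(k, stream))      # full stream, closed cleanly
    print(receive(k, stream[:1]))  # cut after first record: closed_cleanly is False
```

A receiver that treats `closed_cleanly == False` as an error will not act on the shortened message, which is the point of the closing record.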


Source: [3].
