Security at The Transport Layer
INTRODUCTION
The Secure Sockets Layer (SSL) protocol has emerged as the principal means of securing
communication between an Internet client and a server. It was developed by Netscape in 1994.
It was standardized by the IETF in 1999 and called Transport Layer Security (TLS). Today the
names SSL and TLS are used interchangeably. SSL is sandwiched between TCP and an application
layer protocol. It is application-protocol independent. Protocols such as HTTP, FTP, SMTP, IMAP,
and POP can all be run over SSL.
SSL is comprised of two main protocols:
The Handshake Protocol
The Record Layer Protocol
The SSL handshake protocol is used to negotiate the set of algorithms to be used for securing
the communication link. These include algorithms for encryption and hash computation,
besides a method for key exchange. Server authentication in SSL is mandatory and is
performed as part of the handshake.
The actual job of providing message authentication and integrity checking, and encryption,
is performed by the SSL record layer protocol. It sits just below the handshake protocol
and protects each message exchanged by the two communicating parties. The record layer
protocol also detects replayed, reordered, and duplicate packets.
The main steps in the SSL handshake for establishing a new session are as follows:
1) Agreement on a common cipher suite to be used in the new session.
2) Receipt and validation of the server certificate by the client.
3) Communication of a "pre-master secret" and computation of derived secrets.
4) Integrity verification of handshake messages and server authentication.
[Figure: handshake message exchange between Client and Server]
SERVER AUTHENTICATION
The keyed hash (or MAC) computed by both parties and sent in the Finished messages
is used as an integrity check on the previous handshake messages. All the handshake
messages are sent in the clear (except for encryption of the pre-master secret). It is
possible for an attacker to alter one or more of the handshake messages. For example,
he may replace the choice of 128-bit DES by a 56-bit DES. This may induce both parties to
use a weaker cipher, which can be compromised by the attacker. The MAC detects any
modifications in the handshake messages.
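The integrity check described above, as an added example that is not part of the original page: each side computes a keyed hash over the handshake messages as it saw them, so a cipher list altered in transit makes the two values disagree. The message encoding, the suite names STRONG-128 and WEAK-56, the secret, and the use of HMAC-SHA256 in place of the protocol's own Finished computation are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values; names and message encodings are illustrative,
# not the SSL/TLS wire format.
MASTER_SECRET = b"constructed-master-secret-for-demo"

def client_hello(cipher_suites):
    """Serialize a toy ClientHello listing cipher suites in preference order."""
    return b"ClientHello|" + ",".join(cipher_suites).encode()

def server_hello(offered):
    """Toy server policy: pick the first (most preferred) suite it was offered."""
    suite = offered.split(b"|", 1)[1].split(b",")[0]
    return b"ServerHello|" + suite

def finished_mac(master_secret, label, transcript):
    """Keyed hash over every handshake message this side sent and received.
    Assumption: HMAC-SHA256 over a transcript digest stands in for the
    protocol's own Finished computation."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, label + digest, hashlib.sha256).digest()

def run_handshake(offered_suites, in_transit=lambda msg: msg):
    """Return (negotiated_suite, finished_ok). `in_transit` models the network
    path taken by the cleartext ClientHello."""
    sent = client_hello(offered_suites)       # what the client sent
    received = in_transit(sent)               # what the server actually saw
    reply = server_hello(received)
    client_view = [sent, reply]               # client hashes what it sent
    server_view = [received, reply]           # server hashes what it received
    client_fin = finished_mac(MASTER_SECRET, b"client finished", client_view)
    expected = finished_mac(MASTER_SECRET, b"client finished", server_view)
    # The server verifies the client's Finished value in constant time.
    ok = hmac.compare_digest(client_fin, expected)
    return reply.split(b"|", 1)[1].decode(), ok

def strip_strong_suite(msg):
    """Models the in-transit modification of the cipher list described above."""
    return msg.replace(b"STRONG-128,", b"")

if __name__ == "__main__":
    print(run_handshake(["STRONG-128", "WEAK-56"]))
    print(run_handshake(["STRONG-128", "WEAK-56"], strip_strong_suite))
```

In the second run the server selects the weaker suite, but the Finished comparison fails, so the handshake is aborted before any application data is protected with it.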
SESSION AND CONNECTION
It is a good security practice to change keys during a long-lasting session. SSL has a
provision for changing keys by creating a new connection within an existing session. By
far the largest component of the overhead in creating a new session is the private key
operation (decryption of the pre-master secret) at the server. This overhead is obviated
by creating a new connection within an existing session. In creating a new connection,
the pre-master secret, which is a part of the existing session, is not established anew.
Instead a new master secret is computed as a function of the existing pre-master
secret and two fresh nonces contributed by the client and the server.
The next step after computing the MAC is encryption. If the combined size of the data
fragment and MAC is not a multiple of the block size, a pad is appended. The data fragment, MAC,
and pad (if any) are then encrypted, prepended with a header, and passed on to the TCP layer for
further processing.
The SSL record layer header is straightforward: there is a 1-byte content type field,
which identifies the higher layer protocol used to process the fragment. Two bytes are used to
specify the version number. Finally, the last field indicates the fragment size in bytes.
OpenSSL
OpenSSL is open source software that implements the SSL/TLS protocol. It is comprised of a
number of libraries that implement various cryptographic algorithms. It provides extensive
support for communicating and validating digital certificates. OpenSSL is based on the SSLeay
library developed by Eric A. Young and Tim J. Hudson.
OpenSSL enhances the productivity of application developers by providing a rich set of APIs
that handle diverse aspects of SSL-enabled communication, from connection set-up and
tear-down to certificate storage, management, and verification. This means that developers can
focus on the application domain and the functional requirements that need to be met, and rely on the
OpenSSL APIs to implement the required security.