|
SSL (Secure Socket Layer)
Part:
1
2
3
Sample programs listed in this chapter have been tested with JDK 1.5.0.
What is SSL?
SSL (Secure Socket Layer) is a communication protocol created by Netscape
in 1994 to ensure secure transactions between web servers and browsers.
A good description about SSL was given by Franck Martin
in "SSL Certificates HOWTO" at
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO:
- A browser requests a secure page (usually https://).
- The web server sends its public key with its certificate.
- The browser checks that the certificate was issued
by a trusted party (usually a trusted root certificate authority),
that the certificate is still valid and that the certificate
is related to the site contacted.
- The browser then uses the public key, to encrypt a random
symmetric encryption key and sends it to the server with the
encrypted URL required as well as other encrypted http data.
- The web server decrypts the symmetric encryption key using
its private key and uses the symmetric key to decrypt the URL
and http data.
- The web server sends back the requested html document and
http data encrypted with the symmetric key.
- The browser decrypts the http data and html document
using the symmetric key and displays the information.
The latest version of SSL is version 3.0 which was defined in 1996.
A new protocol called Transport Layer Security (TLS) has been developed
to replace SSL.
SSL Specification Overview
SSL protocol operates between the TCP/IP layer and the application layer
in the communication layer model. See the following diagram:
Client Server
Application Application
SSL SSL
TCP/IP TCP/IP
| |
|-----------------|
The objective of SSL protocol is to offer to the application the following security properties:
- Privacy - Application data can be encrypted with symmetric cryptography technologies.
- Authenticity - Remote host can be authenticated with certificate technologies.
- Integrity - Application data's integrity can be checked with message digest technologies.
SSL protocol is actually composed of 4 sub-protocols:
- Record Protocol - Operates between the TCP/IP layer and application layer
to apply fragmentation, compression, encryption, and message digest operations.
- Handshake Protocol - Operates on top of the record protocol layer
before any real application data transmission to authenticate remote host,
exchange encryption settings and initializing the record protocol layer.
- Change Cipher Spec Protocol - Operats on top of the record protocol
layer to inform remote host to change security settings in the record protocol
layer.
- Alert Protocol - Operates on top of the record protocol layer
to send alerts to the remote host.
SSL's sub-protocols work together with application protocols
as shown in the following diagram:
--> Time
|----------------------------------------------------------------|
| SSL Handshake | SSL Change Cipher Spec | Application/SSL Alert |
| Protocol | Protocol | Protocol |
|----------------------------------------------------------------|
| SSL Record Protocol |
|----------------------------------------------------------------|
| TCP/IP Protocol |
|----------------------------------------------------------------|
As you can see, the handshake protocol is very important for establishing
the SSL. The following diagram shows you what are the messages used
in the handshake protocol and in what sequence they are used:
Client Server
Client Hello -->
<-- Server Hello
<-- Server Certificate (optional)
<-- Server Key Exchange (optional)
<-- Certificate Request (optional)
Certificate -->
Client Key Exchange -->
Certificate Verify -->
Change Cipher Spec -->
Finished -->
<-- Change Cipher Spec
<-- Finished
For details of the SSL specifications, see "The SSL Protocol, Version 3.0"
at http://wp.netscape.com/eng/ssl3/draft302.txt.
(Continued on next part...)
Part:
1
2
3
| 