
Sockets Layer (SSL) and The Follow-On (Subsequent) Internet Standard of

SSL provides a secure layer between the transport and application layers of communication. It encrypts data for confidentiality and uses message authentication codes for integrity. The SSL Record Protocol handles these security services. The Handshake Protocol negotiates encryption keys and allows for server/client authentication. Transport Layer Security (TLS) aims to standardize SSL as a transport layer security protocol. TLS will likely replace SSL as the standard security solution for web transactions.

Uploaded by

Fazeelur Rahman
Copyright
© Attribution Non-Commercial (BY-NC)

SSL: Foundation for Web Security

Virtually all businesses, most government agencies, and many individuals now have Web sites. The number of individuals and companies with Internet access is expanding rapidly, and all of them have graphical Web browsers. As a result, businesses are enthusiastic about setting up facilities on the Web for electronic commerce. But the reality is that the Internet and the Web are extremely vulnerable to compromises of various sorts. The threats fall into several categories: integrity, confidentiality, denial of service, and authentication. As businesses utilize the Internet for more than information dissemination, they will need to use trusted security mechanisms. An increasingly popular general-purpose solution is to implement security as a protocol that sits between the underlying transport protocol (TCP) and the application. The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on (subsequent) Internet standard of SSL known as Transport Layer Security (TLS). At this level, there are two implementation choices:

-For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications.
-Alternatively, SSL can be embedded in specific packages. For example, Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol.

Although it is possible to use SSL for applications other than Web transactions, its use at present is typically as part of Web browsers and servers, and hence limited to Web traffic. Most of this article deals with the technical details of SSL; the status of TLS is described at the end.

-SSL was originated by Netscape.
-Version 3 of the protocol was designed with public review and input from industry and was published as an Internet Draft document.
-Subsequently, when a consensus was reached to submit the protocol for Internet standardization, the TLS working group was formed within the Internet Engineering Task Force (IETF) to develop a common standard.
-The current work on TLS is aimed at producing an initial version as an Internet Standard.

SSL Architecture

-SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
-SSL is not a single protocol but rather two layers of protocols.

The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, HTTP, which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change CipherSpec Protocol, and the Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges. Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows:

Connection: A logical client/server link that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.

Session: An association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

SSL Record Protocol


The SSL Record Protocol provides two services for SSL connections:

-confidentiality, by encrypting application data. Symmetric encryption is used, with a shared secret key defined by the Handshake Protocol. The message is compressed before encryption.
-integrity, by using a message authentication code (MAC). The MAC is computed with a shared secret key; the construction is similar to HMAC but with different padding. Note: this MAC is not to be confused with the other meaning of the acronym, Media Access Control.

The Record Protocol is a base protocol that can be utilized by some of the upper-layer protocols of SSL. One of these is the Handshake Protocol which, as described later, is used to exchange the encryption and authentication keys. It is vital that this key exchange be invisible to anyone who may be watching the session.

Figure 1 indicates the overall operation of the SSL Record Protocol. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data is decrypted, verified, decompressed, and reassembled and then delivered to the calling application, such as the browser.

Figure 1: SSL Record Protocol Operation
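
The fragment and MAC steps of the Record Protocol, as an added Python sketch that is not part of the original document. It shows how the SSLv3 MAC differs from HMAC (pads are concatenated with the secret, not XORed); the pad lengths and byte layout follow the SSLv3 specification (RFC 6101), the secret and message are constructed sample values, and compression and encryption are left out.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14               # largest plaintext fragment, in bytes
APPLICATION_DATA = 23                # record content type
PAD_LEN = {"md5": 48, "sha1": 40}    # SSLv3 pad length for each hash


def ssl3_mac(hash_name, secret, seq_num, content_type, fragment):
    """SSLv3 record MAC: nested hash with concatenated pads (HMAC XORs them)."""
    pad1 = b"\x36" * PAD_LEN[hash_name]
    pad2 = b"\x5c" * PAD_LEN[hash_name]
    meta = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad1 + meta + fragment).digest()
    return hashlib.new(hash_name, secret + pad2 + inner).digest()


def fragment_and_mac(message, secret, hash_name="sha1", seq_start=0):
    """Split a message into records; return (header, fragment, mac) tuples.

    Compression (optional) is skipped and encryption is omitted: in the
    real protocol fragment + MAC are encrypted before the header is added.
    """
    records = []
    for i, off in enumerate(range(0, len(message), MAX_FRAGMENT)):
        frag = message[off:off + MAX_FRAGMENT]
        mac = ssl3_mac(hash_name, secret, seq_start + i, APPLICATION_DATA, frag)
        # Header: content type, version 3.0, length of the protected payload.
        header = struct.pack("!BBBH", APPLICATION_DATA, 3, 0, len(frag) + len(mac))
        records.append((header, frag, mac))
    return records


def verify_record(header, frag, mac, secret, seq_num, hash_name="sha1"):
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = ssl3_mac(hash_name, secret, seq_num, header[0], frag)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    secret = b"k" * 20                       # constructed MAC write secret
    for hdr, frag, mac in fragment_and_mac(b"A" * 40000, secret):
        print(hdr.hex(), len(frag), mac.hex())
```

Because the implicit sequence number is covered by the MAC, a record that is replayed or delivered out of order fails verification even though its bytes are unchanged.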

Change CipherSpec Protocol


-The Change CipherSpec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest.
-This protocol consists of a single message, which consists of a single byte with the value 1.
-The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the Cipher Suite to be used on this connection.
-This message is used as a coordination signal. The client must send it to the server and the server must send it to the client. After each side has received it, all of the following messages are sent using the agreed-upon ciphers and keys.

Alert Protocol
The Alert Protocol is used to convey SSL-related alerts to the peer entity.

-As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state.
-Each message in this protocol consists of two bytes:

The first byte takes the value "warning" (1) or "fatal" (2) to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection. Other connections on the same session may continue, but no new connections on this session may be established.

The second byte contains a code that indicates the specific alert. An example of a fatal message is illegal parameter (a field in a handshake message was out of range or inconsistent with other fields). An example of a warning message is close notify (notifies the recipient that the sender will not send any more messages on this connection; each party is required to send a close notify alert before closing the write side of a connection).

Other examples [fatal] include: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter.

Other examples [warning] include: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown.
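
How a receiver can act on the Change CipherSpec and Alert messages described above, as an added Python sketch that is not part of the original document. The numeric content types and alert codes are the SSLv3 values from RFC 6101; the class names, suite labels, and the choice to treat malformed messages as fatal are assumptions of this sketch.

```python
from dataclasses import dataclass

CHANGE_CIPHER_SPEC, ALERT = 20, 21     # record content types
WARNING, FATAL = 1, 2                  # alert level (first byte)
ALERTS = {                             # alert code (second byte), SSLv3 values
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter",
}

@dataclass
class Session:
    accepts_new_connections: bool = True

@dataclass
class Connection:
    session: Session
    current_suite: str = "NULL"        # suite names here are constructed labels
    pending_suite: str = "NULL"
    is_open: bool = True
    peer_closed: bool = False

    def receive(self, content_type: int, payload: bytes) -> str:
        """Handle one already-decrypted ChangeCipherSpec or Alert payload."""
        if not self.is_open:
            raise ConnectionError("connection already terminated")
        if content_type == CHANGE_CIPHER_SPEC:
            if payload != b"\x01":                    # must be one byte, value 1
                return self._fatal("unexpected_message")
            self.current_suite = self.pending_suite   # pending -> current state
            return "cipher_spec_changed"
        if content_type == ALERT:
            if len(payload) != 2 or payload[0] not in (WARNING, FATAL):
                return self._fatal("illegal_parameter")
            name = ALERTS.get(payload[1], "unknown")
            if payload[0] == FATAL:
                return self._fatal(name)
            if name == "close_notify":
                self.peer_closed = True               # peer sends nothing more
            return "warning:" + name
        return self._fatal("unexpected_message")

    def _fatal(self, name: str) -> str:
        self.is_open = False                          # terminate immediately
        self.session.accepts_new_connections = False  # existing ones may go on
        return "fatal:" + name
```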

Handshake Protocol
The most complex part of SSL is the Handshake Protocol.

-This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record.
-The Handshake Protocol is used before any application data is transmitted.

The Handshake Protocol consists of a series of messages [phases] exchanged by the client and the server:

-Establish security capabilities
-Server authentication and key exchange
-Client authentication and key exchange
-Finish

Figure 2 shows the initial exchange needed to establish a logical connection between the client and the server. The exchange can be viewed as having four phases.

Figure 2: Handshake Protocol Action

Transport Layer Security


TLS is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL. In fact, the charter for the TLS working group states: "The TLS working group is a focused effort on providing security features at the transport layer, rather than general purpose security and key management mechanisms. The standard track protocol specification will provide methods for implementing privacy, authentication, and integrity above the transport layer." This means that TLS can be used to provide security services to any application that uses TCP or the User Datagram Protocol (UDP). However, the driving force behind this work is to develop a standardized version of SSL. Microsoft has indicated that TLS will go into the next major version of its browser and Web server products, and Netscape has made a similar commitment. With this kind of support, it is likely that TLS will move quickly along the Internet Standards track.

The current draft version of TLS is very similar to SSLv3. TLS uses slightly different cryptographic algorithms for such things as the MAC function and the generation of secret keys. TLS also includes more alert codes. SSL is already widely deployed and, under the name TLS, is moving toward Internet standardization. It is the solution of choice for Web transaction security.
