Secure Socket Layer
SSL Architecture: Secure Socket Layer
Secure Socket Layer is designed to make use of TCP to provide a reliable end-to-end secure service.
Secure Socket Layer is not a single protocol but rather two layers of protocols, as illustrated in the figure below.
The SSL Record Protocol provides basic security services to various higher layer protocols.
In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL.
Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol.
Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows.
- Connection: A connection is a transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.
- Session: An SSL session is an association between a client and a server.
- There are a number of states associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send).
- In addition, during the Handshake Protocol, pending read and write states are created. Upon successful conclusion of the Handshake Protocol, the pending states become the current states.
- A session state is defined by the following parameters.
- Session identifier: A random byte sequence chosen by the server to identify an active or resumable session state.
- Peer certificate: An X.509v3 certificate of the peer. It may be null.
- Compression method: The algorithm used to compress data.
- Cipher spec: Specifies the data encryption algorithm (such as null, AES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation.
- Master secret: 48-byte secret shared between the client and server.
- Is resumable: A flag indicating whether or not the session can be used to initiate new connections.
A connection state is defined by the following parameters:
- Server and client random: Byte sequences that are chosen by the server and client for each connection.
- Server write MAC secret: The secret key used in MAC operations on data sent by the server.
- Client write MAC secret: The secret key used in MAC operations on data sent by the client.
- Server write key: The conventional encryption key for data encrypted by the server and decrypted by the client.
- Client write key: The conventional encryption key for data encrypted by the client and decrypted by the server.
- Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is initialized by the SSL Handshake Protocol.
Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero.
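The sketch below is an added example, not part of the original page. It goes one step beyond the text: in SSLv3 the per-connection MAC secrets, write keys and IVs are cut from a key block expanded from the session's master secret and the two randoms (RFC 6101, section 6.2.2), which is why one session can serve several connections with different keys. The class and function names, the key sizes and the sample byte values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

def sslv3_key_block(master_secret, server_random, client_random, length):
    """SSLv3 key expansion (RFC 6101, section 6.2.2)."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)  # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + master_secret + server_random + client_random).digest()
        out += hashlib.md5(master_secret + inner).digest()
        i += 1
    return out[:length]

@dataclass
class ConnectionState:
    client_write_mac_secret: bytes
    server_write_mac_secret: bytes
    client_write_key: bytes
    server_write_key: bytes
    client_write_iv: bytes
    server_write_iv: bytes
    seq_num: int = 0

def derive_connection_state(master_secret, server_random, client_random,
                            mac_len=20, key_len=16, iv_len=16):
    # Assumed cipher spec: SHA-1 MAC (20 bytes), 128-bit CBC block cipher.
    block = sslv3_key_block(master_secret, server_random, client_random,
                            2 * (mac_len + key_len + iv_len))
    parts, pos = [], 0
    for n in (mac_len, mac_len, key_len, key_len, iv_len, iv_len):
        parts.append(block[pos:pos + n])
        pos += n
    return ConnectionState(*parts)

class Direction:
    """Current and pending state for one direction (read or write)."""
    def __init__(self):
        self.current = None   # no protection before the first handshake completes
        self.pending = None

    def change_cipher_spec(self):
        # Pending becomes current; the sequence number restarts at zero.
        self.current, self.pending = self.pending, None
        self.current.seq_num = 0

# Constructed sample values: one session (master secret), two connections.
MASTER = bytes(range(48))
CONN_A = derive_connection_state(MASTER, b"\x01" * 32, b"\x02" * 32)
CONN_B = derive_connection_state(MASTER, b"\x03" * 32, b"\x04" * 32)
```

Because the randoms differ per connection, `CONN_A` and `CONN_B` share a master secret but no keys, and each direction uses its own MAC secret, key and IV.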