📚 SSL and TLS

Created: 16.11.2020

This article explains how SSL and its successor work.

Intro

SSL uses asymmetric encryption for verification and symmetric encryption for data exchange. Common ports: 443, sometimes 5443. TLS is an improvement. SSL is not used much anymore because it's not very secure (exploiting it requires a lot of knowledge and effort, though); however, the protocol scheme is still called SSL/TLS.

https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/#:~:text=Configure%20Wireshark%20to%20decrypt%20SSL&text=Open%20Wireshark%20and%20click%20Edit,)%2DMaster%2DSecret%20log%20filename.

Preamble

Bob 🐝 salutes the 🌺 server. This message is called Client Hello. It contains the following things:

  • SSL version that the client supports
  • random data
  • encryption algorithm
  • session ID (*optional)
  • key exchange algorithm
  • compression algorithm
  • MAC
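
The Client Hello fields listed above can be read straight off the wire. The following is an added example, not part of the original article: a parser for a single SSL 3.0 / TLS 1.0 to 1.2 Client Hello record, in which the encryption, key exchange and MAC choices travel together as 2-byte cipher suite IDs and any extensions are ignored. The function names and the sample record are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(version, session_id, suites, compression=(0,)):
    """Build a sample Client Hello record (constructed input, no extensions)."""
    body = struct.pack("!H", version) + bytes(range(32))  # fixed "random" for the demo
    body += bytes([len(session_id)]) + session_id          # empty = no session to resume
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # 0x01 = Client Hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one record holding one Client Hello; ValueError on malformed input."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a Client Hello")
    if struct.unpack("!H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length does not match the data")
    body = record[9:]
    if int.from_bytes(record[6:9], "big") != len(body):
        raise ValueError("handshake length does not match the data")
    pos = 0

    def take(n):  # bounds-checked read so a lying length field cannot overrun
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    version = struct.unpack("!H", take(2))[0]
    random_bytes = take(32)
    session_id = take(take(1)[0])
    raw = take(struct.unpack("!H", take(2))[0])
    if len(raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, len(raw), 2)]
    compression = list(take(take(1)[0]))
    return {"version": VERSIONS.get(version, hex(version)), "is_ssl": version < 0x0301,
            "random": random_bytes, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}
```

For instance, `parse_client_hello(build_client_hello(0x0300, b"", [0x000A, 0x002F]))` reports an SSL 3.0 client offering the RSA suites with 3DES and AES-128.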

The 🌺 server replies with … surprise-surprise Server Hello. It contains the following things:

  • SSL version
  • Session ID: 12345
  • server’s certificate

The 🌺 server stops the babbling with a Hello Done message.

Bob 🐝 checks the certificate at the certificate authority.

Let’s assume that the certificate is ok.

If the certificate is valid, Bob 🐝 generates a secret using an algorithm G() with random data r as input. This secret is then encrypted with some function that both Bob 🐝 and the 🌺 server have agreed on: Enc(secret). Then Bob 🐝 sends a Client Key Exchange message. This message is encrypted using nectar (or any other asymmetric algo like RSA) with the 🌺 server's public key 🔓.

Upon receiving this message, the 🌺 server decrypts the secret 🤫.

It then computes the hash for it 🤫. Bob 🐝 does the same and sends this hash to the 🌺 server in the Change Cipher Spec Finished hash message.

If the hashes match, the 🌺 server sends a Finished message.

That’s how the connection is established. One more thing to note: if the session has not expired, Bob 🐝 sends his session ID in the first message, the Client Hello. If it exists, they resume from the step where Bob 🐝 sends a Finished message.

TLS improvements

TLS is basically the same, but some algorithms were deprecated. Besides, TLS supports client authentication as well (the additional steps are below). It uses DES/RSA + keyed MAC.

After the Server Hello, the 🌺 server sends a Server Hello Done.

Bob 🐝 creates a master secret + SID. Now Bob 🐝 has to send his certificate and Enc(Premaster secret), encrypted with the 🌺 server’s public key 🔒. The rest is the same.

Record protocol

  1. Fragment and reassemble data
  2. Optional compression and decompression
  3. Apply MAC
  4. Encryption

How are SSL certificates verified?

References

https://sectigostore.com/blog/ssl-vs-tls-decoding-the-difference-between-ssl-and-tls/

🗒 https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified