Sunday, December 7, 2008

How SSL works under covers

SSL essentially uses hybrid crypto system (combination of symmetric & asymmetric algorithms)

i) Exchange of "symmetric key/s" is done through asymmetric algorithms (client encrypts the "symmetric key" with public key and server decrypts with its private key) ii) Exchange of data is done with by symmetric key algorithm. The sequence of events in one-way SSL communication are:
1) Client sends a SSL request

2) Socket level TCP handshake occurs.

3) Client sends ClientHello message. This includes information from client on its supported SSLversion, Ciphers,message authentication function This is message from SSL debug enabled weblogic server accepting SSL browser request: Nov 25, 2008 10:07:15 AM CST Debug SecuritySSL AdminServer [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' HANDSHAKEMESSAGE: ClientHello
4) Server sends back ClientHello message and this includes: The SSL or TLS version that will be used for the SSL session, cipher that will be used for the SSL session, session ID for the SSL session, server digital certificate (or chain of certificates) At this point client and server agree on the ssl version,ciphers to be used, message authentication function to be used. These are messages from SSL debug enabled weblogic server accepting/responding SSL browser request:

Nov 25, 2008 10:07:15 AM CST Debug SecuritySSL AdminServer [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' 14297843 SSL3/TLS MAC

Nov 25, 2008 10:07:15 AM CST Debug SecuritySSL AdminServer [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' Using JCE Cipher: SunJCE version 1.6 for algorithm RC4

Nov 25, 2008 10:07:15 AM CST Debug SecuritySSL AdminServer [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' Will use default Mac for algorithm SSL3MAC_MD5

5) Client validates the server certificate by checking the certificate authority and other details like domain name and expiration date. All browsers come preloaded with the certificates of common CAs. For Eg, in Internet Explorer, these can be viewed from:
Tools-> Internet Options --> Content Tab-->Certificates -->Trusted Root CAs After the validation client generates the MASTER_KEY and encrypts it with server's public key(available from certificate) and sends back to server. Server decrypts the MASTER_KEY with its private key.

6) Client as well as the server use the MASTER_KEY to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session.

7) From this point both client and server encrypt data with their own session keys.

No comments:

Post a Comment