The Secure Sockets Layer Protocol (SSL)
Taher Elgamal
Danvers IETF Meeting
April 1995
Agenda
- Transaction security on the Internet
- Which problems does SSL target
- Objectives for SSL
- The SSL protocol in detail
- Other Internet security issues
- Future directions for SSL
Transaction Security on the Internet
- Privacy
- Authentication
    - Client and server authentication
    - Proof of authorship
    - User authentication and non-repudiation
- Integrity
    - Guard against tampering with data on the network
Privacy
- Data encryption is required for privacy applications
- Ensure data only readable by intended recipient -- not
  necessarily the first recipient
Authentication
- Client authentication to the server, and server authentication
  to the client to create an authenticated channel
    - System function at connection time
    - Should be independent of the application or the application protocol
- Digital signatures for proof of authorship
    - Authorize financial transactions
    - Signatures on receipts and other data for non-repudiation purposes
    - Application specific in general
Integrity
- Ensure the data is not altered, whether intentionally or unintentionally
Which Problems Does SSL Target
- Authenticating the client and the server to each other
- Securing the traffic over the communications channel
- Ensuring data integrity
SSL -- Design Objectives and Constraints
- Support many applications and protocols
- Use available TCP/IP based networks
- Requires a reliable transport layer (e.g. TCP)
- Applications (and developers) need to support SSL, but do not
  need to worry about key generation and negotiation techniques
SSL in Detail
 _________________________________________________
|                                                 |
|               Application Layers                |
|_________________________________________________|
 ______    ______    ______                 ______
|      |  |      |  |      |               |      |
|      |  |      |  |      |               |      |
| HTTP |  | NNTP |  | FTP  |     . . .     | SHTTP|
|      |  |      |  |      |               |      |
|______|  |______|  |______|               |______|
 _________________________________________________
|                       SSL                       |
|_________________________________________________|
 _________________________________________________
|                                                 |
|                     TCP/IP                      |
|                                                 |
|_________________________________________________|
SSL -- Negotiation Phase
- The client initiates the session
- The server responds and sends its certificate
- The client generates the master key and sends it encrypted using
  the server's public key
- Requires a server certificate but does not require a client certificate
- Requires a certain level of trust in the server's certificate
- Optional client certificate can be used to authenticate the client to
  the server
SSL -- Negotiation Phase
 __________                              _______________
|          |                            |               |
|  Client  |                            |    Server     |
|__________|                            |_______________|

                   start session
            -------------------------->
                    certificate
            <--------------------------
                encrypted master key
            -------------------------->
                Session established,
            <--------------------------
                    request cert
             certificate and other data
            --------------------------->
                 data encrypted with
            <-------------------------->
                     session key
SSL -- Supported Methods
- Symmetric Ciphers
    - DES, RC2, RC4, IDEA and Triple DES
    - 40-bit exportable versions of RC2, RC4
- Public-key Ciphers
    - RSA for key encryption and digital certificates
- Certificates
    - X.509 certificate support
- Message Digests
    - MD5 used for MAC computation
SSL -- Privacy
- Master key established by the client using the server's public key
- Master key used to generate two session keys (one for each direction)
- Once the session keys are established, all traffic is "transparently"
  encrypted in both directions
- All operations can happen transparently from the point of view of the
  user (and of higher-layer protocols)
SSL -- Authentication and Integrity
- Server certificate is required to authenticate the server
- Client certificate is optional
- MAC computed for each record using MD5
- Uses a record sequence number to ensure record freshness
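
Added example, not part of the original slides and not SSLREF code: a simplified Python sketch of the two points above, one MD5 call per direction to turn the master key into two session keys, and an MD5 record MAC that covers an implicit sequence number. The input layout, the names (derive_session_keys, record_mac, Sender, Receiver) and the sample values are assumptions of this example, loosely modelled on SSL 2.0; record encryption is left out.

```python
import hashlib
import hmac  # only for the constant-time digest comparison

def derive_session_keys(master_key, challenge, connection_id):
    """One MD5 call per direction turns the shared master key into two keys."""
    def kdf(label):
        return hashlib.md5(master_key + label + challenge + connection_id).digest()
    return {"server_write": kdf(b"0"), "client_write": kdf(b"1")}

def record_mac(write_key, seq, data):
    """MD5 over the direction's secret, the record data and the sequence number."""
    return hashlib.md5(write_key + data + seq.to_bytes(4, "big")).digest()

class Sender:
    def __init__(self, write_key):
        self.key, self.seq = write_key, 0
    def seal(self, data):
        record = data + record_mac(self.key, self.seq, data)
        self.seq = (self.seq + 1) % 2**32
        return record

class Receiver:
    def __init__(self, peer_write_key):
        self.key, self.seq = peer_write_key, 0
    def open(self, record):
        data, mac = record[:-16], record[-16:]
        # The sequence number is never sent; each side counts records itself.
        if not hmac.compare_digest(mac, record_mac(self.key, self.seq, data)):
            raise ValueError("MAC check failed at sequence %d" % self.seq)
        self.seq = (self.seq + 1) % 2**32
        return data

def accepts(receiver, record):
    try:
        return receiver.open(record) is not None
    except ValueError:
        return False

def demo():
    # Constructed sample values, not taken from any real session.
    keys = derive_session_keys(b"M" * 16, b"C" * 16, b"I" * 16)
    tx, rx = Sender(keys["client_write"]), Receiver(keys["client_write"])
    r0, r1 = tx.seal(b"GET /a"), tx.seal(b"GET /b")
    return {
        "in_order": accepts(rx, r0) and accepts(rx, r1),
        "replayed": accepts(rx, r0),
        "tampered": accepts(rx, b"X" + tx.seal(b"GET /c")[1:]),
        "wrong_direction": accepts(Receiver(keys["server_write"]), r0),
    }
```

A replayed or reordered record fails because the receiver's own counter no longer matches the number the sender hashed. MD5 with a prefixed secret is shown only because the slides name MD5; current protocols use HMAC or AEAD ciphers for this job.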
SSL -- Efficiency Issues
- Master key can be used for multiple sessions -- reduce the overhead
  of private key encryption operations
- Session key generation uses MD5 -- very fast
- Two session keys for RC4 support
SSL Exportability
- Supports 40-bit RC2 and RC4 for bulk encryption
- Supports 512-bit RSA keys for digital certificates
SSL Availability
- Informational RFC
- Reference implementation available
    - SSLREF 1.1 is almost complete, full source in ANSI C
- Protocol spec available
Other Internet Security Issues
- Access control and authorization schemes
- Digital signatures
- Non-repudiation
SSL -- Future Directions
- Key Negotiation
- Improved Certificate Management
    - Certificate chains
    - Longer RSA keys for server certificates
    - PKCS #7, PEM certificate formats
- Other implementation items
- Solicit input from standards bodies and other interested groups
- Work with other standards efforts to establish common standards
  for security issues in different applications and protocols