CONTENTSABSTRACTIntroductionSSL HandshakeDigital Certificate ContentsDigital SignatureAuthentication processConclusionREFERENCESDepartment of Computer ScienceCS 265 – Cryptography and Computer SecurityDigital Certificates & SSL Project ReportSubmitted By:Swapna ErabathiniSpring 2005CONTENTSCONTENTS.....................................................................................................................................................2ABSTRACT.....................................................................................................................................................3Introduction......................................................................................................................................................4SSL Handshake.................................................................................................................................................4Digital Certificate Contents......................................................................................................................6Digital Signature.......................................................................................................................................7Authentication process.............................................................................................................................8Conclusion......................................................................................................................................................10REFERENCES...............................................................................................................................................10ABSTRACTThe purpose of this Paper is to explain the SSL technology’s most common Handshakeprocess, Digital Certificate contents, Digital Signature & the Authentication process. SSL(Secure Sockets Layer) is the industry standard protocol & technology for securing onlinetransactions (e.g. Online purchase at http://www.amazon.com). SSL uses EncryptionTechnology & Digital certificates to provide the security required for authentication. SSLhas highly reliable authentication & encryption processes, which helps identify hackerattacks (tampering, re-directing etc) and nullify* the effect of the attack.* There is no system in the world that is 100% secure and SSL falls into the samecategory but the security used by SSL-128 bit encryption is so reliable that it is virtuallyimpossible to break the security thus making SSL near 100% (if not 100%) secure.Digital Certificates & SSLAS THERE IS NO END TO THE SKY, THERE IS NO END TO IMPROVING THE SYSTEMS BROKEN SYSTEMS ARE THE INSPIRATION FOR DEVELOPING BETTER SYSTEM.S _ ME (SWAPNA ERABATHINI)IntroductionSSL (Secured Sockets Layer) SSL is as a protocol layer, lying between the Transmission Control Protocol (TCP)layer and the Application. It forms a secure connection between clients and servers sothat they can communicate in a secure manner over a network. SSL provides the following: Security - 1. Privacy :- Messages are encrypted so that only the two end point applications understand the data. 2. Integrity :- no data gets altered during it flight.3. Authentication :- which verifies the identity of the remote user by using digital certificates. Digital CertificatesA Digital Certificate is an electronic file (also referred to as a Digital Passport) that uniquely identifies (authenticates) individuals and Web sites and enables encrypted communications.Why do we need to Server Authentication?Authenticating the server is very important, for example, when the client sends creditcard over the internet, then definitely client wants to make sure about the receivingserver's identitySSL HandshakeThe very first SSL handshake process takes place to establish new session between client & server. Sequence of Commands that occur when messages are exchanged during an SSL handshake, are explained below1. The client first sends CLIENT_HELLO command to the server, which will include:-The highest SSL version, Data compression methods, The session ID, the Cipher supported by the client and a random data/message generated by the client which will be eventually used in the key generation process 2. The server then sends the SERVER_HELLO command to the client, which will include: The highest SSL version , Data compression methods, Cipher, The session ID used for SSL session and the random data generated by server which will be eventually used in the key generation process 3. The server then sends the CERTIFICATE command., which will include the server's certificate. 4. The server then sends the SERVER_DONE command. This command indicates the completion of SSL handshake process by the server. 5. The client now sends the CLIENT_KEY_EXCHANGE after validating &authenticating the server certificate. These are the following points to note :- a) The above command contains the pre-master secret created by the client and uses the server's public key to encrypt. b) Using this pre-master secret and the random data (which is generated from the SERVER_HELLO and CLIENT_HELLO commands.), symmetric encryption keys are generated by the client and the server .6. The client then sends the CHANGE_CIPHER_SPEC, this particular commandindicates that all further data will be encrypted. 1.CLIENT_HELLO2. SERVER_HELLO3. CERTIFICATE4. SERVER_DONE5. CLIENT KEY EXCHANGE6.CHANGE_CIPHER_SPEC7.FINISHED8..CHANGE_CIPHER_SPEC9.FINISHEDCLIENTSERVER7. The client then sends the command, FINISHED, this command is sent to confirmthat commands that were exchanged between the server and the clientunencrypted, were not modified in the flight. To accomplish this, the client sendsthe digest of all SSL handshake commands so far.8. The server then sends the command, CHANGE_CIPHER_SPEC, this particular command indicates that all further data will be encrypted. 9. The server then sends the command, FINISHED. the server sends the digest of all SSL handshake commands so far. Step 5 above indicates a key process of authenticating the server. Now, we aregoing to study in more details how the client is confirming a server's identity Now, to understand the authentication
View Full Document