[Figure: SSL handshake with two-way authentication with certificates]

SSL/TLS are protocols used for encrypting information between two points. This is usually a server and a client, but there are times when server-to-server and client-to-client encryption is needed. For the purpose of this blog, I will focus only on the negotiation between server and client.

For SSL/TLS negotiation to take place, the system administrator must prepare a minimum of two files: a Private Key and a Certificate. When requesting a certificate from a Certificate Authority such as Symantec Trust Services, an additional file must be created. This file is called a Certificate Signing Request and is generated from the Private Key. The process for generating the files depends on the software that will be using them for encryption.

Additional certificates called Intermediate Certificate Authority Certificates and Certificate Authority Root Certificates may need to be installed on the server. This is again server software dependent. There is usually no need to install the Intermediate and Root CA files on the client applications or browsers.

Certificate
– Version Number
– Serial Number
– Signature Algorithm ID
– Issuer Name
– Validity period
    – Not Before
    – Not After
– Subject name
– Subject Public Key Info
    – Public Key Algorithm
    – Subject Public Key
– Issuer Unique Identifier (optional)
– Subject Unique Identifier (optional)
– Extensions (optional)

Certificate Signature Algorithm

Certificate Signature

The following is a standard SSL handshake when the RSA key exchange algorithm is used (please refer to the diagram; source: Wikimedia):

Client Hello
– Information that the server needs to communicate with the client using SSL.
– Including SSL version number, cipher settings, session-specific data.

Server Hello
– Information that the client needs to communicate with the server using SSL.
– Including SSL version number, cipher settings, session-specific data.
– Including Server’s Certificate (Public Key)

Authentication and Pre-Master Secret
– Client authenticates the server certificate. (e.g. Common Name / Date / Issuer)
– Client (depending on the cipher) creates the pre-master secret for the session,
– Encrypts with the server’s public key and sends the encrypted pre-master secret to the server.

Decryption and Master Secret
– Server uses its private key to decrypt the pre-master secret,
– Both Server and Client perform steps to generate the master secret with the agreed cipher.

Generate Session Keys
– Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session

Encryption with Session Key
– Both client and server exchange messages to inform that future messages will be encrypted.

Source: Wikipedia
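As an added example (not part of the original post), the sketch below carries the "Decryption and Master Secret" and "Generate Session Keys" steps through using the TLS 1.2 PRF from RFC 5246. The HMAC-SHA256 PRF, the AES-128-CBC/HMAC-SHA256 key sizes in KEY_LAYOUT and all function names are assumptions chosen for illustration; the RSA encryption of the pre-master secret is omitted, so both sides simply start from the same value.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, using HMAC-SHA256."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def new_pre_master(client_version: bytes = b"\x03\x03") -> bytes:
    """RSA key exchange pre-master secret: 2 version bytes + 46 random bytes."""
    return client_version + os.urandom(46)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 'Decryption and Master Secret': the result is always 48 bytes."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


# Key sizes assumed for an AES-128-CBC / HMAC-SHA256 suite (illustrative choice).
KEY_LAYOUT = (("client_mac", 32), ("server_mac", 32), ("client_key", 16), ("server_key", 16))


def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 'Generate Session Keys'; the seed order here is server, then client."""
    size_total = sum(size for _, size in KEY_LAYOUT)
    block = prf(master, b"key expansion", server_random + client_random, size_total)
    keys, offset = {}, 0
    for name, size in KEY_LAYOUT:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def handshake_demo() -> bool:
    """Client and server derive keys independently from the same three inputs."""
    cr, sr, pms = os.urandom(32), os.urandom(32), new_pre_master()
    client = session_keys(master_secret(pms, cr, sr), cr, sr)
    server = session_keys(master_secret(pms, cr, sr), cr, sr)
    return client == server
```

Because the client and server randoms travel in the clear in the two Hello messages, the confidentiality of every derived key rests on the pre-master secret alone.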

Tools such as OpenSSL can be used to check SSL/TLS negotiations. Try running the commands below on a Linux/Mac/Windows machine that has the latest OpenSSL version installed and see the results. Recent OpenSSL builds are often compiled without SSLv3 support, in which case the -ssl3 option is not accepted.

openssl s_client -connect amisafe.secops.in:443 -ssl3

openssl s_client -connect amisafe.secops.in:443 -tls1

openssl s_client -connect amisafe.secops.in:443 -tls1_1

openssl s_client -connect amisafe.secops.in:443 -tls1_2
