Saturday, November 13, 2010

SSL and TLS: A Beginners Guide

SANS Institute InfoSec Reading Room, © SANS Institute 2003. Author retains full rights. Holly Lynne McKinley, GSEC Practical v.1.4b.


Examples of these attacks are active wiretapping, masquerading and spoofing. They can occur while information is in transit across the Internet. One way of mitigating such an attack during a user's session is to use a secure communication protocol that encrypts data in transit between the user and the server on which the sensitive information resides. Two such protocols are explained in this paper: Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

Secure Sockets Layer Protocol

Definition of SSL

SSL is the secure communications protocol of choice for a large part of the Internet community. It has many applications, since it can secure any transmission that runs over TCP. HTTP over SSL, familiar as HTTPS, is the application seen in e-commerce and password transactions. (Viega, 10) According to the Internet Draft of the SSL Protocol, the point of the protocol "is to provide privacy and reliability between two communicating applications." (Freier, 3) The draft further explains that three points combine to provide connection security:

• Privacy - the connection is encrypted
• Identity authentication - the peer is identified through a certificate
• Reliability - the secure connection is dependably maintained through message integrity checking (a keyed MAC on every record)

The latest version of SSL is version 3.0, released by Netscape in 1996. The Internet Engineering Task Force (IETF) has created a similar protocol in an attempt to standardize SSL within the Internet community. This protocol, Transport Layer Security (TLS), is discussed later in this paper. (SSL 3.0 has since been formally deprecated by RFC 7568; current deployments should offer only TLS.)

Using a series of nine messages (explained later), the server authenticates itself to the client that is transmitting information. Though it is a good idea for the user to hold a digital certificate, one is not required for an SSL connection to be established.
Keep the following scenario in mind, as it shows a common application of SSL. A user without a certificate wishes to check her e-mail on a web-based e-mail system. Since she has requested a secure connection from the e-mail web page, she expects to send her username and password to the e-mail site. Identification of the e-mail server to her current workstation is critical. To the e-mail server, though, it is not critical that the user has an identifying certificate on her machine, because she can check her e-mail from any computer. For this reason, SSL does not require a client certificate. Other practical applications of SSL are found in e-mail and financial transaction communications.

Application to a Web System

The need to send sensitive information over the Internet is increasing, and so is the need to secure that information in transit. A common application of SSL with a web system is an online store where a client machine is…
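The webmail scenario above in working code, as an added example that is not part of the SANS paper or of this blog post: a Go program in which the server authenticates itself with a certificate, the client checks that certificate against its trust anchors, no client certificate is requested, and the username and password cross the wire only inside the encrypted channel. The server name mail.example.test, the self-signed certificate and the sample login string are assumptions constructed for the demo; a real mail server would present a CA-issued certificate and the client would use the system root store. Go's crypto/tls implements TLS 1.2 and 1.3 and no longer supports SSL 3.0, so the handshake shown is the TLS successor of the nine-message SSL exchange the paper describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

const host = "mail.example.test" // assumed server name for the demo, not from the paper

// newSelfSignedCert makes a throwaway server certificate and key. The client pins
// cert.Leaf as its only trust anchor; a real deployment would use a CA-issued certificate.
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // the subject alternative name the client will check
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

type Session struct { // what the two sides learned from one connection
	ServerVerified bool   // client built a trusted chain for the server certificate
	ClientCertSent bool   // server received a client certificate (it never asks for one)
	Echo           string // application data that crossed the encrypted channel
}

// Connect runs one TLS session over loopback TCP: the server presents its certificate,
// the client verifies it against roots, and one record of application data is echoed back.
// With an empty pool the handshake fails, which rejects a masquerading server before any password is sent.
func Connect(serverCert tls.Certificate, roots *x509.CertPool) (Session, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Session{}, err
	}
	defer ln.Close()
	var clientCertSent bool
	done := make(chan error, 1)
	go func() { // server side: accept, handshake, echo one record
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			ClientAuth:   tls.NoClientCert, // a client certificate is optional, as in the webmail scenario
		})
		defer srv.Close()
		buf := make([]byte, 64)
		n, err := srv.Read(buf) // the first Read runs the server side of the handshake
		if err == nil {
			_, err = srv.Write(buf[:n]) // echo back, still inside the record layer
		}
		clientCertSent = len(srv.ConnectionState().PeerCertificates) > 0
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return Session{}, err
	}
	cli := tls.Client(raw, &tls.Config{
		ServerName: host,  // the certificate must be valid for this name
		RootCAs:    roots, // the only issuers the client will accept
		MinVersion: tls.VersionTLS12,
	})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return Session{}, err // e.g. "x509: certificate signed by unknown authority"
	}
	if _, err := cli.Write([]byte("user=holly&password=hunter2")); err != nil { // constructed sample login
		return Session{}, err
	}
	buf := make([]byte, 64)
	n, err := cli.Read(buf)
	if err != nil {
		return Session{}, err
	}
	if err := <-done; err != nil {
		return Session{}, err
	}
	return Session{ServerVerified: len(cli.ConnectionState().VerifiedChains) > 0, ClientCertSent: clientCertSent, Echo: string(buf[:n])}, nil
}
```

Calling Connect with a pool that contains cert.Leaf succeeds and reports ServerVerified true, ClientCertSent false and the echoed login, which is exactly the paper's division of labour: the server proves its identity, the user proves hers only with a password, and the password is protected by the channel. Calling it with x509.NewCertPool() fails inside Handshake with an unknown-authority error and the login is never written, which is the check that defeats masquerading: a server that cannot present a certificate the client trusts for that name gets nothing.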
