SECURE SOCKETS LAYER (SSL)
CRYPTOGRAPHIC CONCEPTS USED IN SSL AND TLS
Encryption
Encryption is the process of converting plaintext (readable text) into ciphertext (unreadable text). Decryption is the process of converting ciphertext into plaintext. Usually this is done by means of a publicly known algorithm and a shared key. Encryption is vital in providing message confidentiality, client/server authentication, and message integrity. There are two methods of encryption: symmetric (private-key) and asymmetric (public-key). Each method of encryption has its particular use. Symmetric encryption is used to encrypt the messages exchanged between a client and a server, whereas asymmetric encryption is used to exchange the common keys used by clients and servers in their symmetric encryption process. Asymmetric encryption may also be used for the encryption of messages.
Symmetric Encryption
There are two main types of symmetric encryption: stream ciphers and block ciphers. Stream ciphers combine one byte of the key with one byte of the plaintext to create the ciphertext in a byte-after-byte process. Block ciphers process plaintext in blocks of bytes, generally 8 or 16 bytes in length, into blocks of ciphertext.
RC4 is a widely used stream cipher. There are a number of block ciphers. Among them are DES, 3DES, and RC2. AES is another block cipher that is an improvement on DES. The specifics of these ciphers are discussed elsewhere in this volume.
Asymmetric Encryption
In asymmetric encryption a pair of keys, a public key and a private key, is used to carry out the encryption process. If the private key is used to create the ciphertext then only the corresponding public key can be used to decrypt that ciphertext, and vice versa. Asymmetric (or public-key) encryption can be used for key sharing and digital signatures.
Key Sharing
There are two means to carry out key sharing. One is “key exchange,” where one side of the message exchange pair generates a symmetric key and encrypts it with the public key of the private/public key pair of the other side. The other technique of key sharing is “key agreement.” In this technique the two sides of the message exchange pair cooperate to generate the same key that will be used for symmetric encryption. The RSA public key algorithm can be used for the key exchange technique. The Diffie–Hellman public algorithm can be used for the key agreement technique. The details of these algorithms are discussed elsewhere in this text.
Digital Signatures
Digital signatures are used for nonrepudiation. Public-key algorithms can be used for digital signatures. RSA is a means of providing a digital signature by the sender encrypting a known pass phrase with his or her private key; only the corresponding public key will decrypt the ciphertext of the pass phrase to the correct plaintext. The digital signature algorithm (DSS) is another algorithm that can be used for this purpose.
Message Digest Algorithms
Message digest algorithms are used to generate a “digest” of a message. A message digest algorithm computes a value based on the message content. The same algorithm and message content will generate the same value. If a shared secret key is included with the message before the digest is computed, then the result is a message authentication code (MAC). If the client and server are sharing this secret key and know each other’s message digest algorithms then they can verify the integrity of the message exchange.
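The following is an added example, not part of the original text: it contrasts a plain digest with a keyed digest (MAC) when a message is altered in transit by a party who does not hold the shared key. It uses HMAC with SHA-1 from Python's standard library as the keyed construction; the key, message and function names are constructed for illustration.

```python
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    """Plain message digest: depends only on the message content."""
    return hashlib.sha1(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed digest (MAC): depends on the message and the shared secret key."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC and compares it in constant time."""
    return hmac.compare_digest(mac(key, message), tag)


def alter_without_key(message: bytes):
    """Constructed in-transit alteration by a party who lacks the key.
    The only check value that party can recompute is the unkeyed digest."""
    altered = message.replace(b"amount=10", b"amount=9999")
    return altered, digest(altered)


def demo() -> dict:
    key = b"constructed-shared-secret"   # sample value, known to client and server
    msg = b"to=alice;amount=10"          # sample message
    altered, altered_digest = alter_without_key(msg)
    tag = mac(key, msg)
    return {
        # A plain digest travels with the message and can simply be replaced,
        # so the receiver's recomputation matches the altered message.
        "plain_digest_accepts_altered": digest(altered) == altered_digest,
        # The MAC verifies for the untouched message ...
        "mac_accepts_original": verify_mac(key, msg, tag),
        # ... and fails for the altered one, with the old tag or a keyless digest.
        "mac_accepts_altered_old_tag": verify_mac(key, altered, tag),
        "mac_accepts_altered_plain_digest": verify_mac(key, altered, altered_digest),
        "tag_bytes": len(tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```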
Two commonly used message digest algorithms are MD5, which computes a 16-byte value (128 bits), and SHA-1, which computes a 20-byte value (160 bits).
Certification Authorities
A certification authority (CA) is a trusted third party that is responsible for the distribution of the public key of a public/private key pair. The CA does this by issuing (and revoking) public key certificates. A standard for these certificates is X.509v3. This standard defines the fields contained in the certificate. This is a widely accepted standard and is used by most CAs.
SSL ARCHITECTURE
Overview
SSL is composed of four protocols. Three of the four, SSL Handshake Protocol, SSL Change Cipher Spec Protocol, and SSL Alert Protocol, are used to set up and manage secure communication channels. The remaining protocol, the SSL Record Protocol, provides the security service required by applications. SSL lies between the application layer and the TCP layer of the TCP/IP protocols. This architecture is represented in Figure 6.
Figure 6: SSL layers within TCP/IP.