In this tutorial, learn how to implement effective SSL/TLS security into a web application.
SSL (Secure Socket Layer)
SSL is designed for providing security at the transport layer. There are many applications of SSL in existence since it is capable of securing any transmission over TCP.
Development History of SSL
It was developed by Netscape with version 1.0 in 1994. SSL 2.0 was developed about a year later and was released with version 1.0 of Netscape Navigator. SSL 3.0 was released in 1999. After that, Netscape allowed IETF to develop future versions.
Two Behaviors of SSL
There are two main behaviors of SSL: one-way and two-way.
1. One-Way SSL Behavior
In this model, the server is validating its identity, then providing an encrypted means of communication. We are not concerned with the client's identity.
2. Two-Way SSL Behavior
In this model, the client also validates its identity and has its own keystore to provide a certificate. The server has its own truststore to validate the key/cert.
Nowadays, sending information over the internet is increasing, so securing information is a must. And for securing information in web applications, we have SSL. To apply the SSL protocol to a websystem, some requirements must be met since the SSL protocol is integrated into most web browsers.
Configuration is relatively simple from the server side of the communication equation:
The web server administrator must acquire a digital certificate provided by Certification Authority (CA) such as VeriSign or RSA Data Security.
The proper configuration of the web server to allow SSL connections.
Add an accelerator to the web server.
There are four protocol layers for SSL. They encapsulate all communication between the client machine and the server
Record layer: Provides a header for each message and a hash generated from a Message Authentication Code (MAC) at the end.
ChangeCipherSpec protocol: Composed of one message that signals the beginning of secure communications between the client and server.
Alert protocol: Sends errors, problems, or warnings about the connection between the two parties.
Handshake protocol: Messages are passed back and forth between the user’s browser (client) and web application (server) to establish a handshake that begins a secure connection.
TLS (Transport Layer Security Protocol)
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. Nowadays, it is used for web browsers and other applications that require data to be securely exchanged over a network.
Development History of TLS
The name of future versions of the SSL protocol will be changed to TLS, with version numbers of the protocol beginning at 1.0. All the versions of TLS were developed by ITEF.
TLS 1.2 is the current version; they are planning to release TLS 1.3 in the future. There are two protocols layer for TLS:
TLS record protocol: Negotiates a private, reliable connection between the client and the server.
TLS handshake protocol: Allows authenticated communication to commence between the server and client.
SSL vs. TLS
They are six major difference between SSL and TLS.
1. Protocol Version in Messages
To differentiate TLS Version 1.0 and SSL Version 3.0, the protocol version number negotiated by a client and server communicating through TLS version 1 is version number 3.1.
2. Alert Protocol Message Types
These message types are allowed as Alert Descriptions within the TLS protocol.
3. Message Authentication
TLS implements a standardized MAC (H-MAC) that has been proven in many other implementations. The main benefit to this change is that H-MAC operates with any hash function, not just MD5 or SHA, as explicitly stated by the SSL protocol.
4. Key Material Generation
TLS uses the HMAC standard and its pseudorandom function (PRF) output to generate key material and SLS uses RSA, Diffie-Hellman or Fortezza/DMS.
5. Certificate Verify
In SSL, the Certificate Verify message requires a complex procedure of messages. With TLS, however, the verified information is completely contained in the handshake messages previously exchanged during the session.
In TLS, the PRF output of the H-MAC algorithm is used with the master secret and either a “client finished” or a “server finished” designation to create the finished message.
In SSL, the finished message is created in the same ad hoc manner that key material is generated using a combination of hash output, selected ciphersuite, and parameter information.