SSL - Handshake


1 - About

TLS handshake process.


3 - Steps

This is the standard SSL handshake when the RSA key exchange algorithm is used.

During the negotiation, the client and the server each send the other the list of algorithms they understand, ranked by order of preference. The common preferred algorithm is then chosen.

3.1 - Client: Hello

The client initiates the request by sending to the server:

  • the information that the server needs to communicate with the client using SSL (SSL version number, cipher settings, session-specific data).

For instance, a browser requests a secure page (usually https://).

3.2 - Server: Hello

The server sends to the client:

  • its certificate (acquired from a keystore)
  • with its corresponding public key
  • the information that the client needs to communicate with the server using SSL (SSL version number, cipher settings, session-specific data).

If client authentication is enabled on the server side, the server requests the client's certificate.

3.3 - Client: Server Authentication and Secret

The client sends to the server:

  • the encrypted secret, together with the encrypted URL required
  • other encrypted HTTP data
  • its own certificate (from its keystore) if the server requires it.

Both Server and Client perform steps to generate the master secret with .


3.4 - Server: Decryption and Master Secret

The server:

  • (optionally) authenticates the client if the client's certificate (or the root CA's certificate) is found in its truststore
  • decrypts the symmetric encryption key using its private key
  • uses the symmetric key to decrypt the URL and HTTP data
  • sends back the requested document and data encrypted with the symmetric key.

3.5 - Client: Encryption with Session Key

The client decrypts the data and document using the symmetric key and displays the information.

Both client and server exchange messages to inform each other that future messages will be encrypted.

4 - Example

See it:

openssl s_client -connect www.gerardnico.com:443 -servername gerardnico.com -state -quiet
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni137003.cloudflaressl.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
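
The state lines of such a trace can be read mechanically. The following is an added example, not part of the original page: it parses the `SSL_connect:` lines into a sender/message sequence and reports whether a ServerKeyExchange message was seen. The names `PAGE_TRACE`, `RSA_TRACE`, `parse_trace` and `summarize` are made up for this illustration, and `RSA_TRACE` is a constructed variant of the trace above.

```python
import re

# Handshake state lines copied from the s_client -state output on this page.
PAGE_TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
"""
# Constructed variant: the same flow without ServerKeyExchange, as in the
# RSA key exchange described in the Steps section.
RSA_TRACE = PAGE_TRACE.replace("SSL_connect:SSLv3 read server key exchange A\n", "")

# "<label>:<protocol> read|write <message> <sub-state letter>"
STATE_RE = re.compile(r"^SSL_connect:\S+ (read|write) (.+) [A-Z]$")

def parse_trace(text):
    """Return the ordered (sender, message) pairs seen by the client."""
    flow = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # verify output, alerts, "flush data", initialization
        # s_client logs its own view: it writes client messages, reads server ones.
        step = ("client" if m.group(1) == "write" else "server", m.group(2))
        if not flow or flow[-1] != step:  # collapse repeated sub-states (A, B, ...)
            flow.append(step)
    return flow

def summarize(flow):
    """Facts a reviewer can read off the message sequence."""
    return {
        # RFC 5246, section 7.4.3: ServerKeyExchange is not sent for plain RSA
        # key exchange; its presence points to DHE/ECDHE or another non-RSA method.
        "server_key_exchange": ("server", "server key exchange") in flow,
        "session_ticket": ("server", "server session ticket") in flow,
        "completed": ("client", "finished") in flow and ("server", "finished") in flow,
    }
```

For the trace on this page `server_key_exchange` is `True`, so that session did not use the plain RSA key exchange described in the Steps section.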