What is an SSL?
In 1995 Netscape introduced an SSL certificate for the first time. SSL means “Secure Sockets Layer”, and it is an internet security protocol which is encryption-based. The purpose of incorporating it is to guarantee online privacy and security. Therefore, most of the website uses an SSL certificate to secure their website and users also trust only those websites that are secured with an SSL certificate. This discussion aside, it is important to understand for students of this field, how an SSL connection is established. Seeing its importance, we are going to discuss some details about it here.
SSL Connection- Basic Steps to Establish it
There is a chain reaction to establish an SSL connection. We can divide this process into four key steps.
- The server receives a request from the user for a secure connection. In response, the user receives a digital certificate from the server.
- In the next step, verifies the server from an authentic list of the certificate authorities.
- After verification, the user generates an arbitrary symmetric key. After this, he need to encrypt the arbitrary symmetric key with the help of server’s public key.
- Now, the symmetric key is public for both (user and server). The symmetric key enables them to encode and decode the data available in the user’s request and the server’s response to it using the SSL encoding procedure.
This whole process is called an SSL handshake. Let’s discuss this process in detail.
SSL Handshake
While searching an HTTPS URL in a browser, we came to know about an SSL handshake. The website and the browser create an HTTPS connection with the help of an SSL handshake. This process is a one-way process. The essential purpose of using an SSL handshake is to secure the data of the user. Here, an SSL handshake ensures the privacy of the user and keeps the user’s data secure from hackers. Therefore, for establishing a secure SSL connection, the user and the server need to correspond with sensitive information.
There are two types of SSL handshakes.
One-way SSL
In this type of SSL handshake, while establishing an SSL connection only the user verifies the server but the server does not verify the user.
Two-way SSL (Mutual SSL)
In a two-way SSL (Mutual SSL), the server verifies the user, and the user verifies the server using the list of authentic certificate authorities. When any server requires to communicate with any other server, it utilizes the two-way SSL also known as Mutual SSL to verify each other.
Steps for an SSL handshake
There are some rules to follow during an SSL handshake, and we will discuss these rules briefly.
Client Hello
It is the first step in SSL handshake where the user sends the needed data to a server to create an SSL connection. Through this, the user informs the server about its supported versions. Then, the server chooses the cipher that supports it. The servers will ignore the ciphers if they are not compatible with them and after ignoring those ciphers, the server will inform the user by sending a failure warning and terminates the communication.
Server Hello
In response to the Client Hello, the server will use the selected configuration and data collected from Client Hello and go ahead with the SSL handshake. During Server Hello, the server will select the lowest supported TLS version by the user and the highest supported TLS version by it (server). The server then sends back the cipher after choosing out of the available ciphers of the user.
Besides the Server Hello, the server sends the server’s certificate along with the certificate chain. This certificate chain is verified by comparing it with Geotrust SSL certificate in the trust store of the client.
Server Key Exchange Message
In this step, the server sends the key exchange information or message to the user. This message includes all the required information for the user to create the pre-master secret. If you are using the RSA key exchange method or any other method similar to RSA, the server will not send the key exchange message. It occurs as RSA key exchange method does not require to use any data from the server to create the pre-master secret.
Certificate Request
The next step in the SSL handshake process to establish an SSL connection is Certificate Request. However, this step is not required in the one-way SSL handshake. In this step, the server will send a certificate request on behalf of the user with certificate signature methods, certificate authorities, and certificate type that the server supports. The user then needs to send the client certificate. After this process, the user will receive the Server Hello Done message showing the completion of Server Hello. After it, the server waits for the user’s reply.
In some cases, the certificate authorities list will be empty. Here, only the user can decide to either send the client certificate or not.
Client Certificate
After the certificate request, the user will give his certificate list to the servers. Therefore, the certificate must be suitable for the settled cipher’s key exchange method or relevant expansions.
Client Key Exchange Message
The user requires to send client key exchange message after sharing the user certificate message. When it comes to one-way SSL handshake, the user need to send a message after getting the message of Hello Done from the Server. However, in an HTTPS connection, the data exchanged between a server and the user will be encoded. A server uses Symmetric encoding for encoding due to its low computational cost as compared to Asymmetric encoding. We use a mutual key between a server and the user to perform symmetric encoding. This message is for generating a mutual key between a server and the user with complete privacy.
In case you are utilizing the RSA as a key exchange method, the customer need to create a 48-byte pre-master secret. Here, the user need to encode the pre-master secret with the help of public key and share it back to the server. The server will use the relevant private key to decode pre-master secret of that user.
The Final Words
After completion of the authentication process and generation of pre-master secrets, both the user and the server will receive the “change cipher spec message” specifying that the encryption of the communication has taken place between them. After the change cipher spec message, both will receive the Finished message. This message is the first encrypted message with the settled algorithms. However, the application data is exchanged only after both sides send this finished message and confirming the content of this message.