Monday, July 25, 2005

SSL handshake process

When a client (for example, a PC browser) first talks to a website over SSL (e.g. eBay), the two perform a process known as the handshake. Here is what happens:

  1. Client sends a ClientHello message with the version number of SSL the browser uses and the ciphers and data compression methods it supports.
  2. Server acknowledges with a ServerHello message. This message contains a session ID and the ciphers and compression schemes that the server and client have in common.
  3. Server sends its public key encapsulated within its certificate.
  4. Server concludes the negotiation with a ServerHelloDone message.
  5. Client sends a ClientKeyExchange message that it created using the server's public key. It contains the session ID chosen by the client. This session ID is encrypted by the client using the server's public key.
  6. At this point both the server and the client send the ChangeCipherSpec message, indicating to each other that they are ready for encrypted transmission.
  7. Both send Finished messages containing the digest of the communication so far.
  8. Handshake complete. Secure session established.

Since the client initiates the communication, it is the client's responsibility to propose the set of SSL options to use for the exchange.
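The following Python example is added here and is not from the original post. It parses a ClientHello (step 1) to recover what the client proposed, then computes the cipher suites the server has in common with it (step 2). It assumes the SSL 3.0/TLS 1.0 record layout; the sample message, the function names and the server's suite list are constructed for illustration.

```python
import struct

# Constructed sample values: IANA code points for four RSA cipher suites.
RC4_MD5, RC4_SHA, DES3_SHA, AES128_SHA = 0x0004, 0x0005, 0x000A, 0x002F

def build_client_hello(version, suites, compressions, session_id=b""):
    """Build a sample ClientHello record (constructed data, not a capture)."""
    body = bytes(version) + bytes(32)            # client_version + 32-byte random (zeros)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += bytes([len(compressions)]) + bytes(compressions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the options the client proposed; raise ValueError if malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]
    if (int.from_bytes(record[3:5], "big") != len(body) + 4
            or int.from_bytes(record[6:9], "big") != len(body)):
        raise ValueError("length fields disagree with the data")
    pos = 0
    def take(n):                                 # bounds-checked read of n bytes
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]
    version = tuple(take(2))
    take(32)                                     # random, not needed here
    session_id = take(take(1)[0])                # empty on a first contact
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    compressions = list(take(take(1)[0]))
    return {"version": version, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compressions}

def common_suites(offered, server_supported):
    """Suites both sides support, in the server's preference order."""
    return [s for s in server_supported if s in offered]

hello = parse_client_hello(build_client_hello((3, 0), [RC4_MD5, RC4_SHA, DES3_SHA], [0]))
shared = common_suites(hello["cipher_suites"], [AES128_SHA, DES3_SHA, RC4_SHA])
```

If `common_suites` returns an empty list, the two sides share no cipher and the handshake cannot proceed.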

This is application-layer security. You could be trying to log in to your bank's site, or you might be trying to purchase something from Amazon. This process happens every time a new secure session needs to be established between your client (browser) and a server. Pretty much all e-commerce between end users and online businesses depends on this.


Copyright Anand Jain 2004, 2005. All rights reserved.