SSL wiki

SSL (Secure Sockets Layer) is a cryptographic protocol that establishes a secure connection between a client and a server. SSL was originally developed by Netscape Communications. Later, an RFC standard based on the SSL 3.0 protocol was developed and adopted under the name TLS.
The protocol provides confidentiality of data exchanged between client and server over TCP/IP, and uses a public-key algorithm for asymmetric encryption. Public-key encryption uses two keys, either of which can be used to encrypt messages. If one key is used for encryption, the other key must be used for decryption. This makes it possible to receive secure messages by publishing the public key and keeping the private key secret.
The SSL protocol consists of two subprotocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used for data transmission. The SSL handshake protocol uses the SSL record protocol to exchange a series of messages between server and client when a connection is first established. To use SSL, the server must have an SSL certificate.

SSL provides a channel that has three main properties:
Authentication. The server is always authenticated, while the client is authenticated depending on the algorithm.
Integrity. Message exchange includes an integrity check.
Private channel. Encryption is used after the connection is established and applies to all subsequent messages.

In SSL, all data is transmitted as records: objects consisting of a header and the transmitted data. Transmission begins with the header. The header contains a length code of either two or three bytes. If the high bit of the first byte is one, the record has no padding and the header is two bytes long; otherwise the record contains padding and the header is three bytes long. The length code does not include the number of bytes in the header. The record length for a 2-byte header:

RecLength = ((byte[0] & 0x7F) << 8) | byte[1];

Here, byte[0] and byte[1] are the first and second bytes received. The record length for a 3-byte header:

RecLength = ((byte[0] & 0x3F) << 8) | byte[1];

Escape = (byte[0] & 0x40) != 0;

Padding = byte[2];

Here Padding is the number of bytes the sender adds to the original data so that the record length is a multiple of the cipher's block size when a block cipher is used.
The sender of a padded record appends the padding after the available data and then encrypts the result. The content of the padding does not matter. Because the amount of data being transmitted is known, the header can be generated taking Padding into account.
The recipient, in turn, decrypts the whole data field of the record and obtains the full original information. It then calculates RecLength using the known Padding, and the padding is removed from the data field. SSL record data consists of 3 components:

MAC_Data[Mac_Size] - the message authentication code (MAC)
Padding_Data[Padding] - the padding data
Actual_Data[N] - the actual data

When records are sent in clear text, no ciphers are used, so the lengths of Padding_Data and MAC_Data are zero. When encryption is used, Padding_Data depends on the cipher's block size, and MAC_Data depends on the cipher. Example calculation of MAC_Data:

MacData = Hash(Secret, Actual_Data, Padding_Data, Sequence_Number);

The value of Secret depends on who (client or server) sends the message. Sequence_Number is a counter that is incremented by both the server and the client. Here Sequence_Number is a 32-bit value that is passed to the hash function as 4 bytes, most significant byte first. For MD2 and MD5, MAC_Size is 16 bytes (128 bits). For a 2-byte header the maximum record length is 32767 bytes, and for a 3-byte header it is 16383 bytes.
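
The record framing and MAC calculation described above, as an added Python example that is not part of the original article. The function names are hypothetical, MD5 is assumed as the hash, and the hash inputs are assumed to be concatenated in the order the formula lists them.

```python
import hashlib
import struct

MAC_SIZE = 16  # MD5 digest size in bytes, as stated in the text


def parse_header(buf: bytes):
    """Return (header_len, rec_length, escape, padding) from the start of buf."""
    if len(buf) < 2:
        raise ValueError("header needs at least 2 bytes")
    if buf[0] & 0x80:  # high bit set: 2-byte header, record has no padding
        return 2, ((buf[0] & 0x7F) << 8) | buf[1], False, 0
    if len(buf) < 3:
        raise ValueError("3-byte header is truncated")
    rec_length = ((buf[0] & 0x3F) << 8) | buf[1]
    padding = buf[2]
    if padding > rec_length:  # padding is part of the record, so it cannot be longer
        raise ValueError("padding exceeds record length")
    return 3, rec_length, (buf[0] & 0x40) != 0, padding


def build_header(rec_length: int, padding: int = 0) -> bytes:
    """Inverse of parse_header (Escape bit left clear)."""
    limit = 0x3FFF if padding else 0x7FFF
    if not 0 <= rec_length <= limit or not 0 <= padding <= 0xFF:
        raise ValueError("length or padding out of range for this header form")
    if padding == 0:
        return bytes([0x80 | (rec_length >> 8), rec_length & 0xFF])
    return bytes([rec_length >> 8, rec_length & 0xFF, padding])


def padding_needed(actual_len: int, block_size: int) -> int:
    """Bytes of padding so that MAC + data + padding fill whole cipher blocks."""
    return -(MAC_SIZE + actual_len) % block_size


def mac_data(secret: bytes, actual: bytes, padding_data: bytes, seq: int) -> bytes:
    """Hash(Secret, Actual_Data, Padding_Data, Sequence_Number), MD5 assumed."""
    seq_bytes = struct.pack(">I", seq & 0xFFFFFFFF)  # 4 bytes, most significant first
    return hashlib.md5(secret + actual + padding_data + seq_bytes).digest()


def split_record(stream: bytes):
    """Return (rec_length, escape, padding, body, rest) for the first record."""
    hdr_len, rec_length, escape, padding = parse_header(stream)
    end = hdr_len + rec_length
    if len(stream) < end:  # never read past what was actually received
        raise ValueError("record body is truncated")
    return rec_length, escape, padding, stream[hdr_len:end], stream[end:]
```

The bounds checks in parse_header and split_record reject a header whose declared length or padding does not fit the bytes actually received, which is the case a record parser must handle before touching the body.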