Web Technologies-I
SSL Record Protocol
The SSL record protocol provides confidentiality and message integrity for everything carried over an SSL connection: the upper-layer SSL protocols (handshake, change cipher spec, alert) and the application data all ride on it. The purpose of the SSL record protocol is to take an application message to be transmitted, fragment the data, optionally compress it, attach a MAC, encrypt the result and prepend a header, producing an object called a record, which is then handed to TCP for sending. The first step in preparing application data for transmission is fragmentation, i.e. breaking the data stream into fragments of 16 KB (2^14 bytes) or less, each of which becomes one record. These fragments may then be compressed, although the SSL 3.0 specification defines only the null compression method, so in practice no compression is applied.
Next, a record is built from each fragment by appending a MAC, adding any padding the cipher requires, encrypting, and prepending a header. The header carries the content type, the protocol version and the length of the encrypted fragment that follows it, so the receiver can find the record boundaries in the TCP stream. After this step the body of the record consists of the following elements, in this order:
• the primary data (the fragment),
• the MAC value,
• padding, when a block cipher is used, to bring the length to a multiple of the cipher's block size.
The MAC is responsible for verifying the integrity of the message carried in the record. It is computed with a hash function, for example MD5 or SHA-1, over the secret key, the fragment and the record's sequence number. In SSL 3.0 the construction is a keyed hash rather than HMAC:
MAC = hash(MAC_write_secret + pad_2 + hash(MAC_write_secret + pad_1 + seq_num + content_type + length + fragment))
where pad_1 and pad_2 are fixed byte patterns (0x36 and 0x5c, repeated 48 times for MD5 and 40 times for SHA-1), and seq_num is a 64-bit counter of the records sent in this direction. The counter is never transmitted; each side keeps its own copy, so a replayed or reordered record fails verification. The secret key is either the client write MAC secret or the server write MAC secret, depending on which party prepares the record. On receipt, the receiving party computes its own MAC value and compares it with the one received; if the two match, the data has not been modified in transit. The length of the MAC depends on the hash function used: 16 bytes for MD5, 20 bytes for SHA-1. Next, the fragment plus the MAC are encrypted with the symmetric algorithm negotiated for the session, for example DES or triple DES (block ciphers, which require the padding described above) or RC4 (a stream cipher, which does not). The encrypted data is then prefixed with the following header fields:
Content type identifies what payload the record carries, so that the receiver knows which higher-level protocol should process it. The possible values are change_cipher_spec (20), alert (21), handshake (22) and application_data (23).
Major version establishes the main portion of the protocol version in use. For SSL 3.0 the value is 3.
Minor version establishes the additional portion of the protocol version in use. For SSL 3.0 the value is 0.
Length gives the length in bytes of the encrypted fragment (data plus MAC plus any padding) that follows the header.
With the addition of these fields, preparation of the record is complete. The record is then passed to TCP for delivery to the peer, which reverses the steps: it decrypts the body, verifies the MAC, decompresses if necessary and reassembles the fragments. The entire process of preparing a record for transmission is illustrated in the figure given below.
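The full procedure described above (fragment, MAC, pad, encrypt, frame) together with the receiver's check, as an added example that is not code from the original page. The MAC construction, padding layout and 5-byte header follow SSL 3.0 (RFC 6101) with SHA-1; the DES/3DES cipher of the text is replaced by a clearly labelled stand-in keystream so the example runs on the Python standard library alone, and the keys and message are constructed for the demonstration:

```python
"""SSL 3.0 record layer: fragment, MAC, pad, encrypt, frame, and verify on receipt.

Added illustration, not code from the original page. MAC and record layout follow
SSL 3.0 (RFC 6101); the cipher is a STAND-IN (SHA-1 counter keystream XOR) so the
example runs on the standard library where the text's DES/3DES would sit.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14          # plaintext fragments of 16 KB or less
BLOCK_SIZE = 8                  # DES/3DES block size; drives the padding
MAC_LEN = 20                    # SHA-1 digest length
PAD_1 = b"\x36" * 40            # SSL 3.0 MAC pads: 40 bytes for SHA-1 (48 for MD5)
PAD_2 = b"\x5c" * 40
VERSION = (3, 0)                # major, minor for SSL 3.0
CONTENT_TYPES = {"change_cipher_spec": 20, "alert": 21,
                 "handshake": 22, "application_data": 23}


def ssl3_mac(mac_secret, seq_num, content_type, fragment):
    """SSL 3.0 keyed hash (RFC 6101 s.5.2.3.1), SHA-1 flavour:
    hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))."""
    hdr = struct.pack(">QBH", seq_num, content_type, len(fragment))  # 64-bit seq, type, length
    inner = hashlib.sha1(mac_secret + PAD_1 + hdr + fragment).digest()
    return hashlib.sha1(mac_secret + PAD_2 + inner).digest()

def _keystream(key, seq_num, length):
    """Stand-in cipher keystream (NOT part of SSL): SHA-1 over key, record number, counter."""
    blocks = [hashlib.sha1(key + struct.pack(">QI", seq_num, i)).digest()
              for i in range(length // 20 + 1)]
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def fragment(data):
    """Step 1: break the application stream into fragments of at most 16 KB."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]

def ssl3_pad(plain):
    """SSL 3.0 block padding: pad bytes followed by a pad-length byte, to a block multiple."""
    pad_len = (BLOCK_SIZE - (len(plain) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return plain + b"\x00" * pad_len + bytes([pad_len])

def build_record(content_type, frag, mac_secret, enc_key, seq_num):
    """Steps 2-4: append MAC, pad, encrypt, prepend the 5-byte header (type, major, minor, length)."""
    if len(frag) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes")
    plain = ssl3_pad(frag + ssl3_mac(mac_secret, seq_num, content_type, frag))
    body = _xor(plain, _keystream(enc_key, seq_num, len(plain)))
    return struct.pack(">BBBH", content_type, VERSION[0], VERSION[1], len(body)) + body

def open_record(record, mac_secret, enc_key, seq_num):
    """Receiver: parse header, decrypt, strip padding, recompute and compare the MAC.
    Raises ValueError where a real peer would send a fatal alert (e.g. bad_record_mac)."""
    content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
    body = record[5:5 + length]
    if (major, minor) != VERSION or len(body) != length or length % BLOCK_SIZE:
        raise ValueError("malformed record")
    plain = _xor(body, _keystream(enc_key, seq_num, length))
    pad_len = plain[-1]                 # SSL 3.0 checks only the length byte, not pad contents
    if pad_len + 1 + MAC_LEN > len(plain):
        raise ValueError("bad padding")
    plain = plain[:-(pad_len + 1)]
    frag, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(mac, ssl3_mac(mac_secret, seq_num, content_type, frag)):
        raise ValueError("bad_record_mac")
    return content_type, frag

def demo():
    """Constructed keys and message (not real session secrets); returns what the checks found."""
    mac_secret, enc_key = b"client-write-mac-secret-demo", b"client-write-key-demo"
    message = b"GET / HTTP/1.0\r\n\r\n" * 1000      # 18 000 bytes -> two fragments
    app = CONTENT_TYPES["application_data"]
    records = [build_record(app, f, mac_secret, enc_key, seq)
               for seq, f in enumerate(fragment(message))]
    reassembled = b"".join(open_record(r, mac_secret, enc_key, seq)[1]
                           for seq, r in enumerate(records))

    def rejected(rec, seq):
        try:
            open_record(rec, mac_secret, enc_key, seq)
            return False
        except ValueError:
            return True

    tampered = bytearray(records[0])
    tampered[10] ^= 0x01                           # flip one ciphertext bit in the first fragment
    return {"records": len(records),
            "roundtrip": reassembled == message,
            "tamper_detected": rejected(bytes(tampered), 0),
            "replay_detected": rejected(records[0], 1)}   # same record, wrong sequence number

if __name__ == "__main__":
    print(demo())
```

Running the module shows the 18 000-byte message split into two records that round-trip intact, while a record with one flipped ciphertext bit and a record replayed under the wrong sequence number are both rejected; the implicit sequence number entering the MAC is what gives the record layer its anti-replay property. A real implementation substitutes the negotiated cipher for the stand-in keystream, and only the block-cipher case needs the padding layout shown.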
226 LOVELY PROFESSIONAL UNIVERSITY