You’ve certainly heard about SSL or TLS protocols.
We’re going to see what it’s all about together.
To do that, the subject will be split into 5 parts, with one posted each day until Friday.
First of all, a little history lesson: fasten your seat belt, let’s start with part 1!
SSL and TLS are cryptographic protocols that provide communications security.
They act as an additional intermediate layer between the transport layer (TCP) and the application layer (HTTP, FTP, SMTP…) (see diagram below).
This means that they can be used to secure a web transaction, sending or receiving emails…
So far, so good!
SSL and TLS are invisible to the user, and do not require the use of a specific application protocol.
[Figure: OSI model with SSL/TLS]
The SSL and TLS protocols allow two computers to exchange information securely.
They are responsible for the following three things:
The TLS and SSL protocols are based on a combination of several cryptographic concepts, involving both asymmetric and symmetric encryption (we'll discuss this in a related part of this article).
Moreover, these protocols are designed to evolve: they are independent of the cryptographic algorithms and authentication methods selected for a transaction. This lets them adapt to users' needs and offer better security, because the protocols themselves are not affected by technical advances in cryptography (if an encryption algorithm becomes obsolete, the protocol can still be used by choosing a more secure one).
A – SSL:
SSL stands for Secure Sockets Layer.
B – TLS:
TLS stands for Transport Layer Security.
The development of this protocol has been continued by the IETF.
The TLS protocol is not structurally different from version 3 of SSL, but modifications in the use of hash functions make the two protocols non-interoperable.
However, TLS, like SSLv3, is backward compatible with previous versions: at the beginning of the negotiation phase, client and server negotiate the best version of the protocol that they have in common. For security reasons (mentioned above), TLS compatibility with SSL v2 has been dropped.
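The version negotiation described above can be sketched as follows. This is an added example, not code from the original post: it parses the version a client offers in a ClientHello and picks the highest version the server also supports, for the versions named in this article (SSLv3 to TLS 1.2). The function names, the sample message and the server policy are assumptions made for illustration.

```python
import struct
from typing import Iterable, Optional

# Wire codes for the protocol versions named in the article.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


def build_client_hello(version: int) -> bytes:
    """Constructed sample: a minimal ClientHello offering one cipher suite."""
    body = struct.pack("!H", version) + bytes(32)    # client_version, random
    body += b"\x00"                                  # empty session id
    body += b"\x00\x02\x00\x2f"                      # one suite (0x002F)
    body += b"\x01\x00"                              # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, TLS10, len(handshake)) + handshake


def client_hello_version(record: bytes) -> int:
    """Return the highest version the client offers (client_version)."""
    if len(record) < 11:
        raise ValueError("too short to carry a ClientHello version")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:        # 22 = handshake; SSLv2-format hellos fail here
        raise ValueError("not an SSLv3/TLS handshake record")
    if length != len(record) - 5:
        raise ValueError("record length does not match payload")
    if record[5] != 1:            # 1 = ClientHello
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", record[9:11])[0]   # after the 3-byte length


def negotiate(record: bytes, server_versions: Iterable[int]) -> Optional[int]:
    """Highest server version <= the client's offer, or None (handshake fails)."""
    offered = client_hello_version(record)
    common = [v for v in server_versions if v <= offered]
    return max(common) if common else None


if __name__ == "__main__":
    server = {TLS10, TLS11, TLS12}            # assumed server policy
    for offer in (TLS12, TLS10, SSL3):
        chosen = negotiate(build_client_hello(offer), server)
        print(NAMES[offer], "->", NAMES.get(chosen, "no common version"))
```

A server that leaves SSLv3 out of its supported set refuses an SSLv3-only client instead of falling back, and an SSLv2-format hello never reaches the version check because its first byte is not a handshake record type.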
What also differentiates TLS from SSL is that asymmetric key generation is a little more secure in TLS than in SSLv3, since no step relies solely on MD5 (in which cryptanalysis has revealed weaknesses).
Most browsers support TLS 1.0. The browsers that support TLS 1.1 and 1.2 by default are:
I really hope I haven't lost anyone along the way, because we're now going to dig deeper!