Security Basics mailing list archives

RE: SSL workings


From: "Boyer, G. T. IT2 ISSM Office" <boyerg () enterprise navy mil>
Date: Wed, 3 Dec 2003 21:38:01 -0500


http://www.faqs.org/faqs/computer-security/ssl-talk-faq/


-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: Tuesday, December 02, 2003 7:23 PM
To: trystano () aol com; security-basics () securityfocus com
Subject: RE: SSL workings


Tryst,

It is kind of like dating:

1. You see some hot server you want to hang with.
 
2.  You go up to meet the server, talk to it, and shake its hand (SSL
handshake):
"OK, let's talk, can you Diffie?"   "Yes I can."  "Can you RC4 128?"  "No I
cannot but I can 3DES?"   "Sorry, I only RC4 128".  "Goodbye"  (Negotiate
what cipher suite to use).  (OK, but we will pretend she (I mean it) said yes
to 3DES.)
Now the server sends its certificate, you authenticate the server by
validating the certificate.  And now you go to the champagne room, I mean
you go sit down and talk in your private language (symmetric encryption).

3.  Now every time you talk you do so in your private session, until you
leave:
You say something, it is hashed, the "hash" (if the bar you are in happens to
be in Amsterdam) is encrypted, you send the hash and encrypted data. And
vice versa.  And you both only accept the information if all values match.

4.  Once you leave a new negotiation occurs.   New keys etc....

Of course most of the time it just ends at the "Goodbye"


 
_______________________________
Dave Kleiman, CISSP, MCSE, CIFI
dave () isecureu com
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 



-----Original Message-----
From: trystano () aol com [mailto:trystano () aol com] 
Sent: Tuesday, December 02, 2003 12:18
To: security-basics () securityfocus com
Subject: SSL workings


Can someone please highlight exactly how SSL works? I know it encrypts data
sent between a client and a server and uses authentication through use of
certificates etc.

But does it secure the socket/port out of which the data is being
transferred? Does SSL send data through a different port than normal
unprotected data transfers?

Sorry if this sounds kind of beginner like :-s

Cheers

Tryst

---------------------------------------------------------------------------
----------------------------------------------------------------------------
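
The cipher suite negotiation and the per-record "only accept if all values match" check described in the reply above, as an added Python example that is not part of the original thread. It is a simplified model, not real SSL: the suite names are constructed labels, the server is assumed to pick by the client's preference order, and a SHA-256 counter keystream stands in for RC4/3DES.

```python
import hashlib
import hmac

MAC_LEN = 20  # SHA-1 output size in bytes

class HandshakeFailure(Exception):
    """No cipher suite in common: the "Goodbye" case."""

def negotiate(client_offers, server_supports):
    # Assumption: the first suite in the client's preference order that the
    # server also supports is chosen; with no overlap the handshake aborts.
    for suite in client_offers:
        if suite in server_supports:
            return suite
    raise HandshakeFailure("no shared cipher suite")

def _keystream(key, seq, length):
    # Stand-in stream cipher for illustration only (not RC4 or 3DES).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def _mac(mac_key, seq, data):
    # The sequence number is covered so replayed or reordered records fail.
    return hmac.new(mac_key, seq.to_bytes(8, "big") + data, hashlib.sha1).digest()

def seal(enc_key, mac_key, seq, data):
    # MAC the plaintext first, then encrypt data and MAC together.
    body = data + _mac(mac_key, seq, data)
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, seq, len(body))))

def open_record(enc_key, mac_key, seq, record):
    body = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, seq, len(record))))
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(mac_key, seq, data)):
        raise ValueError("bad record MAC")  # receiver drops the record
    return data

if __name__ == "__main__":
    # Constructed sample values.
    print(negotiate(["RC4-128", "3DES"], ["3DES"]))
    rec = seal(b"k-enc", b"k-mac", 0, b"hello server")
    print(open_record(b"k-enc", b"k-mac", 0, rec))
```
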