SSL and TLS

Question 1

Why is web security important?

Answer 1

The web is widely used for a range of purposes.

Question 2

What type of threats is the web vulnerable to?

Answer 2

• integrity
• confidentiality
• denial of service
• authentication

Question 3

What does SSL stand for?

Answer 3

Secure Socket Layer

Question 4

What is SSL?

Answer 4

A standard protocol that provides a range of security services to your application data.

Question 5

Where does SSL sit in the TCP/IP model?

Answer 5

In-between the application layer and the TCP layer.

Question 6

What is a basic application example for SSL?

Answer 6

1. Client contacts Server
2. Client conveys secret info to Server
3. Client wants to authenticate the server.

Question 7

What is the SSL Architecture?

Answer 7

SSL is broken into two parts “layers”:
1. Record Protocol
2. Multiple Protocols (Handshake, Change Cipher Spec, Alert Protocols)

Question 8

What is the SSL Handshake Protocol?

Answer 8

Allows the server & Client to:
- Authenticate each other
- Negotiation encryption & MAC algorithms
- Negotiate cryptographic keys to be used

Question 9

What is the SSL Change Cipher Spec Protocol?

Answer 9

Handles and notifies the client if there’s any change in the Cipher Spec.

Question 10

What is the SSL Alert Protocol?

Answer 10

Handles warnings and errors of web communication.

Question 11

What is an SSL session?

Answer 11

An association between a client and a server.

Question 12

What does it mean that SSL sessions are stateful?

Answer 12

The session state includes security algorithms and parameters.

Question 13

What might a session include?

Answer 13

Multiple secure connections between the same client and server.

Question 14

What does connections of the same session share?

Answer 14

The session state.

Question 15

What are sessions used for?

Answer 15

To avoid expensive negotiation of new security parameters for each connection (reconnection).

Question 16

What is a session state?

Answer 16

Carries the following information:
- Session identifier
- Peer certificate
- Compression method
- Cipher Spec

Question 17

What is a session identifier?

Answer 17

A random number to identify a session.

Question 18

What is a Peer certificate?

Answer 18

Authenticates that the server or client is connected to a valid client or server.

Question 19

What is Cipher Spec?

Answer 19

Used to understand what type of encryption/security algorithm is used to secure communications.

Question 20

What are the two responsibilities of the SSL Record Protocol Services?

Answer 20

• Message integrity
• Confidentiality
• Compress before encryption

Question 21

How does SSL Record protocol work?

Answer 21

Split the application data into fragments. For each fragment:
- Compress it
- Append MAC value
- Encrypt fragment
- Append SSL Record Header

Question 22

What are the phases of the Handshake Protocol?

Answer 22

Phase 1: Negotiation of the session ID, and security algorithms
Phase 2: Server can send it certificate and key exchange message and requests the client certificate
Phase 3: Client sends certificate if request and may send verification messages. Client always sends its key exchange message
Phase 4: Change Cipher Spec and finish handshake

Question 23

What is the Change Cipher Spec?

Answer 23

Practically a single message that indicates the end of the SSL handshake.

Question 24

What is TLS?

Answer 24

Transport Layer Security, same principle as SSL but may vary MAC, alert codes, verify message etc.