SSL Sessions and Connections

SSL/TLS modes

When SSL was designed, U.S. export regulations restricted the size of keys that could be used by applications exported from the U.S. Therefore, SSL was designed to have 1024-bit and 512-bit key exchanges to allow the option of strong cryptography providing maximum security while still remaining exportable. SSL v3 and TLS incorporate Ephemeral RSA for communication to an exportable client. The server generates a 512-bit key and associates it with its strong key; for domestic clients it just uses the strong key. The Ephemeral RSA mode has the ServerKeyExchange message to transmit the signed RSA key, and the client verifies the server's signature.

The other mode for SSL v3 and TLS is the Server Gated Security (Microsoft's Server Gated Cryptograph [SGC] or Netscape's Step-Up). Exceptions to the export regulations were allowed so that exportable clients could communicate with secure servers when absolutely necessary - such as in financial applications. The server has a certificate; this certificate identifies the server as able to engage in strong cryptography with exportable clients. Very few trustworthy Certificate Authorities (CAs), such as Verisign, issue this certificate. During the handshake, the client offers weak ciphers, and the server presents its certificate. The client verifies the server and confirms that more secure communication is appropriate; the client initiates a second handshake by offering strong ciphers in the ClientHello message.

Therefore, SSL v3 and TLS have two modes: Ephemeral RSA and Server Gated Security.

SSL and authentication

So far we have discussed RSA because it is the dominant public algorithm, but SSL v3 supports a number of other ciphers such as DSS and DH, both of which are mandatory in TLS. The TLS standard specifies DH/DSS key exchange and less-used cipher suites that use Elliptic Curves, Kerberos, and Fortezza algorithms. Unlike RSA, which can be used for digital signature and key agreement, DH can only be used for key agreement and DSS for digital signatures. So, DSS and DH are typically used together.

One way that DSS and DH are used together is for the server to generate a temporary DH key, sign it with DSS key, and transmit the signed key using the ServerKeyExchange message. The client uses the DH key for key agreement. Another way to use the DSS/DH combination is to use DH keys as fixed keys: The server has a certificate signed with DSS and that contains the DH key; the client uses the DH key in the certificate for key agreement.

For the key agreement, the client and server must be able to compute the shared DH secret. For that, they need their own DH key and the other side's public key. For this to happen, the client gets the server's DH key and generates a DH key in the same family - unless it already has one. The client then sends its public key in the ClientKeyExchange message. The DH secret is used as the pre_master_secret, and the rest of the connection is the same as with RSA.

Elliptic Curve (EC) ciphers use points in an elliptic curve but no cipher suites - so far - have been standardized. Kerberos is a symmetric key authentication system. It uses a central server trusted by the entities in the system, and the ticket is used to encrypt the pre_master_secret . The ClientKeyExchange contains both the ticket and the encrypted pre_master_secret . The server extracts the shared key from the ticket and decrypts the pre_master_secret . The process continues as in the previous cases.

The Fortezza card is a U.S.-government-designed cryptographic token that uses Key Exchange Algorithm (KEA) for the key agreement and SKIPLACK (a block cipher) for the block encryption algorithm. Fortezza cards were specified in SSL v3 but removed for TLS.