Security Forums

How SSL works - why aren't there any real guides?

lillero
Posted: Tue Aug 10, 2010 7:24 am

When the client connects to the server, it downloads the server's certificate. Does it open the hash of this downloaded certificate with the locally stored certificate's public key, and this way make sure it's a legit server? Many guides just explain "it compares the certificates".

I want to learn what actually happens in all the steps during the SSL connection.


Please help!

- Lilléro

Moderator note: moved from Beginners - capi


Last edited by lillero on Thu Aug 12, 2010 12:21 pm; edited 2 times in total
capi

Posted: Tue Aug 10, 2010 1:34 pm

I suggest you read Wikipedia's article on Transport Layer Security (the successor to SSL). The How it works section may be of particular interest.
lillero

Posted: Wed Aug 11, 2010 8:05 am

Thanks for the reply

I previously read the SSL guide found in this website, but it leaves a lot of questions unanswered, so I tried to find more information.

http://www.windowsecurity.com/articles/Secure_Socket_Layer.html

If there could be a website that explains in great detail the contents of an .X509 certificate and how the parties are identified using it, for example in an SSL connection, it would be great.

For example, in the Wikipedia article, there are lines like:

"From the random number, both parties generate key material for encryption and decryption."

How does that actually happen? There is a random number, and encrypted material just comes... how?

Why is a random number sent in both the ClientHello and ServerHello messages? Are these numbers encrypted?

What is the PreMasterSecret the client sends to the server?

I appreciate all the help I can get.

Best regards,
lillero


Last edited by lillero on Thu Aug 12, 2010 12:07 pm; edited 1 time in total
capi

Posted: Wed Aug 11, 2010 12:26 pm

lillero wrote:
I also had some questions in the other thread about certificate principles, which are still unanswered. For some reason it seems it's hard to find people who really know how the stuff works. I keep getting roundabout answers about keys and copy+paste to links that don't answer anything.

I think you will find that replying in the way in which you have above will not go very far towards motivating people to help you. Have you stopped to consider that the people who know how stuff works may have busy lives, and to appreciate the time someone takes from their work to post that "copy+paste link" instead of complaining about how they didn't have the 3 hours it would take to write a professional-level 3-page article on SSL and give it away to you for free?

Really, you ask an extremely open question about a complex matter giving absolutely no background and no specific questions, then you complain when you are given an introductory answer. Try walking up to a physics researcher and asking him to give you a lecture on quantum physics, then complain to him in such an offended manner when he refers you to a 2nd year physics book.

As for the random numbers, read up on nonces. As for key generation, there are several articles on that, both in Wikipedia and in general literature. You may want to read up on cryptographic hashes, too. As for the details of the protocol, really, read the RFC. You did see that the Wikipedia article contained links to further reading, no? Read RFC5246, read Microsoft's SSL/TLS in Detail (you did find that in the references section, no?). Go visit http://www.openssl.org and read the documentation; better yet, read the sources.
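
Added illustration (not part of any post in this thread, and not code from the RFC or from OpenSSL): following RFC 5246, which the reply above points to, this sketch shows how the PreMasterSecret and the two hello randoms become key material in TLS 1.2. It assumes an RSA-style key exchange in which the client has already sent the PreMasterSecret encrypted to the server; the byte values and the key sizes (20-byte MAC keys, 16-byte cipher keys) are constructed for illustration.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash of RFC 5246 section 5: HMAC-SHA256 iterated until enough output."""
    out, a = b"", seed                       # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def derive_keys(pre_master, client_random, server_random, mac_len=20, key_len=16):
    """Master secret (RFC 5246 section 8.1), then the key block (section 6.3)."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key expansion uses the same two randoms in the opposite order.
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    keys, pos = {"master_secret": master}, 0
    for name, size in (("client_mac", mac_len), ("server_mac", mac_len),
                       ("client_key", key_len), ("server_key", key_len)):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

# Constructed sample values (not captured from any real handshake).
PRE_MASTER = b"\x03\x03" + bytes(range(46))   # 2 version bytes + 46 "random" bytes
CLIENT_RANDOM = bytes([0xC1]) * 32            # sent in the clear in ClientHello
SERVER_RANDOM = bytes([0x5E]) * 32            # sent in the clear in ServerHello

if __name__ == "__main__":
    client_view = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_view = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    assert client_view == server_view      # both ends reach identical keys
    for name, value in client_view.items():
        print(f"{name:14s} {value.hex()}")
```

Both hello randoms cross the wire unencrypted; they act as nonces so that each connection derives fresh keys, and only the pre-master secret has to stay confidential.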
lillero

Posted: Thu Aug 12, 2010 12:11 pm

Holas

I'd like to get back to the issue.

After many years I thought somebody would have written such an article. The article written by Onyszko is OK, but leaves unanswered some of the questions I also pointed out in the Wikipedia article.

If somebody can answer the questions I raised earlier, or point to a similar, even more comprehensive article, I'd appreciate it.

- Lilléro
All times are GMT + 2 Hours