Wednesday, January 22, 2014

What is SSL handshake and how does it happen?

SSL handshake -

CLIENT - The client initiates the communication to the server over a secure port ex. 443, says Hello, and gives the server its SSL version, cipher settings and other information to the server telling it - "Hey you can talk to me using the information I just provided."

SERVER - Now the server replies to this Hello from client by saying Hello and gives the client its SSL version, cipher settings and other information to the client telling it - "Hey you can talk to me using the information I just provided." It also provides the client with its public key.
It’s like 2 couples sharing each other’s private phones numbers to talk privately.

Note If the client is requesting any server resources that require client authentication the server requests the client digital cert to be sent as well.

CLIENT - The client now uses all the data given by the server (data obtained during this handshake) creates a pre master secret key for the session and encrypts it with the server public key that it was given during step2. It then sends this pre master key to the server. (Only client has the pre master key for now.)

SERVER - The server decrypts this pre master key using its private key.

Note at this point after step 4 both the client and server has the pre master key.

CLIENT & SERVER - From this point on both the parties perform series of steps, starting from the same pre master key - generate a master secret password. Both client and server use this master key and generate symmetric keys which are used to encrypt and decrypt information during SSL session.

CLIENT - Client informs the server from this point on all future messages from it are going to be encrypted using the session key and then sends a separate encrypted message telling the server that client portion on SSL handshake has been completed.

SERVER - Pretty much does the same as above. Informs the client that from this point on all future messages from it are going to be encrypted using the session key and then sends a separate encrypted message telling the client that server portion on SSL handshake is now complete.

SSL handshake is now done and SSL session has begun. Whatever happens between the client and server is now encrypted and either parties use the symmetric keys to encrypt and decrypt.

Note - Symmetric encryption has begun after the last step. In this kind of encryption both the parties use the shared password (symmetric key) to encrypt and decrypt messages. But notice that to get to this point PKI (public and private key) infrastructure was in play. This is faster than situations where both the parties use public and private key all the time and would be taxing on the client and server.

Also keep in mind that if A encrypts a piece of information using B's Public key the only B who has the private key can decrypt it.
If A encrypts a piece of information using A's Private key then anyone who trusts A's public key can decrypt it. Successfully decrypting the information proves that it was send by A and no one else.

Head spinner but this is one of the most important topic and I tend to fall back on this explanation time to time.

Posted by at No comments:

F5 LTM SSL Configurations - Concept

The F5 LTM device is built to handle SSL traffic in load balancing scenario and meet most of the security requirements effectively. The 3 common SSL configurations that can be set up on LTM device are
  • SSL Offloading
  • SSL Re-Encryption
  • SSL Passthrough
Typical load balancing infrastructure setup would be Client--->F5 LTM---->Servers hosting applications i.e. client traffic will be directed to a load balancer like F5 which in return (using complex algorithm) send the traffic to an appropriate server.

SSL Offloading - In this method the client traffic to F5 is sent as encrypted. Instead of the server decrypting and re-encrypting the traffic LTM would handle that part. So the client traffic is decrypted by the LTM and the decrypted traffic is sent to the server. The return communication from the server to client is encrypted by the LTM and sent back to the client. Thus sparing the server additional load of encryption and decryption. All the server resources can now be fully utilized to serve the application content or any other purpose they are built to do.
 SSL Offloading
Note - 
  1. The communication between the server LTM and server is in clear txt.
  2. Servers are setup to listen on unsecure ports ex Port 80.
  3. Since the LTM decrypts the HTTP traffic it has now the ability to read the content (header, txt, cookies etc.) and all the persistence options can be applied. (Source address, Destination address, Cookies, SSL, SIP, Universal, MSRDP)
SSL Re-Encryption - In this method the LTM will re-encrypt the traffic before sending it to the servers. Client sends encrypted traffic to LTM, LTM then decrypts it and before send it to the servers or pool members re-encrypts it again. This method is generally used to satisfy the requirement of traffic to be encrypted between the LTM and Servers as well. This requirement might be put in place for additional security or prevent intrusion from within the network. When this method is used the servers will also have to decrypt and encrypt the traffic.

SSL Re-Encryption
Note –
  1. The communication between the server LTM and server is secure.
  2.  Servers are setup to listen on secure ports ex Port 443.
  3.  Since the LTM initially decrypts the HTTP traffic it still has the ability to read the content (header, txt, cookies etc.) and all the persistence options can be applied same as SSL Offloading. (Source address, Destination address, Cookies, SSL, SIP, Universal, MSRDP)

SSL Pass through - As the name suggests the LTM's will just pass the traffic from client to servers absolving itself from any SSL related workload. Instead of forwarding SSL handshakes and connections to the servers directly it will just pass the client traffic to the servers. Usually this setup is used if the applications being served are anti SSL proxy or cannot consume decrypted traffic.
SSL Pass Through
Note - 
  1. Since it’s just pass through LTM cannot read the headers which introduces limitations on persistence. Only non SSL information in the packet can be used to maintain persistence like source ip address, destination ip address.
I will try to post few more concept articles when time permits. Enjoy.

Posted by at No comments:
Subscribe to: Posts (Atom)