Escolar Documentos
Profissional Documentos
Cultura Documentos
3. OpenSSL basics
OpenSSL is a free, full-featured SSL implementation
currently available for use with the C and C++ Fig 1: High level TLS 1.2 design
programming languages. It is an inherited work from
SSLeay and is supported by UNIX and most versions S2 and S3 module: These modules support
of Microsoft Windows operating systems. In functionality of SSL 2.0 and SSL 3.0 respectively.
December 1998, development of SSLeay ceased, and S23 module: This module supports compatibility of
the first version of OpenSSL was released as 0.9.1c, SSL 2.0 and SSL 3.0.
using SSLeay 0.9.1b. The OpenSSL toolkit is SSL ciphersuite module: This module supports all
licensed under an Apache-style license, which SSL, TLS 1.0 and TLS 1.2 cipher suites.
basically means that you are free to get and use it for SSL PKI handle module: This module supports
commercial and non-commercial purposes subject to Public Key Infrastructure (i.e. certificate).
some simple license conditions. OpenSSL is SSL cryptography module: This module supports
essentially two tools in one: a cryptography library all kind of cryptographic operations.
and an SSL toolkit. There are no other SSL SSL socket module: This module supports bind of
implementations in C which are free and available for socket to SSL object.
commercial use. SSL error handle and log module: This module
supports logging of all error messages.
produced by the TLS Handshake Protocol which uses message: Parsing of the signature algorithm
messages to negotiate the cipher suite and extension is required. While selecting cipher
authenticate the server to the client and to exchange suite the server must check all certificates
information for building the cryptographic secrets. that are signed by a hash/signature algorithm
pair that appears in the extension. Extension
present is detected by whether there are
bytes following the compression methods at
the end of the Client Hello. If client doesn’t
send signature algorithms use SHA1, RSA
pair.
3. Changes required in Server Certificate
message: Selected certificates must be
signed by Signature and Hash algorithm
pairs protected by client.
4. Changes required in client for Server
Certificate message: Client must verify
server certificate chain provided by server is
signed with client supported sign-hash pair.
Fig 2: Modules involved in OpenSSL 5. Changes in server required for Server key
library for TLS 1.2 exchange message: Signature and hash
algorithm used for singing parameter must
The TLS Handshaking is done in four phases: be one of the pair provided by client. The
- Establishing security capability through Client hash and signature algorithms must be
Hello and Server Hello messages. compatible with the key in the server’s end-
- Authentication is achieved by exchange of keys entity certificate.
between client and server.
- Client Key Exchange and authentication. The client Certificate type and CA check in Certificate
is authenticated to the server. Both the client and the Request
server know the pre-master secret. TLS 1.2 adds Certificate type and CA checks as part
- Finalizing and Finishing. Now the client and the of certificate request processing at client side.
server are ready to exchange data. Changes required in Client for Certificate request
message: Apart from parsing certificate types, client
The high level changes required in OpenSSL library must use certificate types for selecting the client
to support TLS 1.2 are: certificate. If the certificate authorities list in the
- SHA256 is implemented in the cryptography certificate request message is not empty, then one of
library. For SSL corresponding ID and cipher needs the certificates in the certificate chain should be
to be supported. issued.
- While using TLS1.2 the PRF function should use
SHA256. Signature/Hash Algorithm extension in Certificate
- New TLS1.2 ciphersuite based on SHA256 should request
be added. TLS 1.2 adds supported_signature_algorithms as part
- Protocol negotiation should now include TLS1.2 of certificate request.
version checking. 1. Changes required in Server for Certificate
Request message: In addition to cert types,
Signature algorithm extension server adds the Hash and signature
Client uses this extension to indicate to the server algorithm pairs that server supports in
which signature/hash algorithm pairs may be used in certificate request.
digital signatures. 2. Changes required in Client for Certificate
1. Changes required in client for Client Hello Request message: End entity certificate
message: Client adds the hash and signature public key has to be compatible with
algorithm pair that it can support as certificate types listed in Certificate request.
extension The certificates must be signed using an
2. Changes required in server for Client Hello acceptable hash/signature algorithm pair.
181
International Journal of Advanced Computer Research (ISSN (print): 2249-7277 ISSN (online): 2277-7970)
Volume-3 Number-3 Issue-12 September-2013
182
International Journal of Advanced Computer Research (ISSN (print): 2249-7277 ISSN (online): 2277-7970)
Volume-3 Number-3 Issue-12 September-2013
ssl3_send_client_certificate the client [5] Dierks, T. and E. Rescorla, "The Transport Layer
certificate will be checked to see if it Security (TLS) Protocol Version 1.2", RFC 5246,
matches the sign-hash pairs. April 2008.
6. s3_enc.c – Calculating hash of all the [6] R. Rivest, A. Shamir, and L. M. Adleman, "A
Method for Obtaining Digital Signatures and
handshake messages is updated in function Public-Key Cryptosystems", Communications of
ssl3_finish_mac. the ACM, v. 21, n. 2, Feb 1978, pp. 120-126.
7. T1_enc.c – The new PRF implementation [7] NIST FIPS PUB 186-2, "Digital Signature
for TLS 1.2 is added. Standard", National Institute of Standards and
Technology, U.S. Department of Commerce,
6. Conclusion 2000.
[8] Moeller, B., "Security of CBC Ciphersuites in
SSL/TLS: Problems and Countermeasures",
SSL / TLS are the most widely deployed security http://www.openssl.org/~bodo/tls-cbc.txt.
protocol standard for providing authentication,
integrity and secrecy. OpenSSL is primarily a library
that is used by developers to include support for
strong cryptography in their programs, but it is also a
tool that provides access to much of its functionality Suresh P received his ME degree
from the command line. Computation of hash for file from UVCE, Bangalore University,
contents can be performed easily by using command- Bangalore, India. He is presently
line tool. OpenSSL toolkit is licensed under an working as an Assistant Professor in
Dept. of CSE, SVCE, Bangalore. His
Apache-style license, means that you are free to get research interest includes Computer
and use it for commercial and non-commercial Network Security, Mobile Computing,
purposes. TLS 1.2 is currently the most secure and up Computer Architecture and
to date version of the standard. Achieving RFC Distributed Systems.
compliance is very important for commercial
products. In this paper how TLS 1.2 can be supported Pradeep K R received his M Tech
in OpenSSL is shown there by meeting the stringent degree from SJCE, VTU, Mysore,
security guidelines for commercial product. India. He is presently working as an
Assistant Professor in Dept. of ISE,
SVCE, Bangalore. His research interest
References includes Wireless Sensor Networks and
Cloud Computing.
[1] Postel, J., "Transmission Control Protocol", STD
7, RFC 793, September 1981.
[2] National Institute of Standards and Technology, Maria Navin J R received his ME
"Specification for the Advanced Encryption degree from UVCE, Bangalore
Standard (AES)" FIPS 197. November 26, 2001. University, Bangalore, India. He is
[3] B. Schneier. "Applied Cryptography: Protocols, presently working as an Assistant
Algorithms, and Source Code in C, 2nd ed.", Professor in Dept. of ISE, SVCE,
Published by John Wiley & Sons, Inc. 1996. Bangalore. His research interest
[4] Dierks, T. and E. Rescorla, "The Transport Layer includes Computer Network Security
Security (TLS) Protocol Version 1.1", RFC 4346, and Distributed Systems.
April 2006.
183