Figure 1: SSL Protocol Architecture
The SSL is inserted between the TCP protocol and the application protocol. In the case of Netscape 1.1 a secure version of the http protocol, https, has been developed by layering http on top of SSL which, in turn uses tcp.
Figure 2: Phase II Formats
The SSL protocol operates in two phases. In the second phase data is encrypted using an algorithm and keys chosen in the first phase. Currently Netscape uses the RC4 algorithm which is a proprietary, unpublished, symmetric key, encryption algorithm invented by RSA Data Security Inc for data encryption. The SSL protocol, however, supports a range of other encryption algorithms including DES. Authentication and secure key exchange is achieved using the PKCS#1 RSA public key encryption algorithm.
Data to be sent over the connection is formatted into one of two formats, depending on whether padding is required to fill an encryption block. These formats are shown in figure 2). In this phase the SSLs main function is to encrypt and decrypt all data for the application protocol. If necessary random padding data will be added to an application message to make it the correct length for the encryption algorithm to process. To ensure the integrity of the message and to guard against an attacker replying an old message the message, the secret key, and a sequence number are passed through a hashing algorithm which produces a Message Authentication Code (MAC) which is sent with the message.
Figure 3: Phase I Packet Exchange
In the first phase the sever, and optionally the client, are authenticated, using certificates. An encryption algorithm is selected from a set of predefined algorithms and a symmetric key is chosen for each direction of communication . The exchange of packets is shown in figure 3 and described in the following sections.