Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that secure the connection between a web browser and a web server (and, more generally, between any two applications talking over TCP).
The technical differences between them are small. SSL is the original protocol, developed by Netscape, and TLS is the follow-on Internet standard from the IETF, with tighter cryptographic constructions and a richer set of alert codes. Note that every SSL version is now deprecated (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568) and modern browsers refuse to negotiate them, so "SSL" in current usage almost always means TLS.
Comparison chart: SSL vs TLS

| Basis for comparison | SSL | TLS |
|---|---|---|
| Cipher suites | Supports the Fortezza/DMS suites | Does not support Fortezza; standardization makes new suites easier to define |
| Master secret | Derived from MD5/SHA-1 digests of the pre-master secret | Derived with a pseudorandom function (PRF) from the pre-master secret |
| Record protocol | Ad hoc keyed hash (MAC) over each fragment | Standard HMAC, which also covers the record's version field |
| Alert protocol | Includes the "no_certificate" alert (code 41) | Drops "no_certificate" and adds a dozen new alert descriptions |
| Message authentication | Ad hoc construction specific to SSL | Standard HMAC (RFC 2104) |
| Certificate verify | Hashes cover handshake messages plus master secret and padding | Hashes cover handshake messages only |
| Finished | Nested digests over master secret and handshake messages (36 bytes) | PRF over master secret and handshake-message hashes (12 bytes) |
Definition of SSL
The Secure Sockets Layer (SSL) protocol is an Internet protocol that ensures secure exchange of information between a web browser and a web server. It offers three basic security services: authentication, confidentiality and message integrity. Logically, it provides a secure link between the web browser and the web server. Netscape Communications began designing SSL in 1994; SSL 1.0 was never released, SSL 2.0 shipped in 1995 and SSL 3.0 in 1996 (later documented historically as RFC 6101). Since then SSL and its successor TLS have become the world's most widely used Web security mechanism, supported by all major Web browsers. SSL exists in three versions: 2.0, 3.0 and 3.1, where "3.1" is the version number that TLS 1.0 carries on the wire (bytes 0x03 0x01), because TLS 1.0 is a minor revision of SSL 3.0. SSL 2.0 and 3.0 are now prohibited (RFC 6176 and RFC 7568) because of known weaknesses such as the POODLE padding attack on SSL 3.0.
SSL can be thought of as an additional layer in the TCP/IP protocol suite, positioned between the application layer and the transport layer. Application data is first passed to the SSL layer. The SSL record layer fragments it into blocks of at most 2^14 bytes, optionally compresses each block, appends a MAC, encrypts the result and prepends its own header, the SSL record header (SH): one byte of content type, two bytes of protocol version and two bytes of length. The record then becomes the payload of the transport layer, which adds its TCP header and passes the segment to the internet layer, exactly as with any other TCP/IP data, until the frame is finally put on the transmission medium by the physical layer.
At the receiver's end the process is mirrored. The data travels up the stack as in a normal TCP/IP connection until it reaches the SSL layer, which parses the record header, decrypts the fragment, verifies the MAC, decompresses if compression was negotiated, and hands the plaintext to the application layer of the receiving computer.
How does SSL work?
The three sub-protocols that make up the SSL protocol are:
- Handshake protocol: It is made up of four phases.
  - Establish security capabilities (hello messages, version and cipher-suite negotiation)
  - Server authentication and key exchange
  - Client authentication and key exchange
  - Finish (ChangeCipherSpec followed by the Finished message from each side, which verifies the whole handshake)
- Record protocol: The record protocol carries all SSL traffic, including the handshake messages themselves, but it only starts protecting records with the negotiated keys after the handshake has completed and each side has sent ChangeCipherSpec. It provides two services to SSL connections:
  - Confidentiality: achieved by encrypting each fragment with the symmetric encryption key derived during the handshake.
  - Integrity: achieved by appending a MAC to each fragment, computed with a separate MAC secret that the handshake also derives, so that modified or replayed records are detected.
- Alert protocol: If an error is detected by the client or the server, the detecting party sends an alert message to the other party. Each alert carries a level (warning or fatal) and a description code. A fatal alert causes both parties to terminate the SSL connection immediately, and the session identifier must be invalidated so the session cannot be resumed.
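The record header, alert body and the two per-record MAC constructions described above, as an added example (not code from the original page): it parses a constructed stream of SSL 3.0 and TLS 1.0 records, decodes alert bodies (showing that description 41, no_certificate, is meaningful only under SSL 3.0), and computes the record MAC both the SSL 3.0 way and the TLS 1.0 way. Field layouts and constants follow RFC 6101 and RFC 2246; the record bytes and the MAC key are constructed sample values, not captured traffic.

```python
"""Record-layer framing and per-record MAC, SSL 3.0 versus TLS 1.0.

Added example, not code from the page. Header layout, version numbers,
alert codes and MAC constructions follow RFC 6101 (SSL 3.0) and RFC 2246
(TLS 1.0). All keys, sequence numbers and record bytes are constructed
sample values, not captured traffic.
"""
import hashlib
import hmac
import struct

# 5-byte record header: content type, version major, version minor, length
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MAX_RECORD = 2**14 + 2048  # ciphertext fragment limit in both protocols

# AlertDescription codes defined by SSL 3.0; 41 no_certificate exists only there
ALERTS_SSL3 = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
# TLS 1.0 dropped no_certificate and added these twelve (RFC 2246 section 7.2)
ALERTS_TLS10 = {k: v for k, v in ALERTS_SSL3.items() if k != 41}
ALERTS_TLS10.update({
    21: "decryption_failed", 22: "record_overflow", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
})


def parse_records(stream: bytes) -> list:
    """Split a byte stream into records, decoding each header and any plaintext alert."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_RECORD:
            raise ValueError("record_overflow")  # TLS alert 22; SSL 3.0 has no code for it
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        rec = {
            "type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
            "length": length,
            "fragment": fragment,
        }
        if ctype == 21 and length == 2:  # unencrypted alert: level byte + description byte
            level, desc = fragment
            table = ALERTS_SSL3 if (major, minor) == (3, 0) else ALERTS_TLS10
            rec["alert"] = ("fatal" if level == 2 else "warning", table.get(desc, f"unknown({desc})"))
        records.append(rec)
        pos += 5 + length
    return records


def ssl3_mac(mac_secret: bytes, seq_num: int, ctype: int, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSL 3.0 MAC (RFC 6101 section 5.2.3.1), an ad hoc nested hash:
    hash(secret + pad2 + hash(secret + pad1 + seq_num + type + length + fragment)).
    pad1/pad2 are 0x36/0x5c repeated 48 times for MD5, 40 times for SHA-1.
    The protocol version is not part of the authenticated data."""
    npad = 48 if hash_name == "md5" else 40
    pad1, pad2 = b"\x36" * npad, b"\x5c" * npad
    header = struct.pack("!QBH", seq_num, ctype, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()


def tls10_mac(mac_secret: bytes, seq_num: int, ctype: int, version: tuple, fragment: bytes,
              hash_name: str = "sha1") -> bytes:
    """TLS 1.0 MAC (RFC 2246 section 6.2.3.1): standard HMAC over
    seq_num + type + version + length + fragment; the version IS covered."""
    major, minor = version
    header = struct.pack("!QBBBH", seq_num, ctype, major, minor, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


# Constructed stream: SSL 3.0 fatal handshake_failure, SSL 3.0 warning no_certificate,
# the same two bytes (0x01 0x29) under TLS 1.0, then a TLS 1.0 application-data record
SAMPLE_STREAM = (
    b"\x15\x03\x00\x00\x02\x02\x28"
    + b"\x15\x03\x00\x00\x02\x01\x29"
    + b"\x15\x03\x01\x00\x02\x01\x29"
    + b"\x17\x03\x01\x00\x05hello"
)
MAC_KEY = b"constructed-sample-mac-key"  # not derived from any real handshake

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(rec["version"], rec["type"], rec.get("alert", rec["fragment"]))
    print("ssl3  mac:", ssl3_mac(MAC_KEY, 0, 23, b"hello").hex())
    print("tls10 mac:", tls10_mac(MAC_KEY, 0, 23, (3, 1), b"hello").hex())
```

Two things to notice when running it: the same alert bytes 0x01 0x29 decode to a no_certificate warning under a 3.0 header but to an undefined code under a 3.1 header, which is the alert-table difference from the comparison chart; and ssl3_mac never sees the version bytes while tls10_mac does, so changing the version field of a TLS 1.0 record changes its MAC.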
Definition of TLS
Transport Layer Security (TLS) is the outcome of an IETF (Internet Engineering Task Force) standardization initiative whose goal was to produce an Internet-standard version of SSL. Netscape wanted SSL standardized and handed the protocol over to the IETF, which published TLS 1.0 as RFC 2246 in 1999. The differences between SSL 3.0 and TLS 1.0 are subtle; the core design and implementation are very similar, which is why TLS 1.0 identifies itself on the wire as version 3.1. TLS has since progressed through TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446), each replacing weaker constructions, and TLS 1.0 and 1.1 are themselves deprecated by RFC 8996. The comparison below is therefore between the historical SSL 3.0 and TLS 1.0 designs.
Key Differences Between SSL and TLS
- The TLS protocol does not support the Fortezza/DMS cipher suites, which SSL 3.0 defined for the U.S. government's Fortezza cards. The TLS standardization process also makes it much easier to define new cipher suites, which are registered with IANA.
- To create the master secret, SSL 3.0 applies plain MD5 and SHA-1 digests to the pre-master secret and the two hello randoms (three MD5 blocks, each over the pre-master secret and a SHA-1 hash with the labels A, BB and CCC). TLS instead uses a pseudorandom function (PRF): in TLS 1.0 and 1.1 it is built from HMAC-MD5 XOR HMAC-SHA-1 over the two halves of the secret, and in TLS 1.2 from HMAC-SHA-256.
- The SSL record protocol computes a MAC over each compressed fragment with an ad hoc keyed-hash construction (the secret, padding and data are hashed, and the result is hashed again with the secret and a second pad) and then encrypts fragment plus MAC. The TLS record protocol uses HMAC (RFC 2104) for the same purpose and also includes the record's protocol version in the authenticated data.
- The "no_certificate" alert (code 41) exists only in SSL 3.0, where a client sends it when it has no certificate to present in response to a certificate request. TLS removes it (the client sends an empty certificate list instead) and adds a dozen new alert descriptions: decryption_failed, record_overflow, unknown_ca, access_denied, decode_error, decrypt_error, export_restriction, protocol_version, insufficient_security, internal_error, user_canceled and no_renegotiation.
- SSL message authentication combines key material and application data in an ad hoc construction created just for SSL. TLS instead relies on the standard message authentication code HMAC.
- In the TLS CertificateVerify message, the MD5 and SHA-1 hashes that the client signs are computed only over the handshake messages. In SSL, the hash calculation also includes the master secret and padding bytes.
- The TLS Finished message is created by applying the PRF to the master secret and the MD5 and SHA-1 hashes of the handshake messages, producing 12 bytes of verify_data. In SSL it is created by applying nested MD5 and SHA-1 digests, with padding, to the handshake messages, a sender constant and the master secret, producing 36 bytes.
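The master-secret and Finished computations contrasted in the bullets above (and in the master secret and Finished rows of the comparison chart), as an added example rather than code from the page: the SSL 3.0 side uses plain MD5/SHA-1 digests, the TLS 1.0 side the HMAC-based PRF. The constructions follow RFC 6101 and RFC 2246; the pre-master secret, hello randoms and handshake transcript are constructed sample values, not the output of a real key exchange.

```python
"""Master-secret and Finished computations, SSL 3.0 versus TLS 1.0.

Added example, not code from the page. Follows RFC 6101 (SSL 3.0,
sections 6.1 and 5.6.9) and RFC 2246 (TLS 1.0, sections 5 and 7.4.9).
The pre-master secret, hello randoms and handshake transcript below are
constructed sample values, not output of a real key exchange.
"""
import hashlib
import hmac


def ssl3_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """SSL 3.0: concatenate three MD5 digests, each over the pre-master secret and a
    SHA-1 digest labelled 'A', 'BB' and 'CCC'. Plain digests, no keyed construction."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master + client_random + server_random).digest()
        out += hashlib.md5(pre_master + inner).digest()
    return out  # 48 bytes


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: HMAC chain A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves overlap by one byte when the secret length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def tls10_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.0: master_secret = PRF(pre_master_secret, "master secret", randoms)[0..47]."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def ssl3_finished(master: bytes, handshake_messages: bytes, sender: bytes) -> bytes:
    """SSL 3.0 Finished: nested MD5 and SHA-1 hashes over transcript, sender constant
    (b'CLNT' or b'SRVR'), master secret and pads; 16 + 20 = 36 bytes."""
    out = b""
    for name, npad in (("md5", 48), ("sha1", 40)):
        pad1, pad2 = b"\x36" * npad, b"\x5c" * npad
        inner = hashlib.new(name, handshake_messages + sender + master + pad1).digest()
        out += hashlib.new(name, master + pad2 + inner).digest()
    return out


def tls10_finished(master: bytes, handshake_messages: bytes, label: bytes) -> bytes:
    """TLS 1.0 Finished: verify_data = PRF(master, label, MD5(transcript) + SHA1(transcript))[0..11],
    with label b'client finished' or b'server finished'."""
    transcript_hash = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return tls10_prf(master, label, transcript_hash, 12)


# Constructed sample inputs with protocol-correct sizes: 48-byte pre-master, 32-byte randoms
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
TRANSCRIPT = b"ClientHello..ServerHello..Certificate..ClientKeyExchange"  # stand-in transcript bytes

if __name__ == "__main__":
    ms_ssl = ssl3_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    ms_tls = tls10_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("SSL 3.0 master secret:", ms_ssl.hex())
    print("TLS 1.0 master secret:", ms_tls.hex())
    print("SSL 3.0 client Finished:", ssl3_finished(ms_ssl, TRANSCRIPT, b"CLNT").hex())
    print("TLS 1.0 client Finished:", tls10_finished(ms_tls, TRANSCRIPT, b"client finished").hex())
```

The same tls10_prf also produces the key block (label "key expansion", seed server_random + client_random) from which the MAC, encryption and IV keys are cut. TLS 1.2 replaced this PRF with a single P_SHA256, and TLS 1.3 replaced key derivation entirely with HKDF, so the functions above describe only SSL 3.0, TLS 1.0 and TLS 1.1.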
Both SSL and TLS serve the same purpose: providing authentication, encryption and integrity for a connection, sitting between TCP and the application. SSL 3.0 was designed first; TLS 1.0 followed as its successor, keeping essentially all of SSL's features while tightening the cryptographic constructions described above. In practice only TLS (preferably 1.2 or 1.3) should be enabled today, since SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated.