Secure Socket Layer (SSL) and Transport Layer Security (TLS) are protocols designed to provide the security between the web server and web browser.
However, there are minor differences between SSL and TLS, SSL is the foremost approach to serve the purpose and also it is supported by all browsers whereas TLS is the follow-on internet standard with some enhanced security and privacy features.
Content: SSL Vs TLS
|Basis for comparison||SSL||TLS|
|Cipher Suite||Supports Fortezza (algorithm)||Does not support Fortezza|
|Cryptography secret||Uses message digest of the pre-master secret for creating master secret.||Uses a pseudorandom function to create master secret.|
|Record protocol||Uses MAC (Message Authentication Code)||Uses HMAC (Hashed MAC)|
|Alert protocol||The "No certificate" alert message is included.||It eliminates alert description (No certificate) and adds a dozen other values.|
|Message authentication||Ad hoc||Standard|
|key material authentication||Ad hoc||Pseudorandom function|
|Finished||Ad hoc||Pseudorandom function|
Definition of SSL
The Secure Socket Layer (SSL) protocol is an Internet protocol which ensures the secure exchange of information between a web browser and a web server. It offers two basic security services: Authentication and confidentiality. Logically, it provides a secure connection between the web browser and the web server.
Netscape Corporation developed SSL in 1994. Since then, SSL has become the worlds most popular Web security mechanism. All the crucial Web browsers support SSL. At present, SSL is available in three versions: 2,3 and 3.1.
SSL layer can be notionally considered as a supplementary in the TCP/IP protocol suite. The SSL layer is positioned between the application layer and the transport layer. Here at first, the application layer data is passed to the SSL layer. Then, SSL layer performs encryption on the data received from the application layer and also adds its own encryption information header called as, SSL header (SH) to the encrypted data. After this, the SSL layer data becomes the input for the transport layer. It adds its own header and passes it on to the internet layer and so on. This process happens exactly the way it happens in the case of normal TCP/IP data transfer. Finally, when the data arrives at the physical layer, it is transmitted in the voltage pulses form along the transmission medium.
At the receiver’s end, the procedure is quite similar to how it happens in the case of a normal TCP/IP connection until it reaches the new SSL layer. The SSL layer at the receiver’s end eliminate the SSL header (SH), decrypts the encrypted data and return the plain text back to the application layer of the receiving computer.
How SSL works?
The three sub-protocols that form the overall functioning of the SSL protocol are-
- Handshake protocols: It is actually made up of four phases.
- Establish security capabilities
- Server authentication and key exchange
- Client authentication and key exchange
- Record protocol: The record protocol in SSL appears only after successful completion of the handshake between client and server. The protocol offers two defined services to SSL connections which are as follows:
- Confidentiality: This is achieved by using the secret key that is defined by the handshake protocol.
- Integrity: A shared secret key (MAC) is specified by a handshake protocol which is used for assuring the message integrity.
- Alert protocol: If an error is identified by client or server, the identifying party sends an alert message to another party. In case the error is fatal, both the parties rapidly close the SSL connection.
Definition of TLS
Transport Layer Security (TLS) is an IETF (Internet Engineering Task Force) standardization commencement, which aimed to come out with an Internet standard version of SSL. Netscape passed the protocol over the IETF because it wanted to standardize SSL.
There are major differences between the SSL and TLS. However, the main idea and implementation are quite similar.
Key Differences Between SSL and TLS
- The TLS protocol does not support Fortezza/DMS cipher suites while SSL supports Fortezza. Also, the TLS standardization process makes it much easier to define new cipher suites.
- In SSL to create a master secret, the message digest of the pre-master secret is used. In contrast, TLS uses a pseudorandom function to generate master secret.
- The SSL record protocol adds MAC (Message Authentication Code) after compressing each block and encrypts it. As against, TLS record protocol uses HMAC (Hash-based Message Authentication Code).
- The “No certificate” alert message is included in SSL. On the other hand, TLS removes alert description (No certificate) and adds a dozen other values.
- SSL message authentication unites key information and application data in an ad-hoc manner, created just for the SSL protocol. Whereas, the TLS protocol just relies on a standard message authentication code known as HMAC.
- In the TLS certificate verify the message, the MD5 and SHA-1 hashes are computed only over handshake messages. On the contrary, in SSL the hash calculation also include the master secret and pad.
- As with the finished message in TLS, created by applying the PRF to the master key and handshake messages. Whereas in SSL, it’s constructed by applying message digest to the master key and handshake messages.
Both SSL and TLS are protocols which serve the same purpose, providing security and encryption to your connection between TCP and applications. SSL version 3.0 was designed first then TLS version 1.0 was designed, which is the predecessor or the latest version of SSL which consist of all the SSL features but have some enhanced security features too.
Santosh Sah says
thanks for this post