Zilog EZ80F91AZA User Manual

UM020107-1211

SSL Handshake Protocols

ZTP Network Security SSL Plug-In

User Manual

12

ple of the block size. The block cipher algorithm uses a key to convert the plain text blocks
into cipher text blocks on a block-by-block basis.

Hash Function.

A hash function takes an arbitrary amount of input data and produces a

fixed-sized hash, or digest, of the message. Cryptographic hash functions are one-way
functions. It is impossible to determine the original message from a hash of that message.
Hashes are commonly used in digital signatures and message authentication codes.

Message Integrity.

Prior to encrypting an SSL data record, the SSL protocol computes a

one-way hash on the data in the record as well as on the state information pertinent to the
SSL session (secret key + message sequence number). The output of the hash function is
called a message authentication code. If only the originator and intended recipient of the
message know the correct state information used to compute the hash, then it is unlikely
that an attacker can modify the message in transit without the recipient detecting an error
on the MAC.

X.509 Certificate.

The SSL protocols require that the server have a certificate that is

passed to the client for authentication purposes. The X.509 standard specifies the format
of information in the certificate. The certificate contains information such as the identity
of the server to which the certificate was issued, a time period over which the certificate is
valid, the server’s public key, the identity of the certificate issuer, and a digital signature of
the certificate generated by the issuer. The signature is created using a hash of the certifi-
cate and encrypted using an asymmetric cipher with the issuer’s private key.

If a client has the issuer’s public key (which can also be in the certificate), then the client
can validate the signature and verify the identity of the server. When the server proves that
it is in possession of the private key corresponding to the public key in the certificate, the
client trusts the server and begins exchanging sensitive data.

The X.509 certificate is specified using a platform independent data modelling language
called abstract syntax notation (ASN.1). Encoding of data values in the actual certificate
follows ASN.1 distinguished encoding rules (DER format).

Optionally, the SSL protocols allow the server to request a certificate from the client so
that it can authenticate the client. However, few clients are likely to have valid certificates,
and the server does not request a certificate from the client. The ZTP Network Security
SSL Plug-In SSL server does not support client authentication, nor does it request a certif-
icate from the client.