michael_ch
On which Layer ( OSI ISO Model ) is SSL /TLS encryption working

Hello,

Can anyone explain on which layer (ISO OSI model) SSL, respectively TLS, is working?
For example, if I use a browser with HTTPS, does the browser do the encryption, or is the transport layer responsible for the encryption?
Krokky

The transport layer
FROM: http://www.networksecurityarchive.org/html/CISSP-Discussion/2004-11/msg00034.html 
"Great question. This question brings up the (once again) the point
that books are fallible. The short answer to your question is the SSL
(version 1 and 2) and called TLS in version 3. Is both layer 4 -
Transport and Layer 5 - Session.

The longer answer is that it is a bad question and shows a lack of
knowledge by the author.
1) The OSI model is a protocol stack model not THE protocol stack
model.
2) Many protocols do not map cleanly to the OSI stack. Some
protocols straddle the OSI boundaries (but would be at a single
layer in another model) and others include multiple protocols as
part of the protocol suite (such as SSL) and therefore map to
multiple OSI layers.
3) SSL is not a single layer protocol. In fact it comprises two
protocols: the record protocol that sits on top of TCP (layer 4) and
encapsulates other protocols; and the handshake protocol that is a
stateful protocol and sits at the session layer (layer 5).

Advice: If you see a question on this phrased such that the author
wants you to map SSL or TLS to the OSI stack narrow the answers down
to layer 4 or 5. If this leaves you with a single answer - go for
it. If it leaves two answers - take a guess. For your own knowledge
know that it is at those two layers.

BTW: I highly doubt the CISSP exam would include such a confused
question.
"
michael_ch

ASKER

Hi Krokky,

Thanks for your fast response. That's the same as I thought (until now ;-), but then I started to research and found the English Wikipedia entry, where SSL/TLS is assigned to the application layer (the 4-layer Internet model is used there):
http://en.wikipedia.org/wiki/Transport_Layer_Security

If I look at the German Wikipedia, SSL/TLS is on the transport layer there.

It's not really clear where the encryption is performed. A colleague who is working with JSSE (Java Secure Socket Extension) says that the JSSE implementation would perform the encryption, and that would put it on the application layer.

What do you think ?


Hi Neilsr,

Sorry, I read your answer only after I had already sent my next question. That would clarify many problems I had while trying to research, where I found some unclear information. Do you know of some good tutorials which
describe it at exactly that level (I don't mean the RFCs ;-)?
As you are discovering in your search, it is a little bit of a grey area. A bit like politics: it depends on who you ask as to what the answer is, BUT they ALL have the correct answer....
If you're studying for an exam then read the books published by the examining body. If it's just a general question then I think you have as accurate an answer as you are going to get.....
Hi,
I don't entirely agree with Neilsr.
I'll suggest you think of it in this way:
What is the purpose of having SSL/ TLS in place?
- Is it an application? No (Application Layer)
- Does it carry out any information formatting? No (Presentation Layer)
- Is it used for Session Management? Yes (Session Layer)
- Does it offer integrity checking or transmission acknowledgement? No (Transport Layer)

And I think we all agree that either SSL/ TLS don't belong to layers below transport layer, right?

The session layer is responsible for initiation, establishment, management and dissemination of sessions. This I believe is what SSL and TLS are used for.

I would hence say that SSL/ TLS encryption works on the Session Layer of the OSI model.

Expert comments welcome.

Warm regards,
Sarang
So you say that TRANSPORT Layer Security works on the session layer?
As I said earlier, it is a grey area that even the best academics can't agree on. Here is another reference from a university professor.
http://www.sis.pitt.edu/~jjoshi/IS2935/Lecture9.pdf 
sarangk_14:

" Does it offer integrity checking or transmission acknowledgement? No (Transport Layer)"
Well, that's the interesting thing.... SSL is NOT ONE protocol, it comprises two sub-protocols:

The SSL record protocol
The SSL handshake protocol

SSL Handshake  Protocol
Produces the cryptographic parameters of the session state: keys to use for encryption; encryption mode (block, stream, or null) to use; compression algorithm to use; hash function to use

SSL Record Protocol
Responsible for taking data from higher-layer protocols (including the handshake layer) and encrypting, compressing, and authenticating it.  
So is not the Handshake protocol at the session layer and the record Protocol at the transmission layer?
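The two sub-protocols named above are easy to see on the wire. The following added example (my own illustration, not code from any participant or from the page's sources) parses a constructed byte sequence the way a TLS endpoint reads it from its TCP socket: the record protocol frames every message in a 5-byte header directly above TCP, and the handshake protocol (here a ClientHello) is one kind of payload carried inside those records. Because TCP delivers a byte stream rather than messages, the parser also handles a record that has only partially arrived. The sample bytes, the 0x11 random field and the cipher suite choice are all constructed for the example.

```python
import struct

# TLS record-layer content types and handshake message types (RFC 2246 / RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}


def split_records(buf: bytes):
    """Record protocol: the layer directly above TCP.

    Each record is a 5-byte header (content type, protocol version, length)
    followed by exactly `length` payload bytes. TCP is a byte stream, so one
    read may stop in the middle of a record; the incomplete tail is returned
    so the caller can prepend it to the next read.
    """
    records = []
    pos = 0
    while len(buf) - pos >= 5:
        ctype, version, length = struct.unpack("!BHH", buf[pos:pos + 5])
        if len(buf) - pos - 5 < length:
            break  # partial record: wait for more bytes from the TCP stream
        records.append({
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": version,
            "payload": buf[pos + 5:pos + 5 + length],
        })
        pos += 5 + length
    return records, buf[pos:]


def parse_handshake(payload: bytes):
    """Handshake protocol: a message carried inside a 'handshake' record.

    Header is a 1-byte message type and a 3-byte body length. A ClientHello
    body is decoded further; other message types are only identified.
    """
    if len(payload) < 4:
        raise ValueError("handshake header truncated")
    htype = payload[0]
    hlen = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("handshake body truncated")
    msg = {"type": HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype), "length": hlen}
    if htype != 1:
        return msg
    version = int.from_bytes(body[0:2], "big")
    off = 34                                   # 2 bytes version + 32 bytes random
    sid_len = body[off]
    off += 1 + sid_len                         # length-prefixed session_id
    cs_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = body[off]
    compression = list(body[off + 1:off + 1 + comp_len])
    msg.update({"client_version": version, "session_id_len": sid_len,
                "cipher_suites": suites, "compression": compression})
    return msg


# Constructed sample of what a server would read from its TCP socket:
#  1. a handshake record carrying a ClientHello,
#  2. an application_data record whose payload the record layer treats as opaque bytes,
#  3. the first 6 bytes of an alert record that has not fully arrived yet.
SAMPLE_STREAM = bytes.fromhex(
    "16 0301 002f"              # record: handshake, legacy version 3.1, 47-byte payload
    "01 00002b"                 # handshake: client_hello, 43-byte body
    "0303"                      # client_version TLS 1.2
    + "11" * 32 +               # random (constant filler, constructed)
    "00"                        # session_id length 0: no resumption attempted
    "0004 c02f c030"            # cipher suites 0xC02F and 0xC030 (ECDHE-RSA AES-GCM)
    "01 00"                     # compression methods: null only
    "17 0303 0005 deadbeef00"   # record: application_data, 5 opaque bytes
    "15 0303 0002 02"           # record: alert, announces 2 bytes but only 1 has arrived
)


def decode_stream(buf: bytes):
    """Run both layers over a buffer and summarise what each one saw."""
    records, leftover = split_records(buf)
    summary = []
    for rec in records:
        if rec["type"] == "handshake":
            summary.append(parse_handshake(rec["payload"]))
        else:
            # The record layer only frames these bytes; after the handshake they
            # are ciphertext that only the TLS endpoint, not TCP, can interpret.
            summary.append({"type": rec["type"], "length": len(rec["payload"])})
    return summary, leftover


if __name__ == "__main__":
    msgs, rest = decode_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m)
    print("bytes waiting for the rest of a record:", len(rest))
```

Nothing here touches TCP itself: the kernel hands over a byte stream, and all framing, message typing and (after the handshake) decryption happen in the endpoint's own code, which is the practical reason the record protocol is usually placed just above the transport layer.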
@Neilsr:
If your last post was for me, I would like to ask which part of my post gave you the impression that I was suggesting that Transport Layer Security works on the session Layer?

The following link by Microsoft: http://technet.microsoft.com/en-us/library/cc784450%28WS.10%29.aspx states that "For TLS or SSL authentication to occur, there must be TCP/IP network connectivity between the client, and the target server."

We all know that in the OSI model, every layer is dependent on the layer above it and/ or the layer below it. Applying this logic, If TLS/ SSL are dependent on TCP (Transport Layer), it will belong to a layer, either higher or lower than Transport layer. I leave this part to your better judgement.

Even in the link provided by you, for the most of the time, it talks about SSL/ TLS being used for Negotiation, Handshake, Authentication, which I believe is the task for the session layer and not the transport layer.

Also request you to refer to: http://www.faqs.org/rfcs/rfc2246.html which clearly states in the Introductions section that "At the lowest level, layered on top of some reliable transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol."

It was based on this information that I deduced what I did.

Warm regards,
Sarang
I would also like draw everyone's attention to this paper (Understanding Security Using the OSI Model) published in the SANS reading room:
http://www.sans.org/reading_room/whitepapers/protocols/understanding_security_using_the_osi_model_377?show=377.php&cat=protocols

Section 8 deals with Session Layer Protocol.
That's fine, I like discussion :D
From the book: Optimizing Network Performance with Content Switching: Server, Firewall and Cache Load Balancing
Fitting SSL into the Seven Layer Model
In the concepts of the OSI Seven Layer Model as we saw in Chapter 2, Understanding Layer 2, 3, and 4 Protocols, SSL sits between the Application layer and the Transport layer, traditionally seen as part of the Presentation layer. This means that the use of SSL is selectively performed by each application rather than as a whole with encryption based in IPSec. This gives the client machine the ability to run secure services for certain applications only, while remaining impartial to the underlying Layer 3 and 4 services below. In comparison, IPSec, for example, can operate in a tunneling mode, which means that all traffic flowing to or from a particular address or range of addresses is encrypted right down to the IP layer. Within SSL, only the Application layer data is encrypted. Figure 3-10 shows the presence of SSL in the OSI model.
So here we have a different view again.
Well, it simply goes on to show that every book cannot be Bible. :D

May be, one of us ought to send this across to the writers of the book you mentioned:
http://www.thecertificationhub.com/networkplus/the_osi_ref_model.htm



Going back to the original post by michael_ch, I would like to reiterate my position that the transport layer is only responsible for facilitating data flow on the sessions established by the session layer and provide services such as packet sequence, delivery confirmation, resending packets, etc. It does not play any direct role in establishing sessions.

I don't mean to be harsh, but there is a reason why Application, Presentation and Session layers are referred to as Upper layers. (Transport, Network, Data-Link and Physical layers are called Lower layers)
ASKER CERTIFIED SOLUTION
Neil Russell
Ok. I checked the Studynotes.net link and here are a couple of observations:

1. Before anything else, let's get this clear - Encoding and Encryption is not one and the same thing. There are differences, subtle as they may be.
2. Same document, scroll below the diagram to the section beginning with "A look at each of the OSI layers , and the role it plays." The description of the session layer clearly mentions, "It performs name recognition and the functions such as security, needed to allow two applications to communicate over the network, also provides error handling."

Warm regards,
Sarang
Hello together,

First of all I want to thank you for your voluminous support.

@sarangk_14 and Neilsr:
I didn't want to create a conflict between you two ;-)

Perhaps I should explain the motivation behind the question.
We are testing the behaviour of our client under load. Therefore
we are using a load test tool (LoadRunner), which simulates the data stream
only on the protocol layer (not using the client itself).

We need to configure some network connection parameters
like TCP KeepAlive, SSLSessionTimeout, SSLSessionReuse for analysing the
behaviour under load. And now we need to know where these
parameters are to be configured, especially the SSL parameters.

As far as I know, the transport layer is working inside the kernel space, isn't it?
So, if SSL would work inside the transport layer, the operating system would be
responsible for encrypting the payload data, right so far?
Then I would search for some system calls to configure these SSL parameters. If it would work
above the transport layer then it would work in user space and I need to
build the client's SSL functionality manually.

I hope that clarifies the meaning behind my question.

Best regards

Michael
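The practical split the question above is after (which parameters are kernel socket options and which belong to the TLS library) can be shown without any network connection. This added example is my own illustration, not code from the thread or from LoadRunner: it uses Python's `ssl` module, which wraps OpenSSL inside the process, on top of a plain kernel TCP socket. TCP KeepAlive is a property of the kernel's TCP stack and is set with `setsockopt`, a system call; TLS version limits and the session object used for session reuse are attributes of the in-process `SSLContext`/`SSLSocket`. The hostname `loadtest.example` is a constructed placeholder. (A session timeout is an OpenSSL-level setting, `SSL_CTX_set_timeout`, that Python's `ssl` module does not expose, so it is not shown.)

```python
import socket
import ssl


def make_tcp_socket(keepalive_idle_s: int = 60) -> socket.socket:
    """Transport layer: a kernel TCP socket.

    TCP KeepAlive lives in the kernel's TCP stack, so it is configured with
    setsockopt (a system call) on the plain socket. The idle time before the
    first probe is platform specific; TCP_KEEPIDLE exists on Linux.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, keepalive_idle_s)
    return sock


def make_tls_context() -> ssl.SSLContext:
    """Above transport: TLS settings live in the user-space library.

    Python's ssl module is a wrapper around OpenSSL linked into this process.
    Protocol version limits, certificate checking and (after a handshake) the
    SSLSession object used for session reuse are all configured here, never
    through a socket option.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_layers(server_hostname: str = "loadtest.example") -> dict:
    """Wrap the kernel socket with TLS without connecting anywhere.

    server_hostname is a constructed placeholder; no handshake is performed.
    """
    ctx = make_tls_context()
    tls_sock = ctx.wrap_socket(make_tcp_socket(), server_hostname=server_hostname,
                               do_handshake_on_connect=False)
    try:
        return {
            # Still a kernel socket underneath: the option is readable through it.
            "tcp_keepalive": tls_sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) == 1,
            # The TLS state is an object in this process, not in the kernel.
            "tls_in_userspace": isinstance(tls_sock, ssl.SSLSocket),
            "min_version": tls_sock.context.minimum_version.name,
            # No handshake yet, so nothing to reuse. After a completed handshake,
            # tls_sock.session can be assigned to a new SSLSocket (before its own
            # handshake) to request resumption: that is where SSLSessionReuse lives.
            "session_to_reuse": tls_sock.session,
        }
    finally:
        tls_sock.close()


if __name__ == "__main__":
    for key, value in describe_layers().items():
        print("%-18s %s" % (key, value))
```

For a load test that drives the protocol directly, this is the division to expect in any stack: keepalive and similar transport settings go through socket options, while everything about SSL sessions is configured on whatever TLS library the tool links in.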
hehe No friction on my part. Was just pointing out that there is NO set answer on this one. Lots of people have lots of differing ideas as to where SSL sits within the OSI model. And when I say lots of "people" I don't mean Joe Bloggs, I mean real technical geniuses and members of the scientific and computing community.
As you pointed out, SSL can be a library that is compiled into an application, how is that fitting into the transport layer?
I just like to provoke thought and discussion some days ;)
N.
There is no friction on my part, either.
All I was pointing out is that once the guys who were working on TLS (the RFC mentioned in my other post) say that it sits on top of the transport layer, which automatically makes it part of the session layer, and Microsoft says the same, it really shouldn't matter what anyone else says.

@Neilsr: Thought provoking, I like. You made me look at places I wouldn't have otherwise.
But, RFC, Microsoft, SANS against Studynotes, Optimizing Network Performance with Content Switching: Server, Firewall and Cache Load Balancing and some lecture slides which mostly deal with IPSec and such stuff?

As I said yesterday, which one would you believe more?
I don't think SSL can be taken care of at the OS level. It's the application that will have to handle encryption.
Hi sarangk_14,

In the meanwhile I believe too that it makes more sense to locate SSL/TLS on the session layer (hence in user space). Especially since there are protocols like DTLS (UDP-based SSL, e.g. used for VoIP). UDP is definitely without session handling, but SSL uses session handling.

But it is not natural that user space is responsible for encryption. So IPsec is located on the IP layer (kernel layer), isn't it? And so I thought in the past that TLS is located in kernel space too (especially as there is much information which agrees with that opinion). S-HTTP was the only encrypting protocol which I assigned to the application layer (ISO OSI and TCP/IP design).

Perhaps the misunderstandings depend on the differences between the two designs of network layers (ISO OSI 7 layers and TCP/IP 4 layers).

On the other hand I found other information about the subject of TCP-over-TCP meltdown which I don't understand until now (http://www.sslftp.com/sslvpn.asp). By the way, the article affirmed that SSL is working in user space ;-)

In a nutshell: if you are interested in a further discussion, I would keep this case alive. Otherwise I would recommend closing this case and opening a new case with a question about the TCP-over-TCP meltdown subject.
Would you agree to split the points 250 to 250? Independent of the sentences, it shows that there are many obscurities on this subject.
What do you think?
Yes, I fully agree with you there. I am ok to split the points as well.

Warm regards,
Sarang
We could keep this discussion alive in the lounge or the experts lounge sections of EE.

What do you and Neilsr say?
Hi sarangk_14,

I'm very sorry for my very long absence, but a bigger task package is occupying me completely.
So I will close this case, although this issue seems very interesting, especially the source of the misunderstandings of the layer mapping.

Thanks again for your help and best regards,

Michael