4.11) What is the difference between SSL 2.0 and 3.0?




This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel SAppel@consensus.com with numerous contributions by others.

Security improvements:

1. SSL 2.0 is vulnerable to a "man-in-the-middle" attack. An
active attacker can invisibly edit the list of ciphersuite
preferences in the hello messages, forcing both client and
server to use 40-bit encryption. SSL 3.0 defends against this
attack by having the last handshake message include a hash of all
the previous handshake messages.

2. SSL 2.0 uses a weak MAC construction, although post-encryption
seems to stop attacks. This is fixed in 3.0.

3. SSL 2.0 feeds padding bytes into the MAC in block cipher modes,
but leaves the padding-length field unauthenticated, which could
allow active attackers to delete bytes from the end of messages.
This, too, is fixed in 3.0.

4. In SSL 3.0, the Message Authentication Hash uses a full 128 bits
of keying material, even when using an Export cipher. In SSL 2.0,
Message Authentication used only 40 bits when using an Export
cipher.
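
An added example (not part of the original FAQ) for item 1: the SSL 3.0 Finished computation as specified in RFC 6101, run over a constructed, simplified handshake to show that an edited hello no longer verifies. The message encodings, the master secret and the helper names hello and server_accepts are assumptions made for illustration.

```python
import hashlib
import hmac

# Pad bytes and sender labels as defined for SSL 3.0 Finished (RFC 6101, 5.6.9).
PAD1, PAD2 = b"\x36", b"\x5c"
SENDER_CLIENT, SENDER_SERVER = b"CLNT", b"SRVR"


def finished_hash(master_secret, handshake_messages, sender):
    """Return md5_hash || sha_hash computed over every handshake message so far."""
    out = b""
    for algo, npad in (("md5", 48), ("sha1", 40)):
        inner = hashlib.new(
            algo, handshake_messages + sender + master_secret + PAD1 * npad
        ).digest()
        out += hashlib.new(algo, master_secret + PAD2 * npad + inner).digest()
    return out


def hello(suites):
    """Constructed stand-in for a ClientHello; not the real wire encoding."""
    return b"client_hello|" + b",".join(suites)


def server_accepts(sent_hello, received_hello, master_secret=b"\x0b" * 48):
    """Check the client's Finished against the transcript the server saw."""
    # The server picks the first suite in the list it actually received.
    server_hello = b"server_hello|" + received_hello.split(b"|")[1].split(b",")[0]
    client_finished = finished_hash(
        master_secret, sent_hello + server_hello, SENDER_CLIENT
    )
    expected = finished_hash(
        master_secret, received_hello + server_hello, SENDER_CLIENT
    )
    return hmac.compare_digest(client_finished, expected)


# Constructed sample: the client offers a strong suite and an export suite.
OFFERED = hello([b"SSL_RSA_WITH_RC4_128_MD5", b"SSL_RSA_EXPORT_WITH_RC4_40_MD5"])
# The same hello after the in-transit edit item 1 describes (export suite only).
EDITED = hello([b"SSL_RSA_EXPORT_WITH_RC4_40_MD5"])

if __name__ == "__main__":
    print("untouched hello accepted:", server_accepts(OFFERED, OFFERED))
    print("edited hello accepted:   ", server_accepts(OFFERED, EDITED))
```

SSL 2.0 has no equivalent check, so the same edit would pass unnoticed there.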

Functionality improvements:

1. In SSL 2.0, the client can only initiate a handshake at the
beginning of the connection. In 3.0, the client can initiate a
handshake routine, even in the middle of an open session. A server
can request that the client start a new handshake. Thus, the
parties can change the algorithms and keys used whenever they want.

2. SSL 3.0 allows the server and client to send chains of
certificates. This allows organizations to use a certificate
hierarchy that is more than two certifications deep.

3. SSL 3.0 has a generalized key exchange protocol. It allows
Diffie-Hellman and Fortezza key exchanges and non-RSA certificates.

4. SSL 3.0 allows for record compression and decompression.

Backward compatibility:

1. SSL 3.0 can recognize an SSL 2.0 client hello and fall back to
SSL 2.0. An SSL 3.0 client can also generate an SSL 2.0 client
hello with the version set to SSL 3.0, so SSL 3.0 servers will
continue the handshake in SSL 3.0, while an SSL 2.0 server will
cause the client to fall back to SSL 2.0.

Other:

1. SSL 3.0 separates the transport of data from the message layer.
In 2.0, each packet contained only one handshake message. In 3.0, a
record may contain part of a message, a whole message, or several
messages. This requires different logic to process packets into
handshake messages. Therefore, the formatting of the packets had to
be completely changed.

2. Cipher specifications, handshake messages, and other constants
are different.

 
