SSL

Secure Sockets Layer

Protocol
Introduced in R99
A cryptographic protocol designed to provide secure communication over a computer network, notably the Internet. It ensures privacy, authentication, and data integrity between two communicating applications, such as a web browser and a server.

Description

Secure Sockets Layer (SSL) is a protocol layer that operates above the TCP transport layer to provide security services for application protocols such as HTTP, forming HTTPS. Its primary objective is to establish an encrypted link between a client and a server, ensuring that all data passed between them remains private and unaltered. The protocol begins with a handshake phase, in which the client and server authenticate each other (in practice, often the server only) and negotiate the cryptographic algorithms and session keys to be used. This is followed by the record protocol phase, in which application data is encrypted, authenticated with a Message Authentication Code (MAC), and transmitted.

Architecturally, SSL (and its successor, TLS) is implemented as a shim between the application layer and the transport layer. In 3GPP specifications, SSL is referenced as a method for securing various interfaces, particularly for operations and management (O&M) traffic, user plane data in certain bearers, or for securing web-based interfaces of network elements. The protocol uses a combination of asymmetric cryptography (like RSA or Diffie-Hellman) for key exchange and authentication, and symmetric cryptography (like AES or 3DES) for bulk data encryption. A critical component is the use of X.509 digital certificates issued by a Certificate Authority (CA) to verify the identity of the communicating parties.

Within a 3GPP network, SSL might be deployed to secure the HTTP-based interfaces used for device management (e.g., OMA DM), to secure communication between a User Equipment (UE) and a network-based application server, or to protect management traffic to and from network elements such as eNBs or MMEs. The protocol supports session resumption, which improves performance by avoiding a full handshake for repeated connections. SSL v3.0 was the last version of the original SSL protocol. It has been largely deprecated and replaced by Transport Layer Security (TLS), which is based on SSL but includes security improvements; TLS is the term more commonly used in later 3GPP releases, though the functional concept remains the same.
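The record protocol and handshake described above, and the deprecation of SSL 3.0, can be illustrated with an added example that is not part of this glossary entry: a small parser that reads the record header and ClientHello of a handshake message and flags any client still offering SSL 3.0 or older. The sample records are constructed in the code rather than captured traffic; `build_client_hello` and `assess` are helper names chosen here.

```python
import struct

CONTENT_HANDSHAKE = 0x16          # record-layer content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01     # handshake message type for ClientHello

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",            # TLS 1.3 also uses 0x0303 in these legacy fields
}

def build_client_hello(version, cipher_suites):
    """Build a minimal ClientHello record (constructed test data, not a real capture)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + b"\x00" * 32       # client_version + 32-byte random
            + b"\x00"                                        # empty session_id (no resumption)
            + struct.pack("!H", len(suites)) + suites        # offered cipher suites
            + b"\x01\x00")                                   # compression methods: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)

def parse_client_hello(record):
    """Return (record_version, client_version, cipher_suites); raise ValueError on malformed input."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or len(record) - 5 < rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # skip client_version and the random field
    sid_len = body[pos]; pos += 1 + sid_len    # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return rec_ver, client_ver, suites

def assess(record):
    """Classify a ClientHello as 'deprecated' (SSL 3.0 or older) or 'ok', with version name and suites."""
    _, client_ver, suites = parse_client_hello(record)
    name = VERSION_NAMES.get(client_ver, f"unknown 0x{client_ver:04x}")
    return ("deprecated" if client_ver <= 0x0300 else "ok"), name, suites
```

Running `assess` over a ClientHello built with version 0x0300 returns "deprecated", while one built with 0x0303 returns "ok"; the same check can be applied to the first bytes of any inbound connection on an O&M or HTTPS interface to inventory clients that still negotiate SSL 3.0.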

Purpose & Motivation

SSL was created to address the fundamental lack of security in early Internet protocols, which transmitted data, including sensitive information like passwords and credit card numbers, in plaintext. Its development was motivated by the need for e-commerce and secure online transactions in the 1990s. For 3GPP networks, incorporating SSL (and later TLS) provided a standardized, widely implemented method to secure data communications that traverse potentially untrusted networks, such as the public internet between a UE and a service provider or between network operators' management systems.

The protocol solved the key problems of eavesdropping, tampering, and message forgery for IP-based services offered over mobile networks. Before widespread use of SSL/TLS, securing application data required proprietary solutions or was neglected, leaving services exposed. In the 3GPP context, as networks began offering IP-based multimedia services (IMS), device management, and later web-based APIs for network management, adopting a well-known security protocol like SSL ensured interoperability and a high level of assurance. It addressed limitations of lower-layer security such as IPsec, which can be more complex to deploy for specific application flows, and provided a familiar security model for application developers.

Key Features

  • Provides encryption for data confidentiality using symmetric ciphers
  • Ensures message integrity through keyed Message Authentication Codes (MACs)
  • Supports server authentication (and optional client authentication) via X.509 certificates
  • Negotiates cryptographic parameters through a defined handshake protocol
  • Allows for session resumption to reduce connection setup overhead
  • Operates transparently to the application layer above it

Evolution Across Releases

R99 Initial

Initially referenced in 3GPP specifications as a method for securing data connections, particularly for IP-based services and management interfaces. The initial architecture leveraged SSL v3.0 to provide a secure tunnel for application data, with specifications detailing its use for protecting O&M traffic and certain user plane bearers.

Defining Specifications

Specification    Title
TS 22.112        3GPP TS 22.112
TS 23.057        3GPP TS 23.057
TS 23.280        3GPP TS 23.280
TS 23.379        3GPP TS 23.379
TS 23.700        3GPP TS 23.700
TS 31.112        3GPP TR 31.112
TS 32.101        3GPP TR 32.101
TS 32.583        3GPP TR 32.583
TS 32.593        3GPP TR 32.593
TS 43.901        3GPP TR 43.901