Defending against attacks: To simulate the Secure Socket Layer (SSL) transmission between a user and a server
This experiment simplifies the SSL/TLS handshake to demonstrate the core concepts of establishing a secure channel.
Part 1: The Handshake - Establishing a Shared Secret Key
The first phase in SSL/TLS is the "handshake," where the client and server securely establish a shared secret key for encrypting their communication. Here's a simplified version of that process:
Initiate Connection: Begin a session by typing the following command on a terminal, using the server's IP address and port. This is analogous to a web browser starting a connection to a website.
openssl s_client -connect host:port
Server Authentication and Public Key Sharing: On a successful connection, the server sends a copy of its certificate, which contains its asymmetric public key. This key is public, and anyone can use it to encrypt messages for the server. However, only the server, with its corresponding private key, can decrypt them. You can view the public key file you received.
cat server_pubkey.pem
Client Generates the Session Key: The client now generates a random symmetric key. This key is called a session key because it will be used to encrypt all data for the remainder of this session.
openssl rand -hex 16 > sessionkey.txt
Take a look at this key. This is the secret that both client and server need to agree upon to communicate securely.
Client Encrypts the Session Key: To send the session key securely to the server, the client encrypts it using the server's public key (from step 2). This ensures that only the server can decrypt it.
openssl rsautl -encrypt -pubin -inkey server_pubkey.pem -in sessionkey.txt -out sessionkey.enc
Client Sends the Encrypted Key: The client sends the encrypted session key to the server. An eavesdropper cannot make sense of this data. This step is often called key exchange. In this particular method (RSA key transport), the "exchange" involves the client creating a key and securely transporting it to the server.
cat sessionkey.enc | nc host port
Server Decrypts the Session Key: The server receives the encrypted data and uses its private key to decrypt it, revealing the original session key created by the client.
openssl rsautl -decrypt -in sessionkey.enc -out sessionkey.txt -inkey server_privkey.pem
Shared Secret Achieved! Both client and server now possess the same secret session key. All subsequent communication can be encrypted and decrypted using this shared key. You can cat the decrypted file on the server side; it should be identical to the key generated by the client in step 3.
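The key transport steps above, run end to end on one machine, as an added example that is not part of the original lab. It generates its own RSA key pair in place of the server's certificate key, checks that a different private key does not recover the session key, and goes one step beyond Part 1 by encrypting a constructed message under the session key; the AES-128-CBC cipher choice, the function name ssl_lab_demo and the files sessionkey.srv, sessionkey.other, other_privkey.pem and msg.enc are assumptions.

```shell
#!/bin/sh
# Added example: offline run of the lab's RSA key transport, then one message
# protected with the session key. Extra file names and the message are constructed.

ssl_lab_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Server: RSA key pair standing in for the key inside the certificate.
        openssl genrsa -out server_privkey.pem 2048 2>/dev/null || exit 1
        openssl rsa -in server_privkey.pem -pubout -out server_pubkey.pem 2>/dev/null || exit 1

        # Client: 128-bit session key, encrypted with the server's public key.
        openssl rand -hex 16 > sessionkey.txt || exit 1
        openssl rsautl -encrypt -pubin -inkey server_pubkey.pem \
            -in sessionkey.txt -out sessionkey.enc 2>/dev/null || exit 1

        # Server: decrypt with the private key; result must match the client's copy.
        openssl rsautl -decrypt -inkey server_privkey.pem \
            -in sessionkey.enc -out sessionkey.srv 2>/dev/null || exit 1
        cmp -s sessionkey.txt sessionkey.srv || exit 2

        # A different private key must not recover the session key.
        openssl genrsa -out other_privkey.pem 2048 2>/dev/null || exit 1
        openssl rsautl -decrypt -inkey other_privkey.pem \
            -in sessionkey.enc -out sessionkey.other 2>/dev/null || true
        cmp -s sessionkey.txt sessionkey.other 2>/dev/null && exit 3

        # Client: encrypt one message with AES-128-CBC and a fresh random IV.
        # (Real TLS derives separate keys and also authenticates every record.)
        iv=$(openssl rand -hex 16)
        printf 'hello server' |
            openssl enc -aes-128-cbc -K "$(cat sessionkey.txt)" -iv "$iv" -out msg.enc || exit 1

        # Server: decrypt with its own copy of the key and print the plaintext.
        plain=$(openssl enc -d -aes-128-cbc -K "$(cat sessionkey.srv)" \
            -iv "$iv" -in msg.enc) || exit 4
        printf '%s\n' "$plain"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

ssl_lab_demo
```

A non-zero exit status identifies the failed check: 2 means the server's copy of the key differs from the client's, 3 means the other private key recovered the session key, 4 means the message did not decrypt.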
Part 2: Communicating over the Secure Channel
With a secure channel established, the client and server can now communicate.
To identify the host IP, the client will send a ping request to the server by executing the following command:
ping -c 3 IP_ADDRESS
To display the certificate info of the server, the client will execute the following command:
openssl x509 -in server.crt -text -noout
To quit the session, the client will execute the following command:
quit