I am developing an Android app which need to consume .Net webservices over SSL which I have no experience in. Now I am looking for some guidance and explanation on SSL handshake and certificates.

Note: the server is using IP address and NOT domain name. It is an intranet application.

So far I have created a certificate(called self-signed?) in web server from IIS 7. To consume it from Android app, I found two ways of doing it :

1). Embedded the certificate in the app (Which certificate? How do I get it?)

2). Trust all the certificates ( ppl said there is security issue with this approach, could you elaborate more? Does it still do the handshake?)

CERTIFICATES:

How many type of certificates are there in the handshake and what are they?

Does self-signed certificate have root certificate? If yes, how can i get them?

Is it possible to move/copy the self-signed certificate from one server to another?

HANDSHAKE:

First of all, is this process correct?

The SSL handshake process(copied from a website) is described below:

1. The client initiates the SSL handshake process by sending a URL starting with the following: https:// to the server.

2. The client initially sends the Web server a list of each encryption algorithm which it supports. Algorithms supported by SSL include RC4 and Data Encryption Standard (DES). The client also sends the server its random challenge string which will be utilized later in the process.

   Will the embedded cert be sent in here?

3. The Web server next performs the following tasks:

   Selects an encryption algorithm from the list of encryption algorithms supported by, and received from the client.

   Sends the client a copy of its server certificate.

   Sends the client its random challenge string

4. The client utilizes the copy of the server certificate received from the server to authenticate the identity of the server.

5. The client obtains the public key of the server from the server certificate.

6. The client next generates a premaster secret. This is a different random string which will in turn be utilized to generate the session key for the SSL session. The client then encrypts a different value called the premaster secret using the public key of the server, and returns this encrypted value to the server. This is accompanied with a keyed hash of the handshake messages, and a master key. The hash is used to protect the messages exchanged in the handshake process. The hash is generated from the former two random strings transmitted between the server and the client.

   What is a master key?

7. The server sends the client a keyed hash of all the handshake messages exchanged between the two parties so far.

   What is this keyed hash made from?

8. The server and the client then generate the session key from the different random values and keys, and by applying a mathematical calculation.

9. The session key is used as a shared secret key to encrypt and decrypt data exchanged between the server and the client.

The session key is discarded when the SSL session either times-out or is terminated.

I'll try to answer to the best of my knowledge here

• Embedded the certificate in the app (Which certificate? How do I get it?) This the certificate identifying the client's/app identity. You can either get it through CA or self signed. This certificate will be used by the server to verify the client's/app identity

• Trust all the certificates ( ppl said there is security issue with this approach, could you elaborate more? Does it still do the handshake?) It still does the handshake but it doesn't do the certificate validation which is dangerous unless you are connecting internally (which seems you are). Trusting all certificate means an entity can claim as someone who they are not and thus could obtain confidential information from the users.

• How many type of certificates are there in the handshake and what are they? In handshake you have the server's certificate and optionally the client certificate (for two factors authentication)

• Does self-signed certificate have root certificate? If yes, how can i get them? Root certificate as far as I know means the ones that identifies by CA itself and thus it has no else to sign it. As your identity can still be verified and needs to be signed by CA, yours would not be classified as root certificate

• Is it possible to move/copy the self-signed certificate from one server to another? The short answer is yes though the procedures from one platform to the others are different. Check [this link)(http://www.sslshopper.com/how-to-move-or-copy-an-ssl-certificate-from-one-server-to-another.html), it has instructions to copy certificate for few platforms

• Will the embedded cert be sent in here? No, the embedded (client's) certificate is sent after validation of the server's identify is complete

• What is a master key? Master key is the key that is used to derived the session key for later communication. It is also used to hash the messages and to verify authenticity of the messages in the next set of stages

• What is this keyed hash made from? It's made from the master key sent by the client. In order to verify all messages, the server sent all messages that have been passed and hashed it with the master key. The client will hashed its messages as well with the same key and then compared with the data sent by the server. Only when the hash matches then we could be sure we are still communicating with the same server