SSL is on a Transport Layer or Application Layer

Erinkima

Hi All,

SSL is on a Transport Layer or Application Layer?


TLS is on a Transport layer which replaced the SSL. It make sense that it is on a SSL Layer. But on the user end, when a person access https://abc.def.com, the https here could refer to application layer.

Can anyone advise?

Any good website on OSI model for CISSP preparation

TheProfezzor

The following lie on the transport layer:

- TCP
- UDP
- SSL
- TLS
- SPX

When you access the website using your explorer, HTTP is at work on application layer. SSL is being used to encapsulate the HTTP traffic, at the transport layer. SSL at the transport layer encrypts the HTTP traffic coming from the application layer.

JDMurray

Just to note, you need to always specify if the context is the OSI model or the TCP/IP model.

In the TCP/IP model, all encryption and session management is in the Application Layer, and SSL uses TCP for Transport Layer services, so SSL is in the Application layer in the TCP/IP model.

In the OSI model it's less defined because encryption is in Layer 6 and session control is in Layer 5. HTTPS (layer 7) uses SSL and SSL (Layers 5/6) uses TCP (Layer 4). SSL negotiation actually starts in Layer 5 and the encrypted tunneling kicks in after the SSL handshake is successful, so I would call SSL an OSI Layer 5 protocol.

EasyPeezy

It is usually written TSL/SSL... Secure sockets live in the application layer and the TSL being the Transport live in the transport layer.

jonwinterburn

New to these forums (long time lurker) and currently studying for SSCP. Actually been studying CISSP on and off for 18 months, but decided to take the SSCP route first. It's more applicable to my job, and it'll prepare me for CISSP.

@JDMurray - I'm a little confused by your reply above. Having spent the last 3 days studying Crypto, I thought I'd nailed SSL/TLS. However, you say it's a layer 5/6 (OSI) protocol. I understood it to be layer 4/5 protocol, with the emphasis (from exam perspective) of layer 4, as per Shon's description in her AIO CISSP:

"SSL is made up of two protocols—one works in the lower portion of the session layer and the other works in the transport layer. For purposes of the CISSP exam, SSL resides in the transport layer."

Secondly, the acronym TLS would indicate that it operates primarily at layer 4.

I suppose the $64m question is: is it likely that a question will come up which requires a specific answer to which layer SSL resides in?

Thanks

Jon

JDMurray

My previous comment was only about SSL and not TLS. However, SSL and TLS are basically the same thing. TLS might have been called SSL 4.0 had it not changed to make it backward-incompatible with SSL, so the name had to be changed as well. This means that TLS and SSL must be in the same layer(s).

When I look at an SSL or TLS connection in a protocol analyzer, I see it riding on top of TCP. If TLS (or SSL) was its own transport protocol, there would be no TCP there, as only one transport protocol can be in use by a connection. One could say that a "transport layer security" mechanism does not need to reside directly in the transport layer, but instead can reside above it to encrypt the payload being transported. This means that a standard transport mechanism (TCP) can still be used and be more secure without needing to make changes to the Transport Layer. That sounds like a win-win to me.

teancum144

According to the AIO, 6th edition (p. 531), SSL and TLS work at the transport layer of the OSI model.

According to CISSP for Dummies (p. 259), "SSL operates at the Transport Layer (Layer 4) of the OSI model..."

JDMurray

...and there are many more resources that say SSL/TLS definitely are not in the Transport layer:

"SSL sits between the Application layer and the Transport layer, traditionally seen as part of the Presentation layer."

"The SSL/TLS library operates above the transport layer (uses TCP) but below application protocols."

"one of the most popular encryption schemes that is usually associated with the presentation layer is the Secure Sockets Layer (SSL) protocol."

"TLS/SSL is initialized at layer 5 (session layer) and works at layer 6 (the presentation layer). ...TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data."


Now, all that being said, what the OIG CISSP CBK says about SSL/TLS is what I would expect to see on the exam.

SuperISSO

Thanks for clearing this up. I kept reading different resources and choose transport layer. Then, I took an online course that stated its on the presentation layer. I was confused until reading your response.