How Three Way Handshake work and what is it’s purpose?
If you are studying on Cyber Security, Networking or any network/computer related branch, you may heard something like Three Way Handshake. Well, at least I heard it and I started searching up.
So what is it?
It is a method to make secure connection between server and client within TCP protocol. But when I said “secure” that was not what you thought. It prevents connection between attacker, who create custom network packet with false IP address, and victim machines.
Well, How does it do that?
In order to explain that, we should learn what is Sequence number, SYN and ACK means.
- SYN(Synchronize): Initiates a connection. It is a flag/bit in the TCP Header.
- ACK(Acknowledment): Acknowledges received data. It is a flag/bit in the TCP Header.
- Sequence Number: Sequence number(obviously). If SYN flag is set, then this is the initial sequence number. It could be between __ to 4,294,967,295 (2^32). So It’s very hard to guess.
- Acknowledment Number: 32 Bit number field which indicates the next sequence number that the sending device is expecting from the other device.
- FIN: Terminates a connection.
Let’s take a look how computers connect each other.
First, client sends a TCP packet with_ SYN=1, ACK=0 and ISN(Sequence Number)= 5000_. Do not forget, sequence number is random and it could be between 0 to 4,294,967,295.
This packet means “I want to make connection”.
Next, server receive client’s packet and if it’s okay to make connection, server send TCP packet to client with SYN=1, ACK=1, ISN=1000(It’s server’s own sequence number.), ACK Number=5001(5000+1). Otherwise, server sends TCP packet with RST/ACK flags set to terminate connection.
This packet means “You want to make connection and I am okay with this. You send me TCP packet with ISN=5000 and I am sending you my sequence number(ISN=1000)”.
Note: In the picture (Flag[S.]), “.” means ACK flag.
And the finally client receive server’s packet and sends TCP packet with SYN=0, ACK=1, ISN=5001, ACK Number=1001.
This packet means “Everything okay. Connection is established. From now on we can send data to each other with ISN and ACK Number”.
That’s why it is called “3 way Handshake”.
So, once again. Why it’s called secure connection?
Let’s make a scenario. Attacker want to make connection between victim and server. Attacker create custom TCP packet with victim’s IP address and send to server. For now everythings fine. But server create own ISN(Sequence number) and send it to victim. Attacker doesn’t know what is server’s sequence number and because of sequence number is 32bit(very high number), attacker can’t guess or brute force it. So attacker can’t make connection between victim and server. (Except man in the middle attacks)