GLS, short for Goswell Layer Security, is a secure communication protocol developed by the Goswell company to address the problems of current secure connection protocols.
These problems originate in the key exchange protocol, which negotiates the encryption key for the session between client and server. That negotiation exposes the secure connection to several active attacks. GLS solves this problem by using a piece of information already known to both parties of the connection: the user's password. It derives a key from the password and uses it as the encryption key. This way:
- The user's password never travels over the network and still provides authentication for the server. If the password is wrong, the server will not be able to decrypt the message sent by the user and the login will fail.
- There is no key negotiation: both parties already know the key, which makes active attacks like SSLStrip useless.
The original purpose of the key exchange protocol was to have a different encryption key for every session, making it harder for an attacker to decrypt the communication. Since neither the password nor the encryption key travels over the network, using a single key does not create a security risk. Under these conditions, only an exhaustive key search attack, also known as brute force, is theoretically possible. Brute-forcing 256-bit AES encryption will take hundreds of years.
« AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second (if such a device could ever be made - as of 2012, supercomputers have computing capacities of 20 Peta-FLOPS, see Titan. So 50 supercomputers would be required to process (10^18) operations per second) would in theory require about 3×10^51 years to exhaust the 256-bit key space. » - Wikipedia
To make the server's search for the password easier, the client first sends a plaintext message stating the user's ID. All messages following this one will be encrypted.
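
The login exchange described above, sketched in Go as an added example (it is not Goswell's code). The page names only a password-derived key and 256-bit AES; the iterated SHA-256 stretch, the salt string, AES-GCM, the wire layout, the sample account and the names `newAEAD`, `clientSeal` and `serverOpen` are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed account store; the page only says both sides know the password.
var passwords = map[string]string{"alice": "correct horse battery staple"}

// newAEAD stretches the password into a 256-bit key and wraps it in AES-GCM.
// Iterated SHA-256, the salt and GCM are assumptions; prefer PBKDF2, scrypt or Argon2.
func newAEAD(password, userID string) cipher.AEAD {
	key := sha256.Sum256([]byte("gls-demo\x00" + userID + "\x00" + password))
	for i := 0; i < 100000; i++ {
		key = sha256.Sum256(key[:])
	}
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)
	return aead
}

// clientSeal encrypts msg; the user ID is sent in clear and bound as associated data.
func clientSeal(userID, password, msg string) []byte {
	aead := newAEAD(password, userID)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, []byte(msg), []byte(userID))
}

// serverOpen decrypts with the stored password; a failed tag check is a failed login.
func serverOpen(userID string, wire []byte) (string, error) {
	pw, known := passwords[userID]
	aead := newAEAD(pw, userID) // same work and same error for unknown IDs
	if n := aead.NonceSize(); known && len(wire) >= n+aead.Overhead() {
		if pt, err := aead.Open(nil, wire[:n], wire[n:], []byte(userID)); err == nil {
			return string(pt), nil
		}
	}
	return "", errors.New("login failed")
}

func main() { fmt.Println(serverOpen("alice", clientSeal("alice", "wrong password", "hello"))) }
```

The key is only as strong as the password it is derived from, which is why the derivation step is deliberately slow.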