The secure socket layer (SSL) is an open protocol originally developed by Netscape Communications for securing data communications across computer networks. Also it has been universally accepted on the World Wide Web for authenticating and encrypting communication between clients and servers. As we all know the World Wide Web is growing in popularity, more organizations and individuals are seeing the Web as an efficient, inexpensive means of distributing information, services and products. Companies must therefore provide a reasonable level of security in their e-commerce activities.
The SSL protocol runs below the application layer and above transport layer, and it uses TCP/IP on behalf of the application protocols.
กก
This protocol allows an SSL-enabled server to authenticate itself with an SSL-enabled client, and also allows the client to authenticate itself with the server. Thus both client and server can establish a connection for encrypting messages. These capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks. Thus three important features that SSL protocol provides are as following:
Allows a user to confirm a servers identity. This is very important, since users dont want to send out our personal information, such as credit card numbers to an illegitimate web server. Therefore SSL-enabled client software can use standard techniques of public key cryptography to check if a servers certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the clients list of trusted CAs. A Certification Authority is a trusted authority responsible for issuing certificates used to identify a community of individuals, systems or other entities, which make use of a computer network.
Not only do clients want to check a servers identity; sometimes a server also would like to check a clients identity before it sends out information to that client. SSL client authentication allows a server to confirm a users identity by using the same techniques as those used for server authentication.
After both server and client confirm each others identity, an encrypted SSL connection will be established, which means all information sent between the client and the server is encrypted. An encrypted connection between a client and a server is required, because even though both server and client have been confirmed each others identity, but there is still a possibility that during the process, information might be intercepted by a third party. If the information is encrypted before it is sent out, it will remain protected until received by the server or the client. SSL also provides a mechanism for determining whether the data has been altered during this transition.
The SSL protocol includes two sub protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format that is used to transmit data, which is used for all SSL communications and by both the client and the server at all, times. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL enabled client, when they first establish an SSL connection.
In SSL, all data sent is encapsulated in a record, an object that is composed of a header and some non-zero amount of data. Each record header is either a two or three byte length. If the most significant bit is set in the first byte, then the header has two bytes; otherwise the record has three bytes.
The data portion of an SSL record is composed of three components:
ACTUAL-DATA is the actual data being transmitted, which means the message before encryption. After the message is encrypted, the PADDING-DATA will shows the cipher block size. The MAC-DATA is some data computed by an encryption algorithm, which will be added to the actual data being transmitted to prevent hackers from reading the encrypted message. A MAC message is 40 or 128 bit long, which would make it impossible to try to figure out what the right MAC is. The odds of guessing are 2 to the power of 128. Thus it prevents hackers send out faked message, because they can not decrypt the MAC information. The general process to make a SSL record is as follows:
The handshake allows the server to authenticate itself to the client using public-key techniques. Conversely, it can also allow the client to authenticate itself to the server.
Following steps shows what happens during a handshake:
4. After all the above verification process is complete (if the server asked a client for
authentication, then client sends all the information that the server needs, the server
then checks the clients identity by using similar steps above), the client will send the
server a premaster Secrete, which is 48 byte information. Then both the server and
the client uses that to create an another 48 byte long message called master secrete.
They both use this master secrete to generate a pair of session keys known as
symmetric keys. In the beginning of the handshake, the client and the server both
exchange each others SSL setting, so they know each others encryption algorithm,
which will be set to the same at the end. Then because they both use a same
premaster secrete to generate a master secrete, therefore the master secrete they
generate should be the same, then they use the same master secrete to generate a pair
of session keys, which is also the same at the end. Thus the server and the client can
encrypt and decrypt each others messages. Another more important issue about the
session keys is that because each time the premaster and master secrete will be
regenerated, the session keys will be different each time they get generated. The
advantage to this is that you do not have to worry about too much security for the
session keys since each will be different.
5. After all the above is complete, the server and the client will notify each other, then
they can start to communicate with each other by encrypting and decrypting
messages using the session keys.
Overall, SSL provides you a secure way to exchange information through the internet. We also see most keys range from 40 to 1,024 digits long, with these long lengths it will take very long time to break the key, and if the number of digits in the key gets longer, then the number of possible combinations grows into the trillions. SSL protocol, like any other protocol is designed to work with the existing network protocols. After initiating the security handshake, to start a TCP/IP connection, SSLs only role is to encrypt and decrypt the byte stream of the application protocol being used. Thus SSL may operate independently of the Internet application and connection protocols. There are many companies using SSL enabled products and supporting the SSL protocol for Internet security. Some of the companies that are supporters of the SSL protocol are: Apple Computer., Bank of America, Delphi Internet Services Corporation, IBM, MasterCard, Novell Inc., Microsoft Corporation, MCI Communications Corp., Sun Microsystems, Inc. and Visa International.
กก
กก