SSL is an acronym for Secure Sockets
Layer, a global standard security
technology developed by Netscape in 1994. SSL is all about
encryption. It creates an encrypted link between a web server and a web
browser. The link ensures that all data passed between the web server and
browser remains private and secure. Millions of consumers recognise it by the
secure padlock which appears in their browser.
The SSL protocol is used by e-Businesses globally to protect their customers,
ensuring their online transactions remain confidential.
In order to be able to use the SSL protocol, a web server requires the use of
an SSL Certificate. Certificates are provided by Certification
Authorities (CAs), who in most cases also offer additional products and services
to help e-Businesses demonstrate that they are trustworthy. Consumers have
grown to associate the 'golden padlock' that appears within their
browser display with trust in the web site. This simple fact allows
e-Business providers an opportunity to leverage that increased trust level to
turn visitors into paying customers - so long as you know which type to choose.
SSL is about creating trust. Trust
that your communications are not intercepted and, in the case of higher
verification, assurance that you are communicating with a trustworthy party. The
Internet has successfully created many new global business opportunities for
enterprises conducting online commerce. However, that growth has also attracted
fraudsters and cyber criminals. Today's fastest growing threat is Phishing.
This is where a fraudulent web site impersonating a legitimate business
attempts to woo unsuspecting visitors into divulging personal information. The
increasing awareness of this problem has presented an opportunity for
e-commerce providers to capitalize on consumer fears by displaying trust
indicators. Just like the real world, people need to
be confident before they proceed down an unknown path.
SSL Architecture
SSL is designed to make use of TCP to
provide a reliable end-to-end secure service. SSL is not a single protocol but
rather two layers of protocols. The SSL Record Protocol provides basic security
services to various higher layer protocols. In particular, the Hypertext
Transfer Protocol (HTTP), which provides the transfer service for Web
client/server interaction, can operate on top of SSL. Three higher-layer
protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher
Spec Protocol, and the Alert Protocol. These SSL-specific protocols are used in
the management of SSL exchanges and are examined later in this section.
Two important SSL concepts are the SSL
session and the SSL connection, which are defined in the specification as
follows.
1 Connection: A connection is a transport (in the OSI
layering model definition) that provides a suitable type of service. For SSL, such connections
are peer-to-peer relationships. The connections are transient. Every connection
is associated with one session.
A connection state is defined by the
following parameters.
Server and client random: Byte sequences that are chosen by the server and
client for each connection.
Server write MAC secret: The secret key used in MAC operations on data sent by
the server.
Client write MAC secret: The secret key used in MAC operations on data sent by
the client.
Server write key: The secret encryption key for data encrypted by the server
and decrypted by the client.
Client write key: The symmetric encryption key for data encrypted by the client
and decrypted by the server.
Initialization vectors: When a block cipher in CBC mode is used, an
initialization vector (IV) is maintained for each key. This field is first
initialized by the SSL Handshake Protocol. Thereafter, the final ciphertext
block from each record is preserved for use as the IV with the following record.
Sequence numbers: Each party maintains separate sequence numbers for
transmitted and received messages for each connection. When a party sends or
receives a change cipher spec message, the appropriate sequence number is set
to zero. Sequence numbers may not exceed 2^64 – 1.
2 Session: An SSL session
is an association between a client and a server. Sessions are created by the
Handshake Protocol. Sessions define a set of cryptographic security parameters
which can be shared among multiple connections. Sessions are used to avoid the
expensive negotiation of new security parameters for each connection.
There are a number of states associated
with each session. Once a session is established, there is a current operating
state for both read and write (i.e., receive and send). In addition, during the
Handshake Protocol, pending read and write states are created. Upon successful
conclusion of the Handshake Protocol, the pending states become the current
states.
A session state is defined by the
following parameters.
Session identifier: An arbitrary byte sequence chosen by the server to identify
an active or resumable session state.
Peer certificate: An X509.v3 certificate of the peer. This element of the state
may be null.
Compression method: The algorithm used to compress data prior to encryption.
Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES,
etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It
also defines cryptographic attributes such as the hash size.
Master secret: 48-byte secret shared between the client and server.
Is resumable: A flag indicating whether the session can be used to initiate new
connections.
Between any pair of parties
(applications such as HTTP on client and server), there may be multiple secure
connections. In theory, there may also be multiple simultaneous sessions between
parties, but this feature is not used in practice.
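The relationship between the two state lists above can be shown in code. This is an added example, not part of the original text: it expands one session's master secret into the per-connection MAC secrets, keys and IVs using the SSL 3.0 key block construction from RFC 6101, which this page does not itself describe. The cipher spec sizes, the 32-byte randoms and all sample values are assumptions constructed for the illustration.

```python
import hashlib

def ssl3_key_block(master_secret, server_random, client_random, length):
    """SSL 3.0 key block expansion as specified in RFC 6101, section 6.2.2."""
    block, i = b"", 0
    while len(block) < length:
        label = bytes([ord("A") + i]) * (i + 1)  # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + master_secret + server_random + client_random).digest()
        block += hashlib.md5(master_secret + inner).digest()
        i += 1
    return block[:length]

# Assumed cipher spec sizes: SHA-1 MAC (20 bytes) and a 128-bit block cipher
# in CBC mode (16-byte key, 16-byte IV).
FIELDS = [
    ("client_write_mac_secret", 20), ("server_write_mac_secret", 20),
    ("client_write_key", 16), ("server_write_key", 16),
    ("client_write_iv", 16), ("server_write_iv", 16),
]

def new_connection_state(master_secret, client_random, server_random):
    """Build the per-connection parameters from the session's master secret."""
    if len(master_secret) != 48:
        raise ValueError("master secret must be 48 bytes")
    block = ssl3_key_block(master_secret, server_random, client_random,
                           sum(size for _, size in FIELDS))
    state = {"client_random": client_random, "server_random": server_random}
    offset = 0
    for name, size in FIELDS:
        state[name] = block[offset:offset + size]
        offset += size
    # Sequence numbers start at zero when the new cipher spec takes effect.
    state["read_seq"] = state["write_seq"] = 0
    return state

def demo():
    # Constructed sample values, not captured from a real handshake.
    master_secret = bytes(range(48))  # session state, shared by both connections
    conn_a = new_connection_state(master_secret, b"\x01" * 32, b"\x02" * 32)
    conn_b = new_connection_state(master_secret, b"\x03" * 32, b"\x04" * 32)
    return conn_a, conn_b

if __name__ == "__main__":
    a, b = demo()
    for name, _ in FIELDS:
        print(f"{name:24} {a[name].hex()[:16]}...  differs in B: {a[name] != b[name]}")
```

Both connections reuse the same master secret, so no new negotiation is needed, yet every key, MAC secret and IV differs because each connection contributes its own randoms.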
Architecturally, the SSL protocol is designed as a suite of protocols over
TCP/IP. The design of the SSL protocol is often described as the "SSL Protocol
Stack".
The first layer of the SSL Protocol Stack over TCP/IP is known as the SSL Record
Protocol. The SSL Record Protocol is responsible for ensuring data security
through encryption, and for data integrity. The SSL Record Protocol also handles
checking of data and encapsulating it with appropriate headers for secure
transmission under the TCP protocol.
The second layer of the SSL Protocol Stack is positioned above the SSL Record
Protocol and is responsible for establishing a secured connection with an
application protocol like HTTP. The protocols at the second, top layer
of the SSL protocol stack include the SSL Handshake Protocol, the SSL Change
Cipher Spec Protocol and the SSL Alert Protocol.
These three protocols at the top layer of the SSL protocol stack offer session
management, cryptographic parameter management and secure transfer of SSL
messages between the client and the server.
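The layering described above is visible in the record header itself, which names the upper-layer protocol each record carries. This is an added example, not part of the original text: the 5-byte header layout, the content type numbers and the length limit are taken from the SSL 3.0 specification (RFC 6101), and the sample stream is constructed with placeholder fragment bytes.

```python
import struct

# Content types carried by the SSL Record Protocol (RFC 6101).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                 # type (1) + version (2) + length (2)
MAX_FRAGMENT = 2**14 + 2048    # largest protected fragment the spec allows

def parse_records(stream):
    """Split a TCP byte stream into SSL records.

    Returns (records, leftover); leftover holds an incomplete trailing
    record that needs more data before it can be parsed.
    """
    records, offset = [], 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds limit at offset {offset}")
        body_start = offset + HEADER_LEN
        if len(stream) - body_start < length:
            break              # truncated record: wait for more data
        records.append({"protocol": CONTENT_TYPES[ctype],
                        "version": (major, minor),
                        "fragment": stream[body_start:body_start + length]})
        offset = body_start + length
    return records, stream[offset:]

def make_record(ctype, fragment, version=(3, 0)):
    """Helper for building constructed sample records (SSL 3.0 is version 3.0)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment

# Constructed sample stream; fragment contents are placeholder bytes.
SAMPLE = (make_record(22, bytes(11))       # handshake message
          + make_record(20, b"\x01")       # change cipher spec
          + make_record(22, bytes(40))     # protected handshake message
          + make_record(23, bytes(64)))    # protected application data

if __name__ == "__main__":
    recs, rest = parse_records(SAMPLE + b"\x17\x03\x00\x00\x20partial")
    for r in recs:
        print(r["protocol"], r["version"], len(r["fragment"]))
    print("leftover bytes:", len(rest))
```

The parser reads only the cleartext header, so it works the same before and after the change cipher spec record, when the fragments themselves become encrypted.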