Introduction to SSL
SSL (Secure Sockets Layers) is a process that manages the security of transactions made on the Internet. The SSL standard was developed by Netscape, together with Mastercard, Bank of America, MCI and Silicon Graphics. It is based on a public-key encryption process to guarantee that data sent over the Internet remain secure. Its principle involves establishing a secure (encrypted) communication channel between two machines (a client and a server) after an authentication phase.
The SSL system is independent of the protocol used, which means it can secure transactions made on the Web via the HTTP protocol as well as connections via the FTP, POP and IMAP protocols. SSL acts as an additional layer, making it possible to guarantee secure data, that is located between the application layer and the transport layer (TCP protocol for example).
As such, SSL is transparent for the user (this means the user may not know he is using SSL). For example, a user using an Internet browser to connect to an e-commerce website protected by SSL will send encrypted data without having to perform any special operation.
Almost all browsers now support the SSL protocol. Netscape Navigator, for example, displays a locked padlock to indicate a connection to an SSL secure website and an open padlock in the opposite case, whereas Microsoft Internet Explorer displays a padlock only for a connecton to an SSL secure site.
|in Internet Explorer
An SSL secure web server has a URL that starts with https://, where the "s" of course means secure.
In mid-2001, the SSL patent that had until then belonged to Netscape was bought by the IETF (Internet Engineering Task Force) and was renamed TLS (Transport Layer Security).
How SSL 2.0 works
Transaction security with SSL 2.0 is based on an exchange of keys between a client and a server. An SSL secure transaction is made according to the following model:
- Firstly, the client connects to the commercial site protected by SSL and asks it for authentication. The client also sends the list of cryptosystems it supports, sorted in descending order by key length.
- The server receiving the request sends a certificate to the client, containing the server's public key signed by a certification authority (CA), as well as the name of the cryptosystem that is highest on the list it is compatible with (the length of the encryption key - 40 bits or 128 bits - will be that of the shared cryptosystem having the largest key size).
- The client verifies the certificate's validity (and therefore the merchant's authenticity), then creates a random secret key (more precisely a supposedly random block), encrypts this key with the server's public key, and then sends the server result (the session key).
- The server is capable of decrypting the session key with its private key. As such, the two entitites have a shared key that only they know. The remaining transactions can be made using the session key, guaranteeing the integrity and confidentiality of exchanged data.
SSL 3.0 aims to authenticate the server vis-à-vis the client and possibly the client vis-à-vis the server.