Wednesday, 21 May 2014

SSL Overview

It is important that transmissions between a web server and a browser are secure. There are three tasks that must be performed in order to do this:

  1. Verify the identities of the hosts participating in the transmission by performing authentication procedures.
  2. Check the integrity of the data by adding digital signatures containing a digest value - a unique value representing the data.
  3. Secure the privacy of the transmission by encrypting it. Transactions between a browser and the sever can then be encrypted, with only the browser and the server able to decrypt the transmissions.

SSL

The protocol most often used to implement secure transmissions is the Secure Sockets Layer (SSL) protocol. SSL was originally developed by Netscape for secure transactions on the web.

SSL uses a form of public- and private-key encryption for authentication. Data is encrypted with the public key, but can only be decrypted using the private key. Once the data is authenticated, an agreed-upon cipher is used to encrypt it. Digital signatures encrypt an MD5 digest value for data to ensure integrity.

Certificates

Authentication is carried out using certificates of authority. Certificates are held by both the browser and the web server, uniquely identifying both parties in a secure transmission, and verifying that they are who they say they are. Certificates are signed by an independent certificate authority such as VeriSign, verifying that they are valid.

A certificate contains:

  • The public key of the server or browser that it is given to
  • The digital signature of the certificate authority
  • Identity information such as the name of the user or company running the server or browser.

SSL Session

An SSL session is set up using a handshake sequence:

  1. The server and browser exchange certificates
  2. A cipher is agreed upon to to encrypt the transmissions
  3. The digest integrity check is chosen
  4. The type of public-key encryption, usually RSA or DSA, is chosen
  5. A unique session key is set up that is used by both the browser and the server.