Internet security is foremost in the minds of
businesses as well as consumers. What can we do to provide a secure environment
for online transactions? The answer is SSL and Public-Key Cryptography.|
What is SSL?
The Secure Sockets Layer (SSL) protocol, is a set of rules governing server
authentication, client authentication, and encrypted communication between
servers and clients and is primarily used for secured transactions like passing
Purchase Orders and Credit Card numbers over the internet.
The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the
transport and routing of data over the Internet. Other protocols, such as the
HyperText Transport Protocol (HTTP) or Lightweight Directory Access Protocol (LDAP),
run on top of TCP/IP in the sense that they all use TCP/IP to support typical
application tasks. The SSL protocol runs somewhere between these two types of
protocol i.e. over TCP/IP and below other protocols such as HTTP, LDAP etc.
To understand how SSL works, it is required that we understand what Public-Key
Cryptography is and how it works.
What is Public-Key Cryptography?
When information flows from your computer to the server hosting a web site, it
is possible that the someone can tamper with the information, or worse, steal
it. Fortunately, a set of well-established techniques and standards known as
public-key cryptography make it relatively difficult for hackers to get hold of
your important information.
Besides facilitating other tasks, public-key cryptography encrypts and decrypts
the information during the transfer, making life difficult for hackers.
Encryption and decryption allow two communicating parties to disguise
information they send to each other. The sender encrypts, or scrambles,
information before sending it. The receiver decrypts, or unscrambles, the
information after receiving it. While in transit, the encrypted information is
unintelligible to an intruder.
With most modern cryptography, the ability to keep
encrypted information secret is based not on the cryptographic algorithm, which
is widely known, but on a number called a key that must be used with the
algorithm to produce an encrypted result or to decrypt previously encrypted
information. Decryption with the correct key is simple. Decryption without the
correct key is very difficult, and in some cases impossible for all practical
purposes. Among the various ways to use this key for encryption and decryption,
we'll be discussing the most common ones i.e. Symmetric-Key Encryption and
In Symmetric-Key Encryption the same key is used for encryption and decryption.
Information encrypted using one key can only be decrypted using the same key.
Symmetric-key encryption provides an effective level of cryptography only if
both the parties keep the symmetric key secret. If a third party discovers the
symmetric key, it can not only decrypt messages but also encrypt new messages
and would appear as if one of the two parties generated the new message.
Symmetric-key encryption plays an important role in the SSL protocol.
Public-key encryption (also called asymmetric encryption) involves a pair of
keys - a public key and a private key. These two keys work together, so a
message scrambled with the private key can only be unscrambled with the public
key and vice versa. The more digits in these keys, the more secure the process.
The public key is made available freely to the public, while the private key is
kept secret by the issuer, which means that the information is encrypted by one
party using the public key and the same information is decrypted by the second
party using the private key. It is virtually impossible for a third party to
decrypt the information without having the correct private key.
Compared with symmetric-key encryption, public-key encryption requires more
computation and is therefore not always appropriate for large amounts of data.
However, it's possible to use public-key encryption to send a symmetric key,
which can then be used to encrypt additional data. This is the approach used by
the SSL protocol.
Now that we know something about encryption, lets get our attention back to SSL.
SSL server authentication allows a user to confirm a server's identity.
SSL-enabled client software can use standard techniques of public-key
cryptography to check that a server's certificate and public ID are valid and
have been issued by a certificate authority (CA) listed in the client's list of
trusted CAs. This confirmation might be important if the user, for example, is
sending a credit card number over the network and wants to check the receiving
SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled
server software can check that a client's certificate and public ID are valid
and have been issued by a certificate authority (CA) listed in the server's list
of trusted CAs. This confirmation might be important if the server, for example,
is a bank sending confidential financial information to a customer and wants to
check the recipient's identity.
An encrypted SSL connection requires all information sent between a client and a
server to be encrypted by the sending software and decrypted by the receiving
software, thus providing a high degree of confidentiality. Confidentiality is
important for both parties to any private transaction. In addition, all data
sent over an encrypted SSL connection is protected with a mechanism for
detecting tampering - that is, for automatically determining whether the data
has been altered in transit.
The future of SSL
SSL is not without its limitations. Certificates and keys that originate from a
computer can be stolen over a network or by other electronic means. One possible
solution to this weakness is to use hardware tokens instead. Hardware tokens
improve security tremendously because these tokens are more difficult to steal
and they can be made to recognize only the person for which they were created.
This can be done in a number of ways, including biometric means like fingerprint
or retinal scan matching.