Nexcore 
                  
EMAILHOME 
         articles
   b2b integration
   e-scm

using encryption for
internet security

processes and
components of scm

e-commerce solutions
built to order

enterprise application
integration
 
 
Internet security is foremost in the minds of businesses as well as consumers. What can we do to provide a secure environment for online transactions? The answer is SSL and Public-Key Cryptography.

What is SSL?
The Secure Sockets Layer (SSL) protocol, is a set of rules governing server authentication, client authentication, and encrypted communication between servers and clients and is primarily used for secured transactions like passing Purchase Orders and Credit Card numbers over the internet.

The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and routing of data over the Internet. Other protocols, such as the HyperText Transport Protocol (HTTP) or Lightweight Directory Access Protocol (LDAP), run on top of TCP/IP in the sense that they all use TCP/IP to support typical application tasks. The SSL protocol runs somewhere between these two types of protocol i.e. over TCP/IP and below other protocols such as HTTP, LDAP etc.




To understand how SSL works, it is required that we understand what Public-Key Cryptography is and how it works.

What is Public-Key Cryptography?
When information flows from your computer to the server hosting a web site, it is possible that the someone can tamper with the information, or worse, steal it. Fortunately, a set of well-established techniques and standards known as public-key cryptography make it relatively difficult for hackers to get hold of your important information.

Besides facilitating other tasks, public-key cryptography encrypts and decrypts the information during the transfer, making life difficult for hackers. Encryption and decryption allow two communicating parties to disguise information they send to each other. The sender encrypts, or scrambles, information before sending it. The receiver decrypts, or unscrambles, the information after receiving it. While in transit, the encrypted information is unintelligible to an intruder.

With most modern cryptography, the ability to keep encrypted information secret is based not on the cryptographic algorithm, which is widely known, but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encrypted information. Decryption with the correct key is simple. Decryption without the correct key is very difficult, and in some cases impossible for all practical purposes. Among the various ways to use this key for encryption and decryption, we'll be discussing the most common ones i.e. Symmetric-Key Encryption and Public-Key Encryption.

Symmetric-Key Encryption
In Symmetric-Key Encryption the same key is used for encryption and decryption. Information encrypted using one key can only be decrypted using the same key. Symmetric-key encryption provides an effective level of cryptography only if both the parties keep the symmetric key secret. If a third party discovers the symmetric key, it can not only decrypt messages but also encrypt new messages and would appear as if one of the two parties generated the new message. Symmetric-key encryption plays an important role in the SSL protocol.

Public-Key Encryption
Public-key encryption (also called asymmetric encryption) involves a pair of keys - a public key and a private key. These two keys work together, so a message scrambled with the private key can only be unscrambled with the public key and vice versa. The more digits in these keys, the more secure the process. The public key is made available freely to the public, while the private key is kept secret by the issuer, which means that the information is encrypted by one party using the public key and the same information is decrypted by the second party using the private key. It is virtually impossible for a third party to decrypt the information without having the correct private key.

Compared with symmetric-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data. However, it's possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL protocol.


Now that we know something about encryption, lets get our attention back to SSL.

SSL server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.

SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server's list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.

An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering - that is, for automatically determining whether the data has been altered in transit.

The future of SSL
SSL is not without its limitations. Certificates and keys that originate from a computer can be stolen over a network or by other electronic means. One possible solution to this weakness is to use hardware tokens instead. Hardware tokens improve security tremendously because these tokens are more difficult to steal and they can be made to recognize only the person for which they were created. This can be done in a number of ways, including biometric means like fingerprint or retinal scan matching.