Based on the need for a secure connection to transfer private information over the internet, Netscape developed Secure Sockets Layer (SSL) as a means of establishing a secure pathway between a client and a server over the internet. Using standard internet protocols such as TCP/IP, information sent from one computer to another can be sniffed out and intercepted or viewed by hackers who are positioned along the path of transmission. SSL prevents such snooping by utilizing Public Key Encryption and Digital Certificates or IDs established by trusted Certificate Authorities (CA) to establish a server’s identity and enable the transfer of information in an encrypted form over the internet. Establishing an SSL connection involves four parts: the SSL request, the SSL Handshake, secure information transfer, and termination of the SSL connection. The request is made from the client computer utilizing port 443, a designated secure port, to the server which then sends its public key and digital certificate to the client. The certificate is validated against established criteria from the CA. Once the certificate is verified, the client and server communicate with each other to establish a mutually supported encryption algorithm and, using this and the server’s public and private keys, generate a temporary set of symmetrical keys called session keys that can be used only during the current connection. The session keys will be used during the session to encrypt the message, while the server’s public and private keys will be used to authenticate the sender and the message. Once the session has terminated or the client is directed outside the secure connection, he or she is notified that they are leaving the secure connection. Different versions of SSL support different levels of encryption from 40-bit and 56-bit to 128-bit encryption. Secure Sockets Layer is not without problems and is not completely secure.
SSL is the most commonly used secure connection method and 128-bit SSL offers possibly the best means of securing your information.
With the dawn of the information age a significant amount of information can be transferred over the internet in a few keystrokes. Some of that information can contain facts or data that can be considered personal or sensitive. Disclosure of such information can often be damaging to individuals or organizations when placed in the wrong hands. Credit card numbers, bank account numbers, credit ratings, and social security numbers are just a few examples of sensitive information that could be damaging to individuals if it were obtained by unauthorized users. Similarly, company plans, financial information, or employee and customer data must be protected from unauthorized disclosure. Businesses could suffer financially or be legally held responsible for disclosure of any consumer or employee data. Under normal internet protocols, this information could easily be intercepted and read by anyone with the know-how to intercept this information. To understand this vulnerability you must first understand how information is transferred over the internet.
For information to be transferred over the internet, several actions must take place. First, every computer on the internet must be communicating in the same language. Internet Protocol (IP) is probably the most common type of network in existence today. On an IP network, each connected computer is given an address called an IP address. This is used to identify each computer uniquely on a network. These IP addresses are expressed as a series of decimal numbers that are linked to text names by using the Domain Name System (DNS). This enables you to remember the name of a target such as www.CNN.com instead of 127.24.102.2 for example. Once your source and target are identified your message or information is broken into small segments of information called “packets”. According to the website How Stuff Works.com “Each packet carries the information that will help it get to its destination -- the sender's IP address, the intended receiver's IP address, something that tells the network how many packets this message has been broken into and the number of this particular packet.” Each packet contains a portion of the message or information that is being sent. These packets are sent out using routers which direct the packets across the networks to the destination. Once all of the packets arrive at the destination they are reassembled into the original message format. Unfortunately, all of the data that travels across the networks can be seen by any computer that is positioned or assigned along the route of travel from the message’s source to its destination. Programs such as Carnivores or Sniffers, originally designed for network administrators, can be used by hackers to view or copy every packet that passes by it on a network. A hacker’s ability to intercept transmissions on the internet creates a significant risk in the transmission of sensitive information over the internet. It is for this reason that secure channels were designed.
Secure Sockets Layer (SSL) was Netscape’s answer to the secure transfer of information over the internet. Secure Sockets Layer is now used by Microsoft and Netscape internet browsers, and according to Netscape Online “SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers.” SSL uses Public Key Infrastructure (PKI) in the form of Digital Certificates to create a secure path from one computer to another, enabling the transfer of sensitive information in an encrypted format so that only the target computer can decipher the data. Even though a Sniffer or Carnivore program can still intercept the data, the information would be seen in an encrypted state and therefore would be undecipherable by anyone who did not know the decryption algorithms. Secure Sockets Layer is available in 40-bit encryption, 56-bit encryption, and 128-bit encryption. According to RSA Inc. “Prior to January 2000, software products that contained strong encryption strengths were considered a munition by the US Government and in most cases were not able to be shipped or downloaded by anyone overseas. Most web browsers were limited to 40 or 56-bit SSL encryption” (SSL Basics for Internet Users).
Secure Sockets Layer functions by using the public key encryption system with Digital Signatures. Public Key Encryption uses two separate keys, a public key and a private key. These keys can be used to encrypt messages to the receiver or to authenticate the identity of the sender. The public key is available to anyone who wishes to correspond with the individual or entity that owns the pair of keys. The private key must be maintained in secret by the owner in order to protect the integrity of the message. A transmission sent to the owner of the key pair can be encrypted by the sender using the receiver’s public key. Once the message is encrypted by the sender it can only be decrypted by the receiver using his or her private key. Any interception of this message during the transfer of information would be indecipherable without the private key. Once the message reaches its target, the receiver then uses the private key to decrypt the message and read it in plain text. Similarly, to authenticate a message from the key owner, the message is encrypted using the sender’s private key. The receiver would then use the public key to validate the identity of the sender. This message, if intercepted, could be easily decrypted by a hacker, but the integrity of the message would be intact. If a hacker were to attempt to alter the message, the key pair would disagree and therefore would not validate the message.
A digital ID or certificate is a pair of keys assigned to an owner’s name along with other credentials that validate their identity. These digital certificates are signed by well known and commonly trusted Certificate Authorities (CA). Internet browsers such as Netscape’s Navigator or Microsoft’s Internet Explorer both contain a list of the most commonly known and trusted Certificate Authorities. If a Digital ID is assigned to a CA which is not recognized, the user will be notified that the certificate does not match the list of “Trusted Sites” and given the option to accept the certificate or to reject it. Digital signatures from trusted Certificate Authorities utilize the public key encryption process to verify identity of the key owners. This is done by assigning the keys to a specific identity along with other criteria such as the expiration date of the signature to validate it. These digital certificates play a significant role in the operation of SSL.
Secure Sockets Layer works in four stages. The first action that takes place is the SSL request. Next, the SSL handshake takes place. Then the information is securely transferred. Finally the connection is terminated. Several actions may take place during each stage.
During the SSL request stage, the client or requestor requests a secure communication link between it and the computer acting as the server or target. This is accomplished by making a communication request on port 443. Normally, unsecure communication takes place on port 80 for TCP/IP networks. Port 443 is designated exclusively for secure or HTTPS connections.
Once the SSL request has been made the SSL Handshake takes place. This is the most important step in establishing a secure connection. At this point, the client and server exchange the applicable digital certificates. In some SSL transactions both the client and server are required to have digital certificates, but this is not common in most commercial transactions over the internet. This information is then checked against the appropriate Certificate Authority, such as Verisign ™ or another trusted CA, for identity of the owner and expiration date of the certificate. Additionally, the client will notify the server of all of the possible encryption algorithms that it can support. Once this is done, the client and server will mutually agree to use the highest level encryption algorithm that they both support. Once this common encryption algorithm is established, the client will randomly generate a code called a pre-master secret that is encrypted using the server’s public key. The server then uses its private key to decode the pre-master secret. Both the client and the server mutually use the pre-master secret to create a master secret which ultimately is used to create another set of symmetric keys written in the agreed upon encryption algorithm. Symmetric keys are the same for both the encryptor and decryptor. This set of keys is referred to as the “cipher keys” or “session keys”. These session keys are randomly generated and are only valid during the established session between the client and the server. Once the connection is broken or times out, the session keys are no longer usable. The client encrypts the symmetric session key using the server’s public key and sends it to the server. This ensures that the only entity that can decrypt the session key is the server.
The client and server then send messages to each other encrypted with the session key stating that all future transmissions will be sent using the session keys and that their respective handshake communications are complete. This completes the SSL handshake and now information can be safely transferred from one computer to the other using the session key. Additionally, for the purpose of authentication, the server may be required to send a message to the client using the session key and then encrypt it with his or her private key. This message can be decrypted by the client using the server’s public key which will serve as a digital signature for the message ensuring that the message is authentic and then use the session key to decrypt the message itself to view its contents.
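The handshake steps described above, reduced to a small Python model (an added example, not part of the original essay). The toy RSA key, the suite labels such as "128-bit", and the HMAC-based key derivation are constructed stand-ins, not the real SSL message formats or algorithms.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key (textbook RSA, no padding): for illustration only.
P, Q = 2**127 - 1, 2**107 - 1        # two Mersenne primes
N, E = P * Q, 65537                  # server public key, carried in its certificate
D = pow(E, -1, (P - 1) * (Q - 1))    # server private key, never leaves the server

def prf(secret, label, seed):
    """Stand-in key derivation (HMAC-SHA256); real SSL/TLS defines its own PRF."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()

def negotiate(client_suites, server_prefs):
    """Return the server's most preferred suite that the client also offered."""
    for suite in server_prefs:
        if suite in client_suites:
            return suite
    raise ValueError("no mutually supported cipher suite")

def session_keys(pre_master, seed):
    """Pre-master secret -> master secret -> two 16-byte symmetric session keys."""
    master = prf(pre_master, b"master secret", seed)
    block = prf(master, b"key expansion", seed)
    return master, block[:16], block[16:]

def handshake(client_suites, server_prefs, tamper=False):
    # Hello messages: each side contributes a fresh random value.
    seed = secrets.token_bytes(16) + secrets.token_bytes(16)
    suite = negotiate(client_suites, server_prefs)

    # Client: random pre-master secret, encrypted with the server's public key.
    pm = secrets.randbits(128)
    wire = pow(pm, E, N)
    if tamper:                       # model modification in transit
        wire ^= 1

    # Server: recover the pre-master secret with its private key.
    recovered = pow(wire, D, N)

    # Both sides derive the master secret and session keys independently.
    c_master, *c_keys = session_keys(pm.to_bytes(32, "big"), seed)
    s_master, *s_keys = session_keys(recovered.to_bytes(32, "big"), seed)

    # Client "finished" message: the server recomputes it and compares.
    context = suite.encode() + seed
    sent = prf(c_master, b"client finished", context)
    ok = hmac.compare_digest(sent, prf(s_master, b"client finished", context))
    return {"suite": suite, "finished_ok": ok, "client_keys": c_keys, "server_keys": s_keys}
```

With `tamper=True` the server recovers a different pre-master secret, so its session keys differ from the client's and the finished check fails instead of the session continuing with mismatched keys.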
After the SSL handshake has taken place, the transmission of secure data can take place. All communications between client and server must be made using the session key once the SSL handshake has taken place. When the transaction is completed, or the client is directed to a location outside of the secure link, he or she will be notified that they are leaving a secure connection and asked if they wish to cancel or continue the operation.
A typical SSL transaction may follow the sequence of events illustrated in the following example. In an ecommerce transaction, the buyer’s computer would make the request to establish the secure connection between it and the seller’s website. The seller’s computer would then reveal its digital certificate along with its public key information to the buyer’s computer. After the digital signature has been verified by the buyer’s computer, the buyer’s computer notifies the seller of all of the encryption algorithms that it can support. Both the buyer and seller computers then mutually agree upon the algorithms to be used during the session. Next, the buyer’s computer randomly generates a pre-master secret code which it encrypts and sends to the seller’s computer. From this pre-master secret the buyer’s and seller’s computers mutually establish a set of symmetric session keys (both encryption and decryption keys are the same) to be used for the transaction and encrypt them with the seller’s public key. The seller’s computer then receives the encrypted message and decodes it using its private key. Now both the buyer and the seller know the session keys, but nobody else does since the transmission of the session keys itself was encrypted. Then the seller’s computer sends a message using the session key and encrypts it using his or her private key. This will digitally sign the message. The buyer’s computer then receives the message and decrypts it using the seller’s public key. This will show that the message is authentic because it was signed by the seller. The buyer’s computer then sends a message back to the seller using the session key and the seller’s public key verifying the validity of the session keys and ending the handshake session. Now all communications between the buyer and the seller will take place using the session keys to encode and decode the message and the seller’s public and private keys to authenticate the message.
Now the buyer can securely send the seller his or her personal information such as bank account or credit card number and address.
Almost all ecommerce transactions use SSL to protect the transaction data. Additionally, many banks or online financial institutions use SSL to protect account information and PIN numbers. Even web based email servers such as Hotmail and Yahoo utilize 128-bit SSL to enable secure login. While SSL is so widely accepted, it must be added that nothing is completely secure when it comes to the internet. SSL does have its limitations. First of all, the presence of a digital certificate from a trusted source only validates the certificate as one that is assigned to a specific entity, but says nothing about the entity itself. Anyone can purchase a digital ID, regardless of their business experience or reputation. What this means is that while SSL can use digital certificates to protect your information over the internet, it cannot guarantee the business transaction itself. In short, SSL can secure the transaction between a client and a bank’s web site, and secure the request to transfer funds from one account to another; it cannot ensure that the bank will actually make the transfer. Additionally, while SSL can secure the transmission of credit card and billing information over the internet to an e-business, it cannot guarantee that your order will be filled or shipped or that your information will be kept secure once it is stored on the business database. Rick Farrow, an independent computer consultant, states: “Some large sites deal with the slow pace of SSL key exchange by placing SSL proxy servers in front of their Web servers. This means that your precious secrets travel the last few meters (or perhaps much further) of an exchange unencrypted. And keep in mind that SSL does nothing to protect your data once it's stored at an e-commerce site. Your sensitive data may be stolen from improperly hardened sites.”
As the internet continues to grow, ecommerce, online banking, and other transaction-based functions will continue to become more and more common. This will continue to create a serious demand for the secure transfer capability. Currently, Secure Sockets Layer is the answer to this demand. It provides a means to encrypt, decrypt and authenticate messages transferred over the internet using a secure connection. While nothing can guarantee total security, the 128-bit version of SSL utilizing digital certificates and Public Key Encryption can protect your data quite effectively.
Marshall, Brian. “What’s a Packet?” 25 May 2001. How Stuff Works.com.
Tyson, Jeff. “How Carnivore Works.” How Stuff Works.com.
“Digital ID Introduction.” Verisign Online.
“Introduction to SSL.” iPlanet Online.
“SSL Basics for Internet Users.” RSA Security Online.
Farrow, Rick. “Secure Sockets Layer is Not a Magic Bullet.”