the SSL (Secure Sockets Layer) protocol

Submitted by admin on Thu, 11/12/2009 - 23:00
The Secret Code movie
  1. introduction
  2. what it is
    1. SSL handshake protocol
  3. what it isn't
  4. where it is
  5. history

introduction

The universal method of protecting WWW traffic is by using the SSL (Secure Sockets Layer) protocol. When a customer types a URL into a web browser that starts with "HTTPS:" the web browser and web server encrypt their conversation using SSL.

An SSL conversation is not called secure because no bad boy hackers can copy the conversation: the Internet is unfortunately open to eavesdropping. It is secure because all messages sent back and forth are encrypted so no-one can understand the conversation.

what it is

The SSL protocol is a session-layer protocol (layer 5 in the OSI 7 layer model). SSL was created to avoid a lack of security in the WWW. Without security, e-commerce would not exist. It is as essential a building block as the network itself.

The problem is the HTTP protocol that a web client and a web server use to communicate is vulnerable to eavesdropping. Requests and responses are sent back and forth in plain text so anyone copying the conversation can read it. The solution is the SSL protocol.

Every time you enter a URL in your web browser that starts with HTTPS , like "HTTPS://host.domain.com/", the conversation gets encrypted and cannot be read by eavesdroppers. The work is all automated. The customer does not have to do anything to set up an encrypted conversation except type HTTPS instead of HTTP into a web browser. The HTTPS bit tells the web browser to use the SSL protocol to communicate with the web server. The web browser and the web server sort out the clever bits for you using these mini-protocols.

  • The SSL handshake protocol does the hard work at the start of the conversation.
  • The SSL Change Cipher Spec Protocol is used for picking a cipher suite.
  • The SSL Alert Protocol is used when things go wrong.

There is a specialised computer that does nothing else but SSL protocol work, called the SSL Accelerator. This is a computer containing everything needed for SSL work, such as accelerator cards, ethernet ports and administrative applications. This type of computer is used to take the number-crunching stress off a web server.

SSL handshake protocol

The SSL handshake protocol, named after the ritual of handshaking when two people meet, does the hard work. It relies on many security things to work, including SSL cipher suites, public key certificates and CAs (Certificate Authorities). When a web client requests a resource from a web server they use the SSL handshake protocol to sort out the encryption.

  1. The client and server choose the best cipher suite that they can both understand.
  2. The client and server choose a symmetric encryption key.
  3. The web server sends a public key certificate.
  4. The client checks the certificate. Was it issued by a trusted CA? Has it expired? Does the name in the certificate match the name in the URL?
  5. The server may ask the client for a public key certificate. B2B sites often do this step. The server runs the same checks on the client that the client did on the server.

The handshake is complete. The client and server can then get down to their conversation, safe from snoopers.

  1. The server find the resource, encrypts it with the symmetric key and sends it to the client.
  2. The client decrypts the resource using the symmetric key and presents the information.
  3. The client may ask for more resources, or the conversation may finish here.

This procedure, from client request to finish, is called a session.

what it isn't

SSH (Secure SHell). This is a set of protocols that does pretty much the same job as SSL but is not used in the WWW.

where it is

All web sites in the Internet that need security, such as banks and shops, use SSL.

The LIC contains SSL accelerators to do the SSL work instead of the web servers.

history

In the beginning (or 1976), Whitfield Diffie, Martin Hellman and Ralph Merkle published work on PKC (Public key Cryptography). Three guys named Ronald Rivest, Adi Shamir, and Leonard Adleman built upon their work and started the RSA company in 1982 to turn mathematics into flash cars and big houses. These clever mathematicians made high grade cryptography available to the masses.

The ITU (International Telecommunications Union), an agency of the United Nations, published the X.509 recommendation in 1988 which defined many things, including how to embed a public key and other information into a certificate. Netscape came up with the SSL protocol for exchanging certificates and setting up a secure WWW link. The SSL protocol defines cipher suites. The components were in place for giving birth to e-commerce.

In 1991 RSA and a bunch other companies got the e-commerce ball rolling by defining PKCS (Public Key Cryptography Standards) for using certificates: storing them, exchanging them, using them and so on.

In 1994 Netscape came up with the SSL protocol for exchanging certificates and setting up a secure WWW link. The SSL protocol defines cipher suites. They built it into their web browser, Netscape Navigator 1.1.