|
|
 |
|
|
|
Internet security is foremost in the minds of businesses as well as consumers.
What can we do to provide a secure environment for online transactions? The
answer is SSL and Public-Key Cryptography.
What is SSL?
The Secure Sockets Layer (SSL) protocol, is a set of rules governing server
authentication, client authentication, and encrypted communication between
servers and clients and is primarily used for secured transactions like passing
Purchase Orders and Credit Card numbers over the internet.
The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the
transport and routing of data over the Internet. Other protocols, such as the
HyperText Transport Protocol (HTTP) or Lightweight Directory Access Protocol
(LDAP), run on top of TCP/IP in the sense that they all use TCP/IP to support
typical application tasks. The SSL protocol runs somewhere between these two
types of protocol i.e. over TCP/IP and below other protocols such as HTTP, LDAP
etc.
To understand how SSL works, it is required that we understand what Public-Key
Cryptography is and how it works.
What is Public-Key Cryptography?
When information flows from your computer to the server hosting a web site, it
is possible that the someone can tamper with the information, or worse, steal
it. Fortunately, a set of well-established techniques and standards known as
public-key cryptography make it relatively difficult for hackers to get hold of
your important information.
Besides facilitating other tasks, public-key cryptography encrypts and decrypts
the information during the transfer, making life difficult for hackers.
Encryption and decryption allow two communicating parties to disguise
information they send to each other. The sender encrypts, or scrambles,
information before sending it. The receiver decrypts, or unscrambles, the
information after receiving it. While in transit, the encrypted information is
unintelligible to an intruder.
With most modern cryptography, the ability to keep encrypted information secret
is based not on the cryptographic algorithm, which is widely known, but on a
number called a key that must be used with the algorithm to produce an
encrypted result or to decrypt previously encrypted information. Decryption
with the correct key is simple. Decryption without the correct key is very
difficult, and in some cases impossible for all practical purposes. Among the
various ways to use this key for encryption and decryption, we'll be discussing
the most common ones i.e. Symmetric-Key Encryption and Public-Key Encryption.
Symmetric-Key Encryption
In Symmetric-Key Encryption the same key is used for encryption and decryption.
Information encrypted using one key can only be decrypted using the same key.
Symmetric-key encryption provides an effective level of cryptography only if
both the parties keep the symmetric key secret. If a third party discovers the
symmetric key, it can not only decrypt messages but also encrypt new messages
and would appear as if one of the two parties generated the new message.
Symmetric-key encryption plays an important role in the SSL protocol.
Public-Key Encryption
Public-key encryption (also called asymmetric encryption) involves a pair of
keys - a public key and a private key. These two keys work together, so a
message scrambled with the private key can only be unscrambled with the public
key and vice versa. The more digits in these keys, the more secure the process.
The public key is made available freely to the public, while the private key is
kept secret by the issuer, which means that the information is encrypted by one
party using the public key and the same information is decrypted by the second
party using the private key. It is virtually impossible for a third party to
decrypt the information without having the correct private key.
Compared with symmetric-key encryption, public-key encryption requires more
computation and is therefore not always appropriate for large amounts of data.
However, it's possible to use public-key encryption to send a symmetric key,
which can then be used to encrypt additional data. This is the approach used by
the SSL protocol.
Now that we know something about encryption, lets get our attention back to
SSL.
SSL server authentication
allows a user to confirm a server's identity. SSL-enabled client software can
use standard techniques of public-key cryptography to check that a server's
certificate and public ID are valid and have been issued by a certificate
authority (CA) listed in the client's list of trusted CAs. This confirmation
might be important if the user, for example, is sending a credit card number
over the network and wants to check the receiving server's identity.
SSL client authentication
allows a server to confirm a user's identity. Using the same techniques as
those used for server authentication, SSL-enabled server software can check
that a client's certificate and public ID are valid and have been issued by a
certificate authority (CA) listed in the server's list of trusted CAs. This
confirmation might be important if the server, for example, is a bank sending
confidential financial information to a customer and wants to check the
recipient's identity.
An encrypted SSL connection requires all information sent between a client and
a server to be encrypted by the sending software and decrypted by the receiving
software, thus providing a high degree of confidentiality. Confidentiality is
important for both parties to any private transaction. In addition, all data
sent over an encrypted SSL connection is protected with a mechanism for
detecting tampering - that is, for automatically determining whether the data
has been altered in transit.
The future of SSL
SSL is not without its limitations. Certificates and keys that originate from a
computer can be stolen over a network or by other electronic means. One
possible solution to this weakness is to use hardware tokens instead. Hardware
tokens improve security tremendously because these tokens are more difficult to
steal and they can be made to recognize only the person for which they were
created. This can be done in a number of ways, including biometric means like
fingerprint or retinal scan matching.
|
|
|
|
|
| |
