Introduction to Secure Sockets Layer
Results 1 to 7 of 7

Thread: Introduction to Secure Sockets Layer

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    472

    Introduction to Secure Sockets Layer

    SSL is a protocol that offers secure transmission over the HTTP-protocol. It has become a standard for authentication and encryption between web browsers and servers. If you use SSL in your web applications itís close to impossible to steal the exchanged information. If you donít, itís very easy. SSL has two implementations: Server-side certificate implementation and server and client-side certificate implementation. This article explains the first, because it's the most commonly used.

    SSL does three things:
    *Tells the client if the server is who he claims to be or not.
    *Encrypts the transmission.
    *Will notice if data has been tampered with during transmission.

    The SSL certificate
    The implementation of SSL requires a certificate (ID), which is provided by an SSL-providor, for example Verisign. The providor only issues certificates to approved customers. They have certain procedures to check out a customer, so they donít deliver to crooks. The server admin will put the certificate on the server and enable SSL. Itís also important that browsers which will communicate with the server support SSL and have SSL enabled.

    The SSL handshake
    When you host a server and you get your certificate, it proves that the server is safe and belongs to you. A transmission is started with an SSL handshake that authenticates the server. When a browser requests document from the server, the URL will change from Ďhttpí to Ďhttpsí. The browser will also display a lock icon, and when the lock is clicked with the mouse, the certificate will be displayed so that the user can check it out. If the certificate isnít valid or has expired, the browser will automatically message the user.

    The encryption
    SSL uses a 128-bit RSA-algorithm. The higher number the better, and 128 takes quite a while to crack. How does the key stuff work? Well, RSA uses PUBLIC and PRIVATE keys. The server issues a public key to the client (browser), which encrypts itís information with it and sends the encrypted message back to the server. The server decrypts the information with itís private key. Whatís important here is the public key cannot decrypt the message, only the private key. Thatís whatís so fantastic about the RSA algorithm.

    Who uses SSL?
    Anyone who cares for their customers information. Used by many internet banks, online career services etc. But anyone who's approved by a certificate user can implement it.

    -

    Please feel free to comment on mistakes or whatever! I'll be back with SSL weaknesses (they exist!) some other time......
    ---
    proactive

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Something I've always been curious about, not so much dealing with ssl but rather public/private key encryption. Since the public key encrypts data that only the private key can decrypt, should it not be possible to reverse engineer the public key to determine what the private key has to be to decrypt the data?

  3. #3
    Member
    Join Date
    Aug 2001
    Posts
    66
    good post proactive.
    Ah well...I\'m back on AntiOnline!

  4. #4
    Member
    Join Date
    Aug 2001
    Posts
    66
    Originally posted by shkuey
    Something I've always been curious about, not so much dealing with ssl but rather public/private key encryption. Since the public key encrypts data that only the private key can decrypt, should it not be possible to reverse engineer the public key to determine what the private key has to be to decrypt the data?
    The answer lies in the mathematical complexity in achieving that. Basically we are just expecting that no shortcut formula or ultra powerful machine will be there in near future to reverse engineer the public and the data to do that within days or months.
    Ah well...I\'m back on AntiOnline!

  5. #5
    Token drunken Irish guy
    Join Date
    Sep 2001
    Posts
    2,813
    Thats a nice tut man, keep up the good work!

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Thanks guys!
    ---
    proactive

  7. #7
    Member
    Join Date
    Nov 2001
    Posts
    32
    If you guys want to test it on your machines, you can use the OpenSSH packages from www.openssh.org , which will make public-private RSA key based communication between two boxes over an insecure network.

    On latest distribs (Mandrake 8.0+) I'found these nice packages on the first install CD.

    Easy to install : sshd package on server side, sshclient on client side, a bit of rsakeygen to gen the keys et hop c'est parti.

    Benefits are for example secure telnet.

    -hantiz.
    Linoux c\'est de la bombe bťbť !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides