
Thread: Introduction to Secure Sockets Layer

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    472

    Introduction to Secure Sockets Layer

    SSL is a protocol that offers secure transmission over the HTTP protocol. It has become a standard for authentication and encryption between web browsers and servers. If you use SSL in your web applications it’s close to impossible to steal the exchanged information. If you don’t, it’s very easy. SSL has two implementations: server-side certificate implementation, and server- and client-side certificate implementation. This article explains the first, because it's the most commonly used.

    SSL does three things:
    * Tells the client whether or not the server is who it claims to be.
    * Encrypts the transmission.
    * Will notice if data has been tampered with during transmission.

    The SSL certificate
    The implementation of SSL requires a certificate (ID), which is provided by an SSL provider, for example Verisign. The provider only issues certificates to approved customers. They have certain procedures to check out a customer, so they don’t deliver to crooks. The server admin will put the certificate on the server and enable SSL. It’s also important that browsers which will communicate with the server support SSL and have SSL enabled.

    The SSL handshake
    When you host a server and you get your certificate, it proves that the server is safe and belongs to you. A transmission is started with an SSL handshake that authenticates the server. When a browser requests a document from the server, the URL will change from ‘http’ to ‘https’. The browser will also display a lock icon, and when the lock is clicked with the mouse, the certificate will be displayed so that the user can check it out. If the certificate isn’t valid or has expired, the browser will automatically message the user.

    The encryption
    SSL uses a 128-bit RSA algorithm. The higher the number the better, and 128 takes quite a while to crack. How does the key stuff work? Well, RSA uses PUBLIC and PRIVATE keys. The server issues a public key to the client (browser), which encrypts its information with it and sends the encrypted message back to the server. The server decrypts the information with its private key. What’s important here is that the public key cannot decrypt the message, only the private key. That’s what’s so fantastic about the RSA algorithm.

    Who uses SSL?
    Anyone who cares for their customers' information. Used by many internet banks, online career services etc. But anyone who's approved by a certificate user can implement it.

    -

    Please feel free to comment on mistakes or whatever! I'll be back with SSL weaknesses (they exist!) some other time......
    ---
    proactive

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Something I've always been curious about, not so much dealing with ssl but rather public/private key encryption. Since the public key encrypts data that only the private key can decrypt, should it not be possible to reverse engineer the public key to determine what the private key has to be to decrypt the data?

  3. #3
    good post proactive.
    Ah well...I'm back on AntiOnline!

  4. #4
    Originally posted by shkuey
    Something I've always been curious about, not so much dealing with ssl but rather public/private key encryption. Since the public key encrypts data that only the private key can decrypt, should it not be possible to reverse engineer the public key to determine what the private key has to be to decrypt the data?
    The answer lies in the mathematical complexity in achieving that. Basically we are just expecting that no shortcut formula or ultra powerful machine will be there in near future to reverse engineer the public and the data to do that within days or months.
    Ah well...I'm back on AntiOnline!
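The public/private split proactive describes in post #1, and the question in #2 and #4 about working the private key back out of the public one, can be seen with textbook RSA on tiny numbers. This is an added example, not code from the thread or from any SSL library: the primes 61 and 53 and the exponent 17 are constructed values, and the moduli are far too small to be secure, which is exactly the point.

```python
# Textbook RSA on constructed toy numbers (added example, not part of the thread).
# Shows (1) the public key encrypts, only the private key decrypts, and
# (2) why "reverse engineering" the public key comes down to factoring n:
# trivial here, computationally out of reach at real key sizes.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Build an RSA key pair from two primes p and q (toy sizes only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)           # private exponent: e*d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)         # (public key, private key)


def encrypt(public_key, m: int) -> int:
    """Encrypt integer message m with the public key: c = m^e mod n."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Decrypt with the private key: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Derive d from (n, e) alone by factoring n with trial division.

    This succeeds only because n is a handful of bits wide. Nothing about the
    RSA math hides d except the cost of factoring n, so the security argument
    in post #4 is entirely about choosing n large enough (2048+ bits today).
    """
    n, e = public_key
    p = next(k for k in range(2, int(n ** 0.5) + 1) if n % k == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)          # n = 3233, d = 2753
    c = encrypt(pub, 65)                      # browser encrypts with the public key
    assert decrypt(priv, c) == 65             # server decrypts with the private key
    assert decrypt(pub, c) != 65              # the public key cannot undo itself
    assert recover_private_key(pub) == priv   # toy modulus: factoring gives d back
    print("n =", pub[0], "ciphertext =", c, "recovered d =", recover_private_key(pub)[1])
```

Swap in larger primes and the trial-division step stalls long before the encrypt/decrypt calls do; that asymmetry is what post #4 is relying on.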

  5. #5
    Banned
    Join Date
    Sep 2001
    Posts
    2,810
    Thats a nice tut man, keep up the good work!

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Thanks guys!
    ---
    proactive

  7. #7
    If you guys want to test it on your machines, you can use the OpenSSH packages from www.openssh.org , which will make public-private RSA key based communication between two boxes over an insecure network.

    On the latest distributions (Mandrake 8.0+) I found these nice packages on the first install CD.

    Easy to install: sshd package on the server side, sshclient on the client side, a bit of rsakeygen to gen the keys, and off you go.

    Benefits are for example secure telnet.

    -hantiz.
    Linoux is the bomb, baby!
