Secure Socket
Layer (SSL) certificates are widely used to help secure and authenticate
communications both on the Internet and
within organizational intranets.
History:
SSL is a
protocol developed by Netscape in 1995, which quickly became the preferred method
for securing data transmissions across the Internet.
SSL is built
into every major web server and web browser and makes use of public-private key
encryption techniques originally developed by RSA.
To make an SSL connection, a web server must have a digital certificate
installed; this certificate utilizes the public and private keys used for
encryption, and the certificate uniquely and positively identifies the server.
You can think of digital certificates as a kind of electronic identification
card, not unlike a driver’s license or national identity card, which
authenticates the server to the client before establishing an encrypted
communications channel. Typically, digital certificates are issued by an
independent, trusted third-party to ensure their validity and broad acceptance.
The issuer of a certificate is also known as a Certification Authority (CA).
Features of SSL:
People tend to
associate SSL with encryption, but in fact, an SSL certificate provides four
distinct features,
·
Encryption
·
Integrity
·
Authentication
·
Non-Repudation
ENCRYPTION
Encryption
utilizes mathematical algorithms to transform data so that it can only be read
by the intended parties. In the case of SSL, the private and public keys
provided as part of the server’s digital certificate play an important role in
securing data sent to and from the web browser.
INTEGRITY
By encrypting
data so that only the intended parties can read it, SSL certificates also
ensure the integrity of that data. In other words, if nobody else can
successfully read the data, the data cannot be modified in transit. Modifying
the encrypted data would render it useless, and the intended parties would then
know that someone had tried to tamper with the data.understanding SSL
certificates2
AUTHENTICATION
One of the
primary roles of the CA in issuing a digital certificate is to validate the
identity of the organization, or person, requesting the certificate. SSL
certificates are tied to an Internet domain name, and by verifying ownership of
that name, a CA ensures that users know with whom they are dealing at a basic
level. For example, when you connect to an SSL-enabled web site, such as
Amazon.com, the certificate identifies its owner as Amazon, Inc., and you can
be sure that you are dealing with Amazon.
NON-REPUDIATION
Encryption,
integrity, and authentication combine to establish non-repudiation, which means
that neither party in a secured transaction can legitimately state that their
communications came from someone other than themselves. This feature removes
the option for one party to repudiate, or “take back,” information that they have
communicated online
Applications of SSL
SSL can be used
in many ways and for different purposes:
• Browser-to-server communications—Most commonly, SSL is
used to secure communications between a web server and a web browser, often
when sensitive information is being transmitted. This nformation may relate to
an online purchase, a patient’s medical data, or banking details. SSL helps
ensure that the user of the web browser knows to whom their information is
being sent and that only the intended recipient can access the information.
•
Server-to-server communications—SSL can also be used to secure communications
between two servers, such as two businesses that transact with one another. In
this scenario, both servers usually have a certificate, mutually authenticating
them to each other as well as securing the communications between them.
•
Compliance with legislative and industry requirements—Many legal and industry
requirements call for levels of authentication and privacy that SSL certificates
provide. The Payment Card Industry Data Security Standard (PCI DSS), for
example, requires the use of authentication and encryption technologies during
any online payment transaction
HOW IS AN SSL SESSION CREATED?
An SSL
session begins when a web browser sends a request to a web server using the https:// protocol
The web
server responds with its digital ID, which includes its public encryption key.
The web browser verifies the digital ID, which may include an online check with
the CA as well as a check of the certificate itself for validity dates and
other details. Once verified, the browser generates a session key, encrypts the
session key using the server’s public key, and sends the package back to the
server.
The
server decrypts the session key by using the server’s private encryption key,
which only the server
possesses.
This ensures that only the browser and the server possess the session key, and
they can use
that
shared key to encrypt further communications between them. Servers usually
discard session keys after
several
minutes of inactivity
