Frequently Asked Questions about SSL
What is Web Security? And why do we need it?
Any Web or System Administrator faces two major tasks when
it comes to dealing with business or sensitive data:
- Protect that data so that the wrong people cannot alter
it (this is what is known as DATA INTEGRITY)
- Protect certain kinds of data so that only authorized
people can access it (defined as USER AUTHENTICATION)
By the same token, any Web user of such a system will want to:
- Make sure that sensitive data he or she sends to a server
(e.g. a credit card number) goes to the right server (SERVER
AUTHENTICATION)
What happens when we do not have data integrity?
The following is a headline from the Wall Street Journal,
June 26, 1996:
Electronic Vandals Deface World Wide Web Pages
Graffiti artists are defacing cyberspace, invading sites on the Internet's
World Wide Web with impunity, they are scrawling words and
images on others' work at will. Victims include the British
government, the Nation of Islam and the American Psychoanalytic
Association, which have had their Web pages defaced, erased,
or, in one case, replaced, by intruders.
Since then, both the DOJ and the CIA Web sites have been hacked;
mirrors of the DOJ site and the CIA site were preserved for
posterity. These are only the high-profile cases, the ones
that make the papers; have you checked *your* web data lately?
What happens when user authentication is broken?
Licensed data might be accessible to someone who shouldn't
have access; the grades and holds of one student might be read
by another; a professor's exam answer sheet might be readable
by the students instead of just the TA of the class, and so on.
What happens when server authentication is broken?
A user might have sent his/her credit card number to a server that
masquerades as coolthings.com but in reality is unscrupulous.cardstealers.com;
user authentication information (a user name and password)
might just have been sent to someone who shouldn't have it;
personal information that the user doesn't want the world
to know may be given to the wrong people, and so on.
What is a "Secure Sockets Layer"?
Digital certificates encrypt data using Secure Sockets Layer (SSL)
technology, the industry-standard method for protecting web
communications developed by Netscape Communications Corporation.
The SSL security protocol provides data encryption, server
authentication, message integrity, and optional client authentication
for a TCP/IP connection. Because SSL is built into all major
browsers and web servers, simply installing a digital certificate
turns on their SSL capabilities.
SSL comes in two strengths, 40-bit and 128-bit, which refer
to the length of the "session key" generated by every encrypted
transaction. The longer the key, the more difficult it is to
break the encryption code. Most browsers support 40-bit SSL
sessions, and the latest browsers, including Netscape
Communicator 4.0, enable users to encrypt transactions in
128-bit sessions - trillions of times stronger than 40-bit
sessions. Global companies that require international
transactions over the web can use a global server certificates
program to offer strong encryption to their customers.
Why use server certificates? What does a web server SSL cert do?
When you connect to a secure web server such as https://www.ssl.com
you ask that server to authenticate itself. This authentication
is quite a complex process involving public keys, private
keys and a digital certificate. The certificate tells you
that an independent third party has agreed that the server
belongs to the company it claims to belong to. A valid certificate
means that you can have confidence that you are sending information
to the right place.
So what is an SSL Certificate?
An SSL certificate is a string of information (often stored
as a text file) that is used by the SSL protocol to establish
a secure connection. SSL server certificates contain information
about whom they belong to, whom they were issued by, a unique
serial number or other unique identification, valid dates,
and an encrypted "fingerprint" that can be used to verify
the contents of the certificate.
What is a Root CA Certificate?
A Root Certification Authority Certificate must be installed in your
computer in order for your browsers to recognize SSL certificates
issued by a Certification Authority. The root CA certificate
tells your browser that you will accept certificates signed
by its issuing entity.
So what is a CA?
CA is an acronym for Certification Authority. A CA is an
independent party that verifies the identity of an SSL
Certificate applicant. If the person or organization that is
requesting the Certificate is proven to be who they claim to
be, and their web address matches the proper public records,
the certificate is issued and the applicant is able to send
data using the SSL protocol, thereby enabling Data Integrity,
user authentication, and non-repudiation.
How does SSL provide security?
Suppose two parties want to talk to each other, using encryption,
and they do not want anyone else to get in the middle intercepting
their messages and deciphering them or replacing them with
other messages as though one of the parties sent them.
If both parties have a private/public key pair, they can simply
trade pairs and then use their private keys to encrypt everything,
and the public ones to decrypt whatever is received. Of course
that is no protection against someone snatching a packet and
putting junk in its place, but a checksum of each packet could
be generated and signed with the private key, then sent
along with the packet, and then things would be a lot tougher
for the man in the middle.
However, this kind of encryption is time-intensive, and we want something
that is not only hard to break, but also usable in the real
world. The alternative is to use instead some faster encryption
algorithm to encrypt the main part of the packet, and then
send the key used to encrypt the packet, *but* this key will
be encrypted using the private key and so will be very well-protected.
This way, the heavy-duty encryption is used only for the 'session
key', which is very short, making the whole transaction close
in speed to a non-encrypted one.
SSL works very much like this; a 'master key' is generated
using some random data; it is used to generate a session key
for each session, from which a client write key and a server
write key are generated (you read with the other party's write
key). The server's public key is used to encrypt the master key
during the initial handshake; from then on, the packets are
encrypted with the server or client write key, depending on
who is sending them, a digest is taken, the whole thing is
packaged up with a session number, and off we go.
The client and server write keys are used with some zippier
form of encryption than RSA, say, DES, so that the whole job
gets done quickly, and safe from prying eyes.
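The key handling described above (one master key, a separate write key for each direction, a digest packaged with every record) is sketched below as an added example; it is not code from the original page or from any SSL implementation. It assumes HMAC-SHA256 in place of SSL's own key derivation and digest, a per-record counter as the number packaged with each record, and hypothetical function names; record encryption is left out so the effect of the digest and the two write keys is visible on its own.

```python
import hashlib
import hmac
import os
TAG_LEN = 32  # HMAC-SHA256 output size

def derive_write_keys(master, client_random, server_random):
    """Expand one master key into a separate write key per direction."""
    seed = client_random + server_random
    client_key = hmac.new(master, b"client write" + seed, hashlib.sha256).digest()
    server_key = hmac.new(master, b"server write" + seed, hashlib.sha256).digest()
    return client_key, server_key

def _digest(write_key, seq, payload):
    return hmac.new(write_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def seal(write_key, seq, payload):
    """Package a payload with a digest over (record number, payload)."""
    return payload + _digest(write_key, seq, payload)

def open_record(write_key, seq, record):
    """Check the digest with the sender's write key; raise on mismatch."""
    if len(record) < TAG_LEN:
        raise ValueError("record too short")
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, _digest(write_key, seq, payload)):
        raise ValueError("record digest mismatch")
    return payload

def rejected(write_key, seq, record):
    try:
        open_record(write_key, seq, record)
    except ValueError:
        return True
    return False

def demo():
    # Constructed sample values; SSL sends the master key under the server's public key.
    master = os.urandom(48)
    client_key, server_key = derive_write_keys(master, os.urandom(32), os.urandom(32))
    record = seal(client_key, 0, b"card=constructed-sample")
    altered = bytes([record[0] ^ 1]) + record[1:]
    return {
        "accepted": open_record(client_key, 0, record),
        "altered_rejected": rejected(client_key, 0, altered),
        "replayed_rejected": rejected(client_key, 1, record),
        "reflected_rejected": rejected(server_key, 0, record),
    }

if __name__ == "__main__":
    print(demo())
```

The last three results show what the digest and the split keys buy: a changed byte, a record presented a second time, and a client record bounced back as if the server had written it are all refused.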