Secure Socket Layer : A Netscape Baby
Netscape created the first version (1.1) of the SSL protocol in 1994 and since then it has evolved and the final version 1.3 has been accepted as a standard in the web community for secure wire transfers. SSL is used to send data in encrypted data over the wire. Encryption is necessary when you are sending sensitive data like any funds transaction, credit card related data, or any sh*t in this world that you feel should be secured from an unautherised access and should reach in safe hands.
SSL is meant to ensure that your data reaches the safe hands. How does it all happens but? Before we can actually discuss the process lemme tell you some key terms that are you need to know for better understanding of the whole of the process.
Certificate: A certificate or digital certificate is an electronic document that is used to establish trust between the two parties (client and server) who want to communicate on the wire. It has following information which is used in establishing the authenticity and trust between two parties:
- Information about the owner of the certificate, like e-mail address, owner’s name
- Certificate usage, duration of validity
- Resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending of the usage) and the certificate ID of the person who certifies (signs) this information.
Lets also have a look at how beautiful a certificate look:
Version: 3 (0×2)
Serial Number: 1 (0×1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FJ, ST=Fiji, L=Sanjeev, O=SOPAC, OU=ICT, CN=SOPAC Root CA/Emailemail@example.com
Not Before: Nov 20 05:47:44 2001 GMT
Not After : Nov 20 05:47:44 2002 GMT
Subject: C=DI, ST=DIRECT, L=Mansha, O=DIRECT, OU=ICT, CN=www.directi.com/Emailfirstname.lastname@example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0×10001)
X509v3 Basic Constraints:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
DirName:/C=FJ/ST=Fiji/L=Suva/O=SOPAC/OU=ICT/CN=SOPAC Root CA/Emailemail@example.com
Signature Algorithm: md5WithRSAEncryption
Besides the above information, you can notice that there is a public key information also in the certificate.
Public Key / Private Key: The key is based on prime numbers and their length in terms of bits ensures the difficulty of being able to decrypt the message without the having the key pairs. This is the key using which the data to be transferred on wire is encrypted. The process is known as Public-key cryptography, or asymmetric cryptography. By asymmetric we mean that the keys used to encrypt and decrypt the message are different. The private key is nothing different than the public key, the only difference being, as the name suggests, it is always kept secret. The message encrypted with the public key can only be decrypted using the private key and vice versa.
Now after knowing all these terms, I would like to pen down the simple steps in which the whole encryption/decryption process happens:
- A client (browser) requests a secure page (https).
- The web server first sends it’s public key enclosed within a certificate.
- The client checks that the certificate was issued by a trusted party (usually a trusted Certificate Authority), that the certificate is still valid, and that the certificate is related to the site contacted.
- The client uses the public key of the certificate to encrypt the data and sends it to the server.
- Teh server decrypts the message using the private key.
- The server then process the request and encrypts the result data using its private key and sends it back to the client.
The above type of encryption mechanism is known as Asymmetric Cryptography as the keys which are involved in encryption and decryption are different. But there is a flaw in the above process. The data that is being sent by the server back to the client, can be decrypted by any of the clients who have ever contacted the server. This is because all those clients would have the public key of the certificate (as you know the public key is distributed openly with the certificate). So basically the above process just offered one way protection of the data.
In order to solve this problem, the above process need to be modified a little. The solution is to have some key that only the client and the server know about and is unique for every single session. This is achieved by the process called Key Exchange. In this process after receiving the public key for the first time from the server certificate, the client generates a random key and encrypts it using the public key. This key is then sent to the server which server decrypts and thus they have a key which only the lint and the server know about. Any further communication between the client and the server happens using this key thereafter. That is the server then uses that key to encrypt the message sent to the client and the does the client. In fact the same key is used to decrypt the messages. So the same key is used for encryption and decryption both. And therefore this process is also known as Symmetric Cryptography. Since the same key is used this process o communication is relatively faster than the asymmetric one.
For the symmetric encryption, the above process is changed as follows:
4. The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested html document and HTTP data encrypted with the symmetric key.
7. The browser decrypts the HTTP data and html document using the symmetric key and displays the information.
- Point to Point Security: SSL only offers point to point security rather than end-to-end. By end to end we mean that when the data needs to go form one one end to the other passing through various nodes in between, where in the data needs to be processed by each node then it requires cumbersome task of encrypting and decrypting data at each point where any processing is required till the data reaches the final destination.
- Acts at the Transport layer and not on the Message layer: This means that SSL provides security only as long as the data is in the wire i.e. online and as soon as the is downloaded on the physical disk, the security is lost.
- Its atomic encryption: In SSL if you want to encrypt or secure a part of a long file and keep the rest as such, then it is not possible. It either does the whole data encryption or does not do at all for the whole data.