SSL or
Secure
Sockets
Layer is a cryptographic protocol created originally by
Netscape to provide a secure communication protocol over the Internet for applications such as web browsers, email programs, FTP, instant messaging and other such data transfers. SSL allows applications to communicate over a network and provide the end user with data that is not subject to a third party listening in or tampering with the intended data. SSL provides endpoint authentication and uses cryptology to provide communication privacy across the Internet. In a typical SSL setup, a server is authenticated while the client remains unauthenticated. What this means is the end user knows exactly with whom they're communicating. There is a higher level of security called mutual authentication in which a public key is passed between the server and the end user to ensure that both are authenticated and trusted.
SSL operates in three steps:
- Negotiation with the peer for support of algorithms
- Public key encryption for certificate based authentication
- Symmetric cipher for traffic encryption
During the first step, the server and the client negotiate using cryptographic alogrithms and impliment the following encryption choices:
- For public-key encryption - RSA, Diffie Hellman, DSA
- For symmetric ciphers - RC2, RC4, IDEA, DES, Triple DES, AES or Camellia
- For one-way hash functions - MD2, MD4, MD5 or SHA.
In a typical browser
Session, SSL can be summarized in six basic steps. SSL establishes a connection negotiated by a handshaking procedure between the client and the server. During this handshake, the following happens:
- The handshake begins when a browser connects to an SSL enabled server and requests the server's identification
- The server sends its identification in the form of a secured digital certificate. This certificate usually contains the name, the trusted certificate authority and the public encryption key. At this time, the browser may contact the stated certificate authority to confirm that the certificate is authentic before moving on. The browser then presents a list of encryption algorithms.
- The server decides which algorithm is the strongest from the list and establishes the encryption protocol. The browser uses the server public key from the certificate to encrypt a random number and sends that to the server.
- This data can be encrypted from the client and only the server can decrypt it which is why third parties cannot access the data.
- The server replies with random data.
- Both the client and the server use the selected hash funtion and secure communication has been established. If any one of these steps fail, the handshake fails and the connection is closed.
SSL runs on layers beneath the application layer of the OSI model which give way to protocols such as HTTP, FTP, SMTP, NNTP and XMPP. In contrast, it runs above the TCP portion of the OSI model. While SSL can add encryption to any protocol that uses reliable connections, it is most commonly used with HTTP in the form of HTTPS. HTTPS is used on web pages that commonly partake in electronic commerce. SSL offers a secure transmission of personal information without the worry of a third party illegally obtaining it. Additionally, SSL is commonly used within FTP protocols to provide secure and uninterupted file transfer between a host and a peer.