SSL is based on encrypting data between your browser and a Web server. There are other uses for SSL, but this is perhaps the most widespread use. There are two basic methods for encrypting data transactions on a network:
When you're using symmetric encryption, there is the problem of exchanging the single key so that both sides can use it to encrypt and decrypt the data. How do you send a secret key to the other party to a transaction? Use snail mail, place a telephone call, or send it as plain-text across the Internet? Obviously, none of these methods is truly secure. Sending the key via the postal service can take a few days or more, and using a telephone conversation for each Web server you want to contact can take more time than it would be worth. And, a plain-text transfer, like the previous two methods, is open to interception by a third party. Letters can be opened and resealed. Telephone conversations can be tapped. Plain-text is easily intercepted on the Internet. Although this may sound paranoid for a casual user, a large business might think otherwise. It is not uncommon for corporate spies to go through the trash of a company looking for important data. Certain newspapers usually found at the grocery store check-out lane often use this method to get information about public figures, such as movie stars! You can protect sensitive data stored on paper by simply shredding (or burning) it. Protecting data transferred on the Internet is another thing altogether.
A better method for exchanging the symmetric key is to use public/private (asymmetric) key encryption. This type of exchange can set up an encrypted data path that can then be used to exchange the symmetric key for the remainder of the session. Asymmetric encryption uses both private and public keys, and enables your browser and the Internet server to exchange data without having to first exchange a single encryption key. Digital CertificatesSSL depends on a private and public key pair for the initial exchange of the symmetric key, as well as for authentication using digital certificates. Public keys are readily available on the Internet from companies that provide digital certificate services. There are several major providers of these sorts of keys, such as VeriSign (www.verisign.com) and Entrust (www.entrust.com), among many others. Digital certificates are used so that your browser can ensure that the Web server being contacted is indeed who it says it is. The SSL Handshake ProcedureThe SSL handshake procedure uses public/private keys to accomplish the following:
The exact details of the messages exchanged and the syntax used are a little complicated, but the basic method is as follows:
The preceding steps describe the basic method used to set up an SSL session. Other steps can also be involved. For example, in these steps the client first authenticated the Web server's certificate by contacting the CA to check the validity of the certificate the client received from the server. The opposite can also be performed: The Web server may need to authenticate the client. This will depend on which way sensitive data is being exchanged. If you are placing an order on a Web site and need to send credit-card information, your browser will definitely want to authenticate the Web server. If the Web server is sending sensitive data to the client (such as when you send confidential data to a customer), the Web server should also authenticate the client so that the server knows that the client is who it appears to be. Using Information in the Digital Certificate to Prevent Interception AttacksThe preceding section described the basics of SSL. Although the techniques used may appear to be all that is necessary to ensure secure communications, because both sides of the session can authenticate with each other, that is not always the case. In Chapter 47 you will learn about a "man in the middle" attack that is used by hackers for many different protocols. The concept is to place an application between both of the parties to the secure session during the setup phase, and impersonate the server to the client, and the client to the server. Some of the typical information that is found on a digital certificate includes the following:
The last item, the server's domain name, is not actually part of the SSL protocol. However, it is used by many browsers. The first three items must match those of the certificate presented by the Web server (or the client in the case of client authentication). The server's domain name, however, is very important. For example, if the first three items listed are correct (the certificates have not been altered, and the certificate has not yet expired), does that guarantee that the Web server's certificate has not been stolen and is being used by another Web server to impersonate the server that was originally issued the certificate? The application used to intercept communications between the Web server and the client performs two functions to satisfy both sides of the data exchange, and gain access to the encrypted data that will be sent using SSL:
Using this method is not an easy task. It usually is done by an insider of an organization because intercepting and impersonating clients and the Web sites with which they will establish important sessions is not very profitable, considering the huge amount of traffic on the Internet. Worse yet is the fact that such a compromise in security can produce bad publicity for your company. Would you want to trust an Internet site with your credit-card number if that site had been hacked recently? Yet, when this type of attack succeeds, the application that stands between the client and the server can intercept all data from either side. Worse yet, it can modify the data to serve some other purpose. No matter what the reasoning for using this type of attack, and the fact that it is difficult to implement, this threat can be practically eliminated by using the domain name of the client or Web server's digital certificate. The domain name can be resolved to an IP address. The application that stands between the client and the Web server will have to use a different IP address. Looking up the domain name and checking to see whether the IP address that each side is talking to is accurate usually prevents this kind of attack from occurring. http:// and https://When you are using a browser to access a typical Web page, the address field usually begins with http://, followed by the Web site. When using SSL, you'll notice that this text has an extra character added to it: https://. The "s" that is attached to the URL lets you know that SSL is being used. Watch that field. You might start out on a Web page that uses http://. Then when you decide to make a purchase, or conduct some other transaction involving sensitive information, you will usually have to click on a button. The next page that appears should have https:// in the address field. If it doesn't, don't trust that page. Many browsers will also display a padlock icon on the status bar to indicate that you are connected to a secure site. Adding Another Layer to the Network Protocol StackNow that you have a good understanding of how SSL works, you'll want to know where it fits into the protocol stack on your computer. SSL can work with many protocols other than just HTTP. So it needs to be below the Application layer. Yet, because TCP/IP (at the Network layer) is used to ensure reliable communication sessions, SSL needs to be above TCP/IP in the protocol stack. As you can see in Figure 34.1, that is exactly the case. SSL is stuck neatly between these two layers.
Another important distinction is that the typical port used for HTTP communications is port 80. For SSL that port is usually 443. Both of these settings can be changed by altering the syntax of the URL in the address fields, but it's best to just use the defaults to ensure compatibility with some Web servers that don't let you use another port. |