Friday, September 27, 2013

Secure Socket Layer

Internet traffic needs to be encrypted when we are passing confidential data across the network. Not everything on the internet needs to be encrypted, but when we are contacting an online bank to perform operations, we should encrypt data like the user name and password before sending them to the web site.

When you log on to your bank's website, your traffic travels through your ISP's network. If your bank is not a customer of the same ISP, your data will travel through at least one more ISP's network, and often a few other networks. So there are many opportunities for criminals to "sniff" your traffic. If you are connected to the internet over a wireless connection, then your account information is literally floating around in the air, where people nearby can receive it.

So, in layman's terms:

SSL, or Secure Socket Layer, is a cryptographic protocol that provides data integrity and security for communications over TCP/IP networks.

SSL allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery.

Encrypting and decrypting data takes additional computer power. So, most of the time as you surf the web, none of your traffic is encrypted until you go to a website where money is involved such as your bank, broker, or credit card company.

How does the Encryption Work
The one big question is how encryption works in the SSL case. We will look at asymmetric encryption and symmetric encryption and see how they work together to achieve it.

Asymmetric Encryption or public-key cryptography
In this mode there are 2 keys:
public key
private key

Users normally take the public key made available by the server and use it to encrypt data. Once the encrypted data arrives at the destination, the private key is used to decrypt the message. In this way only the intended recipient is able to decrypt the message.

The most common asymmetric encryption algorithm is RSA.

Symmetric Encryption

Symmetric encryption uses a single key to both encrypt and decrypt data. Both the sender and the receiver need the same key to communicate.

Which is Stronger
There are 2 important points we need to consider when using SSL. They are:
computational overhead
ease of distribution

Asymmetric keys are typically 1024 or 2048 bits and symmetric keys are typically 128 or 256 bits. Since the key size is bigger, asymmetric keys are generally stronger.

But since the key size is much smaller, the computation for symmetric keys is much cheaper. The main problem is that we use the same key for both encryption and decryption, so that key has to reach the other party without being exposed to anyone else.

This is not the case with asymmetric keys. Two keys are used, and the public key can be distributed over the internet without any problem, as only the private key can decrypt what it encrypts.

Public Key Infrastructure (PKI)
This is the set of hardware, people, software and policies needed to create, manage, distribute, use, store, and revoke digital certificates. So a PKI is what binds keys to user identities by means of a Certificate Authority (CA).

The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

A public key infrastructure consists of:

A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key

A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor

One or more directories where the certificates (with their public keys) are held

A certificate management system

So coming to the encryption, this is how it works when we contact a web site:

1. The server sends its asymmetric public key to the user.
2. The user takes the asymmetric public key, creates a symmetric key, encrypts the symmetric key with the asymmetric public key provided by the server, and sends the encrypted data to the server.
3. The server decrypts the encrypted data using the asymmetric private key available on the server and gets the symmetric key sent by the user.
4. From now on, the client and server communicate using the symmetric key.

Asymmetric keys = RSA
Symmetric keys = Twofish, AES, or Blowfish, with AES currently being the most popular

All browsers are able to connect to servers over SSL. But in order for the communication to be encrypted we need something called a Certificate.

What is a Certificate
The certificate contains the public and private keys that help in encrypting the data communication.

The certificate also includes a SUBJECT element which tells us about the identity of the certificate/website owner.

How Do we get this Certificate
In order to get a certificate we first need to create a Certificate Signing Request (CSR) on the server.

The CSR contains encoded information specific to your company and domain name; this information is known as a Distinguished Name or DN. The DN for most servers contains the following fields: Country, State (or Province), Locality (or City), Organization, Organizational Unit, and Common Name.

Creating the CSR produces the private key and a data file, and it is this data file that we send to the Certificate Authority (CA). The CA uses the CSR data file to create a public key to match your private key.

Once you receive the SSL certificate, you install it on your server. You also install a pair of intermediate certificates that establish the credibility of your SSL certificate by tying it to your CA's root certificate. This is called the certificate chain.

Anyone can create a certificate, but browsers only recognise certificates from known or trusted Certificate Authorities. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store.

Once the browser has established that the certificate comes from a trusted CA, it is good to connect to the server.

How does the SSL Certificate help in Securing the Connection

1. The browser connects to a web server (website) secured with SSL (https) and asks the server to identify itself.
2. The server sends a copy of its SSL certificate, including the server's public key.
3. The browser checks the certificate's root against its list of trusted CAs, and that the certificate is unexpired, unrevoked, and that its common name is valid for the website it is connecting to. If the browser trusts the certificate, it creates a symmetric session key, encrypts it using the server's public key and sends it back.
4. The server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
5. Server and browser now encrypt all transmitted data with the session key.
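The checks in step 3 (trusted root, unexpired, name matches the site), as an added example that is not part of the original post: Go's crypto/x509 builds a self-signed root CA and a server certificate signed by it, the way a CA does after receiving a CSR, and BrowserCheck then verifies the leaf against a Trusted Root CA store exactly as a browser would. The names issue, NewChain, BrowserCheck and "Example Root CA" are my own, and Ed25519 keys are used to keep the code short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a key pair for tmpl and signs the certificate with signer, or with its own key when signer is nil (root CA).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewChain plays the CA: a self-signed root, then a server certificate for host signed by it (as after receiving a CSR).
func NewChain(host string, notAfter time.Time) (*x509.Certificate, *x509.Certificate, error) {
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter} // DNSNames is what the browser matches the site name against
	leaf, _, err := issue(leafTmpl, root, rootKey) // the server keeps its private key; it never goes to the CA
	return leaf, root, err
}
// BrowserCheck mirrors step 3: trusted root, within its validity period, and a name matching the site.
func BrowserCheck(leaf *x509.Certificate, trusted []*x509.Certificate, site string) error {
	pool := x509.NewCertPool() // the browser's Trusted Root CA store
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: site})
	return err
}
```

Revocation (the "unrevoked" part of step 3) is not covered by Verify; a browser consults CRLs or OCSP for that separately.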

In the next articles we will see how we can configure SSL on servers.