Internet
traffic needs to be encrypted when we are passing confidential data
across the network. Now every thing on the internet needs to be
encrypted, but when we are contacting a Online back for performing
operations. We should encrypt the data like user name and password
and send them to the web site.
When
you logon to your bank’s website, your traffic travels through your
ISP’s network. If your bank is not a customer of the same ISP, your
data will travel through at least one more ISP’s network, and often
a few other networks. So there are many opportunities for criminals
to “sniff” your traffic. If you are connected to the internet
with a wireless connection, then your account info is literally
floating around in the air where people nearby can receive it.
So
In layman Terms,
SSL
Or Secure Socket layer is a Cryptographic protocol that provides data
integrity and security for communications over the Tcp/Ip networks.
SSL
allows the application to communicate across a network in a way
designed to prevent eavesdropping, tampering, and message forgery.
Encrypting
and decrypting data takes additional computer power. So, most of the
time as you surf the web, none of your traffic is encrypted until you
go to a website where money is involved such as your bank, broker, or
credit card company.
How
does the Encryption Works
The
One big Question is how does the encryption works in SSL Case. We
will see
Asymmetric
Encryption and symmetric Encryption and see how they work together in
achieving the encryption.
Asymmetric
Encryption or public-key cryptography
in
this mode , there will be 2 keys
public
key
private
key
The
users will normally use the public key available from the Server and
uses that to encrypt data. Once the encrypted data is available at
the Destination , uses the private key to decrypt the message. In
this way only the intended people will be able to decrypt the
message.
The
most common asymmetric encryption algorithm is RSA.
Symmetric
Encryption
Symmetric
encryption uses a single key to both encrypt and decrypt data. Both
the sender and the receiver need the same key to communicate.
Which
is Stronger
There
are 2 important points we need to consider when using the SSL.They
are
computational
Over head
ease
of distribution
Asymmetric
keys are typically 1024 or 2048 bits and Symmetric key sizes are
typically 128 or 256 bits. Since the key size is bigger , the
asymmetric keys are generally Stronger.
But
since the key size is very less , the computation for the symmetric
keys are very less . The main problem is since we use the same key
for both encryption and decryption.
This
is not in the case of Asymmetric key. Two keys are used where the
public key is distributed over the internet with out any problems as
only the private key can decrypt it.
Public
Key Infrastructure (PKI)
This
is a set of hardware , people , software,polices that are needed to
create, manage, distribute, use, store, and revoke digital
certificates. So a PKI is the one which binds keys with user
identities by means of the Certificate Authority (CA).
The
public key infrastructure provides for a digital certificate that can
identify an individual or an organization and directory services that
can store and, when necessary, revoke the certificates.
A
public key infrastructure consists of:
A
certificate authority (CA) that issues and verifies digital
certificate. A certificate includes the public key or information
about the public key
A
registration authority (RA) that acts as the verifier for the
certificate authority before a digital certificate is issued to a
requestor
One
or more directories where the certificates (with their public keys)
are held
A
certificate management system
So
coming to the Encryption, this is how it works
When
we contact a Web Site
1.The
Server sends the Asymmetric public key to the User
2.The
user takes the asymmetric public key ,
create
a Symmetric key
encrypts
the symmetric key with the asymmetric public key provided by the
server
send
the encrypted data to the server
3.The
server decrypts the encrypted data using the Asymmetric private key
available with the server and gets the symmetric key send by the User
4.For
now the client and Server communication happens using the symmetric
keys
Asymmetric
keys = RSA
Symmetric
Keys = Twofish, AES, or Blowfish, to create keys—AES currently
being the most popular
Certificate
All
Browsers are able to connect to the Servers on SSL. But in order for
the communication to be encrypted we need some thing called
Certificate.
What
is a Certificate
The
Certificate contains public and private keys which helps in
encrypting the Data Communication.
The
certificate also includes a SUBJECT element which tells us about the
identity of the certificate/website owner.
How
Do we get this Certificate
In
Order to get a Certificate we need to first create a Certificate
Signing Request (CSR) on your server.
CSR
will contain encoded information specific to your company and domain
name; this information is known as a Distinguished Name or DN. The DN
for most servers contains the following fields: Country, State (or
province), Locality (or city), Organization, Organizational Unit, and
Common Name.
The
CSR creates the Private key and also a Data File and we will use
these to send to the Certificate Authority ( CA ) . The CA uses the
CSR data file to create a public key to match your private key.
Once
you receive the SSL Certificate, you install it on your server. You
also install a pair of intermediate certificates that establish the
credibility of your SSL Certificate by tying it to your CA’s root
certificate. This is called Certificate Chain
Any
one can create a Certificate but browsers only identify certificates
from a Known Certificate authorities or trusted CA's .Browsers come
with a pre-installed list of trusted CAs, known as the Trusted Root
CA store.
Once
the Certificate is trusted by the browser from the trusted CA's ,it
is now good to connect to the server.
How
does the SSL Certificate helps in Securing the Connections
1.Browser
connects to a web server (website) secured with SSL (https). Browser
requests that the server identify itself.
2.Server
sends a copy of its SSL Certificate, including the server’s public
key.
3.Browser
checks the certificate root against a list of trusted CAs and that
the certificate is unexpired, unrevoked, and that its common name is
valid for the website that it is connecting to. If the browser trusts
the certificate, it creates, encrypts, and sends back a symmetric
session key using the server’s public key.
4.Server
decrypts the symmetric session key using its private key and sends
back an acknowledgement encrypted with the session key to start the
encrypted session.
Server
and Browser now encrypt all transmitted data with the session key.
In
the next Articles We will see How we can Configure SSL On Servers.
