Is a cryptographic protocol used to guarantee information and telecommunication security. Created in 1994 by Netscape, in collaboration with Bank of America, MCI, Mastercard and Silicon Graphics, it immediately became the standard used to exchange data on the Internet. The protocol, now at its 3.0 release, is supported by the the main Web clients and servers. For the moment it is the most largely used standard adopted by Web services. Used to protect data alterations, non authorized accesses, e-commerce services and trading online.
SSL developed and evolved with the birth of Internet, that brought the need for information security. Because the Internet is a highly insecure communication system it requires by nature instruments that guarantee protection against attacks (Spamming, phishing, spyware, Bot net, interception) that a company's information system is subject to everyday. The damage caused increases proportionally with the importance of the intercepted information. When talking about the RSA algorithm we mentioned the importance of having techniques and systems that are able to guarantee data security in compliance with privacy principles, integrity, authenticity e non-repudiation. In order to guarantee communication security over the Internet, SSL uses cryptography and public keys. Lets see in detail how SSL works.
Lets start by defining what the protocol guarantees in terms of security.
SSL protocol objectives.
Following are the objectives that Netscape engineers set when developing the SSL protocol: - Protected connection: SSL enables a secure connection between two entities and guarantees that the data exchanged is non readable or interpretable by unauthorized third parties. - Interaction: SSL's communiction interface was designed to enable interaction among different devices. Programmers from different organizations are be able to develop applications by only making arrangements on the cryptographic algorithms without knowing each others source code; - Easy Update: SSL tries to supply a structure that allows future public and symmetric key cipher methods, that by nature are modified due to the increasing calculating computation capabilities of the elaborators used for decoding, to be incorporated without having to develop a new protocol; - Efficiency: Cryptographic operations tend to be laborious, especially during public key encryption processes. For this reason SSL incorporated session caching schemes (optional) to decrease the number of connections that require to be newly established, consequently decreasing the amount of activity on the network.
In order to guarantee the above objectives the protocol was developed following specific criteria.
SSL protocol's features
The SSL protocol guarantees security when data is exchanged in a non secure environment thanks to the following features that distinguish it:
- Connection Security: To guarantee a secure connection between two users that are communicating, the SSL protocol uses cryptographic algorithms and symmetric keys that make the data exchanged between the users unreadable(example; DES, AES);
- Authenticatione: Identity authentication during connection is guaranteed by using public key cryptography (example; RSA, DSS etc). This guarantees the fact that the clients are communicating with the right server, preventing eventual exchanges. Furthermore server and client certification is provided;
- Integrity of the information exchanged: The transmission level includes an integrity check on the message based on a MAC tag (Message Authentication Code) that is generated by using the secure hash function made available by SSL (exapmple; SHA, MD5 etc.). This allows to verify that the data exchanged between client and server has not been altered during transmission by checking the MAC field.
SSL protocol applications
The SSL protcol, as we said at the beginning of this document, is widely used in many applications. It is used to:
- encrypt web traffic using Hypertext Transfer Protocol (HTTP). When HTTP is used with SSL, it is conventionally called HTTPS.
- to authenticate Web servers and encrypt communications between browser and Web servers. Understanding SSL (Secure Sockets Layer)
- as a base for new protocols. Since 2001 the Internet Engineering Task Force (IETF) uses SSL as the base for the development of its own protocol- Transport Layer Security (TLS). SSL and TLS are strictly linked to each other, they both use the same known port and the majority of SSL's implementations support TLS.
- encrypts the traffic generated through e-mails and newsgroups.
Kryptotel's use of the SSL protocol
Kryptotel uses the encrypted 256 bit SSL protocol, universally known as being inviolable, for the connection to e-mail servers and for the KryptoComputer solution.
The use of the SSL protocol is justified by the fact that there is no trace of the e-mail transmission, this means that documents that are attached to the e-mails are codified just like the message.
Communication Protection process through the use of SSL protocol
In order to protect the information exchanged on the Internet the SSL protocol uses a hybrid encryption. It deals with a threesome of algorithms, a symmetric, an asymmetric and a hash, obtaining a perfect balance between security and calculation speed. Every session of the SSL protocol starts with the "handshake" phase, that is an exchange of messages using public key cryptography, with the goal of creating a secure and protected communication channel, peer-to-peer, between two terminals, a client and a server (authentication phase).
The next phase consists in the creation, through client and server collaboration, of a session key used to increase the speed of the exchanged data, maintaining their confidentiality and integrity.
The SSL's protocol encryption process can be summarized as following:
1. ClientHello - The client asks the server to establish a communication by sending, together with that information, the version number of the supported SSL, and the information on the private key encryption algorithms supported by the client.
2. ServerHello - The server sends to the client the identification number of the SSL protocol version supported and the settings of the private key encryption algorithms in use.
3. The client proceeds with the authentication of the server by examining the provided certificate, checking that the CA that it was undersigned with appears in the the list of trusted CAs.
4. The server requests the certificate to the client for the authentication.
5. The client sends the certificate to the server. If the server is not able to authenticate it, then an encrypted SSL connection cannot be established, instead if the authentication is successful we move on to the next phase.
6. ClientKeyExchange - The client creates a premaster secret (session key) that can be used only for the present exchange of information and data, it is encrypted with the server's public key (contained in the server's certificate) and it sends the encrypted session key to the server.
7. If the server has requested authentication to the client (optional step) the clients sends part of the data in this session and digitally signs this data and sends it's certificate together with the encrypted session key.
8. ChangeCipherSpec - Client and Server communicate to each other that the data that will be exchanged in the next phase will be encrypted with the session key previously exchanged.
9. Finished - The server sends an encrypted message indicating, on its behalf, the end of the handshake session, the client consequently responds. The handshake phase ends and the real SSL session begins. The client and the server use the session key to encrypt and decrypt the data that they mutually exchange to validate the integrity.
SSL Handshake procedure