Secure Sockets Layer - PowerPoint PPT Presentation

About This Presentation
Title:

Secure Sockets Layer


Slides: 15
Provided by: Khoa

Transcript and Presenter's Notes

Title: Secure Sockets Layer


1
Secure Sockets Layer
  • SSL/HTTPS

2
Quick review of HTTP: Hyper Text Transfer
Protocol
  • HTTP: Underlying protocol used on the
    World Wide Web.
  • The HTTP protocol defines the procedure by which
    messages or information will be transferred
    between the web browser/client and the web server
    over the Internet.

3
Quick review of HTTP (cont.)
  • Messages are transferred in plain text.
  • No standard way to authenticate the web server.
  • Bad guys might create a replica web server to
    obtain critical user information.

4
Secure Sockets Layer (SSL)
  • SSL encrypts and secures messages from
    traditional insecure protocols like HTTP.
  • The SSL version of HTTP is HTTPS.
  • HTTPS: The web browser always authenticates the web
    server before sending out or exchanging any data
    with the web server.
  • An encryption method and a new session encryption
    key will be established when the authentication
    process between the browser and server is
    completed.

5
The implementation of Secure Sockets Layer - Web
server side
  • An SSL secure web server needs to have a
    certificate.
  • Basic information on the certificate: secure web
    server name, public key, and the
    signature (p. 79-80).
  • The private key is never sent over the network.
  • Certificate authorities (CA):
    www.verisign.com, www.webtrust.org

6
SSL Implementation (cont.): Web browser/Client side
  • Receives a copy of the certificate.
  • Two important steps have to be accomplished:
  • Verifying the certificate.
  • Identifying the web server.

7
SSL Flowchart
Reference source: http://www.nusphere.com/products/graphics/ssl_flowchart.gif

8
Step 1: Verifying the authenticity of the
certificate
  • Generating a hash of the certificate data about the
    web server locally at the web browser: public
    key, secure web server name, certificate
    authority, signature.
  • Checking the list of certificate authorities (CAs).
  • Retrieving the public key from the CA.
  • The CA uses the private key to generate the
    signature of the secure web server and sends it to
    the web browser.
  • The web browser combines the public key with the
    signature to obtain the original of the
    certificate as it was when it was created.
  • Comparing this information with the one generated
    locally to decide on the validity and
    reliability of the certificate.

9
Step 2: Identifying the secure web server
  • The web browser sends an encrypted message to the
    web server.
  • The encrypted message is created by encrypting the
    message with the public key.

10
Identifying the secure web server (cont.)
  • Only the legitimate web server will have the
    private key to decrypt the encrypted message.
  • The secure web server is identified.
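
Steps 1 and 2 above, as an added worked example that is not part of the original presentation: textbook RSA with constructed toy keys stands in for the real SSL algorithms, and every name in it (`ca_issue`, `verify_certificate`, `identify_server`, "Example CA", www.example.com) is hypothetical. It shows a replica server failing step 1 when it swaps in its own public key, and failing step 2 when it copies the genuine certificate unchanged.

```python
import hashlib

E = 65537  # public exponent used by every toy key below

def make_key(p, q):
    """Textbook RSA: return (modulus n, private exponent d) from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys from Mersenne primes: illustration only, no padding,
# far too small for real use.
CA_N, CA_D = make_key(2**89 - 1, 2**107 - 1)        # certificate authority
SRV_N, SRV_D = make_key(2**61 - 1, 2**127 - 1)      # legitimate web server
FAKE_N, FAKE_D = make_key(2**107 - 1, 2**127 - 1)   # replica server's own key

def cert_hash(cert, ca_n):
    """Hash the certificate data (server name, public key, CA name)."""
    data = f"{cert['name']}|{cert['pub_n']}|{E}|{cert['ca']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ca_n

def ca_issue(name, pub_n, ca="Example CA"):
    """CA side: sign the certificate hash with the CA private key."""
    cert = {"name": name, "pub_n": pub_n, "ca": ca}
    cert["sig"] = pow(cert_hash(cert, CA_N), CA_D, CA_N)
    return cert

def verify_certificate(cert, trusted_cas):
    """Step 1: check the CA list, hash locally, recover the signed hash, compare."""
    ca_n = trusted_cas.get(cert["ca"])
    if ca_n is None:
        return False                       # issuer is not on the browser's CA list
    return pow(cert["sig"], E, ca_n) == cert_hash(cert, ca_n)

def identify_server(cert, server_n, server_d, challenge):
    """Step 2: encrypt a challenge to the certified key; the peer must decrypt it."""
    ciphertext = pow(challenge, E, cert["pub_n"])             # browser side
    return pow(ciphertext, server_d, server_n) == challenge   # peer's answer

TRUSTED = {"Example CA": CA_N}
CHALLENGE = int.from_bytes(b"constructed nonce", "big")
GENUINE = ca_issue("www.example.com", SRV_N)
FORGED = dict(GENUINE, pub_n=FAKE_N)   # replica swaps in its own public key

if __name__ == "__main__":
    print("genuine certificate verifies:", verify_certificate(GENUINE, TRUSTED))
    print("forged certificate verifies: ", verify_certificate(FORGED, TRUSTED))
    print("real server identified:      ", identify_server(GENUINE, SRV_N, SRV_D, CHALLENGE))
    print("replica with copied cert:    ", identify_server(GENUINE, FAKE_N, FAKE_D, CHALLENGE))
```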

11
Final phase in SSL/HTTPS communication
  • A new session key is created by the web browser
    and sent to the secure web server.
  • A new secure communication is established.
  • Both hosts will use this key for any web
    conversation.
  • No other computers in the world have a copy of
    the key.

12
Overview of a SSL/HTTPS communication
  • SSL/HTTPS is an asymmetric encryption system. It
    uses two keys, a private key and a public key, in
    encrypting and decrypting the message.
  • A secure web server must have a certificate. This
    digital certificate includes the web server name,
    the web server public key, the web server
    signature, and certificate authority name.
  • The web server private key is kept secret and
    is never sent over the network.

13
References
  • Pfleeger, Charles, and Shari Lawrence Pfleeger.
    Security in Computing. Third edition, 2003.
  • www.verisign.com
  • www.webtrust.org
  • http://www.fastlanetek.com/sites/netgear/genvpn/vpn02/03vpn02.htm
  • http://www.marketinghacker.com.br/palestra/linkania04.htm
  • http://www.nuitari.de/crypto.html

14
How is my presentation? Any questions?