vijay

welcome Netizen

Share Your Knowledge.It is a way to achieve immortality

Wednesday, May 30, 2012

What Is SSL (Secure Socket Layer) and How its work?


Secure Socket Layer (SSL) certificates are widely used to help secure and authenticate communications both on  the Internet and within organizational intranets.

History:

SSL is a protocol developed by Netscape in 1995, which quickly became the preferred method for securing data transmissions across the Internet.
SSL is built into every major web server and web browser and makes use of public-private key encryption techniques originally developed by RSA. To make an SSL connection, a web server must have a digital certificate installed; this certificate utilizes the public and private keys used for encryption, and the certificate uniquely and positively identifies the server. You can think of digital certificates as a kind of electronic identification card, not unlike a driver’s license or national identity card, which authenticates the server to the client before establishing an encrypted communications channel. Typically, digital certificates are issued by an independent, trusted third-party to ensure their validity and broad acceptance. The issuer of a certificate is also known as a Certification Authority (CA).
Features of SSL:
People tend to associate SSL with encryption, but in fact, an SSL certificate provides four distinct features,
·         Encryption
·         Integrity
·         Authentication
·         Non-Repudation

ENCRYPTION
Encryption utilizes mathematical algorithms to transform data so that it can only be read by the intended parties. In the case of SSL, the private and public keys provided as part of the server’s digital certificate play an important role in securing data sent to and from the web browser.
INTEGRITY
By encrypting data so that only the intended parties can read it, SSL certificates also ensure the integrity of that data. In other words, if nobody else can successfully read the data, the data cannot be modified in transit. Modifying the encrypted data would render it useless, and the intended parties would then know that someone had tried to tamper with the data.understanding SSL certificates2
AUTHENTICATION
One of the primary roles of the CA in issuing a digital certificate is to validate the identity of the organization, or person, requesting the certificate. SSL certificates are tied to an Internet domain name, and by verifying ownership of that name, a CA ensures that users know with whom they are dealing at a basic level. For example, when you connect to an SSL-enabled web site, such as Amazon.com, the certificate identifies its owner as Amazon, Inc., and you can be sure that you are dealing with Amazon.

NON-REPUDIATION
Encryption, integrity, and authentication combine to establish non-repudiation, which means that neither party in a secured transaction can legitimately state that their communications came from someone other than themselves. This feature removes the option for one party to repudiate, or “take back,” information that they have communicated online
Applications of SSL
SSL can be used in many ways and for different purposes:
• Browser-to-server communications—Most commonly, SSL is used to secure communications between a web server and a web browser, often when sensitive information is being transmitted. This nformation may relate to an online purchase, a patient’s medical data, or banking details. SSL helps ensure that the user of the web browser knows to whom their information is being sent and that only the intended recipient can access the information.

• Server-to-server communications—SSL can also be used to secure communications between two servers, such as two businesses that transact with one another. In this scenario, both servers usually have a certificate, mutually authenticating them to each other as well as securing the communications between them.

• Compliance with legislative and industry requirements—Many legal and industry requirements call for levels of authentication and privacy that SSL certificates provide. The Payment Card Industry Data Security Standard (PCI DSS), for example, requires the use of authentication and encryption technologies during any online payment transaction

 HOW IS AN SSL SESSION CREATED?
An SSL session begins when a web browser sends a request to a web server using the https:// protocol 
The web server responds with its digital ID, which includes its public encryption key. The web browser verifies the digital ID, which may include an online check with the CA as well as a check of the certificate itself for validity dates and other details. Once verified, the browser generates a session key, encrypts the session key using the server’s public key, and sends the package back to the server.

The server decrypts the session key by using the server’s private encryption key, which only the server
possesses. This ensures that only the browser and the server possess the session key, and they can use
that shared key to encrypt further communications between them. Servers usually discard session keys after
several minutes of inactivity


0 comments:

Post a Comment