Saturday, 24 September 2011

How SSL works ?

Secure Socket Layer (SSL)

The Secure Sockets Layer (SSL) is a protocol that provides secure communication between client and server.  Here the client is your browser and server is the web site you're communicating with. Secure communication has three main goals: privacy, message integrity, and authentication.

Example for SSL Usage :-
Alice -> Client
Bob -> Server


Alice intends to trnasmit sensitive information to Bob. Alice wants to make sure that the information she sends to Bob is kept confidential (privacy), and cannot be altered along the way (message integrity). She also wants to make sure that she's really sending the information to Bob and not an imposter (authentication).

Privacy:- Using Cryptography plaintext message is encrypted into ciphertext.

Public Key Cryptography
The information used to turn a plaintext message into an encrypted ciphertext message is a key. Public key cryptography makes use of a pair of keys, one is public, and the other is private.

Alice wants to send Bob private information, so Bob says, "Here Alice, use this public key to encrypt your message before sending it to me. When I receive your encrypted message I will use my private key to decrypt your message." It's okay for anyone to have a copy of the public key, but only Bob should have a copy of his private key. A plaintext message encrypted with the public key can only be decrypted with corresponding private key.

Message Integrity :-
When Alice sends the message to Bob, some data could get lost or corrupted. Message integrity is achieved by sending a message digest along with the encrypted message. A message digest is a fixed-length representation of a message.

Alice says to Bob, "I'm going to send you an encrypted message. So that you know my message to you hasn't been intercepted and altered along the way, I'm also sending a fingerprint of my original message. Please check the fingerprint to see if it matches when you receive my message."

Authentication
How does Alice know that she is really sending the message to Bob? Alice needs to authenticate Bob, to make sure he's really Bob and not someone else. Authentication is achieved by Digital Certificates.

Digital SSL Certificates
A digital certificate is an electronic document. Inside that certificate is a copy of sender's public key and information about its owner (domain name, organization name, location).

Why Should Alice Trust the Information ?

Because the SSL certificate is verified or "signed" by a trusted third party Certificate Authority, such as GeoTrust. The trusted Certificate Authority's job is to verify Bob's application for a digital SSL certificate. The authentication process can range from verifying that Bob has authoritative control of his domain (for GeoTrust QuickSSL), to requiring Bob to submit legal documents that verify Bob's business or organization (for GeoTrust True BusinessID). Once Bob's identity has been verified he will be issued a digital SSL certificate.

All of these concepts- privacy by encryption, integrity by message digests (fingerprinting), and authentication by digital SSL certificates- are integrated into the SSL protocol to allow Alice and Bob to communicate securely.

Why SSL exists ?

For 2 basic purposes
Encryption - Converting plain text to cipher text.
Identification - Need to trust the computer on the other end as the computer you think it is.

ENCRYPTION - How ?

1. Computers agree on how to encrypt data between them.
2. Server sends Certificate which containing Public Key.
3. Client computer says 'Start Encrypting'.
4. The Server says 'Start Encryting'
5. All messages are now encrypted.

1. Computers agree on how to encrypt
In the first part of the SSL Handshake computers agree on how to encrypt.
i) Client send 'Hello' to Server.
It contains the foll :-
Key exchange methods such as RSA, Deffie-Hellman, DSA.
Ciphers (way of encrypting data) - RC4, Triple DES, AES.
HASH (Used to generate Message Authentication code which is sent along to ensure integrity of the messages) - HMAC-MD5, HMAC-SHA.
Also sent is SSL Version (eg: 3.3 for TLS)
And a random number which is used to compute a master secret which is then used to calculate encryption keys.

ii) The server picks one of the methods from each of the various sent by the client. And they are ready for the next stage.

2. Server sends Certificate
Certificate contains info about who the server belongs to, validity, various Serial No's, and importantly the Public Key. So, server sends the Certificate to the client.

3. Your computer says 'Start Encrypting'Three messages accomplish this.
i) Client Key Exchange - Once this is sent, both computers can calculate a master Secret code. So, from now on, the Master Secret Code is used to encrypt all of the data communication between.
ii) Change Cipher Specification - Client asks, to change to the cipher spec previously agreed on.
iii) Lets Start - Start Encrypting

4. The server says 'Start Encryting'
i) Change Cipher Spec - It gives the cipher specification.
ii) Finished - Lets Go. So, the FINISH message is completly encrypted by the server and sent to the client.


5. All messages are now encrypted.Now all messages are encrypted.


IDENTIFICATION - How ?

Who to Trust ?
1. Company asks CA for Certificate. (CA is the Certification Authority like VeriSign or Thwate.)
2. CA creates certificate. (CA will first verify the details of the org, and crptographically sign it in a way that cannot be forged.)
3. Certificate installed in Server. (Then they send the Certificate back to the Organization, who then installs it on their web server.)
4. Browser issued with root certificates.
5. Browser trusts only correctly signed Certificates.(Client's browser will trust correctly signed certificates, but it will not trust incorrectly signed certificates.)


1. Company asks CA for Certificate.In order to do this the company has to give a whole lot of information, like
The Web Server.
What the company is ?
Where is it located ?
Certificate Authority checks correctness and authenticity of the organization. (It uses Puublic Records and
various other methods.) 


2. CA creates certificate.  
It creates the certificate and signs it.
Certificate Info :-
Version
Serial Number
Algorithm ID
Issuer
Validity
Company Details
Subject Public Key Info
    Algorithm
    Key
Identifier for Issuer
Identifier for Company
Signature Algorithm
Signature

Signature is created by condensing all details into a number through a Hash Function.
So, all the info before Signature Algorithm will be condensed into a single number.
Then CA encrypts that number with the private key. So, anyone holding a public key can verify it.
Thats a signature.

3. Certificate is installed on the Server.
Now that Certificate is given to the Organization, who installs it on the Server.
The Organization will run a Webserver. (Apache, Tomcat etc.)
The Certificate is installed into this server.
The Webserver is configured to use the certificate.
From then on the Certificate is going to be used in the Handshake process of the SSL.

4. Browser issued with root certificates.
Any Browser ships with out of the box Certificates from CAs all around the world called the Root Certificates, and that enables it to check the authenticity of any Certificates.

5. Browser trusts only correctly signed Certificates .
The Root Certificates installed on the browser has the public key of that CA in it. So, when it recieves a Certificate from a site, it is able to verify if the signature is absolutly correct.

No comments:

Post a Comment