Understanding the working of Secure Socket Layer(SSL)
Due to the increase in widespread use of internet website's for online bank transactions, and exchange of sensitive information, over the wire, several efforts were made to secure the communication.
The result of such efforts are evident from different communication protocol's that exists today. We will be discussing two such protocol's in this post.
- SSL(Secure Socket Layer)
- TLS(Transport Layer Security)
The current version of SSL is version 3.0. This was initially made and released by Netscape(currently their browser source code is called as Mozilla.) in 1999. IETF(Internet Engineering Task Force), the people who standardizes internet protocol's standardized SSL,by making their version of the protocol, and is now called as TLS v1.0.
Secure Socket Layer believes in the principle of authenticating the server, to the client by showing a certificate to the client. But the client is only authenticated by the login username and password, if present. This is because the client should be able to login or access her mail from different computer's.
However, there are mechanism's that is included inside initial handshake protocol to support client side certificates also(But is an optional method, which is seldom used in practical)
An important fact to note with regard to SSL communication is that, client configuration changes are not required, because the ability to communicate with an SSL enabled server is fully built into a web browser, or other application's that are used to establish the communication.
Secure Socket Layer(SSL)
Secure Socket Layer is a networking protocol mechanism used to provide privacy and reliability for communication between two end devices.
SSL addresses, three important things in the field of security. They are as follows.
- Message Integrity Checking
- Identity of the server with which you are communicating
- Privacy through Encryption.
There are four layers of SSL protocol. They are mentioned below.
Read: handshake Protocol
Read: Change Cipher Spec Layer
Read: Alert Protocol in SSL
The two most important protocol's inside SSL are Record layer protocol & Handshake Protocol. Both of them are explained in detail, in their respective post.
The initial Handshake is the most important thing to understand in the complete architecture of SSL(this is also the place, where most of the people get confused).
I hope the above mentioned four links will be helpful to comprehend the concept of SSL and its working. However i would like to mention some points to note about SSL protocol(which may or may not be mentioned in those links).
I have not explained about Certificate Authority (CA), in the above links, as it requires special attention, and needs to be explained in a dedicated post.
- SSL/TLS is an application layer independent protocol. So it can be implemented with any application you make. Hence you will see, a wide range of applications supporting it.
- SSL makes use of both asymmetric and symmetric key cryptography. This is because, of performance reasons. Only the initial "client key exchange message" is encrypted with asymmetric encryption. Symmetric encryption is good compared to asymmetric encryption when compared in terms of performance/speed
- Certificate authorities are nothing but a trusted third party. They may and may not be the same firm/organization, that the server belong to.
- SSL protocol layers comes on top of TCP(transport Layer), and is below application layer. Hence no network infra changes are required to deploy SSL.
- Each and every connection that's made, through SSL has got one session information. Session can also be reused for other connections to the server.