Secure Sockets Layer (SSL)
(Page 1 of 2)
SSL, or Secure Sockets Layer, is a protocol developed by Netscape for securely transmitting confidential information like credit card numbers across the Internet, between a web browser and web server, by means of public key encryption technology. It provides assurance that transmitted data remains private and unmodified, thanks to the encryption of traffic.
It also provides a way for the sender to verify the server's identity and determine that the server to which the data is sent is authorized to have the data. This is achieved by allowing the user to view the certificate information for the server (as detailed in Chapter 4, certificates are digital documents containing identifying information verified by a trusted third party). In practice, most users never inspect server certificates, but theoretically it could be done.
A key part of an SSL communication session is the SSL handshake, in which the server authenticates itself to the client (see above), the client and server agree on an encryption algorithm and encryption keys to use for the rest of the conversation, and (optionally) the client authenticates itself to the server. SSL typically uses a 9-message handshake process, including an optional cipher selection, but it's often simplified and described as a 6-step handshake:
This process is illustrated in Figure 23.
The original SSLv2, as supplied with Netscape browsers, supported only DES encryption, which is considered weak today. SSLv3 adds support for optional encryption algorithm selection, so that an appropriate algorithm can be chosen for each application using SSL. SSL implementations can (but are not required to) support a huge variety of encryption ciphers, from 3DES to RSA, RC2 to DSA, MD5 hashing for message integrity verification (without encryption, if desired), etc.[191]
[191] Introduction to SSL, Netscape, http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
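As an added example that is not part of the CertiGuide text, the following Python script (function names such as hardened_client_context and audit_context are this example's own) turns the two points above into configuration: it builds a client-side handshake policy that authenticates the server and rejects the weak algorithms named in the cipher paragraph, audits a context for the "never inspect the certificate" settings, and, where network access is available, reports what a real handshake negotiated.

```python
import ssl
import socket

# Algorithm names the text singles out as weak (DES, RC2, MD5) plus ciphers with
# no encryption or no authentication; none should survive a negotiation.
WEAK_MARKERS = ("DES", "RC2", "RC4", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def weak_cipher_names(cipher_names):
    """Return the subset of OpenSSL cipher names that rely on a weak algorithm."""
    return [n for n in cipher_names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_client_context(cafile=None):
    """Handshake policy: verify the server's certificate, TLS 1.2+, strong ciphers only."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!DES:!3DES:!RC2:!RC4")
    return ctx


def permissive_client_context():
    """The 'never inspect the certificate' behaviour, expressed as configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """List the ways a context fails to authenticate the server or permits weak ciphers."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 allowed")
    for name in weak_cipher_names(c["name"] for c in ctx.get_ciphers()):
        problems.append("weak cipher enabled: " + name)
    return problems


def inspect_server(host, port=443, ctx=None):
    """Run the handshake (needs network) and report the negotiated cipher and server identity."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            cert = ssock.getpeercert()  # only populated because verification succeeded
            return {"protocol": ssock.version(), "cipher": ssock.cipher()[0],
                    "subject": dict(x[0] for x in cert["subject"]),
                    "issuer": dict(x[0] for x in cert["issuer"])}
```

Calling inspect_server("example.com") with the permissive context still completes the handshake, which is exactly why audit_context is worth running before any connection is made.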
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.