Security on Web : Secure Sockets Layer
What you need to know about SSL
Summary
SSL provides total encryption and decryption of the information travelling
over the web and secures it from hackers.
Let's say a user visits a commercial web site and is asked to supply
information, such as a credit card or bank account number. He sometimes
fears that a hacker might intercept this information. To address
such concerns, you need to secure sensitive information travelling
over a network from all forms of tampering and interception. This is
where SSL comes into the picture.
Netscape Communications has proposed a protocol for providing a data
security layer between high-level applications and TCP/IP. This security
protocol, called Secure Sockets Layer (SSL), provides data encryption,
server authentication, message integrity, and optional client authentication
for a TCP/IP connection. The Secure Sockets Layer protocol (SSL) provides
a secure and virtually impenetrable way of establishing an encrypted
communication link with users. SSL guarantees the authenticity of
your Web content, while reliably verifying the identity of users accessing
restricted Web sites.
SSL is layered beneath application protocols such as HTTP, SMTP,
TELNET, FTP, Gopher, and NNTP, and above the Internet connection
protocol TCP/IP. SSL provides a security 'handshake' to initiate
the TCP/IP connection.
Server certificates are unique digital identifications, which form
the basis of your Web server's SSL security features. They are obtained
from a mutually trusted third-party organisation. A certificate gives
visitors on the web a way to identify your site. It contains detailed
identification information, such as the name of the organization
affiliated with the server content, the name of the organization
that issued the certificate, and a unique identification file called
a public key. The public key, together with another privately
held key, forms the SSL key pair. This key pair is used to negotiate
a secure TCP/IP connection with the user's web browser.
SSL's only role is to encrypt and decrypt the message stream. With
SSL, your server and the user's web browser engage in a negotiating
exchange, one involving the certificate and the key pair, to determine
the level of encryption required for securing communication. Both
your server and the user's web browser use the session key to encrypt
and decrypt transmitted information. The strength of the session key,
which sets the level of encryption or decryption, is measured in bits.
Your web server's session key is typically 40 bits long, but can
be substantially longer. In the US and Canada, a 128-bit session key
is used.
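
The outcome of the negotiation described above can be checked from the client side. The following is an added example, not part of the original article: it summarises the certificate's organization names and the session-key length using the data shapes of Python's ssl module (getpeercert(), cipher(), get_ciphers()). The function names, the 128-bit threshold and the sample data are assumptions constructed for illustration.

```python
import ssl

MIN_BITS = 128  # assumption: the longer session-key length the article cites

def weak_suites(ciphers, min_bits=MIN_BITS):
    """Return (name, bits) for suites whose session key is under min_bits.
    `ciphers` has the shape returned by ssl.SSLContext.get_ciphers()."""
    return sorted((c["name"], c["strength_bits"])
                  for c in ciphers if c["strength_bits"] < min_bits)

def org_name(rdns):
    """Pull organizationName out of a subject/issuer field of getpeercert()."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def describe_session(cert, cipher, min_bits=MIN_BITS):
    """Summarise what the handshake settled on. `cert` is a getpeercert()
    dict; `cipher` is the (name, protocol, secret_bits) tuple from cipher()."""
    name, protocol, bits = cipher
    return {
        "site_org": org_name(cert.get("subject", ())),
        "issuer_org": org_name(cert.get("issuer", ())),
        "suite": name,
        "protocol": protocol,
        "session_key_bits": bits,
        "acceptable": bits >= min_bits,
    }

# Constructed sample data (not captured from a real server).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example CA"),),),
}
SAMPLE_EXPORT = ("EXP-RC4-MD5", "SSLv3", 40)
SAMPLE_STRONG = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
SAMPLE_SUITES = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "AES128-SHA", "strength_bits": 128},
]

if __name__ == "__main__":
    print(describe_session(SAMPLE_CERT, SAMPLE_EXPORT))
    print(weak_suites(SAMPLE_SUITES))
    # Audit the suites the local OpenSSL build enables by default.
    print(weak_suites(ssl.create_default_context().get_ciphers()))
```
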
SSL fully encrypts all the information in both the HTTP request
and the HTTP response, including the URL the client is requesting,
any submitted form contents (including things like credit card numbers),
any HTTP access authorization information (user name and password),
and all the data returned from the server to client.
Netscape has moved forward with its hardware-enhanced security services
by incorporating the U.S. Government's Fortezza initiative, which
outlines a PC-card-based encryption scheme. The Fortezza initiative
has ties to the government's earlier Clipper initiative, which proposed
a nationwide standard for encryption hardware using a classified
algorithm with built-in law enforcement access -- a move which makes
the cryptography community and civil rights champions a bit nervous
and may prevent widespread adoption.
About the article
This article is from the December 1999 issue of ASPWatch.com