Technology changes every day, and keeping personal data safe and secure has become a challenge for businesses of all types and for their customers. Without a sound protection strategy, businesses are at risk of spreading malware and of attacks on other websites and on their IT infrastructure. Web security is a crucial component in protecting websites and servers. Secure Socket Layer (SSL) is a standard protocol used for the secure transmission of documents over a network. Developed by Netscape, SSL creates a secure link between a web server and a browser to ensure private and integral data transmission. SSL uses Transmission Control Protocol (TCP) for communication. The word socket in SSL refers to the transfer of data between a server and client over a network.
During Internet transactions using Secure Socket Layer, a web server needs an SSL certificate to create a secure connection. The encryption of the network connection is carried out above the transport layer, which is a connection component above the program layer. SSL follows an asymmetric cryptographic mechanism. In this, a web browser creates a public key and a private key. The public key is placed in a data file known as a certificate signing request (CSR). The private key is issued to the recipient only.
How does an SSL Certificate create a secure connection?
When a browser tries to access a website that is secured by SSL, the browser and the web server establish a secured connection using a process called the “SSL Handshake”. The SSL handshake is invisible to the user and it happens instantaneously. Three keys are essential to set up an SSL connection: public, private, and session keys. Anything that is encrypted with the public key can be decrypted with the private key and vice versa.
Because encrypting and decrypting with a private key and public key takes a lot of processing power, they are only used during the SSL Handshake to create a symmetric session key. After the connection is made, the session key is used to encrypt the transmitted data.
- The browser connects to the webserver (website) which is secured with SSL (https). The browser then requests the server to identify itself.
- The SSL Certificate is sent by the server, including the server’s public key.
- The browser now checks the certificate root against a list of trusted CAs and also checks that the certificate is unexpired, unrevoked, and that its common name is valid for the website it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the public key of the server.
- The server decrypts the symmetric session key using the private key and sends the acknowledgment which is encrypted with the session key to start the encrypted session.
- The browser and the server now encrypt all transmitted data with the session key.
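The certificate checks in the third step are what a client library must be configured to enforce. The following is an added example, not code from the original page: it audits a Python `ssl.SSLContext` for settings that would skip those checks. The function names and finding labels are hypothetical.

```python
import ssl


def audit_client_context(ctx):
    """List the handshake certificate checks this client context would skip."""
    findings = []
    # Root must chain to a trusted CA and the certificate must be unexpired.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    # The certificate name must be valid for the site being contacted.
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    # Revocation is only checked when CRL flags are set (and CRLs are loaded).
    crl_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN
    if not ctx.verify_flags & crl_flags:
        findings.append("revocation-not-checked")
    # Anything below TLS 1.2 is treated here as a legacy protocol.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol-allowed")
    return findings


def insecure_context():
    """Weak setting: a context that accepts any certificate for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """Corrected setting: library defaults verify the chain and the host name."""
    return ssl.create_default_context()


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_context()))
    print("verified:", audit_client_context(verified_context()))
```
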
What does EV look like?
If the site collects credit card information, it is required by the Payment Card Industry (PCI) to have an SSL certificate. If the website consists of login sessions or it sends/receives other private information (name, age, street, address, records, phone number, etc.), you should be using Extended Validation SSL Certificates to protect the data. Your customers should know that you value their security and that you are serious about protecting their information. A growing number of customers are becoming savvy online shoppers and, in return, reward the brands they trust with increased business.
The objectives of SSL are:
- The integrity of Data: Data is protected from tampering.
- Privacy of Data: Data privacy is ensured through a series of protocols.
- Client-server authentication: The SSL protocol uses standard cryptographic techniques to authenticate the client and server.
Protocols of Secure Socket Layer:
- SSL record protocol
- Handshake protocol
- Change-cipher spec protocol
- Alert protocol
SSL Protocol Stack
SSL Record Protocol:
The SSL Record Protocol provides two services to an SSL connection.
- Message Integrity
Application data is divided into fragments in the SSL Record Protocol. Each fragment is compressed, and a Message Authentication Code (MAC) generated by algorithms like SHA (Secure Hash Algorithm) and MD5 (Message Digest) is appended. On completion of the encryption of data, the SSL header is appended to the data.
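The fragment, MAC and header steps can be seen in a small sketch. This is an added example, not code from the original page: it uses the TLS 1.0-style HMAC layout (SSL 3.0 uses an earlier keyed-hash variant) and leaves out compression and encryption so that only the integrity service is shown. The key and data in the test are constructed.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # largest plaintext fragment per record
APPLICATION_DATA = 23       # record content type
VERSION = (3, 1)            # TLS 1.0 on the wire; SSL 3.0 is (3, 0)
MAC_LEN = hashlib.sha1().digest_size


def record_mac(key, seq, ctype, version, fragment):
    """HMAC-SHA1 over sequence number, type, version, length and fragment."""
    pseudo_header = struct.pack("!QBBBH", seq, ctype, *version, len(fragment))
    return hmac.new(key, pseudo_header + fragment, hashlib.sha1).digest()


def protect(data, key, seq=0):
    """Split data into fragments and wrap each as header + fragment + MAC."""
    records = []
    for offset in range(0, len(data), MAX_FRAGMENT):
        fragment = data[offset:offset + MAX_FRAGMENT]
        body = fragment + record_mac(key, seq, APPLICATION_DATA, VERSION, fragment)
        header = struct.pack("!BBBH", APPLICATION_DATA, *VERSION, len(body))
        records.append(header + body)
        seq += 1
    return records


def verify(record, key, seq):
    """Check one record's MAC for the expected sequence number; return the fragment."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("malformed record")
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = record_mac(key, seq, ctype, (major, minor), fragment)
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad_record_mac")
    return fragment
```

Because the sequence number is part of the MAC input, a record that is replayed or delivered out of order fails verification just as a modified one does.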
The Handshake Protocol is used to establish sessions. It allows the client and server to authenticate each other by sending a series of messages to each other. This protocol comprises four phases to complete its cycle.
Phase-1: In this, both server and client send hello-packets to one another. In this IP session, the protocol version and cipher suite are exchanged for security reasons.
Phase-2: The server sends its certificate and also Server-Key-exchange. The server ends this phase by sending the Server-hello-end packet.
Phase-3: In this, the client replies to the server by sending its certificate and client-exchange-key.
Phase-4: In this, Change-cipher suite occurs and after this, the Handshake Protocol ends.
The Change-Cipher protocol uses the SSL record protocol. The SSL record output will be in a pending state unless the Handshake protocol is completed. The pending state is converted into the current state after the Handshake protocol. This protocol consists of a single message of 1-byte length having only one value. The purpose of this protocol is to cause the pending state to get copied into the current state.
The Alert protocol is used to convey SSL-related alerts to the peer entity. Each message consists of 2 bytes.
The level is further classified into two parts:
- Warning: This type of alert has no impact on the connection between receiver and sender.
- Fatal Error: This type of error breaks the connection between receiver and sender.
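The 1-byte change-cipher-spec message and the 2-byte alert message described above both travel inside SSL records, so a capture can be decoded with a short parser. This is an added example, not code from the original page: it handles plaintext records only (alerts sent after the cipher change are encrypted), the alert table is a subset, and the sample bytes are constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 45: "certificate_expired"}


def parse_records(stream):
    """Decode a byte stream of plaintext records into a list of event dicts."""
    events, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        pos += 5 + length
        name = CONTENT_TYPES.get(ctype)
        if name is None:
            raise ValueError("unknown content type %d" % ctype)
        event = {"type": name, "version": (major, minor)}
        if name == "change_cipher_spec":
            # Single message, one byte, only one legal value.
            if payload != b"\x01":
                raise ValueError("malformed change_cipher_spec")
        elif name == "alert":
            if length != 2:
                raise ValueError("alert is not a plaintext 2-byte message")
            level, description = payload
            event["level"] = ALERT_LEVELS.get(level, "unknown")
            event["description"] = ALERT_DESCRIPTIONS.get(
                description, "alert_%d" % description)
            # A fatal alert ends the connection; a warning does not.
            event["closes_connection"] = level == 2
        events.append(event)
    return events


# Constructed sample: a cipher change, a warning, then a fatal alert on SSL 3.0.
SAMPLE = bytes.fromhex("140301000101" "15030100020100" "15030000020228")

if __name__ == "__main__":
    for event in parse_records(SAMPLE):
        print(event)
```
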
Salient features of Secure Socket Layer:
- This type of approach has an advantage that the service can be tailored to the needs of the given application.
- Netscape was the one to originate Secure Socket Layer (SSL)
- It is designed to make use of TCP to provide end-to-end secure service
- This protocol is two-layered
Difference between Secure Socket Layer (SSL) and Transport Layer Security (TLS):
Both Transport Layer Security and Secure Socket Layer are protocols used to provide security between a web server and a web browser. The main difference is that in SSL, a message digest is used to create the master secret, and it provides basic security, which is confidentiality and authentication, while in Transport Layer Security (TLS) a pseudo-random function creates the master secret. The Secure Socket Layer supports the Fortezza algorithm, while Transport Layer Security (TLS) does not support the Fortezza algorithm. Secure Socket Layer (SSL) is more complex than Transport Layer Security (TLS). SSL is a 3.0 version, while TLS is a 1.0 version.
With the increasing number of scams happening over the web, web security plays a crucial role. It is essential in order to attain the trust of the customer and impacts every business. SSL plays a very important role in ensuring web security and builds trust among the customers.