TKK | Tietoverkkolaboratorio | Opetus

[intro]
[cryptography]
[schemes]
[protocols]
[implementations]
[authors]
 

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is a protocol that establishes and maintains secure communication between servers and www-browsers across the Internet. SSL supports the creation and use of secure communications channels, which ensure both data integrity and confidentiality for transferred data. In addition, SSL prevents message forgery by allowing the server and the user to authenticate each other during the establishment of the secure connection.

The SSL protocol is based on the public key authentication principle. It trusts certificate authorities to prove the identities of the server, and optionally the user. SSL is developed by Netscape but nowadays it has become a de facto standard in secure WWW-connections. Both Netscape Navigator and Internet Explorer support SSL.

How it works

Both the server and the user must first obtain a digital ID (certificate) from a certificate authority. Upon establishing the connection the server first sends it certificate to the browser. The browser checks if the certificate is out of date or issued by an authority that it does not recognize. If not, the browser then uses the issuer´s public key to decrypt the digital signature in the certificate and by calculating a message digest from the certificate verifies that the certificate is valid. The browser has the certificates of the issuing authorities it recognizes, and therefore has access to their public keys.

If user authentication is needed for the connection, the user sends his certificate to the server along with a signed piece of information that is known to both the user and the server. The server can then first check the certificate and then verify the signature. At this point the user has been authenticated.

The actual session is encrypted using one of various symmetric algorithms. The strongest cipher that both the browser and the server can use is selected. A special session key is used. The browser randomly generates the session key. This is then encrypted using the servers public key (found from the certificate it sent) and sent to the server. If the server can decrypt the session key, it must be have the corresponding private key and is thus authenticated. If another server tries to masquerade as the server the browser is trying to reach, it is revealed at this point. All further exhange of information is then encrypted using the session key.

If any of the stages described above is not completed succesfully (for example, if a certificate cannot be verified), the connection is closed.

A considrably more extensive but still very readable document of SSL can be found here.

Plusses and minuses of SSL

SSL, e.g. compared to Kerberos, has the usual advantages of public key authentication over trusted-third-party authentication system. Disadvantages include
  • Cost of use: SSL is patented and costs to the service providers. Personal certificates also cost.
  • Key revocation: how can a certificate be revoked in case it is compromised? How will all servers know that the certificate is no longer valid?
Many Web sites use the protocol to obtain confidential user information, such as credit card numbers. Because user certificates are not free of charge, often only the server is authenticated by SSL. User is then authenticated by password. By convention, Web pages that require an SSL connection start with https:// instead of http://.

Tietoverkkolaboratorio on nyt osa Tietoliikenne- ja tietoverkkotekniikan laitosta. Tällä sivulla oleva tieto voi olla vanhentunutta.

Kurssien ajantasainen tieto on MyCourses-palvelussa.

Tämä sivu on tehty oppilaiden harjoitustyönä. Tietoverkkolaboratorio ei vastaa sivun oikeellisuudesta, ajantasaisuudesta tai ylläpidosta. Vakavissa tapauksissa yhteyshenkilöinä toimivat ja Webmaster.
Sivua on viimeksi päivitetty 15.11.1999 16:45.
URI: http://www.netlab.tkk.fi/opetus/s38118/s99/htyo/1/ssl.shtml
[ TKK > Sähkö- ja tietoliikennetekniikan osasto > Tietoverkkolaboratorio > Opetus ]