
Friday, March 22, 2013

SSL Security

SSL stands for Secure Sockets Layer.
It secures the communication between two endpoints in a network using public key encryption.

Why do we need secure communication?
Long ago, pigeons were used for communication. An intruder could catch the pigeon and read the secret message, or replace the message with his own content and send it on to the intended recipient, who would receive the altered message. Then came various wired modes of communication, such as the telegraph and the telephone. There, too, an intruder could intercept the message. To prevent this interception and alteration of the original message, some security mechanism had to be formulated.

From this thought, symmetric encryption (referred to here as synchronous encryption) was employed. In symmetric encryption, a single shared key is used for both encryption and decryption of the message. The shared key needs to be known to both endpoints. The drawback is that anyone who gets the shared key can read the message and can also alter it.

This led to the development of asymmetric encryption (referred to here as asynchronous encryption), also called public key encryption. Here a key pair (a public key and a private key) is used. The private key is not shared with anyone, while the public key is shared with others. If A needs to send a message to B, A encrypts the data using B's public key and sends it. B can decrypt the message using its private key, and no one else can decrypt it because B's private key is not shared with anyone.


One way public encryption method


Here the question is: when A sends a message to B, encrypted using B's public key, can A be sure that B is actually B and not an impostor pretending to be B? That is, can A trust that the public key sent to it is really B's public key? To make sure A is actually A and B is actually B, some third party needs to certify A and B, i.e. certify that A's public key actually belongs to A and not to someone else, and likewise that B's public key belongs to B. This is the key concept behind digital certificates.

If A wants to send messages to B, A will request B's certificate. It contains information about B, information about its Certificate Authority, B's public key, and an expiry date. A then validates B's certificate using the signer information in the certificate. Only after making sure that the certificate is valid, i.e. that the public key actually belongs to B, will A use the public key in B's certificate.

How does SSL work?
SSL employs both symmetric (synchronous) and asymmetric (asynchronous) encryption methods, and also certificates.
Symmetric encryption is faster than asymmetric encryption, so it is used to encrypt the messages, while asymmetric encryption is used to encrypt the shared key (the key that encrypts the messages for that session). Also, to make sure the message is not altered by anyone in between, the sender sends the encrypted message digest (hash value) along with the message.
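
The hybrid scheme described above, as an added example that is not part of the original post: A wraps a fresh session key with B's public key, encrypts the message with that session key, and sends a keyed digest that B checks before decrypting. Assumptions: textbook RSA without padding and a SHA-256 keystream stand in for real ciphers (the Python standard library has none), the primes are constructed constants, an HMAC plays the role of the protected digest, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# B's toy RSA key pair, constructed from two Mersenne primes (illustration only).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus, shared together with E
D = pow(E, -1, (P - 1) * (Q - 1))          # B's private exponent, never shared

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR data with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _subkeys(session_key: bytes):
    """Derive separate encryption and digest keys from the session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def send(message: bytes, pub=(N, E)):
    """A's side: wrap a fresh session key with B's public key, encrypt, add digest."""
    n, e = pub
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # asymmetric step
    enc_key, mac_key = _subkeys(session_key)
    ciphertext = _keystream_xor(enc_key, message)             # symmetric step
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return wrapped, ciphertext, tag

def receive(wrapped: int, ciphertext: bytes, tag: bytes) -> bytes:
    """B's side: unwrap the session key with the private key, verify, decrypt."""
    session_key = pow(wrapped, D, N).to_bytes(16, "big")
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("digest mismatch: message was altered in transit")
    return _keystream_xor(enc_key, ciphertext)

if __name__ == "__main__":
    wrapped, ciphertext, tag = send(b"meet at noon")          # constructed sample
    print(receive(wrapped, ciphertext, tag))
```

Flipping any bit of the ciphertext between send() and receive() makes receive() raise instead of returning altered text.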


SSL Handshake

