| Lesson 6 || SSL and digital signatures |
| Objective || Describe the different methods for protecting data in transit. |
Secure Sockets Layer (SSL)
With e-commerce skyrocketing on the Web, Internet criminals are waiting in the wings to invade one's privacy.
However, the industry has taken action against such malice. Netscape has developed the industry standard protocol for private, secure communications: Secure Sockets Layer (SSL).
SSL provides public-key encryption to secure data. You can always identify Web sites that use SSL because they are URL begins with https://.
To enable an SSL-secured session, the user must be using an SSL enabled Web browser, while attempting to visit a Web site hosted by a secure server. Let us examine these conditions in more detail
What's the protocol?
The SSL protocol allows an SSL-compliant server to authenticate itself to an SSL-compliant client, the client to optionally authenticate itself to the server, and enable both machines to establish an encrypted connection.
This cross-authentication process permits confidential data to be exchanged over the Internet and is the cornerstone technology that has provided the level of security required to conduct
e-commerce as we know it today.
Three steps are involved in establishing SSL between a client and the secure server:
SSL server authentication
SSL server authentication occurs first to permit the user to confirm a server's identity. The client's SSL-compliant browser uses standard public-key cryptography to check that a server's certificate and public ID are valid and
was issued by a certificate authority (CA) listed in the client's list of trusted CAs. The server's "Cert," discussed previously permit confirmation of the server's legitimacy and identity.
Such confirmation has proven important to all users when sending or receiving confidential information over the Internet.
SSL client authentication
SSL client authentication is performed optionally by the server to confirm a user's identity.
Using the same techniques as those used for server authentication, SSL-compliant server software can check whether a client's certificate and public ID are valid and have been issued by a certificate authority (CA) also listed in the server's list of trusted CAs.
This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.
Note that while nearly all servers conducting e-commerce register with a CA to assure their visitors of their legitimacy, few users purchase a Cert.
For this reason, SSL does not require confirmation of the user to establish a secure connection.
Finally, NT Server software from Microsoft has gotten around the need to purchase a server Cert in order to establish an SSL connection.
For the few SSL servers that are not registered with a CA, a warning message will appear on the client's screen indicating the site is "unknown."
An encrypted connection
An encrypted SSL connection secures the exchange of data after step 1 and (the optional) step 2 are performed. During an SSL connection all data exchanged is protected with through the use of message digests
(discussed below) to detect tampering of the data. This assures both parties the data has not been altered in transit.
A digital signature is simply a data value attached to an electronically transmitted message the uniquely identifies the sender. Such a signature cannot be forged and assures the receiver that the data originated with the sender and was not altered in transit.
Digital certificates are a validation technique brokered through an independent company that further assures the message came from the identified individual or company.
Such brokers are called Certificate Authorities and sell their validation services on a subscription basis.
To assure the signature has not been attached to an altered message, the digital signature runs a second utility to create a summary of the message contents.
The digest is a hashing algorithm, which results in a unique value enclosed in the signature. The recipient's PC recomputes the hash algorithm against the received message and compares the results to the signature's digest to assure a match.
A mismatch would mean the message had been changed while in transit.
One use of digital signatures is a service called non-repudiation. Non-repudiation is a service that documents the identities of both the sender and receiver of a data transmission so that neither can deny sending/receiving the message.
Non-repudiation has uses beyond e-mail, such as in inter-institutional transactions for online banking (EDI). It is also commonly used in the stock brokerage industry to avoid a buyer's denial of a stock's purchase when the stock's
value unexpectedly declines soon after the buy order was authorized by the purchaser.
In the next lesson, you will learn how log files detect security breaches.