How Secure Sockets Layer Works

As mentioned, plain HTTP sends data in cleartext, which is too risky for bank sites or other data-sensitive transactions. HTTPS is used to ensure safe and secure communication between a client and a web server. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are widely used to authenticate a service to a client and then to provide confidentiality (encryption) to the data being transmitted.

SSL/TLS works in a negotiation process—known as a handshake—between the client and the web server. The handshake process is highlighted in Figure 8-2.

[Figure 8-2 (illustration): the steps of the SSL/TLS handshake negotiation between the client system and the web server.]

FIGURE 8-2 SSL/TLS handshake negotiation.

As shown in Figure 8-2, several steps are required in the SSL/TLS negotiation process:

  1. The session begins with the client browser sending a basic “Hello” message to the server. This initial message requests a secure communication channel and lists the cryptographic algorithms the client supports.

  2. The server responds with its own “Hello” message, including the algorithm it has chosen from the client’s list. If no mutually supported cryptographic method can be agreed upon, the handshake fails. The server also sends its digital certificate and public key to the client. A digital certificate is a small electronic file that serves to validate or encrypt a message or browser session.

  3. If the browser successfully verifies the certificate, it sends a one-time session key encrypted with the server’s public key.

  4. Both the client and the server now hold the same symmetric key, and the communication between them is encrypted and decrypted at each end.

SSL/TLS Encryption and Hash Protocols

SSL/TLS uses various protocols for both encryption and hashing services. Hashing algorithms are used to verify the integrity of a data stream. They are not used for encryption. Hashing ensures that data have not been tampered with during transmission.

There are two hashing algorithms to be aware of: Secure Hash Algorithm 1 (SHA1) and Message Digest 5 (MD5). MD5 produces a 128-bit hash value. SHA1 produces a 160-bit hash value. Although it provides more security than MD5, SHA1 can affect overall performance because it demands more system resources. Further, known vulnerabilities have been discovered in MD5.
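The following is an added example, not code from the textbook, written against the Python standard library to model handshake steps 1 to 4 above together with the integrity role of hashing described in this section: cipher-suite negotiation that fails when there is no mutual choice, expansion of a one-time session secret into an integrity key with HMAC over the negotiated hash (SHA1 or MD5), and MAC verification that rejects a tampered or replayed record. The suite names and the HMAC-as-key-derivation step are constructed stand-ins, and the encryption of the session key under the server's public key in step 3 is not modelled.

```python
import hashlib
import hmac
import os

# Constructed sample offers, named cipher-hash after the text (not real TLS ids).
CLIENT_SUITES = ["AES256-SHA1", "3DES-SHA1", "RC4-MD5"]
SERVER_SUITES = ["AES256-SHA1", "AES128-SHA1", "RC4-MD5"]
HASHES = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}

def negotiate(client_offer, server_prefs):
    # Steps 1-2: the server takes the first suite in its own preference order
    # that the client also offered; no overlap means the handshake fails.
    for suite in server_prefs:
        if suite in client_offer:
            return suite
    raise ValueError("handshake failed: no mutually supported cipher suite")

def handshake_succeeds(client_offer, server_prefs):
    try:
        negotiate(client_offer, server_prefs)
        return True
    except ValueError:
        return False

def mac_key(session_secret, suite):
    # Step 3 stand-in: the one-time session secret (sent under the server's
    # public key in the text; RSA omitted here) expanded with HMAC into a key.
    digest = HASHES[suite.split("-")[1]]
    return hmac.new(session_secret, b"client write MAC key", digest).digest()

def protect(key, suite, seq, payload):
    # Step 4, integrity half: append a MAC over sequence number + payload.
    digest = HASHES[suite.split("-")[1]]
    return payload + hmac.new(key, seq.to_bytes(8, "big") + payload, digest).digest()

def verify(key, suite, seq, record):
    # Returns the payload if its MAC checks out, None if it was tampered with.
    digest = HASHES[suite.split("-")[1]]
    payload, tag = record[:-digest().digest_size], record[-digest().digest_size:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + payload, digest).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def run_demo():
    suite = negotiate(CLIENT_SUITES, SERVER_SUITES)
    key = mac_key(os.urandom(48), suite)        # fresh secret per session
    record = protect(key, suite, 0, b"GET /account HTTP/1.1")
    tampered = record[:4] + b"x" + record[5:]   # one byte flipped in transit
    return {"suite": suite, "intact": verify(key, suite, 0, record),
            "tampered": verify(key, suite, 0, tampered),   # MAC mismatch
            "replayed": verify(key, suite, 1, record)}     # wrong sequence
```

Because the server picks from its own preference order, the client offering "3DES-SHA1" first does not make it the chosen suite; and because the sequence number is part of the MAC input, an intact record presented out of order is rejected just like a modified one.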

As mentioned, SSL/TLS communication uses a symmetric key exchange to secure the communication channel. Several key encryption protocols are associated with symmetric key exchanges:

  • Data Encryption Standard (DES) (40-bit)—This encryption method provides the best performance but at a cost: the encryption security is lower. Data Encryption Standard (DES) can be used in environments where the need for data security is lower.

  • Data Encryption Standard (56-bit)—Through your Internet Protocol Security (IPSec) policies, you can implement DES as the encryption method. The DES algorithm uses a 56-bit encryption key. This algorithm was published in 1977 by the U.S. National Bureau of Standards and allows keys to be regenerated frequently during a communication. This prevents the entire data set from being compromised if one DES key is broken. However, it is considered outdated for business use and should be used only for legacy application support. Specialized hardware has been able to crack the standard 56-bit key.

  • Triple DES (3DES)—IPSec policies also allow the choice of a strong encryption algorithm, Triple Data Encryption Standard (3DES), which provides stronger encryption than DES for higher security. 3DES also uses 56-bit encryption keys, but as the name implies, it uses three of them. There are three options for using 3DES, differing by whether any or all of the encryption keys are unique. If 3DES uses three unique keys, the result is considered 168-bit encryption. However, because of a discovered “meet in the middle” attack, the effective security is equivalent to 112-bit encryption. The “meet in the middle” attack works on the intermediate values produced between the keys from both ends at once instead of trying every key combination. It is similar to a brute-force attack but with much better odds.

  • Advanced Encryption Standard (AES)—Also known as Rijndael, Advanced Encryption Standard (AES) is a block cipher encryption standard. AES supports key lengths from 128 bits to 256 bits.

  • Rivest Cipher—This is a family of secret key cryptographic algorithms from RSA Security, Inc. Rivest Cipher includes RC2, RC4, RC5, and RC6. Although RSA is widely known for its public key methods, its secret key algorithms are also widely used. The RCs were designed as a replacement for DES. RC2 is a block cipher with a variable-length key. RC4 is a stream cipher with a variable-length key. Both RC5 and RC6 are block ciphers with variable-length keys of up to 2040 bits. RC6 uses integer multiplication for improved performance over RC5.
