October 13, 2013

1.4.4 SSL


Secure Sockets Layer (SSL) (and its successor Transport Layer Security), is a cryptographic protocol designed to secure communications over the Internet. They use X.509 digital certificates, asymmetric cryptography and the exchange of a symmetric key to secure the message transmission.

The TLS/SSL protocol is divided into two layers operating at both the Session and Presentation layers of the OSI 7 Layer Model. At the session layer, TLS/SSL uses a handshake protocol to establish a session including cipher settings and a shared key. At the presentation layer, asymmetric and symmetric cryptography is used to create a secure communication session for the rest of the transmission.
“The SSL handshake protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.”
OSI Model Equivalence

SSL Architecture

Application Layer
HTTP, POP3 and Other Application Layer Protocols

Presentation Layer SSL Handshake SSL Alert Change Cipher Spec SSL Handshake Layer
Session Layer
SSL Record Layer
Transport Layer

Network Layer

SSL enables an encrypted channel to be established between a server and a client. Data sent over that channel is secured, allowing the transmission of sensitive data over an unsecured network. A web browser such as Google Chrome and web server or a mail client such as Outlook and a mail server can securely exchange data.

SSL allows a transmission to meet the requirements of confidentiality - ensuring the secrecy of data from unauthorized access (via asymmetric and symmetric encryption), integrity - the assurance that data has not been modified during transmission (via message authentication code) and authentication - the validation of the communication partner (via certificates).

SSL enables users to trust the authenticity of the webserver (website) and the security of the communication channel between your browser and the website.

SSL helps website owners comply with industry and government regulations for data security and privacy such as PCI (Payment Card Industry) and HIPAA. It also provides the website’s users peace of mind that their information is protected as it travels across the Internet between the client and server.

SSL extends the trust mechanisms of the physical world into the digital world. In the physical world, if you wanted to buy a pair of shoes, you would go to a shoe store. Why would you trust that physical store enough to give them your cash, hand them your credit card or trust that if the shoe fell apart on first use you could return it? It might be that the store has a recognizable name, the inventory is displayed in a physical building (not the back of a truck), the store sign is not written with a marker and that the store did not just appear overnight. These are some of the things that would engender trust in the physical world.

SSL through the use of SSL certificates and Certificate Authorities (CA) vouch for the authenticity of a website and through the use of encryption protocols meets the confidentiality, integrity and even non-repudiation needs of a secure transaction in the digital world.

The browser has a visual indicator that a website is secured via TLS/SSL:

Notice the padlock icon and the use of the HTTPS protocol.

By The Way:
  1. Good security is a layered security. SSL is not a panacea for security. It will secure the communication channel between two parties. It will confirm that you are connected to the site you entered into your browser for example. And it will ensure that the message sent between you is not changed. However it cannot stop you from or detect that you are connected to a malevolent website that can then download viruses and other malicious software. A malevolent website would actually prefer to communicate via SSL as its actions would be invisible to normal detection systems.
  2. The most up-to-date version of SSL is 3.0 and it is documented in RFC 6101. Note: this protocol is labeled as “historic”. TLS should be used instead.
  3. The differences between this TSL 1.0 and SSL 3.0 are not dramatic, however they are significant enough that they do not interoperate.
  4. TLS 1.0 incorporates a mechanism by which a TLS implementation can back down to SSL 3.0. TLS 1.0 is sometimes known as SSL 3.1.
  5. The latest version of TLS is TLS 1.2 which is documented in RFC 5246.
  6. TLS/SSL at the session layer of the OSI 7 Layer Model. It can be used to secure any TCP-based application.
  7. SSL was developed by Netscape Corporation and became the de facto standard for securing Internet communication until it was succeeded by TLS (Transport Layer Security).
  8. An advantage of SSL is that it is application protocol independent. Examples of TCP application secured using TLS/SSL include: HTTP, FTP, NNTP, IMAP, POP3.
  9. Sample TCP Applications and Port Numbers:
  10. Application Port Number Application Over TLS/SSL Port Number
    FTP (data) 20 FTPS (data) 989
    FTP (control) 21 FTPS (control) 990
    TELNET 23 TELNET 992
    HTTP 80 HTTPS 443
    POP3 110 POP3S 995
    IRC 194 IRCS 994
    NNTP 119 NNTPS 563
    IMAP 143 IMAPS 993
    LDAP 389 LDAPS 636
    SMTP 25/587* SMTPS 465/587*
    * STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.
    Port 465 for secure SMTP is now deprecated.

No comments:

Post a Comment