SSL Server (Secure Sockets Layer)
SSL Server Functionality
This technology was originally developed by the Netscape Corporation for its browser Netscape Navigator. It works as a layer which lies between protocols such as HTTP and FTP and underlying protocols embedded in the TCP/IP suite. There are a number of functions embedded in SSL:
- SSL server authentication. This enables a client to confirm the identity of a server. SSL uses public key cryptography to validate the digital certificate of a server and confirm that it has been issued by a valid certification authority.
- SSL client authentication. Clients are validated in much the same way as servers: an SSL-enabled server is able to check the digital certificates of clients in order to ensure that they are who they say they are before sending sensitive data.
- SSL encryption. SSL uses a variety of symmetric encryption techniques to send data to and from servers and clients. The mechanisms for doing this are detailed below.
- SSL supports two sub-protocols. The first is the SSL record protocol. This is used for the transmission of bulk data. The second protocol is the SSL handshake protocol; this is used to establish the ciphers and algorithms which are to be used for data transfer. It is a form of handshake protocol which initialises the two computers involved in an SSL transfer to coordinate with each other.
SSL Server Supported cipher suites
The SSL protocol supports a number of ciphers and cryptographic algorithms; which ones are supported depends on a number of factors, such as the version of SSL being employed, the security policy of at least one of the organisations involved in the data transfer, and the current American government restrictions on the use and deployment of cryptography technology.
SSL uses a wide variety of technologies, including: the DES (Data Encryption Standard); the DSA (Digital Signature Algorithm); KEA, an algorithm used by the American government for exchanging keys; the MD5 message digest algorithm; the RC2 and RC4 encryption methods; the RSA algorithm for public key encryption; the SHA-1 algorithm for constructing message digests; SKIPJACK, a classified symmetric encryption algorithm used by the American government; and Triple DES.
The range of encryption is from the strongest, Triple DES which is supported by the SHA-1 algorithm for message authentication, to the weakest, no encryption with message authentication provided by the MD5 algorithm.
SSL Server the transfer process
The process of transferring data between a client such as a Web browser and a server such as a Web server using SSL is a two-stage process.
- The client sends the server a number of items of data including the client’s SSL version number, the cipher settings for the client and some randomly generated data.
- The server responds with a burst of similar data and also sends its digital certificate; if the interchange of data requires the client to provide a digital certificate then it will ask for this item.
- The client authenticates the server; if this fails the user of the client is informed.
- Using the data that has been generated in the handshake the client creates an item of data known as the premaster secret. This is used later in the handshake.
- The server authenticates the client. This only happens if the transaction requires both parties to be authenticated. SSL is capable of being used when only the server is authenticated and so this step could be omitted, and most of the time it is.
- If the client and the server have been successfully authenticated then both sides carry out the process of generating another item of data known as the master secret; this item is partly generated from the premaster secret. The master secret is a one-time 48 bit quantity that is used to create the keys used in the bulk transfer of data between the client and the server after the handshake has been completed.
- At this point the client and the server generate a pair of keys from the master secret. One key is used for encrypting and decrypting data from the client to the server; the other key is used for encrypting and decrypting data from the server to the client.
The handshake is now complete, and the client and the server can start exchanging encrypted data using one of the algorithms built into the version of SSL in use; agreeing on which algorithm to use is itself part of the handshake. Once a session has been completed the connection is severed. If the two parties wish to communicate again they have to carry out the handshake again; each time the handshake takes place a different master secret and a different pair of encryption keys are generated.
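The key-generation steps of the handshake, carried through with the SSL 3.0 derivation published in RFC 6101, as an added example that is not code from the original page. The function names and sample inputs are constructed for illustration, and the default key sizes assume Triple DES with SHA-1.

```python
import hashlib
import os

def ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 6101 expansion: MD5(secret + SHA1(label + secret + seed)) blocks,
    with labels 'A', 'BB', 'CCC', ... concatenated until `length` bytes exist."""
    if length > 26 * 16:
        raise ValueError("only labels 'A'..'Z' are defined")
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 6101 section 6.1: 48 bytes, seeded with client random then server random.
    return ssl3_expand(premaster, client_random + server_random, 48)

def session_keys(master, client_random, server_random,
                 mac_len=20, key_len=24, iv_len=8):
    """Split the key block (RFC 6101 section 6.2.2) into per-direction secrets.
    Defaults: Triple DES (24-byte key, 8-byte IV) with SHA-1 (20-byte MAC secret)."""
    # The seed order is reversed here: server random first.
    block = ssl3_expand(master, server_random + client_random,
                        2 * (mac_len + key_len + iv_len))
    layout = [("client_write_mac", mac_len), ("server_write_mac", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def derive(premaster, client_random, server_random):
    """What each side computes independently once it holds the premaster secret."""
    master = master_secret(premaster, client_random, server_random)
    return session_keys(master, client_random, server_random)

if __name__ == "__main__":
    # Constructed sample values: RSA premaster = 2-byte version + 46 random bytes;
    # each hello message carries 32 bytes of random data.
    premaster = b"\x03\x00" + os.urandom(46)
    for session in (1, 2):
        keys = derive(premaster, os.urandom(32), os.urandom(32))
        print(session, keys["client_write_key"].hex(), keys["server_write_key"].hex())
```

Because the hello randoms feed both derivations, the two runs print different key pairs even though the same premaster secret is reused.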
- August 29th
