WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search






Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.3  The Web
           9  2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security)

Previous Topic/Section
2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security)
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 Transport Layer Security (TLS)
Next Topic/Section

Secure Sockets Layer (SSL)
(Page 1 of 2)

SSL, or Secure Sockets Layer, is a protocol developed by Netscape for securely transmitting confidential information like credit card numbers across the Internet, between a web browser and web server, by means of public key encryption technology. It provides assurance that transmitted data remains private and unmodified, thanks to the encryption of traffic.

It also provides a way for the sender to verify the server’s identity and determine that the server, to which the data is sent, is authorized to have the data. This is achieved by allowing the user to view the certificate information for the server (as we’ll detail in Chapter 4, certificates are digital “documents” containing identifying information verified by a trusted third party). In practice, most users never inspect server certificates, but theoretically, it could be done.

SSL Handshake

A key part of an SSL communication session is the SSL handshake, in which the server authenticates itself to the client (see above), the client and server agree on an encryption algorithm and encryption keys to use for the rest of the conversation, and (optionally) the client authenticates itself to the server. SSL typically uses a 9-message handshake process, including an optional cipher selection, but it’s often simplified and described as a 6-step handshake:

  1. Client sends hello to server

  2. Server sends hello to client

  3. Server sends its digital certificate to client

  4. Client computes a preliminary secret key, and encrypts it using the server’s public key sent in the server’s certificate, then sends the encrypted secret key to the server

  5. The client computes some additional keys and encryption initialization information to be used in the conversation, and sends a “finished” message to the server.

  6. The server also computes additional keys and initialization information, and sends a “finished” message to the client

This process is illustrated in Figure 23.

Figure 23: Secure Sockets Layer (SSL)

 

Originally SSLv2, as supplied with Netscape browsers, supported only DES encryption, which is considered weak today. SSLv3 adds support for optional encryption algorithm selection, so that an appropriate algorithm could be chosen for each application using SSL. SSL implementations can (but are not required to) support a huge variety of encryption ciphers, from 3DES to RSA, RC2 to DSA, MD5 hashing for message integrity verification (without encryption, if desired), etc.191

SSL Technology

SSL (Secure Sockets Layer) is a secure communications technology for HTTP (web based) transactions, which optionally uses public-key cryptography to encrypt messages, and X.509 digital certificates to identify the server to which the user sends data.

SSL uses a 6-step handshake process to exchange authentication information between server and client, and agree on encryption keys.

The two main versions of SSL are:

· SSLv2192, supplied with Netscape browsers, supports only the weak DES encryption algorithm.

· SSLv3193 allows for selection of an algorithm from a set of many possible algorithms; it includes support for conventional symmetric encryption algorithms like 3DES, public key algorithms like RSA, and non-encrypting hashing algorithms like MD5 which are used to verify message integrity without the overhead of encryption.



 __________________

191. “Introduction to SSL”, Netscape, http://developer.netscape.com/docs/manuals/security/sslin/contents.htm

192. http://wp.netscape.com/eng/security/SSL_2.html

193. http://home.de.netscape.com/eng/ssl3/

Previous Topic/Section
2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security)
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 Transport Layer Security (TLS)
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.