What’s SSL for?
SSL = Secure Socket Layer
It is a system which makes it possible to exchange information between 2 computers safely. SSL ensures 3 things:
Confidentiality: It is impossible to spy on the information exchanged.
Integrity: It is impossible to fake the information exchanged.
Authentication: It ensures the identity of the program, person or company with whom you are communicating.
SSL is a complement to TCP/IP and allows (potentially) to secure any protocol or program using TCP/IP.
SSL was created and developed by Netscape and RSA Security. There are now open source versions as well as a similar free protocol: TLS (see below).
Why use SSL instead of another system?
Why use OpenSSL?
SSL is standardized.
There is a free version of SSL: OpenSSL (http://www.openssl.org) that you can use in your programs without paying royalties.
OpenSSL is open source: anyone can control and verify the source code (The secret lies in the encryption keys, not in the algorithm itself).
SSL has been encrypted: this system has been analyzed more than any of its competitors. Many cryptographic specialists have reviewed SSL. It can, therefore, be considered safe.
It is widespread: programs can easily be created that will interact with other programs using SSL.
Beware of proprietary systems: contrary to what one might think, the security of an encryption system does not lie in the secret of the encryption algorithm, but in the secret of the key. Trust only those systems that have been published and analyzed.
How does SSL work?
SSL consists of 2 protocols:
SSL Handshake protocol: before communicating, the 2 SSL programs negotiate common keys and encryption protocols.
SSL Record protocol: Once negotiated, they encrypt all information exchanged and perform various checks.
SSL (“handshake”) trading
At the beginning of the communication between the client and the server exchange:
the SSL version they want to work with,
the list of encryption (symmetric and asymmetric) and signature methods that everyone knows (with key lengths),
compression methods that everyone knows,
Client and server try to use the most robust encryption protocol and decrease until they find a standard protocol. Once this is done, they can start exchanging data.
SSL communication (“record”)
With SSL, the sender of the data:
breaks data into packets,
compresses the data,
cryptographically signs the data,
encrypts the data,
The one who receives the data:
decrypts the data,
verifies the signature of the data,
decompresses the data,
reassembles the data packets.
How does SSL protects communications?
An asymmetric encryption system (like RSA or Diffie-Hellman). You can learn more here: http://sebsauvage.net/comprendre/encryptage/crypto_asy.html. It is used to generate the master key that will generate session keys.
A symmetric encryption system (DES, 3DES, IDEA, RC4…) using session keys to encrypt data.
A cryptographic signature system (HMAC, using MD5, SHA…) to ensure that messages are not corrupted.
It is during SSL negotiation that the client and the server choose common systems (asymmetric, symmetric encryption, signature, and key length).
In your browser, you can see the list of systems used by placing your cursor over the small padlock when you are in an HTTPS page.
What are certificates for?
During an SSL negotiation, it is necessary to make sure of the identity of the person with whom one communicates. How can you be sure that the server you’re talking to is whom it says it is?
That’s where the certificates come in. When you connect to a secure web server, the server will send you a certificate containing the name of the company, its address, etc. It’s some kind of ID.
How to verify the authenticity of this identity document?
It is the PKI (Public Key Infrastructure), external companies (that you implicitly trust), that will verify the authenticity of the certificate.
(The list of these PKIs is included in your browser. There are usually VeriSign, Thawte, etc.)
These PKIs sign company certificates cryptographically (and they get paid for it).