Title: Secure Sockets Layer SSL SSL is a communications protoco
1Secure Sockets Layer
2SSL
- SSL is a communications protocol layer which can
be placed between TCP/IP and HTTP - It intercepts web traffic and provides security
between browser and server - Encryption is used to guarantee secure
communication in an insecure environment - All security operations are transparent at both
ends of the communication - SSL uses public-key cryptography
3Mortice-lock cryptography
- Ordinary encryption is like sending messages in a
box that is locked with a mortice lock - Both the sender of the message and the recipient
must share a secret - they must each have a copy of the key to the lock
- the sender needs a copy of the key to lock the
box - the recipient needs a copy of the key to open the
box - However, we dont have to use mortice locks
- we can use Yale locks
4Yale lock cryptography
- Consider a box with a Yale lock
- If the box is open, anybody can put a message
inside and lock the box - no key is needed to lock the box
- However, only the person who has the key of the
Yale lock can open the box and read the message - The owner of the key can make many copies of the
lock and send them to anybody who wants to send
him a message - these people need never see the owners private
key
5Public-key cryptography
- Public-key cryptography is also known as
asymmetric key cryptography - It allows users to communicate securely without
having prior access to a shared secret key - Instead, it uses a pair of keys which are related
mathematically - a message encoded with Key1 can only be decoded
by using Key2 - a message encoded with Key2 can only be decoded
by using Key2
6Public-key cryptography (contd.)
- Typically, one key is called a public key and the
other is called a private key - The public key can be regarded as like a Yale
lock - many copies of it can be made
- they can be given to everybody who asks for one
- The private key can be regarded as like the key
to a Yale lock - the owner of the key does not share it with
anybody else - he can use it to open locked boxes that people
send to him
7Public Key certificates
- Suppose you want to send a secure message to
somebody and ask him to send you a Yale lock in
the post - Suppose a Yale lock arrives in the post
- How do you know the Yale lock is really from the
person to whom you want to send your secure
message? - You would require some guarantee
- In public-key cryptography, this guarantee is
called a public-key certificate
8Public-key certificates (contd.)
- A public-key certificate binds a public key with
a name - it guarantees that the public key is indeed owned
by the person/organization/program with the given
name - thus, it guarantees that any message encoded with
the public key will only be readable by that
person/organization/program - To increase the credibility of a public-key
certificate, it is often signed by a trusted
organization known as a Certification Authority
(CA)
9Unidirectional versus bi-directional cryptography
- Sometimes, both parties to a conversation need to
send secret information - bi-directional cryptography is needed
- each party must send his public key to the other
- Sometimes, only one party to a conversation needs
to send secret information - only unidirectional cryptography is needed
- only the recipient of the secret information
needs to own a public key - which he must send to sender of the secret
information
10Much e-Commerce involves only unidirectional
cryptography
- A customer making an online purchase needs to
send secret information, such as a credit card
number, to the company - The company does not need to send any secret
information to the customer - In this case, only unidirectional cryptography is
needed - Thus, the customer need not own any cryptographic
key, but the company must - the server will have to send its public key to
the customers browser
11An example
- Consider buying a ticket from Aer Lingus
- Initially, no secret information is being
exchanged - Aer Lingus merely lists flight availability
- the customer selects flights
- Then, however, the customer must provide credit
card details - before that can happen, Aer Lingus must send its
public key to the customer
12Customer specifies Cork-Heathrow itineraryhttp
protocol in use no lock on status bar
13Customer selects flightsstill http protocol no
lock on status bar
14Customer is warned that SSL communication is
about to start
15Customer is warned that SSL communication is
about to start
16Customer is being asked for credit card
detailsprotocol is now https there is a lock on
the status bar
17HTTPS and lock
18What happened when user agreed to secure
connection
- The Aer Lingus server sent its certificate to the
users browser - The browser decided that the CA on the
certificate was trustworthy and that the public
key really was for Aer Lingus - Henceforth, all information sent by the user
would be encoded using the public key
19Sometimes, a browser needs to receive secrets
from a server
- If a browser needs to receive secrets from a
server, the browser must be able to provide a
public-key certificate to the server - There are freely-available utilities, such as
OpenSSL, which enable you to - select a publicprivate key combination
- get a signed certificate for your public key
- import the certificate into your browser, so that
it can send this to servers who request it
20openSSL
- Available on cosmos.ucc.ie
- It provides a great many options
- Too many to consider here today