Secure Sockets Layer SSL SSL is a communications protoco - PowerPoint PPT Presentation

Slides: 21
Provided by: csUccIej

Transcript and Presenter's Notes



1
Secure Sockets Layer
2
SSL
  • SSL is a communications protocol layer which can
    be placed between TCP/IP and HTTP
  • It intercepts web traffic and provides security
    between browser and server
  • Encryption is used to guarantee secure
    communication in an insecure environment
  • All security operations are transparent at both
    ends of the communication
  • SSL uses public-key cryptography

3
Mortice-lock cryptography
  • Ordinary encryption is like sending messages in a
    box that is locked with a mortice lock
  • Both the sender of the message and the recipient
    must share a secret
  • they must each have a copy of the key to the lock
  • the sender needs a copy of the key to lock the
    box
  • the recipient needs a copy of the key to open the
    box
  • However, we don't have to use mortice locks
  • we can use Yale locks

4
Yale lock cryptography
  • Consider a box with a Yale lock
  • If the box is open, anybody can put a message
    inside and lock the box
  • no key is needed to lock the box
  • However, only the person who has the key of the
    Yale lock can open the box and read the message
  • The owner of the key can make many copies of the
    lock and send them to anybody who wants to send
    him a message
  • these people need never see the owner's private
    key

5
Public-key cryptography
  • Public-key cryptography is also known as
    asymmetric key cryptography
  • It allows users to communicate securely without
    having prior access to a shared secret key
  • Instead, it uses a pair of keys which are related
    mathematically
  • a message encoded with Key1 can only be decoded
    by using Key2
  • a message encoded with Key2 can only be decoded
    by using Key1

6
Public-key cryptography (contd.)
  • Typically, one key is called a public key and the
    other is called a private key
  • The public key can be thought of as a Yale
    lock
  • many copies of it can be made
  • they can be given to everybody who asks for one
  • The private key can be thought of as the key
    to a Yale lock
  • the owner of the key does not share it with
    anybody else
  • he can use it to open locked boxes that people
    send to him

7
Public Key certificates
  • Suppose you want to send a secure message to
    somebody and ask him to send you a Yale lock in
    the post
  • Suppose a Yale lock arrives in the post
  • How do you know the Yale lock is really from the
    person to whom you want to send your secure
    message?
  • You would require some guarantee
  • In public-key cryptography, this guarantee is
    called a public-key certificate

8
Public-key certificates (contd.)
  • A public-key certificate binds a public key with
    a name
  • it guarantees that the public key is indeed owned
    by the person/organization/program with the given
    name
  • thus, it guarantees that any message encoded with
    the public key will only be readable by that
    person/organization/program
  • To increase the credibility of a public-key
    certificate, it is often signed by a trusted
    organization known as a Certification Authority
    (CA)

9
Unidirectional versus bi-directional cryptography
  • Sometimes, both parties to a conversation need to
    send secret information
  • bi-directional cryptography is needed
  • each party must send his public key to the other
  • Sometimes, only one party to a conversation needs
    to send secret information
  • only unidirectional cryptography is needed
  • only the recipient of the secret information
    needs to own a public key
  • which he must send to the sender of the secret
    information

10
Much e-Commerce involves only unidirectional
cryptography
  • A customer making an online purchase needs to
    send secret information, such as a credit card
    number, to the company
  • The company does not need to send any secret
    information to the customer
  • In this case, only unidirectional cryptography is
    needed
  • Thus, the customer need not own any cryptographic
    key, but the company must
  • the server will have to send its public key to
    the customer's browser

11
An example
  • Consider buying a ticket from Aer Lingus
  • Initially, no secret information is being
    exchanged
  • Aer Lingus merely lists flight availability
  • the customer selects flights
  • Then, however, the customer must provide credit
    card details
  • before that can happen, Aer Lingus must send its
    public key to the customer

12
Customer specifies Cork-Heathrow itinerary; http protocol in use; no lock on status bar
13
Customer selects flights; still http protocol; no lock on status bar
14
Customer is warned that SSL communication is
about to start
15
Customer is warned that SSL communication is
about to start
16
Customer is being asked for credit card details; protocol is now https; there is a lock on the status bar
17
HTTPS and lock
18
What happened when user agreed to secure
connection
  • The Aer Lingus server sent its certificate to the
    user's browser
  • The browser decided that the CA on the
    certificate was trustworthy and that the public
    key really was for Aer Lingus
  • Henceforth, all information sent by the user
    would be encoded using the public key

19
Sometimes, a browser needs to receive secrets
from a server
  • If a browser needs to receive secrets from a
    server, the browser must be able to provide a
    public-key certificate to the server
  • There are freely-available utilities, such as
    OpenSSL, which enable you to
  • select a public/private key combination
  • get a signed certificate for your public key
  • import the certificate into your browser, so that
    it can send this to servers who request it
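
The three OpenSSL steps above, as an added example that is not part of the original presentation: a throwaway CA stands in for the trusted organization, and the names `Demo CA`, `Unrelated CA`, `demo-client` and the export password are constructed. It also runs the check from slides 7, 8 and 18: the certificate is accepted only against the CA that actually signed it.

```shell
#!/usr/bin/env bash
# Added example. All names, the password and the throwaway CAs are constructed.
set -eu

make_ca() {              # $1 = directory, $2 = CA name; writes ca.key + ca.crt
  # -nodes leaves the key unencrypted: acceptable only for a throwaway demo CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {    # $1 = directory holding the CA, $2 = client name
  # Step 1: select a public/private key combination.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/client.key" 2>/dev/null
  # Step 2: request a certificate (the CSR carries the name and public key) ...
  openssl req -new -key "$1/client.key" -subj "/CN=$2" -out "$1/client.csr"
  # ... and have the CA sign it, binding that name to that public key.
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$1/client.crt" 2>/dev/null
}

export_for_browser() {   # $1 = directory, $2 = export password
  # Step 3: PKCS#12 bundle (key + certificate + CA) that browsers can import.
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
    -certfile "$1/ca.crt" -name "demo client" -passout "pass:$2" \
    -out "$1/client.p12"
}

trust_check() {          # $1 = CA certificate, $2 = certificate to judge
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

cert_matches_key() {     # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

work=$(mktemp -d)
mkdir "$work/ca" "$work/other"
make_ca "$work/ca" "Demo CA"
make_ca "$work/other" "Unrelated CA"
issue_client_cert "$work/ca" "demo-client"
export_for_browser "$work/ca" "constructed-password"
echo "issuing CA:   $(trust_check "$work/ca/ca.crt" "$work/ca/client.crt")"
echo "unrelated CA: $(trust_check "$work/other/ca.crt" "$work/ca/client.crt")"
cert_matches_key "$work/ca/client.crt" "$work/ca/client.key" && echo "key matches"
rm -rf "$work"
```

In a real deployment the CA key belongs to the certification authority, and only the CSR leaves the client's machine; the private key never does.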

20
OpenSSL
  • Available on cosmos.ucc.ie
  • It provides a great many options
  • Too many to consider here today