Secure Socket Layer (SSL) is a suite of protocols that resides in the transport
layer of the OSI reference model.
SSL is built into all major browsers, and installing a digital certificate activates SSL
capabilities. SSL is designed to ensure
the security requirements of PKI through the use of digital
certificates and public-key and private-key encryption.
Note that both symmetric encryption and asymmetric encryption are used in
the communication. The message itself
is encrypted and decrypted using a symmetric-key algorithm because it is much
faster. The asymmetric-key algorithm is
used predominantly for the private exchange of the symmetric key.
In a client-server architecture, when a client requests
a secure session from a server, the client and server undergo a handshake process
(for the exchange of the private key):
At this point the client and the server have established between themselves a
session key that is going to be used as a symmetric key for encrypting
messages. This is called a session key
because it lasts for the duration of a session, which could be as long as a
number of hours or as short as a few minutes, depending on how the server is
configured. An inactive session usually
times out after about 20 minutes.
Having established the connection and the session key, the exchange of
messages follows these steps:
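The hybrid scheme described above (asymmetric encryption to move the session key once, a symmetric cipher for every message after that) as a self-contained added example; this is illustrative code written for these notes, not part of SSL itself or of any library the notes cite. It assumes the server's RSA key pair stands in for the key inside its certificate, uses RSA-OAEP for the key transport and AES-GCM for the records, and the "client" and "server" are just two halves of one program. It mirrors the RSA key-transport handshake of SSL 3.0/TLS 1.x; current TLS versions instead derive the session key with ephemeral Diffie-Hellman, but the split between a one-time asymmetric step and a fast symmetric step is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewServerKeyPair stands in for the server's certificate: the public half is
// what the client would read out of the certificate, the private half never
// leaves the server. (Assumption for this example: 2048-bit RSA.)
func NewServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientWrapSessionKey is the client's side of the handshake: pick a fresh
// random 128-bit symmetric key and encrypt it to the server's public key.
// This is the one asymmetric (slow) operation per session.
func ClientWrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 16) // 128-bit AES session key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// ServerUnwrapSessionKey recovers the session key; only the holder of the
// private key can do this, which is what keeps the exchange private.
func ServerUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Seal encrypts one message under the shared session key with AES-GCM, the
// fast symmetric step used for every record after the handshake. The random
// nonce is prepended so the receiver can recover it.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record produced by Seal. GCM also authenticates the record,
// so a modified ciphertext is rejected rather than decrypted to garbage.
func Open(sessionKey, record []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RunExchange performs the whole flow end to end and returns the plaintext
// the server recovered, so the result can be checked programmatically.
func RunExchange(message string) (string, error) {
	serverKey, err := NewServerKeyPair()
	if err != nil {
		return "", err
	}
	clientKey, wrapped, err := ClientWrapSessionKey(&serverKey.PublicKey) // client -> server
	if err != nil {
		return "", err
	}
	serverSessionKey, err := ServerUnwrapSessionKey(serverKey, wrapped) // server side
	if err != nil {
		return "", err
	}
	record, err := Seal(clientKey, []byte(message)) // client encrypts a message
	if err != nil {
		return "", err
	}
	plain, err := Open(serverSessionKey, record) // server decrypts it
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	out, err := RunExchange("hello over the session key")
	fmt.Println(out, err)
}
```

Note that the client never sends the session key in the clear and the server never sends its private key anywhere; an eavesdropper sees only the OAEP-wrapped key and AES-GCM records, and any tampering with a record makes `Open` fail rather than return modified plaintext.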
Hence, through the use of SSL, we have ensured:
Also see the following for more:
http://wp.netscape.com/eng/ssl3/ssl-toc.html
http://wp.netscape.com/eng/ssl3/index.html
http://www2.psy.uq.edu.au/~ftp/Crypto/
http://www.articsoft.com/security%20education.htm
How would you know you are making an SSL-secured connection to the server? Indicate
two ways.

SSL's symmetric encryption uses the DES algorithm and the key could be between 40 and
128 bits (128-bit encryption is now standard). Imagine the strength of a 40-bit
encryption. By what factor is a 128-bit encryption stronger than a 40-bit encryption?

How do the client (browser) and the server decide what size of key to use for the
session key?

For using SSL, does the client side need to have a digital certificate? If so, then why can I
access secure Web sites from my computer when seemingly I do not have a
certificate? If it is not needed, then how does the protocol work?

What is TLS?