Secure Sockets Layer



Presentation Transcript


  1. Secure Sockets Layer

  2. SSL
  • SSL is a communications protocol layer which can be placed between TCP/IP and HTTP
  • It intercepts web traffic and provides security between browser and server
  • Encryption is used to guarantee secure communication in an insecure environment
  • All security operations are transparent at both ends of the communication
  • SSL uses public-key cryptography

  3. Mortice-lock cryptography
  • Ordinary encryption is like sending messages in a box that is locked with a mortice lock
  • Both the sender of the message and the recipient must share a secret
    • they must each have a copy of the key to the lock
    • the sender needs a copy of the key to lock the box
    • the recipient needs a copy of the key to open the box
  • However, we don’t have to use mortice locks
    • we can use Yale locks

  4. Yale lock cryptography
  • Consider a box with a Yale lock
  • If the box is open, anybody can put a message inside and lock the box
    • no key is needed to lock the box
  • However, only the person who has the key of the Yale lock can open the box and read the message
  • The owner of the key can make many copies of the lock and send them to anybody who wants to send him a message
    • these people need never see the owner’s private key

  5. Public-key cryptography
  • Public-key cryptography is also known as asymmetric key cryptography
  • It allows users to communicate securely without having prior access to a shared secret key
  • Instead, it uses a pair of keys which are related mathematically
    • a message encoded with Key1 can only be decoded by using Key2
    • a message encoded with Key2 can only be decoded by using Key1

  6. Public-key cryptography (contd.)
  • Typically, one key is called a public key and the other is called a private key
  • The public key can be regarded as like a Yale lock
    • many copies of it can be made
    • they can be given to everybody who asks for one
  • The private key can be regarded as like the key to a Yale lock
    • the owner of the key does not share it with anybody else
    • he can use it to open locked boxes that people send to him

  7. Public-key certificates
  • Suppose you want to send a secure message to somebody and ask him to send you a Yale lock in the post
  • Suppose a Yale lock arrives in the post
  • How do you know the Yale lock is really from the person to whom you want to send your secure message?
  • You would require some guarantee
  • In public-key cryptography, this guarantee is called a public-key certificate

  8. Public-key certificates (contd.)
  • A public-key certificate binds a public key with a name
    • it guarantees that the public key is indeed owned by the person/organization/program with the given name
    • thus, it guarantees that any message encoded with the public key will only be readable by that person/organization/program
  • To increase the credibility of a public-key certificate, it is often signed by a trusted organization known as a Certification Authority (CA)

  9. Unidirectional versus bi-directional cryptography
  • Sometimes, both parties to a conversation need to send secret information
    • bi-directional cryptography is needed
    • each party must send his public key to the other
  • Sometimes, only one party to a conversation needs to send secret information
    • only unidirectional cryptography is needed
    • only the recipient of the secret information needs to own a public key
    • which he must send to the sender of the secret information

  10. Much e-Commerce involves only unidirectional cryptography
  • A customer making an online purchase needs to send secret information, such as a credit card number, to the company
  • The company does not need to send any secret information to the customer
  • In this case, only unidirectional cryptography is needed
  • Thus, the customer need not own any cryptographic key, but the company must
    • the server will have to send its public key to the customer’s browser

  11. An example
  • Consider buying a ticket from Aer Lingus
  • Initially, no secret information is being exchanged
    • Aer Lingus merely lists flight availability
    • the customer selects flights
  • Then, however, the customer must provide credit card details
    • before that can happen, Aer Lingus must send its public key to the customer

  12. Customer specifies Cork-Heathrow itinerary (screenshot: http protocol in use; no lock on status bar)

  13. Customer selects flights (screenshot: still http protocol; no lock on status bar)

  14. Customer is warned that SSL communication is about to start

  15. Customer is warned that SSL communication is about to start

  16. Customer is being asked for credit card details (screenshot: protocol is now https; there is a lock on the status bar)

  17. HTTPS and lock

  18. What happened when the user agreed to the secure connection
  • The Aer Lingus server sent its certificate to the user’s browser
  • The browser decided that the CA on the certificate was trustworthy and that the public key really was for Aer Lingus
  • Henceforth, all information sent by the user would be encoded using the public key
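The two-key property of slide 5, the name-to-key binding of slide 8 and the browser's check in slide 18, worked through in code. This is an added example and not material from the slides: it uses textbook RSA with tiny constructed primes and a made-up certificate layout (name, modulus, exponent, CA signature over their SHA-256 digest), so it shows the mechanism only and is not secure.

```python
# Added example (toy RSA, not the slides' code): illustrates the mechanism only.
import hashlib
from typing import List, NamedTuple, Optional

class KeyPair(NamedTuple):
    n: int   # modulus, shared by both keys
    e: int   # public exponent: the "Yale lock" anyone may be given
    d: int   # private exponent: the key only the owner holds

def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA from two primes (tiny here: a demonstration, not a secure key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))        # d undoes e modulo n

def apply_key(value: int, exponent: int, n: int) -> int:
    """What one exponent encodes, only the other exponent decodes (Key1 <-> Key2)."""
    return pow(value, exponent, n)

def encrypt_to(n: int, e: int, msg: bytes) -> List[int]:
    return [apply_key(b, e, n) for b in msg]     # one byte per block: a toy layout

def decrypt_with(key: KeyPair, blocks: List[int]) -> bytes:
    return bytes(apply_key(c, key.d, key.n) for c in blocks)

def digest(name: str, n: int, e: int, modulus: int) -> int:
    """Hash of (name, public key), reduced so the CA can sign it with its modulus."""
    data = f"{name}|{n}|{e}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(ca: KeyPair, name: str, subject: KeyPair) -> dict:
    """The CA binds a name to a public key by signing their digest with its private key."""
    h = digest(name, subject.n, subject.e, ca.n)
    return {"name": name, "n": subject.n, "e": subject.e, "sig": apply_key(h, ca.d, ca.n)}

def browser_trusts(cert: dict, ca_public: KeyPair) -> bool:
    """Slide 18: undo the CA's signature with the CA's public key and compare digests."""
    expected = digest(cert["name"], cert["n"], cert["e"], ca_public.n)
    return apply_key(cert["sig"], ca_public.e, ca_public.n) == expected

def checkout(cert: dict, ca_public: KeyPair, card: bytes) -> Optional[List[int]]:
    """Encode the card number with the server's public key only if the certificate checks out."""
    if not browser_trusts(cert, ca_public):
        return None                              # the "lock" may be an impostor's
    return encrypt_to(cert["n"], cert["e"], card)

if __name__ == "__main__":                       # constructed sample run with toy primes
    ca, server = make_keypair(1009, 1013), make_keypair(2003, 2011)
    cert = issue_certificate(ca, "Aer Lingus", server)
    print(decrypt_with(server, checkout(cert, ca, b"4111 1111 1111 1111")))
```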

  19. Sometimes, a browser needs to receive secrets from a server
  • If a browser needs to receive secrets from a server, the browser must be able to provide a public-key certificate to the server
  • There are freely-available utilities, such as OpenSSL, which enable you to
    • create a public+private key pair
    • get a signed certificate for your public key
    • import the certificate into your browser, so that it can send this to servers who request it

  20. OpenSSL
  • Available on cosmos.ucc.ie
  • It provides a great many options
    • Too many to consider here today
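The three OpenSSL steps of slide 19 (key pair, signed certificate, browser import) as an added example, not from the slides. It assumes a throwaway test CA created on the spot in place of a real Certification Authority, and the names, file names and the PKCS#12 password are constructed placeholders.

```shell
# Added example: slide 19's steps with the OpenSSL command line. Assumption: a
# throwaway test CA made here stands in for a real Certification Authority, so
# only parties that trust this test CA would trust the resulting certificate.
make_client_cert() {
    dir="$1"    # working directory for the generated files
    name="$2"   # the name the certificate will bind to the public key
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # 1. The test CA: its own key pair and a self-signed certificate
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
        openssl req -x509 -new -key ca.key -days 365 -subj "/CN=Example Test CA" -out ca.crt
        # 2. The user's public+private key pair (the Yale lock and its key)
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out user.key 2>/dev/null
        # 3. A signing request: the public key together with the name to bind it to
        openssl req -new -key user.key -subj "/CN=$name" -out user.csr
        # 4. The CA signs the request, producing the public-key certificate
        openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -out user.crt 2>/dev/null
        # 5. Check that the certificate chains to the CA, as a server would
        openssl verify -CAfile ca.crt user.crt >/dev/null || exit 1
        # 6. Bundle certificate, private key and CA cert as PKCS#12, the format browsers import
        #    (password "changeit" is a placeholder)
        openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
            -passout pass:changeit -out user.p12
    )
}

# Read back which name the certificate binds to its key (the binding of slide 8)
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Usage: make_client_cert ./demo alice && cert_subject ./demo/user.crt
```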
