The Secure Socket Layer Review

The topic Secure Socket Layer (SSL) is a topic whose true meaning and implementations have tended to elude the casual web surfer as well as the Computer Science professional. Many e-commerce sites use SSL for securing their daily business transactions. This paper will focus on not only how it is implemented, but also how it works, how its encryption works, how SSL fits between the layers of the TCP/IP protocol, and a brief description of generic installations.

(RSA, 2003) "SSL is a protocol designed to enable secure communications on an insecure network such as the Internet." SSL was developed by Netscape Communications in the early 1990's to safe guard sensitive materials transferred across the Internet from being tampered with or stolen by unscrupulous individuals. (Syme & Goldie, 2003) SSL is neither a Transport layer protocol nor an Application layer protocol; in fact it is nestled right in between these two layers. SSL has been one of the major forces in Internet security since version SSL version 0.8 was released publicly by Netscape; currently the most popular version is SSL version 3.0, developed in 1996. SSL has entailed easy incorporation for administrators as well as developers to convey secure content and services using typical HTTP servers. Typically, there are little changes in HTML content, plus it is included in most modern and up to date web browsers, so SSL digital certificates are not only easy to install but easy to use. This ease creates a transparent feel for the user, meaning it does not disturb the actual transmission of the security service. The only knowledge the user receives when using SSL are a popup box notifying the user of the certificate and is third party authenticator and possibly an image of a small padlock in the corner of the browser window signifying that this document in use is secure.

As mentioned before, SSL is nestled between the Application layer and the Transport layer that provides the main security device for online purchases to be transacted through an e-commerce site. The SSL layer has what are called Server certificates that are designed to protect users of e-commerce sites during the transmissions of sensitive data. The idea of a digital certificate is for the consumer or user to have confidence in the transaction. The task of the digital certificate on a particular server, automatically communicates the sites authenticity to a visitors' web browser, confirming that the visitor is actually communicating with the intended source and not with a malicious hacker looking to gain custody of that particular sensitive information. SSL is currently at version 3.0, it is said to be outdated and will be replaced by the Transport Layer Security (TLS), but still remains a constant as most e-commerce sites.

A good example of how SSL is useful and how it works is to imagine a bank patron and a bank teller exchanging monies and other sensitive goods. SSL's purpose is to be a mediator, or to position itself in between them (layers) and change certain pieces of the monies and data as they pass between the two individuals. If not for SSL, hackers could easily step into that space and garner sensitive information at will. So, SSL provides mechanisms for each side to ensure that the Application layer data being sent and received has not been tampered with or changed in any way as it treks across Internet. Netscape's contribution to the growth of the Internet is more profound with its SSL security system more than its web browsers, so much of today's Internet fortunes rest on the security which SSL has arranged. (Killelea, 2002)Secure HTTP, also known as HTTPS, uses ordinary HTTP over the SSL protocol on port 443 by default. SSL encrypts all traffic, so users and administrators will maintain the utmost confidents that the content will not be intelligible to anyone snooping Internet packets. In fact, even the HTTP headers and all images will be encrypted as well. It has been mentioned among professionals that even the usages of stateful cookies are sometimes difficult to implement in conjunction with SSL being that they are encrypted as well.

(Syme & Goldie, 2003)The process of encrypting data and then decrypting it essentially means to take some data and alter it to a condition which is unreadable to an outside party and then convert it back to its initial condition, consequently making it readable to only its user. This entire process is obtained using a cipher and a key. A cipher, also known as the Cryptographic Algorithm, is a mathematical formula that is applied to the original data source for encryption or to the altered data for decryption. Simply put, (Syme & Goldie, 2003) "the cipher encrypt the data must also be used to decrypt at the other end. The use of a key, or series of keys, gives the cipher the ability to encrypt the data in such a way so as not to be decrypted easily."

(Syme & Goldie, 2003)Ciphers alone, are neither robust nor hidden enough to create a secure environment, they need to conjure in a random type factor to the encryption process; that being keys. It's the keys which allow the cipher the ability to encrypt data in a fashion for which decrypting is nearly impossible. If you were to encrypt a simple sentence using an algorithm that is widely known, it would be a relatively simple task to run the data through the same algorithm and arrive at the answer. Encrypting a generic line of text with a well known algorithm would lead to a very elementary task to decipher that line of text. A simple analogy involving web scripting would be writing a JavaScript function and choosing to encrypt it with an open source Code Encryptor. The Code Encryptor is enabled off of the JavaScript escape function and its duty is to change all HTML Entities and code to their URL-Encode, such as %20 meaning space. Concluding the analogy, if the hacker can either read URL-Encode or knows about the JavaScript escape function, then the encryption is not guaranteed. So with keys, the user must have the correct cipher and key to decrypt a message, which also must be the exact pair to encrypt the data initially. (Syme & Goldie, 2003) "This combination of cipher and key forms the basic premise of modern cryptography: Decryption with the known key is simple, but decryption without the key is extremely difficult and in most cases computationally impossible. SSL uses a combination of two basic encryption techniques, symmetric-key encryption and public-key encryption."

SSL utilizes public key cryptography which is widely used for encryption and authentication throughout the computing world. (RSA, 2003) "Netscape has licensed RSA public key cryptography from RSA Data Security Inc. for use in its products, specifically for authentication." Public keys use a cryptographic system that utilizes two keys; a public key and a private key. Public keys are utilized in a cryptic type system where a public and a private key are used. The idea of the public key is that the public key is known to everyone and a conjoining private key, also called the secret key, is only known on the side of the recipient. For each pair of keys, there exists a publicly distributed key and a never distributed secret private key. (RSA, 2003) "Data that is encrypted with the public key can be decrypted only with the private key." Meaning for every public key which has encrypted data, it can only be decrypted with the coinciding private key and vice versa. Which is why public key cryptography is practical, the coincided acknowledgements through the cooperation of each key is what is meant by asymmetrical keys; and SSL is built upon the foundation of utilizing asymmetrical and symmetrical keys, respectively, in its implementation.

(Syme & Goldie, 2003) "In asymmetric- or public-key encryption, any data encrypted using the easily available public key can only be decrypted using the corresponding private key."

An excellent example would be if a bank patron wanted to pay some bills online then the patron would send a secure message to the bank. The bank would then use their own private key to encrypt the transaction. (Netscape, 1999)"An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them." From a mathematical standpoint, it is extremely difficult and even more so unlikely that the private key will be cracked if the patron knows the public key.

In addition to the public key cryptography system, there is a need for an accredited third party to verify and authenticate the entire encryption and decryption process. This is known as a Certificate of Authority and its two main duties are to provide a standard of authentication and to construct a standard arrangement for the passing and receiving of keys. (ONCPW) "Certificates are like digital passports that can authenticate an organization to a user on connection to its site."

(Netscape, 2003) "SSL 3.0 comes in two different strength levels, 40-bit and 128-bit", respectively. These two bit sizes refer to the length of the of the "session key" generated by every encrypted transaction." The 40 bit sizes were the original size devised in the early 90's. As e-commerce and online data transfers became abundant, the need to create a more robust encryption was needed. Coinciding with online banking, the banking industry required the 128 bit session key. It robustness alone arose to detract even the most vigilant hackers. (RSA, 2003)The longer the key, the more difficult it is to break the encryption code and so entails a 128 bit is 309 septillion times larger than 40 bit encryption.

(Syme & Goldie, 2003)Thus it should come as no surprise that SSL is a very expensive operation. But on the upside SSL does have some clear strong suits for which to mark its reputation upon. Most notably, the arrangement of mathematically related corresponding keys conjures that when something has been encrypted, it may only be decrypted by the coinciding holder of the private key and no others. Also a strong attribute of SSL is that it has been developed for the large scale environment. Since public keys are transmitted in clear text, to their uniform key holders, they are particularly well suited for most applications ranging throughout the Internet.

As mentioned earlier, SSL is nestled between the Application layer and the Transport layer; to traditionalists this is known as the Presentation layer. This conclusively deduces that the SSL is selectively performed at both layers and that each application is treated independently. Consequently, this allows the client machine (Syme & Goldie, 2003) "the ability to run secure services for certain applications only, while remaining impartial to the underlying Layer 3 and 4 services." It should be mentioned that within SSL; only the Application layer data is encrypted.

(Gakenheimer, 2004)Below is a rendition of the TCP/IP Protocol Model compared to the OSI Seven Layer Model and where the Secure Socket Layer (SSL) resides in their realms.

Since the Application layer data is encrypted, all items including stateful cookies and values transported over the Internet via "post" or "get" will be encrypted as well.

Most everyone has encountered SSL through countless menageries of activities while cascading the Internet, but many Computer Scientist have not had the opportunity to implement or install SSL. SSL implementations tend to involve MIS, Web Development people or web hosting through a third party, but it should be partially explained how it can be installed on an open source or through various Windows server accouterments. For the Windows IIS installation, the expected should be expected, simply meander through a course of five or six steps to fully install the service. (FreeSSL, 2004)According to the product FreeSSL, there are only a few steps to install the SSL services and their accompanying software provides most of the instructional fortitude. (Faure, 1998)To install SSL on to an open source Apache web server all that is needed is the SSL software and the execution of about the same number of commands ranging from Configure to make to rehash.

Eventually all good things must end, or at least change for the future. The future of SSL 3.0 will eventually be replaced by the Transport Layer Security (TLS). (Tech Target, 2003) TLS is based off of SSL 3.0 and its first version TLS 1.0 was first made available in 1999. Its focus will be to stop all eaves droppers from intersection SSL's short falls. The current version of TLS is backward compatible with SSL 3.0, as well as supported by most modern web browsers. TLS does not have a large user base, but its future is to replace SSL is very promising.

In conclusion, this topic could have included many other implementations such as VeriSign and could have gone father as far as how public keys and various algorithms are used within SSL. The need to emphasize the basics of operations of the SSL was needed because this technology relies much on security as well as its place in the TCP/IP and OSI ISO layers, respectively. SSL has been a main stay for the e-commerce and the Internet community as a whole and deserved to be introduced and analyzed. It may be replaced in the near future, but must always be remembered of its contributions towards the safe guarding of the fascinating and infinite spans of the Internet.

Bibliography