ILTA
Am I a member?
Browse the member listing...

SSL Fundamentals

One of the most fundamental technologies for providing security over the Internet is SSL, or secure socket layer. Originally developed by Netscape, SSL has become the standard for securing login and credit card information provided over the Internet. Anytime a website displays a lock or key graphic on the browser status bar, users know the site uses SSL. Or you can also tell by the URL of the site being browsed: If it begins with HTTPS, as opposed to standard HTTP, then it is using a secure port for transmission of data.

SSL has become such a pervasive technology because it provides several important services.

First, it confirms the identity of the server to which you are transmitting information. Without SSL, users run the risk of transmitting data to a site that is "pretending" to be the site being targeted. SSL ensures proper transmission by using standard public key cryptography, ensuring that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed by the client as a trusted authority. A CA is a third-party company (such as VeriSign) or government agency entrusted with authenticating the company operating a server.

Second, SSL can also be used to verify the client's (or browser's) identity using the same techniques that confirm the server's identity. While this is a reasonable request for a company that does business on the Internet, it is not reasonable to expect millions of Internet users to do this before conducting business with a website. As a result this is rarely done.

Third, SSL encrypts data from the moment it's entered on your computer until it reaches the destination site, preventing your data from being read or "sniffed" by others. This would be analogous to scrambling a phone call so that only the person with the corresponding descrambler could understand what you were saying. If anyone had a tap on the phone line, they would merely hear noise.

Fourth, SSL guarantees that the connection is reliable because all message transports include a message integrity check. This confirms that the client is the same as the client that began the session. This prevents another user from taking over a session to access the account after the client has logged in.

Note that SSL does nothing to ensure the security of the data once it is delivered to the destination site. It is the responsibility of the solution provider to ensure that the data is protected once it gets to the site.

The SSL protocol runs on top of TCP/IP and below HTTP, LDAP, IMAP and other protocols. Thus it is used for much more than Web browsing. It also provides security for e-mail, directory services, telnet and more. Internally, SSL is composed of two layers. The first is the SSL record protocol that is used for the encapsulation of the higher-level protocols. The higher-level protocols include functions like the SSL Handshake protocol for authentication and establishment of the encryption algorithm.

The encryption or cipher algorithm itself is not built into SSL. Instead SSL provides a standard for exchanging data through any one of a number of cipher techniques. The most common ciphers include the following:
  • DES. Data Encryption Standard, an encryption algorithm used by the U.S. government.
  • DSA. Digital Signature Algorithm, part of the digital authentication standard used by the U.S. government.
  • KEA. Key Exchange Algorithm, an algorithm used for key exchange by the U.S. government.
  • MD5. Message Digest algorithm developed by Rivest.
  • RC2 and RC4. Rivest encryption ciphers developed for RSA Data Security.
  • RSA. A public-key algorithm for both encryption and authentication. Developed by Rivest, Shamir, and Adleman.
  • RSA key exchange. A key-exchange algorithm for SSL based on the RSA algorithm.
  • SHA-1. Secure Hash Algorithm, a hash function used by the U.S. Government.
  • SKIPJACK. A classified symmetric-key algorithm implemented in FORTEZZA-compliant hardware used by the U.S. Government.
  • Triple-DES. DES applied three times


Most of these algorithms support multiple key lengths. The key is the shared secret that is used to encrypt and decrypt the message. The most common key lengths are 40-bit for international and 128-bit within the US. This is what is signified when a site says it uses "128-bit" encryption, which means that there are approximately 3.4 * 1038 possible keys, making them very difficult to crack.

Without SSL the Internet would be a very uncertain place to conduct business. There would be no way to ensure the identities of the parties involved in a transaction. Furthermore there would be no way to protect the information as it is transmitted between parties over the net.

The existence and omnipresence of SSL have helped to create an environment of trust in the safety of transacting business on the Internet. There is no reason that it should not be used for all transactions that contain valuable or sensitive information. You should always look for the lock at the bottom on the screen before entering a password, credit card number or other sensitive information.

About our author...

Dan O'Day is the Vice President of Internet Development at Elite.com where he is responsible for the development of Timesolv and Worksolv. You can reach Dan at (323) 642-5296 or by e-mail at doday@elite.com.

 

© 2012 International Legal Technology Association
9701 Brodie Lane, Suite 200
Austin, TX 78748
MyILTA | Contact Us | ILTA's Connected Community | Follow ILTA on Twitter | Become a Fan on Facebook | Add us to your circles on Google+ | Members Only - LinkedIn Group | Site Map | Terms & Conditions
From: 
Email:  
To: 
Email:  
Subject: 
Message: