Secure Sockets Layer

Upload: elinor-white

Post on 18-Dec-2015


SSL

• SSL is a communications protocol layer which can be placed between TCP/IP and HTTP

• It intercepts web traffic and provides security between browser and server

• Encryption is used to guarantee secure communication in an insecure environment

• All security operations are transparent at both ends of the communication

• SSL uses public-key cryptography

Mortice-lock cryptography

• Ordinary encryption is like sending messages in a box that is locked with a mortice lock

• Both the sender of the message and the recipient must share a secret
  – they must each have a copy of the key to the lock
    • the sender needs a copy of the key to lock the box
    • the recipient needs a copy of the key to open the box

• However, we don’t have to use mortice locks
  – we can use Yale locks

Yale lock cryptography

• Consider a box with a Yale lock

• If the box is open, anybody can put a message inside and lock the box
  – no key is needed to lock the box

• However, only the person who has the key of the Yale lock can open the box and read the message

• The owner of the key can make many copies of the lock and send them to anybody who wants to send him a message
  – these people need never see the owner’s private key

Public-key cryptography

• Public-key cryptography is also known as asymmetric key cryptography

• It allows users to communicate securely without having prior access to a shared secret key

• Instead, it uses a pair of keys which are related mathematically
  – a message encoded with Key1 can only be decoded by using Key2
  – a message encoded with Key2 can only be decoded by using Key1

Public-key cryptography (contd.)

• Typically, one key is called a public key and the other is called a private key

• The public key can be regarded as like a Yale lock
  – many copies of it can be made
  – they can be given to everybody who asks for one

• The private key can be regarded as like the key to a Yale lock
  – the owner of the key does not share it with anybody else
  – he can use it to open locked boxes that people send to him
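The lock-and-key model above, run with the OpenSSL command line as an added example (it is not part of the original slides). The file names and message are constructed, and RSA with OAEP padding is an assumption, since the slides name no algorithm.

```shell
#!/usr/bin/env bash
# Added example: the Yale-lock model with the OpenSSL CLI.
# File names and the message are constructed; RSA-OAEP is an assumption.

new_private_key() {   # $1 = output file; 2048-bit RSA private key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

yale_lock_demo() {
    local d opened other
    d=$(mktemp -d) || return 1
    # Owner: create the private key (the key to the lock) and keep it.
    new_private_key "$d/owner.key" || return 1
    # Owner: derive the public key (the lock) and hand out copies freely.
    openssl pkey -in "$d/owner.key" -pubout -out "$d/owner.pub" || return 1
    # Somebody else's unrelated private key, to show it cannot open the box.
    new_private_key "$d/other.key" || return 1

    # Sender: lock the message using only the owner's public key.
    printf 'card 0000 (constructed)' > "$d/msg.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$d/owner.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/msg.txt" -out "$d/msg.enc" || return 1

    # Owner: open the box with the private key.
    opened=$(openssl pkeyutl -decrypt -inkey "$d/owner.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/msg.enc") || return 1

    # Any other private key fails to open it.
    if openssl pkeyutl -decrypt -inkey "$d/other.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/msg.enc" >/dev/null 2>&1
    then other=opened; else other=rejected; fi

    rm -rf "$d"
    echo "owner=$opened other=$other"
}

yale_lock_demo
```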

Public Key certificates

• Suppose you want to send a secure message to somebody and ask him to send you a Yale lock in the post

• Suppose a Yale lock arrives in the post

• How do you know the Yale lock is really from the person to whom you want to send your secure message?

• You would require some guarantee

• In public-key cryptography, this guarantee is called a public-key certificate

Public-key certificates (contd.)

• A public-key certificate binds a public key with a name
  – it guarantees that the public key is indeed owned by the person/organization/program with the given name
  – thus, it guarantees that any message encoded with the public key will only be readable by that person/organization/program

• To increase the credibility of a public-key certificate, it is often signed by a trusted organization known as a Certification Authority (CA)

Unidirectional versus bi-directional cryptography

• Sometimes, both parties to a conversation need to send secret information
  – bi-directional cryptography is needed
  – each party must send his public key to the other

• Sometimes, only one party to a conversation needs to send secret information
  – only unidirectional cryptography is needed
  – only the recipient of the secret information needs to own a public key
    • which he must send to the sender of the secret information

Much e-Commerce involves only unidirectional cryptography

• A customer making an online purchase needs to send secret information, such as a credit card number, to the company

• The company does not need to send any secret information to the customer

• In this case, only unidirectional cryptography is needed

• Thus, the customer need not own any cryptographic key, but the company must
  – the server will have to send its public key to the customer’s browser

An example

• Consider buying a ticket from Aer Lingus

• Initially, no secret information is being exchanged
  – Aer Lingus merely lists flight availability
  – the customer selects flights

• Then, however, the customer must provide credit card details
  – before that can happen, Aer Lingus must send its public key to the customer

Customer specifies Cork-Heathrow itinerary
http protocol in use; no lock on status bar

Customer selects flights
still http protocol; no lock on status bar

Customer is warned that SSL communication is about to start


Customer is being asked for credit card details
protocol is now https; there is a lock on the status bar

HTTPS and lock

What happened when user agreed to secure connection

• The Aer Lingus server sent its certificate to the user’s browser

• The browser decided that the CA on the certificate was trustworthy and that the public key really was for Aer Lingus

• Henceforth, all information sent by the user would be encoded using the public key

Sometimes, a browser needs to receive secrets from a server

• If a browser needs to receive secrets from a server, the browser must be able to provide a public-key certificate to the server

• There are freely-available utilities, such as OpenSSL, which enable you to
  – select a public+private key combination
  – get a signed certificate for your public key
  – import the certificate into your browser, so that it can send this to servers who request it

OpenSSL

• Available on cosmos.ucc.ie

• It provides a great many options

• Too many to consider here today
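
The three OpenSSL steps listed earlier, together with the CA trust check made when a certificate is presented, as an added example that is not part of the original slides. It assumes two throwaway self-signed demo CAs in place of a real Certification Authority; all subject names, file names and the password are constructed.

```shell
#!/usr/bin/env bash
# Added example: the three OpenSSL steps, with throwaway demo CAs standing in
# for a real Certification Authority. Names and the password are constructed.

client_cert_demo() {
    local d rc
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Step 1: select a public+private key combination.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out client.key 2>/dev/null || exit 1
        # Step 2a: put the public key and a name into a signing request.
        openssl req -new -key client.key -subj "/CN=Example Customer" \
            -out client.csr || exit 1
        # Two self-signed demo CAs: one the checker trusts, one it does not.
        for ca in trusted untrusted; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
                -subj "/CN=Demo $ca CA" -keyout "$ca.key" -out "$ca.crt" \
                2>/dev/null || exit 1
        done
        # Step 2b: the trusted CA signs, binding the name to the public key.
        openssl x509 -req -in client.csr -CA trusted.crt -CAkey trusted.key \
            -CAcreateserial -days 30 -out client.crt 2>/dev/null || exit 1
        # The check a relying party makes: is the signing CA one it trusts?
        if openssl verify -CAfile trusted.crt client.crt >/dev/null 2>&1
        then known=accepted; else known=rejected; fi
        if openssl verify -CAfile untrusted.crt client.crt >/dev/null 2>&1
        then unknown=accepted; else unknown=rejected; fi
        # Step 3: bundle key and certificate as PKCS#12 for browser import.
        openssl pkcs12 -export -inkey client.key -in client.crt \
            -name "Example Customer" -passout pass:constructed-demo \
            -out client.p12 || exit 1
        if [ -s client.p12 ]; then p12=written; else p12=missing; fi
        echo "known_ca=$known unknown_ca=$unknown p12=$p12"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

client_cert_demo
```

With a real CA, step 2b happens on the CA's side: only `client.csr` is sent to it, and `client.key` never leaves the machine that generated it.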