But where'd that extra "s" come from, and what does it mean?

Transcription

1 SSL/TLS While browsing Internet, some URLs start with " while others start with " Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying bills online. But where'd that extra "s" come from, and what does it mean? To put it simply, the extra "s" means, the connection to that website is secure and encrypted, any data which is safely shared with that website. The technology that powers that little "s" is called SSL, which stands for Secure Sockets Layer SSL is a computer networking Protocol for establishing encrypted link between a web server and a browser. It uses encrypting techniques to encrypt data in transit, hence preventing attackers from reading as it is sent over connection. TLS is an Updated and more secure version SSL (Secure Sockets Layer) but it is referred as SSL because it is more commonly used term. SSL History: SSL 1.0, 2.0 and 3.0: Originally SSL is developed by Netscape. SSL 1.0 was never released due to its serious security flaws. SSL 2.0 was released in Feb 1995, because of its security flaws which necessitated design of SSL Version 3.0 SSL 3.0 was released in 1996, which is also found to be vulnerable to the POODLE attack. TLS 1.0 is an upgraded version of SSL 3.0 and released in January TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security. TLS 1.1 is an updated version of TLS 1.0 which is released in August 2008, it added a protection against cipher-block chaining attacks and supports for IANA registration of parameters. TLS 1.2 was defined in August 2008, and it is based on TLS 1.1 with much more enhancement.

2 SSL Certificate: It s a small data file that digitally bind a cryptographic key to an organization s details. SSL certificate bind together: A Domain Name, server name or hostname An organizational identity and location. SSL certificates are issued by a trusted Certificate Authority. And the format of these certificate is specified by the X.509 standard. When SSL/TLS certificate is installed on a web server, it enables secure connection between the web server and browser that connects to it. SSL URLs: Most web browser supports SSL and many websites uses this protocol.

3 HTTPS appears in the URL when a website is secured with SSL certificate. The presence of an SSL protocol and an encrypted session is indicated by presence of the lock icon in the address bar. If the website uses an extended validation (EV) certification, then the browser may also show a green address bar. Details of the certificate can be viewed by clicking on the lock symbol on the browser bar. Security parameters of SSL: Along with Encryption, SSL also supports following security principles: Encryption: Protects data transmission Authentication: Ensures the connected server is actually the correct server. Data integrity: Ensures the data that is requested or submitted is what is actually delivered. What is SSL used for? SSL is used for secure online business to protect customers personal Information and their online Transactions.

4 If application are using forms to collect personal information, Document and Images. Connection between client and server and many more. Who is Certificate authority? It s an entity who is authorized to issue, suspend, renew or revoke Digital certificates. Usually Client software such as browser include a set of trusted CA certificates known as trusted Root CA. An organization s certificate contains a public key and identity of the owner. And this certifies the ownership of the public key by the named subject of the certificate. Digital certificates are verified using a chain of trust. And this chain consist of Root CA and Intermediate certificate. In order to trust a certificate, it has been issued by a CA that is included in the Trusted Root CA. If the certificate was not issued by a trusted CA, the connecting device will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on. What details are included in the SSL certificate?

5 SSL Certificates will contain details of whom the certificate has been issued to. This includes the domain name or common name, serial number; the details of the issuer; the period of validity - issue date and expiry date; SHA Fingerprints; subject public key algorithm, subject's public key; certificate signature algorithm, certificate signature value. Other important details such as the type of certificate, SSL/TLS version, Perfect Forward Secrecy status, and cipher suite details are included. Organization validated and extended validation certificates also contain verified identity information about the owner of the website, including organization name, address, city, state and country.

6 How does SSL work? (SSL handshake process) Browser checks to see if there is SSL certificate when it visits a website. SSL/TLS negotiation occurs (also called SSL Handshake) if SSL certificate is present on the Server to encrypt the communication between client and Server. In SSL communication, the server s SSL certificate contains an asymmetric public and private key pair. This pair is used only during the generation of session key. Once the session key is generated, Server and browser encrypt and decrypt all transmitted data with symmetric session key. The following steps define the SSL/TLS Negotiation process: Phase 1: Establishing Security capabilities (Client and Server Hello) : In this phase, client and server exchange information that is needed to communicate using SSL such as SSL version, cipher settings, and Session specific data in Client Hello and Server Hello packets respectively. Phase 2: Server authentication and Key Exchange:

7 Server Share its certificate with its client, Client authenticates it using Common Name/ Date/Issuer. Client creates the pre-master secret for the session, encrypts with the server s public keys and sends the encrypted pre-master secret to the server. Phase 3: Client authentication and key exchange (optional): In some cases, server requests client s certificate for client authentication. Client encrypts its certificate with its Private Key and server decrypts it with client s Public keys. Phase 4: Key Generation: Server uses its private keys to decrypt the pre-master secret (which is shared by the client in second step). Both server and client generate Master secret based on the agreed ciphers, Random number and the pre master secret. Phase 5: Finish Both client and server exchange Finish messages to inform that future messages will be encrypted. Different Types of SSL Certificates: Based on vetting and verification processes needed to obtain the certificate, certificates are classified in three categories: 1. Domain Validated (DV SSL) Certificates: These certificates are issued after Domain control has been established using an automated, online process. CA only checks the right of the applicant to use a specific domain name. Provides encryption but not authentication. Recommended to use where security is not concern such as Protected Internal Systems. 2. Organizational Validated (OV SSL) Certificates: It checks the right of the applicant to use a specific domain plus it conducts vetting of the organization.

8 These certificates are authenticated by real agents against business registry Databases hosted by government. These certificates provide more information to customers mousing-over the Padlock. These are not validated to the CA/B (Certificate Authority/ Browser) forum standards, they do not possess the ability to turn the browser address bar green. It is a type of Standard certificate required on a commercial or public facing certificate. 3. Extended validation (EV SSL) certificates: The CA checks the right to the application to use a specific domain name plus it conducts a thorough vetting of the organization that includes verifying legal, physical and operational existence of the entity also verifying that entity has exclusive right to use the domain specified in the EV SSL certificate. These certificates provides the highest levels of security. These are issued only after CA conducted rigorous background check based on the CA/B (certificate Authority/Browser) Forum. These are generally identified with a green address bar in the browser containing the company name. This level of security (these certificates) are used by the major corporations, governments and business entities. References:

9