To guard against spoofing by an attacker, a Public Key Infrastructure (PKI) is used, in which public keys are digitally signed and issued in the form of digital certificates. A digital certificate is like a passport: in X.509 format it typically carries the entity name (CN), organization (O), country (C), the public key, the Certificate Authority's signature, and so on. Digital certificates are issued and signed by a trusted Certificate Authority (CA) using the CA's private key.
In conventional encryption, the two communicating parties share one password or key, which is used both to encrypt and to decrypt messages. This is very simple and efficient, but it does not solve the problem of handing the password to someone you have not yet met or do not yet trust. This is called symmetric cryptography.
In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person's public key can only be decrypted with the corresponding private key, and vice versa. Each user tells the world what their public key is but keeps the private key to themselves. This is called asymmetric cryptography.
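The contrast above, as an added example that is not part of the original post: a shell script driving the openssl command line (OpenSSL 1.1.1 or newer on PATH is assumed) through a symmetric round trip with a shared password, then through an asymmetric one, where a message encrypted to Alice's public key opens only with her private key, and a signature made with that private key is checked by anyone holding the public key. The message, the password and the key-holder names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the two kinds of encryption the
# text contrasts, driven through the openssl CLI. Assumes OpenSSL 1.1.1+ on PATH;
# the message, password and key-holder names (alice, bob) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'meet at noon' > "$WORK/msg.txt"   # constructed message to protect

# Symmetric: the same shared password both encrypts and decrypts, so it has to
# reach the other party over some already-trusted channel first.
symmetric_demo() {
    openssl enc -aes-256-cbc -pbkdf2 -pass pass:shared-secret \
        -in "$WORK/msg.txt" -out "$WORK/msg.enc"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:shared-secret \
        -in "$WORK/msg.enc" -out "$WORK/msg.dec"
    cmp -s "$WORK/msg.txt" "$WORK/msg.dec" || { echo fail; return 1; }
    # A wrong password either errors out or yields garbage, never the message.
    openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:wrong-secret \
        -in "$WORK/msg.enc" -out "$WORK/msg.bad" 2>/dev/null || true
    if cmp -s "$WORK/msg.txt" "$WORK/msg.bad"; then echo fail; return 1; fi
    echo pass
}

# Asymmetric: Alice publishes alice.pub and keeps alice.key to herself.
asymmetric_demo() {
    for who in alice bob; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORK/$who.key" 2>/dev/null
        openssl pkey -in "$WORK/$who.key" -pubout -out "$WORK/$who.pub"
    done

    # Encrypted to Alice's public key: only alice.key can open it.
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/alice.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.txt" -out "$WORK/msg.rsa"
    openssl pkeyutl -decrypt -inkey "$WORK/alice.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.rsa" -out "$WORK/msg.rsadec"
    cmp -s "$WORK/msg.txt" "$WORK/msg.rsadec" || { echo fail; return 1; }
    # Bob's private key is the wrong key: decryption must not succeed.
    if openssl pkeyutl -decrypt -inkey "$WORK/bob.key" -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/msg.rsa" -out "$WORK/msg.bobdec" 2>/dev/null; then
        echo fail; return 1
    fi

    # The "vice versa" direction is a signature: made with alice.key, checked
    # by anyone holding alice.pub. This is what a CA does to a certificate.
    openssl dgst -sha256 -sign "$WORK/alice.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
    openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$WORK/msg.sig" \
        "$WORK/msg.txt" >/dev/null || { echo fail; return 1; }
    # Change the message and the same signature no longer verifies.
    printf 'meet at one ' > "$WORK/msg.tampered"
    if openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$WORK/msg.sig" \
        "$WORK/msg.tampered" >/dev/null 2>&1; then
        echo fail; return 1
    fi
    echo pass
}

echo "symmetric:  $(symmetric_demo)"    # pass
echo "asymmetric: $(asymmetric_demo)"   # pass
```

The signature half is the part PKI builds on: a CA signs a certificate with its private key exactly as Alice signs the message here, and a browser checks it with the CA's public key.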
How SSL Works
I. Obtaining an SSL Certificate
XYZ Inc. intends to secure the website its customers use, www.xyz.com.
Step 1: XYZ creates a Certificate Signing Request (CSR); during this process a private key is generated.
Step 2: XYZ goes to a trusted third-party Certificate Authority, such as Verisign. Verisign takes the certificate signing request and validates XYZ in a two-step process: it validates that XYZ has control of the domain xyz.com and that XYZ Inc. is an official organization listed in public government records.
Step 3: When the validation process is complete, Verisign gives XYZ a new certificate containing XYZ's public key, signed with Verisign's private key.
Step 4: XYZ installs the certificate on its web servers.
II. How Customers communicate with the Server using SSL
Step 1: A customer makes a connection to xyz.com on an SSL port, typically 443. This connection is denoted with https instead of http.
Step 2: xyz.com sends its public key (the certificate) back to the customer. Once the customer receives it, his/her browser decides whether it is all right to proceed:
* The xyz.com public key must not have expired.
* The xyz.com public key must be for xyz.com only.
* The client must have Verisign's public key installed in the browser's certificate store.
Step 3: If the customer decides to trust the certificate, the customer sends xyz.com his/her public key.
Step 4: xyz.com then creates a unique hash, encrypts it using both the customer's public key and xyz.com's private key, and sends this back to the client.
Step 5: The customer's browser decrypts the hash. This shows that xyz.com sent the hash and that only the customer is able to read it.
Step 6: The customer and the website can now securely exchange information.
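The issuance steps of Part I and the three checks of Part II, Step 2, as an added example rather than the post's own material: a toy PKI built with the openssl command line, in which a made-up "Test CA" plays Verisign's role, XYZ's key pair and CSR are generated, the CA signs the CSR, and the resulting certificate is then put through the chain, host-name and expiry checks a browser performs. OpenSSL 1.1.1 or newer on PATH is assumed; every name, file and date in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a toy version of Part I and of the
# three checks the browser makes in Part II, using the openssl CLI. "Test CA"
# stands in for Verisign; names and files are made up; OpenSSL 1.1.1+ assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA's own key and self-signed root: this is what ships in browser stores.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Test CA
O = Test CA Inc
C = US
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 2>/dev/null
}

# Part I, Step 1: XYZ makes a key pair and a CSR; the private key never leaves XYZ.
make_csr() {
    cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = www.xyz.com
O = XYZ Inc
C = US
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Part I, Step 3: after validation the CA signs the CSR with its private key.
# $1 = validity in days. The names the certificate is good for are pinned here
# as subjectAltName, since "x509 -req" does not copy extensions from the CSR.
issue_cert() {
    cat > "$WORK/server.ext" <<'EOF'
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.xyz.com, DNS:xyz.com
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$1" -sha256 -extfile "$WORK/server.ext" \
        -extensions server_ext -out "$WORK/server.crt" 2>/dev/null
}

# Field accessors: the CN of the subject and of the issuer.
cert_cn()   { openssl x509 -in "$WORK/server.crt" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }
issuer_cn() { openssl x509 -in "$WORK/server.crt" -noout -issuer  -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }

# Part II, Step 2 checks. Each prints "pass" or "fail", the browser's verdict.
# Does the signature chain to a trusted CA? $1 = trusted root file, or "none"
# to rely on the system store alone, which does not contain Test CA.
chain_check() {
    if [ "$1" = none ]; then
        openssl verify "$WORK/server.crt" >/dev/null 2>&1 && echo pass || echo fail
    else
        openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo pass || echo fail
    fi
}
# Was it issued for the name the customer typed? $1 = host name.
hostname_check() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo pass || echo fail
}
# Is it within its validity period at a given moment? $1 = Unix time.
expiry_check() {
    openssl verify -CAfile "$WORK/ca.crt" -attime "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo pass || echo fail
}

make_ca; make_csr; issue_cert 90
NOW=$(date +%s)
echo "subject CN=$(cert_cn) issued by CN=$(issuer_cn)"
echo "chain, Test CA trusted:      $(chain_check "$WORK/ca.crt")"          # pass
echo "chain, Test CA not in store: $(chain_check none)"                    # fail
echo "name www.xyz.com:            $(hostname_check www.xyz.com)"          # pass
echo "name www.example.net:        $(hostname_check www.example.net)"      # fail
echo "validity today:              $(expiry_check "$NOW")"                 # pass
echo "validity in 400 days:        $(expiry_check $((NOW + 400*86400)))"   # fail
```

The three checks map onto the three bullets in Step 2: `-CAfile` supplies the root the browser would have to hold, `-verify_hostname` compares the typed name against the certificate's subjectAltName (falling back to the CN), and `-attime` evaluates the validity period at a chosen moment, which is how a 90-day certificate can be shown to fail the expiry check 400 days out without waiting.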
Almost any service on the Internet can be protected with SSL, for example WebMail, control panels, POP, IMAP, SMTP, FTP and more.
Tuesday, August 29, 2006