Friday, February 20, 2009

SSL-TLS

SSL Version 3, documented in an IETF draft, provides one of the most commonly available security mechanisms on the Internet. SSL stands for Secure Sockets Layer, though the IETF has renamed it TLS (Transport Layer Security). TLS is documented in RFC 2246 and identifies itself in the protocol version field as SSL 3.1.
Developed by Netscape, SSL is used extensively by web browsers to provide secure connections for transferring credit card numbers and other sensitive data. An SSL-protected HTTP transfer uses port 443 (instead of HTTP's normal port 80) and is identified by a special URL method, https. Thus, https://www.verisign.com/ would cause an SSL-enabled browser to open a secure SSL session to port 443 at www.verisign.com.

SSL, like most modern security protocols, is based on cryptography. When an SSL session is established, the server begins by announcing a public key to the client. No encryption is in use initially, so both parties (and any eavesdropper) can read this key, but the client can now transmit information to the server in a way that no one else could decode. The client generates 46 bytes of random data, forms them into a single very large number according to PKCS#1, encrypts them with the server's public key, and sends the result to the server. Only the server, with its private key, can decode the information to determine the 46 original bytes. This shared secret is now used to generate a set of conventional RC4 cipher keys to encrypt the rest of the session.
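
The key exchange described above, as an added Python example that is not part of the original post. The RSA key is a constructed, deliberately weak demo key, all function names are hypothetical, and the two version bytes placed in front of the 46 random bytes follow the PreMasterSecret layout in RFC 2246.

```python
import os
from math import gcd

# Constructed demo key, NOT secure: both primes are well-known Mersenne primes,
# so the modulus is trivially factorable. It only has to fit a 48-byte message.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                          # server's public modulus (announced in the clear)
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                # server's private exponent (never leaves the server)
K = (N.bit_length() + 7) // 8      # modulus length in bytes


def pkcs1_pad(msg):
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero random padding> 00 <msg>."""
    pad_len = K - 3 - len(msg)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    # Map each random byte into 1..255 so the padding never contains a zero.
    padding = bytes(b % 255 + 1 for b in os.urandom(pad_len))
    return b"\x00\x02" + padding + b"\x00" + msg


def pkcs1_unpad(block):
    """Strip the padding; the first zero byte after 00 02 ends it."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 block")
    sep = block.index(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding shorter than 8 bytes")
    return block[sep + 1:]


def client_key_exchange(n, e):
    """Client side: return (pre_master_secret, ciphertext sent to the server)."""
    pre_master = b"\x03\x01" + os.urandom(46)          # version 3.1 + 46 random bytes
    m = int.from_bytes(pkcs1_pad(pre_master), "big")   # the "single very large number"
    return pre_master, pow(m, e, n).to_bytes(K, "big")


def server_recover(ciphertext):
    """Server side: only the holder of D can undo the encryption."""
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return pkcs1_unpad(m.to_bytes(K, "big"))
```

Because the padding is random, encrypting the same secret twice yields different ciphertexts, so an eavesdropper who sees only N, E and the ciphertext cannot confirm a guess by re-encrypting it.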