Secure Sockets Layer (SSL)
Netscape's Secure Sockets Layer (SSL) protocol is currently the most
widely used method for performing secure transactions on the Web and is
supported by most Web servers and clients including Netscape Navigator and
Microsoft Internet Explorer.
The Secure Sockets Layer (SSL) protocol provides several features that make it
particularly suitable for use in e-commerce transactions.
Privacy is guaranteed through encryption. Although
information can still be intercepted by a third party, they will be unable
to read it because they have no access to the encryption key.
Integrity is also ensured through encryption. If
information is received that will not decrypt properly, then the recipient
knows that the information has been tampered with during transmission.
Authentication is provided through digital certificates.
Digital certificates provide the basis for secure electronic transactions
as they enable all participants in a transaction to quickly and easily
verify the identity of the other participants.
The Encryption Process
Essentially, SSL is secret-key
encryption nested within public-key encryption, authenticated through the
use of certificates.
Both secret-key and public-key encryption methods are used
because public-key encryption is relatively slow compared to
secret-key encryption. Initially, the client and server exchange public
keys, and then the client generates a private encryption key that is used
only for this transaction. This is referred to as a session key. The
client then encrypts the session key with the server's public key and
sends it to the server. Then, for the rest of the transaction, the client
and the server can use the session key for private-key encryption.
An SSL connection is initiated by the client (normally a Web browser) by
requesting a document to be sent through the HTTPS protocol as opposed to
the standard HTTP protocol.
This is done by simply prefixing the URL with "https" as opposed to
"http". For example:
http://server.domain.com/index.aspl
requests the document index.aspl be sent through the standard HTTP
protocol, whilst
https://server.domain.com/index.aspl
requests the same document be sent using the HTTPS protocol which
incorporates SSL.
Here in detail are the steps taken during an SSL transaction:
1. The client sends a request for a document to be
   transmitted using the HTTPS protocol by prefixing the URL with "https".
2. The server sends its certificate to the client.
3. The client checks if the certificate was issued by a
   Certificate Authority (CA) it trusts. If not, it gives the user the
   option to continue or to terminate the transaction.
4. The client compares the information in the
   certificate with the information it just received concerning the site:
   its domain name and its public key. If the information matches, the
   client accepts the site as authenticated.
5. The client tells the server what ciphers, or
   encryption algorithms, it can communicate with.
6. The server chooses the strongest common cipher and
   informs the client.
7. The client generates a private (or session) key using
   the agreed cipher.
8. The client then encrypts the session key using the
   server's public key and sends it to the server.
9. The server receives the encrypted session key and
   decrypts it with its private key.
10. The client and the server then use the session key
    for the rest of the transaction.
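The cipher choice and session-key exchange from the steps above, as an added Python example that is not part of the original page. Assumptions: a toy textbook-RSA server key built from two Mersenne primes with no padding, hypothetical cipher names, and a SHA-256 counter keystream standing in for the negotiated cipher; none of these are what SSL uses on the wire.

```python
import hashlib
import secrets

# Toy server key pair (assumption: textbook RSA, no padding, two known
# Mersenne primes; for illustration only, never for real traffic).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
SERVER_PUBLIC = (P * Q, E)
SERVER_PRIVATE = pow(E, -1, (P - 1) * (Q - 1))

# Hypothetical cipher names mapped to key length in bytes; longer = stronger.
SERVER_CIPHERS = {"toy-stream-128": 16, "toy-stream-256": 32}


def choose_cipher(client_offer):
    """Server picks the strongest cipher that both sides support."""
    common = [c for c in client_offer if c in SERVER_CIPHERS]
    if not common:
        raise ValueError("no common cipher")
    return max(common, key=SERVER_CIPHERS.get)


def wrap_session_key(session_key, public):
    """Client encrypts the session key with the server's public key."""
    n, e = public
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_session_key(wrapped, key_len):
    """Server recovers the session key with its private key."""
    plain = pow(wrapped, SERVER_PRIVATE, SERVER_PUBLIC[0])
    return plain.to_bytes(key_len, "big")


def stream_crypt(key, data):
    """Secret-key step: XOR with a SHA-256 counter keystream (toy cipher).
    XOR is symmetric, so the same call encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def run_transaction(client_offer, message):
    """Walk one exchange; returns (cipher, ciphertext, server's plaintext)."""
    cipher = choose_cipher(client_offer)                   # negotiation
    key_len = SERVER_CIPHERS[cipher]
    client_key = secrets.token_bytes(key_len)              # session key
    wrapped = wrap_session_key(client_key, SERVER_PUBLIC)  # sent to server
    server_key = unwrap_session_key(wrapped, key_len)      # server side
    ciphertext = stream_crypt(client_key, message)         # bulk traffic
    return cipher, ciphertext, stream_crypt(server_key, ciphertext)
```

Only the wrapped session key and the ciphertext cross the network; the slow public-key operation runs once per transaction, and everything after it uses the fast secret-key cipher.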
An alternative secure protocol is the
Secure Electronic Transaction (SET) protocol developed by Visa and
MasterCard specifically for enabling secure credit card transactions on
the Internet. Designed for cardholders, merchants, banks and other card
processors, SET uses digital certificates to ensure the identities of all
parties involved in a purchase. SET also encrypts credit and purchase
information before transmission on the Internet.