SSL (Secure Socket Layer) is a network security protocol responsible for protecting data or messages in transit for application-layer protocols such as HTTP, LDAP, SMTP, IMAP or POP3; in practice it provides a reliable, end-to-end, encrypted and authenticated connection between the client and the server over the open Internet.
Under this system the credit card number is encrypted before it is sent out over the Internet to keep it safe. Only the intended recipient can decode it, a piece of magic that is performed by using what are known as digital certificates.
First, any company wanting to use SSL must apply for a certificate from what is known as a Certificate Authority, or CA. This certificate, which is actually a piece of software, is then installed on the company website to create a secure area. Depending entirely on where the website is hosted, this might involve extra costs, as some ISPs could charge an administration fee if the website is on their computer. With or without that, the site is now open for business.
When potential customers then visit this site, their browser will automatically know it is secure, because that information is sent to them alongside everything else that makes up a web page. This is also displayed to the user as a small icon on the browser itself. Netscape Navigator shows a stylized picture of a key: a broken key means the site is insecure, while a whole key means a secure site. In Microsoft Internet Explorer the picture is of an open or closed padlock. Should a visitor then want to buy from that site, their own digital certificate, which they must also apply for, encrypts their credit card details before sending them out over the Internet.
There is slightly more to it than that, as the buyer’s digital certificate also carries extra information to confirm the identity of the buyer concerned. This can then be checked at the receiving end, i.e. by the seller. If the identity stated on the digital certificate does not match that on the credit card, the card is most likely being used fraudulently and the transaction can be prevented. Although this seems to protect only the seller, the buyer is safeguarded too: firstly because digital certificates are only issued to legitimately registered companies, and secondly because they can be revoked from any company should a doubt exist as to its trading standards.
On the face of it, then, SSL would appear to be the answer the whole Internet commerce industry has been looking for, except that it has one glaring weakness. The merchant server, that is, the computer hosting the selling company’s website, must store both the credit card numbers and the identities of the people who own them. Should security there ever be compromised, the consequences could be catastrophic; in which case, why would anyone want to take the risk with their credit card? It was to answer such worries that a different system, known as Secure Electronic Transaction or SET, was created.
The Secure Socket Layer, developed by Netscape, is a common protocol for providing secure transmission of messages on the Internet. It operates at the program level between the HTTP and TCP layers. It is being replaced by the Transport Layer Security (TLS) protocol, which ensures that a third party cannot monitor communications between the two endpoints.
Most HTTP servers, such as Apache and IIS, are capable of supporting an SSL session. Likewise, most web browsers, including Internet Explorer, Mozilla, Firefox, Maxthon, Chrome and Opera, are equipped with an SSL-enabled software component at the client end. The SSL protocol uses standard key cryptographic methods such as public key encryption to authenticate the client and the server through certificate examination. An SSL session is initiated by a web browser that contacts a secure web server, usually on TCP port 443 using the HTTPS protocol.
Objectives of Secure Socket Layer
The key objectives of SSL are as follows:
1. The SSL protocol makes use of standard key cryptographic techniques, mainly public key encryption, to authenticate the participants at the client and server ends of a communication session. Generally the server is authenticated by examination of its digital certificate. Authentication at the client end can also use a similar mechanism offered via the SSL protocol.
2. The SSL protocol ensures data integrity through encryption during a communication session, so that data cannot be tampered with in transit by misusing attack vectors or other techniques.
3. The SSL protocol ensures data privacy during transit in a communication session, so that it is protected from interception and is reachable and readable only by the intended recipient.
The key objectives of SSL are served by its stack-based architecture, which comprises a set of protocols within SSL, each with different responsibilities.
Architecture of Secure Socket Layer
Architecturally, the SSL protocol is designed as a suite of protocols over TCP/IP. The design of the SSL protocol is often described as the “SSL Protocol Stack”.
The first layer of the SSL Protocol Stack over TCP/IP is known as the SSL Record Protocol. The SSL Record Protocol is responsible for ensuring data security through encryption, and for data integrity. It also handles checking the data and encapsulating it with appropriate headers for secure transmission over TCP.
The second layer of the SSL Protocol Stack sits above the SSL Record Protocol and is responsible for establishing a secured connection with an application protocol like HTTP. The protocols at this second, top layer of the SSL protocol stack are the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol and the SSL Alert Protocol.
These three protocols at the top layer of the SSL protocol stack provide session management, cryptographic parameter management and secure transfer of SSL messages between the client and the server.
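As an added example (not code from the original article), the following Python parses the record-layer framing described above and labels each record with the upper-layer protocol it carries (handshake, change cipher spec, alert or application data); the byte strings are constructed for illustration, not a real capture.

```python
import struct

# Record-layer content types: each names one of the upper-layer protocols in the text.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}


def parse_records(stream: bytes) -> list:
    """Split a byte stream into SSL/TLS records and label each with the protocol it carries.
    Every record starts with a 5-byte header: content type (1), version (2), body length (2).
    After a change_cipher_spec, record bodies are encrypted, so only the header is decoded."""
    records, offset, encrypted = [], 0, False
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError(f"record at offset {offset} declares {length} bytes, only {len(body)} present")
        rec = {"protocol": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
               "length": length, "encrypted": encrypted}
        if not encrypted and ctype == 22 and body:
            rec["message"] = HANDSHAKE_TYPES.get(body[0], f"unknown({body[0]})")  # first body byte = handshake type
        elif not encrypted and ctype == 21 and len(body) >= 2:
            rec["level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
        if ctype == 20:
            encrypted = True  # everything after ChangeCipherSpec is protected by the negotiated cipher
        records.append(rec)
        offset += 5 + length
    return records


# Constructed sample stream (not a real capture): a ClientHello, then ChangeCipherSpec,
# then an application_data record whose body is opaque because it is now encrypted.
SAMPLE_STREAM = (
    b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"   # handshake record carrying a ClientHello header
    + b"\x14\x03\x03\x00\x01" + b"\x01"             # change_cipher_spec
    + b"\x17\x03\x03\x00\x03" + b"\x9a\x1f\x07"     # application_data (constructed ciphertext bytes)
)
# Constructed fatal alert, as a server would send when no cipher parameters can be agreed.
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM) + parse_records(SAMPLE_ALERT):
        print(rec)
```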