Secure Sockets Layer has become the de facto standard for secure communications between end users and Internet sites, and today, SSL support is built into virtually every browser.
SSL is a protocol layer that includes two subprotocols - the SSL handshake protocol and the SSL record protocol. Both provide authenticated, confidential and tamper-resistant connections to applications, particularly HTTP. SSL's small footprint fits neatly into the Internet's processing stack, and above TCP/IP and below the application layer without significantly affecting the other protocol layers. This small footprint also allows it to be used with other Internet applications, such as intranet and extranet access, application security, wireless applications and Web services.
SSL enables secure data communications over the Internet by encrypting data leaving the browser and decrypting it after it is secure in the data center. Likewise, transmissions back to the client are encrypted before they are sent over the Internet.
At a high level, SSL sessions consist of two parts: the connection and the application session. During the connection, the client and server exchange credentials and negotiate the security parameters. If the client accepts the server's credentials, a master secret is established and used to encrypt all subsequent communications.
During the application session, the client and server securely pass information between each other, such as credit card numbers, stock trading data, personal medical data and other types of sensitive or confidential data.
SSL provides three key components for security:
- Authentication - the ability to verify the server or both the server and client at each end of the connection.
- Confidentiality - the ability to encrypt traffic, so only the two parties exchanging the information can access and understand it.
- Integrity - the capacity to prevent message contents from being modified without detection. Receivers can be sure they have received unaltered information.
A key piece of the secure communication process is authenicating the two parties.The SSL handshake subprotocol handles this function. A series of messages between the server and client facilitate these actions:
- Authenticate the server to the client.
- Let the client and server select the cryptographic algorithms and level of security they want.
- Optionally authenticate the client to the server.
- Use public-key cryptography to generate shared secrets that will be used later to transmit the actual confidential data.
- Establish the SSL connection.
The SSL record subprotocol is responsible for the encrypted data transfer. Here are the actions taken to facilitate this:
- The data is broken up into small, usable chunks called fragments.
- The data is protected from alteration via an integrity "wrapper."
- The data is encrypted, and the wrapper is appended.
Historically, many of the original applications that used SSL, such as e-commerce, did not perform client authentication. This was done outside the SSL protocol via some out of band information such as a name/credit card number combination or some other client-provided data, such as a password.
However, corporations now are adopting SSL as a protocol for new applications in the data center. For applications such as SSL-based VPNs or those that require additional verification of end users, client authentication is becoming a requirement.
Client authentication lets a server confirm a user's identity within the protocol using the same techniques that allowed the client to authenticate the server. While the detailed message-flows for this type of authentication are significantly different, the process is the same conceptually as for server authentication.
This process also takes place within the SSL handshake subprotocol. In this case, the client must present a valid credential (a certificate from a trusted certificate authority) to the server. The server uses this information to validate the end user with standard techniques using public-key cryptography.
SSL's pervasiveness is because of its flexibility and robustness. Expect to see SSL's usage continue to increase dramatically as it becomes a key protocol for enterprise applications, wireless access devices, Web services and secure access management.