What is SSL (Secure Socket Layer) at all?
This article is intended to be written in a simple way so that it will be understood by the majority of computer and network power users (not developers or designers).
What is SSL at all? This was one of the questions I was asked most frequently during the past 2 days, following my blog entries on the following topics:
- SSL security issue caused by the Iranian government: In depth look!
- SSL security issue caused by the Iranian government: Answers to your Questions!
Well, I must confess that this is a very difficult question to answer for those who are not specialised in the area of Computer Science and Networking.
Basically, as the internet became popular and the commercial industry started taking advantage of it, the need to secure data transport was felt more than ever before. Imagine you are trying to buy something from the internet, say from Amazon®. When you want to pay for the goods using your credit or debit card, you want to make sure that the following happens:
- Your money goes to Amazon
- The details of your credit/debit cards are safely transferred to the Amazon server
- Your details can only be retrieved and used by Amazon
- The details of the purchase remain as they are. (The quantity doesn’t change, for instance)
- No one else in the middle of the line (between you and the Amazon server) is going to be able to read your data, and maybe use it later for unauthorised purchases off the internet.
In order to achieve these goals, the need for a security system was understood. The experts later realised that the issue is not limited merely to the transaction. For instance, when you want to write an email which contains classified information to your colleague, you want to make sure that:
- The email goes to your colleague.
- The email goes ONLY to your colleague.
- The credentials (username and password) of your email are not disclosed.
- Your other emails are not disclosed.
For this reason, it was decided to define a general-purpose protocol which is placed (figure 2) between the Application Layer (layer number 7), which is mostly known as the layer that handles HTTP, and the Transport layer (layer number 5), which is the one handling the transport and is mostly known by the name TCP, in the OSI (Open System Interconnection) model, as shown in figure 1.
The reason why this layer is called “Transport Layer Security” is that, from the layer above it (the Application Layer), it looks just like a normal transport layer, except that it is a secured transmitting system. That means the sender may open a connection and deliver data for transmission, and the Secure Transport Layer makes sure that the data is transferred securely. So, basically, by running this protocol on top of TCP (the transmitting protocol), it is assured that all the TCP features are provided to the application just as well.
So there should be a difference between a secured and an unsecured transmission. Of course there is one, out of the user's sight, but there must be a way for people to recognise whether they are in a secured or an unsecured area. To meet this requirement, it was decided to slightly change the name of the protocol when it becomes secured: a letter “S”, representing “Secure”, is added to the name of a secured protocol. So, the HTTP protocol becomes HTTPS when secured, the FTP protocol becomes FTPS when secured, and so on and so forth.
[Figure: Secure Transport Layer inserted between layers. Application Layer (HTTP, FTP) / Secure Transport Layer]
For the sake of convenience, special ports are assigned to the secured protocols as well. So, HTTP protocol port is 80 whereas HTTPS is 443, FTP port number is 21 whereas FTPS is 989, and so forth.
There are various cryptographic algorithms that may be used for various operations. However, you cannot assume that the other side of the communication always implements all these algorithms. In which case, the two systems (both the sender and the receiver) must keep negotiating until they find something that they both agree on. The encryption may also be changed in the middle of a connection if it is required, for instance when: “you had a very important data that warranted more computationally expensive encryption” – [Larry L. Peterson et al. – Computer Networks, 3rd Edition: Morgan Kaufmann Publishers]
That is why Transport Layer Security breaks into two parts:
- A HANDSHAKE protocol which negotiates
- A RECORD protocol used for the data transfer
Now this is where the interesting things happen:
In making a purchase using your bank card, you need to know that you are talking to the real server (Amazon in our example above). But you do not necessarily need to be authenticated yourself. In which case, the server shall provide you with a certificate, or sometimes several certificates, if required. Thereby, it provides you with a reliable copy of its public key. The server is therefore able to authenticate subsequent messages using the private key. You are now able to encrypt messages with the public key provided by the server. One of the things done with this key is that a premaster secret key gets sent to the server.
Now the RECORD protocol defines several formats and procedures. Under it, messages are:
- Fragmented and coalesced into blocks of required (defined) sizes.
- Optionally compressed
- Integrity protected using a hash
- Passed to the next layer
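The record steps listed above, as an added example that is not part of the original article: a simplified Python sketch that fragments a message, optionally compresses it, and protects each block with a keyed hash (HMAC) so that a change made in the middle of the line is detected. The block size, key, record layout and sample order are constructed for illustration; the real SSL/TLS record format differs and also encrypts the data.

```python
import hashlib
import hmac
import struct
import zlib

BLOCK_SIZE = 16                          # constructed: tiny, so the sample splits into several records
MAC_LEN = hashlib.sha256().digest_size   # 32-byte integrity tag

def _tag(mac_key, seq, flag, body):
    # The tag covers the record's position, so reordered or replayed records fail too.
    return hmac.new(mac_key, struct.pack(">Q", seq) + flag + body, hashlib.sha256).digest()

def protect(data, mac_key, compress=False):
    """Sender side: fragment, optionally compress, add an integrity tag."""
    records = []
    for seq, start in enumerate(range(0, len(data), BLOCK_SIZE)):
        body = data[start:start + BLOCK_SIZE]
        flag = b"\x01" if compress else b"\x00"
        if compress:
            body = zlib.compress(body)
        records.append(flag + body + _tag(mac_key, seq, flag, body))
    return records

def unprotect(records, mac_key):
    """Receiver side: verify every tag, decompress, coalesce. Raises ValueError on tampering."""
    out = bytearray()
    for seq, rec in enumerate(records):
        if len(rec) < 1 + MAC_LEN:
            raise ValueError(f"record {seq}: too short")
        flag, body, tag = rec[:1], rec[1:-MAC_LEN], rec[-MAC_LEN:]
        # Constant-time comparison; the check happens before the body is used at all.
        if not hmac.compare_digest(tag, _tag(mac_key, seq, flag, body)):
            raise ValueError(f"record {seq}: integrity check failed")
        out += zlib.decompress(body) if flag == b"\x01" else body
    return bytes(out)

def demo():
    key = b"constructed-demo-key"   # assumption: in real TLS the key comes out of the handshake
    order = b"item=book;quantity=1;card=4111-constructed"   # constructed sample
    records = protect(order, key, compress=True)
    assert unprotect(records, key) == order
    # Someone in the middle flips one bit in the second record.
    tampered = list(records)
    tampered[1] = tampered[1][:5] + bytes([tampered[1][5] ^ 0x01]) + tampered[1][6:]
    try:
        unprotect(tampered, key)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print("tampering detected:", demo())
```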
Just to be clear, the handshake protocol is where the Iranian government has interfered, by using the invalid certificate and providing the clients with an invalid public key.
Well, this was a very brief explanation of how SSL (TLS) works, in very simple language.
Hope you have enjoyed it.
Thank you for spending your time on my blog.