Saturday, May 27, 2006

SSL and S-HTTP

What is SSL?
SSL, short for Secure Sockets Layer, is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private (secret) key known only to the recipient of the message.
It is a low-level encryption scheme used to encrypt transactions in higher-level protocols. It can work with multiple higher-level protocols such as HTTP, NNTP and FTP. The SSL protocol includes provisions for server authentication (verifying the server's identity to the client), encryption of data in transit, and optional client authentication (verifying the client's identity to the server).

What is S-HTTP?
S-HTTP (Secure HTTP) is the scheme proposed by CommerceNet, a coalition of businesses interested in developing the Internet for commercial uses. It is a higher level protocol that only works with the HTTP protocol, but is potentially more extensible than SSL.

What is the difference between them?
  • SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely.
  • S-HTTP is designed to transmit individual messages securely.
So, are S-HTTP and HTTPS similar?
Nope. "https" is normal "http" over SSL. By convention, URLs that require an SSL connection start with https: instead of http:. S-HTTP is a separate protocol, as discussed earlier.

What is SSL used for?
SSL is the de facto standard for e-commerce transaction security and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.

You talked about SSL encryption. What are the key lengths of the certificates?
SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been broken. As such, you definitely should be looking at getting a 128-bit certificate.

So how does it (SSL) work?

Phew! You asked for it. Here goes:
  1. A browser requests a secure page (usually https://).
  2. The web server sends its public key, with its certificate, to the browser.
  3. The browser checks the certificate was issued by a trusted party (a trusted CA such as Thawte), that the certificate is still valid and that the certificate is related to the site contacted.
  4. The browser then generates a session encryption key, encrypts it with the server's public key, and sends it to the server along with the requested URL, also encrypted.
  5. The web server decrypts the encryption key using its private key, and then uses the key to decrypt the browser's request.
  6. The web server sends back the requested data, encrypted with the key.
  7. The browser then decrypts the data sent using the key, and displays the information.
  8. The encryption using a private key/public key pair ensures that data encrypted by one key can only be decrypted by the other key.
  9. The keys are similar in nature and each is based on prime numbers.
  10. Their length in terms of bits ensures the difficulty in decrypting the messages.
  11. It is necessary to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. This ensures that anybody can send you an encrypted message that only you will be able to decrypt, since you are the only one holding the other key of the pair.
  12. In the opposite situation, others can certify that a message is only coming from you, because you have encrypted it with your private key, and only the associated public key will decrypt it correctly.
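As an added illustration of the twelve steps above (example code, not from the original post), the following Python simulates the exchange end to end: the CA signs a toy "certificate" for the server's public key, the browser checks it against the hostname it contacted, wraps a fresh session key under the server's public key, and both sides then talk under that key. Textbook RSA over small Mersenne primes, the hostname and the HMAC keystream standing in for SSL's record cipher are all constructed toy choices; a real SSL stack uses padded RSA (or another key exchange), certificate chains with expiry dates, and a proper cipher suite.

```python
import hashlib
import hmac
import os
# Constructed toy parameters (Mersenne primes), far too small for real use.
CA_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
SERVER_PRIMES = ((1 << 89) - 1, (1 << 127) - 1)

def make_keypair(p, q, e=65537):
    """Steps 9-11: textbook RSA pair from two primes; returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_apply(key, m):
    n, exp = key
    return pow(m, exp, n)  # m must be below n; the 128-bit values used here always are

def short_digest(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")  # 128-bit

def sign(private_key, data):
    """Step 12: only the private key can produce this; any public-key holder checks it."""
    return rsa_apply(private_key, short_digest(data))

def verify(public_key, data, signature):
    return rsa_apply(public_key, signature) == short_digest(data)

def issue_certificate(ca_private, server_public, hostname):
    """Step 2: a toy 'certificate' binding the server key to a hostname, signed by the CA."""
    body = f"{hostname}|{server_public[0]}|{server_public[1]}".encode()
    return body, sign(ca_private, body)

def stream_xor(session_key, data):
    """Stand-in for the record cipher: XOR with an HMAC-SHA256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(session_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def browser_session(ca_public, cert, hostname, server_private, url, page):
    """Steps 3-7; returns (url as decrypted by the server, page as decrypted by the browser)."""
    body, sig = cert
    cert_host, n, e = body.decode().split("|")
    # Step 3: refuse unless the CA signed the certificate and it names the site contacted.
    if not verify(ca_public, body, sig) or cert_host != hostname:
        raise ValueError("certificate check failed")
    session_key = os.urandom(16)  # Step 4: fresh 128-bit session key, wrapped under the server key
    wrapped = rsa_apply((int(n), int(e)), int.from_bytes(session_key, "big"))
    server_key = rsa_apply(server_private, wrapped).to_bytes(16, "big")  # Step 5: private key unwraps it
    request = stream_xor(server_key, stream_xor(session_key, url))
    # Steps 6-7: the reply travels back under the same session key.
    return request, stream_xor(session_key, stream_xor(server_key, page))
```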

You talked so much about SSL but so little about S-HTTP?
Author's prerogative :p
