| Home: www.vipan.com | Vipan Singla | e-mail: vipan@vipan.com |
For all the server knows, it may be sending sensitive information (such as some other user's bank account balance) to the wrong user ("impersonation"). Same problem is faced by the real user.
This is the routine mode. The user has not authenticated himself to the server by entering a username and a password. Nor is the HTTP connection established through the SSL.
Additional problems include "eavesdropping" (someone can learn your credit card number) and "tampering" (someone can replace your ship-to address with his address). Such concerns are also called "the-man-in-the-middle" type concerns. All Internet data passes through so many servers on the way that any of them could be an evil server.
Use this type of communication for exchanging public data only. You should not care if someone else sees it or modifies it.
Here, the user has requested a server URL. Before supplying the requested URL, the server asks the user to enter his username and password on a form and send it to the server. The user complies. The information reaches the server where it (usually) makes a "one-way hash" of the password supplied by the user and compares the resulting value to the one-way hash of the password supplied by the user during registration. If they match, the user is authenticated and the server sends the requested URL.
The problem is that user's browser has sent the password as clear text, or, at best, encoded with base-64 encoding. The-man-in-the-middle can very easily read it, save it for future impersonations to the server or change the included data. In addition, the user still does not know if he is talking to the real server or some impersonator in the middle.
People usually use it log into their Yahoo, MSN, AOL or such accounts where they are not actually spending any money.
SSL makes sure that the user is talking to the real server, encrypts the user's data before sending it to the server (effectively wrapping the data in an (really, really secure) envelope, and decrypts server's data upon receipt. Each modern browser such as Netscape and Internet Explorer now-a-days comes with embedded Secure Socket Layer software.
With SSL, the user KNOWS that he is talking to the real server and "the-man-in-the-middle" CANNOT view or change the data being communicated over the SSL connection. If he tries to view it, he will see scrambled data. If he tries to break the code to unscramble the data, it will take him a few MILLION years to do that given the current capabilities of such hardware and software. In frustration, if he tries to change the scrambled data by replacing it with some other scrambled data, the message digest will not match. And he can't really change the message digest because it has been encrypted also!
The server still does not know that it is talking to the real user. As far as the server knows, somebody sitting on a computer entered the correct username and password and now, the server is supposed to be sending sensitive data to that computer.
The down side is that each user will have to jump through some hoops in getting a valid certificate from a well recognized authority, or one from each well-known authority (VeriSign, Thawte etc.) just in case a server is picky about the brand of certificates it trusts.
The server, being a machine, cannot really look at the user and match his photo to the one on his driver's license or passport. May be in future we will have iris scanners mounted on each computer by default and each server will have access to the iris print database to compare. Not yet!
The solution is to have the user get a (digital) certificate from a trusted issuer who certifies that:
The certificate issuer "signs" the certificate and sends the digital file to the user. The user can then send it along with his request to the server over the SSL connection (so that "the-man-in-the-middle" can't mess with it). If it is really the user who gets the certificate and if the user keeps tight control of his private key, then the server is sure for all intent and purposes that it is the real user with whom the server is communicating.
Additional Details: The browser encrypts some data known to the server with the user's private key, and sends both the encrypted data and the user's public certificate to the server. The server checks the "message digest" to make sure that the encrypted data was not tampered en-route, decrypts the data using the public key contained in the user's public certificate, and matches it against the one known to the server. Since only an authentic private key could have encrypted the data decryptable with the public key contained in the user's certificate, the server is quite sure that it is dealing with the real user.
In addition, the server is supposed to check at the certificate issuer's central location if the certificate has been revoked before it expired.
It is the user's responsibility to renew his digital certificate before it expires so that he may continue using it.
Well, you can use some encryption software (e.g. PGP) and your own personal encryption/decryption keys (symmetric or asymmetric, it doesn't matter), encrypt sensitive data (such as your Money or Quicken file or your entire hard disk, for that matter) with it, and save the encryption key at a safe location (such as save it on a floppy disk, CD-ROM or smart card, and store that media under lock and key, may be in a safe even!).
But the user's data is not protected on the server. Yes, the server may encrypt and decrypt it using the server's own keys, but that's beyond the user's control. For all the user knows, the server may keep all of user's data as an open book. You will have to just trust the server's word that the server keeps all your sensitive data encrypted, and only decrypts it for you or other authorized entities. Good luck with that!
Triple DES or 3DES cipher encrypts data with a 168-bit symmetric-key. It is generally used with SHA-1 message digest of the encrypted data to make sure that the encrypted bits received are the same as the ones sent. Triple-DES is based on using DES three times (normally in an encrypt-decrypt-encrypt sequence with three different, unrelated keys). Triple DES is the strongest cipher supported by SSL, but it is not as fast as RC4.
To verify a signature, the recipient first determines whether it trusts that the key belongs to the person it is supposed to belong to (using the web of trust or a prior knowledge), and then decrypts the signature using the public key of the person. If the signature decrypts properly and the information matches that of the message (proper message digest etc.), the signature is accepted as valid. The most widely known algorithm is RSA.
The "length" header tells how much data is in the record. The "PADDING" header specifies how many bytes of data were appended to the original record by the server to make the record length a multiple of the block cipher's block size (when a block cipher is used for encryption).
.---.
.-. |B |
|U| .--------. |R | .---------.
|S| |Plain | |O S| | HOLD |
|E|->|Text |->|W S|->| REQUEST |
|R| |Request | |S L| | |
`-' `--------' |E | `---------'
|R |
`---'
<--------Plain Text Communications-------->
.---. .---------. .---. .-----------. .---. .-----------.
|B | |Client | |S | |Server | |B | |Verify |
|R | |Hello w/ | |E | |Hello w/ | |R | |Server |
|O S| |Random | |R S| |Certificate| |O S| |Certificate|
|W S|->|Challenge|->|V S|->|& Random |->|W S|->|& Domain |
|S L| |Data | |E L| |Connection | |S L| |Name |
|E | |(Plain | |R | |ID (Plain | |E | |(Checks OK)|
|R | |Text) | | | |Text) | |R | | |
`---' `---------' `---' `-----------' `---' `-----------'
<--Asymmetric Key Encryption--->
.---. .---------. .-------. .---. .-------. .---------.
|B | |Generate | | | |S | | | |Generate |
|R | |Master | |Encrypt| |E | |Decrypt| |Symmetric|
|O S| |Secret | |w/ | |R S| |w/ | |Key Pair |
|W S|->|to be |->|Server |->|V S|->|Server |->|for Read |
|S L| |Shared | |Public | |E L| |Private| |& Write |
|E | |w/ | |Key | |R | |Key | |(Session |
|R | |Server | | | | | | | |Keys) |
`---' `---------' `-------' `---' `-------' `---------'
|
Symmetric---------- V -------------------------------Symmetric
Key .---------. .---------. .---. .-------. Key
Encryption |Generate | |Encrypt | |S | |Decrypt| Encryption
| | | |Symmetric| |Server | |E | |w/ | | | |
| | | |Key Pair | |Conn. ID | |R S| |Server | | | |
| | | |for Read |->|w/ Client|->|V S|->|Read | | | |
V V V |Write | |Write Key| |E L| |Key | V V V
|(Session | |- Client | |R | |(Checks|
|Keys) | |Finish | | | |OK) |
`---------' `---------' `---' `-------'
.---. .---------. .---. .-------.
|S | |Encrypt | |B | |Decrypt|
|E | |Client | |R | |w/ |
|R S| |Challenge| |O S| |Client |
|V S|->|Data w/ |->|W S|->|Read |
|E L| |Server | |S L| |Key |
|R | |Write | |E | |(Checks|
| | |Key | |R | |OK) |
`---' `---------' `---' `-------'
.---. .---------. .---. .-------.
|S | |Server | |B | |Decrypt|
|E | |Finish - | |R | |w/ |
|R S| |Encrypted| |O S| |Client |
|V S|->|New |->|W S|->|Read |
|E L| |Session | |S L| |Key, |
|R | |ID | |E | |use in |
| | | | |R | |session|
`---' `---------' `---' `-------'
.---. .--------. .---. .---------. .---.
|B | |ENCRYPT | |S | |Decrypt | |B | .-.
|R | |HELD | |E | |& get | |R | .-------. |U|
|O S| |USER | |R S| |resource | |O S| |Decrypt| |S|
|W S|->|REQUEST,|->|V S|->|---------|->|W S|->|& Give |->|E|
|S L| |Session | |E L| |Encrypt | |S L| |to User| |R|
|E | |ID | |R | |Response | |E | `-------' `-'
|R | `--------' | | `---------' |R |
`---' `---' `---'
.---. .---. .---------. .---.
.-. .--------. |B | .--------. |S | |Decrypt | |B | .-.
|U| |More | |R | |Encrypt | |E | |& get | |R | .-------. |U|
|S| |Plain | |O S| |User | |R S| |resource | |O S| |Decrypt| |S|
|E|->|Text |->|W S|->|Request,|->|V S|->|---------|->|W S|->|& Give |->|E|
|R| |Request | |S L| |Session | |E L| |Encrypt | |S L| |to User| |R|
`-' `--------' |E | |ID | |R | |Response | |E | `-------' `-'
|R | `--------' | | `---------' |R |
`---' `---' `---'
A Session ID identifies the pre-established browser session to a server. Think of it as a handle that both parties use to access a recorded secret key (Session Key). If both parties remember the Session ID, then the secret key is already known and need not be regenerated.
The browser must choose at least one server-authentication and session-key-exchange algorithm (such as RSA or Triple DES), one symmetric key encryption algorithm (such as RC2 or RC4), and one message integrity (hashing) algorithm (such as MD5 or SHA). For example, the browser's CIPHER-CHOICE may be:
SSL_CK_RC4_128_WITH_MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSL_CK_RC2_128_CBC_WITH_MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 SSL_CK_IDEA_128_CBC_WITH_MD5
For example, server CIPHER-KIND may be one of:
SSL_CK_RC4_128_WITH_MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSL_CK_RC2_128_CBC_WITH_MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 SSL_CK_IDEA_128_CBC_WITH_MD5 SSL_CK_DES_64_CBC_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5
The server then sends back the picked cipher, some randomly generated data of its own (call it "connection ID"), server's digital certificate, and the server's SSL version number as plain text.
A Nonce is a randomly generated value used to defeat "playback" attacks. One party (usually server) randomly generates a nonce ("connection ID) and sends it to the other party. The receiver encrypts it using the agreed upon secret key and returns it to the sender. Because the nonce was randomly generated by the sender this defeats playback attacks because the replayer can't know in advance the nonce the sender will generate. The receiver denies connections that do not have the correctly encrypted nonce.
If the browser reaches this far, the server's certificate is authentic and still valid. So, the server's certificate (not the server itself) can be trusted.
(If the user is warned, an encrypted and authenticated connection cannot be established with the requested server. The user decides whether to continue or not.)
This "master secret" will be used by both the browser and the server as a seed to create the same "symmetric" keys so that communications can be encrypted at both ends. Remember, any data the server encrypts with its private key can be decrypted by anyone using the server's public key, by definition. So, the server needs an encryption key that only the browser can "decrypt". SSL uses "symmetric" keys for this key exchange because they are much faster (128 to 168 bit long) than using "asymmetric" keys (1024 to 2048 bit long).
Each session uses a different session key, so even the theft of one key (however remote) does not result in multiple session eavesdropping or tampering.
Actually, in SSL, there are four keys that are called session keys: CLIENT-READ-KEY, CLIENT-WRITE-KEY, SERVER-READ-KEY, and SERVER-WRITE-KEY. These are all generated from the "master secret".
The browser is now done with the "handshake" protocol, and has started the actual SSL session.
The server decrypts the connection ID with its session key (which is an exact copy of the browser's session key) and compares it with the connection ID it originally sent. If they match, the client has the correct session key.
The server is now also done with the "handshake" protocol, and has started the actual SSL session.
The browser decrypts the "challenge" data with its session key (which is an exact copy of the server's session key) and compares it with the "challenge" data it originally sent. If they match, the server has the correct session key.
From this point on, if message encryption is active (the default state), SSL encrypts and decrypts the byte stream of the application protocol being used (HTTP etc.) before passing it on to the underlying TCP/IP protocol. This means that all the information in both the HTTP request and the HTTP response is fully encrypted, including the URL the client is requesting, any submitted form contents, any HTTP access authorization information, and all the data returned from the server to the client.
The browser and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its integrity.
uid=doe,e=doe@netscape.com,cn=John Doe,o=Netscape Communications Corp.,c=US.
Certificate:
Data:
Version: v3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US
Validity:
Not Before: Fri Oct 17 18:36:25 1997
Not After: Sun Oct 17 18:36:25 1999
Subject: CN=Jane Doe, OU=Finance, O=Ace Industry, C=US
Subject Public Key Info:
Algorithm: PKCS #1 RSA Encryption
Public Key:
Modulus:
00:ca:fa:79:98:8f:19:f8:d7:de:e4:49:80:48:e6:2a:2a:86:
ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22:
43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00:
98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9:
73:49:38:76:ef:b6:8f:ac:49:bb:63:0f:9b:ff:16:2a:e3:0e:
9d:3b:af:ce:9a:3e:48:65:de:96:61:d5:0a:11:2a:a2:80:b0:
7d:d8:99:cb:0c:99:34:c9:ab:25:06:a8:31:ad:8c:4b:aa:54:
91:f4:15
Public Exponent: 65537 (0x10001)
Extensions:
Identifier: Certificate Type
Critical: no
Certified Usage: SSL Client
Identifier: Authority Key Identifier
Critical: no
Key Identifier:
f2:f2:06:59:90:18:47:51:f5:89:33:5a:31:7a:e6:5c:fb:36:
26:c9
Signature:
Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
6d:23:af:f3:d3:b6:7a:df:90:df:cd:7e:18:6c:01:69:8e:54:65:fc:06:
30:43:34:d1:63:1f:06:7d:c3:40:a8:2a:82:c1:a4:83:2a:fb:2e:8f:fb:
f0:6d:ff:75:a3:78:f7:52:47:46:62:97:1d:d9:c6:11:0a:02:a2:e0:cc:
2a:75:6c:8b:b6:9b:87:00:7d:7c:84:76:79:ba:f8:b4:d2:62:58:c3:c5:
b6:c1:43:ac:63:44:42:fd:af:c8:0f:2f:38:85:6d:d6:59:e8:41:42:a5:
4a:e5:26:38:ff:32:78:a1:38:f1:ed:dc:0d:31:d1:b0:6d:67:e9:46:a8:
dd:c4
-----BEGIN CERTIFICATE----- MIICKzCCAZSgAwIBAgIBAzANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJVUzERMA8GA1UEChMITmV0 c2NhcGUxFTATBgNVBAsTDFN1cHJpeWEncyBDQTAeFw05NzEwMTgwMTM2MjVaFw05OTEwMTgwMTM2MjVa MEgxCzAJBgNVBAYTAlVTMREwDwYDVQQKEwhOZXRzY2FwZTENMAsGA1UECxMEUHViczEXMBUGA1UEAxMO U3Vwcml5YSBTaGV0dHkwgZ8wDQYJKoZIhvcNAQEFBQADgY0AMIGJAoGBAMr6eZiPGfjX3uRJgEjmKiqG 7SdATYazBcABu1AVyd7chRkiQ31FbXFOGD3wNktbf6hRo6EAmM5/R1AskzZ8AW7LiQZBcrXpc0k4du+2 Q6xJu2MPm/8WKuMOnTuvzpo+SGXelmHVChEqooCwfdiZywyZNMmrJgaoMa2MS6pUkfQVAgMBAAGjNjA0 MBEGCWCGSAGG+EIBAQQEAwIAgDAfBgNVHSMEGDAWgBTy8gZZkBhHUfWJM1oxeuZc+zYmyTANBgkqhkiG 9w0BAQQFAAOBgQBtI6/z07Z635DfzX4XbAFpjlRl/AYwQzTSYx8GfcNAqCqCwaSDKvsuj/vwbf91o3j3 UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC/a/IDy84hW3WWehBUqVK5SY4 /zJ4oTjx7dwNMdGwbWfpRqjd1A== -----END CERTIFICATE-----
The upcoming Smart cards promise to solve this problem. Your smart card generates and stores your key-pair on a chip (Integrated Circuit or IC) which also has encryption/decryption instructions on it. The key-pair is never sent to or stored on the computer. You insert the smart card into a device which itself is connected to the computer through a cable. When you want to decrypt some data, your computer passes the scrambled data through the smart card's chip by sending it over the cable. The smart card's chip asks you for your PIN (pass phrase). You enter the correct PIN. (If you enter it incorrectly a few times, smart cards and tokens are disabled automatically.) The chip decrypts the data and sends it back over the cable to the computer.
This way you can carry your smart card around like a credit card and use it on any compliant computer/device, ATM etc.
ActivCard, Bull Computers, Chrysalis-ITS, SafeNet, Fischer International, Gemplus, Litronic, Schlumberger, Security Dynamics, and VASCO Data Security provide smart cards, smart keys, PCMCIA cards, and hardware tokens to users.