SECURE SOCKET LAYER (SSL) Developed by Netscape communication Allows both client and server computers to manage encryption

n and decryption activities between each other during a secure web session SSL secures connections between two computers Encryption of outgoing messages and decryption of incoming messages happens automatically and transparently with SSL

SSL PROTOCOL: Provides a security handshake in which client and server computers exchange a brief burst messages Each computer identifies other and after that SSL encrypts and decrypts information flowing between the two computers. This means that the HTTP request and HTTP response is encrypted Encrypted information includes the URL the client is requesting, any forms containing information the user has completed and HTTP access authorization data such as username and password SSL can secure FTP sessions enabling private downloading and uploading of sensitive documents. SSL can secure TELNET sessions in which remote computers users can log on to corporate host machines and send their passwords and usernames Protocol that SSL implements is HTTPs Secure Socket allows the length of private session key generated by every encrypted transaction to be of variety of bit lengths (40,56,128 and 168) A session key is a key used by encryption algorithm to create cipher text from palin text during a single secure session Longer the key, the more resistant the encryption is to attack A web browser that has entered into the SSL session indicates that it is in an encrypted session Once the session is ended the session key is discarded permanently and not reused for subsequent secure sessions

HOW SSL WORKS? 1. SSL has to authenticate the e-commerce site and encrypt any transmission between two computers 2. When a client browser sends a request to a servers secure Web site, the server sends a hello request to the bowser(client) 3. Browser responds with a client hello
4. The exchange of these greetings or handshake allows the two computers

determine the compression and encryption standards that they both support 5. The browser asks the server for a digital certificate- proof of identity 6. Server sends to the browser a certificate signed by a recognized certification authority
7. Browser checks the serial no: and certificate fingerprint against the public key

of the Certificate authority stored within the browser

8. Once the certificate authoritys public key is verified the endorsement is

verified and authenticates the web server To implement secrecy, SSL uses public key encryption and private key encryption SSL uses private key encryption for its secure communication o Browser encrypts private key using servers public key o Servers public key is stored in the digital certificate that the server sent to the browser during authentication step o Once the key is encrypted the browser sends it to the server o The server decrypts the message with its private key and exposes the shared private key o All messages sent between the client and server are encrypted with the shared private key called session key o When session ends the session key is discarded

ESTABLISHING AN SSL SESSION

CLIENT SENDS HELLO MESSAGE SEND ENCRYPTION ALGORITHMS AND KEY LENGTH SERVER RESPONDS WITH HELLO MESSAGE

CLIENT SENDS RESPONDS

SEND SERVER CERTIFICATE CONTAINING SERVERS PUBLIC KEY

SEND CLIENT CERTIFICATE AND ENCRYPTED PRIVATE SESSION KEY

SERVER RECIEVES CLIENT RESPONSE AND INITIATES SESSION

SESSION

SEND DATA BETWEEN CLIENT AND SERVER USING PRIVATE , SHARED KEY

SESSION