SOFTENG 325 Assignment 2 Research Report

Security for distributed systems

Author: So Sum Yau (sso007)

1.0 Introduction

Secure Socket Layer (SSL) is a cryptographic protocol that provides and manages the security of data message communications on the Internet. It was originally developed by Netscape. Version two of SSL was released in 1994; Version three was released in 1996 and recently succeeded by Transport Layer Security (TLS). SSL is designed to prevent attacks such as masquerade, tampering and eavesdropping. The type of hash function used by SSL includes MD5 and SHA.

2.0 How it works

Secure Socket Layer protects the Internet in three ways. The first way of protection is the SSL certificate enables encryption of sensitive information during online transactions. Each SSL certificate contains authenticated information about the certificate owner that is unique to all other certificates. The identity of the owner will be verified by a certificate authority when the certificate is issued.

2.1 Encryption

Encryption is important when the messages being sent are sensitive. That is, if the data is not protected and anyone can access the data, it is possible that these data will be stolen or modified by unauthorized users. Therefore it is essential to protect these data and avoid them from attacks.

To prevent attacks, one way is to encrypt the messages sent. An SSL certificate establishes a private communication channel enabling encryption of the data during transmission. Encryption is simply the scrambling of the data to create privacy.

A SSL certificate consists of a public key and a private key. The public key is used to encrypt data and the private key is used to decrypt it. Anything encrypted with the client’s public key can only be decrypted with the private key. For a person to enrol in a public key infrastructure, the computer generates a pair of encryption keys (public and private). The private key is never revealed; conversely the public key is distributed to anyone that connects to it. The user sends their public key to the certification authorities and the administrator approves the request and the CA generates the user’s certificate. When the certificate is installed on the client’s computer, they can participate in the secured network.

This is used frequently for encrypting email which uses the identity and security features of the certificate. The encryption information protects the communication from outsiders who are not allowed access.

2.2 Authentication

Authentication is required to prevent masquerade attacks. Otherwise, how can the client be sure that the server they are sending information to is who the client think they actually are. Authentication is like a personal identification or a passport. The SSL certificate is issued by a trusted source.

As SSL session begins with an exchange of messages called the SSL handshake which allows the server to authenticate itself to the client using public key. Some browsers display the authenticated information by showing a padlock in the browser window.

By clicking on the closed padlock the user can see the authenticated organization name. If the information does not match or the certificate has expired, the browser displays an error message or warning.

3.0 Secure Socket Layer Uses

SSL is needed when a website is handling sensitive data such as credit card numbers or personal information such as address, birth date, license or passwords. For example, SSL is needed in an online store or a website that accepts online orders and credit card payments. It is also needed if the website offers login or sign in features. SSL can be useful if you value privacy and expect others to trust you and visit your site more often.

4.0 Critical Evaluation

4.1 Benefits and Strengths

SSL is integrated in both Microsoft and Netscape browsers. SSL with 256 bit encryption can protect the data from unauthorized access. The 3.0 version of SSL have stronger resistance to Man-in-the-middle attacks and better handshake protocol. The client can verify that the issuing CA is on its list of trusted CA.

With the unique session key, SSL encrypts all information exchanged. This ensures that personal information cannot be viewed even if it is intercepted by unauthorized people and the data cannot be tampered over the Internet.

A benefit on the E-commerce side is that it increases business by giving confidence to customers visiting the company’s website. It guarantees that the customers a legal web site and that their transactions are safe. A customer connecting to a secure website is assured that the company really owns the web site.

4.2 Weaknesses and Limitations

Despite of its benefits, SSL does have some weaknesses; one might be that SSL v2 does not have any protection against Man-in-the-middle attacks. Also, SSL v2 is vulnerable to truncation of its data messages as it uses the TCP connection close to indicate the end of the data and allows a hacker to forge a TCP FIN leaving the recipient unaware of an illegitimate end of the message.

The limitations to SSL lie within the private key and trust. It is possible and has proven by hackers that the older 40 bit private keys can be “guessed” with trial and error if one has access to vast computer resources. Hackers can also do this by trying all possible private key combinations.

It all comes down to trust as some websites that are secure but do not bother and do not want to spend money to get a third party’s approval and have their keys approved by themselves. Others use third parties that are almost free and which spend very little effort in validating the company. In these situations, SSL cannot assure that the client is really talking to the intended person or could be some hacker disguising as that person or company to communicate with the client.

5.0 Conclusion

Secure Sockets Layer is a protocol that is designed to enforce the data exchanged is safe and private. As discussed, the later version of SSL does achieve this and the data is protected against attacks. This is beneficial for online company and web site that require personal information from the customers.

There were some weaknesses in SSL raised but they all lie within the older versions of SSL. The newest version has overcome most of the issues and SSL v3 provides confidence in the security in online business and network infrastructure.

6.0 References

http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html
http://luxsci.com/info/about_ssl.html
http://www.schneier.com/paper-ssl.pdf