Why SSL, and how does it work?
What is it used for?
SSL = Secure Sockets Layer
It is a system that allows two computers to exchange information securely. It ensures 3 things:
- Confidentiality and Integrity: It is impossible to spy on or tamper with the information exchanged.
- Authentication: It makes it possible to verify the identity of the program, the person or the company with which one communicates.
It is a complement to TCP/IP and can (potentially) secure any protocol or program that uses TCP/IP.
It was created and developed by the company Netscape and RSA Security. There are now open-source versions and a similar free protocol: TLS (see below).
Why use it rather than another system?
Why use it?
- SSL is standardized
- It exists in a free version: OpenSSL (http://www.openssl.org), which you can use in your programs without paying royalties.
- OpenSSL is open source: everyone can inspect and verify the source code (the secret lies in the encryption keys, not in the algorithm itself).
- It has been cryptanalyzed: this system has been analyzed more than any of its competitors. It has been reviewed by many cryptographic specialists. We can therefore consider it safe.
How does it work?
- SSL Handshake protocol: Before communicating, the two SSL programs negotiate common keys and encryption protocols.
- SSL Record protocol: Once negotiated, they encrypt all information exchanged and perform various checks.
1. The negotiation (“handshake”)
At the beginning of the communication, the client and the server exchange:
- the SSL version they want to work with,
- the list of encryption methods (symmetric and asymmetric) and signature methods that each one knows (with key lengths),
- the compression methods each one knows,
- random numbers.
The client and the server try to use the strongest encryption protocol and step down until they find a protocol common to both. Once this is done, they can start exchanging data.
2. Communication (“record”)
With SSL, the sender of the data:
- Cuts the data into packets,
- Compresses the data,
- Cryptographically signs the data,
- Numbers the data,
- Sends them.
Whoever receives the data:
- Decrypts the data,
- Checks the signature of the data,
- Decompresses the data,
- Reassembles the data packets.
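The sender and receiver steps listed above, as an added Python example that is not from the original page and is not SSL's actual wire format. It assumes a MAC key already agreed during the handshake, uses HMAC-SHA256 as the "signature", sends the packet number explicitly, and leaves encryption out because the Python standard library has no cipher; all names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 16  # tiny on purpose so the sample splits into several packets
TAG_LEN = 32       # size of an HMAC-SHA256 tag
SEQ = struct.Struct(">Q")  # 64-bit packet number

# Constructed sample values (assumptions, not taken from the page).
SAMPLE_KEY = b"k" * 32
SAMPLE_MESSAGE = b"GET /account HTTP/1.0\r\nHost: example.test\r\n\r\n"


def _tag(key: bytes, header: bytes, body: bytes) -> bytes:
    # The tag covers the packet number as well as the compressed data.
    return hmac.new(key, header + body, hashlib.sha256).digest()


def seal(data: bytes, key: bytes) -> list[bytes]:
    """Sender: cut into packets, compress, sign and number each one."""
    records = []
    for seq, start in enumerate(range(0, len(data), MAX_FRAGMENT)):
        body = zlib.compress(data[start:start + MAX_FRAGMENT])
        header = SEQ.pack(seq)
        records.append(header + body + _tag(key, header, body))
    return records


def open_records(records: list[bytes], key: bytes) -> bytes:
    """Receiver: check signature and number, decompress, reassemble."""
    out = bytearray()
    for expected, record in enumerate(records):
        if len(record) < SEQ.size + TAG_LEN:
            raise ValueError("record too short")
        header, tag = record[:SEQ.size], record[-TAG_LEN:]
        body = record[SEQ.size:-TAG_LEN]
        # Verify the tag before decompressing or trusting the number.
        if not hmac.compare_digest(tag, _tag(key, header, body)):
            raise ValueError("bad MAC: record was modified")
        if SEQ.unpack(header)[0] != expected:
            raise ValueError("record out of order")
        out += zlib.decompress(body)
    return bytes(out)


if __name__ == "__main__":
    print(open_records(seal(SAMPLE_MESSAGE, SAMPLE_KEY), SAMPLE_KEY))
```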
Source: sebsauvage