Johny Learns

 Network Security

by preeti shivaji

 


Chapter - 2  : What is SSL?

Son: Dad!

Dad: Yes, John!

Son: Yesterday you were telling me that HTTPS uses SSL. What is this SSL?

Son: Dad, tell me what exactly happens when I type gmail.com.

Dad: See this example. I have typed gmail.com and captured the packets. See the captured output. Are you able to trace the word Certificate?

 

Son: Yes.

Dad: Once we type gmail.com, gmail wants to talk with us in a secured manner. So it starts the conversation with us like this: "Hello! I have sent my certificate. It is for proving that I AM THE GMAIL.COM."

Son: Will I be able to view that certificate and the public key?

Dad: Yes. Check the status bar. You will see a lock. If you double click that lock, you can see the certificate.

 

Dad: Now let us double click on that lock. Yeah, we are able to view the certificate. Click the Details tab in that certificate and select the Public key. We are able to view the public key of gmail.com.

Son: Dad, I am not interested in the certificate and authentication of the server. I just want to know how my password is encrypted and sent.

Dad: The following are the steps involved (handshake?):

Step-1: Our browser will authenticate the certificate it received from gmail.com.

Step-2: Our browser will create a random key known as the PREMASTER KEY and send it to gmail.com, encrypted using gmail's public key.

Step-3: gmail will decrypt the message with the help of its private key and get the premaster key sent by the browser.

Step-4: Now both our browser and gmail.com will create the session keys and communicate.

Son: Dad, is the session key asymmetric or symmetric?

Dad: It is symmetric.

 

ESSENCE:

1. SSL is mainly for secured communication between browser and web server.

2. SSL takes care of confidentiality, data integrity and server authentication.

3. The working of SSL is like this:

i) Client contacts the server

ii) Server sends its certificate.

iii) The client creates a random key known as the premaster key and then sends this key to the server, encrypted using the public key that was available in the certificate.

iv) Now both have the premaster key. Using this key, they calculate the session key.

v) This session key is a symmetric key and is used for secured communications.

4. Certificates are normally purchased from a CA (certificate authority) such as Verisign and Thawte.

5. A certificate is a cryptographically signed document and is equivalent to a digital ID card of the server.

6. If you are really interested in the encryption part and not in the authentication of the server, then the certificate can be self-signed by the server.

7. For creating a self-signed certificate, you can use the keytool utility.

8. SSL was originally developed by Netscape.

9. SSL lies between the application layer and the transport layer.

10. SSL uses asymmetric and symmetric keys.
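
Steps iii) to v) of point 3, as an added example that is not part of the original chapter: how both sides turn the same premaster key into the same symmetric session keys. It assumes the key derivation of TLS 1.2 (the PRF from RFC 5246, the successor to SSL) and the key sizes of an AES-128 with HMAC-SHA256 cipher suite; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def session_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Derive the symmetric session keys that both ends compute in step iv."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key sizes assumed here: 32-byte HMAC-SHA256 keys, 16-byte AES-128 keys.
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {
        "client_mac_key": block[0:32],
        "server_mac_key": block[32:64],
        "client_enc_key": block[64:80],
        "server_enc_key": block[80:96],
    }


def new_premaster() -> bytes:
    """Step iii: the client's 48-byte premaster key (2 version bytes + 46 random)."""
    return b"\x03\x03" + secrets.token_bytes(46)


if __name__ == "__main__":
    # Constructed sample values; the randoms travel in the clear in the hello messages.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster = new_premaster()   # sent to the server encrypted with its public key

    browser = session_keys(premaster, client_random, server_random)
    server = session_keys(premaster, client_random, server_random)  # after decrypting
    print("same keys on both sides:", browser == server)

    # Someone who saw both randoms but not the premaster key gets different keys.
    guess = session_keys(new_premaster(), client_random, server_random)
    print("eavesdropper matches:", guess == browser)
```

The two random values are exchanged unencrypted, so the secrecy of the session keys rests entirely on the premaster key reaching only the holder of the server's private key.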