How SSL Server Certificates Work
The Netscape Navigator and Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels. If a user tries to submit information to an unsecured site (a site without an SSL server certificate), the browsers will, by default, show a warning.
In contrast, if a user submits credit card or other information to a site with a valid server certificate and an SSL connection, the warning does not appear. The secure connection is seamless, but visitors can be sure that transactions with a site are secured by looking for the following cues:
- The URL in the browser window displays "https" at the beginning, instead of http.
- In Netscape Communicator, the padlock in the lower-left corner of the Navigator window will be closed instead of open.
- In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE window.
SSL Strengths: 40-Bit and 128-Bit SSL
SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the session key generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. 128-bit SSL encryption is the world's strongest; according to RSA Labs, it would take a trillion years to crack using today's technology. 128-bit encryption is approximately 3 × 10^26 times stronger than 40-bit encryption.
Microsoft and Netscape offer two versions of their Web browsers, export and domestic, that enable different levels of encryption depending on the type of SSL server certificate with which the browser is communicating. First, 40-bit SSL server certificates (such as VeriSign's SSL Certificates) enable 40-bit SSL when communicating with export-version Netscape and Microsoft Internet Explorer (IE) browsers (used by most people in the U.S. and worldwide) and 128-bit SSL encryption when communicating with domestic-version Microsoft and Netscape browsers. Second, 128-bit SSL server certificates (such as VeriSign's Global Server IDs) enable 128-bit SSL encryption (the world's strongest) with both domestic and export versions of Microsoft and Netscape browsers.
The process begins by establishing an SSL "handshake"—allowing the server to authenticate itself to the browser user, and then permitting the server and browser to cooperate in the creation of the symmetric keys used for encryption, decryption, and tamper detection:
- A customer contacts a site and accesses a secured URL—a page secured by an SSL certificate (indicated by a URL that begins with "https:" instead of just "http:" or by a message from the browser). This might typically be an online order form collecting private information from the customer, such as address, phone number, and credit card number or other payment information.
- The customer's browser automatically sends the server the browser's SSL version number, cipher settings, randomly generated data, and other information the server needs to communicate with the client using SSL.
- The server responds, automatically sending the customer's browser the site's digital certificate, along with the server's SSL version number, cipher settings, and so on.
- The customer's browser examines the information contained in the server's certificate, and verifies that:
  - The server certificate is valid and has a valid date.
  - The CA that issued the server certificate has been signed by a trusted CA whose certificate is built into the browser.
  - The issuing CA's public key, built into the browser, validates the issuer's digital signature.
  - The domain name specified by the server certificate matches the server's actual domain name.

  If the server cannot be authenticated, the user is warned that an encrypted, authenticated connection cannot be established.
- If the server can be successfully authenticated, the customer's Web browser generates a unique "session key" to encrypt all communications with the site using asymmetric encryption.
- The user's browser encrypts the session key itself with the site's public key so that only the site can read the session key, and sends it to the server.
- The server decrypts the session key using its own private key.
- The browser sends a message to the server informing it that future messages from the client will be encrypted with the session key.
- The server then sends a message to the client informing it that future messages from the server will be encrypted with the session key.
- An SSL-secured session is now established. SSL then uses symmetric encryption (which is much faster than asymmetric PKI encryption) to encrypt and decrypt messages within the SSL-secured "pipeline."
- After the session is complete, the session key is eliminated.
It all takes only seconds and requires no action by the user.
In order to fully enable 128-bit encryption with a Global Server ID, it's important to generate the right kind of private key during the process of obtaining an SSL certificate. An important step in the process is generating a Certificate Signing Request (CSR) within the Web server software. In generating a CSR, Web server administrators should be careful to select a 1024-bit private key, which enables the Global Server ID to establish 128-bit SSL encryption, rather than a 512-bit private key, which enables only 40-bit encryption.
Netscape users can follow these steps to see what level of encryption is protecting their transactions:
- Go to the secure Web page you want to check.
- Click the Security button in Navigator's toolbar. The Security Info dialog box indicates whether the Web site uses encryption.
- If it does, click the Open Page Info button to display more information about the site's security features, including the type of encryption used.
You can also check to see which level of SSL is activated on your Web server by following these steps:
- Using a 128-bit client, such as the domestic version of Netscape Navigator, click Options/Security Preferences.
- Under the Enable SSL options, click Configure for both SSL 2 and SSL 3. Make sure acceptance of the 40- and 56-bit encryption ciphers is turned off.
- Try to access the site. If it is using less than 128-bit security, you will receive an error in your browser window: "Netscape and this server cannot communicate securely because they have no common encryption methods."
IE users can find out a Web site's encryption level by following these steps:
- Go to the Web site you want to check.
- Right-click on the Web site's page and select Properties.
- Click the Certificates button.
- In the Fields box, select Encryption type. The Details box shows you the level of encryption, 40-bit or 128-bit. (See the following section for more information about SSL encryption levels.)
E-businesses may choose to simplify the process of certificate checking for site visitors by describing the security measures they have implemented in a Security and Privacy statement on their sites. For example, sites that use VeriSign SSL Certificates can also post the Secure Site Seal on their home page, security statement page, and purchase pages. The Seal is a widely recognized symbol of trust that enables site visitors to check certificates in real time from VeriSign with one click.
SGC and 128-Bit Step-Up
To ensure that strong, 128-bit encryption protects e-commerce transactions for all users, businesses should install 128-bit IDs, such as VeriSign's Global Server IDs, on their servers. However, the export browsers that permit only 40-bit encryption with 40-bit SSL server certificates will allow strong, 128-bit encryption when interacting with 128-bit server certificates because these certificates are equipped with a special extension that enables Server Gated Cryptography (SGC) for Microsoft browsers and "International Step-Up" for Netscape browsers.
The extension enables 128-bit encryption with export-version browsers by prompting two "handshakes" when a user's browser accesses a page protected by a Global Server ID. When an export-version Netscape or Microsoft browser connects to the Web server, the browser initiates a connection with only a 40-bit cipher. When the server certificate is transferred, the browser verifies the certificate against its built-in list of approved CAs. Here, it recognizes that the server certificate includes the SGC or International Step-Up extension, and then immediately renegotiates the SSL parameters for the connection to initiate an SSL session with a 128-bit cipher. In subsequent connections, the browser immediately uses the 128-bit cipher for full-strength encryption.
1 comment:
I have never even heard of authorities or resellers selling 40bit encrypted certificates anymore, which is some indication of how fast technology moves! Currently 128 bit encryption is more than sufficient for most sites. However, as technology advances even further and with more sophisticated algorithms and computer power, it is expected that at some point the industry standard will have to shift to 256 bit SSL Certificates encryption, if not already! SSL247.co.uk have the largest choice of 256 bit certificates on the web today!