[Figure: Secured website example]
http://idiotechie.com/understanding-transport-layer-security-secure-socket-layer/ May 12, 2013
Understanding Transport Layer Security / Secure Socket Layer
IdioTechie
Transport Layer Security (TLS) 1.0 / Secure Sockets Layer (SSL) 3.0 is the mechanism that provides private, secured and reliable communication over the internet. It is the most widely used protocol for secure HTTPS communication between clients (web browsers) and web servers. It ensures that sensitive data in transit is safe from cyber criminals who steal valuable client information. TLS/SSL provides server authentication, client authentication, data encryption, and data integrity over the internet. Earlier, mostly payment-based web applications used secured communication to prevent hacking and keep critical payment information safe. The disadvantage of SSL is the performance hit: since the data passed over the secured layer has to be encrypted by the server, it uses more server resources than unencrypted communication. However, nowadays, with faster internet, most authentication-based web applications prefer secured HTTPS (e.g. Google, Facebook, Twitter), and HTTPS is no longer limited to e-commerce or banking websites.
What is the difference between TLS and SSL?
There are subtle differences between TLS and SSL. TLS is the successor to SSL, but TLS 1.2 is not interchangeable with SSL 3.0. TLS uses the Hash-based Message Authentication Code (HMAC) algorithm instead of the SSL Message Authentication Code (MAC) algorithm. HMAC is more secure than the standard SSL MAC algorithm.
How to recognize a secured website?
Most browsers help visitors identify whether a website is secured by showing ‘https’ in the address bar, along with the certificate authority that has validated the website.
Before we explore how SSL works, let’s try to understand some of the key terminology.
Encryption – In cryptography terminology, encryption is the process of encoding information sent from one computer to another in such a way that unauthorized persons cannot get access to the original data.
Identification – Identification is the process through which one system confirms the identity of another person, entity or computer system.
Authentication – Authentication is the process of verifying the credentials of the principal or the system. The JEE platform requires that all application servers provide support for authentication mechanisms like HTTP basic authentication, SSL mutual authentication and form-based login.
Authorization – It is the process by which the principal is either granted or denied access to protected resources. Only a trusted principal can be granted secure access.
Why do we need encryption?
© http://idiotechie.com
[Figure: Unencrypted Message Example / Encrypted Message]
[Figures: 1. SSL Handshake; 2. SSL Handshake]
If we do not use encryption, critical credit card information can be stolen by unauthorised persons who hijack the session between the client and the server.
When we use encryption, the credit card information is encrypted and passed through a secured HTTPS connection, which prevents hackers from gaining unauthorized access to the data.
How does this encryption process work between the client and server?
There are several steps before the actual encrypted message is sent. The process starts with the SSL handshake, which establishes a secured connection between the client and the server. It requires a total of nine handshake messages to be exchanged between server and client. Once the handshake is completed, encrypted messages are exchanged between client and server.
One way SSL authentication
Step 1: Client and server agree on the medium of encryption
Step 2: Server sends a certificate message to the client
• Server sends a Hello message to the client.
• Server sends a Certificate message to the client, which consists of the server’s certificate including the server’s public key.
• Before the client computer requests to start encryption, the server concludes its part of the negotiation with a ServerHelloDone message.
Step 3: Client computer requests to start encryption
• Client then sends the session key information, encrypted with the server’s public key, in the Client Key Exchange message. Both client and server calculate the master secret, which is used from then on to encrypt the messages between the client and server.
• Client sends a Change Cipher Spec message to activate the negotiated SSL encryption options, agreed during the Hello message exchange, for all future messages it will send.
• Then the client sends the Finished message, which finally requests the server to start the encryption.
[Figures: 3. SSL Handshake; 4. SSL Handshake; 1. SSL Handshake; 2. Mutual SSL Handshake]
Step 4: Server confirms to start the encryption
• Server sends a Change Cipher Spec message to activate the previously negotiated options for all future messages it will send.
• Server then sends the Finished message to the client and requests it to check the newly activated options. The Finished message is delivered in encrypted mode.
This completes the handshake process.
Step 5: The messages are encrypted
Now the client and server communicate securely through encrypted messages only.
Two way SSL communication (Mutual SSL Authentication)
Step 1: Client and server agree on the medium of encryption
Step 2: Server sends a certificate message to the client
• Server sends a Hello message to the client.
• Server sends a Certificate message to the client, which consists of the server’s certificate including the server’s public key.
• Server requests the client’s certificate in a Certificate Request message, so that the connection can be mutually authenticated.
• Before the client computer requests to start encryption, the server concludes its part of the negotiation with a Server Hello Done message.
Step 3: Client computer requests to start encryption
• Client responds to the server with a Certificate message, which contains the client’s certificate.
• Client then sends the session key information, encrypted with the server’s public key, in the Client Key Exchange message.
• Client sends a Certificate Verify message to let the server know it owns the certificate it sent. Both client and server calculate the master secret, which is used from then on to encrypt the messages between the client and server.
• Client sends a Change Cipher Spec message to activate the negotiated SSL encryption options, agreed during the Hello message exchange, for all future messages it will send.
• Then the client sends the Finished message, which finally requests the server to start the encryption.
[Figures: 3. Mutual SSL Handshake; 4. SSL Handshake]
Step 4: Server confirms to start the encryption
• Server sends a Change Cipher Spec message to activate the previously negotiated options for all future messages it will send.
• Server then sends the Finished message to the client and requests it to check the newly activated options. The Finished message is delivered in encrypted mode.
This completes the handshake process.
Step 5: The messages are encrypted
Now the client and server communicate securely through encrypted messages only.
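To make the one-way and mutual flows above concrete, here is an added toy model (written for this page; not the author's code and not real TLS) that replays both message sequences, switches each side to encrypted sending at Change Cipher Spec, and computes the Finished value as a MAC over the handshake transcript, so that a handshake message altered in transit, or a skipped Certificate Verify, is rejected. The PRF (a single HMAC-SHA256), the certificate and signature bodies, and the cleartext premaster secret in Client Key Exchange are labelled stand-ins.

```python
"""Toy model of the one-way and mutual SSL handshakes described above.

Constructed example, not real TLS: message names and order follow the text;
the PRF is a single HMAC-SHA256, ClientKeyExchange carries the premaster
secret in the clear (really it is encrypted to the server's public key), and
certificates / CertificateVerify are placeholder strings.
"""
import hashlib
import hmac
import os

# Expected (sender, message type) order for each mode.
ONE_WAY = [
    ("client", "ClientHello"), ("server", "ServerHello"),
    ("server", "Certificate"), ("server", "ServerHelloDone"),
    ("client", "ClientKeyExchange"), ("client", "ChangeCipherSpec"),
    ("client", "Finished"), ("server", "ChangeCipherSpec"),
    ("server", "Finished"),
]  # nine messages, the count given in the text
MUTUAL = [
    ("client", "ClientHello"), ("server", "ServerHello"),
    ("server", "Certificate"), ("server", "CertificateRequest"),
    ("server", "ServerHelloDone"), ("client", "Certificate"),
    ("client", "ClientKeyExchange"), ("client", "CertificateVerify"),
    ("client", "ChangeCipherSpec"), ("client", "Finished"),
    ("server", "ChangeCipherSpec"), ("server", "Finished"),
]


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in for the TLS PRF (toy): one HMAC-SHA256 over label || seed."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def finished_value(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Finished = PRF(master_secret, label, hash(all handshake messages so far))."""
    return prf(master_secret, label, hashlib.sha256(transcript).digest())


def run_handshake(mutual: bool, send_cert_verify: bool = True,
                  tamper_server_hello: bool = False) -> dict:
    """Drive both sides through the handshake. Returns ok/reason plus the
    message log as (sender, type, sent_encrypted). Raises ValueError when a
    side sends a message the peer is not expecting at that point."""
    order = list(MUTUAL if mutual else ONE_WAY)
    log = []
    transcript = {"client": b"", "server": b""}   # each side's own view
    encrypting = {"client": False, "server": False}

    def send(sender: str, mtype: str, body: bytes = b"") -> None:
        expected = order.pop(0) if order else None
        if expected != (sender, mtype):
            raise ValueError(f"{mtype} from {sender} not expected (wanted {expected})")
        log.append((sender, mtype, encrypting[sender]))
        if mtype == "ChangeCipherSpec":
            encrypting[sender] = True   # CCS itself is in the clear; what follows is not
            return
        for side in transcript:
            seen = body
            if tamper_server_hello and mtype == "ServerHello" and side == "client":
                seen = body + b"|altered-in-transit"   # client records a different ServerHello
            transcript[side] += mtype.encode() + b":" + seen + b"\n"

    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = os.urandom(48)
    send("client", "ClientHello", client_random + b"|offers:AES128-SHA,3DES-SHA")
    send("server", "ServerHello", server_random + b"|chosen:AES128-SHA")
    send("server", "Certificate", b"CN=server.example;pub=<server public key>")
    if mutual:
        send("server", "CertificateRequest", b"<acceptable CAs>")
    send("server", "ServerHelloDone")
    if mutual:
        send("client", "Certificate", b"CN=client.example;pub=<client public key>")
    send("client", "ClientKeyExchange", premaster)   # really encrypted to server key
    if mutual and send_cert_verify:
        send("client", "CertificateVerify", b"<signature over transcript by client key>")
    # Both sides derive the same master secret from the premaster and both randoms.
    master = prf(premaster, b"master secret", client_random + server_random)

    send("client", "ChangeCipherSpec")
    client_fin = finished_value(master, b"client finished", transcript["client"])
    server_expects = finished_value(master, b"client finished", transcript["server"])
    send("client", "Finished", client_fin)
    if not hmac.compare_digest(client_fin, server_expects):
        return {"ok": False, "log": log,
                "reason": "server: client Finished does not match transcript"}

    send("server", "ChangeCipherSpec")
    server_fin = finished_value(master, b"server finished", transcript["server"])
    client_expects = finished_value(master, b"server finished", transcript["client"])
    send("server", "Finished", server_fin)
    if not hmac.compare_digest(server_fin, client_expects):
        return {"ok": False, "log": log,
                "reason": "client: server Finished does not match transcript"}
    return {"ok": True, "reason": "", "log": log}


if __name__ == "__main__":
    for mode in (False, True):
        r = run_handshake(mutual=mode)
        print("mutual" if mode else "one-way", "->", r["ok"], len(r["log"]), "messages")
    print("tampered ServerHello ->", run_handshake(False, tamper_server_hello=True)["reason"])
```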
In our next series we will discuss the code-level details and the security implementation in web servers. Please keep watching this space.
