SSL

SSL (Secure Sockets Layer) is a technology that provides secure communication between a browser and a web server. It is used to protect important data such as credit card information, user passwords, etc. SSL technology relies heavily on encryption and digital signatures.

Asymmetric and symmetric cryptography

To encrypt user data, SSL technology uses both asymmetric (public key) and symmetric cryptography. Public key cryptography is a form of encryption that uses pairs of keys: one key is public and can be shared with anyone, and the second one is private and should be kept secret. These keys are mathematically linked. Information encrypted using the public key can be decrypted only with the private key and vice versa. This is how it differs from symmetric cryptography, in which both sides use identical secret keys for encryption and decryption. Since asymmetric cryptography is based on very complex algorithms, it is much slower than symmetric cryptography and is usually used to exchange short messages, typically to transfer a symmetric session key. This key is then used to create a connection encrypted with symmetric cryptography.

PKI
Asymmetric cryptography exists due to PKI (Public Key Infrastructure), a set of services for managing keys and certificates. A certificate is a digital ID that is issued by a trusted third party and can confirm the reliability of its owner. An SSL certificate is a good example. Briefly, the core ideas of PKI are:

1. Pairs of keys are created by a trusted third party (certificate authority).
2. Public and private keys are bound to the owner by a certificate, published by a certificate authority.
3. Nobody can use the private key except its owner.

Certificate Authorities

A certificate authority (CA) is a trusted third party that issues digital certificates. Certificates are verified with a digital signature.

There are two kinds of CAs: root and intermediate. Root certificates are produced by several of the biggest and most trusted CAs, such as Comodo, Thawte, Symantec, etc., and can sign certificates of smaller CAs. A certificate that is signed by a root certificate is called intermediate or chained; it also inherits the right to sign other certificates. This is called the chain of trust. All operating systems and browsers have a regularly updated list of trusted root certificates, so it is possible to verify certificates without contacting the CA.

Digital signature

A digital signature is a small block of data that is attached to a file and confirms that the file has not been changed since it was signed; it also authenticates the sender of the file. It is in fact an encrypted compressed representation of the file, and if the file is changed the signature becomes invalid.

1. Hash

To derive a compressed representation of the file, hashing is used. A hashing algorithm converts a group of characters into a compressed value of a certain length (a hash value, or hash). The hash value is normally much smaller than the original, and it is nearly impossible for two different data files to have identical hash values. A function that determines the hashing algorithm is called a hash function.

2. Encryption

To authenticate the signer of the file, asymmetric cryptography is used.

According to PKI, only the certificate owner has access to the private key, and only the linked public key can be used to decrypt a file encrypted with the private key. So if the file hash can be decrypted with a public key specified by a trusted certificate authority, we can assume that it was encrypted with the linked private key.

There are also schemes that use symmetric cryptography, but they are not very popular.

3. How to acquire a digital signature?

Digital signatures are a part of PKI. This means that anyone who wants to sign files with a digital signature needs to apply to a trusted third-party organization (CA). The certificate authority creates a pair of keys and publishes a digital certificate. The certificate contains the public key, the hash function and information about the digital signature owner.

A simple scheme showing the algorithms for signing and verifying a digital signature:

Signing

- a hash of the file is created
- the hash is encrypted with the private key
- the encrypted hash and a digital signature certificate are attached to the signed file and sent to the receiver

Verification

- receiver decrypts the hash using the public key specified in the certificate
- receiver hashes the received file using the hash function specified in the certificate
- if the two resulting hash values are identical, the digital signature is valid
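
The signing and verification scheme above as a runnable sketch (an added example, not part of the original article). It assumes textbook RSA without padding and a constructed toy key built from two Mersenne primes, which is trivially factorable; real signatures use a padding scheme such as PSS and keys issued for the purpose.

```python
import hashlib

# Constructed toy key pair (assumption for this example only, NOT secure).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                            # modulus, part of the public key
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def file_hash(data: bytes) -> int:
    """SHA-256 digest as an integer (256 bits, so always smaller than N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Signing: hash the file, then transform the hash with the private key."""
    return pow(file_hash(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Verification: recover the hash with the public key and compare it
    with a fresh hash of the received file."""
    return pow(signature, E, N) == file_hash(data)


def demo() -> dict:
    original = b"invoice #1: pay 100 EUR"        # constructed sample file
    sig = sign(original)
    return {
        "untouched": verify(original, sig),
        "file_changed": verify(b"invoice #1: pay 900 EUR", sig),
        "signature_changed": verify(original, sig + 1),
    }


if __name__ == "__main__":
    print(demo())
```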

SSL Certificate

To establish an SSL connection with a client's web browser, a server must have an SSL certificate. It can be called a digital ID that confirms the reliability of a web site; it also participates in the data encryption process.

What information does an SSL certificate contain?

- domain name associated with the certificate or Common Name
- certificate owner's name
- owner's public key
- certificate's date of issue
- certificate's expiration date
- certificate authority (CA) name
- serial number
- certificate issuer's digital signature

Process of establishing an SSL connection

The process of establishing a secure SSL connection can be described in this simplified scheme:

1. Browser makes a request for a secure connection.
2. Web server sends its SSL certificate signed by a Certificate Authority and the server's public key.
3. Browser checks its own list of trusted root certificates. If the certificate is not signed by any of the root CAs, it checks the list of intermediate CAs and so on, until a match is found. Then it checks that the certificate has not expired and that it is related to the requested web site. If any of the requirements are not met, the browser will display a warning that the web site is not secure.
4. If the certificate is valid, the browser generates a sequence of random numbers that will be used as a session key, encrypts it with the public key and sends it to the server. The session key is a secret symmetric key used for encryption and decryption until the session is over.
5. Server decrypts it using its private key.
6. Now the browser and server can exchange messages encrypted with the session key; a secure connection is established.

The most common SSL-related issues

1. Certificate is not trusted

If a browser displays a warning that the website certificate is not trusted, there can be two reasons. The website may be using a self-signed certificate, or the intermediate certificate may not be installed on the web server. Self-signed certificates are signed not by a Certificate Authority but by the web server itself. They are free, but they can't be used for a public web site, because a browser will always display a warning that the requested site's certificate is not signed by any trusted CA.

2. Name mismatch

A message saying something like "ERR_CERT_COMMON_NAME_INVALID" (it can be different in different browsers) means that the requested domain name does not match the domain name associated with the certificate. It can happen if you type a web site address without "www" in the address bar. For example, if a certificate is issued for a web site with the domain name "www.hdsoft.ru" and you are trying to access it as "hdsoft.ru", you will get an error message. One more reason for this error may be that the web site was accessed using its internal host name, which does not match the domain name in the certificate.

3. Expired certificate

CAs provide their certificates for a certain period of time, and if a certificate expires it is no longer valid. To avoid this, the certificate owner should renew it in time.

4. Certificate digital signature is not valid

That would mean the certificate was damaged or falsified.

SSL-related issues on user's end

If a browser shows an SSL-related warning, it can really mean that somebody is trying to steal your crucial information, but that's not always the case. Sometimes the problem is on the user's end. For example, the first thing you need to do is check the system time on your computer. This is important because a browser can use the system time to determine that a certificate is expired or even not yet valid.

Antivirus software and browser add-ons can also cause SSL-related warnings.

Finally, an outdated browser or operating system may be the cause.
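
The name-mismatch, expired and wrong-system-time cases described above, reproduced as a small checker (an added example, not part of the original article). It covers only the name and validity-period checks, not chain or signature validation; the certificate is constructed in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the dates and helper names are assumptions.

```python
import ssl

# Constructed certificate (dates are made up for the example).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.hdsoft.ru"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_certificate(cert: dict, host: str, now: float) -> list:
    """Return the problems a client would report for this host and clock."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


# Three client clocks: a correct one, one reset to 2010, one after expiry.
MID_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
CLOCK_RESET = ssl.cert_time_to_seconds("Jan  1 00:00:00 2010 GMT")
MID_2025 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    for host, now in [("www.hdsoft.ru", MID_2024), ("hdsoft.ru", MID_2024),
                      ("www.hdsoft.ru", CLOCK_RESET), ("www.hdsoft.ru", MID_2025)]:
        print(host, check_certificate(SAMPLE_CERT, host, now) or "ok")
```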