Figure: Secured website example

Understanding Transport Layer Security / Secure Socket Layer
IdioTechie, May 12, 2013
http://idiotechie.com/understanding-transport-layer-security-secure-socket-layer/
Transport Layer Security (TLS) 1.0 / Secure Sockets Layer (SSL) 3.0 is the mechanism that provides private, secure and reliable communication over the internet. It is the most widely used protocol for securing HTTPS communication between clients (web browsers) and web servers. It ensures that sensitive data in transit is safe from cyber criminals who steal valuable client information. TLS/SSL provides server authentication, client authentication, data encryption and data integrity over the internet. Earlier, it was mostly payment-based web applications that used secured communication to prevent attacks and keep critical payment information safe. The disadvantage of SSL is the performance hit: since the data passed over the secured layer has to be encrypted by the server, it uses more server resources than unencrypted communication. However, with today's faster internet most authentication-based web applications prefer HTTPS, e.g. Google, Facebook and Twitter, and HTTPS is no longer limited to e-commerce or banking websites.
What is the difference between TLS and SSL?
There are subtle differences between TLS and SSL. TLS is the successor to SSL, but TLS 1.2 is not interchangeable with SSL 3.0. TLS uses the Hash-based Message Authentication Code (HMAC) algorithm in place of the SSL Message Authentication Code (MAC) algorithm. HMAC is more secure than the standard SSL MAC algorithm.
How to recognize a secured website?
Most browsers help visitors identify whether a website is secured by showing ‘https’ in the address bar and also the certificate authority which has validated the website.
Before we explore how SSL works, let’s understand some of the key terminology.
Encryption – In cryptography terminology, encryption is the process of encoding information sent from one computer to another in such a way that unauthorized persons cannot get access to the original data.
Identification – Identification is the process through which one system confirms the identity of another person, entity or computer system.
Authentication – Authentication is the process of verifying the credentials of the principal or the system. The JEE platform requires that all application servers support authentication mechanisms like HTTP basic authentication, SSL mutual authentication and form-based login.
Authorization – Authorization is the process by which the principal is either granted or denied access to protected resources. Only a trusted principal can be granted secure access.
Why do we need encryption?
©
http://idiotechie.com
Figures: Unencrypted Message Example; Encrypted Message; 1. SSL Handshake; 2. SSL Handshake
If we do not use encryption, critical credit card information can be stolen by unauthorised persons who hijack the session between the client and the server.
When we use encryption, the credit card information is encrypted and passed through a secured HTTPS connection, which prevents attackers from gaining unauthorized access to the data.
How does this encryption process work between the client and server?
There are several steps before the actual encrypted message is sent. The process starts with the SSL handshake, which establishes a secured connection between the client and the server. The handshake requires a total of nine messages to be exchanged between server and client. Once the handshake is completed, encrypted messages are communicated between client and server.
One way SSL authentication
Step 1: Client and server agree on the method of encryption.
Step 2: Server sends a certificate message to the client.
• Server sends a Hello message to the client.
• Server sends a Certificate message to the client, which consists of the server’s certificate including the server’s public key.
• Before the client computer requests to start encryption, the server concludes its part of the negotiation with a ServerHelloDone message.
Step 3: Client computer requests to start encryption.
• Client then sends the session key information, encrypted with the server’s public key, in the Client Key Exchange message. Both client and server calculate the master secret, which is used from then on to encrypt the messages between the client and server.
• Client sends a Change Cipher Spec message to activate the negotiated SSL encryption options, agreed during the Hello message exchange, for all future messages it will send.
• The client then sends a Finished message, which finally requests the server to start the encryption.
Figures: 3. SSL Handshake; 4. SSL Handshake; 1. SSL Handshake; 2. Mutual SSL Handshake
Step 4: Server confirms to start the encryption.
The server sends a Change Cipher Spec message to activate the previously negotiated options for all future messages it will send. The server then sends the Finished message to the client and requests it to check the newly activated options. The Finished message is delivered in encrypted mode.
This completes the handshake process.
Step 5: The messages are encrypted.
Now the client and server communicate securely through encrypted messages only.
Two way SSL communication (Mutual SSL Authentication)
Step 1: Client and server agree on the method of encryption.
Step 2: Server sends a certificate message to the client.
• Server sends a Hello message to the client.
• Server sends a Certificate message to the client, which consists of the server’s certificate including the server’s public key.
• Server requests the client’s certificate in a Certificate Request message, so that the connection can be mutually authenticated.
• Before the client computer requests to start encryption, the server concludes its part of the negotiation with a Server Hello Done message.
Step 3: Client computer requests to start encryption.
• Client responds to the server with a Certificate message, which contains the client’s certificate.
• Client then sends the session key information, encrypted with the server’s public key, in the Client Key Exchange message.
• Client sends a Certificate Verify message to prove to the server that it owns the certificate it sent. Both client and server calculate the master secret, which is used from then on to encrypt the messages between the client and server.
• Client sends a Change Cipher Spec message to activate the negotiated SSL encryption options, agreed during the Hello message exchange, for all future messages it will send.
• The client then sends a Finished message, which finally requests the server to start the encryption.
Figures: 3. Mutual SSL Handshake; 4. SSL Handshake
Step 4: Server confirms to start the encryption.
The server sends a Change Cipher Spec message to activate the previously negotiated options for all future messages it will send. The server then sends the Finished message to the client and requests it to check the newly activated options. The Finished message is delivered in encrypted mode.
This completes the handshake process.
Step 5: The messages are encrypted.
Now the client and server communicate securely through encrypted messages only.
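The one-way and mutual flows above, as an added example that is not the article's own code: a Python model of the two message orderings (nine messages for one-way) with a deliberately simplified key schedule, in which HMAC-SHA256 stands in for the TLS 1.0 PRF and the RSA-encrypted premaster secret is modelled as a value both peers already share. It shows why both sides derive the same master secret and why the Finished message, a MAC over the whole handshake transcript, detects a transcript altered in transit. All function names and the sample tamper case are constructed for this example.

```python
import hashlib
import hmac
import os

# Expected message orderings for the two flows described above.
# The one-way flow has nine messages, as the article states; mutual
# authentication adds CertificateRequest, ClientCertificate and CertificateVerify.
ONE_WAY = [
    "ClientHello", "ServerHello", "Certificate", "ServerHelloDone",
    "ClientKeyExchange", "ChangeCipherSpec", "Finished",
    "ChangeCipherSpec", "Finished",
]
MUTUAL = [
    "ClientHello", "ServerHello", "Certificate", "CertificateRequest",
    "ServerHelloDone", "ClientCertificate", "ClientKeyExchange",
    "CertificateVerify", "ChangeCipherSpec", "Finished",
    "ChangeCipherSpec", "Finished",
]


def classify_handshake(messages):
    """Return 'one-way', 'mutual', or None when the order matches neither flow."""
    if list(messages) == ONE_WAY:
        return "one-way"
    if list(messages) == MUTUAL:
        return "mutual"
    return None


def transcript_hash(messages):
    """Hash of the handshake messages a peer has seen so far, in order."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m.encode() + b"\0")
    return h.digest()


def derive_master_secret(premaster, client_random, server_random):
    """Simplified key schedule (assumption: HMAC-SHA256 stands in for the
    TLS 1.0 PRF). Both peers know the premaster secret and both randoms,
    so both derive the same master secret without it ever being sent."""
    return hmac.new(premaster, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def finished_verify_data(master_secret, label, handshake_messages):
    """The Finished message carries a MAC, keyed by the master secret, over
    the whole handshake transcript; the label differs per side."""
    mac = hmac.new(master_secret, label + transcript_hash(handshake_messages),
                   hashlib.sha256)
    return mac.digest()[:12]


def run_handshake(flow, tamper=None):
    """Simulate both peers' view of one flow and check the client's Finished.

    Returns (same_master_secret, finished_accepted). `tamper` optionally
    rewrites the transcript the client saw, modelling an on-path party that
    alters handshake messages before they reach the client."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    # Premaster secret: in TLS 1.0 the client sends it encrypted under the
    # server's public key (ClientKeyExchange); modelled here as a shared value.
    premaster = os.urandom(48)

    # Handshake messages sent before the client's Finished. ChangeCipherSpec
    # is its own record type and is not part of the handshake transcript.
    sent = [m for m in flow[:flow.index("Finished")] if m != "ChangeCipherSpec"]
    server_view = list(sent)
    client_view = tamper(list(sent)) if tamper else list(sent)

    client_ms = derive_master_secret(premaster, client_random, server_random)
    server_ms = derive_master_secret(premaster, client_random, server_random)
    same_master = hmac.compare_digest(client_ms, server_ms)

    client_finished = finished_verify_data(client_ms, b"client finished", client_view)
    expected = finished_verify_data(server_ms, b"client finished", server_view)
    return same_master, hmac.compare_digest(client_finished, expected)


def strip_certificate_request(msgs):
    """Constructed tamper case: the CertificateRequest never reaches the client,
    so the client's transcript no longer matches the server's and the server
    rejects the client's Finished."""
    return [m for m in msgs if m != "CertificateRequest"]


if __name__ == "__main__":
    for name, flow in (("one-way", ONE_WAY), ("mutual", MUTUAL)):
        print(name, classify_handshake(flow), run_handshake(flow))
    print("mutual, CertificateRequest stripped:",
          run_handshake(MUTUAL, strip_certificate_request))
```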
In the next part of this series we will discuss the code-level details and the security implementation in web servers. Please keep watching this space.
