Secure Computing SSL Scanner User Manual, Page 3

Figure 2 illustrates an SSL transaction:
1. The handshake begins when a client connects to an SSL-enabled server, requests a secure connection, and presents the list of protocol versions and cipher suites it supports.
2. From this list, the server selects the strongest cipher suite (and so the cipher and hash function) that it also supports, and notifies the client of its choice. Additionally, the server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the certificate authority (CA) that issued it, and the server's public key. The server may require client authentication via a signed client certificate as well (required for some on-line banking operations); however, many organizations choose not to deploy client-side certificates widely because of the overhead of managing a public key infrastructure (PKI).
3. The client verifies that the certificate is valid (well-formed, not expired, and carrying the name of the server the client meant to reach) and that it was issued by a CA on the client's list of trusted CAs. These CA certificates are typically configured locally on the client.
4. If the certificate is accepted, the client generates a random secret (the pre-master secret, from which both sides derive the master secret), encrypts it with the server's public key, and sends the result to the server. The server decrypts it with its private key. Only the server holds that private key, so nobody else can recover the secret.
5. The client and server each convert the master secret into the same set of symmetric keys, called the keyring or session keys. These keys are shared only by the server and the client, which then use them to encrypt and decrypt data. This is what keeps the traffic hidden from third parties: an eavesdropper saw the secret only in encrypted form, and only the server's private key can open it.
6. This concludes the handshake and begins the secured connection. Bulk data is then transferred encrypted and decrypted with the session keys until the connection closes. If any one of the above steps fails, the SSL handshake fails and the connection is not created.

Note that this sequence describes RSA key exchange. With Diffie-Hellman key exchange (listed among the cipher suite components below), the client and server instead compute the shared secret from values they exchange in the clear, and the server's private key signs those values rather than decrypting a client-chosen secret.
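The six steps above, run end to end in Python as an added example; this is not code from the Secure Computing manual or from the SSL Scanner product. It uses only the standard library, so the RSA keys are unpadded textbook RSA over fixed, publicly known Mersenne primes, the certificate is a plain dictionary signed by a toy CA, and the record layer is an HMAC-SHA256 keystream with a 16-byte tag. The function names (make_ca, issue_cert, handshake, seal, open_record), the CA and server names, and the cipher suite strings are this example's own constructions. The point is the message flow: who sends what, what the client checks, and why a third party who saw every message still cannot derive the session keys.

```python
import hashlib
import hmac
import os

# Constructed toy RSA parameters: fixed, publicly known Mersenne primes, so
# every run produces the same keys. Real deployments generate large random primes.
PRIMES = {"server": (2**61 - 1, 2**89 - 1), "ca": (2**107 - 1, 2**127 - 1)}
E = 65537
TRUSTED_CAS = {}   # the client's locally configured CA list: issuer name -> public key


def rsa_keypair(role):
    p, q = PRIMES[role]
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))


def rsa_apply(key, value):
    """Raw (unpadded) RSA: public key encrypts/verifies, private key decrypts/signs."""
    n, exp = key
    return pow(value, exp, n)


def digest16(*parts):
    """128-bit SHA-256 prefix, small enough to sit below the toy modulus."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:16], "big")


def make_ca(name, trusted=True):
    pub, priv = rsa_keypair("ca")
    if trusted:
        TRUSTED_CAS[name] = pub
    return name, priv


def issue_cert(ca, subject, server_pub):
    issuer, ca_priv = ca
    tbs = (subject.encode(), issuer.encode(), repr(server_pub).encode())
    return {"subject": subject, "issuer": issuer, "pubkey": server_pub,
            "signature": rsa_apply(ca_priv, digest16(*tbs))}


def verify_cert(cert, expected_name):
    """Step 3: issuer must be a trusted CA, name must match, signature must verify."""
    ca_pub = TRUSTED_CAS.get(cert["issuer"])
    if ca_pub is None or cert["subject"] != expected_name:
        return False
    tbs = (cert["subject"].encode(), cert["issuer"].encode(), repr(cert["pubkey"]).encode())
    return rsa_apply(ca_pub, cert["signature"]) == digest16(*tbs)


def derive_keys(pre_master, client_random, server_random):
    """Step 5: master secret from the pre-master secret and both randoms, then
    per-direction write and MAC keys that each side computes independently."""
    master = hmac.new(pre_master, b"master secret" + client_random + server_random,
                      hashlib.sha256).digest()
    return {label: hmac.new(master, label.encode(), hashlib.sha256).digest()
            for label in ("client write", "client mac", "server write", "server mac")}


def keystream_xor(key, seq, data):
    """HMAC-SHA256 in counter mode; the same call encrypts and decrypts."""
    blocks = (hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def seal(keys, direction, seq, plaintext):
    """Step 6: encrypt one record and append a 16-byte integrity tag."""
    ct = keystream_xor(keys[direction + " write"], seq, plaintext)
    tag = hmac.new(keys[direction + " mac"], seq.to_bytes(8, "big") + ct,
                   hashlib.sha256).digest()[:16]
    return ct + tag


def open_record(keys, direction, seq, record):
    """Check the tag first; a tampered or replayed record is rejected, not decrypted."""
    ct, tag = record[:-16], record[-16:]
    expected = hmac.new(keys[direction + " mac"], seq.to_bytes(8, "big") + ct,
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(keys[direction + " write"], seq, ct)


def handshake(client_suites, server_suites, server_name="www.example.com", cert=None):
    """Run steps 1-6; return the negotiated suite and session keys, or None if any step fails."""
    ca = make_ca("Example Root CA")
    server_pub, server_priv = rsa_keypair("server")
    cert = cert or issue_cert(ca, server_name, server_pub)
    client_random = os.urandom(32)                                        # 1. ClientHello
    suite = next((s for s in server_suites if s in client_suites), None)  # 2. ServerHello
    if suite is None:
        return None
    server_random = os.urandom(32)
    if not verify_cert(cert, server_name):                                # 3. certificate check
        return None
    pre_master = os.urandom(16)                                           # 4. pre-master secret
    encrypted = rsa_apply(cert["pubkey"], int.from_bytes(pre_master, "big"))
    recovered = rsa_apply(server_priv, encrypted).to_bytes(16, "big")     # only the private key can
    client_keys = derive_keys(pre_master, client_random, server_random)   # 5. keyring
    server_keys = derive_keys(recovered, client_random, server_random)
    if client_keys != server_keys:
        return None
    return {"suite": suite, "keys": client_keys}                          # 6. bulk transfer may begin
```

handshake() returns None at exactly the points where the text says the handshake fails: no cipher suite in common, a certificate from an issuer that is not in TRUSTED_CAS, or a certificate issued for a different name. With the returned keys, seal() and open_record() show the bulk phase, including rejection of a record whose tag no longer matches because it was altered or replayed under the wrong sequence number.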
Though the authentication and encryption process may seem rather involved, it happens in less than a second. Generally, the user does not even know it is taking place. However, the user is able to tell when the secure tunnel has been established, since most SSL-enabled web browsers display a small closed lock at the bottom (or top) of their screen when the connection is secure. Users can also identify secure web sites by looking at the web site address: a secure web site's address begins with https rather than the usual http. Note that the lock only shows that a tunnel was negotiated with a server presenting a certificate the browser accepted; it says nothing about the intentions of whoever operates that server.
SSL Crypto Algorithms
SSL supports a variety of different cryptographic algorithms, or ciphers, that it uses for authentication, transmission of certificates, and establishing session keys. SSL-enabled devices can be configured to support different sets of ciphers, called cipher suites. If an SSL-enabled client and an SSL-enabled server support multiple cipher suites, they negotiate which cipher suite to use so as to provide the strongest security supported by both parties.
A cipher suite specifies and controls the cryptographic algorithms used during the SSL handshake and the data transfer phase. Specifically, a cipher suite names the following:
• Key exchange algorithm: the asymmetric algorithm used to agree on the symmetric key. RSA and Diffie-Hellman are common examples.
• Public key (authentication) algorithm: the asymmetric algorithm used for authentication; it determines the type of certificate used. RSA and DSA are common examples.
• Bulk encryption algorithm: the symmetric algorithm used to encrypt data. RC4, AES, and Triple-DES are common examples.
• Message digest algorithm: the algorithm used, as a keyed MAC, to perform integrity checks. MD5 and SHA-1 are common examples.
Of these examples, RC4, Triple-DES, and MD5 are now regarded as weak and are disabled in current TLS configurations, and SHA-1 is no longer accepted for certificate signatures; AES with SHA-256 or stronger is the norm.
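The four components above as they appear in real cipher suite names, decomposed and then used for the negotiation step, as an added example that is not code from the manual. The suite names are genuine TLS registry names; the regular expression, the notion of which suites count as weak, and the ranking used to pick the strongest common suite are this example's own assumed local policy, not something the manual or any server implementation defines.

```python
import re

# Registry names encode the four roles in order: key exchange, authentication,
# bulk cipher, message digest. TLS_RSA_* omits the auth field (RSA does both jobs).
SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>ECDHE|DHE|RSA|DH_anon)(?:_(?P<auth>RSA|DSS|ECDSA))?"
    r"_WITH_(?P<bulk>AES_128_GCM|AES_256_GCM|AES_128_CBC|AES_256_CBC|3DES_EDE_CBC|RC4_128|NULL)"
    r"_(?P<mac>SHA384|SHA256|SHA|MD5)$")

# Assumed local policy (this example's own): what counts as weak, and key sizes.
WEAK_BULK = {"RC4_128", "3DES_EDE_CBC", "NULL"}
WEAK_MAC = {"MD5"}
KEY_BITS = {"AES_256_GCM": 256, "AES_256_CBC": 256, "AES_128_GCM": 128,
            "AES_128_CBC": 128, "RC4_128": 128, "3DES_EDE_CBC": 112, "NULL": 0}


def parse_suite(name):
    """Split a suite name into its four components; raise on anything unrecognised."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite: {name}")
    parts = m.groupdict()
    if parts["auth"] is None:
        # TLS_RSA_*: the RSA key exchange also authenticates the server;
        # DH_anon: nobody is authenticated at all.
        parts["auth"] = "NONE" if parts["kx"] == "DH_anon" else parts["kx"]
    return parts


def strength(name):
    """Sortable rank: not weak > forward secrecy > AEAD mode > key length."""
    p = parse_suite(name)
    weak = p["bulk"] in WEAK_BULK or p["mac"] in WEAK_MAC or p["auth"] == "NONE"
    return (not weak, p["kx"] in ("ECDHE", "DHE"), p["bulk"].endswith("_GCM"), KEY_BITS[p["bulk"]])


def negotiate(client_offer, server_supported, allow_weak=False):
    """Server side of the ServerHello: choose the strongest suite both parties support.

    Returns None when there is no acceptable overlap, which is the case in
    which the handshake fails and no connection is created.
    """
    common = [s for s in server_supported
              if s in client_offer and (allow_weak or strength(s)[0])]
    if not common:
        return None
    return max(common, key=strength)
```

negotiate() mirrors what an SSL-enabled server does when it "picks the strongest cipher": it intersects the client's offer with its own list and ranks the result. The allow_weak switch is the operator's choice between interoperability with old clients and refusing suites built on RC4, Triple-DES, MD5 or anonymous Diffie-Hellman.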
Technology Primer: Secure Sockets Layer (SSL)