Secure Sockets Layer (SSL) provides client/server authentication and encrypted communications on the Internet. To understand how it fits into the big picture, it would be good if you knew the Open Systems Interconnection (OSI) model for network communications. This is a sever layer model to represent a network. TCP/IP is pretty low operating at the network layer in this model. On top of that is where SSL works, which is the transport layer. Much high in the application layer is protocols such as HTTP and LDAP.
SSL makes use of certificate authorities to verify certificates. It also has two sub protocols: the SSL Record Protocol for formatting, and the SSL Handshake Protocol which negotiates the keys and techniques used for encryption. One way to perform this negotiation is to employ the RSA Key Exchange. There are many options available. The exchange algorithm lets the both ends of the network determine which option to use. I will review these options from the least secure to the strongest.
The simplest and least secure is to do no encryption. This option uses something called MD5 which stands for Message Digest algorithm 5. It is a cryptographic hash function written by Ron Rivest. This technique allows the receiver of network communications to detect whether the messages sent have been tampered with. MD5 is essentially being replaced by SHA-1 which I shall explain below.
Next the RSA Key Exchange can use something called RC2 with 40 bit encryption and MD5. RC2 is a block cipher also invented by Ron Rivest. A block cipher is a symmetric key cipher (encryption and decryption use the same key) that operates on fixed length blocks at a time. This cipher had a 64 bit block with a variable sized key. It is slower than another option of using RC4 with 40 bit encryption and MD5. RC4 uses a stream cipher and is the most widely used software based stream cipher. Both RC2 and RC4 can also be used with 128 bit encryption which makes them more secure.
There are more modes that the RSA Key Exchange can choose. I will cover them in a future posting. SSL can also use techniques other than the RSA Key Exchange to determine how to choose a method and key for encryption. I hope to also go over these in a future post. There are a lot of details to this SSL.
Analysis Failure - My new team leader asked me to cost a fix to a bug the customer found. I looked up the ticket in our system. Somebody had already done an analysis and pro...