Manualshelf

Specifications

ManualsBrandsMaxxus ManualsExercise BikePRO SPK-23
351352353354355356357358359360
SSL is theoretically capable of providing a secure transmission environment for protocols other
than HTTP, but is normally only used for HTTP. Other protocols can be used because the SSL
layer is essentially transparent. The SSL layer provides the same interface to protocols above it
as the underlying transport layer. It then transparently deals with handshaking, encryption, and
decryption.
When a Web browser connects to a secure Web server via HTTP, the two need to follow a
handshaking protocol to agree on things such as authentication and encryption.
The handshake sequence involves the following steps:
1. The browser connects to an SSL enabled server and asks the server to authenticate itself.
2. The server sends its digital certificate.
3. The server might optionally (and rarely) request that the browser authenticate itself.
4. The browser presents a list of the encryption algorithms and hash functions it supports.
The server selects the strongest encryption that it also supports.
5. The browser and server generate session keys:
5.1 The browser obtains the servers public key from its digital certificate and uses it to
encrypt a randomly generated number.
5.2 The server responds with more random data sent in plaintext (unless the browser
has provided a digital certificate at the servers request in which case the server
will use the browsers public key).
5.3 The encryption keys for the session are generated from this random data using
hash functions.
Generating good quality random data, decrypting digital certificates, and generating keys and
using public key cryptography takes time, so this handshake procedure takes time. Fortunately,
the results are cached, so if the same browser and server want to exchange multiple secure
messages, the handshake process and the required processing time only occur once.
When data is sent over an SSL connection, the following steps occur:
1. It is broken into manageable packets.
2. Each packet is (optionally) compressed.
3. Each packet has a message authentication code (MAC) calculated using a hashing algo-
rithm.
4. The MAC and compressed data are combined and encrypted.
5. The encrypted packets are combined with header information and sent to the network.
The entire process is shown in Figure 15.4.
E-commerce and Security
P
ART III
334
19 7842 CH15 3/6/01 3:40 PM Page 334