SSL is a multi-purpose protocol designed to create communications between two application programs on a predetermined port (socket 443) to encrypt all incoming / outgoing information used in e-transactions. such as credit card numbers, passwords, personal secret numbers (PINs) on the Internet. Preamble In e-transactions on the Internet and in online payment transactions, information / data on unsecured Internet environments is usually secured by a security mechanism implemented in the transport layer called the Port class. Secure Socket Layer (SSL) - a technique currently used in computer network operating systems. SSL is a multi-purpose protocol designed to create communications between two application programs on a predetermined port (socket 443) to encrypt all incoming / outgoing information used in e-transactions. such as credit card numbers, passwords, personal secret numbers (PINs) on the Internet. The SSL protocol was first developed in 1994 by the Netscape team led by Elgammal, and today it has become a standard practice on the Internet. The current SSL version is 3.0 and is still being added and perfected. Similar to SSL, another protocol called Private Communication Technology (PCT), proposed by Microsoft, is now widely used in computer networks running Windows NT. . In addition, an Internet Engineering Task Force (IETF) standard called the SSL-based Transport Layer Security (SSL) is also being developed and published under the IETF framework. Internet Draft is integrated and supported in Netscape products. How does the SSL protocol work? The basic point of SSL is that it is designed independently of the application layer to ensure confidentiality, security, and anti-tampering of information over the Internet between two applications, such as the webserver and the browser. ), so it is widely used in many different applications on the Internet. The whole mechanism of operation and cryptographic algorithm used in SSL is publicly available, except for temporary shared keys generated at the time of exchange between the two applications, which are random and secret. observer on the computer network. In addition, the SSL protocol requires the host application to be authenticated by a third-class object (CA) through digital public key cryptography (RSA, for example). The following is an overview of the mechanism of operation of SSL for analyzing its security level and its applicability in sensitive applications, particularly for commercial and billing applications. death The SSL protocol is based on two protocols: the "handshake protocol" and the "record protocol". The handshake protocol specifies the transaction parameters between two objects that need to exchange information or data, and the record protocol defines the format for encrypting and transmitting two-way communication between the two objects. . When two computer applications, for example, between a web browser and a web server, work together, the server and the client exchange the "hello" in the form of messages to each other with the beginning. Proactive protection from the server, while defining standards for encryption and compression algorithms can be applied between the two applications. In addition, applications also exchange unique "session IDs, session keys" for that session. Then the client application (browser) requires a digital certificate of the web server. Electronic certificates are generally endorsed by a CA Authority (Certificate Authority) such as RSA Data Sercurity or VeriSign Inc., an independent, neutral and reputable organization. These organizations provide a "certification" service for a company's identification number and issue a unique certificate to that company as the identity card for online transactions, which are the webserver server. After checking the server's electronic certificate (using a public cipher, such as RSA at the workstation), the client application uses the information in the electronic certificate to encrypt the re-sent message. the server that only the server can decrypt. On the basis of this, two master key applications - the secret key or the symmetric key - serve as the basis for encrypting the flow of information / data back and forth between the two client applications. The entire level of security and security of information / data depends on several parameters: (i) Identification by random session; (ii) the security level of security algorithms applied to SSL; (iii) The length of the key length used for the information encoding scheme. The SSL encryption and authentication algorithms used include (version 3.0): (1) DES - Data Encryption Standard (born 1977), invented and used by the US government; (2) DSA - electronic signature algorithms, electronic authentication standards, inventions and uses by the US government; (3) KEA - key exchange algorithm, invention and use by the US government; (4) MD5 - message digest algorithm, invented by Rivest; (5) RC2, RC4 - Rivest coding, developed by RSA Data Security; (6) RSA - public key algorithm, for encryption and authentication, developed by Rivest, Shamir and Adleman; (7) RSA key exchange - RSA key exchange algorithm based on RSA algorithm; (8) SHA-1 - safety jaw algorithm developed and used by the US government; (9) SKIPJACK - Classical symmetric key algorithm implemented in Fortezza hardware, used by the US government; (10) Triple-DES - DES encryption three times. The theoretical basis and operational mechanism of the algorithms used in the above security are now widespread and public, with the exception of practical implementation solutions in security products. hardware, plastic parts, software). Secure SSL protocol The security level of SSL described above depends on the key length or depends on the use of the 40bit and 128bit encryption. 40bit encryption is widely used outside of the United States, and the 128-bit version is only available in the United States and Canada. According to US law, "strong" codes are classified as "weapons" and so when used outside the United States (as exports of weapons) must be authorized by the US government or must be licensed by the US Department of Defense (DoD). This is an advantage for the implementation of commercial and electronic payment services in the United States and its Western allies, and is a disadvantage for using products that require a secure and secure mechanism. in electronic transactions in general and e-commerce in particular in other countries. The methods of attack (or cracking) of common security algorithms are based on the "brute-force attack" method by testing the spatial domain of the possible values of the key. The number of false-up attempts increases as the length of the key increases and thus exceeds the capacity and computing power, including the most modern supercomputers. For example, with a key length of 40 bits, the number of tests will be 240 = 1,099,511,627,776 combinations. However, the large key lengths are associated with a decrease in the computational speed (inverted cumulative) and thus difficult to apply in practice. Once the key is broken, all transaction information on the network will be completely controlled. However, due to the large locking length (eg, 128, 256 bits), the number of false-choice tests becomes "impossible" because it takes years or even thousands of years for the machine to generate power and computing power. the strongest today. As early as 1995, the 40-bit encryption was broken by using the shallow algorithm. In addition, some security algorithms (such as DES 56bit, RC4, MD4, ...) are now considered unsafe when applying some special attack methods and algorithms. There have been a number of proposed changes in US legislation to allow the widespread use of encryption software using 56-bit encryption, but it has not yet been approved. Some challenges and break the lock on security In the security community, one of the security / security methods of security algorithms, in addition to the theoretical basis of the algorithm, is to present "challenges" (challenge) with symbolic bonus, to test the algorithm's practicality. Here are some references: On July 14, 1995, Hal Finney placed the first SSL challenge on a Netscape browser session record using the RC4-128-EXPORT-20 algorithm. On August 16, 1995, David Byers and Eric Young along with Adam Back broke the challenge within two hours, costing an estimated $ 10,000. On August 19, 1995, Hal Finney placed a second SSL challenge for the community who encrypted a "key cracking ring" and also broke for 32 hours. On September 17, 1995, Ian Goldberg and David Wagner broke the pseudo-random-access algorithm for Netscape 1.1 within a few hours. workstation. This led to Netscape having to quickly release versions to fix the "holes" of security in its browser. Currently the latest version of Netscape is capable of high security but is only allowed within the United States. SSL and ecommerce applications In practice, the user's understanding of the security mechanisms that are "orchestrated" in electronic transactions on the Internet is small and blurry. The vast majority rely on trust, such as the names of reputable firms (VisaCard, MasterCard, ...) and well-known brands (Oracle, Microsoft, Netscape). , ...). Security and safety are important issues in deciding on eCommerce or eCommerce development and creating trust for customers and the public. By analyzing the example of security in SSL, it shows the other side of the problem: the ability to choose technology and the degree of dependence on technology, when building platform applications that include infrastructure information security. The deployment of application systems that use high-security Internet communication infrastructure (especially in banking, finance, defense, etc.) needs to be built on a class diagram. Multi-tiered security (eg Secure Electronic Transaction, Internet Keyed Protocol (IKP) or PGP (Pretty Good Privacy), even hardware. At the same time, it should be noted that the current application security products on the computer network are largely invented from the United States, protected and strictly controlled by US law that leads to the practice of developing and implementing information systems and electronic commerce transactions. We need to be careful and considerate.
