OSI: Securing the Stack, Layer 6 -- Encryption

More on SSL and TLS TLS: Network encryption beyond SSL with Transport Layer Security

Let's start with a little bit of history. Netscape developed SSL in 1994 as a means of securing network communication. Specifically, SSL was designed to protect data being transported between a Web browser and a Web server. SSL offers businesses a means of secure e-commerce. While SSL is not an industry standard -- in that it was developed by Netscape -- Transport Layer Security (TLS) is. TLS was developed by the Internet Engineering Task Force (IETF). The current version of TLS is 1.1 and is described in RFC 4346. Programs that use TLS work very similarly to those that use SSL. By and large, SSL and TLS are interchangeable. Both services follow a standard handshake process to establish communication:

1. A client uses a Web browser to contact a Web server that hosts a secured URL.
2. The Web server responds to the client's request and sends the server's digital certificate to the Web browser. The X.509 certificate is the most commonly used type.
3. The client now verifies that the certificate is valid and correct. Certificates are issued by known authorities such as Thawte or Verisign. This step is important because the certificate authenticates the Web server's organization as legitimate.
4. Once the certificate is validated, the client generates a one-time session key, which will be used to encrypt all communication with the Web server.
5. The client now encrypts the session key with the Web server's public key, which was transmitted with the digital certificate. Using the Web server's session key ensures that only the Web server can decrypt the data.
6. At this point, a secure session is established, and both parties can communicate via a secure channel.

Securing the stack series Bookmark this index for our securing the stack series.

This handshake process allows the entities to communicate with confidence. The client and Web server actually pass data back and forth just as they would normally, using TCP. The difference is that the corresponding data traffic is encrypted. A few controls are also included to ensure the integrity of the message. This gives both parties confidence that the information has not been altered in transit.

Layer 6 threats

We can place a high level of confidence in SSL and TLS, but threats do exist. Two of the most likely can be categorized as fake certificate attacks and man-in-the-middle attacks. Fake certificate attacks require the attacker to provide the client with a fake certificate. Clients should notice this attack -- they will receive a pop-up dialog warning about a problem with the certificate. The certificate is very similar to a real certificate, except that it is not signed by a trusted certification authority. Man-in-the-middle attacks are difficult because the attacker must intercept communication between the client and server. The attacker then replaces the legitimate keys with his own.

Although these attacks against SSL are possible, a far greater threat comes from businesses that have decided to use no encryption at all and simply pass their customers information in clear text. All things considered, protocols such as SSL and TLS have proven themselves to be very competent. This is witnessed by the millions upon millions of secure exchanges that occur each day. If this discussion of SSL has sparked your interest to learn more about this technology, you may want check out Stunnel. Stunnel is designed to encrypt arbitrary TCP connections inside SSL.

About the author:
Michael Gregg has more than 15 years of experience in IT. He is the president of Superior Solutions Inc., a Houston-based training and consulting firm, and an expert on networking, security and Internet technologies. Michael holds two associate degrees, a bachelor's degree and a master's degree. He currently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in Security across network boundaries with Secure Mobile Architecture USB storage devices: Two ways to stop the threat to network security Network security: Using unified threat management (UTM) Network security: Empower users without endangering IT Network analysis -- Enhancing security assessments VPN security: Hiding in plain sight, using network encryption The OSI Model What network monitoring tools monitor all OSI layers? How do routers and switches differ in the OSI model? How can I define the layered approach to protocols? How does a Layer 3 switch work in a network? OSI -- Securing the stack OSI: Securing the Stack, Layer 8 -- Social engineering and security policy OSI: Securing the Stack, Layer 7 -- Applications Network security -- Taking the layered approach Is it possible to convert a Layer 2 switch to a Layer 3 switch? OSI: Securing the Stack, Layer 4 -- Fingerprinting RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ES-IS  (WhatIs.com) FTAM  (SearchNetworking.com) layer 2  (SearchNetworking.com) Network layer  (SearchNetworking.com) OSI  (SearchNetworking.com) physical layer  (SearchNetworking.com) Session layer  (SearchNetworking.com) Technical Office Protocol  (SearchNetworking.com) TP0-TP4  (SearchNetworking.com) Transport Services Access Point  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.