VM:Webgateway Web Server
Select where you want to go:

Product Overview
Server Root Domain and User Pages
Files VM:Webgateway Can Serve
VM:Webgateway Content Filetypes
Filters
Worker Machines
Controlling Access to Files VM:Webgateway Serves
Locations from Which VM:Webgateway Can Serve Files
VM:Webgateway Configuration
Accounting for Serving Files
National Language Support
Securing Transmissions between VM:Webgateway and Web Browsers
Overview of SSL
Virtual Hosting
Server Log
Converting from Webshare

Overview of SSL (SSL)

Transmitting Data Privately | Ensuring the Data Is Not Altered During Transit | Authenticating the Web Server | SSL Handshake | Sample SSL Transaction

Secure Sockets Layer (SSL) is a security protocol that:

  • Ensures data is transmitted privately
  • Ensures that the content of the data is not altered during transit
  • Authenticates the web server; that is, it assures the web browser that the web server is owned by the organization it claims to be owned by
  • Authenticates the web browser; that is, the web server can optionally assure that the web browser has the required identification to access the server

Transmitting Data Privately

SSL uses encryption and decryption to ensure that data is transmitted privately. Encryption transforms data to a format that is not human readable. Decryption transforms encrypted data back into a human readable format.

Because the web server encrypts data before sending it to the web browser, web browser users are assured that only they can read the information sent by the web server. Additionally, because the web browser encrypts data before sending it to the web server, web browser users are assured that any information they enter on an HTML form can only be read by the organization that owns the web server.

SSL uses two types of encryption: public key and symmetric key.

Public key encryption

Public key encryption uses a key pair made up of a public and a private key. The keys are mathematically linked; that is, data encrypted with one key in the pair can only be decrypted using the other key in the pair. The public key can be distributed and made generally available. The private key is kept private by its owner.

A web server and web browser use public key encryption when first establishing communications in what is called the SSL handshake. During the SSL handshake, the web browser authenticates the web server. After the handshake is complete, the web server and web browser switch to the more efficient symmetric key encryption for the remainder of the transaction.

Symmetric key encryption

Symmetric key encryption uses a single key. The web browser and the web server create the key during the SSL handshake. The same key is used to both encrypt and decrypt the data. This encryption ensures that no one else can read the data being transmitted in either direction.

Ensuring the Data Is Not Altered During Transit

SSL uses cryptographic hashing to ensure that no one alters data during transit. Cryptographic hashing creates a unique hash value based on the content of transmitted data. The content of the data cannot be determined from the hash value and it is highly improbable to compose another message that computes to the same hash value. Both the web server and the web browser compute hash values using the same hashing algorithm. If the hash values are the same, the data was not altered.

When sending data to a web browser, the web server computes a hash value for data then sends the hash value and the data to the web browser. When the web browser receives this information, it computes its own hash value for the data then compares the two hash values. If they match, the web browser is assured that the data was not altered during transit. A similar process occurs when the web browser sends data back to the web server. The web browser computes a hash value then sends it and the data to the web server. The web server computes a hash value for the data and compares it to the hash value computed by the web browser.

This process assures web browser users that information they receive from the web server has not been altered and that information they enter on an HTML form is not altered before it reaches the web server.

Authenticating the Web Server

SSL uses digitally signed certificates to authenticate the web server (that is, to assure the web browser that it is communicating with the proper organization). A certificate is a data structure that contains information about an organization and attests to the identity of the organization. To assure web browser users that the information in the certificate is true, an organization has the certificate digitally signed by a certificate authority.

A certificate authority is a trusted company or organization that confirms that an organization is what it claims to be. To obtain a digitally signed certificate that attests to the identity of an organization, an organization must send a certificate signing request (CSR) to a certificate authority.

After conducting research to ensure the organization is what it claims to be, the certificate authority issues one or more certificates. The certificate authority sends either a single server certificate or a chain of certificates that is made up of a server certificate and one or more CA certificates.

A server certificate attests to the identity of the organization that requested the certificate; that is, the organization that owns the web server. A CA certificate attests to the identity of a certificate authority that signs a certificate. When a certificate authority issues a chain of certificates, the server certificate is signed by an intermediate CA certificate. An intermediate CA certificate is signed either by another intermediate CA certificate or the root CA certificate. For example: 

 Server              Intermediate        Root          
 Certificate         CA Certificate      CA Certificate
 -----------         --------------      --------------
 Subject:         +->Subject:         +->Subject:      
  Company         |   Intermediate CA |   Root CA      
                  |                   |                
 Signer:          |  Signer:          |  Signer:       
  Intermediate CA-+   Root CA  -------+   Root CA

A certificate authority has a public/private key pair. To digitally sign a certificate, the certificate authority computes a hash value based on the contents of the certificate. The certificate authority then encrypts the hash value with its private key. The digital signature is the encrypted hash value. The digital signature is stored with the certificate. When the organization that requested the certificate receives the certificate or chain of certificates from a certificate authority, it loads the certificates to its web server.

When a web browser user requests data using SSL, the web server sends the certificate or chain of certificates to the web browser. When the web browser receives the certificate, it can read the information about the organization.

To validate a certificate to ensure it contains the information digitally signed by the certificate authority, the web browser verifies the digital signature. Because the digital signature is an encrypted hash value that was computed based on the contents of the certificate, the web browser needs to compare hash values. The web browser computes a hash value based on the contents of the certificate it received. It then decrypts the digital signature to determine the hash value that the certificate authority computed. If the two hash values match, the web browser is assured that the certificate contains the information the certificate authority verified and digitally signed.

SSL Handshake

The SSL handshake occurs when a web browser user first requests information from a web server that is using SSL.

The following is accomplished during the SSL handshake:

  • The web browser and the web server negotiate the cipher suite they will use for the rest of the security services.
  • The web browser authenticates the web server.
  • The web server optionally requests the client certificate of the web browser, which it might use later to authenticate and authorize the browser.
  • The web browser selects and transmits a symmetric key to the web server.

Cipher Suites

A cipher suite is made up of three techniques:

  • Key exchange technique, which is how the web browser and web server will exchange the symmetric key that will be used for the symmetric encryption that takes place after the SSL handshake is complete.

  • Symmetric encryption technique, which is the type of symmetric encryption to be used (for example, RC2 or RC4).

  • Hashing technique, which is the type of hashing the web browser and the web server will use to ensure that the data is not altered during transit.

Authentication of the Web Server

To allow the web browser to authenticate the web server, the web server sends certificates that attest to the identity of the owner of the web server to the web browser. The certificates a web server send are the certificates it receives from a certificate authority, either a single server certificate or a chain of certificates made up of a server certificate and one or more CA certificates.

The web browser validates the certificates.

Transmission of the Symmetric Key

The web browser selects an appropriate symmetric key for the type of symmetric encryption to be used. It then encrypts the symmetric key using the web server's public key. (The web browser obtained the web server's public key from the server certificate.) The web browser then sends the encrypted symmetric key to the web server.

Using its private key, the web server decrypts the symmetric key. Now both the web browser and the web server have a secret key that they will use to send data back and forth. The handshake is complete.

Sample SSL Transaction

The following lists the steps in an SSL transaction when a browser user requests a web page that contains an HTML form, fills out the form, and submits it.

  1. The web browser user enters a URL to access information from a web server that is using SSL, for example:

    https://www.company.com:443/

  2. The web browser and web server perform the SSL handshake.

  3. The web server sends the requested data to the web browser by performing these steps:

    • Computes the hash value for the data.
    • Encrypts the data and hash value using the symmetric encryption key.
    • Sends the data and hash value to the web browser.

  4. The web browser receives the data and hash value. Then it:

    • Decrypts the data and hash value.
    • Creates a hash value for the data.
    • Compares its hash value to the hash value the web server computed.
    • Displays the data if the hash values match.

  5. The web browser user fills in information on an HTML form and uses the submit button to return the information to the web server.

  6. The web browser sends the HTML form data to the web server by performing these steps:

    • Computes the hash value for the data.
    • Encrypts the data and hash value using the symmetric encryption key.
    • Sends the data and hash value to the web server.

  7. The web server receives the data and hash value. Then it:

    • Decrypts the data and hash value.
    • Creates a hash value for the data.
    • Compares its hash value to the hash value the web browser computed.
    • Continues processing the request if the hash values match.

The process continues with steps 3-7 until the SSL transaction ends.

Top
Select where you want to go:
Copyright © 1998, Sterling Software, Inc.