Abstract
Typically, internet banking and e-commerce websites are considered highly secure and implement more robust solutions for user authentication, such as client-side digital certificates rather than a user name and password combination, to ensure the safety of sensitive user data. SSL not only hides sensitive data but also protects millions of users, especially during online transactions. Securing sensitive data such as user login information, bank account and credit card details is an essential and challenging concern for e-commerce and banking websites, because such information typically travels across the wire and, while it is transmitted in clear text, can easily be sniffed or compromised by offensive attacks such as MITM or session hijacking. Hence, this paper addresses the inherent issue of web server security and the process of configuring and implementing SSL in the form of digital certificates on an ASP.NET website.
Secure Socket Layer (SSL)
The Secure Sockets Layer (SSL) is a security mechanism that encrypts communication between the client (browser) and the server (IIS) to prevent tampering with and eavesdropping on the transmitted sensitive data.
Generally, the data that travels between a browser and a web server is sent unencrypted, which exposes it to snooping. If an attacker somehow manages to intercept traffic sent between a web server and a browser, they can easily read that information and exploit our private data. So SSL ensures the privacy of sensitive data that travels across the wire by keeping it confidential and intact.
It has always been a point of discussion and conflict which OSI layer SSL belongs to. Some references place the SSL protocol in the session layer, whereas others say that it works at the transport layer.
SSL is in fact made up of two protocols. One operates at the upper end of the session layer and the other at the upper end of the transport layer. That is why some resources state that SSL works at the session layer and others say it works at the transport layer. Technically speaking, SSL ultimately operates at the transport layer, because the packets eventually travel through this layer.
SSL in Depth
SSL technology encrypts HTTP communication over port 443; it was developed by Netscape and is supported by a wide range of browsers. SSL does not actually modify the HTTP request: all encryption and decryption is handled by the web server's built-in SSL software itself. The only visible difference is that a URL protected by SSL begins with https:// rather than http://. A web server that supports SSL connections must have an X.509 certificate installed. Since it was developed by Netscape, it is not an open-community protocol or free to use, so its specification can't be modified. The open-community version of SSL is TLS (Transport Layer Security), which is more extensible and backward compatible with SSL.
SSL Certificates
Using SSL digital certificates, a user can decide whether to trust a website. SSL certificates typically contain your organization's digital identity, along with both symmetric and asymmetric keys. Generating, configuring and installing SSL certificates on a web server is not part of the developer's business; it is in fact the responsibility of website administration. Once an SSL certificate is obtained, it is installed on the web server hosting the specific website. Visitors who are concerned about security can confirm that your website is safe to use and your company is legitimate the moment they browse to your website and view the configured SSL certificate.
Organizations purchase a certificate from a renowned Certificate Authority (CA) and install it on the web server. The user implicitly trusts the CA and is therefore willing to trust the certificate information signed by the CA. The CA retains information about each registered user. A certificate, however, not only ensures the trustworthiness of the server but also provides safety for online transactions. We can view the certificate issued to a site by a CA just by clicking the padlock in the URL bar, as in the following:
The certificate itself contains identifying information. It is signed with the CA's private key to guarantee that it is authentic and has not been altered. The web server's own private key, also known as the SSL key, is paired with the SSL certificate and should reside securely on your web server. An SSL certificate is effectively married to its SSL key when the certificate is installed on the web server; because only that web server holds the SSL key, this validates that the web server can legitimately use the SSL certificate. A typical certificate, known as an X.509v3 certificate, contains the following basic information.
- Certificate Name, organization and address
- Serial Number
- Valid-from date of the certificate
- Holder Public key
- Signature Algorithms
- Expiry date
- Thumbprints
There are a few CAs, such as VeriSign, Thawte, DigiCert and Comodo, that issue digital certificates in exchange for money. If you don't want to purchase a certificate from a CA, you can generate your own self-signed certificate. Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CAs, because browsers ship with a pre-installed list of trusted CAs, referred to as the Trusted Root CA store. An organization must comply with the security and authentication standards established by the browser vendors to be added to the Trusted Root CA store. You can have a look at the certificates bound to the server's HTTPS listeners with the following command, or at the locally installed certificates via MMC, as in the following:
netsh http show sslcert
How SSL works
An SSL implementation requires a web server with SSL features enabled and a browser. One of the most important points to remember is that SSL only secures the connection (the communication medium between server and client); it does not offer security for the data once received. This means data is encrypted while being transmitted but is not protected after it has been received. SSL uses public key encryption and provides data encryption, message integrity and server and client authentication.
A website that a client accesses typically contains both public and secured segments. The secure portion requires the user to be authenticated in some fashion. When the client goes from a public page to the secure portion, the web server starts SSL and protects this type of communication.
The server then sends a message back to the client indicating that a secure session is being established, and the client in response sends its security parameters. The server compares those values to its own until it finds a match. The server authenticates itself to the client by sending it a digital certificate; if the client decides to trust the server, the process continues and a secure communication medium is finally established, otherwise it is terminated.
In some rare cases, the server can also require the client to send over a digital certificate for mutual authentication. The client generates a session key, encrypts it with the server's public key and sends it across to the server; now a genuine secure channel is established, where both ends use that symmetric key to encrypt data back and forth.
Note: The session ends when the client sends a FIN packet to the server.
The following diagram shows the comprehensive process of mutual authentication of a server and client to each other in the Secure Socket Layer.
Asymmetric encryption is the basic building block of SSL: the public key is freely distributed to encrypt a message that can only be decrypted by the corresponding private key. The Secure Socket Layer employs a third-party organization, a Certificate Authority (CA), to identify one end or both ends of the transaction. In short, this is how it works, as in the previous diagram:
- A browser sends a request to connect to the server and asks for a secure page (usually a document).
- The web server sends its public key with its signing certificate back to the client.
- The browser checks whether the certificate was issued by a CA it trusts. The client compares the information in the certificate with the information received from the website and verifies all the details. If everything checks out, the browser indicates that the server certificate is valid by showing a green padlock, and the client proceeds.
- The browser generates a random symmetric encryption key and encrypts it with the server's public key. Finally it sends it to the server along with the encrypted URL and other encrypted HTTP data.
- The web server decrypts the incoming packet using its private key and uses the symmetric key, which was generated randomly on the client side, to decrypt the URL and HTTP data.
- Then the requested document from the client, along with other data encrypted with the symmetric key, is sent back to the browser.
- Finally, the browser decrypts the packet using the symmetric key, and the secure session is established.
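As an added illustration (not code from the original article), the following Python model walks through the certificate fields listed earlier and the handshake steps above: a constructed CA signs a toy certificate, the browser verifies the signature, host name and validity dates before encrypting a random session key to the server's public key, and both sides then use that key symmetrically. Textbook RSA with tiny primes and a SHA-256 keystream stand in for the real algorithms, and the host name, serial number and dates are constructed.

```python
import hashlib
import secrets
from datetime import date
# Teaching model of the SSL handshake only: the keys are far too small and the
# primitives far too naive for real use; it shows the flow, not production crypto.
def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two constructed primes: returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_apply(key, m):          # public key: encrypt/verify; private key: decrypt/sign
    return pow(m, key[0], key[1])

def digest(data, n):            # SHA-256 reduced below the modulus so toy RSA can sign it
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

# Constructed CA and web-server key pairs (primes chosen for illustration only).
CA_PUB, CA_PRIV = rsa_keypair(1000003, 1000033)
SRV_PUB, SRV_PRIV = rsa_keypair(1000037, 1000039)

def to_be_signed(cert):         # canonical encoding of every field except the signature
    return repr(sorted((k, str(v)) for k, v in cert.items() if k != "signature")).encode()

def issue_certificate(subject, public_key, ca_priv=CA_PRIV):
    """CA step: fill in the X.509-style fields listed above and sign them."""
    cert = {"subject": subject, "serial": 4242, "public_key": public_key,
            "valid_from": date(2024, 1, 1), "expires": date(2025, 1, 1),
            "signature_algorithm": "sha256-toyRSA"}
    cert["signature"] = rsa_apply(ca_priv, digest(to_be_signed(cert), ca_priv[1]))
    return cert

def browser_handshake(cert, hostname, today, trusted_ca_pub=CA_PUB):
    """Steps 3-4: verify the certificate, then encrypt a fresh session key to it."""
    if rsa_apply(trusted_ca_pub, cert["signature"]) != digest(to_be_signed(cert), trusted_ca_pub[1]):
        raise ValueError("certificate was not signed by a trusted CA")
    if cert["subject"] != hostname:
        raise ValueError("certificate was issued to a different host")
    if not cert["valid_from"] <= today <= cert["expires"]:
        raise ValueError("certificate is expired or not yet valid")
    session_key = secrets.randbelow(cert["public_key"][1])
    return session_key, rsa_apply(cert["public_key"], session_key)

def server_accept(encrypted_key, srv_priv=SRV_PRIV):
    """Step 5: only the holder of the matching private key recovers the session key."""
    return rsa_apply(srv_priv, encrypted_key)

def sym_crypt(session_key, data):
    """Steps 6-7: toy XOR stream cipher keyed by the session key (self-inverse)."""
    key_bytes = session_key.to_bytes(8, "big")
    stream = b"".join(hashlib.sha256(key_bytes + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))
```

A certificate whose public key has been swapped, or one presented outside its validity window, is rejected by `browser_handshake` before any session key is sent, which is exactly the point of the CA signature check in step 3.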
SSL Advantage
SSL collectively offers the following advantages in modern e-commerce scenarios.
- Secures online banking transactions and hides credit card details.
- Secures system and website login credentials along with other sensitive information exchanged online.
- Secures the transfer of files over HTTPS and FTP(S) services.
- Secures hosting control panel logins and activity, such as cPanel and Parallels.
- Secures private network (intranet) data traffic such as file sharing and database connections.
- Secures network logins and other network traffic with SSL VPNs.
- Secures webmail and applications like Exchange Server, Office Communications Server and Outlook.
- Secures virtualization applications like cloud-based computing platforms.
Final Note
This article presented the internals of the Secure Socket Layer from a .NET perspective. It described the algorithm used to encrypt communication over the wire and the role of public key / private key combinations in securing sensitive data that is transmitted across the network. More interestingly, it explained how SSL works and the importance of SSL certificates that are issued by a trusted CA and help prove the genuine identity of a website. Finally, we have come to an understanding of the various advantages of implementing SSL on a website.