The Secure Socket Layer (SSL) Protocol

The Secure Socket Layer (SSL) is an open, non-proprietary protocol designed by Netscape Communications for securing data communications across computer networks. [4], [5] SSL is sandwiched between the application protocol (such as HTTP, Telnet, FTP, NNTP) and the connection protocol (such as TCP/IP, UDP). SSL provides server authentication, message integrity, data encryption and optional client authentication for TCP/IP connections. [4] With the addition of SSL, data security can be ensured.

Information travels over the Internet through a series of routing steps; this means it can be routed through many computer systems before it reaches the trusted server. Any one of these computer systems represents an opportunity for the information to be accessed. SSL ensures that the intermediary computers "cannot deceive you, eavesdrop on you, copy from you, or damage your communications." [2]

SSL protects Internet communication through the following features:

Upon the initial connection, SSL performs a security "handshake" used to start the TCP/IP connection. The handshake enables the client and server to agree on the level of security they will use. Once they have agreed on the level of security, any authentication requirements are taken care of. SSL uses encryption and authentication technology developed by RSA Data Security Inc. [2] Server authentication is accomplished by means of ISO X.509 digital certificates in conjunction with RSA public key cryptography. A digital certificate verifies the connection between a server's public key and the server's identification. These certificates are issued by trusted third parties known as certificate authorities. Once the handshake process is done, all transmission is encrypted by the RC4 stream encryption algorithm with a 40-bit key. [2] A message encrypted with 40-bit RC4 takes a 64-MIPS computer one year of dedicated processor time to break. [2] This encryption remains valid between client and server over multiple connections. But since the encryption changes from time to time, the same amount of effort must be expended to crack every message! Although 40-bit RC4 encryption is not military-grade security, the amount of effort needed to break any information transmitted is certainly nontrivial. [4]
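As an added example (not from the original article or from Netscape), the Python sketch below audits a client configuration for the two things the handshake settles: whether the server's certificate is verified, and what strength of cipher is accepted. It assumes Python's standard `ssl` module, which implements TLS, the successor to SSL; the function names, the 128-bit floor and the sample cipher entries are illustrative choices.

```python
import ssl

MIN_BITS = 128  # assumed policy floor for symmetric key strength

def weak_ciphers(ciphers):
    """Names of suites (dicts shaped like SSLContext.get_ciphers()) that are RC4, export, NULL or short-keyed."""
    flagged = []
    for c in ciphers:
        name = c.get("name", "")
        bits = c.get("strength_bits", MIN_BITS)
        if "RC4" in name or name.startswith("EXP") or "NULL" in name or bits < MIN_BITS:
            flagged.append(name)
    return flagged

def audit_context(ctx):
    """List the ways a client context would agree to a lower level of security."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    findings += ["weak cipher suite offered: " + n for n in weak_ciphers(ctx.get_ciphers())]
    return findings

def weak_client_context():
    """The weak setting: no certificate checks and no protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def hardened_client_context():
    """The corrected setting: verified X.509 chain, host name match, modern suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

# Constructed sample entries: a 40-bit export RC4 suite next to a modern one.
LEGACY_SAMPLE = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]

if __name__ == "__main__":
    print("legacy sample:", weak_ciphers(LEGACY_SAMPLE))
    print("weak context:", audit_context(weak_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
```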

In order to use SSL as part of a secure system, the server requires a digitally signed certificate. To obtain a certificate, a certificate request form must be submitted to a third-party organization that issues certificates, and an associated service fee must be paid. RSA Certificate Services, a division of RSA Data Security, Inc., will issue certificates to Netscape Server product customers at this time. In the future, Netscape will engage other certificate authorities for other products. [2]

The SSL protocol, like any other protocol, is designed to work with the existing network protocols (OSI or TCP/IP). It is strategically layered beneath the application protocols and above the connection protocols. [1] After initiating the security handshake to start the TCP/IP connection, SSL's only role is to encrypt and decrypt the byte stream of the application protocol being used. [4] Because of this placement, it may operate independently of the Internet application protocols and the Internet connection protocols. [1]

SSL was introduced in December of 1994; currently, over 3 million people, including a broad spectrum of industry-leading companies and organizations, are using SSL-enabled products and supporting the SSL protocol for Internet security. Some of the companies that are supporters of the SSL protocol are Apple Computer, Inc., Bank of America, Delphi Internet Services Corporation, IBM, MasterCard, Novell Inc., Microsoft Corporation [3], MCI Communications Corp., Sun Microsystems, Inc., and Visa International. [5] This broad band of supporters will promote the growth of electronic commerce on the Internet and private TCP/IP networks. [5]

References:

  1. http://www.netscape.com/newsref/std/SSL.html
  2. http://www.netscape.com/info/security-doc.html
  3. http://home.netscape.com/newsref/std/ssl_integration.html (winsock)
  4. http://home.netscape.com/newsref/ref/netscape-security.html
  5. http://www.netscape.com/info/newsrelease17.html (industry support)