What is SSL?
All of us have visited SSL-protected sites many times. For example, the green location bar on the PayPal site shows us that the site is SSL protected.
So, let's try to learn more about the PayPal SSL certificate: double-click the green area and the browser will show some info. We can see that this certificate was issued by VeriSign for PayPal, Inc, and that the certificate has class 3 Extended Validation.
While it is clear who the certificate issuer and holder are, the certificate validation class requires some explanation:
Domain Validation (DV) SSL Certificates (class 1): the Certification Authority (CA) checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.
Organization Validation (OV) SSL Certificates (class 2): the CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers when clicking on the Secure Site Seal, giving enhanced visibility into who is behind the site and correspondingly enhanced trust.
Extended Validation (EV) SSL Certificates (class 3, the one that gives us the green location bar): the CA checks the right of the applicant to use a specific domain name PLUS it conducts a THOROUGH vetting of the organization. The issuance process of EV Certificates is strictly defined in the EV Guidelines, formally ratified by the CA/Browser Forum in 2007, which specify all the steps required of a CA before issuing a certificate, including:
- Verifying the legal, physical and operational existence of the entity
- Verifying that the identity of the entity matches official records
- Verifying that the entity has the exclusive right to use the domain specified in the EV Certificate
- Verifying that the entity has properly authorized the issuance of the EV Certificate
EV Certificates are available for all types of businesses, including government entities and both incorporated and unincorporated businesses. A second set of guidelines, the EV Audit Guidelines, specifies the criteria under which a CA needs to be successfully audited before issuing EV Certificates. The audits are repeated yearly to ensure the integrity of the issuance process.
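As an added example (not part of the original article), the following Python code reads the issuer and holder out of a certificate in the shape that Python's ssl.getpeercert() returns, and estimates the validation class from the subject fields: a DV certificate carries no organization, an OV certificate carries an organizationName, and an EV certificate additionally carries the businessCategory and serialNumber fields that the EV Guidelines require in the subject. The sample certificates are constructed, the field names are assumed to match what the ssl module reports, and the classification is a heuristic: browsers actually decide "green bar" EV status by matching the certificate's policy OID against their own EV list, so treat the result as a quick triage, not as proof.

```python
"""Heuristic DV/OV/EV classification of an X.509 subject (example code)."""

# Subject/issuer shape used by ssl.getpeercert(): a tuple of RDNs, each RDN a
# tuple of (attribute name, value) pairs.
Name = tuple[tuple[tuple[str, str], ...], ...]


def name_to_dict(name: Name) -> dict[str, str]:
    """Flatten the RDN structure into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def validation_class(cert: dict) -> str:
    """Return 'DV', 'OV' or 'EV' based on which subject fields were vetted.

    Assumption: EV issuance always populates businessCategory (OID 2.5.4.15)
    and serialNumber (OID 2.5.4.5) in the subject, as the EV Guidelines require.
    """
    subject = name_to_dict(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"  # only the domain name was validated
    ev_required = {"businessCategory", "serialNumber"}
    if ev_required.issubset(subject):
        return "EV"  # organization vetted against official records
    return "OV"  # some organization vetting, but not to the EV standard


def describe(cert: dict) -> str:
    """Summarise a certificate the way the browser dialog does."""
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    holder = subject.get("organizationName") or subject.get("commonName", "?")
    by = issuer.get("organizationName") or issuer.get("commonName", "?")
    return f"issued by {by} for {holder} ({validation_class(cert)})"


# Constructed sample certificates (not real certificates of any site).
DV_CERT = {
    "subject": ((("commonName", "blog.example.net"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
}
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "issuer": ((("organizationName", "Example OV CA"),),),
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "1234567"),),
        (("countryName", "US"),),
        (("organizationName", "Example Corp, Inc."),),
        (("commonName", "www.example.com"),),
    ),
    "issuer": ((("organizationName", "Example EV CA"),),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(cert))
```

With a live connection the same functions can be applied to the dictionary returned by ssl.SSLSocket.getpeercert(), which uses the same RDN layout.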
Encryption algorithms
There are several encryption algorithms available, using symmetric or asymmetric methods, with keys of various lengths. Usually algorithms cannot be patented; if Henri Poincaré had patented his algorithms, he would have been able to sue Albert Einstein... So algorithms cannot be patented, except mainly in the USA. OpenSSL is developed in a country where algorithms cannot be patented and where encryption technology is not reserved to state agencies such as the military and secret services. During the negotiation between browser and web server, the two applications each send the other a list of the algorithms they understand, ranked in order of preference. The common algorithm with the highest preference is then chosen. OpenSSL can be compiled with or without certain algorithms, so that it can be used in the many countries where restrictions apply.
Private & public keys
Encryption using a private key/public key pair ensures that data encrypted with one key can only be decrypted with the other key of the pair. This is sometimes hard to understand, but believe me, it works. The two keys are similar in nature and can be used either way round: what one key encrypts, the other key of the pair can decrypt. The key pair is based on prime numbers, and its length in bits determines how hard it is to decrypt the message without the matching key. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can send you an encrypted message that only you will be able to decrypt; you are the only one holding the other key of the pair, right? Conversely, you can certify that a message comes from you by encrypting it with your private key: only the associated public key will decrypt it correctly. Beware, in this case the message is not secret, you have only signed it. Everybody has the public key, remember!
One of the problems left is how to learn the public key of your correspondent. Usually you will ask him to send you a non-confidential signed message that contains his public key as well as a certificate.
Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message
Signing certificate
This process is required to confirm the identity of the certificate owner. Certification Authorities like VeriSign, Comodo or StartSSL do this. Or you can create a self-signed SSL certificate. You can read how to get a free SSL certificate from StartSSL.
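The following Python block is an added worked example (not part of the original article) serving both the "Private & public keys" section and this one. It builds two textbook RSA key pairs from small primes, shows the Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message flow and the reverse signing flow, and then uses the same signing primitive to issue a certificate: a CA signs the holder's name together with the holder's public key, and anyone holding the CA's public key can confirm the holder's identity. A self-signed certificate is the special case where issuer and holder are the same key, so it only validates if you have chosen to trust that key directly. The primes, names and the certificate layout are constructed for illustration; the raw RSA used here has no padding and byte-sized blocks, which is exactly why real deployments use OAEP/PSS padding and a symmetric cipher for the bulk data.

```python
"""Textbook RSA: encrypt/decrypt, sign/verify, and certificate signing (example code)."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return (public_key, private_key) = ((e, n), (d, n)) from two primes.

    Toy sizes only: real keys use primes of about 1024 bits or more.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def apply_key(key: tuple[int, int], value: int) -> int:
    """The one RSA operation: value^exponent mod n. Which key you use decides
    whether you are encrypting, decrypting, signing or verifying."""
    exponent, n = key
    return pow(value, exponent, n)


def encrypt(public_key, message: bytes) -> list[int]:
    # One byte per block with no padding: deterministic, so equal bytes give
    # equal ciphertext. Fine for illustration, never for real use.
    return [apply_key(public_key, b) for b in message]


def decrypt(private_key, ciphertext: list[int]) -> bytes:
    return bytes(apply_key(private_key, c) for c in ciphertext)


def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it below n so it fits one RSA block."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    return apply_key(private_key, digest(data, private_key[1]))


def verify(public_key, data: bytes, signature: int) -> bool:
    return apply_key(public_key, signature) == digest(data, public_key[1])


def to_be_signed(subject: str, public_key) -> bytes:
    """The part of the certificate the issuer signs: holder name + holder key."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(issuer: str, issuer_private, subject: str, subject_public) -> dict:
    return {
        "subject": subject,
        "public_key": subject_public,
        "issuer": issuer,
        "signature": sign(issuer_private, to_be_signed(subject, subject_public)),
    }


def validate_certificate(cert: dict, trusted: dict[str, tuple[int, int]]) -> bool:
    """Accept the certificate only if a trusted issuer's public key verifies it."""
    issuer_public = trusted.get(cert["issuer"])
    if issuer_public is None:
        return False  # unknown issuer: the browser would show a warning here
    return verify(issuer_public, to_be_signed(cert["subject"], cert["public_key"]), cert["signature"])


# Constructed key pairs from textbook-sized primes.
CA_PUBLIC, CA_PRIVATE = make_keypair(61, 53)      # n = 3233
SITE_PUBLIC, SITE_PRIVATE = make_keypair(89, 97)  # n = 8633
TRUST_STORE = {"Example CA": CA_PUBLIC}

if __name__ == "__main__":
    secret = decrypt(SITE_PRIVATE, encrypt(SITE_PUBLIC, b"hello"))
    print("decrypted:", secret)
    sig = sign(SITE_PRIVATE, b"pay 10 EUR")
    print("signature ok:", verify(SITE_PUBLIC, b"pay 10 EUR", sig))
    cert = issue_certificate("Example CA", CA_PRIVATE, "www.example.com", SITE_PUBLIC)
    print("CA-signed valid:", validate_certificate(cert, TRUST_STORE))
    selfie = issue_certificate("www.example.com", SITE_PRIVATE, "www.example.com", SITE_PUBLIC)
    print("self-signed valid:", validate_certificate(selfie, TRUST_STORE))
```

The last two lines show the difference that matters in practice: the CA-signed certificate is accepted because the verifier already trusts the CA's public key, while the self-signed one is rejected until its own key is added to the trust store.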
In my later articles I will show how to install certificates on different server software.