server authentication

8/2/2019 Server Authentication

1/11

Server Authentication During

SSL Handshake


2/11

SSL or TLS?

SSL is the Secure Socket Layer. This is the security system

behind the protocol HTTPS (Hypertext Transfer Protocol

Secure) which was developed by Netscape Communications.

Strictly speaking, SSL no longer exists. After SSL version 3, it

was replaced by the Transport Layer Security (TLS) protocol.However, "SSL" became a generic name for the encryption

system of HTTPS. So, many people refer to SSL when they

really mean TLS.


3/11

Function

SSL/TLS is a security system that combines authentication and

encryption. In regular communication over a network, a client

contacts a server with a request. The server replies with a

response. Under SSL, only the client needed to present

authentication. With TLS, both the client and server mustprove their identity. The identification procedure includes an

encryption key, which is used to protect all transmissions once

the connection has been established.


4/11

Certificates

The SSL system relies on the user holding a valid certificate.The certificate validates the client or the server by showingtheir address, a validity period and a digital signature.Certificates are issued by Certificate Authorities. When aclient first contacts the server, it presents its certificate. The

server sends its certificate details to the client and checks theclients certificate with the issuing authority. The CertificateAuthority confirms the details of the certificate. If there is adiscrepancy between the details on the certificate sent by theclient and the details held by the certificate authority, the

HTTPS session cannot be established. Similarly, the certificatemust be current. While the server checks the client'scertificate, the client follows the same process to check theserver's certificate.


5/11

CAs

Worldwide, the certificate authority business is fragmented, with nationalor regional providers dominating their home market. This is because manyuses of digital certificates, such as for legally binding digital signatures, arelinked to local law, regulations, and accreditation schemes for certificateauthorities.

However, the market for SSL certificates, a kind of certificate used for

website security, is largely held by a small number of multinationalcompanies. This market has significant barriers to entry since newproviders must undergo annual security audits (such as WebTrustforCertification Authorities) to be included in the list ofweb browser trustedauthorities. More than 50 root certificates are trusted in the most popularweb browser versions. A 2009 market share report from Net Craft as of

January of that year determined that VeriSign and its acquisitions (whichinclude Thawte and Geotrust) have a 47.5% share of the certificationservices provider market, followed by GoDaddy (23.4%), and Comodo(15.44%).
http://en.wikipedia.org/wiki/Transport_Layer_Securityhttp://en.wikipedia.org/wiki/Barriers_to_entryhttp://en.wikipedia.org/wiki/Barriers_to_entryhttp://www.webtrust.org/http://en.wikipedia.org/wiki/Web_browserhttp://en.wikipedia.org/wiki/Web_browserhttp://en.wikipedia.org/wiki/Web_browserhttp://en.wikipedia.org/wiki/Web_browserhttp://news.netcraft.com/ssl-sample-report/CMatch/certshttp://en.wikipedia.org/wiki/VeriSignhttp://news.netcraft.com/ssl-sample-report/CMatch/certshttp://en.wikipedia.org/wiki/Thawtehttp://en.wikipedia.org/wiki/Geotrusthttp://en.wikipedia.org/wiki/VeriSignhttp://en.wikipedia.org/wiki/Thawtehttp://en.wikipedia.org/wiki/Geotrusthttp://en.wikipedia.org/wiki/GoDaddyhttp://en.wikipedia.org/wiki/Comodohttp://en.wikipedia.org/wiki/GoDaddyhttp://en.wikipedia.org/wiki/Comodohttp://en.wikipedia.org/wiki/Comodohttp://en.wikipedia.org/wiki/GoDaddyhttp://en.wikipedia.org/wiki/Geotrusthttp://en.wikipedia.org/wiki/Thawtehttp://en.wikipedia.org/wiki/VeriSignhttp://news.netcraft.com/ssl-sample-report/CMatch/certshttp://en.wikipedia.org/wiki/Web_browserhttp://www.webtrust.org/http://en.wikipedia.org/wiki/Barriers_to_entryhttp://en.wikipedia.org/wiki/Transport_Layer_Security


6/11

Enabling SSL

The concept of "SSL Enabled" expresses whether the address

the client or server is using has a valid certificate. Certification

doesn't authenticate the user. This level of security is handled

by other methods, like usernames and passwords. The SSL

Certificate-checking process is usually embedded in thebrowser of clients or in the server software of the server. The

user can enable SSL by looking through the network settings

of his browser. The server software also has an "Enable SSL"

option which the Systems Administrator should activate.

Check if SSL is enabled in your browser!!!


7/11

Server SSL

For domestic users, the certification process is handled by the

user's browser. For a server, the process is a little more

complicated. The server should have a certificate database

and needs to obtain a certificate from a trusted Certificate

Authority. After the certificate has been downloaded into thedatabase, it


8/11

Server Authentication During SSL

Handshake

SSL-enabled client software always requires serverauthentication, or cryptographic validation by a client ofthe servers identity. The server sends the client acertificate to authenticate itself. The client uses the

certificate to authenticate the identity the certificateclaims to represent.

To authenticate the binding between a public key and theserver identified by the certificate that contains the

public key, an SSL-enabled client must receive a yesanswer to the four questions shown in the followingfigure.


9/11


10/11

Public-key cryptography can be used to encrypt data communicated between two parties.This can typically happen when a user logs on to any site that implements the HTTP Secureprotocol. In this example let us suppose that the user logs on to his bank's homepagewww.bank.example to do online banking. When the user opens www.bank.examplehomepage, he receives a public key along with all the data that his web-browser displays.

When the user enters some information to the bank's page and submits the page (sends theinformation back to the bank) then the data the user has entered to the page will beencrypted by his web browser using the public key that was issued by www.bank.example.The key that can be used to decrypt the information is called the private key and it is onlyknown to the bank. Therefore, even if someone can access the (encrypted) data that wascommunicated from the user to www.bank.example, the (unencrypted) data that the userhas entered can only be decrypted by the bank, as only the bank knows the private key.

This mechanism is only safe if the user can be sure that it is the bank that he sees in his web

browser. If the user types in www.bank.example, but his communication is hi-jacked and afake web-site (that pretends to be the bank web-site) sends the page information back to theuser's browser, the fake web-page can send a fake public key to the user. The user will fill theform with his personal data and will submit the page which will be encrypted by the fakepublic key. The fake web-page will get access to the user's data since the fake web-page ownsthe fake private key.

A certificate authority is an organization that stores public keys and their owners and everyparty in a communication trusts this organization. When the user's web browser receives the

public key from www.bank.example it can contact the certificate authority to ask whether thepublic key does really belong to www.bank.example. Since www.bank.example uses a publickey that the certification authority certifies, a fake www.bank.example can only use the samepublic key. Since the fake www.bank.example does not know the corresponding private key, itcannot decrypt the user's answer.
http://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/HTTP_Securehttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptographyhttp://en.wikipedia.org/wiki/Public-key_cryptography


11/11

PKI Framework

Central to the growth of e-commerce and e-governance is the issue of trust inelectronic environment. The future of e-commerce and e-governance depends on thetrust that the transacting parties place in the security of transmission and the contentof communication.

Creating trust in electronic environment involves assuring the transacting parties aboutthe integrity and confidentiality of the content of documents along with authenticationof the sending and receiving parties in a manner that ensures that both the partiescannot repudiate the transaction. The paper based concepts of identification,declaration and proof are carried through the use of digital signatures in electronicenvironment. Digital signatures, a form of electronic signatures, are created and verified

using Public Key Cryptography that is based on the concept of a key pair generated by amathematical algorithm, the public and private keys.

The Information Technology Act, 2000 provides the required legal sanctity to the digitalsignatures based on asymmetric cryptosystems. The digital signatures are now acceptedat par with handwritten signatures and the electronic documents that have beendigitally signed are treated at par with paper documents.

The IT Act provides for the Controller of Certifying Authorities(CCA) to license and

regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issuedigital signature certificates for electronic authentication of users.

The CCA certifies the public keys of CAs using its own private key, which enables users inthe cyberspace to verify that a given certificate is issued by a licensed CA. For thispurpose it operates, the Root Certifying Authority of India(RCAI). The CCA alsomaintains the National Repository of Digital Certificates(NRDC), which contains all thecertificates issued by all the CAs in the country.
http://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/nrdc_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/rcai_about.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/becoming_ca.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/cca_organisation.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/informationtechnologyact2000.en.dohttp://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.dohttp://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.dohttp://cca.gov.in/rw/pages/rw/pages/useofpkiine-governance.en.do

server authentication

Documents