Protecting Communication with SSL

Introduction The internet has experienced phenomenal growth in the last decade. Many confidential activities are now being performed via the internet such as banking and shopping. These services require private information to be exchanged, such as credit card numbers and login passwords. As well, it is necessary to authenticate the parties involved in the transaction. Imagine if anyone was free to impersonate you and obtain your bank statements! Many protocols exist today that ensure the identity of the parties communicating as well as their privacy. Most of these protocols are invisible to the application programmer because they are implemented as part of the operating system. SSL (Secure Sockets Layer) takes a different approach by being implemented above the TCP layer.[1] The most common interface to the TCP layer is sockets which is where the name Secure Sockets Layer is derived from. The purpose of this report is not to explain the SSL protocol in detail but rather to enlighten the application programmer to the basics of SSL and its various implementations. An overview of how to add SSL to application programs is also given. For this last section, a knowledge of sockets is assumed. SSL was developed by Netscape and SSLv2 (the second version) was first deployed in 1995 as part of Netscape Navigator, a popular web browser at the time.[1] Quickly, several variations of SSL appeared, including PCT (Private Communications Technology), TLS (Transport Layer Security) and SSLv3. The purpose of each variant was to fix problems with the original specification of SSL and resulted in compatibility problems. Eventually, SSLv3 became the most widely used variant and will be the focus of this report.[1] As mentioned previously, SSL is implemented above the TCP layer. This means that application programs need to be altered to take advantage of the features that SSL offers. In addition, SSL is only compatible with TCP and cannot be used in conjunction with UDP. The goal of SSL is to provide a reliable, encrypted and integrity-protected communication stream.[1] The reliability is provided by the TCP layer, while SSL adds encryption and integrity-protection. It is important to note that the TCP stream itself is not protected by SSL, only the data that is exchanged. The most common deployment model is to only authenticate the service provider, also known as the server.[2] The consumer, or client, usually confirms their identity by providing a secret password, however SSL does …