Enabling Technologies – Secure Sockets Layer (SSL)

by Bill H.

Netscape’s Secure Sockets Layer (SSL) protocol is currently the most widely used method for performing secure transactions on the Web and is supported by most Web servers and clients including Netscape Navigator and Microsoft Internet Explorer.

The Secure Sockets Layer (SSL) protocol provides several features that make it particularly suitable for use in e-commerce transactions.

Privacy is guaranteed through encryption. Although information can still be intercepted by a third party, they will be unable to read it as they have no access to the encryption key.

Integrity is also ensured through encryption. If information is received that will not decrypt properly, then the recipient knows that it has been tampered with during transmission.

Authentication is provided through digital certificates. Digital certificates provide the basis for secure electronic transactions as they enable all participants in a transaction to quickly and easily verify the identity of the other participants.

Encryption Process
Essentially, SSL is secret-key encryption nested within public-key encryption, authenticated through the use of certificates.

Both secret-key and public-key encryption are used because public-key encryption is relatively slow compared to secret-key encryption. Initially, the client and server exchange public keys, and then the client generates a secret encryption key that is used only for this transaction; this is referred to as the session key. The client then encrypts the session key with the server’s public key and sends it to the server. For the rest of the transaction, the client and the server can use the session key for secret-key encryption.

An SSL connection is initiated by the client (normally a Web browser) by requesting a document to be sent through the HTTPS protocol as opposed to the standard HTTP protocol. This is done simply by prefixing the URL with “https” instead of “http”.

For example:

http://server.domain.com/index.html

requests the document index.html be sent through the standard HTTP protocol, whilst

https://server.domain.com/index.html

requests the same document be sent using the HTTPS protocol which incorporates SSL.

Here in detail are the steps taken during an SSL transaction:

  1. The client sends a request for a document to be transmitted using the HTTPS protocol by prefixing the URL with “https”.
  2. The server sends its certificate to the client.
  3. The client checks if the certificate was issued by a Certificate Authority (CA) it trusts. If not, it gives the user the option to continue or to terminate the transaction.
  4. The client compares the information in the certificate with the information it just received concerning the site: its domain name and its public key. If the information matches, the client accepts the site as authenticated.
  5. The client tells the server which ciphers (encryption algorithms) it supports.
  6. The server chooses the strongest common cipher and informs the client.
  7. The client generates a private (or session) key using the agreed cipher.
  8. The client then encrypts the session key using the server’s public key and sends it to the server.
  9. The server receives the encrypted session key and decrypts it with its private key.
  10. The client and the server then use the session key for the rest of the transaction.
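The hybrid scheme described above (a session key wrapped under the server’s public key, then secret-key encryption of the data) carried out end to end in steps 7 to 10, as an added illustration that is not part of the original article. It is a toy: the RSA primes are constructed demo values far too small for real use, the symmetric cipher is a SHA-256 keystream good for a single message, and the certificate check of steps 3 and 4 is omitted. Unlike the article’s description, it appends an HMAC tag, because decrypting a modified ciphertext does not by itself reveal tampering.

```python
import hashlib, hmac, secrets

# Constructed demo primes: real RSA uses ~1024-bit primes, these are far too small for real use.
P, Q, E = 1000000007, 998244353, 65537

def make_server_keypair(p=P, q=Q, e=E):
    """Server's RSA keys: public (e, n) goes into its certificate, private (d, n) stays on the server."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(pub, msg):
    """Step 8: client wraps the session key under the server's public key."""
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "textbook RSA can only encrypt a value smaller than n"
    return pow(m, e, n)

def rsa_decrypt(priv, c, length):
    """Step 9: server unwraps the session key with its private key."""
    d, n = priv
    return pow(c, d, n).to_bytes(length, "big")

def keystream(key, length):
    """Keystream from the shared session key: SHA-256 in counter mode (toy, single message only)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Step 10: secret-key encryption. An HMAC tag is appended, since decryption alone cannot detect tampering."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; a modified ciphertext is rejected rather than silently garbled."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: data was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

def ssl_transaction(document=b"GET /index.html HTTP/1.0"):
    """Steps 7-10 end to end; returns True when the server reads exactly what the client sent."""
    pub, priv = make_server_keypair()
    session_key = secrets.token_bytes(7)                                 # step 7: 56-bit key, must stay below n
    server_copy = rsa_decrypt(priv, rsa_encrypt(pub, session_key), 7)    # steps 8-9
    return unseal(server_copy, seal(session_key, document)) == document  # step 10
```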

An alternative secure protocol is the Secure Electronic Transaction (SET) protocol developed by Visa and MasterCard specifically for enabling secure credit card transactions on the Internet. Designed for cardholders, merchants, banks and other card processors, SET uses digital certificates to ensure the identities of all parties involved in a purchase. SET also encrypts credit and purchase information before transmission on the Internet.
