Introduction to Secure Socket Layer (SSL)
Secure Socket Layer (SSL) is a protocol designed to provide secure communication over a computer network. It ensures privacy, authentication, and data integrity between two communicating applications, such as a web browser and a web server. Although SSL has been succeeded by Transport Layer Security (TLS), the terms SSL and TLS are often used interchangeably.
Key Features of SSL:
- Encryption:
  - SSL uses encryption to ensure that data transferred between a client and server remains confidential and cannot be read by unauthorized parties. It employs symmetric encryption for data transfer and asymmetric encryption for key exchange.
- Authentication:
  - SSL uses digital certificates to authenticate the identity of the parties involved. Certificates are issued by trusted Certificate Authorities (CAs).
- Data Integrity:
  - SSL ensures data integrity by using message authentication codes (MACs) to verify that the data has not been altered during transmission.
- Secure Key Exchange:
  - SSL uses asymmetric encryption (e.g., RSA) to securely exchange symmetric encryption keys.
How SSL Works:
- Handshake Protocol:
  - The SSL handshake is the initial phase where the client and server negotiate security parameters and establish a secure connection.
  - Client Hello: The client sends a “hello” message to the server, which includes the client’s SSL version, cipher settings, and session-specific data.
  - Server Hello: The server responds with its SSL version, selected cipher settings, session-specific data, and its digital certificate.
  - Server Authentication and Pre-Master Secret: The client verifies the server’s certificate and sends a pre-master secret encrypted with the server’s public key.
  - Session Keys Creation: Both client and server generate session keys from the pre-master secret to encrypt and decrypt data.
  - Finished Messages: Both parties send finished messages encrypted with the session keys to confirm that the handshake was successful.
- Record Protocol:
  - After the handshake, the SSL record protocol manages the secure data transfer. Data is encrypted, fragmented into manageable blocks, and then transmitted.
- Closure Protocol:
  - When the communication session ends, both parties send closure alerts to ensure a clean termination of the secure connection.
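
The session-key step of the handshake and the record protocol's integrity check, as an added Go example that is not part of the original page. It uses the TLS 1.2 PRF from RFC 5246 with HMAC-SHA256 as the concrete derivation; the function names are this example's own and the input values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hm returns HMAC-SHA256(key, parts...).
func hm(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// prf is the TLS 1.2 PRF (RFC 5246, section 5), chosen here as the concrete KDF.
func prf(secret []byte, label string, seed []byte, n int) []byte {
	seed = append([]byte(label), seed...)
	var out []byte
	for a := hm(secret, seed); len(out) < n; a = hm(secret, a) {
		out = append(out, hm(secret, a, seed)...)
	}
	return out[:n]
}

// SessionKeys: pre-master secret + both hello randoms -> master secret -> MAC keys.
func SessionKeys(pre, cRand, sRand []byte) (clientMAC, serverMAC []byte) {
	master := prf(pre, "master secret", append(append([]byte{}, cRand...), sRand...), 48)
	block := prf(master, "key expansion", append(append([]byte{}, sRand...), cRand...), 64)
	return block[:32], block[32:] // cipher keys and IVs would come next in the block
}

// RecordMAC covers the sequence number, record header and fragment.
func RecordMAC(key []byte, seq uint64, frag []byte) []byte {
	hdr := []byte{0, 0, 0, 0, 0, 0, 0, 0, 23, 3, 3, 0, 0} // seq, type, version, length
	binary.BigEndian.PutUint64(hdr, seq)
	binary.BigEndian.PutUint16(hdr[11:], uint16(len(frag)))
	return hm(key, hdr, frag)
}

// VerifyRecord is the receiver's check for altered, reordered or replayed records.
func VerifyRecord(key []byte, seq uint64, frag, tag []byte) bool { return hmac.Equal(RecordMAC(key, seq, frag), tag) }

func main() { // constructed inputs: all-zero secret and randoms
	key, _ := SessionKeys(make([]byte, 48), make([]byte, 32), make([]byte, 32))
	fmt.Println(VerifyRecord(key, 1, []byte("hello"), RecordMAC(key, 0, []byte("hello"))))
}
```

Because the sequence number is part of the MAC input, a record that is replayed or delivered out of order fails verification even when its bytes are unchanged.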
Secure Electronic Transaction (SET)
Secure Electronic Transaction (SET) is a protocol developed to secure online credit card transactions. SET was designed to provide a secure method of purchasing goods and services over the Internet while ensuring the confidentiality and integrity of payment information.
Key Features of SET:
- Confidentiality:
  - SET ensures that payment information is encrypted, keeping it confidential and protected from eavesdroppers.
- Integrity:
  - SET uses digital signatures and hashing to ensure that the transaction data is not altered during transmission.
- Authentication:
  - SET verifies the identities of all parties involved (cardholder, merchant, and payment gateway) using digital certificates.
- Non-repudiation:
  - Digital signatures provide non-repudiation, ensuring that parties cannot deny their involvement in the transaction.
How SET Works:
- Participants:
  - The main participants in a SET transaction are the cardholder, merchant, issuer (the cardholder’s bank), acquirer (the merchant’s bank), and payment gateway.
- Digital Certificates:
  - Each participant has a digital certificate issued by a trusted Certificate Authority (CA). These certificates authenticate the identities of the participants and establish trust.
- Transaction Process:
  - Initiation: The cardholder initiates a purchase by sending an order and payment information encrypted with the merchant’s public key.
  - Order Information Encryption: The payment information is encrypted separately with the payment gateway’s public key to ensure that only the gateway can decrypt it.
  - Merchant Processing: The merchant receives the encrypted order and payment information, verifies the cardholder’s certificate, and forwards the payment information to the payment gateway.
  - Payment Authorization: The payment gateway decrypts the payment information, verifies it with the card issuer, and sends an authorization response back to the merchant.
  - Completion: The merchant completes the transaction by confirming the order and payment to the cardholder.
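
An added Go example, not part of the original page, that goes one step beyond the process above: SET's dual signature, the construction that lets one cardholder signature cover both the order and the payment information while the merchant and the gateway each see only their own part in clear. SHA-256 and Ed25519 stand in for SET's SHA-1 and RSA, encryption of the payment information is left out, and the function names and sample data are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// digest hashes one part of the purchase request.
func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// link binds the payment digest (PIMD) and the order digest (OIMD) into the
// single value the cardholder signs.
func link(pimd, oimd []byte) []byte {
	return digest(append(append([]byte{}, pimd...), oimd...))
}

// DualSign is the cardholder step: one signature covering both parts.
func DualSign(priv ed25519.PrivateKey, order, payment []byte) []byte {
	return ed25519.Sign(priv, link(digest(payment), digest(order)))
}

// MerchantVerify sees the order in clear but only the digest of the payment data.
func MerchantVerify(pub ed25519.PublicKey, order, pimd, sig []byte) bool {
	return ed25519.Verify(pub, link(pimd, digest(order)), sig)
}

// GatewayVerify sees the payment data in clear but only the digest of the order.
func GatewayVerify(pub ed25519.PublicKey, payment, oimd, sig []byte) bool {
	return ed25519.Verify(pub, link(digest(payment), oimd), sig)
}

// Scenario runs the exchange on constructed data with a throwaway cardholder key.
func Scenario() (merchantOK, gatewayOK, alteredOK bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	order, pay := []byte("order 1001: 2 books, 40.00"), []byte("card <placeholder>, 40.00")
	sig := DualSign(priv, order, pay)
	merchantOK = MerchantVerify(pub, order, digest(pay), sig)
	gatewayOK = GatewayVerify(pub, pay, digest(order), sig)
	alteredOK = MerchantVerify(pub, []byte("order 1001: 20 books, 40.00"), digest(pay), sig)
	return
}

func main() { fmt.Println(Scenario()) }
```

The third result is false: changing the order after signing breaks the link to the payment digest, so neither part can be swapped independently of the other.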
SSL and SET are protocols designed to secure different aspects of online communication and transactions:
- SSL: Ensures secure communication between clients and servers, commonly used to secure web traffic and prevent eavesdropping and tampering. It achieves this through encryption, authentication, and data integrity mechanisms established during the SSL handshake and maintained throughout the session.
- SET: Specifically designed to secure electronic transactions, particularly credit card payments over the internet. It employs encryption, digital signatures, and certificates to ensure the confidentiality, integrity, and authenticity of transaction data, providing a secure framework for online payments.
While SSL (and its successor TLS) is widely used today for securing web traffic, SET is less commonly used but set important precedents for secure transaction protocols. Understanding both protocols highlights the evolution and diversity of methods used to secure online communications and transactions.