<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="Microsoft Word 97">
<TITLE>Hacking Truths: What they don't teach you in Manuals!!!!</TITLE>
<META NAME="Template" CONTENT="C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\html.dot">
</HEAD>
<BODY LINK="#0000ff" VLINK="#800080">
<FONT SIZE=2><P>______________________________________________________________</P>
<P>Secure Sockets Layer or SSL Torn Apart By Ankit Fadia </FONT><A HREF="mailto:ankit@bol.net.in"><FONT SIZE=2>ankit@bol.net.in</FONT></A></P>
<FONT SIZE=2><P>_______________________________________________________________</P>
<P>Secure Sockets Layer or SSL is a secure protocol, and it is the reason why secure E-Commerce and E-Banking are possible. It has become the de facto standard for secure and safe online transactions. When Netscape first developed SSL, the main aim or motive behind it was to ensure that the client and host can communicate or transfer data and information securely.</P>
<P>What SSL does, in short, is encrypt data at the sender’s end and decrypt it at the receiver’s end. This encrypted data cannot be read or hijacked in between, and any tampering would not only be very difficult, it would also be easily detected. Not only that, SSL also provides for two-way authentication, i.e. verification of the client’s and the server’s identity.</P>
<P>The various functions or features of SSL can be divided into three main categories:</P>
<OL>
<LI>SSL Encrypted Connection: provides for secure and safe transmission of encrypted data between the client and the host.</LI>
<LI>SSL Client Authentication: an optional feature, which allows for verification of the client’s identity.</LI>
<LI>SSL Server Authentication: provides for verification of the server’s certificate, which is a trusted host certificate issued to the server by a Certificate Authority (CA) such as Verisign, Cybertrust or Thawte.</LI></OL>
<P>The main SSL protocol is made up of two smaller sub-protocols:</P>
<OL>
<LI>The Secure Sockets Layer Record Protocol or The SSL Record Protocol.</LI>
<LI>The Secure Sockets Layer Handshake Protocol or The SSL Handshake Protocol.</LI></OL>
<P>The SSL Record Protocol looks after the transmission and the transmission format of the encrypted data: it packages the encrypted data into records for transfer. It is also this sub-protocol of SSL which ensures data integrity in the transfer process. The SSL Handshake Protocol, on the other hand, is what determines the session key. To understand both these protocols better, read on.</P>
<P>****************</P>
<P>Hacking truth: A session key is a secret symmetric key, which is used to encrypt data after an SSL connection has been established between the client and the host.</P>
<P>****************</P>
<P>Secure Sockets Layer: The Working</P>
<P>Now as soon as you enter a secure site, SSL comes into play. But how do you know whether the connection is secure or not? Well, there are several things which reveal whether your connection is safe or unsafe.</P>
<P>The most common way to check whether your connection is secure or not is to look at the status bar of your browser. If you see a closed padlock, then the connection is secure; if you see an open padlock, then the connection is not secure. Another area to watch is the browser URL box. On an unsecured connection you will see only http:// before the rest of the URL of the site you are visiting. On the other hand, if the connection is secure then you will see https:// instead.</P>
<P>Another technique to ensure that you are on a secure connection is to have a look at the certificate of the server, issued by its Certificate Authority or CA. How do I do that? Well, simply right click on the page that you suspect to be on an unsecured connection, and select Properties. A properties box pops up. Now look for the Connection field. A typical Connection field would be as follows:</P>
<P>SSL 3.0, DES with 40 bit Encryption [Low]; RSA with 128 bit exchange.</P>
<P>This means that SSL 3.0 is running, DES is the symmetric cipher being used and it is running at a 40-bit encryption level; the [Low] rating reflects how weak a 40-bit key is. RSA is the public key algorithm used for the key exchange, and in this case it uses 128 bits.</P>
<P>Anyway, let me start from what happens once you are already on a secure connection. As soon as the browser knows that a secure connection is required, the SSL Handshake Protocol jumps into action. It sends the browser’s SSL version number, encryption settings and other crypto information to the remote host. Once the remote server receives this, it in turn sends back to the client its own SSL version number and cipher settings.</P>
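<P>As an added example (not part of the original article), the following Python code builds and parses the ClientHello that opens the handshake just described, framed the way the SSL Record Protocol transmits it: a 5-byte record header (content type, version, fragment length) around a handshake message carrying the client’s version number, a 32-byte random, the session ID, the offered cipher suites and the compression methods. The cipher-suite names are the registered TLS identifiers, which SSL 3.0 shares. The sample ClientHello is constructed here with an all-zero random, which a real browser would never send, and the weak-suite check flags the 40-bit export-grade suites that a [Low] rating in the Connection field corresponds to.</P>

```python
import struct

# Registered SSL/TLS cipher-suite identifiers (IANA values; SSL 3.0 uses the same codes).
CIPHER_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Protocol version as carried on the wire: (major, minor).
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

CONTENT_HANDSHAKE = 22      # record-layer content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 1  # handshake message type


def build_client_hello(version, suite_ids, session_id=b""):
    """Frame a ClientHello in a record, the way the client opens the handshake.

    The 32-byte client random is all zeros here so the sample is reproducible;
    a real client fills it from a cryptographic RNG.
    """
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suite_ids))
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"  # one compression method offered: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake))
    return record_header + handshake


def parse_record_header(data):
    """Split off the SSL Record Protocol header: type (1), version (2), length (2)."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record fragment truncated")
    return content_type, (major, minor), fragment


def parse_client_hello(record):
    """Return the fields of a ClientHello carried in a handshake record."""
    content_type, record_version, body = parse_record_header(record)
    if content_type != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    msg_type, msg_len = body[0], int.from_bytes(body[1:4], "big")
    if msg_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + msg_len]
    if len(hello) != msg_len:
        raise ValueError("handshake message truncated")
    client_version = (hello[0], hello[1])
    client_random = hello[2:34]
    sid_len = hello[34]
    pos = 35
    session_id = hello[pos:pos + sid_len]
    pos += sid_len
    (suites_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    suite_ids = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = hello[pos]
    compression = list(hello[pos + 1:pos + 1 + comp_len])
    return {
        "record_version": VERSIONS.get(record_version, "unknown %d.%d" % record_version),
        "version": VERSIONS.get(client_version, "unknown %d.%d" % client_version),
        "random": client_random,
        "session_id": session_id,
        "cipher_suite_ids": suite_ids,
        "cipher_suites": [CIPHER_SUITES.get(s, "unknown_0x%04x" % s) for s in suite_ids],
        "compression": compression,
    }


def weak_suites(suite_ids):
    """Name the offered suites a defender should flag: export-grade (40-bit) or single DES."""
    names = [CIPHER_SUITES.get(s, "unknown_0x%04x" % s) for s in suite_ids]
    return [n for n in names if "EXPORT" in n or "WITH_DES_" in n]


# Constructed sample: an SSL 3.0 client offering RC4-128, 3DES and two export suites.
SAMPLE_CLIENT_HELLO = build_client_hello((3, 0), [0x0004, 0x000A, 0x0003, 0x0008])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print(info["version"], info["cipher_suites"])
    print("weak suites offered:", weak_suites(info["cipher_suite_ids"]))
```

<P>The server’s reply (ServerHello) uses the same record framing and picks one of the offered suites, which is why the list a client offers is worth inspecting: a client that still offers export suites can be talked down to 40-bit encryption by a server that selects one.</P>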
<P>Also, if the server wants to, this is the time when it verifies the client’s certificate. [This is done only if an optional SSL feature, the SSL Client Authentication feature, is in use.]</P>
<P>NOTE: Client Authentication can also be done at a later stage. It varies from server to server as to when this authentication is done, or whether it is done at all.</P>
<P>Then the client verifies the server’s certificate and the Certificate Authority that issued it. This is done to ensure that the public key received by the client is that of the correct, authentic server. If the server does not have a CA-issued certificate, or if the certificate has expired, then a dialog box pops up informing the user. [Warning the user]</P>
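<P>The verification step just described, as an added example that is not from the original article: the function below models the decisions a client makes about the server’s certificate, using the dictionary shape that Python’s ssl.getpeercert() returns for a peer certificate. It warns when the issuer is not a trusted CA, when the certificate is expired or not yet valid, and when the certificate’s names do not match the host being visited. The sample certificate, its issuer and the trusted-CA set are constructed for the example; the trust check compares issuer names only and does not verify the chain’s signatures, which a real browser also does.</P>

```python
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# every name and date below is made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Trusted CA Root"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.example-shop.test"), ("DNS", "example-shop.test")),
}

# Constructed trust store: common names of the root CAs this client accepts.
TRUSTED_CAS = {"Example Trusted CA Root"}

# A fixed "current time" inside the sample validity period, for reproducible checks.
DEMO_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")


def issuer_common_name(cert):
    """Common name of the CA that issued the certificate, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def certificate_names(cert):
    """DNS names the certificate is valid for (SAN entries, else the subject CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert, hostname):
    """Exact match, or a wildcard (*.example.test) covering exactly one leftmost label."""
    host = hostname.lower()
    for name in certificate_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def check_server_certificate(cert, hostname, trusted_cas=TRUSTED_CAS, now=None):
    """Return the warnings a client would raise for this certificate; [] means accept."""
    if now is None:
        now = time.time()
    warnings = []
    if issuer_common_name(cert) not in trusted_cas:
        warnings.append("issuer not trusted")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("certificate expired")
    if not hostname_matches(cert, hostname):
        warnings.append("hostname does not match certificate")
    return warnings


if __name__ == "__main__":
    for host in ("www.example-shop.test", "www.other.test"):
        print(host, check_server_certificate(SAMPLE_CERT, host, now=DEMO_NOW) or "accepted")
    a_year_later = DEMO_NOW + 365 * 86400
    print("a year later:", check_server_certificate(SAMPLE_CERT, "www.example-shop.test", now=a_year_later))
```

<P>Each warning corresponds to a dialog the browser would raise; an empty list is the case where the padlock closes without a prompt. Passing an explicit <CODE>now</CODE> keeps the expiry checks reproducible instead of depending on the clock.</P>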
<P>Once the server’s identity has been authenticated, then the client creates a ‘Premaster Secret