Security for Commerce on the Internet
Secure Socket Layer (SSL)
Secure Socket Layer provides security at the lowest level of the protocol
hierarchy. The security furnished is transparent to the user; it is provided
at a level just above the basic TCP/IP service. Software using TCP often
specifies a "socket" at each end of a communication, which maps the software
processes at each end to the communication. At this level SSL can encrypt
all communication between the sockets on the fly and transparently.
Therefore, it can support security for virtually any Internet application.
In particular, electronic mail, TELNET, and FTP transactions as well as Web
exchanges can be protected using SSL. Most of the SSL process is involved
with the initial exchange of information to set up the secure channel. The
protocol begins with the client requesting authentication from the server.
The request specifies the encryption algorithms the client understands and
includes some challenge text. (Challenge text is essentially random material
that is returned in encrypted form; this prevents retransmission of earlier
ciphertext, which would contain different challenge text.)
The authentication that is returned by the server is in the form of a
certificate with a public-key signature of the server. The authentication
also includes the server's preferences for encryption algorithms. The client
then generates a master key, encrypts it with the server's key, and sends the
result to the server. The server then returns a message encrypted with the
master key. The master key is used to generate the keys used to send
messages.
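The exchange described above, sketched end to end as an added example (not code from the original page or from any SSL implementation). The RSA key, cipher labels, key derivation and stream cipher are constructed stand-ins, and certificate validation is omitted; the point is that a server reply recorded in one session is rejected in the next because the challenge text differs.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key (textbook RSA, no padding): illustration only, not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SERVER_PREFS = ["toy-stream-128", "toy-stream-40"]  # constructed cipher labels

def derive_key(master, challenge, label):
    # Assumed derivation: hash of master key, challenge and a direction label.
    return hashlib.sha256(master + challenge + label).digest()

def toy_encrypt(key, data):
    # Stand-in stream cipher (XOR with a SHA-256 keystream); it is its own inverse.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def client_hello():
    # Step 1: client lists the ciphers it understands and sends fresh challenge text.
    return {"ciphers": ["toy-stream-40", "toy-stream-128"],
            "challenge": secrets.token_bytes(16)}

def server_hello(hello):
    # Step 2: server returns its public key and its preferred cipher from the offer.
    cipher = next(c for c in SERVER_PREFS if c in hello["ciphers"])
    return {"public_key": (N, E), "cipher": cipher}

def client_master_key(server_msg):
    # Step 3: client generates a master key and encrypts it with the server's key.
    master = secrets.token_bytes(16)
    n, e = server_msg["public_key"]
    return master, pow(int.from_bytes(master, "big"), e, n)

def server_verify(encrypted_master, challenge):
    # Step 4: server recovers the master key and returns the challenge encrypted.
    master = pow(encrypted_master, D, N).to_bytes(16, "big")
    return toy_encrypt(derive_key(master, challenge, b"server"), challenge)

def client_accepts(master, challenge, reply):
    key = derive_key(master, challenge, b"server")
    return hmac.compare_digest(toy_encrypt(key, reply), challenge)

def handshake(recorded_reply=None):
    # Returns (negotiated cipher, server reply, whether the client accepted it).
    hello = client_hello()
    offer = server_hello(hello)
    master, encrypted_master = client_master_key(offer)
    reply = recorded_reply or server_verify(encrypted_master, hello["challenge"])
    return offer["cipher"], reply, client_accepts(master, hello["challenge"], reply)
```

Calling `handshake()` runs a fresh exchange; passing an earlier session's reply as `recorded_reply` shows the client rejecting it.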