Topic 35

Encryption and SSL by Nitish Gautam

SSL (Secure Sockets Layer) is a cryptographic protocol and applies cryptographic methods for such services like web email, web browsing, Internet faxing, etc. It provides authentication and privacy over the Internet using cryptography. SSL runs under protocols like HTTP, FTP, SMTP, etc. It also runs under various other applications, which form the TCP/IP protocol suite.

Encryption is the process of obscuring or hiding information so it is not read without any special knowledge. An example can be emails, and how passwords can be considered as special knowledge.

SSL was developed by Netscape and was released in 1996. Therefore, Netscape takes all responsibility for releasing it and developing it. And later, it served as a basis for TLS (Transport Layer security), later to be used by financial institutions like Visa, Master Card, etc. SSL had a big impact on the Internet. People started encrypting web pages, thereby making web pages hard to 'attack' and take over, as compared to earlier days, where there was no encryption and only normal encrypting methods were used.

It affected financial institutions the most, as they started using SSL on their home pages where people would log in and view their bank accounts on line. This was a big boom, and it provided safety for the company's website too. Also, before, companies would get attacked and they couldn't go anything about it. But now, their web pages were protected, and were secure. It had an effect on everybody, even on normal people who aspired to open websites and have SSL on them.

Some early weak points of SSL were that SSL could use only 40 Bit keys, because of legal restrictions. This was made so that they could read encrypted traffic. The US government explicitly imposed a 40-bit key space small enough to be broken by law enforcement agencies-wishing to read the encrypted traffic, while sting ll presenting obstacles to less-well-funded attackers.

There was also a time when the government wanted to encrypt emails and other forms of communication with their own encryption method. This was called (clipper?). This encrypted all emails, so that only the intended user can see them. But the government claims that it would have the encryption/decryption keys. This would result in our loss of privacy, and the government reading our stuff.

As SSL was introduced, people started using it incorrectly. Some websites only used SSL on the form submission page, but not securing the login page. This is hazardous, and SSL is not being used correctly, and also it is exposed to other people and can result in tampering and loss of information.

Basically, SSL is directly related to privacy. Companies used SSL to respect privacy and to ensure privacy. Now that web pages were more secure, users felt more secure, and started using the Internet more, as it became a safer zone.
And another form of insecure SSL is when it is not fully used. Sometimes, a website used SSL and other media and scripts along with it. This can also result in illegal results and furthermore, lower the safety of the website. The website is exposed more and can be attacked.

The advantages of SSL are that it secures the web page. It is also easy to use. It provides security more than any other protocol and it is used widely. Also, it cannot be broken easily, and prevents many attacks, including -man in the middle- attacks and so on. Also the data which is put in is processed with a different hash each time.

Along with advantages, are disadvantages. SSL can be broken into, it is not full proof. Also, many websites who use SSL tend to include other media and tamper with it, thereby making it insecure. Another disadvantage is that the certificates can expire, resulting in the same situation as without the SSL. Also, it is server dependent. This means that if a person gets into the server, then the SSL has no meaning. Another one is that it is used for only ONE page/email. This has limitations.

The advantage for Netscape is that it gets widespread publicity. SSL is used widely and they are also getting paid for it. This helps them and provides a cause. Also, another advantage can be that they are getting recognized. But also, SSL is like a open-source project now.

People have made many different forms of SSL using their source code, and added their name onto it. As we can see on the Internet, there are many free open source SSL projects out there. This is a disadvantage to Netscape, as their project is being literally 'plagiarized' by other people, or little companies.

Also, another point concerning encryption is a cipher. A cipher is basically an algorithm which encrypts. The cipher depends on a key. A key must be selected to encrypt a packet. Some types of ciphers include classical ciphers, polyalphabetic substitution ciphers, etc. Modern encryptions methods include symmetric key algorithms and asymmetric key algorithms.


Points to consider:
- Although SSL is encrypting information, it is creating a major gateway bottleneck. As secure sessions become more common, the gateway architecture is becoming less suitable for the servers.

- With encryption, there is a lot of server load since it encrypts each packet of information.

- It has a lot of cost for the systems handling encryption.

- Legal restrictions apply, as a company or the government cannot encrypt too much of a packet. A firm cannot encrypt more than a certain bit of information.

- During encryption, there are a lot of system crashes. And systems do not keep ‘backup keys’. The data, therefore, cannot be recoverable.