Overview
What is SSL? SSL stands for Secure Sockets Layer, an encryption technology that was originally created by Netscape in the 1990s. SSL creates an encrypted connection between your web server and your visitors' web browsers, allowing private information to be transmitted without the problems of eavesdropping, data tampering, and message forgery.
To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on your web server. When a web browser connects to a site that uses an SSL certificate, it usually displays a padlock icon, but it may also display a green address bar. Once you have installed an SSL Certificate, you can access the site securely by changing the URL from http:// to https://. If SSL is properly deployed, the information transmitted between the web browser and the web server (whether it is contact or credit card information) is encrypted and seen only by the organization that owns the website.
HTTP is insecure and is subject to eavesdropping attacks, which can let attackers gain access to online accounts and sensitive information if critical data such as credit card details and account logins is transmitted and picked up. Ensuring that data is sent or posted from the browser over HTTPS ensures that such information is encrypted in transit.
Millions of online businesses use SSL certificates to secure their websites and allow their customers to place trust in them. In order to use the SSL protocol, a web server requires an SSL certificate. SSL certificates are provided by Certificate Authorities (CAs).
SSL (Secure Sockets Layer) is the standard security technology for encrypting a connection between a web server and a browser. Once established, this connection encrypts all traffic and ensures that all data passed between the web server and browser remains private. SSL is a standard and is used by millions of websites to protect their online transactions with their customers. Many software applications support SSL, such as web browsers (Internet Explorer, Firefox, Chrome), file transfer programs (SFTP), and email programs. However, in order to have an SSL-encrypted connection, a web server requires an SSL Certificate.
What is an SSL Certificate?
SSL Certificates provide secure, encrypted communications between a website and an internet browser. SSL stands for Secure Sockets Layer, the protocol which provides the encryption. SSL Certificates are typically installed on pages that require end-users to submit sensitive information over the internet like credit card details or passwords. Example pages include payment pages, online forms and login pages.
An SSL certificate ensures safe, easy, and convenient Internet shopping. Once an Internet user enters a secure area, by entering credit card information, an email address, or other personal data, for example, the shopping site's SSL certificate enables the browser and Web server to build a secure, encrypted connection. The SSL "handshake" process, which establishes the secure session, takes place discreetly behind the scenes without interrupting the consumer's shopping experience. A "padlock" icon in the browser's status bar and the "https://" prefix in the URL are the only visible indications of a secure session in progress.
Trusted SSL Certificates are issued by Certificate Authorities (CAs) and are available in three basic types:
1. Domain Validated,
2. Organization Validated and
3. Extended Validation.
Domain Validated certificates are generally the least expensive and are issued after the CA has verified that the applicant has control of the domain mentioned in the certificate. Domain Validation certificates are perfect for small non-e-commerce websites like blogs and personal sites. They simply require you to prove control over the domain, and then you can encrypt. In fact, some companies have even begun to offer no-frills, encryption-only DV certificates for free.
Organization Validated certificates are issued after the CA has verified domain control and conducted background checks into the company that owns the website. These offer a degree of business authentication, meaning that the Certificate Authority issuing the certificate will vet your company to ensure that it is indeed legitimate. The downside to OV certs is that the visual indicators are nearly identical to EV certs, and people often miss the vital details that come with having your business authenticated. These certificates are good for larger enterprise businesses that already have outstanding reputations.
Extended Validation certificates offer the highest level of trust to the end-user and turn the address bar green during secure sessions. EV certificates are issued according to the guidelines set out by the CA/Browser Forum. The top-of-the-line SSL/TLS certificates are Extended Validation. These require the most vetting but also unlock the most obvious visual indicators: a green address bar with your organization's name in it. These certificates offer an ideal level of business authentication, come with the best trust seals (another visual indicator of SSL encryption) and are often packaged with other high-end security products to make them a better value. They're also proven to increase conversions and ultimately will pay for themselves.
Each Extended Validation SSL Certificate (EV SSL Certificate) displays the green address bar during secure sessions so customers see the reassurance they need to complete their transaction.
What is an Extended Validation Certificate?
As the highest 'class' of SSL available, Extended Validation SSL Certificates (EV SSL) activate both the padlock and the green address bar in all major browsers. EV SSL Certificates provide the strongest encryption level available and enable the organization behind a website to present its own verified identity to website visitors. EV SSL Certificates offer a stronger guarantee that the owner of the website passed a thorough, and globally standardized, identity verification process defined within the EV guidelines. The Extended Validation identity verification process requires the applicant to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the Certificate.
A site with an EV SSL Certificate (Advanced SSL)
A Site Without an EV SSL Certificate (Standard SSL)
Why Is an SSL Certificate Required?
All communications sent over regular HTTP connections are in 'plain text' and can be read by any hacker that manages to break into the connection between your browser and the website. This presents a clear danger if the 'communication' is on an order form and includes your credit card details or social security number.
With an HTTPS connection, all communications are securely encrypted. This means that even if somebody managed to break into the connection, they would not be able to decrypt any of the data which passes between you and the website.
EV SSL Features and Advantages
- Green bar builds immediate customer trust and helps with conversion
- Highest strength 2048-bit signatures with 256-bit encryption
- Recognized by 99.9% of browsers and mobile devices
- Free TrustLogo site seal
- Unlimited server licenses
- Priority phone support
- Customer information, like credit card numbers, is encrypted and cannot be intercepted
- Visitors can verify you are a registered business and that you own the domain
- Customers are more likely to trust and complete purchases from sites that use HTTPS
HTTP VS HTTPS
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.
What is HTTPS?
HTTP is the now 15-year-old protocol on which the world wide web was built. HTTP stands for "hypertext transfer protocol" and offers a method of data communication for the Internet.
The problem with HTTP connections is that they are unsecured. This means that any data transferred with the HTTP protocol is out in the open: it can be intercepted and even manipulated by third parties.
How Does HTTPS Work?
HTTPS pages typically use one of two secure protocols to encrypt communications: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key, and vice versa.
As the names suggest, the 'private' key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.
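The server's certificate only proves identity if the client actually checks it. The following added Python example (not code from the original page) shows an `ssl` client context with verification switched off beside a hardened one, plus a small audit function that flags the weak settings; `audit_client_context` and the finding labels are this example's own names.

```python
import ssl

# Findings reported by the audit below (constructed labels for this example).
NO_CERT_VERIFY = "certificate verification disabled (verify_mode=CERT_NONE)"
NO_HOSTNAME_CHECK = "hostname check disabled (check_hostname=False)"
OLD_TLS_ALLOWED = "protocol versions below TLS 1.2 allowed"


def insecure_client_context() -> ssl.SSLContext:
    """Anti-pattern: the handshake still encrypts, but any certificate is
    accepted, so the client has no idea which server it is talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, even self-signed
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Recommended: the default context loads the system CA store, requires a
    valid chain and a matching hostname, and here also refuses TLS < 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weak settings found on a client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(NO_CERT_VERIFY)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(OLD_TLS_ALLOWED)
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```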
Definition - What does Encryption mean?
Encryption can be thought of as locking something valuable into a strong box with a key. Conversely, decryption can be compared to opening the box and retrieving the valuable item. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted using a key. Encrypted data and the key used to encrypt data are both unintelligible.
Encryption - Encryption is the process of making data unreadable by other humans or computers for the purpose of preventing others from gaining access to its contents.
Encryption is the process of translating plain text data (plaintext) into something that appears to be random and meaningless (ciphertext). Decryption is the process of converting ciphertext back to plaintext. To encrypt more than a small amount of data, symmetric encryption is used.
In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
The purpose of encryption is to ensure that only somebody who is authorized to access data (e.g. a text message or a file) will be able to read it, using the decryption key.
Ciphertext - A message that has been encrypted.
Plaintext - A message that is not encrypted. Plaintext messages are sometimes referred to as cleartext messages.
Symmetric key - A secret key used with a symmetric cryptographic algorithm (that is, an algorithm that uses the same key for both encryption and decryption). Such a key needs to be known to all communicating parties.
There are two main types of encryption:
1. Asymmetric encryption (also called public-key encryption) and
2. Symmetric encryption.
The main purpose of encryption is to secure sensitive or confidential data stored on a computer or transmitted via the internet. Encryption plays a vital role in security technologies such as SSL Certificates.
Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. This cryptographic method protects sensitive data such as credit card numbers by encoding and transforming information into unreadable cipher text. This encoded data may only be decrypted or made readable with a key. Symmetric-key and asymmetric-key are the two primary types of encryption.
Encryption is essential for ensured and trusted delivery of sensitive information
Symmetric-key encryption uses two secret, often identical keys or codes for the computers involved in message transmission. Each secret key's data packet is self-encrypted. The first symmetric encryption algorithm is the Data Encryption Standard (DES), which uses a 56-bit key and is not considered attack-proof. The Advanced Encryption Standard (AES) is considered more reliable because it uses a 128-bit, 192-bit or 256-bit key.
Asymmetric-key encryption, also known as public-key encryption, uses private and public keys in tandem. The public key is shared with computers attempting to communicate securely with the user’s computer. This key handles encryption, rendering the message indecipherable in transit. The private matching key remains private on the user’s computer. It decrypts the message and makes it readable. Pretty good privacy (PGP) is a commonly used public-key encryption system.
In public-key encryption, a message is encrypted with the recipient's public key. The message cannot be decrypted by anyone who does not possess the matching private key; the holder of that key is thus presumed to be its owner and the person associated with the public key. This is used in an attempt to ensure confidentiality.
Definition - What does Decryption mean?
Decryption - Decryption is the process of taking encoded or encrypted text or other data and converting it back into text that you or the computer can read and understand. This term could be used to describe a method of un-encrypting the data manually or un-encrypting the data using the proper codes or keys.
Decryption is the process of transforming data that has been rendered unreadable through encryption back to its unencrypted form. In decryption, the system extracts and converts the garbled data and transforms it into text and images that are easily understandable not only by the reader but also by the system. Decryption may be accomplished manually or automatically. It may also be performed with a set of keys or passwords.
Decryption
The decryption process involves converting the encrypted data back to its original form for the receiver's understanding. The same process is performed at the beginning of the encryption and decryption process (connection established), as described in the encryption part at the sender side, to generate the same private position at the receiver side to eliminate the key from the cipher text.
Encrypt key:
a=e, b=f, c=g, d=h, e=i, f=j, g=k, h=l, i=m, j=n, k=o, l=p, m=q, n=r, o=s, p=t, q=u, r=v, s=w, t=x, u=y, v=z, w=a, x=b, y=c, and z=d.
Decrypt key:
a=w, b=x, c=y, d=z, e=a, f=b, g=c, h=d, i=e, j=f, k=g, l=h, m=i, n=j, o=k, p=l, q=m, r=n, s=o, t=p, u=q, v=r, w=s, x=t, y=u, and z=v.
Password - lwoosvz
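The encrypt and decrypt tables above are a single-alphabet shift of four places and its inverse. This added Python example (not code from the original page) builds both tables from that shift, checks that they undo each other, and runs the exhaustive key search that a 26-key keyspace invites; the function names and the sample word are this example's own choices.

```python
import string

ALPHABET = string.ascii_lowercase


def make_key(shift: int) -> dict:
    """Substitution table mapping each letter to the one `shift` places later."""
    return {c: ALPHABET[(i + shift) % 26] for i, c in enumerate(ALPHABET)}


# The page's tables: "a=e, b=f, ..." is a shift of +4; "a=w, b=x, ..." is the
# inverse shift of -4 (constructed here from the shift rather than typed out).
ENCRYPT_KEY = make_key(4)
DECRYPT_KEY = make_key(-4)


def apply_key(text: str, key: dict) -> str:
    """Substitute every letter through the table; case is preserved and any
    character outside a-z (digits, spaces, punctuation) passes through unchanged."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in key:
            sub = key[low]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str) -> str:
    return apply_key(plaintext, ENCRYPT_KEY)


def decrypt(ciphertext: str) -> str:
    return apply_key(ciphertext, DECRYPT_KEY)


def is_inverse_pair(enc_key: dict, dec_key: dict) -> bool:
    """True when decrypting every encrypted letter returns the original letter."""
    return all(dec_key[enc_key[c]] == c for c in ALPHABET)


def brute_force(ciphertext: str) -> dict:
    """Try every possible shift. With only 26 keys the whole keyspace is searched
    instantly, which is why key length matters for real ciphers."""
    return {shift: apply_key(ciphertext, make_key(-shift)) for shift in range(26)}


if __name__ == "__main__":
    sample = "password"  # constructed sample plaintext
    ct = encrypt(sample)
    print(sample, "->", ct, "->", decrypt(ct))
    for shift, candidate in brute_force(ct).items():
        print(f"shift {shift:2d}: {candidate}")
```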
Authentication
Authentication is crucial in making communication more secure. Users must be able to prove their identity to those with whom they communicate and must be able to verify the identity of others. Authentication of identity on a network is complex because the communicating parties do not physically meet as they communicate. This can allow an unethical person to intercept messages or to impersonate another person or entity.
Privacy
Whenever sensitive information is transmitted between computing devices on any type of network, users should generally use some sort of encryption to keep their data private.
Definition - What does 256-Bit Encryption mean?
256-bit encryption is a data/file encryption technique that uses a 256-bit key to encrypt and decrypt data or files.
It is one of the most secure encryption methods after 128- and 192-bit encryption, and is used in most modern encryption algorithms, protocols and technologies including AES and SSL.
256-bit encryption refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker would need to try 2^256 different combinations to break a 256-bit encrypted message, which is virtually impossible even for the fastest computers.
Typically, 256-bit encryption is used for data in transit, or data traveling over a network or Internet connection. However, it is also implemented for sensitive and important data such as financial, military or government-owned data. The U.S. government requires that all sensitive and important data be encrypted using 192- or 256-bit encryption methods.
Who should use EV SSL Certificates?
EV SSL Certificates should be used in all applications that require identity assurance, visible trust and strong encryption. High profile websites often targeted for phishing attacks, such as major brands, banks or financial institutions, should use EV SSL Certificates for all public facing websites, but any website collecting data, processing logins or online payments can also benefit from the increased trust provided by this higher class of SSL. EV SSL Certificates also allow less well known brands to use a standardized level of trust to compete against the more familiar brands already established on the Internet.
What are the benefits of using an EV SSL Certificate?
The primary benefit of EV SSL is to render trust and security in a simple, visible way that visitors both see and understand, helping organizations establish online trust and increase their perceived credibility. This directly translates into increased conversions and customer loyalty.
When visitors experience trusted browsing and know that any data exchange with the website is secure, their confidence will be increased. Website visitors will feel safer when buying on a website that has been verified and secured, and as such EV SSL Certificates provide the virtual equivalent of an accredited, safe and known location of a bricks and mortar retail shop. Combine visible security with good service and expect higher conversions and repeat business.
The sections that follow introduce the use of keys for encryption and decryption:
- Symmetric-Key Encryption
- Public-Key Encryption
- Key Length and Encryption Strength
Symmetric-Key Encryption
With symmetric-key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure.
Implementations of symmetric-key encryption can be highly efficient, so that users do not experience any significant time delay as a result of the encryption and decryption. Symmetric-key encryption also provides a degree of authentication, since information encrypted with one symmetric key cannot be decrypted with any other symmetric key. Thus, as long as the symmetric key is kept secret by the two parties using it to encrypt communications, each party can be sure that it is communicating with the other as long as the decrypted messages continue to make sense.
Symmetric-key encryption is effective only if the symmetric key is kept secret by the two parties involved. If anyone else discovers the key, it affects both confidentiality and authentication. A person with an unauthorized symmetric key not only can decrypt messages sent with that key, but can encrypt new messages and send them as if they came from one of the two parties who were originally using the key.
Symmetric-key encryption plays an important role in the SSL protocol, which is widely used for authentication, tamper detection, and encryption over TCP/IP networks. SSL also uses techniques of public-key encryption, which is described in the next section.
Public-Key Encryption
The most commonly used implementations of public-key encryption are based on algorithms patented by RSA Data Security. Therefore, this section describes the RSA approach to public-key encryption.
Public-key encryption (also called asymmetric encryption) involves a pair of keys, a public key and a private key, associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. Data encrypted with your public key can be decrypted only with your private key. Figure 2 shows a simplified view of the way public-key encryption works.
The scheme shown in Figure 2 lets you freely distribute a public key, and only you will be able to read data encrypted using this key. In general, to send encrypted data to someone, you encrypt the data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key.
Compared with symmetric-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data. However, it's possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL protocol.
As it happens, the reverse of the scheme shown in Figure 2 also works: data encrypted with your private key can be decrypted only with your public key. This would not be a desirable way to encrypt sensitive data, however, because it means that anyone with your public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign data with your digital signature, an important requirement for electronic commerce and other commercial applications of cryptography. Client software such as Firefox can then use your public key to confirm that the message was signed with your private key and that it hasn't been tampered with since being signed. "Digital Signatures" describes how this confirmation process works.
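To make both directions described above concrete, here is an added Python example (not code from the original page) of textbook RSA with constructed toy primes: a message encrypted with the public key is decrypted with the private key, and a hash "encrypted" with the private key becomes a signature that anyone holding the public key can check. The primes 61 and 53, the exponent 17 and all function names are this example's own choices.

```python
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17) -> tuple:
    """Textbook RSA key generation from two primes. Returns (public, private) as
    (n, e) and (n, d). Real keys use moduli of 2048 bits or more, not toy primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key: tuple, plaintext: bytes) -> list:
    """Encrypt with the recipient's public key, one byte per RSA block (byte < n).
    Without randomised padding such as OAEP, equal bytes give equal ciphertexts,
    which is one reason textbook RSA is never used as-is in practice."""
    n, e = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(private_key: tuple, ciphertext: list) -> bytes:
    """Only the holder of the private key can reverse the operation."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it so that it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    """The reverse scheme: the private key 'encrypts' the message hash."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone with the public key recovers the hash and compares it with a
    fresh hash of the message; any change to the message breaks the match."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)  # constructed toy primes
    print("public", public, "private", private)
    msg = b"order #42: ship 3 units"  # constructed sample message
    print(decrypt(private, encrypt(public, msg)) == msg)
    sig = sign(private, msg)
    print(verify(public, msg, sig), verify(public, b"order #42: ship 9 units", sig))
```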
Key Length and Encryption Strength
Breaking an encryption algorithm is basically finding the key to access the encrypted data in plain text. For symmetric algorithms, breaking the algorithm usually means trying to determine the key used to encrypt the text. For a public key algorithm, breaking the algorithm usually means acquiring the shared secret information between two recipients.
One method of breaking a symmetric algorithm is to simply try every key within the full algorithm until the right key is found. For public key algorithms, since half of the key pair is publicly known, the other half (private key) can be derived using published, though complex, mathematical calculations. Manually finding the key to break an algorithm is called a brute force attack.
Breaking an algorithm introduces the risk of intercepting, or even impersonating and fraudulently verifying, private information.
The key strength of an algorithm is determined by finding the fastest method to break the algorithm and comparing it to a brute force attack.
For symmetric keys, encryption strength is often described in terms of the size or length of the keys used to perform the encryption: in general, longer keys provide stronger encryption. Key length is measured in bits. For example, 128-bit keys for use with the RC4 symmetric-key cipher supported by SSL provide significantly better cryptographic protection than 40-bit keys for use with the same cipher. Roughly speaking, 128-bit RC4 encryption is 3 × 10^26 times stronger than 40-bit RC4 encryption. (For more information about RC4 and other ciphers used with SSL, see "Introduction to SSL.") An encryption key is considered full strength if the best known attack to break the key is no faster than a brute force attempt to test every key possibility.
Different ciphers may require different key lengths to achieve the same level of encryption strength. The RSA cipher used for public-key encryption, for example, can use only a subset of all possible values for a key of a given length, due to the nature of the mathematical problem on which it is based. Other ciphers, such as those used for symmetric key encryption, can use all possible values for a key of a given length, rather than a subset of those values.
Because it is relatively trivial to break an RSA key, an RSA public-key encryption cipher must have a very long key, at least 1024 bits, to be considered cryptographically strong. On the other hand, symmetric-key ciphers can achieve approximately the same level of strength with an 80-bit key for most algorithms.