CIW Course Revision Site

Secure Sockets Layer - SSL

In a Nutshell - CIW Course Section 3, Part B3, Chapter 6

SSL Overview

Secure Sockets Layer (SSL) operates between the Application and Transport layers of the OSI reference model to provide a security protocol for communications between a Web server and a Web browser. SSL provides encryption, authentication and message integrity to the Application layer.

As an additional layer between the Application and Transport layers, SSL can operate independently of the Internet protocols. The SSL protocol comprises two processes, the SSL handshake and the SSL record.

SSL Handshake

There are six phases to the SSL handshake to establish an encrypted session between client and server:

SSL Record

The second part of the SSL process, the SSL record, is made up of three parts: the Message Authentication Code (MAC), the message itself and any message padding. Messages are encrypted with a secret key, the server (and, optionally, the client) is authenticated, and message integrity is ensured with hash algorithms.
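The record structure described above, as an added example that is not part of the course material: a Python model of one SSL application-data record, built as message || MAC || padding and then encrypted under a session key, with the receiving side reversing the steps and rejecting anything modified or replayed. The cipher is a SHA-256 counter-mode stand-in assumed for the example (a real session uses the negotiated cipher suite); keys, sequence numbers and the message are constructed.

```python
import hashlib
import hmac

BLOCK = 16              # assumed cipher block size that the padding must fill
CONTENT_TYPE = 0x17     # SSL application_data record type
VERSION = b"\x03\x00"   # SSL 3.0 version bytes in the record header


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode) so the example runs with
    # the standard library only; the sequence number keeps each record's stream unique.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(mac_key: bytes, seq: int, message: bytes) -> bytes:
    # Keyed hash over sequence number, record type, length and message, so a
    # replayed or reordered record fails just like a modified one.
    data = seq.to_bytes(8, "big") + bytes([CONTENT_TYPE]) + len(message).to_bytes(2, "big") + message
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def seal_record(message: bytes, mac_key: bytes, enc_key: bytes, seq: int) -> bytes:
    # Record = header || Encrypt(message || MAC || padding); MAC is computed over
    # the plaintext before padding and encryption, as in the SSL record layer.
    body = message + _mac(mac_key, seq, message)
    pad_len = BLOCK - (len(body) % BLOCK)       # always at least one byte
    body += bytes([pad_len - 1]) * pad_len      # last byte carries padding length - 1
    sealed = _xor(body, _keystream(enc_key, seq, len(body)))
    return bytes([CONTENT_TYPE]) + VERSION + len(sealed).to_bytes(2, "big") + sealed


def open_record(record: bytes, mac_key: bytes, enc_key: bytes, seq: int) -> bytes:
    # Every failure raises the same error so the peer cannot distinguish a
    # padding fault from a MAC fault (padding-oracle mitigation).
    length = int.from_bytes(record[3:5], "big") if len(record) >= 5 else -1
    sealed = record[5:]
    if record[:3] != bytes([CONTENT_TYPE]) + VERSION or length != len(sealed) or length < BLOCK or length % BLOCK:
        raise ValueError("bad record")
    body = _xor(sealed, _keystream(enc_key, seq, length))
    pad_len = body[-1] + 1
    if pad_len > len(body) - 32 or body[-pad_len:] != bytes([pad_len - 1]) * pad_len:
        raise ValueError("bad record")
    message, tag = body[:-pad_len - 32], body[-pad_len - 32:-pad_len]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, message)):
        raise ValueError("bad record")
    return message


def rejected(record: bytes, mac_key: bytes, enc_key: bytes, seq: int) -> bool:
    # Helper for exercising the receiver: True when the record is refused.
    try:
        open_record(record, mac_key, enc_key, seq)
        return False
    except ValueError:
        return True
```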

Certificates Overview

Certificates help improve security by providing a level of identity validation.

There are four main types of certificate: a Certificate Authority (CA) certificate, a server certificate, a personal certificate and the software publisher certificate. Data security is improved by using SSL for encryption. This can only be done if a certificate is available on the server hosting the SSL connection.

X.509V3

X.509V3 is the current certificate standard, or was when the Scheidegger course material was published. This standard determines what information is held in a certificate. Each certificate contains a number of fields; the X.509V3 standard defines the following fields:

Requesting SSL Certificates

Most of us are likely to require a certificate to use SSL to secure a Web site or an email server. The request for a security certificate is prepared from the Internet Information Services Manager. It is essential that you have a domain name registered in your name or your company's name. The certificate request must be made in the name of the domain registrant. Part of the certificate issuing process will require you to provide proof of identity.

Select the "Properties" of the default Web server and click the "Directory Security" tab.

Directory Security

You may notice that the "View Certificate" and "Edit" buttons are enabled. This is because this server has a certificate installed. The "Server Certificate" button will start the "Web Server Certificate Wizard" which will guide you through the request creation process. Note, at this stage you are only preparing a certificate request file. This file will be submitted to the certificate issuer at a later time, when you actually order the certificate.

I recently obtained a certificate from InstantSSL billed through a company named Comodo. They were considerably cheaper than companies like Verisign.

Installing Server Certificates

When you purchase a security certificate, it is likely that the certificate file will be emailed to you as an attachment. This attachment should be saved to a suitable location on disk. I saved it on a disk on the IIS server for ease of access.

From the Properties of the default web site, click the "Directory Security" tab and, once again, click the "Server Certificate" button to start the Wizard. This time you will be presented with different options. Having already created a certificate request, you will now have the option to "Process the pending request".

The Wizard will then ask for the name and location of the certificate file and, if all is well, will install the certificate.

Design by Stephen

Certified Internet Webmaster

Page last Edited: 20 Nov 2011