American Law Institute CLE (formerly known as ALI-ABA)

Secure Socket Layer (SSL) Protocol

The secure socket layer (SSL) is an open, non-proprietary protocol designed by Netscape Communications for securing data communications across computer networks. SSL is sandwiched between the application protocol (such as HTTP, Telnet, FTP, NNTP) and the connection protocol (such as TCP/IP, UDP). SSL provides server authentication, message integrity, data encryption and optional client authentication for TCP/IP connections.

With the addition of SSL, data security can be ensured. Information travels over the Internet through a series of routings, which means it can pass through many computer systems before it reaches the trusted server. Any one of these computer systems represents an opportunity for the information to be accessed. SSL ensures that the intermediary computers "cannot deceive you, eavesdrop on you, copy from you, or damage your communications." SSL protects Internet communication through the following features:

Upon the initial connection, SSL performs a security "handshake" used to start the TCP/IP connection. The handshake enables the client and server to agree on the level of security they will use. Once that agreement is reached, any authentication requirements are then taken care of. SSL uses encryption and authentication technology developed by RSA Data Security Inc. Server authentication is accomplished by means of ISO X.509 digital certificates in conjunction with RSA public key cryptography. A digital certificate binds a server's public key to the server's identity. These certificates are issued by trusted third parties known as certificate authorities. Once the handshake is complete, all transmission is encrypted using the RC4 stream encryption algorithm with a 40-bit key. A message encrypted with a 40-bit RC4 key takes a 64-MIPS computer a year of dedicated processor time to break. This encryption remains valid between client and server over multiple connections. Since the encryption changes from time to time, the same amount of effort must be expended to crack every message. Although 40-bit RC4 encryption is not military-grade security, the effort needed to break any information transmitted is certainly nontrivial.
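The three stages described above (negotiating the security level in the handshake, authenticating the server through its certificate, then encrypting the byte stream) are exactly what a client's TLS configuration controls today. The following is an added example, not code from the original page or from Netscape, written with Python's standard `ssl` module: it builds a client context that insists on certificate verification and hostname checking, refuses protocol versions older than TLS 1.2, and excludes RC4 and other weak suites; the 128-bit threshold and the `LEGACY_SAMPLE` entries are constructed assumptions for this example, with the 40-bit entry standing in for the export-grade RC4 the page describes.

```python
"""Added example: configuring and auditing the handshake, authentication and
encryption stages of a modern TLS client. Not part of the original page."""
import ssl

# Assumed policy threshold for this example: suites below 128 bits of key
# strength are flagged. Far above the 40-bit RC4 key the page discusses.
MIN_STRENGTH_BITS = 128


def build_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate, checks the
    hostname, and refuses legacy protocol versions and weak cipher suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax governing the TLS 1.2 suites; TLS 1.3 suites
    # are selected separately and are all AEAD suites with >= 128-bit keys.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_ciphers(cipher_infos):
    """Return the names of suites that are RC4-based or below the strength
    threshold. Input is a list of dicts shaped like SSLContext.get_ciphers()."""
    return [
        c["name"]
        for c in cipher_infos
        if "RC4" in c["name"].upper()
        or c.get("strength_bits", 0) < MIN_STRENGTH_BITS
    ]


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise what a handshake performed with this context would accept."""
    return {
        "verify_mode": ctx.verify_mode.name,        # server authentication
        "check_hostname": ctx.check_hostname,       # certificate binds to name
        "minimum_version": ctx.minimum_version.name,
        "weak_ciphers": audit_ciphers(ctx.get_ciphers()),
    }


# Constructed sample: one export-grade 1990s-style suite next to a modern one,
# to show the audit flagging exactly the kind of cipher the page describes.
LEGACY_SAMPLE = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]

if __name__ == "__main__":
    print(context_policy(build_client_context()))
    print(audit_ciphers(LEGACY_SAMPLE))
```

`context_policy` reads back the settings rather than trusting that they were applied, which is the check worth keeping in a deployment script: a context whose `verify_mode` is not `CERT_REQUIRED` performs the encryption stage without the authentication stage, and an empty `weak_ciphers` list confirms that nothing like the page's 40-bit RC4 can be negotiated.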

In order to use SSL as part of a secure system, the server requires a digitally signed certificate. To obtain a certificate, a certificate request form must be submitted to a third-party organization that issues certificates, and an associated service fee must be paid.

The SSL protocol, like any other protocol, is designed to work with the existing network protocols (OSI or TCP/IP). It is strategically layered beneath the application protocols and above the connection protocols. After initiating the security handshake to start a TCP/IP connection, SSL's only role is to encrypt and decrypt the byte stream of the application protocol in use. Because of this placement, it can operate independently of the Internet application and connection protocols.

Since the introduction of SSL in December of 1994, over 3 million people, including a broad spectrum of industry-leading companies and organizations, have been using SSL-enabled products and supporting the SSL protocol for Internet security. Some of the companies that support the SSL protocol are Apple Computer, Bank of America, Delphi Internet Services Corporation, IBM, MasterCard, Novell Inc., Microsoft Corporation, MCI Communications Corp., Sun Microsystems, Inc. and Visa International. This broad base of supporters will promote the growth of electronic commerce on both the Internet and private TCP/IP networks.
