How Internet Security and SSL Works
The techniques described here are greatly simplified, but serve to illustrate how the system works at a basic level.
Basic encryption for data transmission, as we have seen, is fairly easy to implement and also easy to hack. If you haven't read the article, it involves one or more methods for encrypting data and a password required to decrypt the data at the other end. A basic encryption algorithm is ROT13, where each letter of the alphabet is rotated 13 places (Hello becomes Uryyb). A more advanced system uses passphrase substitution, and this can only be cracked when you know (or defeat) the password.
Actual systems use more sophisticated algorithms where the password is generally 128 bits or higher, giving a password length of 2^128 characters, randomly generated.
The problem with using this over the internet is that you have to transmit both the encrypted data and the key (we'll start calling these long, randomly generated passwords keys now) so that the person at the destination can decrypt the data. This is obviously open to hacking, as the encrypted data and the key are sent together. A secure way of doing this would be to send the encrypted data over the internet and send the key separately in a different format, such as in person on a USB stick or CD.
This wouldn't really work on the internet for browsing your online banking or doing your shopping, would it? Every time you go to log on, you would have to wait for a CD to arrive in the post.
The solution here is to use a set of public and private keys and have these exchanged in a secure way.
Let's have a look at how we might be able to send a secure key between two computers without eavesdropping or anyone stealing the secure key.
In this example we are trying to convey a copy of the blue key, which is our secure private key that nobody else must know about, to the receiver. We will do this by using two public locks, green and red. First, the blue secure key is placed inside a container, which is then locked with the sender's red padlock. Only the red key can open this padlock.
The locked container is then sent to the receiver, who at this stage cannot open the container.
The receiver then puts their padlock (green) on the container, and sends the doubly locked container back to the sender.
When the sender gets the container back, they remove the red padlock using their red key and send the container to the receiver again.
Now the receiver has a container which only has the green padlock on it. This can be opened using the green key, and thus the receiver now has access to the blue secure key. From now on, all communication between the sender and receiver can be securely sent and received by locking it with a blue padlock.
As I said, this is a greatly oversimplified example to illustrate how the system works. In reality, the systems use complex mathematical calculations and long encryption keys to secure the data transmission. The simplified technique illustrates how secure keys can be transmitted over insecure lines without eavesdropping, snooping or hacking.
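The padlock exchange described above, written out as an added example that is not part of the original article: it uses Shamir's three-pass protocol (modular exponentiation as the padlock), a technique swapped in here because it commutes the way the two padlocks do, and it also shows that a padlock which merely commutes, such as XOR, hands the key to anyone who records all three messages. The prime P, the sample key and every function name are assumptions made for the illustration.

```python
import math
import secrets

# Constructed parameter: the Mersenne prime 2**127 - 1, sized for a demo only.
P = 2**127 - 1

def make_padlock():
    """Return (lock, unlock) exponents with lock * unlock == 1 mod (P - 1)."""
    while True:
        lock = secrets.randbelow(P - 3) + 2
        if math.gcd(lock, P - 1) == 1:
            return lock, pow(lock, -1, P - 1)

def apply(exponent, box):
    """Put on or take off a padlock; modular exponentiation commutes."""
    return pow(box, exponent, P)

def three_pass(blue_key):
    """Run the exchange; return (messages on the wire, key the receiver gets)."""
    red_lock, red_unlock = make_padlock()      # sender's padlock and key
    green_lock, green_unlock = make_padlock()  # receiver's padlock and key
    pass1 = apply(red_lock, blue_key)          # sender -> receiver: red only
    pass2 = apply(green_lock, pass1)           # receiver -> sender: red + green
    pass3 = apply(red_unlock, pass2)           # sender -> receiver: green only
    received = apply(green_unlock, pass3)      # receiver removes green
    return (pass1, pass2, pass3), received

def xor_three_pass(blue_key):
    """Same exchange with XOR as the padlock: it commutes but is not safe."""
    red, green = secrets.randbits(127), secrets.randbits(127)
    pass1 = blue_key ^ red
    pass2 = pass1 ^ green
    pass3 = pass2 ^ red
    return (pass1, pass2, pass3), pass3 ^ green

def eavesdrop_xor(wire):
    """What a passive listener learns by XORing the three XOR-locked messages."""
    return wire[0] ^ wire[1] ^ wire[2]

if __name__ == "__main__":
    blue = int.from_bytes(b"blue-session-key", "big")  # constructed sample key
    wire, got = three_pass(blue)
    print("receiver recovered key:", got == blue, "| key on wire:", blue in wire)
    wire, got = xor_three_pass(blue)
    print("XOR variant leaks key:", eavesdrop_xor(wire) == blue)
```

Like the padlock story, the exchange only protects against someone listening; neither side verifies who attached the other padlock.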