intended to be a definitive guide to the SSL protocol, nor does it discuss
specific techniques for managing certificates in an organization, or the
important legal issues of patents and import and export restrictions.
-Rather, it is intended to provide a common background to mod_ssl users by
-pulling together various concepts, definitions, and examples as a starting
-point for further exploration.</p>
+Rather, it is intended to provide a common background to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> users by pulling together various concepts, definitions,
+and examples as a starting point for further exploration.</p>
-<p>The presented content is mainly derived, with permission by the author,
-from the article <a href="http://home.earthlink.net/~fjhirsch/Papers/wwwj/article.html">Introducing
-SSL and Certificates using SSLeay</a> from <a href="http://home.earthlink.net/~fjhirsch/">Frederick J. Hirsch</a>, of The
+<p>The presented content is mainly derived, with the author's permission,
+from the article <a href="http://home.comcast.net/~fjhirsch/Papers/wwwj/">Introducing
+SSL and Certificates using SSLeay</a> by <a href="http://home.comcast.net/~fjhirsch/">Frederick J. Hirsch</a>, of The
Open Group Research Institute, which was published in <a href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of
Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997.
Please send any positive feedback to <a href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> (the original
money. Alice would like the message to be private, since it will
include information such as her account number and transfer amount. One
solution is to use a cryptographic algorithm, a technique that would
- transform her message into an encrypted form, unreadable except by
- those it is intended for. Once in this form, the message may only be
- interpreted through the use of a secret key. Without the key the
- message is useless: good cryptographic algorithms make it so difficult
+ transform her message into an encrypted form, unreadable until it is
+ decrypted. Once in this form, the message can only be
+ decrypted by using a secret key. Without the key the message is useless:
+ good cryptographic algorithms make it so difficult
for intruders to decode the original text that it isn't worth their
effort.</p>
<dt>Conventional cryptography</dt>
<dd>also known as symmetric cryptography, requires the sender and
receiver to share a key: a secret piece of information that may be
- used to encrypt or decrypt a message. If this key is secret, then
- nobody other than the sender or receiver may read the message. If
- Alice and the bank know a secret key, then they may send each other
- private messages. The task of privately choosing a key before
- communicating, however, can be problematic.</dd>
+ used to encrypt or decrypt a message. As long as this key is kept
+ secret, nobody other than the sender or recipient can read the message.
+ If Alice and the bank know a secret key, then they can send each other
+ private messages. The task of sharing a key between sender and recipient
+ before communicating, while also keeping it secret from others, can be
+ problematic.</dd>
<dt>Public key cryptography</dt>
<dd>also known as asymmetric cryptography, solves the key exchange
(the public key) and keeping the other secret (the private key).</dd>
</dl>
- <p>Anyone may encrypt a message using the public key, but only the
+ <p>Anyone can encrypt a message using the public key, but only the
owner of the private key will be able to read it. In this way, Alice
- may send private messages to the owner of a key-pair (the bank), by
+ can send private messages to the owner of a key-pair (the bank), by
encrypting it using their public key. Only the bank will be able to
decrypt it.</p>
is still a concern that someone might modify her original message or
substitute it with a different one, in order to transfer the money
to themselves, for instance. One way of guaranteeing the integrity
- of Alice's message is to create a concise summary of her message and
- send this to the bank as well. Upon receipt of the message, the bank
- creates its own summary and compares it with the one Alice sent. If
- they agree then the message was received intact.</p>
+ of Alice's message is for her to create a concise summary of her
+ message and send this to the bank as well. Upon receipt of the message,
+ the bank creates its own summary and compares it with the one Alice
+ sent. If the summaries are the same then the message has been received
+ intact.</p>
<p>A summary such as this is called a <dfn>message digest</dfn>, <em>one-way
-function</em> or <em>hash function</em>. Message digests are used to create
-short, fixed-length representations of longer, variable-length messages.
-Digest algorithms are designed to produce unique digests for different
-messages. Message digests are designed to make it too difficult to determine
-the message from the digest, and also impossible to find two different
-messages which create the same digest -- thus eliminating the possibility of
-substituting one message for another while maintaining the same digest.</p>
-<p>Another challenge that Alice faces is finding a way to send the digest to the
-bank securely; when this is achieved, the integrity of the associated message
-is assured. One way to do this is to include the digest in a digital
-signature.</p>
+ function</em> or <em>hash function</em>. Message digests are used to create
+ a short, fixed-length representation of a longer, variable-length message.
+ Digest algorithms are designed to produce a unique digests for each
+ message. Message digests are designed to make it impractically difficult
+ to determine the message from the digest, and (in theory) impossible to
+ find two different messages which create the same digest -- thus
+ eliminating the possibility of substituting one message for another while
+ maintaining the same digest.</p>
+
+ <p>Another challenge that Alice faces is finding a way to send the digest
+ to the bank securely; if the digest is not sent securely, its integrity may
+ be compromised, and with it, the possibility for the bank to determine the
+ integrity of the original message. Only if the digest is sent securely can
+ the integrity of the associated message be determined.</p>
+
+ <p>One way to send the digest securely is to include it in a digital
+ signature.</p>
<h3><a name="digitalsignatures" id="digitalsignatures">Digital Signatures</a></h3>
<p>When Alice sends a message to the bank, the bank needs to ensure that the
-message is really from her, so an intruder does not request a transaction
+message is really from her, so an intruder cannot request a transaction
involving her account. A <em>digital signature</em>, created by Alice and
included with the message, serves this purpose.</p>
<p>Digital signatures are created by encrypting a digest of the message,
and other information (such as a sequence number) with the sender's
-private key. Though anyone may <em>decrypt</em> the signature using the public
-key, only the signer knows the private key. This means that only they may
+private key. Though anyone can <em>decrypt</em> the signature using the public
+key, only the sender knows the private key. This means that only they can
have signed it. Including the digest in the signature means the signature is
only good for that message; it also ensures the integrity of the message since
no one can change the digest and still sign it.</p>
<p>Although Alice could have sent a private message to the bank, signed
it, and ensured the integrity of the message, she still needs to be sure
that she is really communicating with the bank. This means that she needs
-to be sure that the public key she is using corresponds to the bank's
-private key. Similarly, the bank also needs to verify that the message
-signature really corresponds to Alice's signature.</p>
+to be sure that the public key she is using is part of the bank's key-pair,
+and not an intruder's. Similarly, the bank needs to verify that the message
+signature really was signed by the private key that belongs to Alice.</p>
<p>If each party has a certificate which validates the other's identity,
-confirms the public key, and is signed by a trusted agency, then they both
-will be assured that they are communicating with whom they think they are.
+confirms the public key, and is signed by a trusted agency, then both
+can be assured that they are communicating with whom they think they are.
Such a trusted agency is called a <em>Certificate Authority</em>, and
certificates are used for authentication.</p>
<p>A Certificate Authority may define a policy specifying which
distinguished field names are optional, and which are required. It
may also place requirements upon the field contents, as may users of
- certificates. As an example, a Netscape browser requires that the
- Common Name for a certificate representing a server has a name which
- matches a wildcard pattern for the domain name of that server, such
+ certificates. For example, a Netscape browser requires that the
+ Common Name for a certificate representing a server matches a wildcard
+ pattern for the domain name of that server, such
as <code>*.snakeoil.com</code>.</p>
<p>The binary format of a certificate is defined using the ASN.1
Rules (DER), which are based on the more general Basic Encoding Rules
(BER). For those transmissions which cannot handle binary, the binary
form may be translated into an ASCII form by using Base64 encoding
- [<a href="#MIME">MIME</a>]. This encoded version is called PEM encoded
- (the name comes from "Privacy Enhanced Mail"), when placed between
- begin and end delimiter lines as illustrated in the following
- example.</p>
+ [<a href="#MIME">MIME</a>]. When placed between begin and end delimiter
+ lines (as below), this encoded version is called a PEM ("Privacy Enhanced
+ Mail") encoded certificate.</p>
<div class="example"><h3>Example of a PEM-encoded certificate (snakeoil.crt)</h3><pre>-----BEGIN CERTIFICATE-----
MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
<h3><a name="certificateauthorities" id="certificateauthorities">Certificate Authorities</a></h3>
- <p>By first verifying the information in a certificate request
+ <p>By verifying the information in a certificate request
before granting the certificate, the Certificate Authority assures
- the identity of the private key owner of a key-pair. For instance,
- if Alice requests a personal certificate, the Certificate Authority
- must first make sure that Alice really is the person the certificate
- request claims.</p>
+ itself of the identity of the private key owner of a key-pair.
+ For instance, if Alice requests a personal certificate, the
+ Certificate Authority must first make sure that Alice really is the
+ person the certificate claims she is.</p>
<h4><a name="certificatechains" id="certificatechains">Certificate Chains</a></h4>
<p>As noted earlier, each certificate requires an issuer to assert
the validity of the identity of the certificate subject, up to
the top-level Certificate Authority (CA). This presents a problem:
- Since this is who vouches for the certificate of the top-level
+ who can vouch for the certificate of the top-level
authority, which has no issuer? In this unique case, the
certificate is "self-signed", so the issuer of the certificate is
- the same as the subject. As a result, one must exercise extra care
- in trusting a self-signed certificate. The wide publication of a
+ the same as the subject. Browsers are preconfigured to trust well-known
+ certificate authorities, but it is important to exercise extra care in
+ trusting a self-signed certificate. The wide publication of a
public key by the root authority reduces the risk in trusting this
key -- it would be obvious if someone else publicized a key
- claiming to be the authority. Browsers are preconfigured to trust
- well-known certificate authorities.</p>
+ claiming to be the authority.</p>
<p>A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and <a href="http://www.verisign.com/">VeriSign</a>
have established themselves as Certificate Authorities. These
<p>Establishing a Certificate Authority is a responsibility which
requires a solid administrative, technical, and management
framework. Certificate Authorities not only issue certificates,
- they also manage them -- that is, they determine how long
- certificates are valid, they renew them, and they keep lists of
- certificates that have already been issued but are no longer valid
- (Certificate Revocation Lists, or CRLs). Say Alice is entitled to
- a certificate as an employee of a company. Say too, that the
- certificate needs to be revoked when Alice leaves the company. Since
- certificates are objects that get passed around, it is impossible
- to tell from the certificate alone that it has been revoked. When
- examining certificates for validity, therefore, it is necessary to
- contact the issuing Certificate Authority to check CRLs -- this
- is not usually an automated part of the process.</p>
+ they also manage them -- that is, they determine for how long
+ certificates remain valid, they renew them, and they keep lists of
+ certificates that were issued in the past but are no longer valid
+ (Certificate Revocation Lists, or CRLs).</p>
+
+ <p>For example, if Alice is entitled to a certificate as an
+ employee of a company, but has now left
+ that company, her certificate may need to be revoked.
+ Because certificates are only issued after the subject's identity has
+ been verified, and can then be passed around to all those with whom
+ the subject may communicate, it is impossible to tell from the
+ certificate alone that it has been revoked.
+ When examining certificates for validity, therefore,
+ it is necessary to contact the issuing Certificate Authority to
+ check CRLs -- this is usually not an automated part of the process.</p>
<div class="note"><h3>Note</h3>
- <p>If you use a Certificate Authority that is not configured into
- browsers by default, it is necessary to load the Certificate
+ <p>If you use a Certificate Authority that browsers are not configured
+ to trust by default, it is necessary to load the Certificate
Authority certificate into the browser, enabling the browser to
validate server certificates signed by that Certificate Authority.
Doing so may be dangerous, since once loaded, the browser will
[<a href="#TLS1">TLS</a>] protocol standard, currently in development by
the Internet Engineering Task Force (IETF).</p>
-<h3><a name="session" id="session">Session Establishment</a></h3>
+<h3><a name="session" id="session">Establishing a Session</a></h3>
<p>The SSL session is established by following a handshake sequence
between client and server, as shown in <a href="#figure1">Figure 1</a>. This sequence may vary, depending on whether the server
is configured to provide a server certificate or request a client
- certificate. Though cases exist where additional handshake steps
+ certificate. Although cases exist where additional handshake steps
are required for management of cipher information, this article
- summarizes one common scenario: see the SSL specification for the full
+ summarizes one common scenario. See the SSL specification for the full
range of possibilities.</p>
<div class="note"><h3>Note</h3>
- <p>Once an SSL session has been established it may be reused, thus
- avoiding the performance penalty of repeating the many steps needed
- to start a session. For this the server assigns each SSL session a
+ <p>Once an SSL session has been established, it may be reused. This
+ avoids the performance penalty of repeating the many steps needed
+ to start a session. To do this, the server assigns each SSL session a
unique session identifier which is cached in the server and which the
- client can use on forthcoming connections to reduce the handshake
- (until the session identifer expires in the cache of the server).</p>
+ client can use in future connections to reduce the handshake time
+ (until the session identifer expires from the cache of the server).</p>
</div>
<p class="figure">
</ol>
<p>The first step, Cipher Suite Negotiation, allows the client and
- server to choose a Cipher Suite supportable by both of them. The SSL3.0
+ server to choose a Cipher Suite supported by both of them. The SSL3.0
protocol specification defines 31 Cipher Suites. A Cipher Suite is
defined by the following components:</p>
<p>The key exchange method defines how the shared secret symmetric
cryptography key used for application data transfer will be agreed
upon by client and server. SSL 2.0 uses RSA key exchange only, while
- SSL 3.0 supports a choice of key exchange algorithms including the
- RSA key exchange when certificates are used, and Diffie-Hellman key
- exchange for exchanging keys without certificates and without prior
- communication between client and server.</p>
+ SSL 3.0 supports a choice of key exchange algorithms including
+ RSA key exchange (when certificates are used), and Diffie-Hellman key
+ exchange (for exchanging keys without certificates, or without prior
+ communication between client and server).</p>
<p>One variable in the choice of key exchange methods is digital
signatures -- whether or not to use them, and if so, what kind of
- signatures to use. Signing with a private key provides assurance
+ signatures to use. Signing with a private key provides protection
against a man-in-the-middle-attack during the information exchange
- used
in generating the shared key [<a href="#AC96">AC96</a>, p516].</p>
+ used
to generating the shared key [<a href="#AC96">AC96</a>, p516].</p>
<h3><a name="ciphertransfer" id="ciphertransfer">Cipher for Data Transfer</a></h3>
- <p>SSL uses the conventional cryptography algorithm (symmetric
- cryptography) described earlier for encrypting messages in a session.
- There are nine choices, including the choice to perform no
- encryption:</p>
+ <p>SSL uses conventional symmetric cryptography, as described earlier,
+ for encrypting messages in a session.
+ There are nine choices of how to encrypt, including the option not to
+ encrypt:</p>
<ul>
<li>No encryption</li>
</ul></li>
</ul>
- <p>Here "CBC" refers to Cipher Block Chaining, which means that a
+ <p>"CBC" refers to Cipher Block Chaining, which means that a
portion of the previously encrypted cipher text is used in the
encryption of the current block. "DES" refers to the Data Encryption
Standard [<a href="#AC96">AC96</a>, ch12], which has a number of
- variants (including DES40 and 3DES_EDE). "Idea" is one of the best
- and cryptographically strongest available algorithms, and "RC2" is
- a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>,
- ch13].</p>
+ variants (including DES40 and 3DES_EDE). "Idea" is currently one of
+ the best and cryptographically strongest algorithms available,
+ and "RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>, ch13].</p>
<h3><a name="digestfuntion" id="digestfuntion">Digest Function</a></h3>
</ul>
<p>The message digest is used to create a Message Authentication Code
- (MAC) which is encrypted with the message to provide integrity and to
- prevent against replay attacks.</p>
+ (MAC) which is encrypted with the message to verify integrity and to
+ protect against replay attacks.</p>
<h3><a name="handshake" id="handshake">Handshake Sequence Protocol</a></h3>
<p>The encapsulation of SSL control protocols by the record protocol
means that if an active session is renegotiated the control protocols
- will be transmitted securely. If there were no session before, then
- the Null cipher suite is used, which means there is no encryption and
- messages have no integrity digests until the session has been
+ will be transmitted securely. If there was no previous session,
+ the Null cipher suite is used, which means there will be no encryption and
+ messages will have no integrity digests, until the session has been
established.</p>
<p>The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>,
is used to transfer application and SSL Control data between the
- client and server, possibly fragmenting this data into smaller units,
+ client and server, where necessary fragmenting this data into smaller units,
or combining multiple higher level protocol data messages into single
units. It may compress, attach digest signatures, and encrypt these
units before transmitting them using the underlying reliable transport
- protocol (Note: currently all major SSL implementations lack support
+ protocol (Note: currently, no major SSL implementations include support
for compression).</p>
<p class="figure">
<h3><a name="securehttp" id="securehttp">Securing HTTP Communication</a></h3>
<p>One common use of SSL is to secure Web HTTP communication between
- a browser and a webserver. This case does not preclude the use of
- non-secured HTTP. The secure version is mainly plain HTTP over SSL
- (named HTTPS), but with one major difference: it uses the URL scheme
- <code>https</code> rather than <code>http</code> and a different
- server port (by default 443). This mainly is what <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides to you for the Apache webserver...</p>
+ a browser and a webserver. This does not preclude the use of
+ non-secured HTTP - the secure version (called HTTPS) is the same as
+ plain HTTP over SSL, but uses the URL scheme <code>https</code>
+ rather than <code>http</code>, and a different server port (by default,
+ port 443). This functionality is a large part of what <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides for the Apache webserver.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
projects / thirdparty / apache / httpd.git / commitdiff
