Server Authentication During SSL Handshake

SSL or TLS?
SSL is the Secure Socket Layer. This is the security system behind the protocol HTTPS (Hypertext Transfer Protocol Secure) which was developed by Netscape Communications. Strictly speaking, SSL no longer exists. After SSL version 3, it was replaced by the Transport Layer Security (TLS) protocol. However, "SSL" became a generic name for the encryption system of HTTPS. So, many people refer to SSL when they really mean TLS.

Function
SSL/TLS is a security system that combines authentication and encryption. In regular communication over a network, a client contacts a server with a request. The server replies with a response. Under SSL, only the client needed to present authentication. With TLS, both the client and server must prove their identity. The identification procedure includes an encryption key, which is used to protect all transmissions once the connection has been established.

Certificates
The SSL system relies on the user holding a valid certificate. The certificate validates the client or the server by showing their address, a validity period and a digital signature. Certificates are issued by Certificate Authorities. When a client first contacts the server, it presents its certificate. The server sends its certificate details to the client and checks the clients certificate with the issuing authority. The Certificate Authority confirms the details of the certificate. If there is a discrepancy between the details on the certificate sent by the client and the details held by the certificate authority, the HTTPS session cannot be established. Similarly, the certificate must be current. While the server checks the client's certificate, the client follows the same process to check the server's certificate.

CAs
Worldwide, the certificate authority business is fragmented, with national or regional providers dominating their home market. This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities. However, the market for SSL certificates, a kind of certificate used for website security, is largely held by a small number of multinational companies. This market has significant barriers to entry since new providers must undergo annual security audits (such as WebTrust for Certification Authorities) to be included in the list of web browser trusted authorities. More than 50 root certificates are trusted in the most popular web browser versions. A 2009 market share report from Net Craft as of January of that year determined that VeriSign and its acquisitions (which include Thawte and Geotrust) have a 47.5% share of the certification services provider market, followed by GoDaddy (23.4%), and Comodo (15.44%).

Enabling SSL
The concept of "SSL Enabled" expresses whether the address the client or server is using has a valid certificate. Certification doesn't authenticate the user. This level of security is handled by other methods, like usernames and passwords. The SSL Certificate-checking process is usually embedded in the browser of clients or in the server software of the server. The user can enable SSL by looking through the network settings of his browser. The server software also has an "Enable SSL" option which the Systems Administrator should activate. Check if SSL is enabled in your browser!!!

Server SSL
For domestic users, the certification process is handled by the user's browser. For a server, the process is a little more complicated. The server should have a certificate database and needs to obtain a certificate from a trusted Certificate Authority. After the certificate has been downloaded into the database, it

Server Authentication During SSL Handshake

SSL-enabled client software always requires server authentication, or cryptographic validation by a client of the servers identity. The server sends the client a certificate to authenticate itself. The client uses the certificate to authenticate the identity the certificate claims to represent. To authenticate the binding between a public key and the server identified by the certificate that contains the public key, an SSL-enabled client must receive a yes answer to the four questions shown in the following figure.

Public-key cryptography can be used to encrypt data communicated between two parties. This can typically happen when a user logs on to any site that implements the HTTP Secure protocol. In this example let us suppose that the user logs on to his bank's homepage www.bank.example to do online banking. When the user opens www.bank.example homepage, he receives a public key along with all the data that his web-browser displays. When the user enters some information to the bank's page and submits the page (sends the information back to the bank) then the data the user has entered to the page will be encrypted by his web browser using the public key that was issued by www.bank.example. The key that can be used to decrypt the information is called the private key and it is only known to the bank. Therefore, even if someone can access the (encrypted) data that was communicated from the user to www.bank.example, the (unencrypted) data that the user has entered can only be decrypted by the bank, as only the bank knows the private key. This mechanism is only safe if the user can be sure that it is the bank that he sees in his web browser. If the user types in www.bank.example, but his communication is hi-jacked and a fake web-site (that pretends to be the bank web-site) sends the page information back to the user's browser, the fake web-page can send a fake public key to the user. The user will fill the form with his personal data and will submit the page which will be encrypted by the fake public key. The fake web-page will get access to the user's data since the fake web-page owns the fake private key. A certificate authority is an organization that stores public keys and their owners and every party in a communication trusts this organization. When the user's web browser receives the public key from www.bank.example it can contact the certificate authority to ask whether the public key does really belong to www.bank.example. Since www.bank.example uses a public key that the certification authority certifies, a fake www.bank.example can only use the same public key. Since the fake www.bank.example does not know the corresponding private key, it cannot decrypt the user's answer.

PKI Framework Central to the growth of e-commerce and e-governance is the issue of trust in electronic environment. The future of e-commerce and e-governance depends on the trust that the transacting parties place in the security of transmission and the content of communication. Creating trust in electronic environment involves assuring the transacting parties about the integrity and confidentiality of the content of documents along with authentication of the sending and receiving parties in a manner that ensures that both the parties cannot repudiate the transaction. The paper based concepts of identification, declaration and proof are carried through the use of digital signatures in electronic environment. Digital signatures, a form of electronic signatures, are created and verified using Public Key Cryptography that is based on the concept of a key pair generated by a mathematical algorithm, the public and private keys. The Information Technology Act, 2000 provides the required legal sanctity to the digital signatures based on asymmetric cryptosystems. The digital signatures are now accepted at par with handwritten signatures and the electronic documents that have been digitally signed are treated at par with paper documents. The IT Act provides for the Controller of Certifying Authorities(CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users. The CCA certifies the public keys of CAs using its own private key, which enables users in the cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates, the Root Certifying Authority of India(RCAI). The CCA also maintains the National Repository of Digital Certificates(NRDC), which contains all the certificates issued by all the CAs in the country.