In order to establish an SSL connection, the SSL protocol
requires that a server have a digital certificate installed.
A digital certificate is an electronic file that uniquely
identifies individuals and servers. Digital certificates
allow the client (Web browser) to authenticate the server
prior to establishing the SSL session. Typically, digital
certificates are signed by an independent and trusted
third party to ensure their validity. The "signer"
of a digital certificate is known as a Certification Authority
(CA), such as VeriSign.
SSL enables secure online transactions by combining the
following three important elements: |
| 1. |
Authentication:
A digital certificate is associated with a specific
domain name. Before issuing a digital certificate,
the CA has the responsibility to perform a number
of checks (called "authentication and verification"
checks) to confirm the identity of the organization
requesting the certificate and whether it has
the right to use the domain name that will be
associated with that certificate. This strong
binding between certificate and domain name provides
users with an assurance that they are interacting
with a legitimate organization's Web site, not
an imposter's. |
| 2. |
Encryption: Encryption
is the process of transforming information to
make it unintelligible to all but the intended
recipient. This forms the basis of data integrity
and privacy necessary for secure online transactions.
An SSL certificate, a special kind of digital
certificate, binds an identity to a pair of
electronic keys that can be used to encrypt
and sign digital information transmitted over
the Internet via the "https" protocol. Once
the CA confirms the identity of the organization
requesting the certificate and whether it has
responsibility for the domain name that will
be associated with that certificate, the CA
uses its private key to sign the certificate
containing, among other things, the organization's
public key and "issues" the certificate to the
organization |
| 3. |
Message Integrity:
After an SSL session has been established, the
contents of all communications between client
and server are protected from tampering on route.
All parties to the transaction know that the
information they have received is exactly what
originated from the other side of the SSL session. |
|
| Combining the three elements above, SSL becomes a simple
yet extremely powerful security solution, enabling you
to conduct authenticated and encrypted online transactions
with visitors to your Web site. With a VeriSign SSL certificate
installed on your Web site, visitors will be able to submit
credit card numbers or other sensitive information to
you, with complete assurance that they are really doing
business with you (and not an impostor) and that the information
they are sending to you can not be intercepted or tampered
with during transmission. |
| |
| How does Public
Key Cryptography work?
|
In Public Key Cryptography, if Alice wants
to send a secret message to Bob, she must obtain a copy
of his public key. Before doing so, however, she needs
to make sure that the public key really belongs to Bob.
Digital certificates address this problem. A certificate
is an electronic document that binds a public key to a
particular individual or organization. Certificates are
issued by a trusted third party, called a Certification
Authority (CA). Before issuing a certificate, a good CA
will perform a number of checks (called "authentication
and verification" checks) to make sure Bob really
is who he claims to be, and that the public key that will
in the certificate really belongs to Bob.
A public key certificate contains the following information:
| The Subject of
the certificate. In the case of an SSL certificate,
this would include your organization name and
common name (e.g. VeriSign, Inc., www.verisign.com)
|
| Certificate Validity Period
(e.g., Valid from 1-Jan-2008 to 1-Jan-2009) |
| Subject's Public Key |
| Issuer (an independent and
trusted third party such as VeriSign) |
| Issuer's signature. The
issuer creates this signature by encrypting
a hash of the certificate contents with its
private key. Any application or system, such
as a Web browser on a PC, that trusts the issuer's
public key can be assured of the certificate's
legitimacy. |
|
| Bob and Alice's use of public key cryptography
provides each of them with several advantages: |
| Bob
doesn't need to worry about securely sending
his public key to Alice. If someone finds his
public key, they can only use it to send Bob
a private message. The finder can't use it to
decrypt messages sent to Bob or to imitate Bob.
Thus, Bob can send his public key to Alice using
e-mail. Or, he can even post it on a public
directory |
| Bob and Alice don't not
need to worry about someone intercepting and
then decrypting and reading Alice's message
to Bob. Only Bob, using his Private Key, can
decrypt Alice's message. Even if someone did
intercept Alice's message to Bob on route, he
would not have Bob's Private Key, so he would
be unable to decrypt the message. |
| Bob doesn't
need to worry about Alice being a double agent.
Alice can neither intercept messages sent to
Bob, nor can she imitate him. |
| Large organizations don't
have problems. Everybody who wants to send Bob
a private message can do so using the same public
key. So, organizations with n people need only
have n public key pairs. With private key cryptography
(symmetric encryption), they would need n! key
pairs. |
| Bob can
sign messages. Because Bob is the only person
with his private key, if he encrypts a message
with his private key, it is equivalent to using
a Digital Signature. |
|
|
| What is the relationship
between Public Keys and Certificates? |
In Public Key Cryptography, if Alice wants to send a
secret message to Bob, she must obtain a copy of his public
key. Before doing so, however, she needs to make sure
that the public key really belongs to Bob.
Digital certificates address this problem. A certificate
is an electronic document that binds a public key to a
particular individual or organization. Certificates are
issued by a trusted third party, called a Certification
Authority (CA). Before issuing a certificate, a good CA
will perform a number of checks (called "authentication
and verification" checks) to make sure Bob really
is who he claims to be, and that the public key that will
in the certificate really belongs to Bob.
A public key certificate contains the following information:
| The Subject of the certificate. In the case
of an SSL certificate, this would include your
organization name and common name (e.g. VeriSign,
Inc., www.verisign.com) |
| Certificate Validity Period
(e.g., Valid from 1-Jan-2004 to 1-Jan-2005)
|
| Subject's Public Key |
| Issuer (an independent and
trusted third party such as VeriSign) |
| Issuer's signature. The
issuer creates this signature by encrypting
a hash of the certificate contents with its
private key. Any application or system, such
as a Web browser on a PC, that trusts the issuer's
public key can be assured of the certificate's
legitimacy. |
|
|
| What is a Certification
Authority? |
A Certificate Authority is a trusted third party responsible
for issuing, revoking, renewing, and providing directories
of digital certificates. Good Certificate Authorities
follow rigorous procedures for authenticating and verifying
the individuals and organizations to whom they issue certificates.
All digital certificates are "signed" with the
Certificate Authority's private key to ensure authenticity.
Typically, a Certificate Authority's Public Key is widely
distributed. When establishing an SSL session between
client and server (between browser and Web site), the
server sends the client a certificate chain, starting
with the server's public key certificate and ending with
the Certificate Authority's root certificate. Before the
client will trust the server's certificate, it inspects
the certificate signatures and validity period (and, if
configured, revocation status). The client must also determine
if it "trusts" the CA who issued the server's
certificate.
Typically, most popular Web browsers [clients] will inherently
trust server (SSL) certificates issued by public CAs such
as VeriSign because the CA's public key has been installed
in the Web browser software prior to distribution to users.
As a result, Web sites that wish to take advantage of
this inherent in Web browsers must obtain their respective
server (SSL) certificates from one of these popular public
CAs. |
|
| How do SSL Certificates
enable secure authenticated e-commerce on the Web? |
By obtaining and installing an SSL certificate, you
enable the use of SSL at your Web site. When a browser
connects via "https" to a Web site with an SSL
certificate, the browser and the server will exchange
information during what is called the "SSL handshake."
Once the SSL session has been negotiated, all information
that passes between the browser and the server will be
encrypted.
Most all browsers are equipped to recognize VeriSign SSL
certificates automatically, enabling almost every visitor
in the world to safely exchange sensitive information
and conduct e-commerce transactions with your Web site. |
|
| What is Secure
Sockets Layer ("SSL") and how does it work? |
Secure Socket Layer (SSL) is a technology developed
by Netscape and adopted by all vendors producing related
Web software. It negotiates and employs the essential
functions of mutual authentication, data encryption, and
data integrity for secure transactions.
This exchange between the client and server is performed
using the Secure Sockets Layer (SSL). SSL V2.0 supports
server authentication only; SSL V3.0 supports both client
and server authentication. |
| |
| What level of browser
compatibility do VeriSign's SSL certificates offer? |
| As the oldest operating public Certificate Authority,
VeriSign offers SSL certificates that are compatible with
all browsers shipped since 1995, certificates with greater
browser compatibility than that of any other provider. |
| |
| What size keys
does VeriSign use? |
| The VeriSign private key,
used to sign certificates, is 1024 bits. |
| Depending on
your server software settings, the public key
in your certificate will be either 512 bits
or 1024 bits. Note: VeriSign recommends a minimum
of 1024-bits. |
| The size of session
key dictates the "strength" of the SSL encryption
that will be used for that session. Typical
session key sizes are 128-bit, which is the
strongest available, and 40-bit. The size of
the session key used depends on the type of
SSL certificate installed on the server, the
browser software and, in many cases, the operating
system on the PC. |
 |
|
|
