SSL Protocol
4.8.1 SSL Protocol
Introduction to E-commerce
The SSL (Secure Sockets Layer) protocol was initially developed by Netscape Communications and is primarily used to enhance the security of data exchanged between application programs. In short, SSL is a protocol that ensures transaction security between any client and server, and it is relevant to all TCP/IP applications.
SSL protocol primarily provides three services:
(1) Authenticating the user and the server, which guarantees that data are sent to the correct client and server.
(2) Encrypting data to hide the transmitted data.
(3) Maintaining the integrity of data to ensure that data are not modified in the process of transmission.
The operational procedure of SSL protocol includes six steps:
(1) Connection. The client notifies the service provider via the network, and the service provider responds.
(2) Password exchange. The client and service provider exchange their authorized password, and RSA is usually employed. Some may choose Diffie-Hellman and Fortezza-KEA.
(3) Session password negotiation. The client and the service provider negotiate the session password.
(4) Verification. The password obtained by the service provider is verified.
(5) Client authentication. The credibility of the client is verified.
(6) End. The client and server exchange the ending information.
When the actions above are completed, the information being sent is encrypted and is restored after it is received at the other end. Even if an attacker obtains the encrypted message, he will not be able to learn any information without the pre-compiled encryption algorithm.
SSL protocol is divided into two layers: SSL handshake protocol and SSL record protocol. The relation between SSL protocol and TCP/IP is illustrated in Fig. 4.8.
Figure 4.8 The relation between SSL and TCP/IP
4 Security Technologies in E-commerce
SSL handshake protocol is used to establish the secure communication channel between both sides, and the functions it realizes are:
(1) Authenticate the server at the client terminal; SSL protocol uses a public key system to authenticate the identity.
(2) Authenticate the client at the server terminal (optional).
(3) Negotiate, between client and server, the encryption algorithm and one-way hash algorithm that both sides support; the available algorithms include IDEA, RC4, DES, 3DES, RSA, DSA, Diffie-Hellman, MD5, and SHA.
(4) Generate the session key for symmetric encryption.
(5) Establish the SSL connection.
A typical handshake process is illustrated in Fig. 4.9.
Figure 4.9 Handshake process of SSL protocol
The handshake process is divided into four steps:
(1) Initialize the logical connection. The client sends the “ClientHello” message, and the server responds with a “ServerHello” message; the two messages are used to test the security capability of both sides, including protocol version, random parameter, session ID, key exchange algorithm, symmetric encryption algorithm and one-way hash algorithm.
(2) The server should send the server certificate (including the public key of the server) and the session key; if the server requests to authenticate the client, it should send a “CertificateRequest” message. Finally the server sends a “ServerHelloDone” message indicating the end of the hello phase, and waits for the response from the client.
(3) If the server requests to authenticate the client, the client should send the “Certificate” message first; it then generates the session key, encrypts it with the server’s public key and encapsulates it into ClientKeyExchange. If the client sends its certificate, it also has to send Certificate authenticate to authenticate the certificate.
(4) The client sends a “ChangeCipherSpec” message, notifying the server to encrypt future messages with the agreed security parameters, and then sends an encrypted “Finished” message. After the server receives these two messages, it sends its own “ChangeCipherSpec” message and “Finished” message. At this point the handshake process is complete, and data can be transmitted between both sides.
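The four steps above written as a strict state machine that accepts each message only in its place. This is an added example, not code from the book: the state names, `run_handshake` and the transcripts are hypothetical, only the RSA key exchange case is modelled, and CertificateVerify is the SSL 3.0 name for the message the text calls "Certificate authenticate".

```python
# Strict handshake state machine for the four steps above (RSA key exchange).
# Each state lists the only (sender, message) pairs accepted next.
C, S = "client", "server"
TRANSITIONS = {
    "start":           {(C, "ClientHello"): "server_hello"},
    "server_hello":    {(S, "ServerHello"): "server_cert"},
    "server_cert":     {(S, "Certificate"): "hello_done"},
    "hello_done":      {(S, "CertificateRequest"): "hello_done_auth",
                        (S, "ServerHelloDone"): "client_kx"},
    "hello_done_auth": {(S, "ServerHelloDone"): "client_cert"},
    "client_cert":     {(C, "Certificate"): "client_kx_auth"},
    "client_kx":       {(C, "ClientKeyExchange"): "client_ccs"},
    "client_kx_auth":  {(C, "ClientKeyExchange"): "cert_verify"},
    "cert_verify":     {(C, "CertificateVerify"): "client_ccs"},
    "client_ccs":      {(C, "ChangeCipherSpec"): "client_finished"},
    "client_finished": {(C, "Finished"): "server_ccs"},
    "server_ccs":      {(S, "ChangeCipherSpec"): "server_finished"},
    "server_finished": {(S, "Finished"): "established"},
}

def run_handshake(transcript):
    """Feed (sender, message) pairs through the table.

    Returns the final state, or a 'rejected ...' string at the first
    message that is not allowed in the current state."""
    state = "start"
    for sender, message in transcript:
        nxt = TRANSITIONS.get(state, {}).get((sender, message))
        if nxt is None:
            return f"rejected {message} from {sender} in state {state}"
        state = nxt
    return state

# Constructed transcripts: without and with client authentication.
NO_AUTH = [(C, "ClientHello"), (S, "ServerHello"), (S, "Certificate"),
           (S, "ServerHelloDone"), (C, "ClientKeyExchange"),
           (C, "ChangeCipherSpec"), (C, "Finished"),
           (S, "ChangeCipherSpec"), (S, "Finished")]
WITH_AUTH = (NO_AUTH[:3] + [(S, "CertificateRequest"), NO_AUTH[3],
             (C, "Certificate"), NO_AUTH[4], (C, "CertificateVerify")]
             + NO_AUTH[5:])

if __name__ == "__main__":
    print(run_handshake(NO_AUTH), run_handshake(WITH_AUTH))
    # Dropping CertificateVerify must not reach "established".
    print(run_handshake([m for m in WITH_AUTH if m[1] != "CertificateVerify"]))
```

A transcript that stops early returns the intermediate state it reached, so a caller should treat anything other than `established` as an incomplete handshake.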
SSL establishes appropriate session state information, as illustrated in Table 4.1.
Table 4.1 Session state of SSL protocol
Session state information | Description
Session identification | A dialogue mark selected by a server to signify an active and restarted dialogue
Peer certificate | X.509 certificate of peer entity
Hash algorithm | Data hashing algorithm that is used
Encryption specification | Data encryption algorithm and MAC algorithm that are used
Session key | Session key shared by terminals and server
Able to restart | Signify whether the dialogue can be used to initialize the new mark
The data received by SSL record protocol are split into fragments, hashed and encrypted, and then transmitted through the transport layer. In the SSL protocol, all data are encapsulated into records, and SSL record protocol prescribes the record header and the data format.
Each SSL record contains the following information:
(1) Content type: the SSL high-level protocol.
(2) Protocol version: there are 2.0 and 3.0 versions at present.
(3) Length: the length of the recorded data; the maximum length is 16,383 bytes.
(4) Effective load of data: the result of processing the data with the hash method and encryption.
(5) MAC: the MAC is computed before the encryption of the effective data and placed into the SSL record to check the integrity of the data.
If the MD5 algorithm is used, the data length of the MAC is 16 bytes. SSL record protocol uses the revised version of HMAC in RFC 2104, and places a serial number into the message before the hash function is applied in order to resist re-send (replay) attacks in various forms. The serial number is a 32-digit incremental counter.
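How the record header and the serial-numbered MAC described above reject a modified or re-sent record, as an added example that is not from the book. Assumptions: the MAC layout and the 64-bit sequence number are taken from the SSL 3.0 specification (RFC 6101), the record is left unencrypted so the fields stay visible (real SSL encrypts the data and MAC together), and the key, messages and function names are constructed for illustration.

```python
import hashlib, hmac, struct

APPLICATION_DATA = 23        # content type value for application data
SSL3 = (3, 0)                # protocol version carried in each record header
MAC_LEN, PAD_LEN = 16, 48    # MD5 digest size; SSL 3.0 pad length for MD5

def ssl3_mac(secret, seq, ctype, data):
    """hash(secret + pad_2 + hash(secret + pad_1 + seq + type + len + data))."""
    meta = struct.pack(">QBH", seq, ctype, len(data))
    inner = hashlib.md5(secret + b"\x36" * PAD_LEN + meta + data).digest()
    return hashlib.md5(secret + b"\x5c" * PAD_LEN + inner).digest()

def seal(secret, seq, data, ctype=APPLICATION_DATA):
    """Build a record: type, version, length, then data followed by its MAC."""
    body = data + ssl3_mac(secret, seq, ctype, data)
    return struct.pack(">BBBH", ctype, *SSL3, len(body)) + body

def open_record(secret, expected_seq, record):
    """Parse the header and verify the MAC; raise ValueError on failure."""
    if len(record) < 5:
        raise ValueError("truncated header")
    ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
    body = record[5:]
    if (major, minor) != SSL3:
        raise ValueError("unexpected version")
    if length != len(body) or length < MAC_LEN:
        raise ValueError("bad length")
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = ssl3_mac(secret, expected_seq, ctype, data)
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad MAC")
    return ctype, data

def demo():
    secret = b"constructed-mac-secret"            # constructed sample key
    first = seal(secret, 0, b"order=42;amount=10.00")
    second = bytearray(seal(secret, 1, b"order=43;amount=10.00"))
    second[-MAC_LEN - 1] ^= 0x01                  # alter last data byte in transit
    results, seq = {}, 0                          # receiver's implicit counter
    for name, rec in (("first", first), ("replay", first), ("tamper", bytes(second))):
        try:
            results[name] = open_record(secret, seq, rec)[1]
            seq += 1                              # advance only after success
        except ValueError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    print(demo())
```

The sequence number never travels in the record; each side keeps its own counter, which is why a byte-for-byte copy of an earlier record fails verification.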
In the process of e-commerce transactions, because of the involvement of banks, the purchase information is first sent to the vendor, and then forwarded by the vendor to the bank; after the bank verifies the validity of the information, it notifies the vendor of the success of payment, and then the vendor sends the commodity to the client.
SSL is the earliest protocol that was applied to e-commerce. SSL improves on the principle of mail purchase. In traditional mail orders, the client first searches for commodity information and remits money to the vendor, who then sends the commodity to the client. Here the vendor is credible, so the client should pay first. In the initial stage of e-commerce, the vendor was also worried that the client would not pay after purchase or would use an overdue credit card, so bank verification was required. The SSL security protocol emerged in this context.
The foundation of SSL is the vendor’s commitment to keep the client’s information confidential. But we also notice that SSL is beneficial to the vendor rather than the customer. The customer’s information is indispensable, but the whole process lacks authentication of the vendor. In the initial phase of e-commerce, the vendors were usually big companies with high reputation; however, this is no longer the case, and the authentication of vendors is becoming more and more imperative. SSL will be replaced by new protocols gradually.