IT Baseline Protection Manual S 5.66 Use of SSL

S 5.66 Use of SSL

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, users

The security protocol most commonly used on the WWW is SSL (Secure Sockets Layer). SSL was developed by Netscape and is supported by all the latest browsers. With SSL, connections can be protected

With SSL, a connection is established between a user's browser and a provider's server, and first of all the certificates with the public keys are exchanged over this connection. Next a symmetric key is exchanged by secure means, protected by the RSA asymmetric encryption procedure. A symmetric procedure is then used to encrypt the actual data transmission, because this can encrypt large quantities of data more quickly. A different symmetric key is negotiated as the session key for each transaction. This is then used to encrypt the connection.

A user can tell if a given Web page allows SSL-protected data transmission, for example, from the fact that the initial part of the address contains an extra "s" (https://www...), in Netscape Navigator from the fact that the padlock at the bottom left of the screen is closed instead of open, or in Internet Explorer from the appearance of a closed padlock on the bottom right.

The use of SSL is not restricted to HTTP clients and servers. Applications such as Telnet or FTP can also use SSL for secure communications. This does require, however, that the clients and servers concerned have each been adapted to do this.

SSL consists of two layers. The SSL handshake protocol operates on the upper layer. This is used by the client and the server to identify and authenticate themselves to each other, and to negotiate a key and an encryption algorithm to be used for the subsequent data communication traffic. The lower layer, the SSL record protocol, which forms the interface to the TCP layer, encrypts and decrypts the actual data traffic. Because SSL resides on the socket interface for access to TCP and replaces this interface with an enhanced-security version, it can also be used for other services. As a result, SSL also runs transparently in the background of any Internet service. The only action required of users is selection of a certificate. This means that, in contrast to S-HTTP, they do not have the opportunity to configure the security functions and adapt them to their specific security requirements. On the other hand, users may find SSL more convenient as they do not have to stop to configure security functions every time there is a Web query.

Only Version 3 or higher of SSL should be used, because the additional server authentication these versions provide rules out the man-in-the-middle attacks that were possible with SSLv2.

Key length

Various cryptographic algorithms with different key lengths can be used with SSL, for example RC2 or RC4 with a 40-bit or 128-bit key length, DES with a 56-bit key length, triple-DES with a 112-bit key length, or IDEA with a 128-bit key length, as well as hash functions such as MD5 or SHA-1 (see also S 3.23 Introduction to Basic Cryptographic Terms in this connection). The client and server must agree on the procedures to be used in the session at the time when the connection is established.

In some browsers from US vendors, the integrated encryption procedures have only extremely short key lengths (40-bit), on account of the US export restrictions. These cannot withstand a brute-force attack for long, i.e. an attack that simply tries out all possible keys. If the protection requirements for the transmitted data are low, this short key length may be adequate, and it at least protects against opportunist offenders. Otherwise, browser versions which offer encryption procedures based on at least an 80-bit key length should be used. International versions of the commonly used browsers which support 128-bit key lengths are now available.

Alternatively, add-on products developed by German companies which likewise permit the use of longer keys inside standard browsers should be used. Public domain software such as SSLeay or OpenSSL can also be used for this purpose.
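The agreement on procedures described in this section can be modelled with a key-length floor, so that a session is refused rather than silently set up with a 40-bit key. This is an added example, not part of the manual: the `Suite` labels, the `negotiate` function and the client and server lists are hypothetical, and the selection rule is a simplified model rather than the SSL wire protocol.

```python
from typing import NamedTuple, Sequence


class Suite(NamedTuple):
    name: str      # label made up for this example, not a protocol identifier
    key_bits: int  # symmetric key length as listed in the text


# Algorithms and key lengths named in the section above.
RC4_40, DES_56 = Suite("RC4-40", 40), Suite("DES-56", 56)
TDES_112, RC4_128 = Suite("3DES-112", 112), Suite("RC4-128", 128)
IDEA_128 = Suite("IDEA-128", 128)


class NoAcceptableSuite(Exception):
    """Raised instead of silently falling back to a short key."""


def negotiate(client_offer: Sequence[Suite], server_supported: Sequence[Suite],
              min_bits: int = 80) -> Suite:
    """Pick the first suite in the client's preference order that the server
    also supports and that meets the key-length floor."""
    for suite in client_offer:
        if suite.key_bits >= min_bits and suite in server_supported:
            return suite
    shared = [s.name for s in client_offer if s in server_supported]
    raise NoAcceptableSuite("only short-key suites in common: %s" % (shared or "none"))


# Constructed configurations (assumptions for illustration only).
SERVER = [IDEA_128, RC4_128, TDES_112, DES_56, RC4_40]
EXPORT_BROWSER = [RC4_40, DES_56]                    # short keys only
INTERNATIONAL_BROWSER = [RC4_128, TDES_112, RC4_40]  # 128-bit capable

if __name__ == "__main__":
    print(negotiate(INTERNATIONAL_BROWSER, SERVER))       # strong suite chosen
    print(negotiate(EXPORT_BROWSER, SERVER, min_bits=0))  # no floor: 40-bit session
    try:
        negotiate(EXPORT_BROWSER, SERVER)                 # floor of 80 bits: refused
    except NoAcceptableSuite as exc:
        print("refused:", exc)
```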

Certificates

One difficult problem with data communication across open networks is how to check the identity of communication partners, because one cannot rely on the stated name actually being correct. With SSL, the identity of communication partners is checked by means of certificates. A certificate contains the holder's public key together with confirmation, provided by another authority, that this public key is correctly assigned to its "owner", in this case a server or client. The value of a certificate is therefore dependent not least on the trustworthiness of this verification entity (also known as a trust centre or certification body). The genuineness of the certificate can, in turn, be checked using the public key of the verification entity.

Three different types of certificates may be distinguished with SSL:

All browsers come supplied with SSL certificates from certain certification bodies when they are installed. These certification bodies have very different security guidelines and conditions under which they grant certificates. Initially, therefore, all certificates should be deactivated, and only reactivated when you are convinced that their security policy satisfies your own security needs.

When a new certificate is adopted, care should be taken to ensure that it is not activated until its fingerprint has been checked. The fingerprint is a hexadecimal number that is transmitted together with the certificate. It should also be transmitted via a different route and compared, to ensure that the certificate is correct.
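The fingerprint comparison described above can be scripted as follows. This is an added example, not part of the manual: the function names and `SAMPLE_DER` (constructed stand-in bytes, not a real certificate) are assumptions, and the hash algorithm is inferred from the length of the fingerprint received by the separate route.

```python
import hashlib
import hmac
import re
import ssl

# Hex-digit count of a fingerprint -> hash that produces it (MD5 for legacy values).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for DER certificate bytes, so the example runs offline.
SAMPLE_DER = bytes.fromhex("3082010a") + b"constructed example, not a real certificate"


def normalize(fp_text: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    digits = re.sub(r"[\s:.-]", "", fp_text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("fingerprint is empty or not hexadecimal")
    return digits


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Hex digest over the whole DER-encoded certificate."""
    return hashlib.new(algo, der_cert).hexdigest()


def matches_out_of_band(der_cert: bytes, trusted_fp: str) -> bool:
    """Compare a received certificate with a fingerprint obtained by another route."""
    expected = normalize(trusted_fp)
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:  # a truncated or padded value must never count as a match
        raise ValueError("unexpected fingerprint length: %d hex digits" % len(expected))
    return hmac.compare_digest(fingerprint(der_cert, algo), expected)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a server presents, without trusting it yet."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    printed = fingerprint(SAMPLE_DER, "sha1").upper()  # value received by the other route
    print(matches_out_of_band(SAMPLE_DER, printed))            # genuine certificate
    print(matches_out_of_band(SAMPLE_DER + b"\x00", printed))  # substituted certificate
```

Activate the certificate only when `matches_out_of_band` returns `True`; a `ValueError` means the reference fingerprint itself is unusable and must be obtained again.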

Operators of WWW servers who intend exchanging security-relevant data with visitors to their websites should offer a channel protected by cryptographic techniques, e.g. SSL, for this purpose.

Note: If users are protected against active content and computer viruses by a firewall, this protection does not extend to SSL connections, because the firewall cannot inspect the encrypted data. Users of SSL must therefore implement their own protective measures against these risks, as described for example in S 4.33 Use of a Virus Scanning Program on Exchange of Data Media and During Data Transfer and S 5.69 Protection Against Active Content.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: October 2000