
Effectiveness of SSL and Certification Authentication to Protect Clients - Research Paper Example

Summary
The paper "Effectiveness of SSL and Certification Authentication to Protect Clients" focuses on the critical analysis of the concepts of the secure socket layer (SSL) and certificate authentication to determine how the client can be better protected…

Extract of sample "Effectiveness of SSL and Certification Authentication to Protect Clients"

The Effectiveness of SSL and Certification Authentication and how the Client can be Better Protected

Chapter One: Introduction

Data security today is an increasingly hot topic amongst the global community, particularly in an age where information exchanged digitally is vulnerable to misuse should it fall into the wrong hands. While the days of storing data on paper might now appear to have been cumbersome, from a logistics and security perspective it was often easier to maintain the integrity of the data and keep it out of the hands of the wrong people (Alnatheer, 2014). Today, data stored digitally can be accessed by nearly anyone from any location around the globe if it is not properly secured. Clients deserve to know how their personal information is being stored and what is being done to protect their information from getting into the wrong hands. To this end, the SSL and Certificate Authentication processes have been developed and refined over the years to better protect the client and enhance the security of information stored digitally and electronically via the Internet and other mediums (Alnatheer, 2014).

Problem Statement

The problem is that the Internet is increasingly becoming a place where the transmission of private information, such as credit card data, is a potentially dangerous activity that could result in the data being intercepted by hackers that would seek to do harm.

Purpose of the Study

The purpose of this study is to examine and analyze the concepts of the secure socket layer (SSL) and certificate authentication in order to determine how the client can be better protected. The objective is to determine how this technology is currently being utilized to make the transmission of electronic data via the Internet safer and more secure, while also looking at potential barriers to security that must be addressed moving forward.
Failure to address these important issues will undermine the very integrity of the Internet and potentially lead to a general populace that is leery of trusting Web sites with their most private and confidential information.

Research Question

Research questions are invaluable to the researcher in terms of guiding him or her in the proper direction, in addition to working to ensure that the project remains focused and relevant to the reader. In consideration of this, this particular study has several main questions that, when answered, will lead to the conclusions that form the basis for chapter 5. This will enable the reader to effectively ascertain the need to keep clients safe when transmitting information online, and how SSL and certificate authentication can help to make this possible.

Primary Research Question

What are the functions of SSL and certificate authentication?

Subsidiary Questions

How do SSL and certificate authentication lead to better client safety and security when transmitting data online?

What threats are as yet unaccounted for when transmitting private data online, and what can be done to enhance security measures in the future?

Definition of Terms

Authentication Certificate - Digital certificate with which access is granted to a particular online system for the purpose of completing electronic transactions or other secure electronic dealings. It is meant to act as an electronic document that contains information in five key areas: 1) the entity that it belongs to; 2) the entity that issued and authorized it; 3) the unique serial number or some other form of unique identification; 4) the dates that the certificate is valid for; and 5) a digital fingerprint (El-Hajj, 2012).

Secure Socket Layer (SSL) - This is meant to be the current standard in security technology that is designed to establish an encrypted link between a web server and a corresponding browser.
The link works to make certain that the data that passes between the web server and browsers remains private and confidential (El-Hajj, 2012).

Remote Timing Attack - Term used to describe a situation where the attacker observes the time taken to execute specific cryptographic parameters (El-Hajj, 2012).

Truncation Attack - Occurs when an attacker prematurely closes the SSL session between two users (El-Hajj, 2012).

Limitations of the Study

There are certain limitations to this study, most revolving around the fact that Internet security is a constantly changing and fluid topic. One patch in Internet security developed by service providers and IT specialists today, for example, is likely to be hacked by individuals desiring to do harm tomorrow. As such, studies such as this one will need to be constantly updated in order to provide the most relevant and timely information to the end user. At the same time, the basis for this research is sound to the degree that it demonstrates why clients need to be protected, and the measures that must be implemented moving forward to maintain the security and safety of electronic data transmission.

Chapter Two: Review of the Literature

Since the concept of the secure socket layer was established, attacks have been targeting its very concept because there is a certain element within society that aims to threaten the very integrity and security of transactions taking place on the Internet. The attacks that are being perpetrated today have either exploited certain vulnerabilities in the SSL system itself, or they have highlighted the vulnerabilities in the very services that SSL itself uses. These services include certificates and web browsers (Tarkeshwar, 2011). From the perspective of the end user, or client, it is imperative that these vulnerabilities be patched up to the greatest extent possible in order to provide individuals with the security they need when conducting transactions online.
This issue is so important today because of the growing evolution of the Internet. People today now realize, more than ever before, the importance of securing data of a sensitive and confidential nature. This includes information that might be transmitted over a public Internet accessible by individuals who might seek to do harm, such as the interception of credit card information, usernames, passwords, and a host of other personal information that individuals desire to keep private (Tarkeshwar, 2011). Out of this desire to maintain the security and integrity of data transmitted openly over the Internet, the secure socket layer has been developed as one of the most critical and well-known protocols whose sole function is to maintain data confidentiality and integrity. The SSL system is also designed to provide authentication services for all affected transactions occurring on the Internet.

There are two primary levels of attacks that most Internet users are susceptible to, aptly named either Category 1 or Category 2 attacks. Individual users are also susceptible to remote timing attacks, without even being aware of it, which results in compromised SSL security. In addition, when a truncation attack occurs, unsuspecting users who believe they have established an SSL connection begin to share private data through a now open connection that is not encrypted (Chou, 2012). While these might be the most common types of attacks that have necessitated certificate authentication procedures, research shows an ever-growing list of possible modes of attack that Web users are prone to experience.

It should be noted that, “When someone tries to access a secure website such as Gmail or Paypal, some sensitive information, for instance passwords, might need to be exchanged between the client and server” (El-Hajj, 2012, p. 115). When this need arises, the user is able to exchange such information securely, as noted by the change from HTTP to HTTPS.
Most clients, however, must be able to reasonably trust the SSL connection that they are operating under, as they will not be able to notice any signs of Category 1 or 2 attacks, or of remote timing or truncation attacks.

While SSL was designed as a cryptographic protocol by the Netscape Corporation, it is now seamlessly integrated into most well-known Internet browsers. Among these are Internet Explorer, Mozilla Firefox, Opera, Safari, and Google Chrome. In addition, most Web server based products offer some level of SSL protection. Establishing an SSL connection works to provide the end user with confidentiality of information, integrity of the data, and a certain level of authentication that enables communication over TCP/IP networks (Chou, 2012).

An SSL connection is established by means of server authentication. This feature of the process enables the end user, or client, to verify the identity of the server. This is critical to the integrity of the entire system. At this stage, the SSL-enabled client software component works to use an encrypted public key to verify that both the server’s certificate and public identification are actually valid (Sikorski & Peters, 2009). Assuming that is the case, the system will then work to confirm that the certificate has actually been issued by a trusted certifying authority, and that this company is actually on the list of trusted authentication companies as per the client. This part of the verification process is critical for any user that might be sending private information that must remain secure, such as credit card information, over a network. The SSL authentication process, then, serves as a mechanism that can help the user be certain that the server on the other end of the line is truly who it claims to be. Assuming all of these checks are verified to be in proper working order and authenticated, then an SSL connection is made (Sikorski & Peters, 2009).
A review of the literature also reveals the importance of SSL client authentication. Within the SSL protocol itself is a built-in feature that enables a server to verify the client’s identity by the very same process as that of the SSL server authentication, only in reverse. While this might be an optional feature in many situations, such as a client to business environment, it has become essential and mandatory in most business to business environments. Within this context, any SSL-enabled server software package can work to verify the validity of both a client’s certificate and the public ID that they are working off of (Okyeon, 2014). In addition, such software is designed to check if the certificate itself has truly been issued by a server that is trusted. In this regard, the verification of the server is essential for the security of the client’s information, as can be seen in the case of a bank server that has the responsibility of sending confidential financial information to a particular customer. In so doing, the bank wants to be certain that the client is exactly who he or she claims to be. Failing to do so can result in sensitive information being wrongly intercepted and received by a third party.

Chapter Three: Methodology

The approach for this study was that of a meta analysis. Under such a methodology, it was important to follow a set process that enabled the researcher to better analyze current studies in the field of SSL and certificate authentication in an effort to determine the factors that will enhance client satisfaction and trust with the process. In an effort to efficiently accomplish each of the aims and goals of this particular study, a four step process of finding, selecting, abstracting, and analyzing relevant data and information that related directly to the topic was utilized.
Findings

The first part of this project involved searching for relevant articles related to the topic of SSL and client authentication certificates, with a particular focus on understanding how the client can be better protected. There were several critical sources of information that assisted the researcher in this endeavor, which included utilizing online electronic resources, scholarly journals in the information technology fields, and relevant websites devoted to the explanation of SSL and authentication certificates. Databases that were utilized during this search included ProQuest and EBSCO, making use of the online search capabilities of libraries around the globe.

Selection

As soon as a healthy number of sources were located that were directly related to the topic under investigation, this methodology entailed the researcher beginning the procedure of selecting individual studies that, in the end, would prove most helpful for a meta analysis study. Having a suitable number of studies compiled assisted in the review process. Much of this was narrowed down by looking at the year of publication, the design of the information located in a particular study, and the relevance to better understanding how the client can be better protected. After these studies were selected, an effort was made in the end to compile the data and write up the results.

Abstraction

Upon having located a group of studies that were recently published, and depending on other search parameters predetermined from the outset of the search itself, the process of abstracting data commenced. This was in an effort to compile only the data from each study that was truly relevant to this particular study. In order to minimize any errors that could possibly occur during this step of the process, an independent review process was utilized.
Once the data from that abstraction was collected, it was subsequently reported, and the percentage of agreement between the respective reviewers was written down. This step was useful in ensuring that accurate data was compiled based on currently published research and trends in the field related to SSL and certificate authentication.

Analysis

After the preceding three steps were completed in their entirety, the researcher was able to take all of the assembled data and analyze it in order to compile a report that could lead to conclusions about the ways to better protect clients using SSL and certificate authentication technology. This meta analysis was accomplished primarily by analyzing assembled studies in a homogenous manner. In so doing, each study was examined from the perspective of gleaning accurate information about SSL technology and certificate authentication and how these processes work to enable safe transmission of private data across the Internet.

Chapter Four: Data Analysis and Results

In examining various studies for this meta analysis, it became apparent that the focus of SSL today is on the recent attacks that have been occurring. Study after study reveals that security remains vulnerable today because of the persistence of hackers. As such, it is important to constantly upgrade certificates, make sure they are authenticated by a reputable body, and to safeguard against future attempts and vulnerabilities. It seems that many of the recent attacks aimed at SSL are based entirely on exploiting certain design vulnerabilities with the encryption system itself (Mogos, 2011). Many times, it is not necessarily the security protocol itself that is being attacked, but it is the lack of design features incorporating trust models and web browsers that seems to be the main factor causing many of the dangerous attacks today. In recent years, there have been numerous attacks aimed directly against SSL.
Many of these were attempts aimed at targeting the actual design of the web browsers by acting as if the request was coming from a trusted certificate. Once the validation process is complete, the browser that the client is using will deem that the forged certificate is actually an original and trusted one, establishing a secure channel with the hacker, and the online attack becomes successful. This reality alone illustrates the importance of the topic to better understand client safety and security protocols (Mogos, 2011).

Many studies consulted for this meta analysis discuss SSLSniff version 5. This particular version was designed specifically to exploit a vulnerability inherent to Internet Explorer by Microsoft. There was a possible leak that allowed leaf certificates to actually sign other certificates, which could potentially open them up to hacking attempts. The vulnerability itself appears to have originated from the program simply bypassing the basic constraint within the scope of validating a particular field. That attack is actually based on the MitM strategy, which incorporates a tool referred to as arpspoof. This is used to actually redirect traffic between the client and the server to the machine that is instigating the attack (Mishra, 2011). When the actual server sends a reply back to the client providing the necessary certificate, the attacker can then intercept the message. In essence, this enables that attacker to take on the actual identity of the client.

Security breaches, such as this one, are serving to undermine the very system inherent to SSL and certificate authentication. Attacks are too easily implemented today, almost to the point that any password parser can retrieve the credentials captured during an attack and then use them to cause harm. No operating system is immune from this, from Linux to Windows to the Mac Operating System (Houssam, 2014).
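
The server-authentication checks described in the literature review, and the leaf-certificate signing weakness described above, can be seen side by side in a small model. This is an added example, not code from the paper or from any browser: the `Cert` record, `validate_chain`, `verdict`, and all names and dates are constructed for illustration, hostname matching is reduced to exact equality, and signatures are assumed to verify (as they would in the case described, where the leaf really did sign the forged certificate).

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (a constructed model, not parsed X.509)."""
    subject: str          # 1) the entity the certificate belongs to
    issuer: str           # 2) the entity that issued it
    serial: int           # 3) unique serial number
    not_before: datetime  # 4) start of validity
    not_after: datetime   #    end of validity
    fingerprint: str      # 5) digital fingerprint (placeholder string here)
    is_ca: bool = False   # basic-constraints flag: may this cert sign others?


class ChainError(Exception):
    """Raised when a chain fails one of the checks."""


def validate_chain(chain, trusted, hostname, now, enforce_basic_constraints=True):
    """chain[0] is the server certificate; each later entry issued the one before.

    Signature verification is assumed to have succeeded and is not modelled.
    """
    if not chain:
        raise ChainError("empty chain")
    # The server certificate must be for the site the client asked for.
    if chain[0].subject != hostname:
        raise ChainError(f"certificate is for {chain[0].subject}, not {hostname}")
    # Every certificate must be inside its validity period.
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            raise ChainError(f"{cert.subject}: outside validity period")
    # Each link: the issuer name must match, and the issuer must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ChainError(f"{child.subject}: issuer does not match next cert")
        if enforce_basic_constraints and not parent.is_ca:
            raise ChainError(f"{parent.subject} signed a certificate but is not a CA")
    # The chain must end at an authority on the client's trusted list.
    if chain[-1].fingerprint not in trusted:
        raise ChainError("chain does not end at a trusted authority")
    return True


# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_START = datetime(2023, 1, 1, tzinfo=timezone.utc)
_END = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _cert(subject, issuer, serial, is_ca=False):
    return Cert(subject, issuer, serial, _START, _END, f"fp-{serial}", is_ca)


ROOT = _cert("Example Root CA", "Example Root CA", 1, is_ca=True)
LEAF = _cert("shop.example", "Example Root CA", 2)   # ordinary site certificate
FORGED = _cert("bank.example", "shop.example", 3)    # signed by the leaf
TRUSTED = {ROOT.fingerprint}                         # the client's trusted list

GOOD_CHAIN = [LEAF, ROOT]
FORGED_CHAIN = [FORGED, LEAF, ROOT]


def verdict(chain, hostname, enforce_basic_constraints=True):
    """Return 'accepted' or 'rejected: <reason>' for a chain and hostname."""
    try:
        validate_chain(chain, TRUSTED, hostname, NOW, enforce_basic_constraints)
        return "accepted"
    except ChainError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(verdict(GOOD_CHAIN, "shop.example"))
    print(verdict(FORGED_CHAIN, "bank.example"))
    print(verdict(FORGED_CHAIN, "bank.example", enforce_basic_constraints=False))
```

With the CA-flag check skipped, the forged chain passes every other test, which is why a validator has to enforce that flag on every issuing certificate and not only at the root.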
Once an attacker gains the credentials of a victim, the information can be used to steal credit card information and a host of other invaluable and private information.

Chapter Five: Conclusions

Purpose of the Study

The purpose of this study was to examine and analyze the concepts of the secure socket layer (SSL) and certificate authentication in order to determine how the client can be better protected. The objective was to determine how this technology is currently being utilized to make the transmission of electronic data via the Internet safer and more secure, while also looking at potential barriers to security that must be addressed moving forward. Failure to address these important issues will undermine the very integrity of the Internet and potentially lead to a general populace that is leery of trusting Web sites with their most private and confidential information.

Summary

A thorough understanding of SSL encryption technology is important due to the reality that information sent via the Internet is highly vulnerable as it is transported from the host computer to the ultimate server that is its destination. In an era where credit card numbers, usernames, passwords, and a host of other private information are sent back and forth, it is important to trust that the end server is who it claims to be. There is no way for the average client to know otherwise, so they must grow to trust the integrity of the SSL encryption system itself. Whenever an SSL certificate is in use, the information will truly be unreadable to anybody except for the destination server, thereby protecting the client from potential hackers and identity thieves. In the end, it is important to better understand potential threats and to continuously work to enhance the system to safeguard the increasing amount of private and confidential data being transmitted electronically around the world today.
Conclusions

This study has also shown that, in order to gain the trust of the client, a proper and valid SSL certificate is required in order to authenticate the encryption of data. Doing so enables the user to have a reasonable assurance that their private and confidential information is actually being sent directly to the correct server, as opposed to that of a hacker or criminal. This is of critical importance due to the very nature of the Internet itself. There are many times when a client will be sending their own private information via several different computers and servers. At any point along the way, if any of these computers gains access to the host server, it can actually act as an exact replica of the site, thereby tricking individuals into giving it their private information, such as credit card data, usernames, or passwords. This can only be safely avoided by using a correct public key infrastructure, in addition to obtaining an SSL certificate authenticated by a certified provider.

Significance of the Study

This study is significant because SSL is currently the industry standard for encrypting sensitive information that is transmitted electronically. The process of SSL has been designed with the purpose of keeping sensitive information private by first encrypting it such that only the intended end user can read and understand the data that is received. Without such a security feature, clients are not protected and they do not feel safe in using electronic mediums to communicate otherwise private and confidential information with an outside party. This study has highlighted the importance of SSL and certificate authentication, while drawing attention to potential attacks that are all too commonplace today.

Suggestions for Further Research

There is a great deal of research to be conducted in this area. One must consider, for example, whether there is a better system than the existing SSL encryption and corresponding certificate authentication.
While these mechanisms have worked well thus far, research shows that they are still highly vulnerable to attacks. Until some type of new technology becomes available, however, specialists in the field will need to continue to research and develop new methods for ensuring the safe transmission of electronic data via a secure socket layer. At the same time, individual users must become more confident that a trust certificate is truly speaking to the intended server. As of now, this is not always the case and it has led to a great deal of frustration on all fronts worldwide. Hackers and attackers will likely always be a threat to the integrity of the Internet, but with technological innovation to come this can possibly be minimized to the greatest extent possible.

References

Alnatheer, M. (2014). Secure society layer impact on web server performance. Journal of Advances in Computer Networks, 2(3), 211-217.
Chou, W. (2012). Inside SSL: The secure sockets layer protocol. IT Professional, 4(4), 47-52.
El-Hajj, W. (2012). The most recent SSL security attacks: Origins, implementation, evaluation, and suggested countermeasures. Security and Communication Networks, 5(1), 113-124.
Houssam, E. (2014). A secure electronic transaction payment protocol design and implementation. International Journal of Advanced Computer Science and Applications, 5, 172-180.
Mishra, A. (2011). Loopholes in secure socket layer and sniffing. International Journal of Computer Science and Information and Security, 9, 81-84.
Mogos, G. (2011). Secure socket layer protocol with entangled qutrits. Journal of Computer Science and Control Systems, 4, 93-96.
Okyeon, Y. (2014). Performance of converged secure society layer and CMVP. International Journal of Security and its Applications, 8(1), 273-282.
Sikorski, R., & Peters, R. (2009). Digital security. Science, 283(5405), 1133.
Tarkeshwar, N. (2011). Enhanced security in secure socket layer 3.0 specification.
International Journal on Computer Science and Engineering, 3, 3259-2364.
Weaver, A. (2012). Secure socket layer. Computer, 39(4), 88-90.

 

Cite this document
(“The effectiveness of SSL and Certification authentication and how can Research Paper”, n.d.)
The effectiveness of SSL and Certification authentication and how can Research Paper. Retrieved from https://studentshare.org/miscellaneous/1679159-the-effectiveness-of-ssl-and-certification-authentication-and-how-can-the-client-be-better-protected
