Encryption and Authentication Process
When transferring encrypted data or email messages, encryption alone is not always sufficient to ensure the integrity of the data or the authenticity of the sender. Adding an authentication layer to the encryption process provides a level of trust and prevents hackers from impersonating legitimate users. The use of digital certificates, digital signatures, and encryption with public and private key pairs ensures the origin and legitimacy of transmitted information.
Applied Encryption Processes
Most modern dynamic encryption uses a combination of
- symmetric-key encryption,
- asymmetric-key encryption, and
- hash (one-way) functions.
This combination capitalizes on the strengths of each type of encryption while minimizing their weaknesses: the symmetric cipher handles bulk data efficiently, the asymmetric cipher protects the symmetric key and proves identity, and the hash function detects tampering.
Programs such as Internet Information Server (IIS), Tomcat, PGP, Microsoft Exchange Server, and Windows Server 2012, as well as protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME), PGP MIME (PGP/MIME), and SSL, all employ a combination of symmetric-key, asymmetric-key, and hash encryption. Virtual private networks (VPNs), which are extended local area networks that allow a company to conduct secure, real-time communication, and protocols such as Secure HTTP (S-HTTP) also use such combinations.
Secure HTTP (S-HTTP) uses asymmetric encryption to secure online transactions, but as soon as the connection is established, it switches to a symmetric key for the rest of the session. Most browsers support this protocol, including Microsoft Internet Explorer, Mozilla, and Chrome.
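The following program is an added example (not code from the original text or from any of the products it names) showing the three-way combination the preceding paragraphs describe: a fresh symmetric key (AES-256-GCM) protects the bulk data, the recipient's asymmetric public key (RSA-OAEP) protects that session key, and a hash (SHA-256) under the sender's RSA-PSS signature proves origin and detects tampering. The envelope structure, the function names and the sample message are assumptions made for this example, not a real protocol format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what actually travels over the network (constructed format for
// this example): the RSA-wrapped session key, the AES-GCM nonce and
// ciphertext, and the sender's RSA-PSS signature over all of them.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// NewIdentity generates an RSA key pair for one party.
func NewIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// envelopeDigest hashes the fields a recipient will see. Each field has a
// fixed length here (RSA modulus size, 12-byte GCM nonce, then the rest), so
// plain concatenation is unambiguous.
func envelopeDigest(wrapped, nonce, ct []byte) []byte {
	h := sha256.New()
	h.Write(wrapped)
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for recipientPub and signs the result with senderPriv.
func Seal(msg []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	// Symmetric step: a fresh AES-256 key protects the bulk data.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)

	// Asymmetric step: only the recipient's private key can unwrap the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Hash + signature step: proves origin and detects any change to the envelope.
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, envelopeDigest(wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open checks the sender's signature first, then unwraps the session key and
// decrypts; the GCM tag check inside gcm.Open is a second integrity check.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := envelopeDigest(env.WrappedKey, env.Nonce, env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest, env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the claimed sender, or modified in transit")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	bob, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	env, err := Seal([]byte("constructed sample message"), &bob.PublicKey, alice) // Alice -> Bob
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
}
```

Note the order in Open: the signature is verified before any decryption is attempted, so a message that does not come from the claimed sender is rejected without the recipient's private key ever being used on attacker-controlled ciphertext.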
Secure Sockets Layer (SSL) and Digital Certificates
The Secure Sockets Layer (SSL) protocol allows users to configure their applications to privately exchange data over public networks. SSL helps prevent eavesdropping, tampering, and message forgery. SSL 3.0 is an Internet Engineering Task Force (IETF) specification.
(The IETF is an organization that determines the standards and protocols for the Internet. You can learn more about the IETF at www.ietf.org.) All major web browsers and many e-mail clients support SSL, as do many additional applications used in the security industry.
SSL sessions occur on TCP port 443 by default.
SSL uses a digital certificate
SSL uses a digital certificate to enable two applications to authenticate over a network. A digital certificate is created by a certificate authority, which is a trusted third party that attempts to determine the validity of a certificate request from a person or host.
Once a digital certificate is signed by a certificate authority, it enables a server to prove its identity to a client. The SSL session established with that certificate also ensures data confidentiality, because it encrypts all information exchanged between the client and the server. Finally, SSL provides data integrity services, because it uses one-way (hash) functions to ensure that data has not been altered in transit. Essentially, a digital certificate is a specific form of an asymmetric key, except that digital certificates contain several fields that help a client (e.g., a web browser) decide whether the server is authentic. Each of these fields is governed by the X.509 standard, as defined by RFC 2459. SSL encryption occurs above the Transport layer of the Open Systems Interconnection Reference Model (OSI/RM).
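As an added example (not from the original text or from any SSL implementation), the program below builds a toy certificate authority, issues a server certificate signed by it, prints the X.509 fields a client inspects, and then performs the three checks a browser applies to a received certificate: the signature chain up to a trusted root, the validity period, and that the name the client connected to matches the certificate. The CA name, host name, lifetimes and function names are all assumptions made for this example; the PKI it builds is not a real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with signer's key, naming parent as the issuer; when
// parent == template the certificate is self-signed (a root CA).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse the DER back into its X.509 fields
}

// BuildChain constructs a toy PKI for this example: a self-signed root CA and
// a server certificate it signs for serverName. Names and lifetimes are made up.
func BuildChain(serverName string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // the name a browser matches against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server, err := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, server, nil
}

// VerifyServer applies the client-side checks: chain to a trusted root,
// validity period (against the current time), and host name match.
func VerifyServer(server, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DescribeFields returns the X.509 fields a client inspects before trusting a certificate.
func DescribeFields(c *x509.Certificate) map[string]string {
	return map[string]string{
		"Subject":   c.Subject.String(),
		"Issuer":    c.Issuer.String(),
		"Serial":    c.SerialNumber.String(),
		"NotBefore": c.NotBefore.UTC().Format(time.RFC3339),
		"NotAfter":  c.NotAfter.UTC().Format(time.RFC3339),
		"SANs":      fmt.Sprint(c.DNSNames),
		"IsCA":      fmt.Sprint(c.IsCA),
		"SigAlg":    c.SignatureAlgorithm.String(),
	}
}

func main() {
	ca, srv, err := BuildChain("www.example.com")
	if err != nil {
		panic(err)
	}
	for k, v := range DescribeFields(srv) {
		fmt.Printf("%-9s %s\n", k, v)
	}
	fmt.Println("correct name:", VerifyServer(srv, ca, "www.example.com"))
	fmt.Println("wrong name:  ", VerifyServer(srv, ca, "other.example.com"))
}
```

The second VerifyServer call fails even though the certificate is genuine and correctly signed: a certificate only proves that the CA vouched for a particular name, so a client that skips the name check (or adds an untrusted root to its trust store) loses the authentication that the signature was supposed to provide.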
SSL uses a six-step handshake process to build a connection between a client and a server.