How Secure is SSL, really?
(If you have 200 computers, a degree from Harvard and about 500 hours of time, you might crack the code.)
Secure Sockets Layer uses public key encryption mechanisms which were developed by RSA Data Security Inc. These are well known, secure algorithms. In the export version of SSL (such as the version included in Navigator and other Netscape products available outside the US), a 40 bit key is used for the encryption. It was recently reported that using brute force methods, the key was cracked. Brute force methods basically implies trying every possible combination of bits until the correct one is found. The number of combinations which would need to be examined is 2 to the power of 40, which is 1,099,511,627,776 different keys; and you need to analyse the data for each test key to find out if you've actually hit upon the correct one. Clearly, without a very very significant computing resource, a brute force technique is not really going to be viable. One of the first examples of a crack of the 40 bit export version key used a network of 120 computers, as well as a number of parallel computers, and it took about 8 days to search half the keyspace. However, more recently, RSA challenged users to break the cipher for a reward of $1000. A graduate student claimed to have succeeded in just three and a half hours. However, he used 250 computers. Obviously, it probably isn't going to be worthwhile cracking a 40 bit key for a credit card number.
For US-Domestic versions of the protocol, 128 bit keys are used. Such a key is realistically impossible to crack by brute force methods using current computing technologies. We don't have a computer fast enough to break the key in any reasonable length of time; for this reason, it is often stated that the amount of time required to break the key is infinite, although there would be a finite time to completion and too bad if the universe ends before you have the key.
So What is SSL?
Secure Sockets Layer is actually an industry standard protocol which makes use of public key encryption technologies outlined above to provide a secure service between hosts.
There are basically three different services provided by SSL, and all use public key techniques; message privacy, message integrity, and message authentication.
Message privacy in SSL is accomplished through a combination of both public key and symmetric key encryption techniques. Basically, all the traffic between a client and server system is encrypted using a key and and encryption algorithm which is decided by both the client and server during the initial negotiation of the connection.
Message integrity makes sure that the traffic between two hosts using SSL is not modified in transit. SSL uses a technique called hashing to make sure that the integrity of the messages is guaranteed between hosts. A special algorithm (in computer science terms, a hashing function) is decided between the hosts which generates a message digest of data being sent. The message digest is appended to the data being transmitted. At the recipent's end of the connection it is recomputed and compared with the original. Exact matches indicate a message which has not been modified in transit.
Mutual authentication is carried out by SSL using X.509 certificates, which are exchanged by the communicating machines at the time they initiate connections. The authentication is generally carried out by the server, which is attempting to verify its identity to the client, but can also be requested by the server, if it's necessary for the client to prove its identity as well.
SSL is an interesting protocol, because it sits between the application and the normal TCP/IP protocol stack. In other words, applications need to be rewritten to take advantages of its facilities. Once the secure session is established, however, applications can treat the connection just like any other data stream between hosts.