11.2 Understanding SSL
The main role of SSL is to provide security for Web traffic. Security includes confidentiality, message integrity, and authentication. SSL achieves these elements of security through the use of cryptography, digital signatures, and certificates.
11.2.1 Cryptography
SSL protects confidential information through the use of cryptography. Sensitive data is encrypted across public networks to achieve a level of confidentiality. There are two types of data encryption: secret key cryptography and public key cryptography.
Secret key cryptography – also known as symmetric cryptography. It uses the same key for encryption and decryption. An example of symmetric cryptography is a decoder ring. Alice has a ring and Bob has the same ring. Alice can encode messages to Bob using her ring as the cipher. Bob can then decode the sent message using his ring. In cryptography, the “decoder ring” is considered a preshared key. The key is agreed upon by both sides and can remain static. Both sides must already know each other and have agreed upon which key to use for the encryption and decryption of messages.
Figure 11-1 Secret Key Encryption/Decryption
Public key cryptography – uses one key for encryption of data and a separate key for decryption. It is more favorable than secret key cryptography because even if a third party learns the encryption key used in one direction, it still needs to know the other key in order to decrypt the message in the other direction.
Figure 11-2 Public Key Encryption/Decryption
11.2.2 Digital Signatures
To ensure the integrity of messages transmitted via the Internet, each message exchanged via SSL has a digital signature attached to it. A digital signature is a hashed message digest which is encrypted by a hash algorithm and contains public key information. The message digest is generated based on the checksum results on the message. The message digest cannot be reversed by an algorithm. Thus, both parties compute the message digest separately and then compare the hashed results. If their computed results match, it means the message has not been altered during transmission over the Internet, which minimizes the chances of information leakage.
Figure 11-3 Digital Signatures
11.2.3 Certificates
Certificates contain information identifying the user/device. They are digital documents that will attest to the binding of a public key to an individual or other entity. They allow verification of the claim that a specific public key does, in fact, belong to the specified entity. Certificates help prevent someone from impersonating the server with a false key. SSL uses X.509 standard certificates to validate identities. X.509 standard certificates contain information about the entity, including public key and name. A certificate authority then validates this certificate.
Table 11-1 X.509 Certificate
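Certificate Information | Algorithm Identifier |
Certificate Information | Serial Number |
Certificate Information | Version |
Certificate Information | Issuer |
Certificate Information | Period of Validity |
Certificate Information | Subject |
Certificate Information | Subject’s Public Key |
Certificate Information | Issuer Unique ID |
Certificate Information | Subject Unique ID |
Certificate Information | Extensions |
Signature |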
11.2.3.1 Client Certificate Parse
A backend real service needs information from the client certificate before processing the client's requests, but the backend server itself cannot recognize and analyze a complete SSL certificate. The FortiBalancer appliance parses the client certificate into many fields and then transfers them to the backend server through HTTP URL request parameters or HTTP headers.
The FortiBalancer appliance supports using the certificate parser (Fortinet patent) to verify the client certificate quickly.
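The backend side of this hand-off, as an added example (not FortiBalancer code or configuration): it reads the forwarded certificate fields from HTTP headers or URL parameters and accepts them only on connections that come from the appliance. The field names, the trusted address range and the sample request are assumptions constructed for illustration; use the names and addresses configured in your deployment.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: back-side addresses of the appliance (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]
# Assumption: hypothetical field names; use the names configured on the appliance.
FIELDS = {"x-client-cert-subject": "subject", "x-client-cert-issuer": "issuer",
          "x-client-cert-serial": "serial", "x-client-cert-notafter": "not_after"}
REQUIRED = {"subject", "issuer", "serial"}


def client_cert_fields(peer_ip, url, headers):
    """Return forwarded certificate fields as a dict, or None if untrustworthy.

    peer_ip: address of the TCP peer; url: request target;
    headers: list of (name, value) pairs exactly as received.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # only the appliance may assert a client identity
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    for name, values in parse_qs(urlsplit(url).query).items():
        seen.setdefault(name.lower(), []).extend(values)
    result = {}
    for wire_name, key in FIELDS.items():
        values = seen.get(wire_name, [])
        if len(values) > 1:
            return None  # same field supplied twice: ambiguous, reject
        if values:
            value = values[0].strip()
            if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
                return None  # empty or contains control characters
            result[key] = value
    if not REQUIRED.issubset(result):
        return None  # request did not carry a complete certificate identity
    return result


# Constructed sample request, as the backend might receive it from the appliance.
SAMPLE_HEADERS = [("Host", "app.example.internal"),
                  ("X-Client-Cert-Subject", "CN=alice,O=Example Corp"),
                  ("X-Client-Cert-Issuer", "CN=Example Issuing CA"),
                  ("X-Client-Cert-Serial", "01A4")]

if __name__ == "__main__":
    print(client_cert_fields("10.0.0.2", "/orders?id=7", SAMPLE_HEADERS))
    print(client_cert_fields("192.0.2.50", "/orders?id=7", SAMPLE_HEADERS))
```

The check on the peer address only helps if the backend is reachable solely through the appliance's back-side network; the field values are identity assertions made by the appliance, not a certificate the backend has verified itself.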