Security and privacy is a concern for everyone who uses the
Internet, and the ability to provide secure transactions over the
Internet has become one of the key requirements for many business
applications. SocketWrench .NET has the ability to establish
secure, encrypted connections with remote hosts using one of
several standard security protocols. Although most of the technical
issues such as data encryption are handled internally by the
component itself, a general understanding of the standard security
protocols is useful when designing your own applications.
When you establish a connection to a server over the Internet (for
example, a web server), the data that you exchange is typically
routed over dozens of computer systems until it reaches its
destination. Any one of these systems may monitor and log the data
that it forwards, and there is no way for either the sender or
receiver of that data to know if this has been done. Exchanging
information over the Internet could be likened to talking with
someone in a public restaurant. Anyone can choose to listen to what
you're saying, and unless they introduce themselves, you have no
idea who they are or if they've even heard what you said.
To ensure that private information can be securely exchanged over
the Internet, two basic requirements must be met: there must be a
way to send that information so that only the sender and the
receiver can understand what is being exchanged, and there must be
a way for them to determine that they each are in fact who they
claim to be. The solution to the first problem is to use
encryption, where a key is used to encrypt and decrypt the data
using a mathematical formula. The second problem is addressed by
using digital certificates. These certificates are issued by a
certificate authority (CA), which is a trusted third-party
organization who verifies the individual or company which is issued
a certificate are who they claim to be. These two concepts,
encryption and digital certificates, are combined to provide the
means to send and receive secure information over the
Internet.
The Secure Sockets Layer (SSL) protocol was originally developed by
Netscape as a way to exchange information securely over the
Internet, and is still the most common protocol in use today. The
latest improvements to SSL have resulted in the Transport Layer
Security (TLS) protocol, and it is beginning to replace SSL as the
standard for secure communications over the Internet. Microsoft
also developed a protocol similar to SSL called the Private
Communication Technology (PCT) protocol. All of these protocols
were designed to provide essentially the same thing: a private
exchange of encrypted data between the sender and receiver, making
it unreadable by an intermediate system. Using the restaurant
analogy, it would be as if two people were speaking in a language
that only they could understand. Although someone sitting at the
next table could listen in on the conversation, they wouldn't have
any idea what was actually being said.
A secure connection, for example between a web browser and a
server, begins with what is called the handshake phase where the
client and server identify themselves. When the client first
connects with the server it sends a block of data to the server and
the server responds with its digital certificate, along with its
public key and information about what type of encryption it would
like to use. Next, the client generates a master key and sends this
key to the server, which authenticates it. Once the client and
server have completed this exchange, keys are generated which are
used to encrypt and decrypt the data that is exchanged. With the
handshake completed, a secure connection between the client and
server is established. SocketWrench handles the handshake phase of
the secure connection automatically and does not require any
additional programming. If a secure connection cannot be
established, an error is returned and the network connection is
closed.
After the handshake phase has completed, the client may choose to
examine the digital certificate that has been returned by the
server. The information contained in the certificate includes the
date that it was issued, the date that it expires, information
about the organization who issued the certificate (called the
issuer) and to whom the certificate was issued (called the subject
of the certificate). The client may also validate the status of the
certificate, determining if it was issued by a trusted certificate
authority and was returned by the same company or individual it was
issued to. There may be certain cases where the client determines
that there's a problem with the certificate (for example, if the
certificate's common name does not match the domain name of the
server), but chooses to continue communicating with the server.
Note that the connection with the server will still be secure in
this case. In other cases, for example if the certificate has
expired, the client may choose to terminate the connection and warn
the user.