Internet Security Protocols

You go to a website and you decide to buy a book or a CD or an airline ticket. You enter your credit card number into the little box, and the website says “Thank you.” A few days later, your purchase arrives at your home and at the end of the month your credit card bill shows up and nobody has stolen your number and taken a free trip to Tokyo for a shopping spree.

The sigh of relief you breathe has been brought to you in part by Daniel Simon, a cryptographer at Microsoft Research. Simon is one of many contributors to the world standard for Internet security protocols, called Transport Layer Security or TLS, an evolution of the Secure Sockets Layer first developed by Netscape Communications.

Network traffic – and the Internet is the biggest network of all - runs on a series of seven layers, each successive layer offering more reliability and automation in getting the information from one machine over the vast web of wires. TLS provides security at the Transport Control Protocol (TCP) level, the layer that guarantees that all the packets will arrive at the same time and in the right order.

Once the connection has been established between your home computer and the merchant’s server, the two machines perform a “handshake:” the server transmits the merchant’s public key code to your machine. Your machine, which is called the client, encrypts a “session key” (basically a random string of bits) using the server’s public key. For the rest of the transaction, your personal information and credit card number are encrypted and authenticated using keys derived from this single key. That way, the public key operation, which places heavy computational demands on each computer, only needs to be done once, and the rest is done using symmetric cryptography between the server and client, both of whom now know the session key.

The transmission is as secure as can be. Even with a 128-bit key now used for most ordinary ecommerce transactions, a thief using a brute force attack on the cryptosystem would have to have a trillion PCs running for the life of the universe so far in order to get your credit card number. So relax.

So far, so good, say the cryptographers at Microsoft Research, but they continue to search for new ways to encrypt information and investigate mathematical techniques they think might be useful in breaking existing cryptosystems

Testing security programs is very hard: just because the guy you hire to break in can’t do it doesn’t mean no one can. “There’s always a smarter hacker somewhere,” says Simon. These days, people try to break the cryptography of secure systems to show the world how smart they are, but when the day comes that large sums of money are at stake, they’ll redouble their efforts.

The Cryptography Group at Microsoft Research acts as security consultants to a number of Microsoft product groups. “We tell them: don’t try this at home, come to us,” Simon says. Simon believes that the basic framework for Internet security protocols is solid, and the days of people breaking secure code may be numbered. “Is it the end of an era? Maybe.”