Communication between your computer (client) and the material data system (server) is based on the Secure Socket Layer Protocol (SSL). Two types of encryption are used under SSL:
Symmetrical encryption: Here sender and recipient have the same key. Messages are encoded and decoded using the same key. The key must be known only to the sender and recipient and must therefore be exchanged via a secure channel.
Asymmetric encryption: Here, a pair of keys is used which consists of a public key and a private key. A message encoded with one of the keys can be decoded only with the other key. Asymmetric encryption has the advantage that one of the keys need not be kept secret. SSL uses asymmetric encryption in accordance with the RSA procedure. RSA stands for the inventors of this procedure: Rivest, Shamir and Adleman.
Asymmetric encryption is, however, much slower compared to the symmetric procedure. Thus it is used only for the secure exchange of a symmetric key - the session key. All customer and transaction data are then encoded with this session key. In detail, a secure connection is made under SSL in the following way:
- The client informs the server that it wants to set up a session.
- The server sends its public key to the client. This key is then used to transmit the session key. The server sends the key in the form of a certificate so that the client can be sure that the public key does indeed come from the correct server. The certificate has been issued by a trustworthy independent institution, a certification authority, and contains information uniquely identifying the server in addition to the public key of the server. The certificate is signed with the private key of the certification authority to guarantee the authenticity and integrity of the key. The material data system uses VeriSign certificates in accordance with the ISO X.509 standard.
- The VeriSign public key has been integrated in the client's browser as standard. The browser uses this key to check the signature of the certificate. If this check is successful, the authenticity of the certificate has been proven.
- The client generates a session key by means of random numbers. This session key is valid only for this one session. The client encodes the session key with the public key of the server so that it can be decoded only by the server.
- The client sends the session key to the server. This decodes the session key with its own private key. This completes the setup of a secure session.
- Now the actual exchange of messages between client and server starts. All messages during this session are encoded and decoded with the symmetric session key. To be able to recognise changes to the message, if any, during transmission, a message authentication code (MAC) is added to each transmitted message.
- At the end of the session, the session key is deleted on client and server.
To use the security protocol SSLv3, the browsers contain certificates of so-called CAs (certification authorities). These CA certificates are integrated with the browser software from the start and thus removed from our direct influence. In general, certificates only have a limited validity. When selecting a page protected with the SSLv3 security certificate, an expired CA certificate can cause an error message - depending on the browser version. The security of the connection is not affected by this, but in some case disconnection may occur. Thus connection problems may arise when selecting secure servers with old browser versions. Specifically, you may no longer be able to use the material data system.
The problem referred to here is caused by the fact that certificates only ever have limited periods of validity. So-called server certificates, for example, have a validity of one year and are then extended by a further year before expiry. These server certificates are under the direct control of the operator; the certificates on our servers are kept current by us. Before expiry, the validity is extended by us for a further year. The CA certificates affected are, however, part of the browsers and thus already supplied with the browser software. The above-mentioned older browser versions may contain older CA certificates; the periods of validity have been set by the relevant certification authority on issue. Newer browser versions generally contain CA certificates with longer periods of validity.
Further detailed technical information
Experts or persons interested in the technical aspects of this topic, can obtain further interesting background information (in English) from Verisign.