STRENGTHENING SSL SECURITY WITH ATTRIBUTE CERTIFICATE

Nowadays many people carry out activities and transactions over the internet in fields such as finance, banking, and business. These activities and transactions should be secure. Providing security and authorization control has become a major concern in the globalization of the internet. We are motivated by the need and urgency to handle the present situation and to put forward a strong authorization methodology for the global web environment. The Public Key Infrastructure in use today is meant to provide strong authentication through digital certificates. In this paper we introduce a new technology, Privilege Management Infrastructure, which provides strong authorization through attribute certificates. In order to introduce the attribute certificate, we first need to check the genuineness of the SSL digital certificate, i.e. whether the SSL digital certificate is genuine or fake.


Introduction
Secure Sockets Layer (SSL) is one of the most reputed methods for securing internet transactions all over the world through the World Wide Web (WWW). SSL was first introduced in 1994 by the Netscape company and was adopted very rapidly among web browsers such as Microsoft and Netscape [1]. Its main intention is to protect the confidentiality of online transactions. It also provides security for e-commerce.
SSL has now developed into the way of communicating various types of sensitive data, such as tax returns, bill payments, banking statements, and stock purchases, on the Internet. Through various forms of Internet spying or intrusion such as hacking, unauthorized people can steal privileged data, such as PIN numbers, credit card numbers and other personal data. The SSL protocol has progressed rapidly to dispatch data confidentially and securely over the Internet.
In the SSL protocol handshake process (Figure 1, Figure 2), the client and server exchange each other's certificates for individual attestation, which increases the safety of the connection established between them. There are still some limitations or security flaws, however. The SSL protocol does not provide an access control function: diverse users who connect to the same server use the same access rights (authorization), which is inadequate for real-time applications. The SSL protocol can also support only a peer-to-peer (one-to-one) SSL connection; we cannot acquire multiple certificates and a multilevel chain of trust relationship. To address these limitations, this paper introduces the Attribute Certificate to increase the trust between the client and server entities. It also improves the SSL handshake process.
A property of an object, such as role, security clearance, group, or access of identity, can be represented by an attribute. These attributes can be used for many real-time applications involving online transactions, authentication, access authorization, etc. An X.509 certificate provides the users with keys [5]. These certificates may be extended to provide attribute-based secure services. These extensions further add to the security services based on authentication, integrity and confidentiality.
Clients can validate servers by verifying their X.509 digital certificates, exchanged using SSL. The digital certificate is issued by a trusted certificate authority (CA). In the process of verification the client verifies whether the certificate is issued by a trusted CA [3]. If the server certificate is not issued by a trusted CA, the client can decline the connection to the server. SSL is used to enable secure HTTP between browsers and websites. It is also used for secure email transfer and secure exchange of chat messages. The key in the certificate exchanged using SSL is used for encrypting the data over the internet. SSL enables confidentiality, integrity, and availability for various transactions and activities over the internet.
In a man-in-the-middle (MITM) attack, the attacker sends a forged certificate to the client, acting as an impostor for the server. The client may exchange data with the attacker, believing it to be the actual server. MITM can be prevented by verification of the certificate by the client. The application for a website cannot detect the MITM attack for multiple sets of clients. Many clients do not use the certificate at all [2]. Those clients cannot attest the server certificate. Hence, the server cannot depend on attestation of the server certificate by an SSL client. It is also difficult for the server to distinguish between a normal client and a MITM attacker. In addition, there are latent SSL connections, and web applications use networking Application Programming Interfaces (APIs) such as WebSocket and XMLHttpRequest. These do not access the SSL handshake directly. Hence, they cannot authorize the SSL certificates.
A certificate is a document signed by a CA. It contains the keys for encryption. The CA is the trusted third party (TTP), who can be contacted to confirm the validity of a certificate. The CA signs the document with its private key, and the signature can be decrypted using the public key of the CA. For a well-known third party, everyone has the public key of that third party and can decrypt the signature, ensuring that the information present in the certificate is authentic and has not been altered. This establishes trust in the information present in the certificate document. The CA identifies the subject in the certificate in a proper manner, with a property and context for a certificate type. The subject is identified with an id or name, and the property attached is the public key.
Such a certificate may be extended to bind the identity to a set of attributes. Such an extended certificate is useful for access control in distributed systems and for the role of a user in a system [2]. The TTP which can extend such a certificate is named the Attribute Authority (AA). The AA issues an Attribute Certificate (AC) that binds the user to an identification and access rights. An entity which is responsible for access control of objects under its control can use the attribute certificate to verify the access rights. The entity can then allow the user with established identity to access objects as per the access control. With this, the need for an Access Control List (ACL) goes away. The advantage of the AC is that the identity of the user is established, and the entity in control of the object need not repeat verification of the subject's identity each time access to the object is required, as with an ACL or other methods.
The Attribute Certificates which we are introducing here provide a solution for authorization of services. ACs are designed to state (potentially short-lived) attributes about a given subject to provide flexible and scalable privilege management. An AC points to a public key certificate, which is used for authenticating the identity of the AC holder. Access control decisions are made by an authorization policy, and the authorization policy is in turn driven and verified by an AC. Privilege Management Infrastructure (PMI) authorizes access to objects after authentication has been completed [4]. The AC is used in PMI; PKI uses the general digital certificate. The difference between PKI and PMI is that the former binds an identified subject to a public key and the latter binds an identified subject to a set of attributes related to access management. An authorization mechanism is developed in this paper by use of AC, PMI, and PKI.

Proposed work
The attribute certificate (AC) is introduced in this paper to enhance the trust level between server and client for real-time applications that need identity authentication and access to the type of data the user is authorized to access, such as a category of information (classified, secret, top secret) or certain information in a database. The handshake process in the SSL protocol is changed by applying the AC. It improves the identity authentication function of SSL. In addition, it helps detect MITM [3] [8] attacks on top websites around the globe. Some minute changes or modifications are needed to increase or strengthen the security. The way cryptographic keys are expanded from the previously exchanged secret will be improved. The MAC construction is changed to HMAC. Implementations are further required to enhance support for Diffie-Hellman key agreement, the Digital Signature Standard, and Triple DES encryption.

Checking Attribute Certificate
The handshake process of the SSL protocol is analyzed in order to introduce additional functionality that adds the AC and verifies that the attributes of the communication match the AC. In the handshake process the server verifies the general certificate of the client and then uses two newly introduced functions, the first to load the AC and the second to verify it. Identity is verified at the server using the OID, and the verification returns the role of the user as an int value (role1=secret). A correct character type (role of client) is represented by a positive return value. The client will be able to access information as per its role type. The client will not be authorized to access information if the return value is zero. This is the contribution of the AC to improved trust between client and server.
In the process of client verification, the server asks the client for both the general certificate (PKC) and the attribute certificate for verification. The client shares the public key certificate and attribute certificate with the server. The server checks the certificate received from the client, extracts the primary attribute values in the attribute certificate and shares them with the AA for further verification. The AA verifies the authenticity of the attribute values present in the AC. Subsequently, the AA determines the job or role of the client as recorded in its database. The role data is shared with the server. The handshake process concludes with verification of both certificates. The server knows the role determined by the AA. The server guarantees the client access to the system as per its role. The client is able to communicate with the server and system as per its role in the attribute certificate. Figures 3 and 4 depict the usage of attribute certificates.

Figure 3. Attribute Certificate

Figure 4. Trusted Third Party relation for Digital certificate

After loading the AC, the authenticity of the AC must be verified. A few of the attributes to verify are the Public Key Certificate (PKC), the issuer of the public key, the user values, and the role attribute values as given in the Object Identifier (OID). For authentication, we have to verify the owner item present in the server. The attribute values are sent to the Attribute Authority (AA). The AA verifies the identity of the attributes and the result is sent to the server.
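
The server-side check described in this section can be modelled as follows; this is an added example, not code from the paper. It covers the decision logic only: the AC must point at the PKC presented in the handshake, be within its validity period, and carry a role that the AA confirms from its database, with a positive int returned for a confirmed role and zero otherwise. The class names, the integer role codes and the sample records are assumptions, and ASN.1 parsing and the AA's signature check are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROLE_OID = "2.5.4.72"  # id-at-role, the X.509 role attribute (RFC 5755)
ROLE_LEVELS = {"classified": 1, "secret": 2, "top secret": 3}  # assumed int codes

@dataclass(frozen=True)
class PKC:                 # client's public key certificate (identity only)
    issuer: str
    serial: int

@dataclass(frozen=True)
class AttributeCert:       # simplified AC; no key inside, only a pointer to the PKC
    holder_issuer: str
    holder_serial: int
    aa_name: str
    attributes: dict       # OID -> claimed value
    not_before: datetime
    not_after: datetime

class AttributeAuthority:
    """Hypothetical AA holding the authoritative role per PKC holder."""
    def __init__(self, name, records):
        self.name, self.records = name, records

    def confirm_role(self, ac):
        # Answer from the AA database; a claim that disagrees is rejected.
        recorded = self.records.get((ac.holder_issuer, ac.holder_serial))
        return recorded if recorded == ac.attributes.get(ROLE_OID) else None

def verify_ac(pkc, ac, aa, now):
    """Return a positive role level, or 0 when access must be refused."""
    if (ac.holder_issuer, ac.holder_serial) != (pkc.issuer, pkc.serial):
        return 0           # AC presented with a PKC it was not issued for
    if ac.aa_name != aa.name or not (ac.not_before <= now <= ac.not_after):
        return 0           # unknown issuer or outside the validity window
    return ROLE_LEVELS.get(aa.confirm_role(ac), 0)

# Constructed sample data (not from the paper)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
AA = AttributeAuthority("Example AA", {("Example CA", 1001): "secret"})
ALICE = PKC("Example CA", 1001)

def make_ac(serial=1001, role="secret", start=NOW - timedelta(hours=1), hours=8):
    return AttributeCert("Example CA", serial, "Example AA", {ROLE_OID: role},
                         start, start + timedelta(hours=hours))

if __name__ == "__main__":
    print(verify_ac(ALICE, make_ac(), AA, NOW))                   # valid AC
    print(verify_ac(ALICE, make_ac(role="top secret"), AA, NOW))  # inflated role
```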