NetSecure Technologies has developed an innovative solution for endpoint-to-endpoint security that is fully compatible with existing SSL-enabled systems: Dynamic SSL. Dynamic SSL complements and enhances the existing SSL encryption standard, providing endpoint security without fundamentally changing the protocol or process. With Dynamic SSL, organizations can continue to receive information in the widely accepted SSL-encrypted format without requiring a synchronized change between the organization and the end user. The fundamental difference in implementing Dynamic SSL is that data is encrypted before it even enters the computer, eliminating the typical endpoint vulnerabilities and pre-encryption attacks at the personal computer.

What is Dynamic SSL?

Dynamic SSL consists of a simple software component installed on a personal computer or workstation, which interacts with the computer's existing SSL engine to eliminate endpoint vulnerabilities and provide comprehensive protection of sensitive information during an SSL transaction. Dynamic SSL can be implemented as a software-only solution, or enhanced with a Dynamic SSL-enabled secure hardware device such as a USB key, smart card, or mobile phone. Hardware-based implementations of Dynamic SSL provide an additional layer of security by offloading the SSL cryptography from the client machine to the secure hardware device, ensuring complete immunity against advanced cryptographic attacks such as keyjacking. Dynamic SSL is the most cost-effective way to deploy endpoint security: it requires absolutely no changes to existing server systems or infrastructure, and it works with your existing web infrastructure and SSL-enabled systems out of the box.
The Holy Grail of Endpoint Security: SSL Offloading Using Dynamic SSL-Enabled Hardware

The underlying principle of Dynamic SSL is that encryption of sensitive information cannot be performed in an untrusted environment, such as most personal computers, where the security of the encryption process could be compromised. Rather, encryption of sensitive information must be done outside the personal computer. In other words, when paired with a secure cryptographic hardware device such as a USB token or smart card, Dynamic SSL acts as an "SSL offloader". Instead of the SSL key negotiation taking place on the personal computer (which is vulnerable to keyjacking and memory-sniffing attacks), it occurs on the secure hardware device attached to the computer. Keys are stored securely within the hardware device, bypassing all endpoint vulnerabilities, and therefore cannot be intercepted or stolen. Secure cryptographic hardware that implements Dynamic SSL can guarantee complete security of a transaction. (Dynamic SSL also contains advanced man-in-the-middle protection to ensure the authenticity of the SSL session; this feature is discussed in the supporting document, "Using Dynamic SSL to Prevent Man in the Middle Attacks".) Using a combination of SSL offloading and variable-based encryption, neither the sensitive information nor the keys used to encrypt it ever exist on the user's personal computer. Complete immunity against virtually all client-side vulnerabilities can be achieved without requiring any changes to server systems or infrastructure.

How does it work?

In a typical SSL session, a data stream containing the end user's sensitive information is sent to the computer's SSL engine for encryption prior to transit across the Internet. Figure 2 shows how this approach is problematic.
Since the data exists in plaintext until the point of encryption, a malicious user can intercept this data stream before it reaches the SSL engine, harvest the sensitive information, and pass it on to the SSL engine virtually undetected. Neither the sender nor the receiver knows that the transaction has been compromised.

Figure 3 shows how Dynamic SSL avoids this problem by ensuring that sensitive information is never present in the data stream until the point of encryption. The Dynamic SSL engine inserts variables, rather than the unencrypted sensitive information, into the data stream at the locations where the remote server expects the sensitive information. Next, the Dynamic SSL engine securely redirects the data stream to a secure location where the sensitive information is stored (for example, a smart card, USB device, or mobile phone, or a software location such as a network server or protected storage area). Inside this secure location, the Dynamic SSL engine replaces the variables with the actual sensitive data (e.g. credit card numbers, usernames and passwords) and encrypts the data stream using the SSL session keys negotiated with the remote server. Finally, the encrypted data stream, containing the sensitive information in the format expected by the server, is passed to the remote server via the SSL protocol. It arrives in the standard SSL format and can be decrypted with the same SSL keys used to protect the web session (see Figure 4). Since the sensitive information was not present in the data stream until the point of encryption, any attempt to intercept the data stream and harvest the data would be useless: rather than obtaining the sensitive information, a malicious user would see only meaningless variables.

Figure 4: Dynamic SSL solves the endpoint vulnerabilities inherent in traditional SSL implementations, without requiring changes on the server end.
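To make the variable-substitution flow above concrete, here is an added simulation written for this page (not NetSecure's code; the product's actual wire format is not described here). It assumes a `${name}` variable syntax, a hypothetical vault inside the secure element, a constructed sample form, and uses an HMAC-based encrypt-then-MAC construction as a stand-in for TLS record protection rather than real SSL.

```python
import hashlib, hmac, os, re
from urllib.parse import parse_qs, quote

# Constructed sample form as the untrusted PC sees it: the sensitive fields carry
# ${name} variables (an assumed syntax) instead of the real values.
FORM_FIELDS = {"user": "alice", "password": "${password}", "card": "${card}", "amount": "42.00"}
# The real secrets exist only inside the secure element (hypothetical vault contents).
VAULT = {"password": "correct horse battery", "card": "4111111111111111"}
PLACEHOLDER = re.compile(r"\$\{([a-z_]+)\}")

def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def record_protect(session_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for TLS record protection (not real TLS): HMAC-SHA256 counter-mode keystream, then a MAC tag."""
    enc_key, mac_key = _derive(session_key, b"enc"), _derive(session_key, b"mac")
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def record_open(session_key: bytes, record: bytes) -> bytes:
    """Server side: verify the tag before decrypting, as any TLS stack would."""
    enc_key, mac_key = _derive(session_key, b"enc"), _derive(session_key, b"mac")
    nonce, ciphertext, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def untrusted_side_stream(fields: dict) -> str:
    """Runs on the PC: this is all a memory sniffer on the endpoint could capture."""
    return "&".join(f"{name}={value}" for name, value in fields.items())

def secure_element_fill_and_protect(stream: str, session_key: bytes) -> bytes:
    """Runs inside the secure device: swap variables for the real secrets, then encrypt."""
    filled = PLACEHOLDER.sub(lambda m: quote(VAULT[m.group(1)], safe=""), stream)
    return record_protect(session_key, filled.encode())

def server_receive(record: bytes, session_key: bytes) -> dict:
    """Unmodified server: decrypts with the negotiated key and parses an ordinary form."""
    return {k: v[0] for k, v in parse_qs(record_open(session_key, record).decode()).items()}

def run_transaction(session_key: bytes = b"\x11" * 32) -> tuple:
    """Returns what the PC could observe and what the server actually received."""
    stream = untrusted_side_stream(FORM_FIELDS)
    return stream, server_receive(secure_element_fill_and_protect(stream, session_key), session_key)
```

The first element of `run_transaction()` contains only `${password}` and `${card}`, while the server-side dictionary holds the real values, which is the property the text claims for the data stream on the endpoint.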