Wednesday, September 25, 2013



I. What is an SSL Certificate?

The Secure Sockets Layer (SSL) protocol was created by Netscape to secure traffic between web servers and browsers; its standardized successor is TLS, but the name SSL has stuck. The protocol relies on a trusted third party, a Certificate Authority (CA), to vouch for the identity of one end of the connection (normally the server) or of both ends. The SSL certificate the server presents carries the owner's (subject's) details such as organization, location and e-mail address, the subject's public key and the algorithm it uses, the validity period, the name of the issuing CA, and the CA's digital signature over all of it. The thumbprint that browsers display is not stored in the certificate; it is a hash computed over the whole certificate, which makes it handy for comparing two copies.

II. How does SSL work?


Step-1,2,3: Before the browser sends any SSL data, a plain TCP three-way handshake (SYN, SYN-ACK, ACK) sets up the connection: sequence numbers, window and segment sizes, and the source and destination ports. Only after this does the SSL handshake begin with the Client Hello.

Step-4: The browser requests a secure page (https://). Its Client Hello lists the cipher suites it supports (each one names a key exchange method, a bulk encryption algorithm and a hashing/MAC algorithm) together with a random value. The client only offers; the server, in the next step, picks the suite that will actually be used.

Step-5: The web server picks one cipher suite from the offered list and sends its Server Hello together with its SSL certificate, which contains the server's public key.
Note: The server always has a key pair (Private Key + Public Key). It never shares the private key with the outside world; only the public key is handed out, and the certificate is how that happens. The useful property is that anything encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key.

Step-6: The client acknowledges receipt of the server's messages (a TCP acknowledgment; nothing is encrypted yet).

Step-7: Before sending anything sensitive, the browser checks the certificate the server sent: that it was issued (digitally signed) by a CA the browser trusts, either directly or through a chain that ends at a trusted root CA; that the current date falls inside its validity period; and that the name in the certificate matches the site the user asked for. Browsers may also check whether the issuing CA has revoked the certificate (via a CRL or OCSP). If any of these checks fails the browser warns the user or refuses to continue, because a certificate that passes them is the only thing tying the public key to the site.
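The checks in step 7, as an added example in Go using the standard crypto/x509 package (this is not code from the original post). It builds its own tiny PKI in memory: a root CA, a server certificate for the made-up host www.example.test, an expired certificate for the same host, and one issued by a "Rogue CA" that the browser does not trust, then runs the browser-side verification against each. The hostnames and CA names are constructed for the example and nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign makes a fresh P-256 key for tmpl and has parent sign it; a nil parent means self-signed (a root CA).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a root CA certificate valid for a day around now.
func caTemplate(name string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// serverTemplate describes a web server certificate; browsers match the site name against DNSNames (the SAN extension).
func serverTemplate(dnsName string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyServerCert is the step-7 check: trusted root, valid at now, usable for server auth, and issued for host.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.HostnameError:
		return "hostname mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	}
	return "rejected: " + err.Error()
}

// runChecks verifies one good certificate and three that a browser must reject.
func runChecks() (map[string]string, error) {
	now, site := time.Now(), "www.example.test" // constructed name, not a real site
	ca, caKey, e1 := sign(caTemplate("Trusted Root CA", now), nil, nil)
	rogueCA, rogueKey, e2 := sign(caTemplate("Rogue CA", now), nil, nil) // not in the trust store
	good, _, e3 := sign(serverTemplate(site, now.Add(-time.Hour), now.Add(time.Hour)), ca, caKey)
	expired, _, e4 := sign(serverTemplate(site, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, caKey)
	rogue, _, e5 := sign(serverTemplate(site, now.Add(-time.Hour), now.Add(time.Hour)), rogueCA, rogueKey)
	for _, e := range []error{e1, e2, e3, e4, e5} {
		if e != nil {
			return nil, e
		}
	}
	roots := x509.NewCertPool() // the browser's trust store holds only the real root
	roots.AddCert(ca)
	return map[string]string{
		"valid":        verifyServerCert(good, roots, site, now),
		"wrong host":   verifyServerCert(good, roots, "login.example.test", now),
		"expired":      verifyServerCert(expired, roots, site, now),
		"untrusted CA": verifyServerCert(rogue, roots, site, now),
	}, nil
}

func main() {
	fmt.Println(runChecks())
}
```

runChecks returns a verdict per scenario: the good certificate passes, the same certificate presented for login.example.test fails the name check, the expired one fails the validity check, and the one signed by the rogue CA fails because no chain reaches a root in the trust store. Revocation (CRL/OCSP) is deliberately left out; Go's Verify does not do it and a real browser adds it on top of these three checks.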

Step-8,9: The browser generates a random key called the Session Key (a Symmetric Key). It encrypts that symmetric key with the public key it received in the server's certificate and sends it to the server. It also encrypts the request (the URL and the rest of the HTTP data) with the symmetric key and sends that along. Note what is encrypted with what: the public key protects only the short symmetric key, never the URL or page data, and nothing is encrypted twice. Public-key encryption is slow and can only handle a short message, so it is used once to deliver the symmetric key, and the symmetric key does all the real work.

Step-10: The web server decrypts the encrypted symmetric key using its PRIVATE Key. Nobody else can do this, because nobody else has the private key; this is why protecting the server's private key is what protects the whole session.

Step-11: The web server now holds the same symmetric key as the browser and uses it to decrypt the URL and the HTTP data.

Step-12: The web server sends back the requested HTML document and any other HTTP data, encrypted with the symmetric key.

Step-13: The browser decrypts the HTTP data and the HTML document with the symmetric key and displays the page.

From here on both sides hold the symmetric key (session key) and can send and receive information securely by encrypting it with that key. One caveat about this RSA-style key exchange: anyone who records the traffic and later obtains the server's private key can decrypt the session key and, with it, every recorded session. Cipher suites that use ephemeral Diffie-Hellman (DHE/ECDHE) for the key exchange avoid this (forward secrecy); the server's private key is then used only to sign the handshake, never to decrypt anything.
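Steps 8 to 13 as an added example in Go (not code from the original post, and a deliberate simplification of the real handshake: no Hello or Finished messages, and the random value is used directly as the session key rather than run through the SSL key schedule). The server's public key wraps a random 256-bit session key with RSA-OAEP, and the request and response are encrypted with AES-GCM under that session key, so only the holder of the private key can ever learn it. The HTTP request and response strings, and the host name in them, are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGCM turns a 16, 24 or 32-byte session key into an AES-GCM authenticated cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one message under the session key; output is nonce||ciphertext||tag.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; a truncated or modified record is rejected.
func openRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// clientKeyExchange is steps 8-9: a random session key wrapped with the server's public key (RSA-OAEP); the request is encrypted with the session key only.
func clientKeyExchange(serverPub *rsa.PublicKey, request []byte) (sessionKey, wrappedKey, encRequest []byte, err error) {
	sessionKey = make([]byte, 32) // 256-bit AES session key
	if _, err = rand.Read(sessionKey); err != nil {
		return
	}
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil); err != nil {
		return
	}
	encRequest, err = sealRecord(sessionKey, request)
	return
}

// serverHandle is steps 10-12: unwrap the session key (only the private key holder can), decrypt the request, encrypt the response with the same key.
func serverHandle(priv *rsa.PrivateKey, wrappedKey, encRequest, response []byte) (plainRequest, encResponse []byte, err error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("unwrap session key: %w", err)
	}
	if plainRequest, err = openRecord(sessionKey, encRequest); err != nil {
		return nil, nil, err
	}
	encResponse, err = sealRecord(sessionKey, response)
	return
}

// exchange runs one request/response through the flow and reports whether a different private key can unwrap the session key (it cannot).
func exchange(request, response string) (gotRequest, gotResponse string, wrongKeyUnwraps bool, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // the server's key pair from step 5
	if err != nil {
		return
	}
	sessionKey, wrapped, encReq, err := clientKeyExchange(&serverKey.PublicKey, []byte(request))
	if err != nil {
		return
	}
	plainReq, encResp, err := serverHandle(serverKey, wrapped, encReq, []byte(response))
	if err != nil {
		return
	}
	plainResp, err := openRecord(sessionKey, encResp) // step 13, browser side
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // an eavesdropper's own key pair
	if err != nil {
		return
	}
	_, unwrapErr := rsa.DecryptOAEP(sha256.New(), rand.Reader, otherKey, wrapped, nil)
	return string(plainReq), string(plainResp), unwrapErr == nil, nil
}
func main() {
	fmt.Println(exchange("GET /account HTTP/1.1\r\nHost: www.example.test\r\n\r\n", "HTTP/1.1 200 OK\r\n\r\n<p>balance</p>"))
}
```

exchange returns what the server decrypted, what the browser decrypted, and whether a freshly generated, unrelated private key could unwrap the session key from the wire (it reports false). AES-GCM also gives the integrity half of "secure": flip one bit of a record or truncate it and openRecord returns an error instead of plaintext, which is the behaviour you want when an attacker on the path tampers with traffic.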
