If we want to transfer sensitive data over the unsecured Internet, we need to encrypt it. Many of us might have heard the terms SSL and TLS. What is SSL, actually? How does it work? Let’s understand that in detail.
What is SSL?
SSL, or Secure Sockets Layer, is a standard security technology for establishing a secure connection between a server and a client, for example a web server and a browser, or a mail server and a mail client (e.g., Outlook). Users routinely share sensitive information such as credit card numbers and social security numbers over the Internet. Without encryption, data between a web server and a client travels in plaintext, and an attacker who can intercept the connection can read or steal it. To prevent that, we use SSL so that data is transmitted between the server and its clients in encrypted form.
How does SSL work?
Usually, all browsers have the capability of connecting with a secured web server using the SSL protocol. The web server and the client need an SSL certificate to establish a secure connection.
An SSL certificate contains a public key, which is used to establish a secure connection between a server and a client. The corresponding private key is kept secret on the server. To obtain an SSL certificate for a server, one requests it from a Certificate Authority (CA) and then installs it on the server.
After installing that, when a browser wants to communicate with the web server, it establishes a secure connection using a process called SSL Handshake.
Three keys are involved at this point: the server's public and private key pair, and a session key. Encrypting and decrypting all the data exchanged between the server and the client with public-key encryption would take a lot of processing power, and it would not provide Perfect Forward Secrecy either (What is Perfect Forward Secrecy?). So a symmetric session key is used to encrypt the actual sensitive data.
So, to summarize, here is how a secure connection gets established between a server and a client using SSL:
- The web browser asks the web server for a copy of the SSL certificate containing the web server's public key.
- The server sends a copy of its SSL certificate to the client. This SSL Certificate contains the server’s public key.
- The client then verifies the authenticity of the certificate against its list of trusted CAs.
- After the authenticity of the SSL certificate is verified, the client and the server negotiate a symmetric key using some secure key exchange algorithm, like the Diffie-Hellman Key Exchange algorithm (What is the Diffie-Hellman Key Exchange algorithm and how does it work?).
- Secure communication starts. All data transferred between the server and the client is now encrypted with the symmetric session key.
So, this is how SSL works. You can get more information on SSL and TLS here: