SSL (Secure Sockets Layer) is a standard security technology that establishes an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and secure. SSL is an industry standard and is used by millions of websites in applications like web banking and shopping carts to protect online transactions.
Understanding SSL helps keep user data secure and private. Here is an in-depth look at how SSL works.
Understanding SSL
SSL is a security technology that creates an encrypted link between a web server and a browser. This link ensures that all data passed between the server and browsers remain private and secure.
SSL stands for Secure Sockets Layer. It is also sometimes referred to as TLS or Transport Layer Security.
How Does SSL Work?
The SSL process begins when a browser tries to connect to a web server that supports SSL. The browser and server perform an SSL handshake. This handshake establishes the encrypted link between the browser and server:
- The browser requests that the server identify itself. The server sends a copy of its SSL certificate to the browser.
- The browser checks the certificate root and issuer. If valid, the browser creates a session key for the encrypted link.
- The browser encrypts the session key and sends it to the server.
- The server decrypts the session key. Both systems now have a shared session key for encrypting and decrypting data.
The SSL/TLS Handshake Process
The SSL or TLS handshake is the process that initializes an encrypted session between a browser and server. It enables both systems to securely exchange keys and establish trust.
Here are the steps of the SSL/TLS handshake process:
- Client sends a “ClientHello” message: This message contains information about the client, including supported SSL versions, cipher suites, and other settings. The client also sends a random number that will be used later in the process.
- Server responds with a “ServerHello” message: This message confirms the SSL version and cipher suite to be used. The server also sends its own random number.
- Server sends its certificate: The server sends its SSL certificate, which contains its public key as well as its identity, such as domain name, company name, etc.
- Client verifies the certificate: The client verifies that the certificate is valid and trusted. This involves checking that it was issued by a trusted certificate authority, that the domain name matches the URL, and that the current date is within its validity period.
- Client sends a “ClientKeyExchange” message: The client generates a random symmetric encryption key called the “pre-master secret” and encrypts it with the server’s public key. This encrypted pre-master secret is sent to the server.
- Client and server generate session keys: Both the client and server use the pre-master secret to generate the same symmetric session keys, which will be used to encrypt and decrypt information securely.
- Client sends a “ChangeCipherSpec” message: This indicates that future messages will be encrypted using the session key.
- Client and server exchange “Finished” messages: This final handshake message verifies that the key exchange and authentication processes were successful.
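The key-agreement part of the handshake above (the two Hello randoms, the RSA-encrypted pre-master secret, and both sides deriving the same session keys), as an added Go example that is not part of the original article: it runs both sides in one process, uses the TLS 1.2 PRF from RFC 5246 and the key-block layout of TLS_RSA_WITH_AES_128_GCM_SHA256 from RFC 5288, and the server key pair, the randoms and the function names are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// prf is the TLS 1.2 PRF (RFC 5246 section 5): P_SHA256 with A(0)=seed, A(i)=HMAC(secret, A(i-1)).
func prf(secret []byte, label string, seed []byte, n int) []byte {
	seed = append([]byte(label), seed...)
	mac := func(a, b []byte) []byte { // HMAC-SHA256(secret, a || b)
		h := hmac.New(sha256.New, secret)
		h.Write(a)
		h.Write(b)
		return h.Sum(nil)
	}
	a, out := seed, []byte{}
	for len(out) < n {
		a = mac(a, nil)                    // A(i)
		out = append(out, mac(a, seed)...) // HMAC(secret, A(i) || seed)
	}
	return out[:n]
}
// SessionKeys holds the per-direction AES-128-GCM keys and 4-byte implicit nonces cut from the key block.
type SessionKeys struct{ ClientKey, ServerKey, ClientIV, ServerIV []byte }
// deriveKeys: pre-master secret + Hello randoms -> 48-byte master secret -> key block (no MAC keys in GCM suites).
func deriveKeys(preMaster, clientRandom, serverRandom []byte) SessionKeys {
	master := prf(preMaster, "master secret", append(append([]byte{}, clientRandom...), serverRandom...), 48)
	// Key expansion seeds with the randoms in the opposite order (RFC 5246 section 6.3).
	kb := prf(master, "key expansion", append(append([]byte{}, serverRandom...), clientRandom...), 40)
	return SessionKeys{kb[0:16], kb[16:32], kb[32:36], kb[36:40]}
}
// simulateHandshake plays steps 1, 2, 5 and 6 in one process and returns each side's copy of the keys.
func simulateHandshake() (client, server SessionKeys, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair standing in for the server's certificate key
	if err != nil {
		return
	}
	buf := make([]byte, 32+32+48) // client random, server random, pre-master secret
	rand.Read(buf)
	clientRandom, serverRandom, preMaster := buf[:32], buf[32:64], buf[64:]
	preMaster[0], preMaster[1] = 3, 3 // the pre-master secret starts with the client's TLS version (1.2)
	enc, err := rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, preMaster) // ClientKeyExchange (PKCS#1 v1.5)
	if err != nil {
		return
	}
	dec, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, enc) // only the private key holder can recover it
	return deriveKeys(preMaster, clientRandom, serverRandom), deriveKeys(dec, clientRandom, serverRandom), err
}
```

Both SessionKeys values come out identical even though the pre-master secret crossed the wire only in encrypted form. Note that this RSA key transport exists in TLS 1.2 and earlier; TLS 1.3 removed it in favour of ephemeral Diffie-Hellman, so the flow above matches the article's description of the classic handshake.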
Encryption
SSL uses both asymmetric and symmetric encryption to securely transfer information:
- Asymmetric encryption: Uses public-key cryptography with a public/private key pair. The public key encrypts data while only the corresponding private key can decrypt it. This is used during the initial SSL handshake to establish a shared secret.
- Symmetric encryption: Uses a single shared key to encrypt and decrypt data. After the asymmetric encryption in the handshake, the client and server agree on a symmetric session key. Bulk data transfer then uses this faster symmetric encryption.