The Fundamentals of Key Cryptography
SSL works based on asymmetric cryptography. Each SSL session consists of two keys:
The public key is used to encrypt (scramble) the information and it’s available for anyone.
The private key is used to decrypt (unscramble) the information and restore it to its original format
so that it can be read. The private key belongs exclusively to its owner (the owner of the SSL).
Asymmetric or public key cryptography underlines how SSL cryptography works. This basic works of this are
best illustrated with an imaginary box with a lock. The box holds precious things inside and a key is used
to lock and protect them. A normal box takes one key to open it. The asymmetric box has two separate keys
required to use the box.
SSL isn’t only a priority for e-commerce site owners. These days, internet users are savvy enough to look for
the lock when visiting a website. HTTPs at the beginning of a website addresses indicates that a site is
secure and safe to use. Applying SSL is a simple way to win user trust and quell any privacy concerns when
data is offered online.
The first can only turn the lock clockwise (a-c), the second lock can only turn anticlockwise (from c-a). The
first lock is known as the private key, the second is the public key. One person, Kevin, keeps the private
key and makes hundred of copies of the second, public key. Everyone else has the public key; Kevin can hand
them out to friends, or if someone asks for their business card, leave a spare at the office.
Why go to the fuss of an extra key? Well, these keys can do something interesting things. Perhaps you want to
send Kevin a personal document or some confidential files for example. You can put them in the box and use a
copy of his public key to lock it. Since Kevin’s public key will only turn clockwise, you turn it to
position A to lock the box. The only key to turn from A to B, to unlock the box is Kevin’s private key, the
one he kept for himself.
That sums up public key cryptography, anyone with a copy of Kevin’s public key (which could be everyone since
he’s been giving them away to pretty much anyone, remember) can put documents into his box, lock it and know
that only Kevin can unlock it and access the private information.
In the computer world, this whole process takes place online. There is no need for special boxes and the keys
are just very long numbers. You can keep your number (private key) in a safe place, and your public-key
which is also a long number can go anywhere you like, your website or email signature for example
The SSL Handshake
SSL uses a key pair to encrypt data − A public key that’s known to everyone and a private key known only to
the recipient of the message. The mechanism that establishes the trust between each party does so with the
help of a cryptographic key. This key enables a digital handshake between browser and server (the SSL
handshake). Encryption-decryption takes place as a multi-step process that includes the following steps:
A browser attempts to connect to a server (the target website) that is secured with an SSL
certificate. The website first asks the web server to identify itself.
The website responds by identifying itself with a copy of the SSL certificate, sending it’s public
key back to your browser.
The client (your browser) then decides if it trusts the SSL certificate and if it’s safe to open the
page. It asks for the SSL information to verify that the server is who it says it is. Once it
receives this information, the browser contacts reputable sources to ensure the information is
If the client decides to trust the certificate, it verifies the information you will be presented
with is from the website you expect to be going to. It then sends its public key to the server.
The server then creates the encrypted message using the client’s public key and the server’s private
key, and sends the message back to the browser.
Once the client’s browser decrypts the message, the user/browser and the website/server have
established a secure connection.
During step 4, the browser connects to and retrieves a secure site's SSL Certificate. To make sure it’s safe
to open the page it will check the follow is true:
The certificate is still valid (all SSL certificates have an expiration date)
The certificate has been issued by a Certification Authority the browser trusts
The certificate is being used by the website for which it has been issued.
If it doesn’t pass on any of these three checks, the browser will automatically display a warning to the
website browser. The warning will make sure the end user knows that the site is not secured by SSL. These
warning messages are embarrassing for website owners and, in the case of e-commerce websites, such messages
result in immediate suspicion from online consumers. When the online community lack confidence in a website
or organization, they risk losing business from the majority of consumers.
The complexities and workings of the SSL protocol remain invisible to website browsers.
Website visitors look for indicators in their browser to let them know they are protected by an SSL
encrypted session. When a trusted SSL digital signature is used during a SSL connection, users will see
indicators such as a padlock icon in the left-hand corner of their address bar. Clicking on the lock icon
displays the SSL Certificate and all details about it. When an extra secure certificate known as Extended
Validation (EV) is installed, the address bar will turn green.