The Fundamentals of Key Cryptography
SSL works based on asymmetric (public key) cryptography. The server behind an SSL certificate holds a key
pair, two mathematically related keys that are used to set up each session (the bulk of the traffic is then
protected by symmetric session keys that both sides agree on during the handshake):
The public key is used to encrypt (scramble) the information. The public key is available to anyone.
The private key is used to decrypt (unscramble) the information and restore it to its original format
so that it can be read. The private key belongs exclusively to its owner (the SSL Certificate’s
Asymmetric, or public key, cryptography underlies how SSL works. Its basic workings are best illustrated
with an imaginary box with a lock. The box holds precious things inside and a key is used to lock and
protect them. A normal box takes one key to open it. The asymmetric box needs two separate keys.
The lock has three positions, A, B and C, and the box is open only in the middle position, B. The first
key can only turn the lock clockwise (A to C); the second key can only turn it anticlockwise (C to A).
The first key is known as the private key, the second is the public key. One person, Kevin, keeps the
private key and makes hundreds of copies of the second, public key. Everyone else has the public key;
Kevin can hand them out to friends, or if someone asks for his business card, leave a spare at the
Why go to the fuss of an extra key? Well, these keys can do some interesting things. Perhaps you want
to send Kevin a personal document or some confidential files. You can put them in the box and use a
copy of his public key to lock it. Since Kevin’s public key only turns anticlockwise, you turn the lock
from B to position A to lock the box. The only key that can turn it from A back to B, and so unlock
the box, is Kevin’s private key, the one he kept for himself.
That sums up public key cryptography: anyone with a copy of Kevin’s public key (which could be everyone,
since he has been giving them away to pretty much anyone, remember) can put documents into his box, lock
it, and know that only Kevin can unlock it and access the private information.
In the computer world, this whole process takes place online. There is no need for special boxes and the
keys are just very long numbers. You keep your number (the private key) in a safe place, and your public
key, which is also a long number, can go anywhere you like, your website or email signature for example.
SSL isn’t only a priority for e-commerce site owners. These days, internet users are savvy enough to look
for the lock when visiting a website. HTTPS at the beginning of a web address indicates that the connection
to the site is encrypted and that the site has proved its identity with a certificate; it says nothing about
the honesty of whoever runs the site, but users rightly treat it as the minimum. Applying SSL is a simple
way to win user trust and quell privacy concerns whenever data is submitted online.
The SSL Handshake
SSL uses a key pair to encrypt data: a public key that is known to everyone and a private key known only
to the recipient of the message. The same key pair is what establishes trust between the two parties: the
certificate ties the public key to the server’s identity, and the key pair lets browser and server agree on
session keys in a digital handshake (the SSL handshake). The handshake is a multi-step process that includes
the following:
1. A browser attempts to connect to a server (the target website) that is secured with an SSL certificate.
2. The browser asks the web server to identify itself.
3. The server responds by identifying itself with a copy of its SSL certificate, which carries the server’s
public key, and sends it back to your browser.
4. The client (your browser) then decides whether it trusts the SSL certificate and whether it is safe to open
the page. It examines the certificate’s details to verify that the server is who it says it is, and checks
that the certificate was issued by a Certification Authority in its own trust store. Once it receives this
information, the browser contacts reputable sources to ensure the information
5. If the client decides to trust the certificate, it verifies that the certificate was issued for the website
you expect to be visiting. It then generates a fresh secret (the pre-master secret), encrypts it with the
server’s public key, and sends it to the server.
6. The server decrypts the secret with its private key, which only it holds. Both sides now derive the same
symmetric session keys from that shared secret.
7. Once both sides confirm they hold the same keys, the user/browser and the website/server have established
a secure connection, and the rest of the session is encrypted with the symmetric session keys.
This is the classic RSA key exchange; newer TLS versions agree the secret with Diffie-Hellman instead, but
the trust decision in step 4 is the same.
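The box analogy and the handshake steps above, worked through in code. This is an added example and not
code from the original page: it implements textbook RSA with a 512-bit modulus in pure Python (no padding
and far too small for real use, which is why it is labelled a toy) so that both directions of the lock can
be seen (lock with the public key and only the private key opens it; lock with the private key and anyone
holding the public key can check it), and then runs a simulated RSA key exchange in which the client first
checks that the server’s "certificate" (a dictionary standing in for X.509) is signed by a CA in its trust
store and only then encrypts a fresh pre-master secret to the server’s public key. The certificate layout,
the single-hash key derivation and the name www.example.com are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding, 512-bit modulus): enough to show the two-direction lock
# and the RSA key exchange, far too weak and too bare to protect real traffic.
SMALL_PRIMES = [p for p in range(3, 200, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in [2] + SMALL_PRIMES:            # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):             # the two keys of the asymmetric box: (n, e) and (n, d)
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(public, m):                     # lock the box with the public key
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):                    # only the private key turns the lock back to open
    n, d = private
    return pow(c, d, n)

def sign(private, data):                    # the other direction: lock with the private key
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public, data, signature):        # anyone with the public key can check a signature
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(ca_private, subject, subject_public):   # stand-in for an X.509 certificate
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public": subject_public, "signature": sign(ca_private, body)}

def certificate_is_trusted(cert, hostname, trust_store):      # step 4 of the handshake
    body = f"{cert['subject']}|{cert['public'][0]}|{cert['public'][1]}".encode()
    return cert["subject"] == hostname and any(verify(ca, body, cert["signature"]) for ca in trust_store)

def derive_session_key(pre_master):
    # Assumption: one SHA-256 call stands in for the TLS key-derivation function.
    return hashlib.sha256(b"session key|" + pre_master.to_bytes(32, "big")).hexdigest()

def handshake(hostname, cert, server_private, trust_store):   # RSA key exchange, steps 4 to 6
    if not certificate_is_trusted(cert, hostname, trust_store):
        raise ValueError("certificate not trusted for " + hostname)
    pre_master = secrets.randbits(256)                                # client: fresh secret
    client_key_exchange = encrypt(cert["public"], pre_master)         # the message on the wire
    server_pre_master = decrypt(server_private, client_key_exchange)  # server: only its key opens it
    return derive_session_key(pre_master), derive_session_key(server_pre_master)

def demo():
    ca_public, ca_private = generate_keypair()
    server_public, server_private = generate_keypair()
    _, rogue_private = generate_keypair()           # a CA the client has never heard of
    cert = issue_certificate(ca_private, "www.example.com", server_public)
    rogue_cert = issue_certificate(rogue_private, "www.example.com", server_public)
    secret = 0x5ECB0DE
    client_key, server_key = handshake("www.example.com", cert, server_private, {ca_public})
    return {
        "box_roundtrip": decrypt(server_private, encrypt(server_public, secret)) == secret,
        "wrong_key_fails": decrypt(rogue_private, encrypt(server_public, secret)) != secret,
        "signature_checks": verify(server_public, b"hello", sign(server_private, b"hello")),
        "session_keys_match": client_key == server_key,
        "rogue_rejected": not certificate_is_trusted(rogue_cert, "www.example.com", {ca_public}),
    }
```

Running demo() returns five booleans that should all be True: the box opens only with the matching private
key, a signature made with the private key verifies under the public key, both sides of the handshake end up
with the same session key, and a certificate signed by a CA outside the trust store is refused before any
secret is sent. Real deployments add padding (OAEP for encryption, PSS for signatures), much larger keys and
a proper key-derivation function; the mechanics shown here are what those layers sit on.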
During step 4, the browser examines the SSL certificate it has just received from the site. To make sure it
is safe to open the page it checks that all of the following are true:
The certificate is still valid (every SSL certificate has a validity period with an expiration date; a
certificate that is not yet valid is refused too).
The certificate has been issued by a Certification Authority the browser trusts, that is, it is signed by, or
chains up to, a CA in the browser’s trust store.
The certificate is being used by the website for which it has been issued: the name the user typed matches one
of the names in the certificate.
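The three checks just listed, as an added example that is not code from the original page. It runs them over
a constructed certificate laid out the way Python’s ssl module reports a peer certificate (the dictionary
shape returned by getpeercert), using the stdlib ssl.cert_time_to_seconds to parse the certificate dates.
Two simplifications are assumptions for the sake of length: the browser’s trust store is modelled as a set
of CA names and "issued by a trusted CA" is approximated by an issuer-name lookup, whereas a real client
verifies the CA’s signature over the certificate and the whole chain above it, and it also consults
revocation information, which this example does not do. Hostname matching follows the RFC 6125 wildcard
rules. All names and dates are made up.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(): issuer and subject
# are tuples of RDNs, each RDN a tuple of (attribute, value) pairs. Names and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),),
               (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Mar 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 00:00:00 2025 GMT",
}

# Assumption: the browser's trust store is modelled as the set of CA common names it accepts.
# A real client verifies the CA's signature over the certificate (and the chain above it);
# matching the issuer name alone is not a trust check and is used here only to keep the example short.
TRUST_STORE = {"Example Root CA"}


def parse_cert_time(cert_time):
    """Certificate dates come as 'Mon DD HH:MM:SS YYYY GMT'; convert to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def dns_name_matches(pattern, hostname):
    """Compare one DNS name from the certificate with the name the user typed (RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must be the whole left-most label, matches exactly one label, and may not
    # sit directly under a top-level domain ("*.com" is never accepted).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None, trust_store=TRUST_STORE):
    """Run the three browser checks; return a list of failures (an empty list means the page may open)."""
    now = time.time() if now is None else now
    failures = []
    # 1. Validity period: both bounds matter, not only the expiry date.
    not_before, not_after = parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])
    if not not_before <= now <= not_after:
        failures.append(f"validity period {cert['notBefore']} to {cert['notAfter']} does not cover now")
    # 2. Issued by a CA the browser trusts (name lookup only; see the assumption above).
    issuer = {attr: value for rdn in cert["issuer"] for attr, value in rdn}.get("commonName")
    if issuer not in trust_store:
        failures.append(f"issuer {issuer!r} is not in the trust store")
    # 3. Issued for this site: modern clients use subjectAltName, not the subject commonName.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in names):
        failures.append(f"hostname {hostname!r} matches none of {names}")
    return failures


if __name__ == "__main__":
    when = parse_cert_time("Jun 15 12:00:00 2024 GMT")   # a moment inside the validity period
    for host in ("www.example.com", "api.example.com", "deep.api.example.com", "evil.example"):
        print(host, check_certificate(SAMPLE_CERT, host, now=when) or "OK")
```

Any non-empty list is the point at which a browser shows its warning page. Note that *.example.com covers
api.example.com but neither example.com itself nor deep.api.example.com: a wildcard stands for exactly one
label, which is why a certificate for a site with several subdomain levels usually lists each name
explicitly in subjectAltName.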
If any of these three checks fails, the browser automatically displays a warning to the visitor. The warning
makes sure the end user knows that the connection to the site is not properly secured by SSL. These warning
messages are embarrassing for website owners and, in the case of e-commerce websites, such messages result in
immediate suspicion from online consumers. When the online community lacks confidence in a website or
organization, that organization risks losing the business of the majority of consumers.
The complexities and workings of the SSL protocol remain invisible to website visitors. Visitors look for
indicators in their browser to let them know they are protected by an SSL encrypted session. When a trusted
SSL certificate is used for an SSL connection, users see indicators such as a padlock icon (in the address
bar in current browsers; older browsers showed it in the lower right-hand corner of the status bar). Clicking
on the lock icon displays the SSL Certificate and all its details. When an Extended Validation (EV)
certificate is installed, the address bar will turn