The Fundamentals of Key Cryptography
SSL, and its successor TLS, rely on asymmetric cryptography to prove the server's identity and to agree on a key for the session. The server's SSL certificate is built around a pair of keys:
The public key is used to encrypt (scramble) information, and it is available to anyone.
The private key is used to decrypt (unscramble) that information and restore it to its original, readable form. The private key belongs exclusively to its owner (the owner of the SSL certificate) and must never leave the server.
Asymmetric, or public key, cryptography underlies how SSL works. The basic idea is best illustrated with an imaginary box with a lock. The box holds precious things, and a key is used to lock and protect them. A normal box takes one key to open it. The asymmetric box needs two separate keys, and its lock has three positions, A, B and C: the middle position B is open, while A and C are both locked.
SSL isn't only a priority for e-commerce site owners. These days, internet users are savvy enough to look for the lock when visiting a website. "https" at the beginning of a website address indicates that the connection to the site is encrypted and that the server's identity has been verified; it does not, by itself, say anything about whether the site's content can be trusted. Applying SSL is a simple way to win user trust and quell privacy concerns when data is submitted online.
The first key can only turn the lock clockwise (from A towards C); the second can only turn it anticlockwise (from C towards A). The first key is known as the private key, the second as the public key. One person, Kevin, keeps the private key and makes hundreds of copies of the second, public key. Everyone else can have the public key: Kevin hands copies out to friends or, if someone asks for his business card, leaves a spare at the office.
Why go to the fuss of an extra key? Well, these keys can do something interesting. Perhaps you want to send Kevin a personal document or some confidential files. You put them in the box and use a copy of his public key to lock it. Since Kevin's public key only turns anticlockwise, you turn the lock from B to A. The only key that can turn it back from A to B, unlocking the box, is Kevin's private key, the one he kept for himself.
That sums up public key cryptography: anyone with a copy of Kevin's public key (which could be everyone, since he has been giving copies away to pretty much anyone) can put documents into his box, lock it, and know that only Kevin can unlock it and read the private information. The lock also works the other way round. If Kevin turns it from B to C with his private key, anyone with a public key can turn it back from C to B, and the fact that it opens proves that Kevin, and nobody else, locked it. That is a digital signature, and it is how a Certification Authority vouches for a certificate later on this page.
In the computer world, this whole process takes place online. There is no need for special boxes: the keys are just very long numbers. You keep your number (the private key) in a safe place, and your public key, another long number, can go anywhere you like, such as your website or your email signature.
The SSL Handshake
SSL uses a key pair to establish the connection: a public key that is known to everyone and a private key known only to the server. The handshake between browser and server (the SSL handshake) uses this key pair to verify the server's identity and to agree on a fresh session key that only the two of them know; the pages and form data that follow are then encrypted with that symmetric session key, because asymmetric encryption is far too slow for bulk traffic. The handshake is a multi-step process:
The browser attempts to connect to a server (the target website) that is secured with an SSL certificate, and asks the server to identify itself.
The server responds by identifying itself with a copy of its SSL certificate, which carries the server's public key, and sends it back to your browser.
The browser then decides whether it trusts the certificate and whether it is safe to open the page. It checks the certificate against the list of Certification Authorities built into the browser or operating system (and may ask the issuing CA whether the certificate has been revoked) to verify that the server is who it claims to be.
If the browser decides to trust the certificate, and the name in the certificate matches the website you expect to be visiting, it generates a random secret, encrypts it with the server's public key and sends it to the server. (The browser does not send a public key of its own; in modern TLS the two sides exchange Diffie-Hellman values instead of an encrypted secret, but the purpose is the same.)
The server decrypts the secret with its private key, which only it holds. Both sides now derive the same session key from that secret, and the server sends back a message protected with it.
Once the browser checks that message successfully, the user's browser and the website's server have established a secure connection, and everything that follows is encrypted with the session key.
During the certificate-check step, the browser retrieves the site's SSL certificate. To make sure it is safe to open the page, it checks that the following are true:
The certificate is still valid (every SSL certificate has a start date and an expiration date).
The certificate has been issued, that is digitally signed, by a Certification Authority the browser trusts, either directly or through a chain of intermediate certificates.
The certificate is being used by the website for which it was issued: the hostname in the address bar must match one of the names listed in the certificate.
If any of these three checks fails, the browser automatically displays a warning to the user. The warning makes sure the end user knows that the site's identity could not be verified and that the connection should not be trusted. These warning messages are embarrassing for website owners and, in the case of e-commerce websites, result in immediate suspicion from online consumers. When the online community lacks confidence in a website or organisation, it risks losing business from the majority of consumers.
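As an added illustration of both the two-key box described earlier and the handshake and certificate checks just described (example code written for this page, not the page's own material nor any browser's implementation), the following Python program builds a toy RSA key pair, locks and unlocks values with it, has a made-up "Example CA" sign a certificate for the constructed hostname shop.example, and runs a simplified RSA key-exchange handshake that performs the three browser checks first. All names, the fixed "current time" and the certificate and message formats are constructed for the example, and the RSA here is textbook (no padding, small keys), so it shows the mechanism only; real TLS uses a vetted library.

```python
"""Toy RSA and an SSL/TLS-style handshake: textbook RSA, no padding, illustrative only, never secure."""
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1     # odd and full length
        if is_probable_prime(p):
            return p

def generate_keypair(bits=512):
    """Public (n, e) goes on the business card; private (n, d) stays with its owner. Both are just numbers."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))   # modular inverse: Python 3.8+

def encrypt(m, public):          # lock the box with the public key (B -> A)
    n, e = public
    return pow(m, e, n)          # requires 0 <= m < n
def decrypt(c, private):         # only the private key turns it back (A -> B)
    n, d = private
    return pow(c, d, n)
def sign(data, private):         # lock the other way (B -> C): a digital signature
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)
def verify(data, sig, public):   # anyone with the public key can open it (C -> B)
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def cert_tbs(cert):              # the part of a certificate that the CA's signature covers
    return repr((cert["hostname"], cert["public"], cert["issuer"], cert["not_after"])).encode()
def issue_certificate(hostname, subject_public, issuer, ca_private, not_after):
    cert = {"hostname": hostname, "public": subject_public, "issuer": issuer, "not_after": not_after}
    cert["signature"] = sign(cert_tbs(cert), ca_private)
    return cert

def check_certificate(cert, expected_host, trust_store, now):
    """The browser's checks: still valid, issued (signed) by a trusted CA, used for the right hostname."""
    if now > cert["not_after"]:
        return "expired"
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None or not verify(cert_tbs(cert), cert["signature"], ca_public):
        return "not issued by a trusted CA"        # unknown issuer, edited after issue, or forged
    if cert["hostname"] != expected_host:
        return "hostname mismatch"
    return "ok"

def handshake(cert, server_private, expected_host, trust_store, now):
    verdict = check_certificate(cert, expected_host, trust_store, now)
    if verdict != "ok":
        raise ValueError("browser warning: " + verdict)
    pre_master = secrets.token_bytes(32)                                  # browser's fresh secret
    locked = encrypt(int.from_bytes(pre_master, "big"), cert["public"])   # sent to the server
    unlocked = decrypt(locked, server_private).to_bytes(32, "big")        # only the server can open it
    client_key, server_key = (hashlib.sha256(b"session key" + s).digest() for s in (pre_master, unlocked))
    finished = hmac.new(server_key, b"finished", "sha256").digest()      # server proves it has the key
    if not hmac.compare_digest(finished, hmac.new(client_key, b"finished", "sha256").digest()):
        raise ValueError("handshake failed: session keys differ")
    return client_key                              # symmetric key for the rest of the session

def demo():
    """Constructed scenario: one CA, one server certificate, and the browser's failure cases."""
    ca_public, ca_private = generate_keypair()
    server_public, server_private = generate_keypair()
    trust_store = {"Example CA": ca_public}        # the browser's built-in list of trusted CAs
    now = 1_700_000_000                            # constructed "current time" (Unix seconds)
    cert = issue_certificate("shop.example", server_public, "Example CA", ca_private, now + 365 * 86400)
    forged = dict(cert, hostname="evil.example")   # attacker edits the name but cannot re-sign it
    return {
        "good": check_certificate(cert, "shop.example", trust_store, now),
        "wrong host": check_certificate(cert, "evil.example", trust_store, now),
        "expired": check_certificate(cert, "shop.example", trust_store, now + 400 * 86400),
        "tampered": check_certificate(forged, "evil.example", trust_store, now),
        "session key bytes": len(handshake(cert, server_private, "shop.example", trust_store, now)),
    }
```

Calling demo() returns a verdict for each case: the genuine certificate passes ("ok"), the same certificate presented for evil.example fails the hostname check, a clock moved past its expiry fails the validity check, and an edited copy fails because the CA's signature no longer matches, which is what stops an attacker from simply changing the name in a certificate. The handshake itself returns the 32-byte session key that both sides derived independently; the asymmetric keys are used only to agree on it, never to encrypt the page data.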
The complexities and workings of the SSL protocol remain invisible to website visitors. Visitors look for indicators in their browser to tell them they are protected by an SSL-encrypted session. When a certificate carrying a trusted digital signature is used during an SSL connection, users see indicators such as a padlock icon in the left-hand corner of the address bar. Clicking the padlock displays the SSL certificate and all of its details. Extended Validation (EV) certificates, for which the CA verifies the legal identity of the organisation, used to turn the address bar green; mainstream browsers dropped that distinct indicator in 2019, so an EV certificate now shows the same padlock, with the organisation's name visible only in the certificate details.