How SSL works:
In this post, we are going to understand how SSL works. Understanding SSL can be difficult in the beginning but with a good explanation, we can easily understand a complex topic like SSL. This post is divided into several parts. The first part deals with why we need SSL.
Why do we need SSL:
We can easily state that there are two main reasons why SSL exists. The first reason is security and the second reason is identity. When we talk about encryption, it is usually about hiding information from people who are not supposed to see it. It also means ensuring that only the desired recipient is able to read the information. Thus, when there is communication between two computers, they can ensure that they are talking to the right computer only.
When we send confidential information across the internet without SSL, the information can be seen by another computer. The internet is made up of several computing devices, interconnected in such a way that they transfer data between them to establish communications. All these computing nodes are able to read all the information that is sent through them. When the transmitting node uses SSL, the information gets encrypted, so the other nodes in the network are able to see only the encrypted information.
When the data reaches the recipient, the data first gets decrypted and the information is extracted from the data.
Where do we use SSL:
SSL is important when we have to do operations such as login and authentication. For example, when we log in using a normal login page, the username and the password that we type are sent in plain text across the network until they reach the destination node. If someone were to physically tap into one of the nodes in the network, they could easily see the username and password and gain access to the account.
When we log in to a website that is using SSL, the username and password get encrypted and are transmitted from the browser to the destination server through several nodes. Even when someone physically taps into one of the nodes, they will see only encrypted data. Encrypted data is very hard to decrypt without the decryption key. When the data reaches the destination server, it gets decrypted using the right key there.
We can tell whether a site is secure by looking at the start of the link: it should be HTTPS. From this we know that the site is passing data only in the encrypted format.
How the encryption happens:
Once the user agrees to send information using the site that is using SSL, there are several things that happen. We will explain everything here.
There are several encryption standards. First, the server and the browser should agree on a single encryption standard. Secondly, the server sends a certificate and the key to encrypt the information. The computer starts the encryption process first, and the server starts the encryption process second. From this point onwards, the server and the computer are communicating using encryption.
Let us see all the steps in detail now.
In the first step, the server and the computer must agree on the encryption standard. That is the highest standard that the server and the browser are both able to follow. This is done with a starting message. The starting message is for saying hello to the server. The information in the hello message contains the key exchange method. The various key exchange methods include RSA, DSA and more. The second part contains the cipher, that is, the way of encrypting the data. The third part is the hash. It is to ensure that the information that is being sent is intact and all the necessary bits are there.
The first message from the browser to the server also contains other information. It contains the version of SSL. Then there is also the random number, which is later used to calculate the master keys. It will also contain a list of keys, ciphers and hashes. Once the server has received the message, it will select the key, cipher, and hash and send its selection back to the browser.
Beyond this point, it is the server that has to respond to the message. Now the server sends a certificate to the client. The certificate contains the information about who this server belongs to, the validity of the certificate, the serial number and more importantly the public key. Sending the public key completes the client key exchange and both the server and the browser are able to calculate the master key.
Once the master key is calculated, it is used to encrypt and decrypt information by the server and the browser at both ends of the communication.
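The negotiation and master key calculation described above can be sketched as follows. This is an added example, not code from the original post: it assumes TLS 1.2 conventions (suite names, and the master secret formula from RFC 5246), a server that picks by its own preference order, and constructed sample values for the random numbers and the pre-master secret.

```python
import hashlib
import hmac

def negotiate(client_suites, server_suites):
    """Server picks the first suite in its own preference order that the client offered."""
    for suite in server_suites:
        if suite in client_suites:
            return suite
    return None  # no common suite: the handshake fails

def split_suite(suite):
    """Split a TLS 1.2 suite name into its key exchange, cipher and hash parts."""
    kx, rest = suite[len("TLS_"):].split("_WITH_")
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac

def prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def master_secret(pre_master, client_random, server_random):
    """Both ends compute the same 48-byte master secret from the shared inputs."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

# Constructed sample hello message and server settings (not captured traffic).
CLIENT_HELLO = {
    "version": "TLS 1.2",
    "random": bytes(range(32)),
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_WITH_AES_128_CBC_SHA256"],
}
SERVER_SUITES = ["TLS_RSA_WITH_AES_256_CBC_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA256"]
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(range(46))  # constructed; a real client generates this randomly

if __name__ == "__main__":
    chosen = negotiate(CLIENT_HELLO["cipher_suites"], SERVER_SUITES)
    print("selected:", chosen, split_suite(chosen))
    ms = master_secret(PRE_MASTER, CLIENT_HELLO["random"], SERVER_RANDOM)
    print("master secret:", ms.hex())
```

Because both random numbers feed the derivation, a fresh random on either side yields a different master secret for every connection, even if the pre-master secret were reused.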
Other uses of SSL:
The other reason why SSL exists is identification. That is to ensure that the computer that we are speaking to is the one we can trust. The company asks the certificate authority for a certificate.
The company has to give the information about the web server, what the company is, where it is located and various other information. Only the certificate authority checks the correctness and the authenticity of the company and issues a certificate.
Now the certificate authority creates the certificate and signs it. The signature is created by condensing all the details of the company into a value using a complex algorithm. This signature is encrypted using a private key. Now that certificate is given back to the company to be installed into the server. Now the web server is configured to use the certificate.
Anyone with the public key is able to verify if the certificate is correct or not. A browser is shipped with lots of certificates from certificate authorities around the world. Each one of these certificates ships with its public key. When the browser receives a certificate from a server, it can verify if the signature at the bottom is correct or not.
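The signing and verification steps described above, as an added example that is not part of the original post. It assumes textbook RSA without padding and a constructed toy CA key of about 150 bits (real certificates use 2048-bit or larger keys with PKCS#1 or PSS padding and the X.509 format); the CA name, field names and dates are hypothetical.

```python
import hashlib
import json

# Constructed toy CA key built from two Mersenne primes; for illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent, never leaves the CA

def digest(fields, modulus):
    """Condense the certificate details into one number (SHA-256, reduced mod n)."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % modulus

def issue_certificate(fields, issuer):
    """CA side: sign the digest of the details with the private key."""
    body = dict(fields, issuer=issuer)
    return {"body": body, "signature": pow(digest(body, N), D, N)}

def verify_certificate(cert, trust_store, today):
    """Browser side: find the issuer's public key, then check signature and validity."""
    body = cert["body"]
    public_key = trust_store.get(body["issuer"])
    if public_key is None:
        return "unknown issuer"
    n, e = public_key
    if pow(cert["signature"], e, n) != digest(body, n):
        return "bad signature"
    if not body["not_before"] <= today <= body["not_after"]:
        return "outside validity period"
    return "ok"

# Constructed sample data: the browser's pre-installed CA public keys
# and a certificate issued to a hypothetical server.
TRUST_STORE = {"Example Root CA": (N, E)}
CERT = issue_certificate(
    {"subject": "www.example.com", "serial": 1001,
     "server_public_key": "placeholder",
     "not_before": "2024-01-01", "not_after": "2025-01-01"},
    issuer="Example Root CA",
)

if __name__ == "__main__":
    print(verify_certificate(CERT, TRUST_STORE, "2024-06-01"))
    forged = {"body": dict(CERT["body"], subject="www.example.net"),
              "signature": CERT["signature"]}
    print(verify_certificate(forged, TRUST_STORE, "2024-06-01"))
```

Changing any field after issuance changes the digest, so the signature copied from the genuine certificate no longer matches and the browser rejects it.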
In this post, we learned how SSL works. We learned how a public key and a private key are used to prevent anyone from getting the information that is being transmitted between the server and browser by physically tapping into the network. SSL is important for sending information, especially when the information is sensitive, such as login credentials.
An SSL certificate is issued by a Certificate Authority that oversees the proper verification of the organization that is offering SSL.
The last part of SSL comes with the browser. The browser being used already comes with pre-installed certificate keys that are used to verify the authenticity of the company.