Secure Sockets Layer, or SSL (pronounced as separate letters), is a protocol which is used to communicate over the Internet in a secure fashion. It was replaced by Transport Layer Security, or TLS, in 1999. Today, the term SSL is still widely used, although in practice SSL has been fully replaced by TLS.
So lets start to understand how TLS work.
The Main porpuse of TLS is to encrypt and secure our data.
There are 2 options to encrypt the data. using “symmetric encryption” or “asymmetric encryption”
Symmetric Encryption :
Symmetric encryption incorporates only one key for encryption as well as decryption.
Symmetric encryption is a simple technique and its working very fast.
Algorithms Employed : RC4, AES, DES, 3DES, QUAD
Asymmetric Encryption :
Asymmetric Encryption consists of two cryptographic keys. These keys are regarded as Public Key and Private Key.
Because of encryption and decryption by two separate keys and the process of comparing them make it a tad slow procedure.
Algorithms Employed: RSA, Diffie-Hellman, ECC, El Gamal, DSA
You understand what is asymmetric encryption and symmetric encryption. Let’s make sure you do…
Asymmetric encryption When I send information to a remote server I encrypt the information with his public key and he decrypt using his private key
Symmetric encryption – that we using only one password to encrypt and decrypt
I recommend to watch this video before continue with this POST.
You must have questions now like…
- Where do certificates come into the picture and why?
- Where does he get the public key?
- when the server sends me back encrypted data how do I decrypt it when I do not have the private key?
So let’s answer the first 2 questions…
- The Certificate is there to ensure us that we get the right public key and that the site that we create session with him is trusted.
The certificate is signed by the Issuing Certificate authority, and this it what guarantees the keys.
Now when someone wants your public keys, you send them the certificate, they verify the signature on the certificate, and if it verifies, then they can trust your keys.
To illustrate we will look at a typical web browser and web server connection using SSL. (https).
This connection is used on the Internet to send email in Gmail etc and when doing online banking,shopping etc.
- Browser connects to server Using SSL (https)
- Server Responds with Server Certificate containing the public key of the web server.
- Browser verifies the certificate by checking the signature of the CA. To do this the CA certificate needs to be in the browser’s trusted store
- Browser uses this Public Key to agree a session key with the server.
- Web Browser and server encrypt data over the connection using the session key.
To Understand Certificate and the Digital Signature i recommend to watch this video.
So, for now, we understand that public key is coming from the certificate and the certificate come from the server when we create TLS session with him.
So now let’s answer the 3 questions…
Let me tell you little secret TLS uses both asymmetric encryption and symmetric encryption.
Its called hybrid Encryption.
I will explain.!
First, let’s look at this.
In this section the client needs to create a symmetric key using these protocols RSA, Diffie-Hellman to create a session key.
the client then encrypts this symmetric session key using the servers public key and sends it to the server.
the server decrypts it using its private key ( which is only known to the server) and both the client and the server use this session key for the rest of the communication.