What is SSL and How does it Work?

In this tutorial, we are going to see What is SSL and How does it Work?

SSL (Secure Sockets Layers) is a process for securing transactions over the Internet. The SSL standard was developed by Netscape, in collaboration with Mastercard, Bank of America, MCI, and Silicon Graphics. It is based on a public key cryptography process to guarantee the security of data transmission on the Internet. Its main idea is to establish a secure (encrypted) communication channel between two machines (a client and a server) after an authentication step.

The SSL system is independent of the protocol used, which means that it can secure transactions made on the Web using the HTTP protocol as well as connections via the FTP, POP, or IMAP protocol. In fact, SSL acts as an additional layer to ensure data security, located between the application layer and the transport layer (TCP protocol for example).
 

 
In this way, SSL is transparent to the user (which means that the user can not be aware that he is using SSL). For example, a user using a web browser to connect to an e-commerce site secured by SSL will send encrypted data without any manipulation required on his part.

Almost all browsers now support the SSL protocol. For example, Netscape Navigator displays a locked padlock to indicate a connection to an SSL-secured site and an open padlock otherwise, while Microsoft Internet Explorer displays a padlock only when connecting to an SSL-secured site.

SSL-secured web servers have a URL starting with https://, where the “s” obviously stands for secured.
 

 
 

How does SSL Work?

 

 
^{Image source: https://commons.wikimedia.org/wiki/File:1258X489_How-SSL-Certificates-Work.jpg}
 
The security of transactions by SSL 2.0 is based on an exchange of keys between client and server. The transaction secured by SSL is done according to the following model:

1. First, the client connects to the SSL-secured website and asks it to authenticate itself. The client also sends the list of cryptosystems it supports, sorted in descending order by key length.
2. The server receives the request and sends a certificate to the client, containing the server’s public key, signed by a certificate authority (CA), and the name of the highest cryptosystem in the list with which it is compatible (the length of the encryption key – 40 bits or 128 bits – will be one of the common cryptosystems with the largest key size).
3. The client checks the validity of the certificate, then creates a random secret key, encrypts this key using the server’s public key, and sends the result (the session key) to the server.
4. The server is able to decrypt the session key with its private key. Thus, both entities are in possession of a common key of which they are the only ones to know. The rest of the transactions can be done using session keys, guaranteeing the integrity and confidentiality of the data exchanged.

 
Computer Security MCQs – Multiple Choice Questions and Answers – Part 1Multiple choice questions and answers (MCQs) on Computer Security to prepare for exams, tests, and certifications. These questions are taken from a real written exam…Read More