Wednesday, February 22, 2012

SSL - How it works

Idiot's Guide to How SSL Works

There are three elements to SSL:
  • Asymmetric cryptography (public-key)
  • Symmetric cryptography
  • Digital certificates

Asymmetric cryptography involves a public and private key pair. The server keeps the private key secret, and passes the corresponding public key to any client that wants to communicate securely. Anything encrypted by the public key can only be decrypted by the private key, and vice versa.

Symmetric cryptography involves a shared key that can both encrypt and decrypt information.

A digital certificate, signed by a Certificate Authority that the browser trusts, ties the server's public key to a particular domain, so the browser can verify it is talking to the real holder of that key and not an impostor.

Here is a very simplified, cut-down sequence of events that sets up an SSL session between a browser and a web server:

  1. The browser makes a request to initiate an SSL connection.
  2. The web server responds with its digital certificate, which includes the public key of its public/private key pair.
  3. The browser validates the certificate, then generates a symmetric key, encrypts it using the server's public key and sends it back to the web server.
  4. The web server decrypts this symmetric key using its private key, and all subsequent communication is encrypted using this symmetric key, which is known only to the browser and the web server.

Q: The SSL initiation involves the public key being passed from the web server to the browser in the clear. So why can't a packet sniffer pick this up and pretend to be the browser?

A: The browser generates the symmetric key, and encrypts it using the public key. As only the corresponding private key on the web server can decrypt this, a sniffer that has picked up the public key can't get hold of the symmetric key.
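The four handshake steps above and the answer to the question, carried through in Go against the standard library, as an added example that is not part of the original post. Everything in it is constructed for the illustration: a throwaway root CA called "Toy Root CA", a server certificate for the made-up host shop.example, and the function names (SetupPKI, BrowserKeyExchange, ServerUnwrap, NewChannel, SnifferAttempt) are assumptions of this example, not anything from the post. Step 3 is the certificate check plus RSA-OAEP encryption of a fresh AES key, step 4 is the private-key decryption, NewChannel is the symmetric channel both ends then share, and SnifferAttempt shows what an eavesdropper holding only the public key and the wrapped session key gets: a decryption error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key and parses the result; parent == tmpl
// gives a self-signed certificate. A failure here is a setup bug, so panic.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SetupPKI builds a constructed toy root CA and a server certificate for host signed by it. It
// returns the browser's trust store, the server's (public) certificate and its private key.
func SetupPKI(host string) (*x509.CertPool, *x509.Certificate, *rsa.PrivateKey) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // rand.Reader does not fail
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, issue(srvTmpl, caCert, &srvKey.PublicKey, caKey), srvKey
}

// BrowserKeyExchange is step 3: check that the certificate chains to a trusted CA and names
// the host we meant to reach, then generate a random session key and encrypt it under the
// certificate's public key (RSA-OAEP). Returns the key the browser keeps and the wrapped copy.
func BrowserKeyExchange(roots *x509.CertPool, cert *x509.Certificate, host string) (key, wrapped []byte, err error) {
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return nil, nil, fmt.Errorf("certificate rejected: %w", err)
	}
	pub := cert.PublicKey.(*rsa.PublicKey) // the toy CA only issues RSA certificates
	key = make([]byte, 32)                 // AES-256 session key
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return key, wrapped, err
}

// ServerUnwrap is step 4: only the holder of the private key recovers the session key.
func ServerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// NewChannel is the "subsequent communication": both ends build the same
// AES-GCM cipher from the session key and Seal/Open their traffic with it.
func NewChannel(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SnifferAttempt models the closing question: an eavesdropper holds the public
// key and the wrapped session key. Without the server's private key all it can
// try is a key pair of its own, and OAEP decryption then fails outright.
func SnifferAttempt(wrapped []byte) error {
	ownKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ownKey, wrapped, nil)
	return err
}

func main() {
	roots, cert, priv := SetupPKI("shop.example")
	key, wrapped, err := BrowserKeyExchange(roots, cert, "shop.example")
	got, err2 := ServerUnwrap(priv, wrapped)
	fmt.Println("server holds the same session key:", err == nil && err2 == nil && string(key) == string(got))
	fmt.Println("sniffer decrypting with its own key pair:", SnifferAttempt(wrapped))
	_, _, err = BrowserKeyExchange(roots, cert, "other.example")
	fmt.Println("same certificate offered for other.example:", err)
}
```

Running it prints true for the key check, an RSA decryption error for the sniffer, and a hostname error when the same certificate is offered for other.example, which is the validation in step 3 doing its job. Two caveats worth keeping in mind next to this simplified picture: real SSL/TLS sends a pre-master secret and derives the session keys from it rather than shipping the AES key itself, and modern TLS replaces this RSA key transport with ephemeral Diffie-Hellman, so that a later compromise of the server's private key cannot be used to decrypt recorded traffic.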