How Does SSL Work? What is TLS security? Digital certificates, Asymmetric Encryption, SSL vs TLS Explained
To understand how does SSL work, we first need to understand what Digital Certificates are
Digital Certificate toils 3 objectives
- Authentication: Confirms that the server who is serving the file is the one it claims to be
- No-Repudiation: The sender can’t deny they sent a message which they sent (because no one else has the certificate they have)
- Integrity: Ensures message were not altered
Two keys are generated by the party
- Public key: used for encryption
- Private key: used for decryption
Identical keys are generated and passed using asymmetric encryption. Both keys can do both encryption and decryption.
Digital certificates (called SSL certificate in case of the web use case) are created from CA’s private key and all major browsers have public keys from all major CA
CA has a procedure for issuing a digital certificate for domains most commonly you will have to prove control over the server
Like when your employer gives you an ID card it needs to confirm it is you who is getting the ID card otherwise someone else can imposterise you
How Does SSL Work
Part 1: handshake
Step 1: When a browser requests for a page. The server generates asymmetric keys, it sends its public key along with its digital certificate and keeps the private key.
Step 2: Browser validates the certificate, from the already installed public key given by CA (digital signatures are created by CA’s private key). If validation succeeds a green padlock appears in the address bar
Problem: Two way encryption is not possible with asymmetric keys. Following steps overcome this problem
Step 3: Browser generates two symmetric keys and sends one of them to the verified server but that symmetric key is not sent as a plain text, it is encrypted by the asymmetric public key which was provided by the server along with the SSL certificate
Part 2: secure communication
Step 4: The server decrypts the sent encrypted message with its asymmetric private key and obtains the symmetric key.
From now on all messages will ride encrypted but SSL (secure socket layer) is not full proof. It was replaced by TLS (transport layer security) which is actually just a rename of SSL v3.1
SSL vs TLS
Commonly TLS is referred to as SSL
Practically SSL certificate is different from a TLS certificate and TLS protocol is different from an SSL protocol. SSL certificate won’t work on TLS protocol and TLS certificate won’t work on SSL protocol but Industry uses them interchangeably
SSL is 25 years old if you are reading this in 2020
If you are not https you are running on technology less secure than 1995 tech
Loosely speaking (writing) the core concept behind TLS and SSL are mostly similar but TLS comes with huge security improvements.
If generating a free certificate interest you, there you go