When an application deals with personal data, security is the first priority. SSL is a secure protocol that, much like HTTP, can receive and transfer data over the Internet. If you are a webmaster or someone just interested in learning about SSL certificates, this blog post should be perfect for you.
What is SSL?
SSL stands for Secure Sockets Layer and was originally developed by Netscape. In SSL the communication between the user and the server is encrypted/decrypted so that no one can read your personal data. HTTPS is nothing but the HTTP protocol working together with SSL, i.e. SSL takes care of making sure that the data travels securely over the Internet.
HTTPS = HTTP + SSL
SSL behaves as a digital passport which verifies the credentials of both the client and the end web server. When both identities are verified, SSL grants a secured connection through HTTPS. This process is performed using certificates.
HOW SSL WORKS:
Let us take an example to understand what happens between the browser and the server when we use HTTPS.
When the user clicks a link or types a URL into the browser and presses Enter, the first thing the browser does is open a connection on port 443. After the connection is successful, the process called the ‘SSL handshake’ starts.
>>> SSL HANDSHAKE:
For this handshake:
Step 1. First the browser sends a message called “CLIENT HELLO” to the server. This message contains information like:
>> The highest SSL version that the browser supports.
>> The compression methods that the browser supports.
>> The ciphers that it can use for encryption.
>> It also generates some random data that will later be used when generating the symmetric key for the session.
Step 2. Then the server responds with what is called a “SERVER HELLO” message, which includes:
>> The SSL version that will be used for the session. The server decides this based on the maximum version that the client supports, which it learned from the “Client Hello” message.
>> The cipher method that will be used.
>> The compression method.
>> A SessionID for the SSL session.
>> Some random data. This data will also be used in key generation.
Step 3. After the “SERVER HELLO” message, the server sends its digital certificate to the browser, which is digitally signed by a signing authority. The SSL certificate includes:
>> The owner’s name.
>> The certificate’s serial number, used for identification.
>> The certificate’s expiration date.
>> The certificate’s public key, used to encrypt information.
>> The certificate’s private key, used to decrypt (usually coming from a web server).
The certificate serves two purposes:
>> First, it contains the public key of the server, so that the browser can use this key to encrypt the data it sends to the server.
The server can optionally send the chain of certificates, including the certificate of the authority that issued the server certificate.
>> The second purpose the certificate serves is that it identifies the server from which the web pages are coming.
Step 4. Then the server sends the “SERVER HELLO DONE” message.
Step 5. The browser responds by sending a “CERTIFICATE VERIFY” message, telling the server that it has verified the server certificate.
Step 6. Then the browser sends the “CHANGE CIPHER SPEC” command to the server, telling it that from now on the data the browser sends over this session will be encrypted.
Step 7. After that the browser sends the “FINISHED” message, which also contains a digest of all the messages exchanged between the browser and the server so far.
This is done so that the server can validate that none of the messages sent earlier were tampered with in transit.
Step 8. The server then responds with a similar “CHANGE CIPHER SPEC” command, telling the browser that data sent from now on during the session will be encrypted.
Step 9. Then the server sends the “FINISHED” message with the digest of all the messages exchanged between the browser and the server so far, so that the browser can also verify that none of the messages sent earlier were tampered with.
At this point the SSL handshake is said to be complete.
>>> The browser can then generate a “SYMMETRIC SECRET KEY” just for this SSL session, encrypt it with the public key of the server and send it to the server, so this key can only be decrypted by the server. It remains known only to the browser and the server.
Now all the data exchanged over this SSL connection will be encrypted/decrypted using this symmetric key.
If validation fails at any step, the connection fails and the browser shows an error.
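As an added illustration that is not part of the original post, the Python below builds and parses a CLIENT HELLO record carrying the fields listed in step 1 (version, random, session ID, cipher suites, compression methods) and then performs the server's choice from step 2. The cipher-suite table, the TLS 1.2 floor (`min_version`) and the server preference list are assumptions chosen for the example; the point for a defender is that the server, not the client, decides the version and suite, and refuses anything below its floor.

```python
import os
import struct

CIPHER_SUITES = {  # constructed lookup: a few real IANA cipher-suite codes
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(version, suites, compressions=(0,), random=None, session_id=b""):
    """Step 1: serialise a minimal CLIENT HELLO inside a TLS handshake record."""
    random = random or os.urandom(32)  # 32 bytes of client random, later used for key derivation
    body = struct.pack("!H", version) + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compressions)]) + bytes(compressions)
    handshake = bytes([1]) + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return bytes([22]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record type 22


def parse_client_hello(record):
    """Parse the fields the post lists: version, random, session ID, cipher suites, compression."""
    ctype, _legacy_version, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, = struct.unpack("!H", body[:2])
    random, sid_len = body[2:34], body[34]
    pos = 35 + sid_len
    session_id = body[35:pos]
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compressions = list(body[pos + 1:pos + 1 + body[pos]])
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": suites, "compressions": compressions}


def choose_server_params(hello, min_version=0x0303, preferred=(0xC030, 0xC02F)):
    """Step 2: the server picks the version and suite, refusing obsolete or unknown offers."""
    version = min(hello["version"], 0x0303)  # cap at the highest version this server speaks
    if version < min_version:
        raise ValueError("client offers at most " + VERSIONS.get(version, hex(version)))
    for suite in preferred:  # server preference order wins, not the client's
        if suite in hello["cipher_suites"]:
            return {"version": version, "cipher_suite": suite, "name": CIPHER_SUITES[suite],
                    "compression": 0, "session_id": os.urandom(32)}
    raise ValueError("no mutually supported cipher suite")
```

Feeding a captured ClientHello record into `parse_client_hello` shows exactly which versions and suites a client advertises, which is also what a server log of rejected handshakes should record.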
In my next post I am going to write about HOW TO CREATE SELF-SIGNED DIGITAL CERTIFICATES and about one-way SSL and two-way SSL.