A beginner’s guide to understanding the SSL handshake.
SSL stands for Secure Sockets Layer, and it refers to a protocol for encrypting and securing communications that take place on the Internet. It provides a way for enterprises to encrypt data before sending it to users, preventing third parties from reading it while it’s in transit. It was first developed by Netscape in 1995.
“SSL protocol uses asymmetric cryptography to exchange session keys and symmetric cryptography to transfer the actual data securely.”
Asymmetric Cryptography (used in SSL handshake)
Asymmetric cryptography (also known as Asymmetric Encryption or Public Key Cryptography) uses a mathematically related key pair to encrypt and decrypt data. In a key pair, one key is shared with anyone interested in communication. This is called Public Key. The other key in the key pair is kept confidential and is called Private Key. Most commonly used asymmetric key encryption algorithms include ElGamal, Rivest–Shamir–Adleman (RSA), DSA, Elliptic curve techniques, and Public Key Cryptography Standards (PKCS).
Data encrypted with the public key can only be decrypted with the private key and vice versa.
SSL uses asymmetric cryptography to initiate communication, which is known as an SSL handshake.
SSL Handshake (uses asymmetric cryptography)
SSL communication sessions begin with an SSL handshake. An SSL handshake uses something called asymmetric encryption, meaning that two different keys are used on the two ends of the conversation. This is possible because of a technique called public-key cryptography.
Public Key Cryptography
In public-key cryptography, two keys are used: a public key, which the server makes available publicly (via a digital certificate), and a private key, which is kept secret and only used on the server-side.
The two interested parties share an encrypted random string of bytes called the “pre-master secret” depicted in the center of the below image. How the pre-master secret is generated/agreed upon depends on the cipher suite chosen.
Creation of session keys
Both the client and the server generate session keys using the client random, server random, and the premaster secret, using the selected cipher suite, and arrive at the same results.
Symmetric Cryptography
SSL uses symmetric cryptography using the session key after the initial handshake is done. The most widely used symmetric algorithms are Advanced Encryption Standard (AES-128, AES-192, and AES-256).
Now that the SSL handshake is complete, both the client and server are all set to transfer the actual data. The client and the server now use the shared session key generated earlier (which is only known to them) to encrypt and decrypt the actual data before transmitting it. This is done using the same session key at both ends and so, it is asymmetric cryptography.
The actual SSL data transfer uses symmetric cryptography because it is easy and takes less CPU consumption (implies reduced computation cost and faster) compared to asymmetric cryptography.
Once session keys are in use, public and private keys are not used anymore.
Session keys are temporary keys that are not used again once the session is terminated. A new, random set of session keys will be created for the next session.
While so far we’ve discussed how the confidentiality of the data is retained during transmission, let’s look into another key aspect of security known as Integrity.
Integrity Check
SSL also ensures that data has not been altered, since a message authentication code (MAC) is included with transmissions.
Digital Certificates
The SSL certificate (also known as a digital certificate) plays an important role in securing communication between two systems.
The client verifies and authenticates the digital certificate of the server before a secure link is established. If the server is not able to provide a proper digital certificate, the SSL connection is terminated. SSL
Certificates issued by Certificate Authority (CA) contain the owner’s public key and other details. The certificate is usually stored in the .cer format.
A digital certificate could be self-signed or issued via a Certificate Authority.
Technically, one can create an SSL certificate, and such certificates are called self-signed certificates. However, the client does not consider self-signed certificates to be as trustworthy as the SSL certificates issued by a certificate authority. Certification Authorities use a variety of authentication methods to verify information provided by organizations.
X.509 is a standard that defines the format of the digital certificate. SSL uses the X.509 format. In other words, SSL certificates are X.509 certificates.
Extremely difficult! Not impossible!
The logic behind asymmetric encryption rests on a one-way function, a function that is easy to solve in one direction, but difficult to solve in the other. Take mixing colors as an example. It is easy to mix light blue and dark red to make violet, but hard to transform violet into the exact two original colors.
Unraveling these colors in simple terms would mean wild calculations. Quantum computing aims to solve complex problems the world’s most powerful supercomputers cannot solve and could bring a revolution in the field of cryptography.
