SSL is one method of securely authenticating and protecting data
by encrypting it in such a way that in can only be
unencrypted by the intended recipient. This is accomplished by a method known
as public-key encryption (PKE).
The principal behind this is that each
party possesses a pair of digital 'keys,' (numeric values used to encrypt and decrypt
data) a public key and a private key. The public key is
freely available to anyone who wishes to communicate, while the private key
is kept, well, private.
Information
encrypted with the public key can only be successfully decoded by the matching private
key. The idea is that if you wish to create a secure connection between two
computers, each would grab the other's public key and use that to encrypt the
data that is sent between them. They would then use their individual
private keys to decipher the data that had been encrypted with their
freely available public key.
The disadvantage of public-key encryption is that
encrypting and decrypting data in this way is rather slow, not a
good thing for commercial communications. SSL therefore uses a hybrid method with
elements of symmetrical encryption.
Symmetrical encryption uses a single key shared by
both parties to secure the data. While faster than Public key encryption, it has
some disadvantages. For one thing, the key to be used must be known to both
parties before the connection is established in order to encrypt data, and if it
is broken, the whole transfer is compromised. In contrast, with public key
encryption, nothing is needed to form a connection besides the other computer's
freely available public key.
Digital certificates
SSL uses public key encryption to form
the initial secure connection, then uses faster symmetrical key encryption to transfer
the majority of the data. Only one side of the connection
(the 'merchant' or server side) needs to possess a public/private key
pair.
The public key is transferred to
any clients who request it by means of a digital certificate, a method of
validation which both confirms the identity of the server and passes the
public key over to allow the encryption process to begin. When a
company wishes to secure a portion of its website with SSL,
it must obtain one of these certificates from a valid certificate
authority.
Now technically, anyone can generate a valid
certificate with freely available software, but since SSL is often used commercially,
a method is needed to put customer's minds at ease and verify
that the merchant web sites using SSL are using proper and
secure key values, and that they are who they say they
are.
This is
where third-party certificate authorities such as Verisign come in. For a certain amount of money,
a company can obtain a valid digital certificate from Verisign, complete with
a public/private key pair. This certificate can then be distributed to
clients when they attempt to access secured sections of the company's
site.
Verisign guarantees the authenticity of the certificate, and the
Client's web browser can check this automatically when it downloads the
certificate.
RSS Newsletter
