How SSL Certificates work

A so called SSL Certificate is used to verify the security of a website. With such a certificate the communication between a client and a webserver can be secured by encrypting the communication so that no one outside of the connection can read the data which is transferred between them. This is used to make sure no one can read sensitive data like credit card information passwords or anything else. A SSL Certificate must be validated by an authorized web security company to verify its security.

Create Certificate

To use SSL you need to purchase a certificate from an authorized web security company. First you need to create a Certificate Signing Request (CSR) on your server. During this process, you will create a public and a private key. After you created the .csr file, you need to send it to a CA, a Certificate Authority. The CA will create and send back another file, which contains the public key.

Attention: The CA will never receive your created private key!

The new file you received is the one you need to install on your webserver. Installing the certificate differs based on the webserver you’re hosting.

Connection with a Secured Website

Usually when you connect to a website, which uses a valid and trusted SSL Certificate, your browser will display that with either a lock or a green bar on the search bar.
If a browser tries to access a website, which uses SSL, the browser and the server do a SSL Handshake.

SSL Handshake

The SSL Handshake is a process with 5 steps:

  1. The browser requests the server to identify itself
  2. The server sends back its SSL certificate
  3. The browser checks, if the CA, which created the certificate, is trusted
  4. The browser creates, encrypts and sends back a symmetric (explained below) session key using
    the public key of the certificate
  5. The server decrypts the session key using its private key and sends back an acknowledgement
    to start the encrypted session

Now the browser and the server encrypt all data transferred between them.

Such a certificate encrypts either with a symmetric or an asymmetric encryption. The major difference between these types is, that symmetric encryption uses the same key to encrypt and decrypt data and the asymmetric encryption uses two different keys.

Symmetric Encryption

As mentioned before, in the symmetric encryption the certificate uses the same key to encrypt and decrypt data. Let’s have a look at a very trivial example. Assuming we have the word Hello and as key we take the number 5. Now let’s specify our personal encryption. We take the numeric index of each character and add our key to it. For example, H is the 8th letter in the alphabet. Now we add our key (5) to 8 which results in 13. L is the 13th character of the alphabet, so H becomes L with our key.

Now let’s encrypt our word:

Original character index in the alphabet add our key (5) encrypted character
H 8 13 L
E 5 10 J
L 13 18 R
L 13 18 R
O 15 20 T

As you can read in our table, our word Hello becomes Ljrrt, which can’t be read and used properly. This is the word which would be sent. To decrypt our message, we reverse our encrypt algorithm, which means that we take again the numeric index of each letter and deduct our key to our given index.

Let’s decrypt our word.

encrypted character index in the alphabet deduct our key (5) Original character
L 13 8 H
J 10 5 E
R 18 13 L
R 18 13 L
T 20 18 O

As you can see, our encrypted word Ljrrt became Hello again.

Asymmetric Encryption

Asymmetric encryption is a little more complicated. It uses, two different keys. A so called public and a private key. The public key is (obviously) public and everyone can use this key to encrypt data. The encrypted data can only be decrypted with the private key, which is held by the receiver of the data only. Since it’s a much more complicated system we can’t just use any key we want as example. We need to use special algorithms, i.e. the RSA algorithm.
Here is a link which explains neat how to do encryption and decryption using RSA.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: