A so called SSL Certificate is used to verify the security of a website. With such a certificate the communication between a client and a webserver can be secured by encrypting the communication so that no one outside of the connection can read the data which is transferred between them. This is used to make sure no one can read sensitive data like credit card information passwords or anything else. A SSL Certificate must be validated by an authorized web security company to verify its security.
To use SSL you need to purchase a certificate from an authorized web security company. First you need to create a Certificate Signing Request (CSR) on your server. During this process, you will create a public and a private key. After you created the .csr file, you need to send it to a CA, a Certificate Authority. The CA will create and send back another file, which contains the public key.
Attention: The CA will never receive your created private key!
The new file you received is the one you need to install on your webserver. Installing the certificate differs based on the webserver you’re hosting.
Connection with a Secured Website
Usually when you connect to a website, which uses a valid and trusted SSL Certificate, your browser will display that with either a lock or a green bar on the search bar.
If a browser tries to access a website, which uses SSL, the browser and the server do a
The SSL Handshake is a process with 5 steps:
- The browser requests the server to identify itself
- The server sends back its SSL certificate
- The browser checks, if the CA, which created the certificate, is trusted
- The browser creates, encrypts and sends back a symmetric (explained below) session key using
the public key of the certificate
- The server decrypts the session key using its private key and sends back an acknowledgement
to start the encrypted session
Now the browser and the server encrypt all data transferred between them.
Such a certificate encrypts either with a symmetric or an asymmetric encryption. The major difference between these types is, that symmetric encryption uses the same key to encrypt and decrypt data and the asymmetric encryption uses two different keys.
As mentioned before, in the symmetric encryption the certificate uses the same key to encrypt and decrypt data. Let’s have a look at a very trivial example. Assuming we have the word
Hello and as key we take the number
5. Now let’s specify our personal encryption. We take the numeric index of each character and add our key to it. For example,
H is the 8th letter in the alphabet. Now we add our key (
5) to 8 which results in
L is the 13th character of the alphabet, so
L with our key.
Now let’s encrypt our word:
|Original character||index in the alphabet||add our key (5)||encrypted character|
As you can read in our table, our word
Ljrrt, which can’t be read and used properly. This is the word which would be sent. To decrypt our message, we reverse our encrypt algorithm, which means that we take again the numeric index of each letter and deduct our key to our given index.
Let’s decrypt our word.
|encrypted character||index in the alphabet||deduct our key (5)||Original character|
As you can see, our encrypted word
Asymmetric encryption is a little more complicated. It uses, two different keys. A so called public and a private key. The public key is (obviously) public and everyone can use this key to encrypt data. The encrypted data can only be decrypted with the private key, which is held by the receiver of the data only. Since it’s a much more complicated system we can’t just use any key we want as example. We need to use special algorithms, i.e. the RSA algorithm.
Here is a link which explains neat how to do encryption and decryption using RSA.