Whenever data is transferred between a server and a client, security is a major concern, and organizations spend huge sums of money to make sure that information stays secure while it travels over the network. At the transport layer, SSL/TLS is the protocol used to achieve this: it first builds a relationship of trust between the communicating parties, and all subsequent message exchange then happens in an encrypted and secure manner.
SSL/TLS has become part and parcel of our online activities: every secure website reached over HTTPS relies on it, including banking, online shopping and business services, as well as B2B server-to-server communication. Yet the basic concepts behind SSL, how it works and how it achieves a secure communication model, remain unclear to many who are new to the subject or who have never dug deeper into this area.
In this article, I will explain the basic SSL concepts: how SSL works, how the SSL handshake happens, what asymmetric and symmetric cryptography are, how encryption is used in SSL/TLS-based communication, and what role a CA (Certificate Authority) plays in the SSL handshake.
SSL/TLS Basic Concepts: What is an SSL Certificate?
SSL (Secure Sockets Layer) is a standard security protocol used to secure the connection between two communicating parties, so that sensitive, private or critical data can be exchanged over the network in an encrypted, trusted way without the risk of that data being stolen, altered, fabricated or otherwise compromised by a potential attacker.
SSL can secure communication between a client and a server (B2C communication) or between two servers (B2B communication), using either one-way or two-way SSL.
SSL has been deprecated in favour of its successor TLS (Transport Layer Security), but the word SSL is still widely used even when TLS is meant. TLS is the more secure, updated version of the SSL protocol; the latest version as of now is TLS 1.3, which is considered the most secure SSL/TLS version available.
SSL/TLS Basic Concepts: How Does SSL/TLS Work?
SSL/TLS works on the principle of trust: a chain of trust is formed up to a Root CA (Certificate Authority), an entity that is considered authorized and trustworthy for issuing certificates. Let us summarize in a simple manner how SSL works.
SSL-based secure communication is achieved in two steps. First, an SSL handshake takes place between the two parties based on a public/private key pair (asymmetric cryptography); second, all further communication between the two parties takes place in encrypted form using a symmetric session key.
SSL/TLS Handshake Explained: How SSL Handshake Happens
The SSL handshake consists of a series of sub-steps that build a relationship of trust between client and server using a chain of trust. The handshake relies on public/private key pairs: the server shares its public key with clients and keeps the corresponding private key to itself. During the handshake the client encrypts with the server's public key, and only the server can decrypt with its private key.
Below is a summary of the SSL handshake process:
Let's take as an example a client (our web browser) that wants to access a secure website, https://abc.com
For this secure SSL communication, the following steps are involved in the SSL handshake mechanism:
1. The client (browser) sends a Client Hello to the abc server. This Client Hello carries the information the client intends to share with the server, including the SSL protocol and version and other encryption-related parameters the client considers important for starting the handshake.
2. After receiving the Client Hello, the abc server responds with a Server Hello. The Server Hello is essentially the server's confirmation of the SSL options sent by the client in the Client Hello. If the server does not support the protocol or version specified by the client, the SSL handshake fails at this step.
3. The server now sends its public certificate to the client. This server certificate (certificate chain) must be a valid certificate signed and issued by a trusted CA.
4. Once the client receives the server certificate, it validates that certificate against its trust store. Where the server certificate was issued by an intermediate CA, which was in turn issued by a Root CA, this chain of trust must be validated up to a Root CA present in the client's trust store. If trust cannot be confirmed with a Root CA, the client rejects the server certificate and the handshake fails.
5. Once the client has validated the server certificate chain, it generates a pre-master key and sends it to the server. The client encrypts this pre-master key using the server's public key.
6. The server decrypts the pre-master key using its private key.
7. Once the pre-master key has been shared by the client and decrypted by the server, both client and server compute a shared secret from the pre-master key.
8. Client and server now use this shared secret as a symmetric key, and all subsequent communication between them is encrypted with it.
Note that the steps above describe one-way SSL. In mutual SSL (two-way SSL), the client also shares its own certificate (public key) with the server, and the server must validate the client as well, whereas in one-way SSL only the client validates the server during the handshake.
You can refer to my other article to know how one way and two way SSL work for SSL based secure communication.
SSL/TLS Basic Concepts: What is Asymmetric and Symmetric Encryption?
Asymmetric encryption works on the principle of key pairs, where a combination of a public key and a private key is used for encryption and decryption. The public key is used to encrypt a message, while only its corresponding private key can decrypt that message. In SSL, asymmetric encryption is used during the handshake so that client and server can build a trust relationship and then agree on a shared secret.
Symmetric encryption works on the principle of a shared secret, where the same key is used for both encryption and decryption. In SSL, a symmetric key is used for all message communication once the handshake between client and server has completed. This symmetric key takes the form of a shared secret known to both client and server; the shared secret is also known as the session key of the SSL communication.
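The RSA key exchange of handshake steps 5 to 8 and the handover from asymmetric to symmetric encryption described above, as an added Go example that is not code from the original article. The 48-byte pre-master secret and PKCS#1 v1.5 wrapping follow the TLS 1.2 RSA key exchange; the HMAC-based key derivation and the AES-GCM record protection are simplified stand-ins for the real TLS PRF and record layer, and TLS 1.3 has dropped this RSA key transport in favour of ephemeral Diffie-Hellman.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// WrapPreMaster is step 5: the client draws a random 48-byte pre-master secret and
// encrypts it under the server's public key, so only the private-key holder can read it.
func WrapPreMaster(serverPub *rsa.PublicKey) (preMaster, wrapped []byte, err error) {
	preMaster = make([]byte, 48)
	if _, err = rand.Read(preMaster); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptPKCS1v15(rand.Reader, serverPub, preMaster)
	return preMaster, wrapped, err
}

// UnwrapPreMaster is step 6: the server recovers the pre-master with its private key.
func UnwrapPreMaster(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptPKCS1v15(rand.Reader, serverPriv, wrapped)
}

// SessionKey is step 7: both sides derive the same symmetric key from the pre-master and
// the two hello randoms. HMAC-SHA256 is a simplified stand-in for the TLS PRF here.
func SessionKey(preMaster, clientRandom, serverRandom []byte) []byte {
	mac := hmac.New(sha256.New, preMaster)
	mac.Write([]byte("master secret"))
	mac.Write(clientRandom)
	mac.Write(serverRandom)
	return mac.Sum(nil) // 32 bytes, used directly as an AES-256-GCM key
}

// Record is step 8: AES-256-GCM under the session key for one application-data record.
// The record sequence number is the nonce, so a nonce is never reused under the same key.
func Record(key []byte, seq uint64) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return aead, nonce
}
```

The caller seals each record with the AEAD and nonce returned for its sequence number, and the receiving side opens it with the same session key and sequence number; a modified record fails authentication instead of decrypting to garbage.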
SSL/TLS Frequently Asked Questions
As an SSL tutorial for beginners, I am outlining some of the frequently asked questions about SSL/TLS, which will help you further understand the various concepts and terminology related to SSL/TLS.
What is meant by a CA, and what is the difference between a Root Certificate, an Intermediate Certificate and a Leaf (Server) Certificate?
A CA (Certificate Authority) is a well-known and trusted legal entity that is authorized to issue certificates. There are various trusted CAs, and they are authorized to issue digital certificates to their clients (usually intermediate CAs).
Root CA certificates are kept in the trust store, and a certificate is considered valid only if its chain of trust reaches a trusted Root CA.
Intermediate certificates belong to an intermediate CA that is not directly trusted; trust is obtained through the chain, because such intermediate CAs are in turn trusted by a Root CA. Intermediate certificate(s) act as the intermediary between the Root CA and the server certificates.
A server certificate (also known as a leaf certificate) is a certificate issued to a server by a CA. It is usually issued by an intermediate CA, and a chain of certificates, shipped as a certificate bundle, links it back to the Root CA to build the trust chain.
You can refer to another article that I wrote explaining how SSL Certificate chain works.
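An added Go example, not code from the original article, of handshake step 4 and the root/intermediate/leaf chain described above. It builds a constructed chain (a self-signed root, an intermediate and a leaf for abc.com) with only the standard library, then validates it the way a client trust store does; the names, serial numbers and one-day validity are made up for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn under parent (self-signed when parent is nil); the leaf gets a DNS SAN.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, key, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA is only trusted to sign if this usage is set
	} else {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil { parent = tmpl } // self-signed root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// BuildChain creates a constructed Root CA -> Intermediate CA -> abc.com leaf chain.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	rootKey, interKey, leafKey := gen(), gen(), gen()
	root = issue("Example Root CA", 1, true, nil, rootKey, rootKey)
	inter = issue("Example Intermediate CA", 2, true, root, interKey, rootKey)
	leaf = issue("abc.com", 3, false, inter, leafKey, interKey)
	return root, inter, leaf
}

// Verify is handshake step 4 on the client: root is the trust store, leaf and inter are
// what the server sent (nil = not sent), and the chain must reach that trusted root.
func Verify(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if root != nil { roots.AddCert(root) }
	if inter != nil { inters.AddCert(inter) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Only the root lives in the trust store; the intermediate must be sent by the server in its bundle, which is why a server that ships just its leaf certificate fails validation in clients that do not fetch missing intermediates themselves.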
What is the Difference Between One Way and Mutual SSL/TLS?
One-way and two-way SSL are two mechanisms for SSL communication; which one applies depends on whether only the client needs to trust the server certificate, or the server also needs to establish trust with the client before secure communication starts.
In one-way SSL, the server shares its certificate with the client, and the client validates the server certificate using its trust store. In mutual SSL/TLS, the client also shares its certificate with the server, and the server verifies the client's certificate as well before completing the handshake. You can refer to another article that I wrote about one-way and two-way SSL and how they differ from each other.
What is the Difference Between SSL and TLS?
SSL vs TLS is a common question for newbies. In fact, SSL is still a widely used term even for TLS nowadays, simply because the word is so popular. TLS is the successor of SSL with more security features; SSL itself has been deprecated because it was considered insecure due to various security flaws.
Historically, SSL had three versions: SSL 1.0, SSL 2.0 and SSL 3.0. SSL 1.0, developed in 1995, could not be released due to security issues; SSL 2.0 was deprecated in 2011; and SSL 3.0 was also considered flawed due to security issues in 2004.
To deal with the SSL issues, TLS was released, with the first TLS version (TLS 1.0) in 1999, followed later by TLS 1.1, 1.2 and 1.3, each version addressing the issues of its predecessor and adding security features.
TLS 1.3, released in 2018, is currently the latest version; it is widely used and considered the most secure TLS version.