How Does SSL Work? What is TLS security? Digital certificates, Asymmetric Encryption, SSL vs TLS Explained

To understand how SSL works, we first need to understand what digital certificates are.

A digital certificate serves 3 objectives:

  1. Authentication: Confirms that the server that is serving the file is the one it claims to be
  2. Non-repudiation: The sender can’t deny having sent a message they sent (because no one else has the certificate they have)
  3. Integrity: Ensures messages were not altered

Two keys are generated by the party:

  • Public key: used for encryption
  • Private key: used for decryption

Symmetric encryption

Identical keys are generated and passed using asymmetric encryption. Both keys can do both encryption and decryption.

SSL certificates

Digital certificates (called SSL certificates in the web use case) are created with the CA’s private key, and all major browsers have the public keys of all major CAs (certificate authorities).

A CA has a procedure for issuing a digital certificate for a domain; most commonly, you will have to prove control over the server.

It is like when your employer gives you an ID card: it needs to confirm that it is you who is getting the ID card, otherwise someone else can impersonate you.

Step 1: When a browser requests a page, the server generates asymmetric keys. It sends its public key along with its digital certificate and keeps the private key.

Step 2: The browser validates the certificate using the already installed public key provided by the CA (digital signatures are created with the CA’s private key). If validation succeeds, a green padlock appears in the address bar.

Problem: Two-way encryption is not possible with asymmetric keys. The following steps overcome this problem.

Step 3: The browser generates two symmetric keys and sends one of them to the verified server. That symmetric key is not sent as plain text; it is encrypted with the asymmetric public key that the server provided along with the SSL certificate.

Part 2: secure communication

Step 4: The server decrypts the encrypted message it received with its asymmetric private key and obtains the symmetric key.
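Steps 1 to 4 as a runnable sketch, added here as an example and not taken from the original article or from any TLS implementation. Assumptions: textbook RSA over small constructed primes stands in for the asymmetric keys, a SHA-256 keystream XOR stands in for the symmetric cipher, a single shared session key is used, and all function names and the domain `example.test` are hypothetical.

```python
import hashlib, secrets

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed toy keys from small Mersenne primes; far too small for real use.
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)
SRV_PUB, SRV_PRIV = make_key(2**61 - 1, 2**127 - 1)

def cert_body(domain, pub):
    return f"{domain}|{pub[0]}|{pub[1]}".encode()

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_sign(domain, pub):
    """CA issues a certificate: signs domain + server public key with its private key."""
    n, d = CA_PRIV
    return pow(digest_int(cert_body(domain, pub), n), d, n)

def browser_validate(domain, pub, sig):
    """Step 2: browser checks the signature with the CA public key it already trusts."""
    n, e = CA_PUB
    return pow(sig, e, n) == digest_int(cert_body(domain, pub), n)

def browser_send_key(domain, pub, sig):
    """Step 3: after validation, wrap a fresh symmetric key with the server public key."""
    if not browser_validate(domain, pub, sig):
        raise ValueError("certificate rejected")
    key = secrets.randbits(128)
    return key, pow(key, pub[1], pub[0])

def server_unwrap(wrapped):
    """Step 4: server recovers the symmetric key with its private key."""
    n, d = SRV_PRIV
    return pow(wrapped, d, n)

def sym_crypt(key, data):
    """Symmetric part: the same key and function both encrypt and decrypt."""
    kb = key.to_bytes(16, "big")
    blocks = (hashlib.sha256(kb + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

if __name__ == "__main__":
    sig = ca_sign("example.test", SRV_PUB)                 # constructed sample certificate
    key, wrapped = browser_send_key("example.test", SRV_PUB, sig)
    ct = sym_crypt(key, b"GET /account")
    print(sym_crypt(server_unwrap(wrapped), ct))           # server reads the request
    print(browser_validate("evil.test", SRV_PUB, sig))     # signature is bound to the domain
```

The validation in step 2 is what ties the public key to the domain: the same signature fails for a different domain or a substituted public key, so the browser never wraps a session key for an unverified party.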

From now on, all messages travel encrypted, but SSL (Secure Sockets Layer) is not foolproof. It was replaced by TLS (Transport Layer Security), which is actually just a rename of SSL v3.1.

Commonly, TLS is referred to as SSL.

Practically, an SSL certificate is different from a TLS certificate, and the TLS protocol is different from the SSL protocol. An SSL certificate won’t work on the TLS protocol and a TLS certificate won’t work on the SSL protocol, but the industry uses the terms interchangeably.

SSL is 25 years old if you are reading this in 2020.

If you are not on HTTPS, you are running on technology less secure than 1995 tech.

Loosely speaking (writing), the core concepts behind TLS and SSL are mostly similar, but TLS comes with huge security improvements.

If generating a free certificate interests you, there you go

Finding Magic.