Now I’m sure we’ve all bought something online or done a bit of internet banking. If you have you’ve probably noticed that little lock picture in the corner of your browser somewhere.But I wonder how many people know what it means and what that little lock signifies. Well if you’ve ever wondered, then let me explain some of the basics behind SSL and exactly how it works.
To begin with – SSL actually stands for Secure Socket Layer. It was developed in the Mid-90s by a company called Netscape. They owned a popular browser of the time called Navigator which was actually the first browser to allow secure and safe ecommerce functionality. Up to then it was rather a large drawback that your communications should be spied on with the minimum of fuss. Often it wouldn’t matter but if you were transmitting a credit or debit card number or some other confidential information – then you were risking a lot.
Netscape were well aware of this and what they designed was a new protocol. That is a way for two different computers to talk to each other, however this protocol was different – the communication was encrypted in transit so they couldn’t be read by anyone. Making the communication secure and ensuring that whatever information that was transmitted was safe. This was especially important due to the distributed design of the internet – your data could pass through hundreds of hops before it reached it’s destination. Without encryption anyone could just sit on a European, US or UK proxy server and analyse your data.
This works by the owner of the web server, obtaining something called a digital certificate from a company known as a Certification Authority or CA for short. Every certificate is unique and is linked to the company who issued it, this link eventually leads to the Root CA.
So each browser has access to a list of these CAs which are considered safe and secure. So when you make a secure connection to a web site that owns a digital certificate, your own browser will look up the chain of command and check the validity of each certificate. If the browser goes all the way back to the Root CA and still doesn’t find the certificate listed then you’ll get a warning that the certificate is not a trusted one.
Public Key Exchange
When a certificate is not trusted then you won’t know for sure if the information listed e.g. company name, address etc is valid. Trusted Certificate Authorities (CAs) verify all the business and contact information for you. However even if the certificate is not trusted and the contact information unverified, at least the traffic from your browser to the web server is secured.
The next stage after the browser has established the certificate’s trust or you confirm you’re willing to trust it anyway is for the two computers involved to exchange keys.
A ‘Key’ is just a very large number which is related mathematically to another number in a defined way. The form in which these two numbers are chosen is quite complicated, in fact an explanation of the process involved is likely to start something like this –
“Agree on a finite cyclic group G with a generating element g in G.”
Unless you’re very interested in the cryptography behind these calculations, it’s probably just to consider it ‘magic’!
Each of the computers will create it’s own set of two keys. Because of the special relationship of these two keys, any data encrypted with one key can only be decrypted by the other key. One key is kept as a secret whilst the second is sent to the other machine. After these keys are exchanged, each of the machines uses it’s own secret key and the key sent by the other machine to encrypt all data communicated between them.The same process is repeated at the second machine, which will decrypt using the two keys it has.
Remember the keys will only work to decrypt data which has been encrypted with the matching keys. Each machine knows that the message came from the known source and was only intended for this machine.This effectively secures the data and ensures it cannot be intercepted.
Hope that clarifies a little – if it didn’t well I tried !
Further Reading and a recommendation for the UK VPN Access available.