Monday, June 24, 2013

How does the SSL protocol work?

The SSL/TLS protocol sits between the application layer (HTTP) and the TCP/IP layer. It handles the encryption and decryption needed for secure communication between the client and the server. SSL is therefore not part of HTTP; it is a separate layer.

SSL uses an encryption technique called public key cryptography, where the server end of the connection sends the client a public key for encrypting information, which only the server can decrypt with the private key it holds. The client uses the public key to encrypt its own key and sends it to the server, identifying itself uniquely to the server. This prevents a man-in-the-middle attack.

In addition to encrypting the connection, we need to ensure that the client is connecting to the right web server before setting up an SSL connection. The authenticity of the web server is verified using digital certificates issued to the web server, which are authenticated by third-party certificate authorities.
The server sends the digital certificate, along with some encrypted random data, to the client. The client (browser) verifies the certificate before setting up an SSL session. The certificate is verified as follows:

1) The certificate must be able to decrypt the random data sent by the server, which was encrypted with the server's private key.
2) The certificate must have been issued by an accepted CA.
3) The name on the certificate must match the host name of the server requested by the client.
4) The certificate must not have expired.

If these criteria are met, the browser then exchanges a session key with the server. The session key is a random piece of data that is used to encrypt the rest of the session.
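The checks above, run as an added example that is not part of the original post: a throwaway root CA and a server certificate for the constructed host name "example.test" are generated, and Go's standard-library chain verifier is asked to apply the issuer's signature check plus checks 2 to 4 (trusted CA, host name match, not expired). The proof that the server actually holds the private key behind the certificate (check 1) happens later in the handshake and is not shown here; the names BuildDemoPKI, VerifyServerCert and mustIssue are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue signs template under parent (self-signed when parent == template); demo setup, so failures panic.
func mustIssue(template, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a moment ago always parses back
	return cert
}
// BuildDemoPKI builds a throwaway root CA and a server certificate for the constructed host "example.test".
func BuildDemoPKI(now time.Time) (ca, leaf *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), // one-year validity window
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = mustIssue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"example.test"}, // name the client compares with the requested host
		NotBefore:    now, NotAfter: now.AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return ca, mustIssue(leafTmpl, ca, &srvKey.PublicKey, caKey) // signed with the CA's private key
}
// VerifyServerCert runs the client's checks: issuer signature (verified while chaining), trusted issuer, host name, dates.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err // nil means every check passed
}

func main() {
	now, roots := time.Now(), x509.NewCertPool()
	ca, leaf := BuildDemoPKI(now)
	roots.AddCert(ca) // the client's trust store holds only the demo root
	fmt.Println("good:", VerifyServerCert(leaf, roots, "example.test", now), "| wrong host:", VerifyServerCert(leaf, roots, "other.test", now))
}
```

Passing an empty certificate pool instead of roots, or a time after NotAfter, makes the same call fail with an unknown-authority or expired error, which is exactly what a browser reports for checks 2 and 4.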

In summary:

  • The server sends the client its public key and certificate.
  • The client checks that the certificate was issued by a trusted party (usually a trusted Certificate Authority), that the certificate is still valid, and that the certificate is related to the contacted site. If the client trusts the server, it sends a message to the server. The server sends back a digitally signed acknowledgement to start an SSL-encrypted session.
  • The client uses the public key to encrypt a random symmetric encryption key and sends it to the server, along with the encrypted requested URL and other encrypted HTTP data.
  • The server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
  • The server sends back the requested HTML document and HTTP data that are encrypted with the symmetric key.
  • The client decrypts the HTTP data and HTML document using the symmetric key and displays the information.

Is SSL really secure?

Data sent from the browser to the server is held unencrypted in server memory. If the server produces a core dump, all the data sent by the client to the server can be read from it.

Reference:
http://stackoverflow.com/questions/6241991/how-exactly-https-ssl-works
