Function of the SSL Certificate nightmare

GHOSTRIDER2016GHOSTRIDER2016 ■■□□□□□□□□ Posts: 35Member ■■□□□□□□□□
Chaps,

I am trying to get my head around this sorry if this is a simple question but its doing my head in so to speak icon_sad.gif.

I understand that SSL certificates are used to setup a SSL connection between the web browser and web server. So i assume this is encrypted tunnel right ?. So if SSL certification does this. Why does the private/public key have to also be used ? or is this a second layer of security like another wrapper around the data sent to the web browser ?

Thanks

Comments

  • docricedocrice ■■■■■■■■■■ Posts: 1,706Member ■■■■■■■■■■
    The private/public key pair is the basis of asymmetric crypto. The public key is on the certificate shown to the world while the private key is held confidentially on the server. For the security to remain intact, everything depends on ensuring this private key is not leaked out.

    SSL/TLS involves the handshake where the server sends the client a copy of its cert, the client validates it (trust chain, validity period, CN matching FQDN, etc.), then the client essentially generates a session key for the SSL/TLS channel but encrypts it using the server's public key. Only the server with the private key will be able to decrypt this.

    After that, the SSL/TLS connection is set up since both client and server know the value of the session key and starts using symmetric crypto (based on the cipher suite agreed on at the beginning of the SSL/TLS handshake). In theory asymmetric crypto could be used to send data encrypted, but unlike symmetric crypto there's a ton more computational overhead, hence why the encrypted channel is ultimately done using symmetric crypto like AES. Keep in mind this explanation isn't 100% accurate since there are more nuances than this, but it should give you an idea.

    Understanding SSL/TLS, certificates, PKI, and asymmetric/symmetric crypto and hashing functions as it relates to digital signatures, etc. is not a trivial thing to learn. Most beginner material covering this only gloss over it because it takes a while to get your head around it. It's not a straight-forward intuitive subject by any means.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • GHOSTRIDER2016GHOSTRIDER2016 ■■□□□□□□□□ Posts: 35Member ■■□□□□□□□□
    Thanks docrice i think the waters are becoming less muddy now i can see the bottom of the lake so to speak :)
    docrice wrote: »
    The private/public key pair is the basis of asymmetric crypto. The public key is on the certificate shown to the world while the private key is held confidentially on the server. For the security to remain intact, everything depends on ensuring this private key is not leaked out.

    SSL/TLS involves the handshake where the server sends the client a copy of its cert, the client validates it (trust chain, validity period, CN matching FQDN, etc.), then the client essentially generates a session key for the SSL/TLS channel but encrypts it using the server's public key. Only the server with the private key will be able to decrypt this.

    After that, the SSL/TLS connection is set up since both client and server know the value of the session key and starts using symmetric crypto (based on the cipher suite agreed on at the beginning of the SSL/TLS handshake). In theory asymmetric crypto could be used to send data encrypted, but unlike symmetric crypto there's a ton more computational overhead, hence why the encrypted channel is ultimately done using symmetric crypto like AES. Keep in mind this explanation isn't 100% accurate since there are more nuances than this, but it should give you an idea.

    Understanding SSL/TLS, certificates, PKI, and asymmetric/symmetric crypto and hashing functions as it relates to digital signatures, etc. is not a trivial thing to learn. Most beginner material covering this only gloss over it because it takes a while to get your head around it. It's not a straight-forward intuitive subject by any means.
Sign In or Register to comment.