Skip to main content

SSL

Secure Sockets Layer (SSL) is a protocol. It sets up a secure connection between a client and a server.

What SSL achieves

SSL does two things. One is for the client to authenticate the server. The other is to encrypt the data between the client and server.

It counts as authentication because the client can be sure it talks to the right server.

Certificate and Trust

Trust starts when the client gets a certificate from the server. The certificate holds the server's public key. A trusted Certificate Authority (CA) signs it.

  1. The public key is used initially to verify if the server really has the corresponding key.
  2. The client uses the digital signature to confirm the certificate came from a CA it trusts.
x.509 format

It's the format of the certificate's content. Think of it like a JSON schema that describes the structure.

SSL Handshake Process

ssl-handshake-flow

Certificate Verification

  1. The CA signs by generating an hash of the certificate contents.
  2. The CA uses its private key to encrypt the hash.
  3. The encrypted hash is included in the certificate.
  4. The hash algorithm used to hash the certificate is also included in the certificate.

The client first decrypts the signature with the CA's public key. Then it hashes the certificate contents with the same algorithm. Finally, it compares the decrypted signature with the new hash.

This is a combination of hashing and encryption technologies.

ECDHE Key Pair

This is an ephemeral key pair. Both the client and server generate it when a new TLS connection starts.

  • Private Key - A huge random number. Generated using standard random number generators.
  • Public Key - Made by multiplying the private key by another huge number. That number is fixed and known to all.
Only public keys are transferred

In the whole handshake, only the public keys travel over public networks.

The shared secrets, private keys, and symmetric key all stay local. The algorithms let both sides build the same secret values.

PublicKey = PrivateKey × G

Where G is the **generation point**.
It has a known x and y co-ordinates in a graph.
why is this secure?

The numbers are so huge that you can't get the private number by division, even with the public key and the fixed number.

In an elliptic curve, the private and public key values define the curve. G is a specific point on it. Adding G to itself many times gives another point. It's nowhere near the original G.

Note that this isn't multiplication on a linear scale. It's done on an elliptic curve. There, adding two points gives a third point on the curve. This is exactly why finding the private key from the public key is hard.