How does the SSL Certificate work?

We know that https in the website URL (Uniform Resource Locator) makes a website more secure.
But have you ever thought about what makes an https website more secure than an http website? It is an SSL certificate that makes the https website more secure.
Before understanding how it works, we need to learn the types of encryption:
Symmetric Encryption
Here, a single key performs both the encryption and the decryption of the data.
Asymmetric Encryption
Here, we have two keys (a public key and a private key). The public key encrypts the data, whereas the private key decrypts it.
The public key can be accessed by anyone, but we need to keep the private key safe and ensure it isn't shared with anyone.
The SSL certificate is issued by a third-party authority to ensure secure communication and authenticate the ownership of the domain. The authority can charge money for this service, but some provide the service for free as well, for example Let's Encrypt.
The issuing authority creates a hash of the server's public key using a cryptographic hash function. The hash and other information on the certificate are encrypted using the authority's private key; the result is referred to as the digital signature on the SSL certificate.
The client initiates the handshake by sending a "Client Hello" message to the server to establish the connection between server and client. When it receives the server's certificate, it produces the hash for the server's public key using the same function the issuing authority used. It also decrypts the digital signature of the SSL certificate using the issuing authority's public key and compares both hash values.
If both values match, it signifies that the response is coming from an authenticated server and wasn't altered by anyone in transit.
If the values don't match, it signifies that the response has been tampered with in transit.
If the connection is established successfully, further communication uses symmetric encryption with shared secret keys that are set up during connection establishment and are possessed by both the server and the client.
The shared secret keys aren't directly exchanged; they are generated through a process. The symmetric encryption ensures data integrity and authenticity for the messages once the connection is established.
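Now, you may be wondering: in asymmetric encryption, the public key is used to encrypt the data and the private key is used to decrypt it. But in the case of verifying the signature, encryption of the server's public key is done using the CA's private key, and decryption happens with the CA's public key. A digital signature uses the key pair in the opposite direction: only the holder of the private key can produce it, while anyone with the public key can check it.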
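The signing and checking steps described above, as an added example that is not part of the original post. It uses textbook RSA with a constructed toy CA key and a constructed certificate string (the domain, key value and function names are hypothetical), and it hashes the certificate contents, which include the server's public key.

```python
import hashlib

# Constructed toy CA key built from two well-known Mersenne primes.
# Textbook RSA without padding, for illustration only: real CAs use
# padded RSA (PKCS#1 v1.5 or PSS) or ECDSA with properly generated keys.
P, Q = 2**127 - 1, 2**521 - 1
CA_N = P * Q                                # public modulus
CA_E = 65537                                # public exponent
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))     # private exponent, kept by the CA


def digest(cert_body: bytes) -> int:
    """Hash the certificate contents and return the hash as an integer."""
    return int.from_bytes(hashlib.sha256(cert_body).digest(), "big")


def ca_sign(cert_body: bytes) -> int:
    """CA side: hash the contents, then apply the CA private key."""
    return pow(digest(cert_body), CA_D, CA_N)


def client_verify(cert_body: bytes, signature: int) -> bool:
    """Client side: recover the hash with the CA public key and compare
    it with a hash the client computes itself over the same contents."""
    return pow(signature, CA_E, CA_N) == digest(cert_body)


# Constructed certificate contents (hypothetical domain and key value).
cert = b"subject=example.test;server_public_key=04a1b2c3;issuer=Toy CA"
sig = ca_sign(cert)

# The same certificate with the server public key swapped out.
tampered = cert.replace(b"04a1b2c3", b"04ffffff")

if __name__ == "__main__":
    print("genuine certificate verifies :", client_verify(cert, sig))
    print("tampered certificate verifies:", client_verify(tampered, sig))
```

Only the private exponent can produce a value that the public exponent maps back to the expected hash, which is why the client needs nothing secret to run the check.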
For an in-depth understanding, let's look at the SSL and TLS protocols. SSL stands for Secure Sockets Layer, a protocol developed by Netscape to protect user privacy by encrypting data in transit so that it cannot be understood by anyone else. It is now deprecated because of major security concerns.
SSL has been replaced by TLS, which stands for Transport Layer Security and was developed by the Internet Engineering Task Force. Users and organizations use the two names interchangeably, but the two differ at the protocol level.
I hope you understand the concept well. If you liked it, share it. And reply to me with what fascinates you in the blog or what technical concept you would like me to cover. I will be reading all the replies.
Thank you,
Lakshay Mahajan