SSL in pictures

Here is my summary on SSL (or as I like to call it 'SSL for dummies')

Basic idea of SSL (Secure Socket Layer)

SSL provide secure connection over the net. This way one can connect over the net with basic security requirements: secure authentication of both sides (who am I and who you are) and encryption (hide what I say).

TLS (Transport Layer Security) is a security protocol from the IETF that is based on the Secure Sockets Layer (SSL) 3.0 protocol developed by Netscape.

Client Authentication 

Without SSL, authentication of client is done by username and password. With SSL, server can authenticate client with digital certificate and signature to make sure the client is really who who it claims to be.

Without SSL:

With SSL:

Encryption of the information

The user information that is sent both ways is encrypted so it can be read by 3rd party. in order to do so, there is "handshake" of secrets between server and client.

In the "handshake" public/private keys are used between server and client to decide on a secret number that will be later used by symmetric encryption to encrypt user data (link):

Here is high level diagram of connection setup:

Note that the user information is encrypted using symmetric key that was decided by both sides. But this negotiation was done via encrypted channel that used public/private keys which is very hard to break. Each few minutes, the secret is changed to avoid breaking it.

Here is a more detailed diagram:

SSL two way authentication

In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL-client application.

Two-way SSL authentication is also referred to as client authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server authenticates itself to the SSL client: (link)

SSL one way authentication

In such mode, the SSL-client application is not verified by the SSL-server application. Only the server is verified:


digital signature software said...

Very helpful article ! I was always curious about all these complex algorithms that are being used in these ssl encryptions.

Anonymous said...


Anonymous said...

Nicely detailed! Thanks!

Anonymous said...

Nice explanation. Thanks. Almost understood everything except one thing. What is the "pre-master secret" and how are the public and private keys used? How can the server decrypt the replies from the client with its private key, if these have been encrypted with a different key (its public key)? I'm not an encryption specialist, but I would have thought that you have to use the same key to en- and decrypt.

Ziv said...

Sorry for the late reply....

It was years since I worked on this area :-(
I don't remember this area good enough to help you.