Thursday, January 15, 2015

Link between SSL, HTTPS, Certificate, Browser, Server

I have tried to draw a link between SSL, HTTPS, Certificate, Browser, Server using simple language in following steps: 

 Process of obtaining Certificate:
  •  A web site operator obtains a certificate by applying to a certificate provider (a CA that presents as a commercial retailer of certificates) with a certificate signing request. 
  • The certificate provider generate a certificate with public and private key.
  • Now web site operator send a request to certificate Authority to sign the request. For security reasons the private key is not part of the request and is not sent to the certificate authority. 
  • The certificate provider signs the request, thus producing a public certificate. 
  • During web browsing, this public certificate and public key is served to any web browser that connects to the web site and proves to the web browser that the provider believes it has issued a certificate to the owner of the web site.
 SSL flow:
    • End-user enter a secure site to connects to
    • Browser identify it site is secure, it request SSL certificate from the site.
    • SSL certificate contains following information:
      • Domain name
      • Company name
      • City
      • State
      • Country
      • Expiration date
      • issuing Authority
    • Browser verifies following three items:
      • Certificate is not expired
      • Certificate has been issued by the Authority that browser trusts
      • Certificate has been issued to browser from the site for which it has been generated
    • If any of the above condition does not meet then browser shows error for the certificate about the same. ex: This Connection is Untrusted / Certificate Error
    • With certificate Browser also receives a Public key
    • Based on this initial exchange, browser and the website then initiate the 'SSL handshake'. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website. This involves following steps:
      • The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
      • The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
    • SSL used asymmetric Public key Infrastructure (PKI). This used two keys: Public keys to encrypt and Private key to decrypt. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.
    • In Symmetric Public Key Infrastructure, same key is used for encryption and decryption.