The Secure Sockets Layer (SSL) protocol was created by Netscape to secure transactions between web servers and browsers; it has since been superseded by Transport Layer Security (TLS), which works on the same model. The protocol relies on a third party, a certificate authority (CA), to identify one end or both ends of the transaction.
How does it work?
Steps:
1. The browser requests a secure page (an https:// URL).
2. The web server sends its certificate, which contains its public key.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA, or a chain of certificates leading to one), that the certificate is still valid (not expired or revoked) and that it belongs to the site being contacted (the host name matches the name in the certificate).
4. The browser generates a random symmetric encryption key, encrypts it with the server's public key and sends it to the server, followed by the requested URL and the other HTTP data encrypted with the symmetric key.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested HTML document and HTTP data, encrypted with the symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the page.
Two caveats. Step 4 describes RSA key transport, which TLS 1.3 no longer allows: modern connections derive the symmetric key from an ephemeral Diffie-Hellman exchange that the server signs with its certificate key, so that a later theft of the server's private key cannot decrypt recorded traffic (forward secrecy). The split between a public-key step and a symmetric-key step, and the certificate checks in step 3, are unchanged. Also, only the path, headers and body of the request are encrypted; the host name itself normally travels in the clear (in the TLS server name indication).
Encryption with a private/public key pair ensures that data encrypted with one key can only be decrypted with the other. In RSA the two keys are interchangeable in this sense: what one key encrypts, the other decrypts, which is what lets the private key both decrypt messages sent to its owner and sign messages that anyone can verify with the public key. The key pair is derived from two large prime numbers, and the length of the keys in bits (2048 or more today) is what makes it infeasible to recover the message, or the private key, without the secret key. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody.
A certificate contains information about its owner: e-mail address, owner's name, the permitted usage, the period of validity, and the Distinguished Name (DN), which includes the Common Name (CN) (a web site address or e-mail address depending on the usage). It also names the issuer, the CA that certifies this information. It contains the owner's public key and, finally, the CA's digital signature: a hash of the certificate contents encrypted with the CA's private key, so that anyone holding the CA's public key can check that the certificate has not been tampered with. Modern browsers match the host name against the certificate's Subject Alternative Name (SAN) extension rather than the CN.
A certificate authority is an entity that issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they follow their defined procedures. Every certification authority publishes a Certification Practice Statement (CPS) that defines the procedures used to verify applications. There are many commercial CAs that charge for their services; institutions and governments may run their own CAs, and there are also free certificate authorities.
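The handshake steps, the key pair, the certificate fields and the CA's signature described above, put together as one added worked example (this is new code written for this page, not code from the original post). It uses textbook RSA over two small fixed primes, a JSON dictionary in place of an X.509 certificate, and an HMAC-SHA256 counter-mode keystream as the symmetric cipher; these are toy choices made here for readability, and the CA name, host names and request/response bytes are constructed. Real TLS uses 2048-bit keys with padding, an authenticated cipher such as AES-GCM, a chain of certificates and the SAN extension rather than a single CN, and since TLS 1.3 the session key comes from ephemeral Diffie-Hellman rather than RSA encryption.

```python
import hashlib
import hmac
import json
import os
import time

# Primes for the toy key pairs (constructed for this example; real RSA keys use
# primes of 1024+ bits each and proper padding, so this is for illustration only).
CA_PRIMES = (1000000007, 1000000009)
SERVER_PRIMES = (998244353, 469762049)


def rsa_keygen(p, q, e=65537):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_apply(x, key):
    """x^exp mod n: with the public key this encrypts or verifies, with the private key it decrypts or signs."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("block too large for this modulus")
    return pow(x, exp, n)


def digest_int(data):
    """SHA-256 of the data, truncated to 7 bytes so the integer stays below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")


def issue_cert(ca_name, ca_priv, cn, subject_pub, not_before, not_after):
    """The CA signs the certificate body: sig = H(body)^d mod n_CA."""
    body = {"cn": cn, "issuer": ca_name, "not_before": not_before,
            "not_after": not_after, "pub": subject_pub}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": rsa_apply(digest_int(encoded), ca_priv)}


def check_cert(cert, trust_store, hostname, now):
    """Step 3: trusted issuer with a valid signature, still within its validity period, issued for this site."""
    body = cert["body"]
    problems = []
    ca_pub = trust_store.get(body["issuer"])
    if ca_pub is None:
        problems.append("issuer not in trust store")
    elif rsa_apply(cert["sig"], ca_pub) != digest_int(json.dumps(body, sort_keys=True).encode()):
        problems.append("bad signature")
    if not body["not_before"] <= now <= body["not_after"]:
        problems.append("certificate expired or not yet valid")
    if body["cn"] != hostname:
        problems.append("certificate is for %s, not %s" % (body["cn"], hostname))
    return problems


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode (same call encrypts and decrypts; no integrity)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def client_hello(server_cert, request):
    """Step 4: choose a random symmetric key, wrap it with the server's public key, encrypt the request with it."""
    sym_key = os.urandom(7)  # 7 bytes keeps the integer below the toy modulus
    wrapped = rsa_apply(int.from_bytes(sym_key, "big"), server_cert["body"]["pub"])
    return sym_key, wrapped, stream_xor(sym_key, request)


def server_respond(server_priv, wrapped, enc_request, handler):
    """Steps 5 and 6: unwrap the symmetric key with the private key, decrypt the request, encrypt the reply."""
    sym_key = rsa_apply(wrapped, server_priv).to_bytes(7, "big")
    return stream_xor(sym_key, handler(stream_xor(sym_key, enc_request)))


def run_exchange(hostname="www.example.com", now=None):
    """Whole flow: CA issues the cert, browser checks it, then the hybrid-encrypted request and response."""
    now = time.time() if now is None else now
    ca_pub, ca_priv = rsa_keygen(*CA_PRIMES)
    srv_pub, srv_priv = rsa_keygen(*SERVER_PRIMES)
    trust_store = {"Toy Root CA": ca_pub}  # the browser's list of trusted root CAs
    cert = issue_cert("Toy Root CA", ca_priv, "www.example.com", srv_pub, now - 86400, now + 86400)
    problems = check_cert(cert, trust_store, hostname, now)
    if problems:
        return None, problems  # step 3 failed: the browser must not send any key
    request = b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed request
    sym_key, wrapped, enc_request = client_hello(cert, request)
    enc_reply = server_respond(srv_priv, wrapped, enc_request,
                               lambda req: b"HTTP/1.1 200 OK\r\n\r\n<html>balance: 42</html>")
    return stream_xor(sym_key, enc_reply), problems  # step 7: browser decrypts the reply


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(hostname="evil.example.com"))
```

With the matching host name run_exchange returns the decrypted reply and an empty problem list; with a different host name, or a certificate outside its validity period, an unknown issuer or a tampered body, check_cert reports the problem and the browser side stops before any symmetric key is sent.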