
Transmission Via SSL Protocol

Firstly, understanding asymmetric vs. symmetric encryption (of which SSL uses both)

Encryption & Asymmetric vs. Symmetric Encryption over the Internet

 

Definition of encryption - the process of encoding/scrambling messages so that they cannot be properly read. Encryption does not of itself prevent interception, but since the message is scrambled in some way the interceptor cannot properly interpret what is being communicated. In internet banking, all of the transactions need to be encrypted so that sensitive financial data cannot be read; this includes information that could be used for fraud attempts, such as user name and password.

[Diagram: symmetric encryption]

(This example happens to be symmetrical encryption.)
From: http://www.howtogeek.com/howto/33949/htg-explains-what-is-encryption-and-how-does-it-work/

 

Definition of an encryption key - An encryption key is a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text. The length of the key is a factor in considering how difficult it will be to decrypt the text in a given message.

To understand what encryption keys are, here are two simple examples of encryption:

Example 1 - Caesar cipher, in which each letter is shifted by a certain number of places, 3 for example:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

is shifted 3 places to

DEFGHIJKLMNOPQRSTUVWXYZABC

With this shift, JOHN is encrypted to MRKQ, and MRKQ is decrypted back to JOHN.

In this case, the encryption key is: 3

 

Example 2 - Substitution cipher:

plain alphabet : abcdefghijklmnopqrstuvwxyz  
cipher alphabet: phqgiumeaylnofdxjkrcvstzwb  

An example encryption using the above key:

plaintext : defend the east wall of the castle  
ciphertext: giuifg cei iprc tpnn du cei qprcni  

So in this case the key is: phqgiumeaylnofdxjkrcvstzwb

(This key would be harder to crack by brute force, since there are 26^26 different combinations of letters which would have to be tried; whereas if you knew the key above was a one-digit number, then just 26 tries, worst case, would be needed to crack it.)
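The two ciphers above in working form, as an added example that is not part of the original page: the key is an explicit value (a shift number, or the whole cipher alphabet) that drives both encryption and decryption, and the "26 tries worst case" point is shown by trying every Caesar key until a known word appears.

```python
# Added example (not from the original page): Caesar and substitution ciphers
# with the key as an explicit value, plus the 26-try brute force from the text.
import string

ALPHABET = string.ascii_lowercase
# The substitution key from the page: plain a..z maps onto these 26 letters.
SUBSTITUTION_KEY = "phqgiumeaylnofdxjkrcvstzwb"


def caesar(text, key, decrypt=False):
    """Shift each letter by `key` places (the key is just a number, e.g. 3)."""
    shift = -key if decrypt else key
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def substitution(text, cipher_alphabet, decrypt=False):
    """Map each letter through a 26-letter key (the key is the whole alphabet)."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    table = str.maketrans(src + src.upper(), dst + dst.upper())
    return text.translate(table)


def brute_force_caesar(ciphertext, known_word):
    """Try all 26 shifts; return (key, plaintext, tries) once the known word appears.
    This is the 'just 26 tries, worst case' from the text."""
    for key in range(26):
        candidate = caesar(ciphertext, key, decrypt=True)
        if known_word in candidate:
            return key, candidate, key + 1
    return None
```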


Basic definition of symmetrical/asymmetrical encryption: symmetrical encryption uses only one key, which the sender and receiver both use. It is not so secure, though, since if the key has to be sent in any given interaction, it can be intercepted in transit. Symmetrical encryption could be used safely in cases where, for example, in days of old, you just whispered the key to your intended recipient, and later on when you sent an encrypted message to his castle, he knew how to decrypt it.

 
                 Symmetric    Asymmetric
Number of keys   1            2 (public and private)
Speed            faster       slower
Security         weaker       stronger

 

Symmetric Encryption -

- Older encryption

- a single key is applied to the data. For example, the key is "add one ASCII value to each letter". The key is known by both sender and receiver.

JOHN becomes KPIM, and KPIM is sent. Upon receipt, since the receiver knows the key, they can decrypt it back to JOHN.

Faster than asymmetric encryption, but less secure since the key can be stolen in transit.

 

Asymmetric Encryption -

(Courtesy of Microsoft's explanation):

The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys--a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. 

Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. 

This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

(The Microsoft link.)

SSL Protocol

SSL and TLS are both protocols, or sets of rules, for encryption and security at the transport level of the OSI model. SSL was the predecessor to TLS (i.e. SSL came first).

SSL stands for Secure Sockets Layer, and TLS stands for Transport Layer Security; both offer a standard way to encrypt, and so assure a certain level of security.

 

https://www.digicert.com/ssl.htm

SSL uses both symmetric and asymmetric encryption.

 

The following is, I think, the best part of that page for explaining SSL's use of both asymmetric and symmetric encryption:

How SSL uses both symmetric and asymmetric encryption to provide security for an internet session. (Note that this is likely important to understand for a top grade in Challenge # 1.)

Keep in mind with the asymmetric part of this that:

The public key encrypts, but cannot decrypt. Everybody can see the key, for example "3" or "asdfasddsaffdfd", but they cannot use it to undo the encryption.

Only the private key of the pair can decrypt what the public key of the pair has encrypted.

1. The server's public key is shared to the browser.

2. The browser makes a session key, which is in turn itself encrypted with the server's public key.

(It can do that since it now has the server's public key.)

(And note that now, across the internet, only someone holding the private key paired with that public key can decrypt it, i.e. only the server.)

3. The server decrypts (using both its public key, but also its private key) the session key sent from the browser. And now it has been given, in a secure way - not by whispering in the ear, but by asymmetric encryption - the symmetric session key.

So this is the main point: the message being sent back, which at this point is itself the symmetric key from the browser, has been encrypted by something that only the server can decrypt.

4. Now they both have the same (i.e. a symmetric) session key, and so can communicate using it.
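The four steps above run end to end, as an added illustration that is not part of the original page or the DigiCert material: textbook RSA on two small hard-coded primes stands in for the server's key pair, and a SHA-256 keystream stands in for the session cipher. Both stand-ins are teaching toys chosen so the example needs only the Python standard library; real SSL/TLS uses padded RSA or Diffie-Hellman and a vetted cipher such as AES.

```python
# Added illustration (not from the original page): the SSL key exchange above
# with toy stand-ins. Primes are constructed for the demo; real RSA primes are
# about 1024 bits each. pow(e, -1, m) needs Python 3.8 or later.
import hashlib
import secrets

P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, derived from P and Q
SERVER_PUBLIC_KEY = (N, E)          # step 1: freely shared with the browser
SERVER_PRIVATE_KEY = (N, D)         # never leaves the server


def rsa_encrypt(public_key, data):
    """Textbook RSA (no padding): anyone holding the public key can run this."""
    n, e = public_key
    m = int.from_bytes(data, "big")
    assert m < n, "data must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext, length):
    """Reverses rsa_encrypt; only the holder of D can do this."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def symmetric_xor(session_key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream. The same call with
    the same key both encrypts and decrypts, which is what 'symmetric' means."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(session_key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def ssl_session(message):
    """Run steps 2-4; returns (keys match, traffic was scrambled, recovered message)."""
    # Step 2: the browser makes a session key and seals it with the server's public key.
    browser_key = secrets.token_bytes(4)   # 4 bytes keeps the value below the toy modulus
    sealed_key = rsa_encrypt(SERVER_PUBLIC_KEY, browser_key)
    # Step 3: the server opens it with its private key; nobody else on the wire can.
    server_key = rsa_decrypt(SERVER_PRIVATE_KEY, sealed_key, 4)
    # Step 4: both sides hold the same symmetric key and use it for the session traffic.
    ciphertext = symmetric_xor(browser_key, message)
    recovered = symmetric_xor(server_key, ciphertext)
    return server_key == browser_key, ciphertext != message, recovered
```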

 

This is the best short video to show the above, along with a bit on the SSL certificate itself:

https://www.youtube.com/watch?v=3p_e00tEZM8

(See also: https://www.digicert.com/ssl-cryptography.htm - the section called "How SSL Uses both Asymmetric and Symmetric Encryption")