The SSL protocol operates between the application layer
and the TCP/IP layer. This allows it to encrypt the data stream itself,
which can then be transmitted securely, using any of the application
layer protocols.
SSL uses two encryption techniques:
- Public key cryptography standard (PKCS), which encrypts and decrypts
certificates during the SSL handshake. Encryption keys are created
in pairs, a public key and its associated private key. Data encrypted
with a given public key can be decrypted only with the associated
private key; this means that data is readable by only the intended
recipient. Data encrypted with a given private key can be decrypted
only with the associated public key; this means that authentication
data is assured to originate from the owner of the private key.
- A
mutually agreed symmetric encryption technique, such as DES (data
encryption standard), or triple DES, is used in the data transfer
following the handshake.
PKCS, as used by SSL, works briefly as follows:
- When a certificate is created, an algorithm based on two random
numbers is used to create a private key and public key for the certificate
owner. The private and public keys which result are related to each
other such that:
- It is not feasible to deduce the value of the private key from
the public key, nor the public key from the private key
The
private key is stored securely, and is not made known to anyone but
its owner. The public key can be made freely available to any user,
with no risk of compromising the security of the private key.
- Information encrypted using the public key can be decrypted
only with the private key
Information can be encrypted by any
user, and sent securely to the holder of the private key. A third
party cannot use the public key to read the information.
- Information encrypted using the private key can be decrypted
only with the public key
Only the holder of the private key
can encrypt information that can be decrypted with the public key.
A third party cannot pose as the sender of the information.