Secure Websites

How a Secure Sockets Layer (SSL) session is established

When you exchange data over a secure connection with a website (e.g. an online bank account or an online shop), data transferred in both directions is encrypted. This process must not only be secure, but also quick and transparent. When the connection is first established, an ‘SSL handshake’ takes place: asymmetric key cryptography is used to exchange a symmetric key, which is then used for all further communication during the session.

The steps are as follows:

  1. User’s browser requests a connection to the website’s server using SSL (https://).
  2. Browser asks the website’s server to identify itself.
  3. Server sends the browser a copy of its digital certificate, which includes its public key.
  4. Browser checks that the website’s digital certificate is valid against its own list of trusted certification authorities.
  5. Browser generates a ‘unique’ symmetric key for this session only.
  6. Browser uses the website’s public key (from the digital certificate) to encrypt the symmetric key.
  7. The encrypted symmetric key is sent to the website.
  8. Website decrypts the encrypted symmetric key using its private key. Asymmetric key encryption has now been used to exchange the symmetric key.
  9. Symmetric key encryption is used for all further communication between the browser and the website. This is much faster than asymmetric encryption.
  10. The symmetric key is discarded when the session is terminated.
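
Steps 5 to 9 can be followed in code. The block below is an added example, not part of the original page; it uses Node's built-in crypto module, a key pair constructed on the spot in place of the one in a real certificate, and RSA-OAEP and AES-128-GCM as this example's choice of algorithms. The certificate check in step 4 is not shown.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the website's key pair; in a real session the
// public half arrives inside the server's digital certificate (step 3).
const server = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Steps 5-7 (browser): make a fresh session key and encrypt it with the public key.
function browserWrapSessionKey(serverPublicKey) {
  const sessionKey = crypto.randomBytes(16); // 128-bit symmetric key
  const wrapped = crypto.publicEncrypt({ key: serverPublicKey, ...oaep }, sessionKey);
  return { sessionKey, wrapped };
}

// Step 8 (website): only the matching private key recovers the session key.
function serverUnwrapSessionKey(serverPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: serverPrivateKey, ...oaep }, wrapped);
}

// Step 9: symmetric encryption carries the rest of the session.
function seal(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12); // must be fresh for every message
  const cipher = crypto.createCipheriv('aes-128-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

function unseal(sessionKey, { iv, body, tag }) {
  const decipher = crypto.createDecipheriv('aes-128-gcm', sessionKey, iv);
  decipher.setAuthTag(tag); // final() throws if the message was altered
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Browser encrypts with its copy of the key, website decrypts with the unwrapped copy.
function runSession(message) {
  const { sessionKey, wrapped } = browserWrapSessionKey(server.publicKey);
  const serverKey = serverUnwrapSessionKey(server.privateKey, wrapped);
  return unseal(serverKey, seal(sessionKey, message));
}

// An observer who captured the wrapped key but holds a different private key.
function eavesdropperRecoversKey() {
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const { wrapped } = browserWrapSessionKey(server.publicKey);
  try { serverUnwrapSessionKey(other.privateKey, wrapped); return true; }
  catch { return false; }
}
```

The wrapped session key is 256 bytes, the size of the 2048-bit RSA modulus, however short the symmetric key inside it is.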

Transport Layer Security

Transport Layer Security (TLS), sometimes referred to as SSL 3.1, works in much the same way as SSL. The differences between the two protocols are minor. TLS uses stronger encryption algorithms and can work on different ports. SSL and TLS are not interoperable.

Hacking the connection

Only someone with the private key can decrypt something encrypted with the public key. To crack an asymmetric key, a hacker may try to guess all possible private key combinations. Older, short keys can be broken by trial and error if a hacker has access to significant computer resources and plenty of time. Newer asymmetric encryption keys, as used by SSL, are generally 2048 bit (3 x 10^612 combinations), making them much safer from attack (for a while at least). Similarly, symmetric encryption keys, as used by SSL, are 128 bit or greater (3 x 10^38 combinations). There are so many possible combinations with 128 bits that it would take significantly longer than the age of the universe to ‘guess’ one.