SSL (Secure Socket Layer) is a protocol for secure transactions over the internet. Together with HTTP, it forms HTTPS.
This is the handshake:
1) The client sends a request
2) The server sends back its public key inside a certificate that carries a digital signature produced with the certification authority's private key. This guarantees integrity, authenticity and non-repudiation.
3) The client verifies the authenticity of the certificate using the certification authority's public key.
4) Client and server agree on a symmetric key using a key exchange method; the most common is the Diffie-Hellman key exchange. There are also simpler methods, such as the client generating a random number and sending it to the server encrypted with the server's public key.
Client and server can now exchange information using the shared secret. The client trusts the server because of the certificate, and the server knows the session can't be hijacked because the shared secret is not known by anyone else.
The asymmetric exchange usually uses an algorithm called RSA.
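The handshake in steps 2 to 4, written out as an added example in Go; this is not code from the original page. It uses only the standard library: the certification authority signs the server's public key with RSA, the client verifies the certificate with the CA's public key (and rejects one signed by a CA it does not trust, or one issued for a different host name), and both sides run Diffie-Hellman (here over X25519) to arrive at the same symmetric key. The host name `www.example.com` and the CA names are constructed for the demo, and hashing the shared secret with SHA-256 stands in for the key derivation a real TLS stack performs.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on errors that cannot happen with valid inputs
// (key generation, certificate encoding); real code would return them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert signs pub into a certificate with signerKey under parent; with
// parent == nil the certificate is self-signed, i.e. a root CA.
func newCert(serial int64, name string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA { // server certificate: bound to a host name, valid for TLS server authentication
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// verify is step 3: the client checks the signature with the public key of the
// CA it trusts and checks that the certificate covers the host it dialled.
func verify(serverCert, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// agreeKey is step 4: Diffie-Hellman over X25519. Each side combines its own
// private key with the peer's public key and obtains the same shared secret,
// hashed here into a 256-bit symmetric key (TLS derives keys with a proper KDF).
func agreeKey() (clientKey, serverKey [32]byte) {
	curve := ecdh.X25519()
	clientPriv := must(curve.GenerateKey(rand.Reader))
	serverPriv := must(curve.GenerateKey(rand.Reader))
	clientSecret := must(clientPriv.ECDH(serverPriv.PublicKey())) // computed by the client
	serverSecret := must(serverPriv.ECDH(clientPriv.PublicKey())) // computed by the server
	return sha256.Sum256(clientSecret), sha256.Sum256(serverSecret)
}

// HandshakeResult records what the client learned from the handshake.
type HandshakeResult struct {
	CertAccepted      bool // signature by the trusted CA and host name checked out
	RogueRejected     bool // certificate for the same host from an unknown CA was refused
	WrongHostRejected bool // the server's certificate is refused for a host it does not cover
	KeysMatch         bool // client and server derived the same symmetric key
}

// RunHandshake plays steps 2-4 for host with freshly generated CA and server keys.
func RunHandshake(host string) HandshakeResult {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	serverKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := newCert(1, "Example Root CA", true, &caKey.PublicKey, nil, caKey)
	// Step 2: the CA signs the server's public key into a certificate.
	serverCert := newCert(2, host, false, &serverKey.PublicKey, caCert, caKey)
	// Anyone can run a CA and sign a certificate for the same host name, but the
	// client only holds the public key of the CA it trusts, so this one fails step 3.
	rogueKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rogueCA := newCert(3, "Untrusted CA", true, &rogueKey.PublicKey, nil, rogueKey)
	rogueCert := newCert(4, host, false, &serverKey.PublicKey, rogueCA, rogueKey)
	ck, sk := agreeKey()
	return HandshakeResult{
		CertAccepted:      verify(serverCert, caCert, host) == nil,
		RogueRejected:     verify(rogueCert, caCert, host) != nil,
		WrongHostRejected: verify(serverCert, caCert, "other."+host) != nil,
		KeysMatch:         ck == sk,
	}
}

func main() {
	fmt.Printf("%+v\n", RunHandshake("www.example.com")) // constructed host name
}
```

Running it prints a result in which the trusted certificate is accepted, the other two are refused and the two Diffie-Hellman sides agree; the point of the two negative checks is that a client which skips name or chain verification gets none of the guarantees the handshake is supposed to give.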
The symmetric exchange uses DES or AES. These algorithms are technically known as block ciphers. There are block cipher modes (e.g. ECB and CBC) that add padding and chain the blocks together to make the message harder to decipher. There is also an IV (initialization vector), a value that changes for every message and is combined with the key so that two identical plaintext blocks produce different ciphertext.
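An added example (not from the original page) of the block cipher behaviour described above, in Go using the standard library's AES: PKCS#7 padding, ECB written out by hand (Go deliberately ships no ECB mode), CBC with an IV, and a comparison showing that ECB turns two identical plaintext blocks into identical ciphertext blocks while CBC does not, and that a fresh IV changes the ciphertext even when key and message stay the same. The message text and the random key and IVs are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pad appends PKCS#7 padding so the message becomes a whole number of 16-byte blocks.
func pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding, rejecting anything that is not well formed.
func unpad(msg []byte) ([]byte, error) {
	if len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data is not block aligned")
	}
	n := int(msg[len(msg)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(msg[len(msg)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return msg[:len(msg)-n], nil
}

// encryptECB encrypts every block independently. It is written out by hand to
// show why the library omits it: equal plaintext blocks give equal ciphertext blocks.
func encryptECB(block cipher.Block, msg []byte) []byte {
	p := pad(msg)
	out := make([]byte, len(p))
	for i := 0; i < len(p); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], p[i:i+aes.BlockSize])
	}
	return out
}

// encryptCBC chains the blocks: each plaintext block is XORed with the previous
// ciphertext block (the IV for the first one) before encryption. The IV is sent
// with the ciphertext; it need not be secret but must be fresh for every message.
func encryptCBC(block cipher.Block, iv, msg []byte) []byte {
	p := pad(msg)
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, p)
	return out
}

// decryptCBC reverses encryptCBC and strips the padding.
func decryptCBC(block cipher.Block, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not block aligned")
	}
	p := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(p, ct)
	return unpad(p)
}

// ModeComparison records how the two modes treat a message whose first two
// 16-byte blocks are identical.
type ModeComparison struct {
	ECBRepeats      bool // ECB: ciphertext block 1 == ciphertext block 2
	CBCRepeats      bool // CBC: ciphertext block 1 == ciphertext block 2
	IVChangesOutput bool // CBC: same key and message but a new IV gives a new ciphertext
	RoundTrip       bool // CBC decryption returns the original message
}

// CompareModes encrypts a constructed message under a random AES-256 key with
// ECB and with CBC using two random IVs, and checks the properties above.
func CompareModes() (ModeComparison, error) {
	// Constructed sample: two identical 16-byte records followed by a tail.
	msg := []byte("TRANSFER 100 EURTRANSFER 100 EUR to account 42")
	key, iv1, iv2 := make([]byte, 32), make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	for _, b := range [][]byte{key, iv1, iv2} {
		if _, err := rand.Read(b); err != nil {
			return ModeComparison{}, err
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return ModeComparison{}, err
	}
	ecb := encryptECB(block, msg)
	cbc1, cbc2 := encryptCBC(block, iv1, msg), encryptCBC(block, iv2, msg)
	plain, err := decryptCBC(block, iv1, cbc1)
	if err != nil {
		return ModeComparison{}, err
	}
	return ModeComparison{
		ECBRepeats:      bytes.Equal(ecb[:16], ecb[16:32]),
		CBCRepeats:      bytes.Equal(cbc1[:16], cbc1[16:32]),
		IVChangesOutput: !bytes.Equal(cbc1, cbc2),
		RoundTrip:       bytes.Equal(plain, msg),
	}, nil
}

func main() {
	fmt.Println(CompareModes())
}
```

The repeated record in the sample message shows up as a repeated ciphertext block under ECB, which is exactly the structure leak CBC and its IV are there to prevent; note that neither mode authenticates the ciphertext, so a real protocol adds a MAC or uses an authenticated mode on top.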
Copyright © 2013 Welcome to the website of Davis Fiore. All Rights Reserved.