2. What is SSL?
• SSL, or Secure Sockets Layer, is a means of securing communications over a
network so that only the sender and receiver can read the sensitive data
being exchanged, and so that neither side can be impersonated or have its
messages altered in transit. (SSL has been superseded by TLS, Transport Layer
Security; the name "SSL" is still used informally for both.)
• This is done with the use of Certificates and Keys.
3. Certificates and Keys
• A Certificate contains basic information about its owner (such as a server's
hostname) together with that owner's public key, and a digital signature from a
Certificate Authority (CA) that vouches for the binding between the two. It is
this signature that lets a peer properly identify the client or server the
certificate is associated with.
• Keys - public, private, and session - work together to establish an encrypted
connection. The public and private key are the long-lived pair bound to a
certificate: the public key is published in the certificate, the private key
never leaves its owner. The session key is a short-lived symmetric key, agreed
during the handshake, that actually encrypts the data.
4. Example of SSL with Server Authentication
If you've ever bought something from Amazon, you've used SSL. During checkout
you may have noticed the little padlock icon in the address bar (or, in older
browsers, the status bar), or that the URL field of your browser begins with
"https." This indicates that you're communicating with the website's server
via SSL to secure your personal information, your credit card number, etc. The
padlock means the browser verified the server's certificate and the connection
is encrypted; it says nothing about whether the site itself is honest.
This type of SSL between a web browser and a website server includes what is
commonly referred to as Server Authentication.
5. Server Authentication
• Server Authentication is a means of authenticating and identifying the
server to the client using a Server Certificate.
• A Server Certificate is part of practically every SSL connection. The server
certificate contains basic information (the server's name and public key) and a
digital signature from a Certificate Authority the client trusts, which is what
properly identifies the server it is associated with.
6. Steps for SSL Communication
1) Client connects to a web server (website) secured with SSL (https). Client requests
that the server identify itself.
2) Server sends a copy of its SSL Certificate, including the server's public key.
3) Client checks that the certificate is trusted: signed by a Certificate Authority the
client trusts, unexpired, unrevoked, and valid for the hostname of the website that it is
connecting to. If any of these checks fails, the client aborts the handshake. If the
client trusts the certificate, it creates, encrypts, and sends back a session key using
the server's public key.
4) Server decrypts the symmetric session key using its private key and begins an
encrypted session with the client. The server and client now encrypt all
transmitted data with the session key.
Note: steps 3 and 4 describe RSA key transport, the session-key setup used by SSL and
by TLS up to version 1.2. In TLS 1.3 both sides instead derive the session key from an
ephemeral Diffie-Hellman exchange, and the server proves that it holds the private key
for its certificate by signing the handshake. The certificate checks in step 3 are the
same either way.
8. Mutual or “Two-Way” Authentication
• Mutual Authentication, also commonly referred to as
Two-Way Authentication, refers to the combination
of both Server and Client Authentication.
• The authentication is mutual, or two-way, because
the server is authenticating itself to the client, and
the client is authenticating itself to the server.
9. Client Authentication
• Client Authentication, similar to server authentication, is a
means of authenticating and identifying the client to the
server using a Client Certificate.
• A Client Certificate contains basic information about the
client's identity and the client's public key; the digital signature on
this certificate, made by a Certificate Authority the server trusts,
verifies that this information is authentic. During the handshake the
client must also prove that it holds the matching private key, since the
certificate itself is public.
10. Client Authentication (Continued)
• One thing to note is that whether client authentication is
required or not is something that is specified by the server. A
server can be configured to allow connections from any client, or
it can be configured to require any clients that attempt to
connect to it to be authenticated.
• The use of client authentication is appropriate for a scenario
where the server should only accept connections from a specific
group of authorized clients. An example of such a scenario would
be where a company wants to limit connections to its server to
only be coming from the company’s legitimate business partners.
11. Steps for Mutual Authentication SSL
1) Client connects to a web server (website) secured with SSL (https). Client requests that the
server identify itself.
2) Server sends a copy of its SSL Certificate, including the server's public key, and, because it is
configured to require client authentication, asks the client for a certificate. Client responds by
sending a copy of its own SSL Certificate for the server to verify, together with a signature over
the handshake made with its private key, which proves it actually holds the key matching that
certificate (This is the Mutual or Two-Way Authentication; a certificate alone proves nothing,
since certificates are public).
3) Client checks that the server certificate it received is trusted: signed by a Certificate
Authority the client trusts, unexpired, unrevoked, and valid for the website that it is connecting
to. Server likewise checks that the client certificate is signed by a CA it trusts, unexpired and
unrevoked, and that the client's signature verifies with the certificate's public key. If either
check fails, that side aborts the handshake with an alert and no session is established. If the
client trusts the certificate, it creates, encrypts, and sends back a session key using the
server's public key.
4) Server decrypts the symmetric session key using its private key and begins an encrypted
session with the client. The server and client now encrypt all transmitted data with the
session key. (As with one-way SSL, TLS 1.3 derives this key from an ephemeral Diffie-Hellman
exchange instead; the certificate checks in steps 2 and 3 are unchanged.)
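The two handshakes described above (slides 6 and 11), and the server-side choice from slide 10 of whether client authentication is required, as an added example that is not part of the original slides. It uses Python's standard ssl module and assumes the openssl command-line tool is on PATH, which it uses to build a throwaway PKI: a CA ("Test-CA"), a server certificate for localhost, an authorized client certificate ("partner-client"), and a certificate from an unrelated CA ("Rogue-CA"). All of those names, the "hello" payload and the outcome strings are made up for this example. It runs the normal server-authenticated handshake, a successful mutual handshake, and three rejections: a client with no certificate, a client with a certificate from the untrusted CA, and a client connecting under the wrong hostname.

```python
"""Server-only vs. mutual TLS authentication on localhost with a throwaway PKI.
Added example, not code from the original slides. Assumes the `openssl` CLI is on
PATH; every name here (Test-CA, partner-client, impostor, ...) is made up."""
import socket, ssl, subprocess, tempfile, threading

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(d):
    """CA, server cert for 'localhost', an authorized client cert, and a cert from
    an unrelated CA that the server must not accept; all written under d."""
    def ca(name):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj",
                 f"/CN={name}", "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.crt")

    def leaf(name, cn, issuer, san=None):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                 "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        cmd = ["x509", "-req", "-days", "1", "-in", f"{d}/{name}.csr", "-CA", f"{d}/{issuer}.crt",
               "-CAkey", f"{d}/{issuer}.key", "-CAcreateserial", "-out", f"{d}/{name}.crt"]
        if san:  # the hostname check in step 3 matches subjectAltName, not the CN
            with open(f"{d}/{name}.ext", "w") as f:
                f.write(f"subjectAltName=DNS:{san}\n")
            cmd += ["-extfile", f"{d}/{name}.ext"]
        _openssl(*cmd)

    ca("Test-CA")
    ca("Rogue-CA")
    leaf("server", "localhost", "Test-CA", san="localhost")
    leaf("client", "partner-client", "Test-CA")
    leaf("rogue", "impostor", "Rogue-CA")

def serve_one(d, mutual):
    """Server side: presents server.crt (step 2); with mutual=True it also demands a
    client cert signed by Test-CA. Serves one connection in a thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")
    if mutual:  # the server, not the client, decides whether client auth is required
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(f"{d}/Test-CA.crt")
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port, result = lsock.getsockname()[1], {}

    def run():
        conn, _ = lsock.accept()
        lsock.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:  # the handshake runs here
                peer = tls.getpeercert()  # None or {} unless a client cert was verified
                result["client_cn"] = dict(rdn[0] for rdn in peer["subject"])["commonName"] if peer else None
                tls.sendall(b"hello")
        except OSError as e:  # ssl.SSLError is an OSError: TLS alerts and abrupt closes land here
            result["error"] = getattr(e, "reason", None) or type(e).__name__

    thread = threading.Thread(target=run)
    thread.start()
    return port, thread, result

def connect(d, port, hostname="localhost", client_cert=None):
    """Client side: trusts only Test-CA and checks the server's name (step 3);
    optionally presents a client cert. Returns a short outcome string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname by default
    ctx.load_verify_locations(f"{d}/Test-CA.crt")
    if client_cert:
        ctx.load_cert_chain(f"{d}/{client_cert}.crt", f"{d}/{client_cert}.key")
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            data = tls.recv(16)  # under TLS 1.3 a server-side rejection surfaces on this first read
            return ("ok:" + data.decode()) if data else "rejected-by-server:eof"
    except ssl.SSLCertVerificationError as e:  # we refused the server's certificate
        return "rejected-by-client:" + str(e)
    except OSError as e:  # the server refused us (alert, reset or EOF)
        return "rejected-by-server:" + (getattr(e, "reason", None) or type(e).__name__)

def demo():
    """Build the PKI once, then run the handshakes the slides describe plus the
    failure cases. Returns {scenario: (client outcome, server result)}."""
    d = tempfile.mkdtemp()
    make_pki(d)

    def scenario(mutual, **client_kwargs):
        port, thread, server = serve_one(d, mutual)
        outcome = connect(d, port, **client_kwargs)
        thread.join(5)
        return outcome, server

    return {
        "server_auth_only": scenario(mutual=False),
        "mutual_ok": scenario(mutual=True, client_cert="client"),
        "mutual_no_client_cert": scenario(mutual=True),
        "mutual_untrusted_client_cert": scenario(mutual=True, client_cert="rogue"),
        "wrong_hostname": scenario(mutual=False, hostname="example.test"),
    }

if __name__ == "__main__":
    for name, (client, server) in demo().items():
        print(f"{name:29} client={client!r:48} server={server}")
```

Run it directly to get one line per scenario. Note which side detects each failure: the hostname mismatch is caught by the client in step 3 before any data flows, while a missing or untrusted client certificate is caught by the server, and under TLS 1.3 the client only learns of that rejection on its first read after its side of the handshake has finished. Switching `mutual` is the whole difference between the slide 6 and slide 11 handshakes: the certificates, keys and client code are the same, only the server's `verify_mode` changes.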