The SSL protocol operates between the application layer and the TCP/IP layer. This allows it to encrypt the data stream itself, which can then be transmitted securely, using any of the application layer protocols.
Many different algorithms can be used for encrypting data, and for computing the message authentication code. Some algorithms provide high levels of security but require a large amount of computation for encryption and decryption. Other algorithms are less secure but provide rapid encryption and decryption. The length of the key that is used for encryption affects the level of security; the longer the key, the more secure the data. SSL defines cipher suites to specify cryptographic algorithms that are used during an SSL connection.
SSL Encryption techniques
- Public key cryptography standard (PKCS), which encrypts and decrypts certificates during the SSL handshake. Encryption keys are created in pairs, a public key and its associated private key. Data encrypted with a given public key can be decrypted only with the associated private key; this means that data is readable by only the intended recipient. Data encrypted with a given private key can be decrypted only with the associated public key; this means that authentication data is assured to originate from the owner of the private key.
- A mutually agreed symmetric encryption technique, such as DES (data encryption standard), or triple DES, is used in the data transfer following the handshake.
- When a certificate is created, an algorithm based on two random numbers is used to create a
private key and public key for the certificate owner. The private and public keys which result are
related to each other such that:
- It is not feasible to deduce the value of the private key from the public key, nor the public
key from the private key
The private key is stored securely, and is not made known to anyone but its owner. The public key can be made freely available to any user, with no risk of compromising the security of the private key.
- Information encrypted using the public key can be decrypted only with the private key
Information can be encrypted by any user, and sent securely to the holder of the private key. A third party cannot use the public key to read the information.
- Information encrypted using the private key can be decrypted only with the public key
Only the holder of the private key can encrypt information that can be decrypted with the public key. A third party cannot pose as the sender of the information.
- It is not feasible to deduce the value of the private key from the public key, nor the public key from the private key