Invented by Netscape in the mid 1990’s, SSL, or the Secure Sockets Layer has become the de-facto standard for secure transactions on the Internet. SSL uses a combination of symmetric and asymmetric cryptography to provide end to end security. The process is as follows.
The client initiates an SSL session by connecting to a URL using the prefix HTTPS://.
The HTTP server replies to the request by sending it’s public key to the client stored on a digital certificate. (See my Windows 2003 article series on PKI for more information)
The client validates the certificate and then generates a session (secret) key.
The client encrypts the secret key using the public key of the server and attaches a hash to the message.
The encrypted message and has are received and processed by the HTTP server. The server uses the hash to validate the message has not changed and it’s private key to decrypt the session key.
The server sends a challenge to the client encrypted using the session key.
The client uses the session key to decrypt the challenge and if successful beings to request data.
The major venerability that exists in SSL is that an attacker may attempt to capture the message generated in step 4, alter it, and rehash the message. This risk is mitigated by the challenge in step 7. If the session key is altered in any way, the challenge will fail and the process will reset itself. The secret key is protected from being discovered by the strength of the public key encryption algorithm.