Traditional data transmission protocol on the Internet such as HTTP (Hypertext Transfer Protocol), does not provide adequate protection of the information on its way from the server to the user and vice versa. When the connection is unprotected attackers can easily intercept data packets, change their content, or redirect to a fake server. This is the risk that the fraudsters will be able to get your personal information such as credit card data, and transactions made on behalf of its owner may be the subject of legal proceedings. To avoid special problems special protocols for securing transmitted data and digital certificates have been developed.
SSL certificate — is a special digital certificate on your website, using an SSL certificate ensures that communication between you and your client is carried out through a secure channel using encrypted HTTPS protocol (letter “s” means Secure).
If you are engaged in e-commerce, own an online store, or receive confidential information from your clients, SSL certificate will help to ensure the highest protection of data transmission using a strong encryption algorithm. The presence of a digital certificate guarantees that the data will not be available to third parties for unauthorized viewing and editing.
SSL certificate will ensure three necessary conditions for the safe data transfer:
- Genuine transmitted data. Your client can always be sure that the information he receives is sent from the specified address and the address belongs to the organization to which the certificate was issued.
- Confidentiality. With reliable data encryption interception of information transmitted from the client to the server and back is impossible.
- Data integrity. Information secured with SSL certificate can not be changed during a session of data transmission via the Internet.
How does SSL work?
The principle of SSL protocol operation is based on the algorithm of encryption with asymmetric keys when you create a public key that is available to any user, and a private key known only to the owner of the certificate. One key performs transformation inverse to transformation made with the second key. That is, if the message is encoded with public key then only the owner of the private key will able to read it, and vice versa, if the message is encoded with the private key, only the owner of the public key will able to read it.
Imagine that a person carries out a bank transaction over the Internet, and he is required to provide his credit card information. The client must be sure that his data will be received by the appropriate bank and no one else. In this case, the exchange of messages may look like this.
The client sends a random message to the bank. This message is encrypted with the private key of the bank and sent back to the client. The client decrypts the message with public key. And comparing the decrypted message with the previously sent he can make sure that it is an appropriate bank.
But in fact, for the bank is not a good idea to encrypt the client’s message with its private key. This is similar to signing the document the bank knows very little about. From this position, the bank itself should come up with a message and send it to the client in duplicate. In the clear and encrypted with its private key. The encrypted message is called a message digest. A method to encrypt a message using your private key is called a digital signature.
Of course, now the question is how to distribute public keys. For this (and other purposes) was created a special form – a digital certificate (certificate).
The certificate contains the following information:
- name of the Certification Center (the company that issues certificates);
- certificate subject (to whom the certificate was issued);
- public key of the subject;
- issue date and expiration date of the certificate.
The certificate is “signed” with the private key of the certification center (Certificate authority). If you go to the Security section of a standard browser you can see a list of well-known organizations that sign the certificates.
Now let’s look at how the data will be shared on the Internet.
Customer: Good afternoon.
Bank: Good afternoon. You’ve come to the bank.
Client: Are you really the bank?
Bank: Yes. This is the bank. (The message is sent twice, once in the open, the second time encrypted with the private key of the bank).
Customer: All right, you’re really the bank. (And the sends the bank a secret message encrypted with the public key of the bank).
Bank: How can I help you? ( Sends a message that was encrypted using client secret message).
As the bank knows the client’s message (it is decoded it with the private key), and the client knows the content of his messages, they can now use an asymmetric encryption algorithm where the secret key is the client’s message. In order to protect messages against accidental or intentional changes special MAC (Message Authentication Code) algorithm is also used thereby increasing the accuracy of the messages to be transmitted several times, and making changes in the exchange process almost impossible.