What is ssl?
All of us have met SSL protected sites many times. For example green location control on PyPal site shows us that site is SSL protected.So, lets try to learn more about PayPal SSL certificate, double click green area and browser will show some info. We can see that this certificate was issues by VeriSign for PayPal, Inc, certificate has class 3 Extended Validation.
While it is clear what is the certificate issuer and holder, certificate validation class requires some explanation:
Domain Validation (DV) SSL Certificates (class 1): where the Certification Authority (CA) checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.
Organization Validation (OV) SSL Certificates (class 2): where the CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers when clicking on the Secure Site Seal, giving enhanced visibility in who is behind the site and associated enhanced trust.
Extended Validation (EV) SSL Certificates (class 3 that gives us green location bar): where the CA checks the right of the applicant to use a specific domain name PLUS it conducts a THOROUGH vetting of the organization. The issuance process of EV Certificates is strictly defined in the EV Guidelines, as formally ratified by the CA/Browser forum in 2007, that specify all the steps required for a CA before issuing a certificate, and includes:
- Verifying the legal, physical and operational existence of the entity
- Verifying that the identity of the entity matches official records
- Verifying that the entity has exclusive right to use the domain specified in the EV Certificate
- Verifying that the entity has properly authorized the issuance of the EV Certificate
Encryption algorithms
There are several encryption algorithms available, using symmetric or asymmetric methods, with keys of various lengths. Usually, algorithms cannot be patented, if Henri Poincare had patented his algorithms, then he would have been able to sue Albert Einstein... So algorithms cannot be patented except mainly in USA. OpenSSL is developed in a country where algorithms cannot be patented and where encryption technology is not reserved to state agencies like military and secret services. During the negotiation between browser and web server, the applications will indicate to each other a list of algorithms that can be understood ranked by order of preference. The common preferred algorithm is then chosen. OpenSSL can be compiled with or without certain algorithms, so that it can be used in many countries where restrictions apply.Private & public keys
The encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. This is sometime hard to understand, but believe me it works. The keys are similar in nature and can be used alternatively: what one key encrypts, the other key pair can decrypt. The key pair is based on prime numbers and their length in terms of bits ensures the difficulty of being able to decrypt the message without the key pairs. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can send you an encrypted message, that only you will be able to decrypt. You are the only one to have the other key pair, right? In the opposite , you can certify that a message is only coming from you, because you have encrypted it with you private key, and only the associated public key will decrypt it correctly. Beware, in this case the message is not secured you have only signed it. Everybody has the public key, remember!One of the problem left is to know the public key of your correspondent. Usually you will ask him to send you a non confidential signed message that will contains his public key as well as a certificate.
Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message
Signing certificate
This process is required to confirm the identity of the certificate owned. Certification Authorities like VeriSign, Comodo or StartSSL are doing this. Or you can create self signed ssl certificate. You can read how to get free SSL certifcate from StartSSL.In my later articles I will show how to install certificates on different server software.