Understanding SSL Handshake

SSL provides two main functions: encryption and certificate-based authentication. Encryption provides data confidentiality, and authentication identifies the source of the data.

SSL requires the use of a server certificate that is issued by a trusted CA.

Certificate Basics

A certificate is an important component of SSL communication. It is issued by the Certificate Authority (CA) once we submit a Certificate Signing Request (CSR) to the CA. A public-private key pair is generated on the device where we create the CSR. The CSR includes the organization name, locality, address and the entity name for which we need the certificate. Most importantly, the public key is sent to the CA along with the CSR.

As soon as the CA receives this request, it validates the company’s information and sends us the certificate, signed with the CA’s private key.

Important Certificate Attributes:

Version – Certificate version

Serial Number – Unique serial number issued by the CA for this specific certificate

Subject – Hostname of the website/machine to which the certificate is issued

Subject Alternative Name – Other host names for which this certificate can be used

EKU (Extended Key Usage) – Applications for which this certificate can be used

Public Key identifier

Signature – Identifies the signature algorithm used to sign the certificate

Validity – Duration in which the CA maintains the information of the certificate

Issuer – Public key information of the certificate issuing CA

Messages for SSL tunnel formation

Client Hello – It is always the client that initiates the SSL communication. The Client Hello carries a session ID, a random number (used in generating the master secret key) and the SSL version. The session ID is null if it is a new session. The message also includes the key exchange methods, encryption methods and hashing methods that the client would like to use for the SSL handshake.

Key Exchange Methods: Algorithms used to generate the shared secret key between two parties that require secure communication.

Diffie Hellman, RSA (up to 4096 bits of key size), DSA (up to 1024 bits of key size)

Cipher Suites: Encryption algorithms

RC4, 3DES, AES

Hashing Algorithms – The entire certificate content is condensed into a single number using a hashing algorithm to create a digital signature. This signature is encrypted with the private key of the sender and is decrypted at the receiver with the public key of the sender.

SHA, MD5
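
The Client Hello fields described above, as an added example that is not part of the original page: a Python parser that reads the version, random number, session ID and offered cipher suites from a single ClientHello record. The sample bytes are constructed, the SUITES table is only a small subset of the IANA registry, and the function names are this example's own.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {  # small subset of the IANA cipher suite registry, enough for the sample
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}

def parse_client_hello(record: bytes) -> dict:
    """Parse a single record holding a ClientHello; ValueError if malformed."""
    if len(record) < 9 or record[0] != 0x16:           # 0x16 = handshake record
        raise ValueError("not a handshake record")
    if struct.unpack("!H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length mismatch")
    body = record[9:]
    if record[5] != 0x01 or int.from_bytes(record[6:9], "big") != len(body):
        raise ValueError("not a complete ClientHello")
    if len(body) < 35 or len(body) < 37 + body[34]:
        raise ValueError("truncated ClientHello")
    version = int.from_bytes(body[0:2], "big")
    random = body[2:34]                                 # input to master secret generation
    sid_end = 35 + body[34]
    session_id = body[35:sid_end]                       # empty (null) for a new session
    cs_len = int.from_bytes(body[sid_end:sid_end + 2], "big")
    raw = body[sid_end + 2:sid_end + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher suite list")
    ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    names = [SUITES.get(s, f"0x{s:04x}") for s in ids]
    return {
        "version": VERSIONS.get(version, hex(version)),
        "random": random,
        "new_session": session_id == b"",
        "offered": names,
        # RC4 is prohibited in TLS by RFC 7465; 3DES has a 64-bit block (Sweet32).
        "legacy": [n for n in names if "RC4" in n or "3DES" in n],
    }

def build_sample() -> bytes:
    """Constructed ClientHello (not captured traffic): new session, four suites."""
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"
            + b"\x00\x08" + bytes.fromhex("002f00330005000a") + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_client_hello(build_sample()))
```

The "legacy" list shows which of the offered suites a server policy would normally refuse; each suite name combines the key exchange, encryption and hashing choices listed above.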

Server Hello

In this message, the server sends the client the key exchange methods, encryption and hashing algorithms that it supports.

Server Key Exchange and Client Key Exchange

The Server Key Exchange message is an optional message that is sent when the server does not have a certificate, or when the server certificate does not have DH parameters.

In the Client Key Exchange message, the client calculates a pre-master secret key using a random number and sends it to the server, encrypted with the server's public key.

Server Hello Done indicates the end of the Server Hello and associated messages. The server then waits for the client's response, in which the client verifies the certificate and sends the certificate and Client Key Exchange.

Change Cipher Spec is the last message each party sends without encryption. After it, every message sent is encrypted, including the Finished message.
