Category Archives: Security

Symmetric and Asymmetric Key Cryptography…

  • Asymmetric key encryption, also known as public/private key encryption, utilizes a pair of keys – a public key and a private key. If you encrypt data with the public key, only the holder of the corresponding private key can decrypt it, hence ensuring confidentiality. Online transaction systems rely on asymmetric encryption to establish a secure channel. SSL, for example, is a protocol that utilizes asymmetric encryption to provide communication security on the Internet. Because asymmetric encryption algorithms typically involve exponentiation operations, they are not lightweight in terms of performance. For that reason, asymmetric algorithms are often used to secure key exchanges rather than for bulk data encryption.
  • Symmetric encryption – as the name suggests, the encryption and decryption operations utilize the same key. For two parties using symmetric encryption to communicate securely, the key represents a shared secret between them. Symmetric encryption is typically more efficient than asymmetric encryption and is often used for bulk data encryption.

SSL typically uses asymmetric public/private keys for the initial handshake and then uses a symmetric key for all further communication after the handshake.
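The division of labour described above, worked through as an added example (this is not code from the original post): the client draws a fresh AES-256 session key and wraps it to the server's RSA public key with RSA-OAEP, the server unwraps it with its private key, and from then on every record travels under AES-GCM, which is both cheap and tamper-evident. The function names and the sample request are the example's own. It follows the post's RSA key-transport description; current TLS versions negotiate the session key with ephemeral Diffie-Hellman instead, but the asymmetric-for-handshake, symmetric-for-data split is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrapSessionKey is the client side of the handshake: it draws a fresh random
// 256-bit session key and encrypts it to the server's public key with RSA-OAEP,
// so only the holder of the matching private key can recover it.
func WrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey is the server side: the single expensive private-key
// operation of the handshake recovers the session key.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrapped, nil)
}

// newGCM builds the AES-256-GCM AEAD used for all bulk traffic under the session key.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one record with the session key. The random
// nonce is prepended so the receiver can recover it; the GCM tag makes tampering detectable.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and returns an error if the record was altered or truncated.
func Open(sessionKey, record []byte) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, record[:aead.NonceSize()], record[aead.NonceSize():], nil)
}

// HybridRoundTrip runs the whole exchange once and returns what the server
// recovered: asymmetric keys for the handshake, a symmetric key for the data.
func HybridRoundTrip(message []byte) ([]byte, error) {
	// Server: long-lived key pair; only the public half is ever shared.
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Client: pick a session key and wrap it to the server's public key.
	clientSession, wrapped, err := WrapSessionKey(&serverKey.PublicKey)
	if err != nil {
		return nil, err
	}
	// Server: the private key unwraps it. Both sides now share the secret.
	serverSession, err := UnwrapSessionKey(serverKey, wrapped)
	if err != nil {
		return nil, err
	}
	// Bulk data goes under the cheap symmetric cipher only.
	record, err := Seal(clientSession, message)
	if err != nil {
		return nil, err
	}
	return Open(serverSession, record)
}

func main() {
	out, err := HybridRoundTrip([]byte("GET /account HTTP/1.1")) // constructed sample request
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered: %q\n", out)
}
```

Because the RSA operation happens exactly once per connection while AES-GCM handles every record, the cost profile matches the post's point: the asymmetric algorithm secures the key exchange, the symmetric one carries the traffic.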

SSL has been explained in an earlier blog post.

SSL – Concepts and how does it work…

SSL Certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.

The Public Key is what its name suggests – Public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner. Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa.

To get a certificate, you must create a Certificate Signing Request (CSR) on your server. This process creates a private key and a public key on your server. The CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a certificate that corresponds to your private key without compromising the key itself. The CA never sees the private key.

Once you receive the SSL Certificate, you install it on your server. You also install a pair of intermediate certificates that establish the credibility of your SSL Certificate by tying it to your CA’s root certificate.

When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an “SSL Handshake”. Note that the SSL Handshake is invisible to the user and happens instantaneously.

Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.

Because encrypting and decrypting with the private and public keys takes a lot of processing power, they are only used during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key is used to encrypt all transmitted data.

How Does the SSL Certificate Create a Secure Connection?

1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself.

2. Server sends a copy of its SSL Certificate, including the server’s public key.

3. Browser checks the certificate root against a list of trusted CAs, and checks that the certificate is unexpired, unrevoked, and that its common name is valid for the website it is connecting to. If the browser trusts the certificate, it creates a symmetric session key, encrypts it with the server’s public key, and sends it back.

4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.

5. Server and Browser now encrypt all transmitted data with the session key.
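The CSR paragraph above and step 3 of the handshake, worked through as an added example in Go's standard library (not code from the original post): the server generates its key pair and a CSR that carries only the public key and name, the CA signs a certificate from that CSR without ever receiving the private key, and a browser-side check then verifies the chain against a trusted root, the validity period and the host name. The host names, function names and one-day lifetime are constructed for the example; revocation is not modelled because it needs CRL or OCSP data the example does not have.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed host names for this example; they are not from the post.
const SiteName, OtherName = "shop.example.test", "other.example.test"

// must panics on error so the set-up code stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCert has signer (the parent's private key) sign tmpl and parses the result.
func signCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA builds a self-signed root that plays the CA. Its private key signs
// server certificates; the certificate itself is the browser's trust anchor.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return must(signCert(tmpl, tmpl, &key.PublicKey, key)), key
}

// NewCSR runs on the server: it generates the key pair and returns a CSR that
// carries only the public key and the requested name. The private key stays local.
func NewCSR(host string) ([]byte, *ecdsa.PrivateKey) {
	serverKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, serverKey)), serverKey
}

// IssueFromCSR runs at the CA, which sees only the CSR. The CSR's own signature proves
// the requester holds the private key; the CA then binds the public key to the name.
func IssueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return signCert(tmpl, ca, csr.PublicKey, caKey)
}

// BrowserCheck is step 3 of the handshake: chain to a trusted root, validity at
// "now", and a name match with the site visited. Revocation is not modelled here.
func BrowserCheck(cert *x509.Certificate, trusted []*x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	ca, caKey := NewRootCA()
	csrDER, _ := NewCSR(SiteName) // the server keeps its private key; only the CSR goes to the CA
	cert := must(IssueFromCSR(ca, caKey, csrDER, 24*time.Hour))
	trusted := []*x509.Certificate{ca}
	fmt.Println("trusted root, right name:", BrowserCheck(cert, trusted, SiteName, time.Now()))
	fmt.Println("root not trusted:", BrowserCheck(cert, nil, SiteName, time.Now()))
	fmt.Println("wrong host name:", BrowserCheck(cert, trusted, OtherName, time.Now()))
}
```

The three failure cases in main are exactly the conditions the browser tests before it will encrypt a session key to the server's public key: an unknown root, a name that does not match the site, and a certificate outside its validity period. Passing an empty trust pool rather than nil matters in Go, because a nil Roots field falls back to the system trust store.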