
 

Support - SSL

FAQ - SSL Basic

What is SSL?
How does Public Key Cryptography work?
What is the relationship between Public Keys and Certificates?
What is a Certification Authority?
How do SSL Certificates enable secure authenticated e-commerce on the Web?
What is Secure Sockets Layer ("SSL") and how does it work?
What level of browser compatibility do VeriSign's SSL certificates offer?
What size keys does VeriSign use?

What is SSL?

Secure Sockets Layer (SSL) is a protocol developed by Netscape in 1996 which was quickly adopted around the world as the method of choice for securing data transmissions across the Internet. SSL is an integral part of virtually all web browsers and web servers and makes use of a public-and-private key encryption system originally developed by RSA.

In order to establish an SSL connection, the SSL protocol requires that a server have a digital certificate installed. A digital certificate is an electronic file that uniquely identifies individuals and servers. Digital certificates allow the client (Web browser) to authenticate the server prior to establishing the SSL session. Typically, digital certificates are signed by an independent and trusted third party to ensure their validity. The "signer" of a digital certificate is known as a Certification Authority (CA), such as VeriSign.

SSL enables secure online transactions by combining the following three important elements:

1. Authentication: A digital certificate is associated with a specific domain name. Before issuing a digital certificate, the CA has the responsibility to perform a number of checks (called "authentication and verification" checks) to confirm the identity of the organization requesting the certificate and whether it has the right to use the domain name that will be associated with that certificate. This strong binding between certificate and domain name provides users with an assurance that they are interacting with a legitimate organization's Web site, not an impostor's.

2. Encryption: Encryption is the process of transforming information to make it unintelligible to all but the intended recipient. This forms the basis of the data integrity and privacy necessary for secure online transactions. An SSL certificate, a special kind of digital certificate, binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information transmitted over the Internet via the "https" protocol. Once the CA confirms the identity of the organization requesting the certificate and whether it has responsibility for the domain name that will be associated with that certificate, the CA uses its private key to sign the certificate containing, among other things, the organization's public key, and "issues" the certificate to the organization.

3. Message Integrity: After an SSL session has been established, the contents of all communications between client and server are protected from tampering en route. All parties to the transaction know that the information they have received is exactly what originated from the other side of the SSL session.

Combining the three elements above, SSL becomes a simple yet extremely powerful security solution, enabling you to conduct authenticated and encrypted online transactions with visitors to your Web site. With a VeriSign SSL certificate installed on your Web site, visitors will be able to submit credit card numbers or other sensitive information to you, with complete assurance that they are really doing business with you (and not an impostor) and that the information they are sending to you cannot be intercepted or tampered with during transmission.


How does Public Key Cryptography work?

Public key cryptography (or asymmetric encryption) eliminates the key distribution issues and other shortcomings of private key cryptography (or symmetric encryption), which makes it suitable for securing online transactions. In public key cryptography, an individual or organization has two complementary keys, one called a "public key" and the other called a "private key". Any information encrypted using the private key can only be decrypted using the public key. Conversely, any information encrypted using the public key can only be decrypted using the private key.

Here's an example:
1. Bob has two complementary keys
2. What one key encrypts the other key can decrypt
3. Bob keeps one key private (private key) and makes one key available to the public (public key)
4. If Alice needs to send Bob a message, Bob sends Alice a copy of his public key
5. Alice encrypts a message with Bob's public key and sends it to Bob
6. Bob decrypts the message with his private key

Bob and Alice's use of public key cryptography provides each of them with several advantages:

- Bob doesn't need to worry about securely sending his public key to Alice. If someone finds his public key, they can only use it to send Bob a private message. The finder can't use it to decrypt messages sent to Bob or to imitate Bob. Thus, Bob can send his public key to Alice using e-mail, or he can even post it in a public directory.

- Bob and Alice don't need to worry about someone intercepting and then decrypting and reading Alice's message to Bob. Only Bob, using his private key, can decrypt Alice's message. Even if someone did intercept Alice's message to Bob en route, he would not have Bob's private key, so he would be unable to decrypt the message.

- Bob doesn't need to worry about Alice being a double agent. Alice can neither intercept messages sent to Bob, nor can she imitate him.

- Key management scales to large organizations. Everybody who wants to send Bob a private message can do so using the same public key. So, organizations with n people need only have n public key pairs. With private key cryptography (symmetric encryption), they would need n! key pairs.

- Bob can sign messages. Because Bob is the only person with his private key, if he encrypts a message with his private key, it is equivalent to using a digital signature.

Note about protecting private keys: With public key cryptography, it is essential that private keys never be shared. If someone other than Bob gets Bob's private key, that person could decrypt and read messages intended only for Bob and impersonate Bob by signing messages as if they were Bob.
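The Bob-and-Alice exchange above, and the signing advantage, worked through in Go using only the standard library. This is an added example, not code from the FAQ or from VeriSign. Two points it makes concrete that the prose only states: a message encrypted to Bob's public key cannot be opened with any other private key, and a signature checks out only with Bob's public key and only over the exact bytes that were signed. Modern libraries implement "encrypting with the private key" as a dedicated signature operation (RSA-PSS here) and pad encryption with OAEP; the key sizes, names and message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// generateKeyPair gives a party (Bob) a complementary key pair.
// The private half never leaves Bob; the public half can be posted anywhere.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForRecipient is Alice's step 5: encrypt with Bob's public key.
// RSA-OAEP supplies the padding; raw "textbook" RSA must not be used directly.
func encryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptAsRecipient is Bob's step 6: only the matching private key opens the message.
func decryptAsRecipient(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// signMessage produces a digital signature over a hash of the message with Bob's
// private key (RSA-PSS). Anyone holding Bob's public key can check it.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifySignature is true only if sig was made by the private key matching pub
// over exactly these message bytes.
func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	bob, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	// A third party who found Bob's public key but holds only their own private key.
	other, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed message: ship order 42 to Alice")

	ct, _ := encryptForRecipient(&bob.PublicKey, msg)
	pt, err := decryptAsRecipient(bob, ct)
	fmt.Printf("Bob decrypts: %q (err=%v)\n", pt, err)
	_, err = decryptAsRecipient(other, ct)
	fmt.Println("another private key fails to decrypt:", err != nil)

	sig, _ := signMessage(bob, msg)
	fmt.Println("verifies with Bob's public key:", verifySignature(&bob.PublicKey, msg, sig))
	fmt.Println("verifies after message tampering:", verifySignature(&bob.PublicKey, []byte("ship order 43 to Alice"), sig))
	fmt.Println("verifies with another public key:", verifySignature(&other.PublicKey, msg, sig))
}
```

Run it with `go run` and the four boolean lines come out true, true, false, false; the decrypt-with-the-wrong-key case fails because the OAEP padding check does not pass on the garbage that the wrong key produces.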

What is the relationship between Public Keys and Certificates?

In Public Key Cryptography, if Alice wants to send a secret message to Bob, she must obtain a copy of his public key. Before doing so, however, she needs to make sure that the public key really belongs to Bob.

Digital certificates address this problem. A certificate is an electronic document that binds a public key to a particular individual or organization. Certificates are issued by a trusted third party, called a Certification Authority (CA). Before issuing a certificate, a good CA will perform a number of checks (called "authentication and verification" checks) to make sure Bob really is who he claims to be, and that the public key that will be in the certificate really belongs to Bob.

A public key certificate contains the following information:

- The Subject of the certificate. In the case of an SSL certificate, this would include your organization name and common name (e.g. VeriSign, Inc., www.verisign.com)

- Certificate Validity Period (e.g., Valid from 1-Jan-2004 to 1-Jan-2005)

- Subject's Public Key

- Issuer (an independent and trusted third party such as VeriSign)

- Issuer's signature. The issuer creates this signature by encrypting a hash of the certificate contents with its private key. Any application or system, such as a Web browser on a PC, that trusts the issuer's public key can be assured of the certificate's legitimacy.

What is a Certification Authority?

A Certificate Authority is a trusted third party responsible for issuing, revoking, renewing, and providing directories of digital certificates. Good Certificate Authorities follow rigorous procedures for authenticating and verifying the individuals and organizations to whom they issue certificates. All digital certificates are "signed" with the Certificate Authority's private key to ensure authenticity.

Typically, a Certificate Authority's Public Key is widely distributed. When establishing an SSL session between client and server (between browser and Web site), the server sends the client a certificate chain, starting with the server's public key certificate and ending with the Certificate Authority's root certificate. Before the client will trust the server's certificate, it inspects the certificate signatures and validity period (and, if configured, revocation status). The client must also determine if it "trusts" the CA who issued the server's certificate.

Most popular Web browsers (clients) will inherently trust server (SSL) certificates issued by public CAs such as VeriSign because the CA's public key has been installed in the Web browser software prior to distribution to users. As a result, Web sites that wish to take advantage of this inherent trust in Web browsers must obtain their respective server (SSL) certificates from one of these popular public CAs.
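The certificate contents listed under "Public Keys and Certificates" and the client-side checks described in this section (signature chain to a trusted root, validity period, and the domain name binding), worked through in Go with the standard library's crypto/x509. This is an added example, not code from the FAQ or from VeriSign; the CA name, organization, host name and lifetimes are constructed. It plays both roles: the CA that signs a server certificate with its private key, and the browser that decides whether to trust it, including the three ways that decision fails (wrong host name, expired certificate, issuer not in the trust store).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root certificate: the CA signs its own public key.
// The browser's trust store holds certificates like this one.
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert is the CA's "issue" step: a certificate binding a fresh server
// key to a host name, signed with the CA's private key so the Issuer field names the CA.
func issueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, org, host string, notAfter time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientAccepts performs the browser-side checks: the signature chain must end at
// trustedRoot, the certificate must be valid at `now`, and the host name must match.
// A nil result means the client would proceed with the SSL session.
func clientAccepts(server, trustedRoot *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// summary prints the fields the text lists: subject, issuer, validity period, public key size.
func summary(c *x509.Certificate) string {
	bits := 0
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		bits = pub.N.BitLen()
	}
	return fmt.Sprintf("subject=%q issuer=%q valid=%s..%s key=%d-bit RSA",
		c.Subject.CommonName, c.Issuer.CommonName,
		c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"), bits)
}

func main() {
	ca, caKey, err := newCA("Example Root CA (constructed)")
	if err != nil {
		panic(err)
	}
	leaf, _, err := issueServerCert(ca, caKey, "Example Shop Ltd (constructed)", "www.example.com", time.Now().Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	unknown, _, _ := newCA("Unknown CA (constructed)") // a root the client does not trust
	fmt.Println(summary(leaf))
	fmt.Println("trusted root, right host:", clientAccepts(leaf, ca, "www.example.com", time.Now()))
	fmt.Println("wrong host:", clientAccepts(leaf, ca, "shop.example.net", time.Now()))
	fmt.Println("after expiry:", clientAccepts(leaf, ca, "www.example.com", time.Now().Add(2*365*24*time.Hour)))
	fmt.Println("issuer not in trust store:", clientAccepts(leaf, unknown, "www.example.com", time.Now()))
}
```

Only the first check returns `<nil>`; the other three return a hostname, expiry, or unknown-authority error respectively. The same checks are what `cert.Verify` runs when a Go TLS client connects to a server, with the roots coming from the operating system's trust store instead of the single constructed root used here.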

How do SSL certificates enable secure authenticated e-commerce on the Web?

By obtaining and installing an SSL certificate, you enable the use of SSL at your Web site. When a browser connects via "https" to a Web site with an SSL certificate, the browser and the server will exchange information during what is called the "SSL handshake." Once the SSL session has been negotiated, all information that passes between the browser and the server will be encrypted.

Almost all browsers are equipped to recognize VeriSign SSL certificates automatically, enabling almost every visitor in the world to safely exchange sensitive information and conduct e-commerce transactions with your Web site.


What is Secure Sockets Layer and how does it work?

Secure Sockets Layer (SSL) is a technology developed by Netscape and adopted by all vendors producing related Web software. It negotiates and employs the essential functions of mutual authentication, data encryption, and data integrity for secure transactions.

The handshake exchange between the client and server is performed using the Secure Sockets Layer (SSL). SSL V2.0 supports server authentication only; SSL V3.0 supports both client and server authentication.

What level of browser compatibility do VeriSign's SSL certificates offer?

As the oldest operating public Certificate Authority, VeriSign offers SSL certificates that are compatible with all browsers shipped since 1995, certificates with greater browser compatibility than that of any other provider.

What size keys does VeriSign use?

The VeriSign private key, used to sign certificates, is 1024 bits.

Depending on your server software settings, the public key in your certificate will be either 512 bits or 1024 bits. Note: VeriSign recommends a minimum of 1024 bits.

The size of the session key dictates the "strength" of the SSL encryption that will be used for that session. Typical session key sizes are 128-bit, which is the strongest available, and 40-bit. The size of the session key used depends on the type of SSL certificate installed on the server, the browser software and, in many cases, the operating system on the PC.