Ecommerce Implementation
Lesson 10 SSL transactions
Objective: Describe the SSL protocol and its use in secure communications.

SSL Transactions (Secure Communications)

You now understand certificates. Enterprise-grade Web servers allow you to use certificates for authentication and SSL encryption. The SSL protocol allows applications to exchange data over public networks privately, preventing eavesdropping, tampering, and message forgery. SSL enables two applications to communicate over the network using authentication with digital certificates. In addition, message reliability is ensured with SSL's use of encryption and message digests.
When using the SSL protocol, the top-level sequence of events is:
  1. The client and server applications are authenticated using asymmetric keys in the form of certificates.
  2. A random symmetric session key is encrypted to the server's public key and transmitted to the server.
  3. All data is encrypted using the random symmetric key.
  4. A message authentication algorithm is applied to envelop all information and ensure its integrity.
The SSL specification details the data structures, client/server handshake protocol, certificate and key exchange procedures, messages, constants, and so on. It is not necessary to know all the internal details to use the SSL protocol.
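The sequence above, modelled as an added example (not code from the original lesson or from any SSL implementation). It assumes toy stand-ins: textbook RSA over small fixed primes for the certificate's key pair and a SHA-256 keystream for the cipher, and it MACs the ciphertext, which differs from SSL's own record format; certificate authentication (step 1) is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key pair: textbook RSA over two Mersenne primes.
# Too small and unpadded for real use; it only stands in for the public
# key carried in the server's certificate.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent

def client_wrap_session_key(session_key: bytes) -> int:
    """Client: encrypt the random 16-byte session key to the server's public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def server_unwrap_session_key(wrapped: int) -> bytes:
    """Server: recover the session key with its private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _subkeys(session_key: bytes):
    # Separate encryption and MAC keys derived from the one session key.
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode); an assumption of this demo.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with the session key, then append an HMAC over the result."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(12)
    body = _xor_stream(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unprotect(session_key: bytes, record: bytes) -> bytes:
    """Check the MAC before decrypting; reject records altered in transit."""
    enc_key, mac_key = _subkeys(session_key)
    nonce, body, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: record was modified")
    return _xor_stream(enc_key, nonce, body)

if __name__ == "__main__":
    key = server_unwrap_session_key(client_wrap_session_key(secrets.token_bytes(16)))
    print(unprotect(key, protect(key, b"order #1001 (constructed sample)")))
```

Flipping any byte of a protected record makes `unprotect` raise instead of returning altered plaintext, which is the integrity property step 4 describes.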

Secure Sockets Layer (SSL)

SSL encrypts communications between two points. It is not as ambitious as SET, which outlines a broader information exchange procedure in addition to encryption. Although SSL helps prevent eavesdropping by hackers, it is not completely secure. Most nations have embraced the use of SSL, but e-commerce will likely move to protocols such as SET or radically improved uses of SSL to ensure that customers feel completely secure about transacting online. The following series of images demonstrates the latest in SSL protocol technologies.
An SSL connection can have two phases, as shown in the SSL connection sequence below.


SSL Connection
1) First, the server authenticates itself to the client by sending its properly signed certificate. This phase is mandatory.
2) The client takes the server's certificate and creates a master key (or session key). The client then encrypts this master key with the server's public key.
3) The client transmits the master key (or session key) to the server.
4) The server checks this master key (or session key) and creates the session.
5) The remainder of the session (all remaining information) is encrypted using the master key (or session key).
6) The optional client authentication phase occurs after the initial phase. In this phase, the server sends a challenge response message.
7) The client proves its identity by returning the original challenge, the client's digital signature, and the client's public key.

  1. For more information about SSL, go to www.ssl.com.
  2. For more information about cryptography in general, go to rsa.com.
The next lesson will cover the SET protocol.