Comments on: How Does Secure Socket Layer (SSL or TLS) Work? http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html News, solutions and insider insight from LuxSci: provider of Secure Email and Web Security Thu, 08 Mar 2012 02:57:09 +0000 hourly 1 http://wordpress.org/?v=110 By: iPhone Security Apps and Configuration Tips | LuxSci FYI http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-1286 iPhone Security Apps and Configuration Tips | LuxSci FYI Wed, 18 May 2011 16:55:22 +0000 http://luxsci.com/blog/?p=1500#comment-1286 [...] your iPhone for general access to email (sending or receiving), be sure that your provider supports SSL or TLS for POP/IMAP/SMTP access.  Without use of  SSL or TLS, your usernames, passwords, and message [...] [...] your iPhone for general access to email (sending or receiving), be sure that your provider supports SSL or TLS for POP/IMAP/SMTP access.  Without use of  SSL or TLS, your usernames, passwords, and message [...]

]]> By: Steps for Protecting Your Passwords from Theft | LuxSci FYI http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-1263 Steps for Protecting Your Passwords from Theft | LuxSci FYI Tue, 03 May 2011 15:49:11 +0000 http://luxsci.com/blog/?p=1500#comment-1263 [...] should always use connections encrypted using SSL or TLS, so no one can eavesdrop on you.  This is especially true in public places, like wifi hot [...] [...] should always use connections encrypted using SSL or TLS, so no one can eavesdrop on you.  This is especially true in public places, like wifi hot [...]

]]> By: Erik Kangas http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-965 Erik Kangas Thu, 16 Sep 2010 12:34:54 +0000 http://luxsci.com/blog/?p=1500#comment-965 For SSL and other asymmetric encryption systems, there are two keys involved. The key built into the SSL certificate is the asymmetric key. Due to how the math works, the asymmetric keys are easier to break than symmetric encryption keys. As a result, asymmetric keys must be longer (have larger bit lengths, like 1024, 2048, or more). The asymmetric key is used together with the asymmetric encryption algorithm during the initial client-server communications. During that phase, identity is checked and verified, etc. Also, because asymmetric encryption is much slower than symmetric encryption, the client and server agree on a symmetric encryption algorithm and new symmetric key to use for the remainder of their communications session. They then switch from asymmetric to symmetric encryption (using something like AES) for the rest of the session. The 128bit or 256bit encryption key is that used for the specific symmetric encryption session. So: * The 1024+ key is the asymmetric key used for all initial communications over SSL with a specific server. * The 128-256 bit key is the symmetric encryption session key used for a single specific session of encrypted communications between client and server. It is negotiated during the start of the session, that communication protected using the asymmetric encryption. * Because of the mathematical nature of asymmetric encryption, the key length for asymmetric keys must be much longer than that for symmetric keys to ensure security For SSL and other asymmetric encryption systems, there are two keys involved. The key built into the SSL certificate is the asymmetric key. Due to how the math works, the asymmetric keys are easier to break than symmetric encryption keys. As a result, asymmetric keys must be longer (have larger bit lengths, like 1024, 2048, or more).

The asymmetric key is used together with the asymmetric encryption algorithm during the initial client-server communications. During that phase, identity is checked and verified, etc. Also, because asymmetric encryption is much slower than symmetric encryption, the client and server agree on a symmetric encryption algorithm and new symmetric key to use for the remainder of their communications session. They then switch from asymmetric to symmetric encryption (using something like AES) for the rest of the session. The 128bit or 256bit encryption key is that used for the specific symmetric encryption session.

So:
* The 1024+ key is the asymmetric key used for all initial communications over SSL with a specific server.
* The 128-256 bit key is the symmetric encryption session key used for a single specific session of encrypted communications between client and server. It is negotiated during the start of the session, that communication protected using the asymmetric encryption.
* Because of the mathematical nature of asymmetric encryption, the key length for asymmetric keys must be much longer than that for symmetric keys to ensure security

]]> By: Dan Rogers http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-963 Dan Rogers Thu, 16 Sep 2010 03:30:07 +0000 http://luxsci.com/blog/?p=1500#comment-963 Thanks for the great article! Could you please explain the difference between the following two terminologies and if they are related in any way 1028 - 2048 bit keys 128 - 256 bit encryption i know that the 128 & 256 is the encryption level that the client-server agree on using, what about the term 1024 or 2048, where dose this fit in? Thanks Thanks for the great article!

Could you please explain the difference between the following two terminologies and if they are related in any way

1028 – 2048 bit keys
128 – 256 bit encryption

i know that the 128 & 256 is the encryption level that the client-server agree on using, what about the term 1024 or 2048, where dose this fit in?

Thanks

]]> By: Erik Kangas http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-875 Erik Kangas Mon, 26 Jul 2010 12:47:14 +0000 http://luxsci.com/blog/?p=1500#comment-875 Not correct. In public key cryptography, any message encrypted with a private key can be decrypted only with the public key and any message encrypted with the public key can be decrypted only with the private key. Encrypting with the private key allows anyone to open it, but the process of opening it proves it was sent by someone with the private key, and thus validates identity. Encrypting with the public key ensures that only someone with the private one can open it, and thus ensures security (only the recipient can open it). Used together, these mechanisms permit validation and prevent eavesdroppng, among other things. Not correct. In public key cryptography, any message encrypted with a private key can be decrypted only with the public key and any message encrypted with the public key can be decrypted only with the private key. Encrypting with the private key allows anyone to open it, but the process of opening it proves it was sent by someone with the private key, and thus validates identity. Encrypting with the public key ensures that only someone with the private one can open it, and thus ensures security (only the recipient can open it).

Used together, these mechanisms permit validation and prevent eavesdroppng, among other things.

]]> By: Eitam Doodai http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-873 Eitam Doodai Mon, 26 Jul 2010 10:44:22 +0000 http://luxsci.com/blog/?p=1500#comment-873 There is another mistake, It is stated that Thawte's public key is stored on the computer of the client. This does not mean that the computer can decrypt messages encrypted by Thawte with their private key. It may be the other way around, but it's most surly not like it's mentioned right now. There is another mistake, It is stated that Thawte’s public key is stored on the computer of the client. This does not mean that the computer can decrypt messages encrypted by Thawte with their private key.

It may be the other way around, but it’s most surly not like it’s mentioned right now.

]]> By: Is Blackberry HIPAA Compliant? What You Need To Know | LuxSci FYI http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-849 Is Blackberry HIPAA Compliant? What You Need To Know | LuxSci FYI Wed, 14 Jul 2010 01:39:24 +0000 http://luxsci.com/blog/?p=1500#comment-849 [...] email over POP or IMAP on your Blackberry as long as your email provider supports secure, SSL-enabled POP and IMAP connections, and can ensure that the Blackberry will not be permitted to make insecure [...] [...] email over POP or IMAP on your Blackberry as long as your email provider supports secure, SSL-enabled POP and IMAP connections, and can ensure that the Blackberry will not be permitted to make insecure [...]

]]> By: Erik Kangas http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-802 Erik Kangas Sat, 29 May 2010 02:31:08 +0000 http://luxsci.com/blog/?p=1500#comment-802 Thanks for your comments. However, the terminology here is targeted at the newbie and is thus errors on the side of common parlance versus being explicitly technically accurate. Most people refer to needing an "SSL certificate" or buying an "SSL Certificate" and by this they mean the public key, private key, and even the signing of the public key by the authority. While "certificate" technically means only the signed public key, people generally use it inclusively and thay is why it was used as such here. This is the same reason why we state that Thawte gives back a new "public key with more information". True, the key itself is the same, but the file is modified with more information. For a common, simple description of the process, this gets the point across. That you for your clarifications, however. Thanks for your comments. However, the terminology here is targeted at the newbie and is thus errors on the side of common parlance versus being explicitly technically accurate. Most people refer to needing an “SSL certificate” or buying an “SSL Certificate” and by this they mean the public key, private key, and even the signing of the public key by the authority. While “certificate” technically means only the signed public key, people generally use it inclusively and thay is why it was used as such here.

This is the same reason why we state that Thawte gives back a new “public key with more information”. True, the key itself is the same, but the file is modified with more information. For a common, simple description of the process, this gets the point across.

That you for your clarifications, however.

]]> By: John Belushi http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-801 John Belushi Fri, 28 May 2010 23:16:50 +0000 http://luxsci.com/blog/?p=1500#comment-801 This is a pretty good article, but you've got some incorrect information. For example: (i) You state: "They create a public and private key for company.com (this is also known as a “certificate”)". Not true. The "certificate" does not contain the private key. It contains only the public key of the entity (along with a digital signature of the CA and other useful identifying information). (ii) You state: "Once the verification is complete, Thawte gives the company a new public key that has some additional information in it..." Again, not true. You're confusing the public key with the digital certificate here. A public key has only one corresponding private key. If a "new public key" was issued, the existing private key would no longer work. Thawte would provide company.com with a digitally signed certificate certifying that company.com's public key (which company.com provided to Thawte) is in fact their public key. There is no need for anyone at Thawte to see company.com's private key. This is a pretty good article, but you’ve got some incorrect information. For example:
(i) You state: “They create a public and private key for company.com (this is also known as a “certificate”)”. Not true. The “certificate” does not contain the private key. It contains only the public key of the entity (along with a digital signature of the CA and other useful identifying information).
(ii) You state: “Once the verification is complete, Thawte gives the company a new public key that has some additional information in it…” Again, not true. You’re confusing the public key with the digital certificate here. A public key has only one corresponding private key. If a “new public key” was issued, the existing private key would no longer work. Thawte would provide company.com with a digitally signed certificate certifying that company.com’s public key (which company.com provided to Thawte) is in fact their public key. There is no need for anyone at Thawte to see company.com’s private key.

]]> By: SecureForm Now Support SMTP TLS for Secure Form Email Delivery | LuxSci FYI http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html/comment-page-1#comment-720 SecureForm Now Support SMTP TLS for Secure Form Email Delivery | LuxSci FYI Fri, 09 Apr 2010 20:54:53 +0000 http://luxsci.com/blog/?p=1500#comment-720 [...] the emailed form data can be secured using PGP or S/MIME.  This, combined with enforced use of SSL, ensures that the form data is secured from end-to-end … from submission by the end user to [...] [...] the emailed form data can be secured using PGP or S/MIME.  This, combined with enforced use of SSL, ensures that the form data is secured from end-to-end … from submission by the end user to [...]

]]>