SSL (Secure Sockets Layer):-

Secure Sockets Layer is a protocol layer, placed between a reliable connection-oriented network layer protocol (e.g. TCP / IP) and the application protocol layer (e.g. HTTP). SSL provides secure communication between client and server by allowing mutual authentication, integrity by the use of digital signatures and privacy by encryption. SSL performs two functions. Firstly it authenticates the web sites and secondly it ensures secure data transmission between the web server and the client. This is achieved by symmetric encryption or asymmetric encryption.

The protocol is designed in such a way that users can have a range of choices for the specific algorithms used for cryptography, digests, and signatures. This allows algorithm selection for a specific server to be made based on legal, export or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of a protocol session. SSL was developed by Netscape; there are several versions of SSL: 1.0, 2.0, 3.0, etc.

Version 3.0 has been implemented in many web browsers (e.g. Netscape Navigator and MS Internet Explorer) and web servers and is widely used on the Internet. SSL v3.0 was specified in an Internet Draft (1996). It later evolved into TLS, specified in RFC 2246. TLS can be viewed as SSL v3.1.

Architecture of SSL:-

   +------------------------+---------------------------------+--------------------+--------------------------+
   | SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | Applications (e.g. HTTP) |
   +------------------------+---------------------------------+--------------------+--------------------------+
   |                                           SSL Record Protocol                                            |
   +----------------------------------------------------------------------------------------------------------+



   The different components of SSL are:-

1) SSL Handshake Protocol:- This negotiates the security algorithms and parameters for key exchange. It is also responsible for server authentication and, optionally, client authentication.

2) SSL Record Protocol:- This is responsible for the fragmentation of data, compression of data, message authentication and integrity protection and encryption.

3) SSL Alert Protocol:- This is responsible for transmitting error messages which includes fatal alerts and warnings.

4) SSL Change Cipher Spec Protocol:- This is a single message that indicates the end of the SSL handshake.


     Authentication:- The origin of all messages is assured.

     Reliable:- The message transport uses a message integrity check (using a MAC) that ensures the quality of the data being transmitted.

     Private:- Messages between the components are encrypted, after a handshake to define a secret key. This ensures that the contents of the messages cannot be read by a third party. If all of the components are behind a firewall, or some other means of protection, and do not require encryption, privacy can be disabled without compromising the authentication and reliability aspects of SSL.

How SSL works:-

I). Obtaining an SSL Certificate

XYZ Inc. intends to secure their customer checkout process, account management, and internal employee correspondence on its website.

Step 1:- XYZ creates a Certificate Signing Request (CSR) and during this process, a private key is generated.

Step 2:- XYZ goes to a trusted, third-party Certificate Authority, such as Trustwave. Trustwave takes the certificate signing request and validates XYZ in a two-step process. Trustwave validates that XYZ has control of the domain and that XYZ Inc. is an official organization listed in public government records.

Step 3:- When the validation process is complete, Trustwave gives XYZ a new public key (certificate) encrypted with Trustwave's private key.

Step 4:- XYZ installs the certificate on their web server(s).

II). How Customers Communicate with the Server using SSL

Step 1:- A customer makes a connection to on an SSL port, typically 443. This connection is denoted with HTTPS instead of HTTP.

Step 2:- sends back its public key to the customer. Once the customer receives it, his/her browser decides if it is alright to proceed.

The public key must NOT be expired.
The public key must be for only
The client must have the public key for Trustwave installed in their browser certificate stores. 99.9% of all modern browsers (1998+) include the Trustwave root certificate. If the customer has Trustwave's trusted public key, then they can trust they are really communicating with XYZ, Inc.

Step 3:- If the customer decides to trust the certificate, then the customer will be sent to his/her public key.

Step 4:- will next create a unique hash and encrypt it using both the customer's public key and's private key, and send this back to the client.

Step 5:- Customer's browser will decrypt that hash. This process shows that sent the hash and only the customer is able to read it.

Step 6:- Customer and website can now securely exchange information.
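The browser-side checks from Step 2 (the certificate must not be expired, must be issued for exactly the host being contacted, and must chain to a root the client already holds), as an added Go example that is not part of this page. It builds a constructed test PKI in memory, with a made-up "Example Root CA" standing in for the Trustwave root and the hypothetical host www.xyz.example standing in for XYZ Inc.'s site, and then verifies the leaf certificate the way a client would.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeChain builds a constructed in-memory test PKI: a root CA standing in for the
// page's "Trustwave" root and a leaf it signs for host. Returns DER-encoded certs.
func MakeChain(host string, notBefore, notAfter time.Time) (leafDER, rootDER []byte) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // leaf private key not needed here
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageCertSign,
		IsCA: true, BasicConstraintsValid: true,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, caPub, caPriv)
	rootCert, _ := x509.ParseCertificate(rootDER) // issuer must be the final, parsed form
	if err == nil {
		leafDER, err = x509.CreateCertificate(rand.Reader, leaf, rootCert, leafPub, caPriv)
	}
	if err != nil {
		panic(err) // only if the system RNG fails
	}
	return leafDER, rootDER
}

// VerifyServerCert applies the Step 2 checks: not expired at time now, issued for exactly
// host, and chained to a root the client already holds (nil trustedRoot = missing root).
func VerifyServerCert(leafDER, trustedRoot []byte, host string, now time.Time) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if root, perr := x509.ParseCertificate(trustedRoot); perr == nil {
		roots.AddCert(root) // absent or unparsable root: the store stays empty
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}
```

An empty root pool is passed deliberately so the check does not fall back to the operating system's trust store; a real browser would consult its own store the same way.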

In any case, if you want to ensure that people can only use specific pages securely, no matter what links they arrive from, it is best to use a server-side approach that redirects the client if the request is not HTTPS. You can do that with a code snippet embedded in your protected page. Here is one in PHP:

<?php
// Require HTTPS: redirect any plain-HTTP request to the same URL over https://
// ($_SERVER['HTTPS'] is unset on plain HTTP, and some servers set it to "off")
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header("Location: $url", true, 301); // permanent redirect
    exit; // stop rendering the page over HTTP
}