Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), combine asymmetric (public-key) and symmetric encryption to provide confidentiality, integrity and server authentication (optionally client authentication too) for Internet traffic. They do not provide non-repudiation: record integrity comes from a MAC or AEAD keyed with a secret both parties share, so either side could have produced any given record. In a nutshell, SSL uses public-key cryptography to establish a shared session key between the client and the server; that session key is then used for fast symmetric encryption of the application data. The server's public key is carried in an X.509 certificate, which normally bears a digital signature from a Certificate Authority (CA) that the client trusts.
- The client requests a document from a secure HTTPS server, https://www.myapp.com.au, and opens the handshake with a ClientHello listing the protocol versions and cipher suites it supports.
- The server chooses a cipher suite that both sides support (in practice the first acceptable one in its configured preference order, which should put the strongest first) and tells the client which one it picked.
- The server sends its X.509 certificate to the client; the certificate contains the server's public key and the CA's signature over it.
- The client validates the certificate: it must chain to a CA in the client's trust store, be within its validity period and not be revoked.
- The client checks that the name in the certificate (the Subject Alternative Name entries; the Common Name is only a legacy fallback) matches the host it set out to reach, www.myapp.com.au. Without this check any valid certificate for any site would let an attacker impersonate myapp.com.au.
- The client generates the random secret from which the session keys are derived (the pre-master secret in the RSA key exchange described here; it is a symmetric secret, not a private key), encrypts it with the server's public key and sends it to the server.
- The server decrypts the pre-master secret with its private key. Both sides now derive the same symmetric session keys from it.
- The server and client use the session keys to encrypt and integrity-protect the data they send to each other for the rest of the session.
- Caveat: the RSA key exchange above has no forward secrecy, since anyone who later obtains the server's private key can decrypt recorded sessions, and TLS 1.3 removed it. Current handshakes agree the session key with an ephemeral (EC)DHE exchange and use the certificate's key only to sign the handshake; the certificate, trust and name checks are unchanged.
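The handshake above, as an added Go example that is not part of the original page or of any project it describes: it builds a throwaway root CA and a server certificate for www.myapp.com.au in memory, then runs real TLS handshakes over loopback TCP with only the standard library, showing the client accepting the certificate when it trusts the issuing CA and the name matches, and rejecting it when either check fails. The issuer name "Example Root CA", the host www.other.example, the loopback address, port 0 and the 5-second deadline are assumptions of the example. With a current Go toolchain the negotiated version is TLS 1.3, so the session key comes from an ephemeral key agreement rather than from a client-chosen secret encrypted under the server's public key; the certificate checks are the same either way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is the host from the text; "Example Root CA" below is a made-up issuer.
const serverName = "www.myapp.com.au"

// issue makes a fresh P-256 key and a certificate for tmpl signed by parentKey; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI constructs, in memory, a throwaway root CA and a server certificate signed
// by it: the "digital signature from a trusted 3rd party" that the client checks.
func buildPKI() (*x509.Certificate, tls.Certificate, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, // clients match the host against the SANs, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return ca, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, nil
}

// handshake runs the exchange over loopback TCP: the server presents srvCert, the client trusts only
// roots and expects a certificate for host. Returns the client's view of the session or its verification error.
func handshake(srvCert tls.Certificate, roots *x509.CertPool, host string) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // server side: serve one connection; Handshake fails if the client sends an alert
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo on a stuck peer
	cli := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: host})
	if err := cli.Handshake(); err != nil { // chain, validity and host-name checks happen in here
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

func main() {
	ca, srv, err := buildPKI()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	st, err := handshake(srv, roots, serverName)
	fmt.Printf("trusted CA, right name: version 0x%04x suite %s err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)
	_, err = handshake(srv, x509.NewCertPool(), serverName)
	fmt.Println("issuing CA not in trust store:", err)
	_, err = handshake(srv, roots, "www.other.example")
	fmt.Println("trusted CA, certificate for another host:", err)
}
```

Run it with go run: the first handshake prints the negotiated version and cipher suite, the other two print the client's x509 error (unknown authority, then a host-name mismatch). The server only ever sees an alert; the decision is entirely the client's, and these are exactly the checks that `InsecureSkipVerify: true` disables, which is why that setting must never reach production.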