SSL/TLS

A common application of cryptography is SSL (Secure Sockets Layer), now known as TLS (Transport Layer Security). TLS is the IETF-standardized version of SSL. SSL ended life at version 3.0, which is now deprecated. TLS is currently at version 1.2. TLS is used to secure TCP-based client/server connections for HTTP, LDAP, IMAP, POP3 and other application-layer protocols.

A TLS-compliant server can be secured by installing an X.509 public key Server Certificate. A Server Certificate binds a fully qualified node name and an organization name (and possibly other information, such as city, state and country) to the public key. It is used to identify a node (e.g. a web server).

When a TLS-compliant client connects to a secured server, the server sends its Server Certificate to the client. The client validates the certificate (makes sure it can be traced up to a trusted root certificate), and checks whether the certificate has expired or been revoked. It then encrypts a random challenge string with the server’s public key (from its certificate) and sends that as a cryptographic challenge to the server. The server decrypts the challenge with its private key and sends the result back to the client. If the result is the same as the original random string, that establishes that the server possesses the private key corresponding to the public key in the Server Certificate, which provides Server-to-Client Authentication. The client then creates a random symmetric session key, encrypts it with the server’s public key and sends it to the server. The server decrypts it with its private key. The server and client have now securely shared a symmetric session key. All remaining traffic in both directions can be encrypted using a symmetric key algorithm and that shared key.
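The exchange described above can be traced in code. This is an added example, not part of the original page and not a TLS implementation: it models only the simplified challenge and session-key steps, after certificate validation, using unpadded textbook RSA with small constructed primes. The names `Server` and `handshake` are hypothetical.

```python
import secrets

# Toy RSA key pair built from two known Mersenne primes (constructed values;
# far too small and unpadded for real use, chosen so this runs on the stdlib).
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537                    # public key, as carried in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to the server


class Server:
    """Hypothetical server side: holds a private exponent and decrypts with it."""

    def __init__(self, private_exponent):
        self.d = private_exponent
        self.session_key = None

    def decrypt(self, ciphertext):
        return pow(ciphertext, self.d, N)


def handshake(server, public_key=(N, E)):
    """Client side. Assumes the certificate holding public_key was already
    validated (chain, expiry, revocation). Returns the shared session key."""
    n, e = public_key

    # 1. Challenge: only the holder of the matching private key can recover it.
    challenge = secrets.randbits(128) | (1 << 127)
    response = server.decrypt(pow(challenge, e, n))
    if response != challenge:
        raise ConnectionError("server did not prove possession of the private key")

    # 2. Session key transport: encrypt a fresh random key to the server.
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    server.session_key = server.decrypt(wrapped).to_bytes(16, "big")
    return session_key


if __name__ == "__main__":
    genuine = Server(D)
    key = handshake(genuine)
    print("keys match:", key == genuine.session_key)

    impostor = Server(D + 2)           # presents the certificate, lacks the key
    try:
        handshake(impostor)
    except ConnectionError as err:
        print("rejected:", err)
```

A server that presents a valid certificate without holding the matching private key fails at step 1, so no session key is ever sent to it.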

SSL/TLS provides privacy and Server-to-Client Authentication for web client-to-server connections, email client-to-server connections, and other uses.