
SSL (Secure Sockets Layer)

The Secure Sockets Layer (SSL) is a commonly-used protocol or set of rules for managing the security of a message transmission on the Internet. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) layer and Transmission Control Protocol (TCP) layer.

HTTP is the protocol for exchanging text, graphic images, sound, video, and other multimedia files on the World Wide Web, whereas TCP is the protocol used along with the Internet Protocol, or IP, to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.

SSL is included as part of all popular Internet browsers, and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers, and became the de facto standard

The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.

Here's the relatively easy to understand math behind RSA public key encryption:

Find P and Q, two large (e.g., 1024-bit) prime numbers.

Choose E such that E is greater than 1, E is less than PQ, and such that E and (P-1)(Q-1) are relatively prime, which means they have no prime factors in common. E does not have to be prime, but it must be odd. (P-1)(Q-1) can't be prime because it's an even number.

Compute D such that (DE - 1) is evenly divisible by (P-1)(Q-1). Mathematicians write this as DE = 1 (mod (P-1)(Q-1)), and they call D the multiplicative inverse of E. This is easy to do -- simply find an integer X which causes D = (X(P-1)(Q-1) + 1)/E to be an integer, then use that value of D.

The encryption function is C = (T^E) mod PQ, where C is the ciphertext (a positive integer), T is the plaintext (a positive integer), and ^ indicates exponentiation. The message being encrypted, T, must be less than the modulus, PQ.

The decryption function is T = (C^D) mod PQ, where C is the ciphertext (a positive integer), T is the plaintext (a positive integer), and ^ indicates exponentiation.

Your public key is the pair (PQ, E). Your private key is the number D (reveal it to no one). The product PQ is the modulus (often called N in the literature). E is the public exponent. D is the secret exponent.
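
The steps above, carried through in Python as an added example (not code from the original page). The primes 61 and 53, the exponent 17 and the function names are constructed for illustration; they are far too small for real use, and no padding is applied.

```python
from math import gcd

def make_keypair(p, q, e):
    """Follow the page's steps; return the public key (PQ, E) and private D."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < n:
        raise ValueError("E must be greater than 1 and less than PQ")
    if gcd(e, phi) != 1:
        raise ValueError("E and (P-1)(Q-1) must be relatively prime")
    # Page's method: find an integer X so that (X(P-1)(Q-1) + 1)/E is an integer.
    x = 1
    while (x * phi + 1) % e != 0:
        x += 1
    d = (x * phi + 1) // e
    # Cross-check: D is the multiplicative inverse of E (Python 3.8+).
    assert d == pow(e, -1, phi)
    return (n, e), d

def encrypt(t, public_key):
    """C = (T^E) mod PQ. Rejects T outside the range 0 < T < PQ."""
    n, e = public_key
    if not 0 < t < n:
        raise ValueError("plaintext T must be positive and less than PQ")
    return pow(t, e, n)

def decrypt(c, public_key, d):
    """T = (C^D) mod PQ."""
    n, _ = public_key
    return pow(c, d, n)

def raw_roundtrip(t, public_key, d):
    """Apply the two formulas with no range check, to show why T < PQ matters."""
    n, e = public_key
    return pow(pow(t, e, n), d, n)

if __name__ == "__main__":
    pub, d = make_keypair(61, 53, 17)      # constructed toy values
    c = encrypt(65, pub)
    print("public key:", pub, "private D:", d)
    print("ciphertext:", c, "decrypted:", decrypt(c, pub, d))
    # T = 3298 is larger than PQ = 3233, so it comes back reduced mod PQ.
    print("oversized T=3298 round-trips to:", raw_roundtrip(3298, pub, d))
```

The last line shows the failure mode behind the rule that T must be less than PQ: an oversized plaintext decrypts to a different number without any error.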

You can publish your public key freely, because there are no known easy methods of calculating D, P, or Q given only (PQ, E) (your public key). If P and Q are each 1024 bits long, the sun will burn out before the most powerful computers presently in existence can factor your modulus into P and Q.

A digital certificate is an electronic "credit card" that establishes a Web site's credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains the site name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.

Older browsers make use of a 40-bit encryption key, which is vulnerable to prolonged attack. Modern encryption makes use of 128-bit encryption keys, which are almost impossible to attack.

Personal information encrypted using a 128-bit key should be proof against any attempt to discover the identity of the user or details about their credit card!

This site is updated on a daily basis.
Copyright © 1999-2007 - Yoga Technology
Copyright will be maintained and enforced.