What is an SSL certificate

Posted by Safe 15/09/2014 2 Comment(s) Traveling, Branding,

What is an SSL certificate and what is it used for?


SSL certificates are used to create an encrypted channel between the client and the server. Transmission of such data as credit card details, account login information, any other sensitive information has to be encrypted to prevent eavesdropping.




With an SSL certificate, data is encrypted prior to being transmitted via Internet. Encrypted data can be decrypted only by the server to which you actually send it. This ensures that the information you submit to websites will not be stolen. Starting from 06/08/2014, Google announced that having an SSL certificate installed on your website will increase your ranking position, which is another great reason to use an SSL.



The certificate itself represents base64 encoded data that contains information about the entity the certificate was issued for, public key required for encryption and digital signature verification, and digital signature created with the private key of the certificate issuer.



Types of SSL certificates


SSL certificates can be divided into 3 validation groups:

1.Domain Validation Certificate

Requires a certificate applicant to prove his/her control over the domain name only. The issued certificate contains a domain name that was supplied to the Certification Authority within the certificate requests.


EX :


2.Organization Validation Certificate

Requires a certificate applicant to prove that his/her company is a registered and legally accountable business, and to pass domain validation. The issued certificate contains a domain and company name of the certificate applicant.




3.Extended Validation Certificate

Includes validation requirements of two validation types mentioned above and additional requirements. The issued certificate contains a domain and company name of the certificate applicant. It is worth mentioning that only Extended Validation certificates display a green bar with an owner’s company name in web browsers.








Technical Overview:


  • Asymmetric cryptography - ciphers that imply different keys for encryption and decryption processes
  • Cipher suite - set of key exchange, authentication, encryption and message authentication code (MAC) algorithms used within SSL/TLS protocols
  • Handshake - protocol use within SSL/TLS for the purpose of security parameters negotiation
  • Key exchange - in the context of SSL/TLS, the way client and server securely establish a pre-master secret for a session
  • Master secret - key material used for generation of encryption keys, MAC secrets and initialization vectors (IVs)
  • Message Authentication Code (MAC) - one-way hash function computed over a message and a secret
  • Pre-master secret - key material used for the master secret derivation
  • Symmetric cryptography - ciphers that imply the same key both for encryption and decryption processes



Symmetric & Asymmetric cryptography


Two types of cryptography are being used by SSL/TLS protocols: symmetric and asymmetric.


                    Symmetric cryptography (also called “bulk encryption”) implies the same key for encryption as well as for decryption. In SSL/TLS symmetric ciphers are generally used for application data encipherment.
Examples of symmetric ciphers: AES, RC4, DES


                    Asymmetric cryptography (also called “public key cryptography”) implies different keys for encryption and decryption.
Public key contained in a CSR and subsequently in an SSL certificate is used for encryption and signature verification. A private key which is typically kept on the server may be used, depending on the cipher suite negotiated during the handshake, either for decryption of a pre-master secret required for computation of a master secret, or for signing parameters required to compute a master secret.


                     In plain words, in the context of SSL/TLS protocols, asymmetric encryption serves the purpose of secure symmetric encryption key computation for both sides (client/server).

Example of asymmetric cryptosystems: RSA, DHE, ECDHE



Cipher Suite


Cipher suite is a set of key exchange, authentication, encryption and message authentication code (MAC) algorithms used within SSL/TLS protocols.



Cipher suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 implies
- DHE for key exchange
- RSA for authentication
- AEC_256_GCM for bulk encryption
- SHA384 is a hash function used for MAC computations





Handshake is a protocol used within SSL/TLS for the purpose of security parameters negotiation. Depending on the cipher suite, a handshake can consist of different messages that parties send to each other.


The diagram below describes one of the most common handshake message flows that imply premaster key encipherment with an RSA public key. Such a handshake message flow is applicable for cipher suites as follows (examples):




Key exchange


To preserve data confidentiality during transmission, secure file transfer protocols like FTPS, HTTPS, and SFTP have to encrypt the data through what is known as symmetric encryption. This kind of encryption requires the two communicating parties to have a shared key in order for them to encrypt and decrypt messages.In SSL/TLS-protected file transfer protocols like FTPS and HTTPS, the key exchange process is performed during what is known as the SSL handshake - that preliminary step prior to the encrypted message/file exchanges. 



The client application, which is usually a Web browser (e.g. Firefox, Chrome, Internet Explorer, or Safari) or a file transfer client (e.g. AnyClient), requests a connection to the server by sending a message known as the Client Hello. The Client Hello message typically consists of some random data and the cipher suites supported by the client. It may also contain a session ID and a compression



As soon as the server receives the Client Hello, it will look up its own list of supported cipher suites, compare it with the list sent by the client, and (ideally) choose the best. Once the server has chosen its desired cipher suite, it would likewise have effectively chosen the desired key exchange algorithm. Immedaitely after, the two (client and server) would start the key exchange process using the key exchange algorithm defined in the cipher suite


Popular key exchange algorithms


The two most popular key exchange algorithms are RSA and Diffie-Hellman (now known as Diffie-Helmlman-Merkle). It probably wouldn't be too much of a stretch to say that the advent of these two key exchange protocols accelerated the growth of the Internet, especially businesswise.



Master secret


A master secret is always 48 bytes. So now that we have a fixed length value, we can derive 4 keys from it:

  • client_write_MAC_key
  • server_write_MAC_key
  • client_write_key
  • server_write_key

As you can probably guess, MAC keys are for the authentication and integrity with whatever MAC algorithm you chose in the cipher suite, write keys are for the symmetric encryption.


Interestingly, two keys are generated for every purpose: one key per side. This is mostly by respect of good practices. Always segregate the use of your keys.


The symmetric ciphers chosen in the handshake will dictate how long these keys we generate need to be. Note that AEAD ciphers that combine both authentication and encryption will not need MAC keys but will need two other keys instead: client_write_IV and server_write_IV. This is because their MAC keys are directly derived from the encryption keys.


Message Authentication Code (MAC)


MAC algorithm is a symmetric key cryptographic technique to provide message authentication. For establishing MAC process, the sender and receiver share a symmetric key K.

Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication.

The process of using MAC for authentication is depicted in the following illustration −




Pre-master secret


The pre-master key is the value you directly obtain from the key exchange (e.g. 

gab(modp) if using Diffie-Hellman). Its length varies depending on the algorithm and the parameters used during the key exchange.

To make things simpler, we would want a fixed-length value to derive the keys for any cipher suite we would want to use. This is the reason behind a pre master secret. The fixed-length value we'll call master secret




Trust makes all the difference in the world of online business. Investment in technology to protect customers and earn their trust is a critical success factor for any company that does business online or hosts an e-commerce website. 

The effective implementation of SSL certificates and correct placement and use of trust marks are proven tools in the establishment of customer trust.When you choose SSL, you can rest assured that your website and your reputation are protected by the CA with a proven track record and the most recognized trust mark on the Internet.

2 Comment(s)

15/09/2014, 12:08:31 PM

I must say, the Journal Blog is a fantastic addition to an already outstanding theme. Keep up the good work guys, it's amazing what you come up with for the Opencart community.

03/11/2014, 03:21:51 PM

Super Theme, I'm going to buy it for my handmade jewellery store.

15/09/2014, 12:08:54 PM

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam iaculis egestas laoreet. Etiam faucibus massa sed risus lacinia in vulputate dolor imperdiet. Curabitur pharetra, purus a commodo dignissim, sapien nulla tempus nisi, et varius nulla urna at arcu.

Leave a Comment