Cover V05, I10


Sidebar: Public Key Cryptography

The most widely used verification of both the client and server identity in SSL is based on RSA, a public key encryption algorithm. Public key encryption is based on the following principle. You have two keys, a public one and a private one. The public one, as the name indicates, may be known to anyone. The private key should only be known to the owner.

The trick is that a message that has been encrypted with one of these keys can only be decrypted by the other key. So, if someone wants to send you some private email, he or she can encrypt this message with your public key. Upon receipt, only you can decrypt it, because you are the only person who knows the private key.

If the sender wants to sign the message, he or she first encrypts it with his or her own private key. The result is then encrypted with your public key and sent to you. Upon receipt, you decrypt it with your private key, and you then need the sender's public key to recover the plaintext message.

The strength of the public key system is based on the fact that it is very hard to deduce one key from the other. Both are derived from a large prime number through a mathematical process. This, and the actual process of signing and verifying, which is far more complicated than explained here, is described in Schneier's Applied Cryptography. This method of encrypting is sometimes referred to as asymmetric encryption, because you need different keys for encrypting and decrypting.
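The sign-then-encrypt flow described above, as an added example that is not from the original article: textbook RSA over integers, following the sidebar's simplified model of signing as encryption with the private key. The primes, the message value and all function names are constructed for illustration; real RSA uses far larger primes plus padding and hashing.

```python
# Textbook RSA in the sidebar's simplified model. The primes are constructed
# toy values and there is no padding or hashing: illustration only.

def make_keypair(p, q, e=65537):
    """Derive a (public, private) key pair from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)

def apply_key(key, value):
    """Encrypting, decrypting, signing and verifying are the same operation."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this key's modulus")
    return pow(value, exponent, n)

def sign_then_encrypt(message, sender_private, recipient_public):
    signed = apply_key(sender_private, message)    # only the sender can produce this
    return apply_key(recipient_public, signed)     # only the recipient can undo this

def decrypt_then_verify(ciphertext, recipient_private, sender_public):
    signed = apply_key(recipient_private, ciphertext)
    return apply_key(sender_public, signed)        # recovers the plaintext

# Constructed keys. The sender's modulus is the smaller one, so a signed value
# always fits under the recipient's modulus; apply_key rejects it otherwise.
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(1009, 1013)
RECIPIENT_PUBLIC, RECIPIENT_PRIVATE = make_keypair(1019, 1021)

def demo(message=424242):
    ciphertext = sign_then_encrypt(message, SENDER_PRIVATE, RECIPIENT_PUBLIC)
    recovered = decrypt_then_verify(ciphertext, RECIPIENT_PRIVATE, SENDER_PUBLIC)
    return ciphertext, recovered

if __name__ == "__main__":
    ciphertext, recovered = demo()
    print("ciphertext:", ciphertext)
    print("recovered: ", recovered)
```

Because each key pair defines a one-to-one mapping over values below its modulus, a ciphertext altered in transit either fails the range check or verifies to a different message.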

Another form of encryption is symmetric encryption, meaning that encrypting and decrypting are done with the same key. An example of symmetric encryption is DES, which is available in a number of flavors.

In SSL, both forms of encryption are used. RSA is used to verify client and server and to exchange the encryption keys. Normal data is encrypted with some form of DES, using the key that was established during the initial handshake.