How SSL provides authentication

 

During both client and server authentication there is a step that requires data to be encrypted with one of the keys in an asymmetric key pair and decrypted with the other key of the pair.

For server authentication, the client uses the server's public key to encrypt the data that is used to compute the secret key. The server can generate the secret key only if it can decrypt that data with the correct private key.

For client authentication, the server uses the public key in the client certificate to decrypt the data the client sends during step 5 of the handshake. The exchange of finished messages that are encrypted with the secret key (steps 7 and 8 in the overview) confirms that authentication is complete.

If any of the authentication steps fail, the handshake fails and the session terminates.
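The key-pair steps described above can be modelled in a few lines. This is an added example, not code from the product documentation. It uses textbook RSA with fixed toy primes and no padding, and real SSL/TLS also mixes random values into the key derivation. All function and variable names are hypothetical.

```python
# Added illustration: textbook RSA (no padding) with fixed toy primes.
# It models the key-pair steps only and must never protect real traffic.
import hashlib, hmac, secrets

E = 65537  # public exponent

def keypair(p, q):
    """Return (public, private) as ((n, E), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa(key, value):
    """Apply one key of a pair; only the other key of that pair reverses it."""
    n, exponent = key
    return pow(value, exponent, n)

def secret_key(premaster):
    # 64 bytes holds any value produced by the toy moduli below.
    return hashlib.sha256(premaster.to_bytes(64, "big")).digest()

def finished(key, transcript):
    # Stand-in for a finished message protected with the secret key.
    return hmac.new(key, transcript, hashlib.sha256).digest()

def server_authenticates(server_pub, server_priv, transcript=b"constructed handshake"):
    """Server authentication: data encrypted with the server's public key."""
    premaster = secrets.randbelow(server_pub[0] - 2) + 2
    sent = rsa(server_pub, premaster)                # client -> server
    client_key = secret_key(premaster)
    server_key = secret_key(rsa(server_priv, sent))  # needs the matching private key
    return hmac.compare_digest(finished(client_key, transcript),
                               finished(server_key, transcript))

def client_authenticates(client_pub, client_priv, transcript=b"constructed handshake"):
    """Client authentication: data produced with the client's private key."""
    digest = int.from_bytes(hashlib.sha256(transcript).digest()[:16], "big")
    proof = rsa(client_priv, digest)                 # client -> server
    return rsa(client_pub, proof) == digest          # public key from the client certificate

# Constructed sample keys (Mersenne primes keep the example short).
SERVER_PUB, SERVER_PRIV = keypair(2**127 - 1, 2**89 - 1)
CLIENT_PUB, CLIENT_PRIV = keypair(2**107 - 1, 2**61 - 1)
_, IMPOSTOR_PRIV = keypair(2**127 - 1, 2**61 - 1)

if __name__ == "__main__":
    print("genuine server:", server_authenticates(SERVER_PUB, SERVER_PRIV))
    print("impostor server:", server_authenticates(SERVER_PUB, IMPOSTOR_PRIV))
```

A party holding the wrong private key derives a different secret key or produces a proof that does not check out, which is the point at which the handshake fails.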

The exchange of digital certificates during the SSL handshake is part of the authentication process. For more information about how certificates provide protection against impersonation, refer to Digital certificates. The certificates required are as follows, where CA X issues the certificate to the SSL client, and CA Y issues the certificate to the SSL server:

For server authentication only, the SSL server needs:

and the SSL client needs:

If the SSL server requires client authentication, the server verifies the client's identity by checking the client's digital certificate against the public key of the CA that issued the personal certificate to the client, in this case CA X. For both server and client authentication, the SSL server needs:

and the SSL client needs:

Both the SSL server and the SSL client might need other CA certificates to form a certificate chain to the root CA certificate. For more information about certificate chains, refer to How certificate chains work.

 
