First, some quotation from Microsoft TechNet's Managing Microsoft Certificate Services and SSL:
To recap, secure SSL sessions are established using the following technique:
The user's Web browser contacts the server using a secure URL.
The IIS server sends the browser its public key and server certificate.
The client and server negotiate the level of encryption to use for the secure communications.
The client browser encrypts a session key with the server's public key and sends the encrypted data back to the server.
The IIS Server decrypts the message sent by the client using its private key, and the session is established.
Both the client and the server use the session key to encrypt and decrypt transmitted data.
So, basically speaking, the SSL use the asymmetric encryption (public/private key pair) to deliver the shared session key, and finally achieved a communication way with symmetric encryption.
Is this right?
I am using IIS to host my websites. Suppose I have multiple sites on my single machine, and I want the client brower to use SSL URL to connect my sites. How many certificates do I need? Which of the following approach should I take?
1 - Apply for a single certicate and associate it to my single server machine which hosts mutiple sites.
2 - Apply for several certificates and associate each of my sites with its own certificate.
In IIS7, it seems I could only do approach 1.
I figure it out. I could install mutiple certificates on my server machine and bind each site with seperate certificate as necessary.
SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session between a client and a server, and symmetric encryption is used to exchange data within the secured session.
Asymmetric and symmetric encryption are typically used together: use an asymmetric algorithm such as RSA to securely send someone an AES (symmetric) key. The symmetric key is called the session key; a new session key may be retransmitted periodically via RSA. This approach leverages the strengths of both cryptosystems.
In two-way SSL authentication, the client application verifies the identity of the server application, and then the server application verifies the identity of the client application. Both parties share their public certificates, and then validation is performed.
SSL uses port number 443, encrypting data exchanged between the browser and the server and authenticating the user. Therefore, when the communications between the web browser and server need to be secure, the browser automatically switches to SSL — that is, as long as the server has an SSL certificate installed.
Yes, that's right. Asymmetric encryption is necessary to verify the others identity and then symmetric encryption gets used because it's faster.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With