SSL Cryptography uses Public Key Cryptography which requires asymmetric keys to encrypt and decrypt data sent between a server and a client—typically a website and a browser, or a mail server and a mail client, like Microsoft Outlook.
The history of SSL, or Secure Sockets Layer, is closely intertwined with the history of the internet. In fact, the first viable version of SSL was released as SSL 2.0 in 1995 by the internet browser Netscape and upgraded to SSL 3.0 in 1999 before being deprecated due to several vulnerabilities. Then it was replaced by TLS, or Transport Layer Security, which is now considered a more secure version of SSL. However, many people still refer to TLS (the current internet security protocol in use) as SSL, and often the terms are used interchangably.
Learn more about the Evolution of TLS/SSL cryptography here.
TLS/SSL cryptography and encryption is most widely used to secure websites across the internet and is the reason you see HTTPS in your browser address bar. TLS/SSL encrpytion also secures sensitive information such as credit card numbers, social security numbers, and login credentials while in transit. To establish this connection, the browser and the server need a digital certificate, also known as a TLS/SSL certificate.
The technology at work behind the scenes of TLS/SSL encryption includes asymmetric and symmetric keys. These public and private keys are made up of different types of algorithms such as RSA and Elliptic Curve Cryptography (ECC), which make them virtually impossible to crack.
Asymmetric encryption, also known as Public Key Cryptography or SSL Cryptography, uses two separate keys for encryption and decryption. With asymmetric encryption, anyone can use the public key to encrypt a message. However, decryption keys are kept private. This way only the intended recipient can decrypt the message.
The most common asymmetric encryption algorithm is RSA. RSA stands for Ron Rivest, Adi Shamir, and Leonard Adleman— the men who first publicly used the algorithm in 1977. Asymmetric keys are typically 1024- or 2048-bits. However, keys smaller than 2048-bits are no longer considered safe to use. 2048-bit keys have plenty of unique encryption codes with 617 digits in use.
Though larger keys can be created, the increased computational burden is so significant that keys larger than 2048 bits are rarely used. To put it into perspective, it would take an average computer more than 14 billion years to crack a 2048-bit certificate.
Symmetric encryption (or pre-shared key encryption) uses a single key to both encrypt and decrypt data. Both the sender and the receiver need the same key to communicate. Symmetric key sizes are typically 128 or 256 bits—the larger the key size, the harder the key is to crack. For example, a 128-bit key has 340,282,366,920,938,463,463,374,607,431,768,211,456 encryption code possibilities. As you can imagine, a ‘brute force’ attack (in which an attacker tries every possible key until they find the right one) would take quite a bit of time to break a 128-bit key. Whether a 128-bit or 256-bit key is used depends on the encryption capabilities of both the server and the client software. TLS/SSL certificates do not dictate what key size is used.
Since asymmetric keys are bigger than symmetric keys, data that is encrypted asymmetrically is tougher to crack than data that is symmetrically encrypted. However, this does not mean that asymmetric keys are better. Rather than being compared by their size, these keys should be compared by the following properties: computational burden and ease of distribution.
Symmetric keys are smaller than asymmetric, so they require less computational burden. However, symmetric keys also have a major disadvantage—especially if you use them for securing data transfers. Because the same key is used for symmetric encryption and decryption, both you and the recipient need the key. If you can walk over and tell your recipient the key, this isn’t a huge deal. However, if you have to send the key to a user halfway around the world (a more likely scenario) you need to worry about data security.
Asymmetric encryption doesn’t have this problem. As long as you keep your private key secret, no one can decrypt your messages. You can distribute the corresponding public key without worrying who gets it. Anyone who has the public key can encrypt data, but only the person with the private key can decrypt it.
Public Key Infrastructure (PKI) is the set of hardware, software, people, policies, and procedures that are needed to create, manage, distribute, use, store, and revoke digital certificates. PKI is also what binds keys with user identities by means of a Certificate Authority (CA). PKI uses a hybrid crypto-system and benefits from using both types of encryptions. For example, in TLS/SSL communications, the server’s TLS certificate contains an asymmetric public and private key pair. The session key that the server and the browser create during the SSL Handshake is symmetric.