This is very basic. This will help in case you are just starting with SSL. I have kept things simple to make it easy to understand. For folks seeking more in depth details, i will cover each area in more details in follow up blogs.
SSL \ TLS is protocol to communicate securely between 2 system\computers. It works at transport layer. The 2 system can be client to server, server to server. SSL use PKI – public key infrastructure.
PKI uses concept of private key and public key. As name suggest – private key is private and kept securely with entity (can be either server or client) it belongs to. Let call this entity 1. Entity 1 will distribute its public key to everyone. Private key and public key are unique pair, complex mathematical algorithm is used to generate the pair. So its impossible to reverse engineer private key from public key.
If you encrypt message using public key, it can only be decrypted with private key and vice versa.
So when entity 2 wants to send secure message to entity 1. Entity 2 uses entity 1’s public key (which is publicly available) to encrypt message. So only entity 1 which has private key can decrypt the message.
Conversely, entity 1 can sign message with its private key so that when entity 2 received it use entity 1’s public key to valid the message is indeed coming from entity 1.
So this simple.
But there is loop hole in this, public key are exchanged on internet. Communication between 2 systems passes through lot of intermediate entities (router, other servers), so how do know for sure that public of entity 1 is true entity 1’s public key. There would intermediate entity 3 which can represent itself to be entity 1, and provide it public key as entity 1’s public key. This man in the middle (MITM) attach. (more detailed explanation is at http://en.wikipedia.org/wiki/Man-in-the-middle_attack)
So we require neutral 3 party entity that can be trusted on the internet. Those entities are called Certificate Authority (CA). Verisign, Geotrust, Comodo etc are some of CA out there. We understand CA, which try to resolve MITM issue.
All CAs have cert publicly available and distributed with installation of software. There is list of CA already included in all browsers, Java installations. If you are interest you can google to find how to look at CAs in our browser and java. This is called as trust store, so store of all the Cert Authorities that software or entity trusts.
So what difference between Cert and Public key? In simple term certificate is nothing but entity’s public key which is signed by CA and has some additional information regarding usage of that certificate. Certificate has information as to which CA signed it and CA’s own public certificate or key. It also has information when certificate was issued and till when its validate.
So now coming back to MTIM attack. So instead of distributing public key, we take entity 1’s public key sent to CA like Verisign to get public certificate. And distribute that public certificate instead of public key. So Verisign is vouching that this is public certificate belonging only to entity 1.
So when entity 2 receives entity 1’s public certificate it does following
1. Get the entity’s CA from certificate.
2. Validate if that CA is present in Trust Store.
3. Validate if certificate is valid (not expired etc, there are few more things it will check but not going into details at this point).
If the presented certificate is valid, it initiate the communication.
In case MITM attack is avoided because CA will never (almost likely) issue certificate to entity 3 saying ti entity 1.
Https is nothing but http protocl that use SSL protocol to secure http communication between 2 system.