Chapter 1
Overview of CSS SSL
SSL Cryptography Overview
Confidentiality
Confidentiality means that unintended parties cannot read the data. In a PKI,
confidentiality is achieved by encrypting the data. In SSL specifically, the bulk
of the data is encrypted with one or more symmetric keys that are known only to
the two endpoints. Because the symmetric key material originates at one or both
of the endpoints, it must be established securely between them. Secure
establishment of a symmetric key is generally achieved by one of two mechanisms:
key exchange or key agreement.
Key exchange (also called key transport) is the more common of the two mechanisms.
In key exchange, one device generates the symmetric key and then encrypts it
with an asymmetric encryption scheme before transmitting it to the other side.
Asymmetric encryption requires that each device have a public key and a private
key. The two keys are mathematically related: data encrypted with the public key
can be decrypted only with the private key, and, in RSA, data encrypted with the
private key can be decrypted with the public key (the property that digital
signatures rely on). The most commonly used key exchange algorithm is the
Rivest-Shamir-Adleman (RSA) algorithm.
In SSL, the client encrypts the secret from which the session's symmetric keys
are derived (the premaster secret) with the server's public key, which it takes
from the server's certificate. This ensures that the server's private key is the
only key that can decrypt the transmission. The security of asymmetric
encryption therefore depends entirely on the private key being known only to its
owner and to no other party. If the server's private key were compromised for any
reason, an attacker (a fraudulent Web user or Web site) could decrypt the message
carrying the secret and, with it, the entire data transfer. Because RSA key
exchange provides no forward secrecy, this also applies to sessions that were
recorded earlier and decrypted after the key was obtained.
In key agreement, the two sides involved in a data exchange cooperate to
generate a symmetric (shared) key; neither side chooses the key alone, and the
key itself is never transmitted. The most common key agreement algorithm is the
Diffie-Hellman algorithm. Diffie-Hellman depends on agreed public parameters (a
prime modulus and a generator) from which the client and the server each derive
a public value. The public values are exchanged, and each side combines the
peer's public value with its own private value to calculate the same shared key
locally.
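The following is an added illustration of the two mechanisms described above, key exchange (RSA key transport) and key agreement (Diffie-Hellman); it is example code written for this overview, not CSS software or Cisco code, and it uses deliberately small, self-generated parameters (64-bit to 128-bit numbers, textbook RSA without padding) so that it runs instantly offline. Production SSL uses far larger RSA moduli with PKCS#1 padding and standardized Diffie-Hellman groups. The function names (`key_exchange`, `key_agreement`, `validate_peer_value`) are this example's own.

```python
"""Key exchange (RSA key transport) versus key agreement (Diffie-Hellman).

Educational example added to this overview, not CSS code.  Parameters are
toy-sized (64/128-bit) and RSA is unpadded so it runs instantly; real SSL
uses PKCS#1-padded RSA and much larger Diffie-Hellman groups.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set (constructed for the demo)."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n


# ---- Key exchange: the client picks the secret, RSA carries it to the server ----

def rsa_keygen(bits=128):
    """Textbook RSA; returns (public (n, e), private (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def key_exchange(server_pub, server_priv):
    """Client generates the secret and sends it encrypted under the server's
    public key; only the holder of server_priv recovers it.
    Returns (client_secret, server_secret, value_seen_on_the_wire)."""
    n = server_pub[0]
    client_secret = secrets.randbelow(n - 2) + 1       # the "premaster secret"
    wire = rsa_encrypt(server_pub, client_secret)      # what an eavesdropper sees
    return client_secret, rsa_decrypt(server_priv, wire), wire


# ---- Key agreement: both sides contribute, the shared key never crosses the wire ----

def dh_group(bits=64):
    """Safe prime p = 2q + 1 and a generator g of the prime-order subgroup q."""
    while True:
        q = random_prime(bits - 1)
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    g = 2
    while pow(g, q, p) != 1:   # g = 4 at the latest has order q
        g += 1
    return p, q, g


def validate_peer_value(p, q, y):
    """Reject 0, 1, p-1 and other small-subgroup values before using them."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def key_agreement(p, q, g):
    """Each side keeps its exponent private; only g^x and g^y are exchanged.
    Returns (client_secret, server_secret, (client_pub, server_pub))."""
    x, y = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    client_pub, server_pub = pow(g, x, p), pow(g, y, p)
    if not (validate_peer_value(p, q, server_pub) and validate_peer_value(p, q, client_pub)):
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(server_pub, x, p), pow(client_pub, y, p), (client_pub, server_pub)


def derive_key(shared_secret):
    """Session key material is derived from the secret, never used raw."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    c, s, _ = key_exchange(pub, priv)
    p, q, g = dh_group()
    cs, ss, _ = key_agreement(p, q, g)
    print("RSA exchange agrees:", c == s, " DH agreement agrees:", cs == ss)
```

In the key-exchange half, `wire` is the only value an observer sees, and anyone who later obtains `server_priv` can turn it back into the secret, which is the private-key-compromise risk noted above. In the key-agreement half, the observer sees `client_pub` and `server_pub` but never the shared secret, and `validate_peer_value` is the check a practitioner adds so that a peer cannot force the result into a tiny subgroup by sending 1 or p-1.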
Cisco Content Services Switch SSL Configuration Guide
1-3
OL-5655-01