In this blog post, we’ll explain the basic concepts and process of SSL communication in simple terms using a real-life example of online shopping.

Why Is SSL Necessary?

With the widespread adoption of smartphones and the ability to connect to the internet anytime, anywhere becoming part of our daily lives, the need to securely protect personal and financial information has become more critical than ever. Recent large-scale data breaches clearly demonstrate how easily the data we transmit can be exposed over the network. In this environment, if you see “https://” instead of “http://” in a website’s address bar, it indicates that the communication between you and the website is secured, and one of the core technologies behind this security is SSL (Secure Sockets Layer).
Simply put, SSL is a technology that encrypts data transmitted over a network to protect it from eavesdropping and tampering. Many websites use HTTPS to securely exchange data between users and servers, and it is essential especially when exchanging sensitive information, such as in online shopping or internet banking.

Encryption Methods: Symmetric-Key and Asymmetric-Key

Encryption methods are broadly divided into symmetric-key and asymmetric-key methods. Symmetric-key encryption is a method that encrypts information using a single secret key and decrypts it using the same key. Just like the relationship between a lock and a key in real life, anyone who knows the key can read the encrypted content. It has the advantages of fast processing speed and simple implementation.
In contrast, asymmetric encryption uses a different public key for encryption and a private key for decryption. The issuer creates a pair of public and private keys and widely distributes the public key to others. Since content encrypted with the public key can only be decrypted with the corresponding private key, a high level of confidentiality is ensured if the private key is kept secure. However, the calculations are complex, resulting in relatively slower speeds.
SSL combines the strengths and weaknesses of these two methods. Asymmetric encryption is used for security-sensitive but brief computational processes, such as server authentication and session key exchange, while actual data transmission uses fast symmetric-key encryption to achieve both efficiency and security.

How SSL Communication Works — An Example Using an Online Store

Let’s examine how SSL works using a typical online shopping scenario. Suppose a student named Ms. CM enters her information to purchase clothes on the online shopping site “12th Street” and clicks the “Purchase” button. During this process, sensitive information such as credit card numbers is transmitted; if the shopping site is a fake, impersonating a legitimate one, Ms. CM’s information could be stolen. To prevent this problem, SSL first goes through a server authentication phase.
The initial process by which the client (CM) and server (12th Street) establish a connection is called a “handshake,” during which they verify each other’s status. During the handshake, the client sends a message to the server indicating that it “wants a secure connection,” and the server transmits its certificate and public key. This certificate is issued by a trusted Certificate Authority (CA) and guarantees that the server’s public key is linked to the server’s identity. The client verifies the certificate to confirm that this public key belongs to the genuine 12th Street, and then proceeds with the communication with confidence.
The next step is the process of sharing the keys that will be used for the actual encrypted communication. The client generates a token known only to both parties (e.g., a pre-agreed secret value or ‘pre-master secret’) and encrypts it using the server’s public key before sending it. The server decrypts this using its private key to retrieve the token, and both parties use this value to generate the symmetric keys to be used in the session. This ensures that even if an eavesdropper intercepts the message in the middle, they cannot generate the subsequent symmetric keys without the token.
The session keys actually used in SSL are typically divided into four types. These are: a key for encrypting data sent by the client, a key for encrypting data sent by the server, a key for verifying the integrity and origin of messages sent by the client, and a key for verifying the integrity and origin of messages sent by the server. In other words, the system consists of two types of keys for encryption and two types of keys for message verification, ensuring the confidentiality, integrity, and authenticity of the communication.
In practice, when exchanging messages, each party appends its own verification information to the data it sends, encrypts it, and transmits it. The receiving party decrypts the data and verifies this information to confirm that the message has not been tampered with or forged during transmission. This process prevents anyone from modifying or forging the message in transit.

Summary and Personal Precautions

In summary, SSL communication is a method that authenticates the identity of the other party and encrypts data using a session key known only to the two parties. This prevents third parties from reading or altering the data content and verifies both the origin and integrity of the message. However, attackers’ methods continue to evolve, and security technologies are advancing accordingly.
In a lifestyle where we are constantly connected via smartphones, personal information can be widely dispersed, and there are many cases where authorized institutions or service providers legally collect and use such information. Alongside efforts to strengthen technical security, it is paramount for users to recognize the importance of their information and develop the habit of verifying whether a site is trustworthy.