Trying to simplify and explain how SSL works. Hope I have not complicated it further.  

Let us consider that someone is trying to call me over the phone and he/she is going to talk to me for the first time. In this case, how does he/she understand that I am the person on the other side of the phone OR is he/she connecting to the right person? Not possible.  

Now if you are in a large organization and the organization maintains an updated directory which lists the contact person, his office location, extension number etc, this is one place for validation and you can be sure that you are reaching the person that you intended too.  

But still there is a chance that someone else might pick up the extension instead of the person you are looking for. Once you have reached the intended person, you will now require to be sure that your conversation is not heard or interpreted by a third party.

Similarly while accessing a website, how sure are we that we are accessing the website that we intended too and how sure are we that the information that we pass through is not read by anyone else?  

SSL is a solution that would give us an assurance to a great extent.  

I shall explain each step with reference to the below diagram.  

  

Server – Obtaining the certificate  

1. The server initiates a request for procuring a certificate from a trusted authority. This authority is called Certificate Authority (CA). Similar to Verisign, Thawte, Trustwave etc.  

2. The CA validates www.xyz.com after verifying related information.   

Client/Server – Establishing secure connection  

3. Client initiates a connection to www.xyz.com on the secure port, to check the website.  

4. Since the connection is initiated on the secure port, the server sends back it’s public key and the cipher it supports, back to the client.  

5. Now the client needs to verify if response was genuinely from www.xyz.com and that it is not from any person in the middle trying to give false information. The client contacts the certificate authority (CA) and provides www.xyz.com’s public key for verification.  

6. Let us consider the request been genuine. The certificate authority sends back the information (valid public key) to the client by encrypting the information using the CA’s private key. Now why is the encryption been done? The client just asked for a validation. The encryption is done to tell the client the CA is the one sending this information and the client call only decrypt it using the CA’s public key. This means the information is authentic and is sent by the CA itself.  

7. The client decrypts the information sent by the CA using CA’s public key and reads the message (valid public key).  

8. Now the client is happy that the public key of www.xyz.com is genuine. Next the client chooses the cipher and the symmetric key (password) that it needs to use for data encryption. The possible ciphers that can be used are received from the server at step 4. All this information is encrypted using the public key of www.xyz.com. Now why is this done? Encrypting the information using www.xyz.com’s public key means that only www.xyz.com can decrypt the information using its private key.  

9. www.xyz.com received the information, decrypts the information using its private key. Now the client and server are ready to transmit information which is encrypted using the chosen cipher and password.  

Step 3 – initiation of the connection  

Step 6 – confirmed that we are communicating with whom we want to communicate  

Step 8 – decided on protecting the data and hence chose the cipher and password  

Step 9 – secure communication established  

Hope this makes it clear and simple. If you have any questions or you feel that this can be further simplified, please do let me know.