Hi, I'm Bob Flynn from Palo Alto Networks. I'm a technical training engineer here at Palo Alto Networks, and I want to talk to you today about how we use SSL certificates in secure web communication.

Let's take an example of a user, Bob, trying to go to his online bank, Goliath Bank, to do his online banking. There are two things that Bob wants to make sure of. He wants to make sure first that all of his communication when he talks to his bank is going to be secure. The second thing he wants to make sure of is that all the information that he sends actually goes to the bank. He wants to make sure that he can confirm the identity of the bank and have security for his transaction. Those are the two things that the SSL certificate will provide for us: security and identification.

Let's take a look at what information is contained in an SSL certificate. There's lots of information contained on there, and I want to draw it out for you so you can see all the pieces. The certificate first contains information about the issuer of the certificate. The issuer of the certificate is either going to be trusted or untrusted. As an example, if I go into my doctor's office and I see a diploma hanging on the wall, the diploma is basically a certificate of graduation. If it's from Princeton or Harvard or something like that, I feel pretty confident that my doctor is a good doctor. If his certificate is from Bob's Online Medical School and Auto Parts Store, I probably don't have that same level of confidence in my doctor, or in the certificate at that point. If the issuer is trusted by the browser, then everything goes fine. If the issuer is not recognized, if it's from Bob's Auto Parts Store and Medical School, then the browser will put up a warning, a certificate warning that pops up.

The next piece of information you're going to have is information about the key issuer. You're also going to have validity dates, the from and to dates between which the certificate is valid. They typically expire after a year or three years or things like that. If the issuer, the key or the expiration date is not in line, then again, you'll get certificate warnings.

The next piece of information you're going to get is information about the subject. The subject information is who the certificate was issued to, what server it goes on, and what the certificate can be used for, in our case identity and encryption/decryption. Then the next piece of information you're going to have is actually a public key. The public key is going to be used during the transfer of information during the SSL setup. We're going to walk through that step by step here in just a minute.

Then the last piece of information is actually a signature. This signature is actually just a hash. This signature hash represents all of the information contained on the certificate. If anything has been changed, for instance the to or from dates, or the certificate is loaded on the wrong server, or somebody has tried to change the subject, then the hash will no longer match. Again, you'll get a certificate pop-up or a warning that there's something wrong.

Now, what I'd like to do is take a look at how all of this information is used during an SSL session setup. When Bob wants to do his online banking, he opens his browser and goes to goliathbank.com. As a secure connection, it's going to be https://goliathbank.com. The first thing Bob is going to do, or his browser is going to do, is say, "Hey, let's do this SSL together." Bob's browser is going to send three pieces of information to the server at Goliath Bank. He's going to send the key algorithms he can support, the ciphers he can support, and a message hash to authenticate messages that are sent. He sends that to Goliath Bank; Goliath Bank chooses one of each from those three different categories and then sends its certificate and a public key.

The certificate contains all the information we just talked about earlier, as well as a public key, and the public key is sent to Bob's browser. Bob validates the information, or more specifically, his browser does. It checks the issuer, the validity dates, makes sure that this certificate actually belongs on that server, and makes sure that the signature hash matches all the information. As long as everything is okay, then what Bob's browser will do is send a session key that's encrypted with the public key that was sent by Goliath Bank. This session key is sent over the Internet so that now both Goliath Bank and Bob's browser have the same session key, and all the information is now sent using that key to encrypt and decrypt the traffic.

This is how SSL certificates are used in secure web communication. Thank you guys for listening. If you need any additional information, please feel free to check out paloaltonetworks.com or Wikipedia; YouTube also has some great videos on this. Make sure you also check out all of our other great videos. Thank you very much.
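The four checks the browser performs in the talk (trusted issuer, validity dates, certificate belongs on that server, signature matches the contents) can be exercised end to end with Go's standard `crypto/x509` package. The program below is an added example, not code from the talk or from Palo Alto Networks. It constructs its own throwaway issuers ("Example Trusted Root CA" stands in for a CA the browser's root store trusts; "Bob's Online Medical School and Auto Parts Store" is the untrusted one from the talk), issues certificates for goliathbank.com, and runs each failure case from the talk through the same validation call a TLS client uses. The hostname goliathbank.example is a constructed stand-in for "the wrong server".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed issuer (a constructed stand-in for a root CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issue signs a server certificate for host under ca. It carries the pieces the
// talk lists: issuer, subject, validity dates, allowed uses and the server's
// public key, all covered by the issuer's signature.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) *x509.Certificate {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the server this certificate belongs on
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &serverKey.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// validate is the browser's side: trusted issuer, dates, host match, signature.
func validate(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// tamper flips one byte of the signed contents, as if the subject or dates had
// been edited after issuance; the issuer's signature then no longer matches.
func tamper(cert *x509.Certificate) *x509.Certificate {
	t := *cert
	t.RawTBSCertificate = append([]byte(nil), cert.RawTBSCertificate...)
	t.RawTBSCertificate[len(t.RawTBSCertificate)-1] ^= 0x01
	return &t
}

// Scenarios reports, per case, whether the browser would accept the certificate.
func Scenarios() map[string]bool {
	now := time.Now()
	trusted, trustedKey := newCA("Example Trusted Root CA")
	shady, shadyKey := newCA("Bob's Online Medical School and Auto Parts Store")
	roots := x509.NewCertPool() // the browser's root store: only the trusted CA
	roots.AddCert(trusted)

	good := issue(trusted, trustedKey, "goliathbank.com", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	untrusted := issue(shady, shadyKey, "goliathbank.com", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	expired := issue(trusted, trustedKey, "goliathbank.com", now.Add(-48*time.Hour), now.Add(-24*time.Hour))

	return map[string]bool{
		"trusted issuer, valid dates, right host": validate(good, roots, "goliathbank.com", now) == nil,
		"issuer not in the browser's root store":  validate(untrusted, roots, "goliathbank.com", now) == nil,
		"expired certificate":                     validate(expired, roots, "goliathbank.com", now) == nil,
		"certificate loaded on the wrong server":  validate(good, roots, "goliathbank.example", now) == nil,
		"contents changed after signing":          validate(tamper(good), roots, "goliathbank.com", now) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-42s accepted=%v\n", name, ok)
	}
}
```

Only the first scenario is accepted; each of the others is the concrete condition behind one of the "certificate warning" pop-ups described in the talk. Note that `Verify` checks the hostname against the certificate's subject alternative names, which is what a current browser does as well.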
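The last handshake step in the talk, where the browser encrypts a session key with the public key from the certificate and both sides then use that key for the traffic, is the RSA key-transport exchange of older SSL/TLS versions. The program below is an added example, not code from the talk or from Palo Alto Networks, modelling that exchange with Go's standard library: RSA-OAEP wraps a random 256-bit session key, the server unwraps it with its private key, and AES-256-GCM then protects each message, with the GCM tag playing the role of the per-message authentication hash the browser and server negotiated. The server key pair, the OAEP label and the request text are constructed for this example. TLS 1.3 no longer transports the session key this way (it derives it from an ephemeral key agreement instead), but the shape of "agree on a secret, then encrypt with it" is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped blob to its purpose (constructed value for this example).
var oaepLabel = []byte("session-key")

// Server holds the key pair whose public half is shipped inside the certificate.
type Server struct{ key *rsa.PrivateKey }

func NewServer() *Server {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Server{key: k}
}

// PublicKey is the key the browser takes from the validated certificate.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// BrowserWrapSessionKey is the browser's step: pick a fresh random session key
// and encrypt it with the server's public key (RSA-OAEP). Only the holder of
// the matching private key can recover it.
func BrowserWrapSessionKey(pub *rsa.PublicKey) (session, wrapped []byte, err error) {
	session = make([]byte, 32) // AES-256 key
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, oaepLabel)
	return session, wrapped, err
}

// UnwrapSessionKey is the server's step: recover the session key with the private key.
func (s *Server) UnwrapSessionKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, wrapped, oaepLabel)
}

func newGCM(session []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(session)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one message with the shared session key (AES-256-GCM). The
// GCM tag is what lets the receiver detect any modification in transit.
func Seal(session, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prefixed to the ciphertext
}

// Open decrypts and verifies a sealed message; a modified message is rejected.
func Open(session, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RoundTrip runs the exchange end to end and returns what the server decrypted.
func RoundTrip(request string) (string, error) {
	srv := NewServer()
	browserKey, wrapped, err := BrowserWrapSessionKey(srv.PublicKey())
	if err != nil {
		return "", err
	}
	serverKey, err := srv.UnwrapSessionKey(wrapped) // both ends now hold the same key
	if err != nil {
		return "", err
	}
	sealed, err := Seal(browserKey, []byte(request))
	if err != nil {
		return "", err
	}
	plain, err := Open(serverKey, sealed)
	return string(plain), err
}

func main() {
	out, err := RoundTrip("show balance for account 1234") // constructed request
	fmt.Println(out, err)
}
```

The wrapped session key is useless to anyone who only saw the certificate's public key, and a server holding a different private key cannot unwrap it, which is why the identity check on the certificate has to come first: the browser is about to trust whoever holds the private key matching that certificate.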