Hi, I'm Bob Flynn, from Palo Alto Networks. I'm a Technical Training Engineer here at Palo Alto Networks. I want to talk to you today about how we use SSL certificates and secure web communication.

So, let's take an example of a user, Bob, trying to go to his online bank, Goliath Bank, to do his online banking. There are two things that Bob wants to make sure: he wants to make sure first that all of his communication when he talks to his bank is going to be secure. The second thing he wants to make sure is that all the information that he sends is actually to the bank. So, he wants to make sure that he can secure the identity of the bank and have security for his transaction. Those are the two things that the SSL certificate will provide for us: security and identification.

So, let's take a look at what information is contained on the certificate, on an SSL certificate. There's lots of information that's contained on there and I want to draw it out for you so you can see all the pieces.

The certificate first contains information about the issuer of the certificate. The issuer of the certificate is either going to be trusted or untrusted. So, as an example, if I go into my doctor's office and I see a diploma hanging on the wall, the diploma is basically a certificate of graduation. If it's from Princeton or Harvard or something like that, I feel pretty confident that my doctor is a good doctor. If his certificate is from Bob's online medical school and auto parts store, I probably don't have that same level of confidence in my doctor or in the certificate at that point. So, if the issuer is trusted by the browser, then everything goes fine. If the issuer is not recognized, if it's from Bob's auto parts store or in medical school, then the browser will put up a warning, a certificate warning that pops up.

The next piece of information you're going to have is information about the key issuer.
You're also going to have validity dates, from and to dates that the certificate is valid from. So, certificates expire after a year or three years or things like that. If the issuer, the key or the expiration date is not enlightened, then again you'll get certificate warnings.

The next piece of information you're going to get is information about the subject. The subject information is: who the certificate was issued to, what server it goes on, what the certificate can be used for. In our case, identity, and encryption and decryption.

Then, the next piece of information you're going to have is actually a public key. The public key is going to be used during the transfer of information during the SSL setup. We're going to walk through that step-by-step here in just a minute.

Then the last piece of information is actually a signature. The signature is actually just a hash and this signature hash represents all of the information contained on the certificate. If anything has been changed, for instance, the to or from dates or the certificate is loaded on the wrong server or somebody has tried to change the subject, then the hash will no longer match and again you'll get a certificate pop-up or a warning that there's something wrong.

Now, what I'd like to do is take a look at how all of this information is used during an SSL session setup. Too far in it. Are you okay? All right.

So, when Bob wants to do his online banking, he opens his browser and goes to goliathbank.com. As a secure connection, it's going to be https://goliathbank.com. The first thing Bob's going to do, or his browser is going to do, is say, "Hey, let's do SSL together." Bob's browser is going to send three pieces of information to the server at Goliath Bank. He's going to send the key algorithms he can support, the ciphers he can support, and a message hash to authenticate messages that are sent.
He sends that to Goliath Bank, Goliath Bank chooses one of each from all of those three different categories and then sends his certificate and a public key. The certificate contains all the information we just talked about earlier as well as a public key. The public key is sent to Bob's browser, and Bob validates the information, or more specifically his browser does: checks the issuer, the validity dates, makes sure that this certificate actually belongs on that server, makes sure that the signature hash matches all the information.

As long as everything is okay, then what Bob's browser will do is he will send a session key that's encrypted within the public key that was sent by Goliath Bank. This session key is sent over the Internet so that now, both Goliath Bank and Bob's browser have the same session key and all the information is now sent using that key to encrypt and decrypt the traffic.

So, this is how SSL certificates are used in secure web communication. Thank you guys for listening. If you need any additional information, please feel free to check out paloaltonetworks.com, Wikipedia, YouTube has some great videos on this, and make sure you also check out all of our other great videos. Thank you very much.