Java security, Part 1: Crypto basics
9. SSL/TLS: Securing C/S communication
  


What is Secure Sockets Layer/Transport Layer Security?


Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols for establishing a secure communications channel between a client and a server. The protocol authenticates the server to the client and, less commonly, the client to the server (using a client certificate). Users most often meet it in a browser, where the lock icon indicates that SSL/TLS is in effect for the current page.

TLS 1.0 (RFC 2246) is a minor revision of SSL 3.0: it identifies itself on the wire as version 3.1 and is sometimes referred to as SSL 3.1, although the two protocols do not interoperate directly.

SSL/TLS combines three of the cryptographic building blocks already discussed in this tutorial: public-key cryptography (carried in a certificate) to authenticate the server and exchange a secret, a symmetric cipher to encrypt the traffic, and a message-authentication code to protect its integrity. All of this is transparent to the user. Here is a simplified version of the protocol:

  • When a request is made to a site using SSL/TLS (usually with an https:// URL), the server sends its certificate to the client. The client verifies the certificate chain against the public CA certificates installed in its trust store, checks that the certificate is within its validity period, and then checks that the host name in the certificate (the CN or a subjectAltName DNS entry) matches the host name the client intended to connect to. That last check is what ties the key to the site: a valid CA signature alone says nothing about which server you are actually talking to.

  • The client generates a random premaster secret, encrypts it with the server's public key taken from the certificate, and sends it to the server. The server decrypts it with its private key, so both sides now hold the same secret even though it never crossed the wire in the clear. From the premaster secret and the random values exchanged in the handshake, each side independently derives the same symmetric session keys. The RSA algorithm is usually used for this phase. The alternative is a Diffie-Hellman exchange in which the server's private key signs the exchange rather than decrypting the secret; this gives forward secrecy, because a later compromise of the server's private key does not expose previously recorded sessions.

  • The client and server then communicate using the session key and a symmetric (private-key) cipher, which was usually RC4 when this tutorial was written. A message-authentication code, computed with a separate MAC key, is used to ensure the integrity of each record. RC4 has since been shown to be weak and is prohibited in TLS by RFC 7465; current deployments use AES.
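The three phases above, carried through in code for both sides of the connection. This is an added example written for this page, not code from the tutorial or from JSSE. It models an RSA-key-exchange handshake: the "certificate" is a stand-in holding only a host name and public key (no CA signature is verified), the key derivation uses HMAC-SHA256 as a simplified stand-in for the TLS PRF with a single shared key for both directions, and the record layer uses AES-128-CBC with an encrypt-then-MAC HMAC-SHA256 in place of RC4 and the MAC-then-encrypt layout TLS 1.0 actually uses. Class names, labels and the host name www.example.com are assumptions. It runs with only the JDK.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Toy model of the three SSL/TLS phases (RSA key exchange); not a TLS implementation. */
public class TlsRsaToyHandshake {
    static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for an X.509 certificate: host name plus the server's public key (no CA signature). */
    static final class ToyCertificate {
        final String hostName; final PublicKey publicKey;
        ToyCertificate(String h, PublicKey k) { hostName = h; publicKey = k; }
    }

    /** Session keys both sides derive from the same secret material; one direction only, for brevity. */
    static final class SessionKeys {
        final SecretKeySpec encKey, macKey;
        SessionKeys(byte[] master) throws Exception {
            encKey = new SecretKeySpec(prf(master, "client write key"), 0, 16, "AES"); // AES-128
            macKey = new SecretKeySpec(prf(master, "client write MAC key"), "HmacSHA256");
        }
    }

    /** Simplified PRF (HMAC-SHA256 over label || seeds); the real TLS PRF is defined in RFC 2246. */
    static byte[] prf(byte[] secret, String label, byte[]... seeds) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        mac.update(label.getBytes(StandardCharsets.US_ASCII));
        for (byte[] s : seeds) mac.update(s);
        return mac.doFinal();
    }

    /** Record = IV || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext). */
    static byte[] protect(SessionKeys k, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16]; RNG.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, k.encKey, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(plaintext);
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(k.macKey);
        hmac.update(iv); hmac.update(ct);
        byte[] tag = hmac.doFinal();
        return ByteBuffer.allocate(iv.length + ct.length + tag.length).put(iv).put(ct).put(tag).array();
    }

    static byte[] unprotect(SessionKeys k, byte[] record) throws Exception {
        int ivLen = 16, tagLen = 32;
        byte[] iv = Arrays.copyOfRange(record, 0, ivLen);
        byte[] ct = Arrays.copyOfRange(record, ivLen, record.length - tagLen);
        byte[] tag = Arrays.copyOfRange(record, record.length - tagLen, record.length);
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(k.macKey);
        hmac.update(iv); hmac.update(ct);
        // Check the MAC in constant time BEFORE decrypting anything.
        if (!MessageDigest.isEqual(hmac.doFinal(), tag)) throw new SecurityException("MAC verification failed");
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, k.encKey, new IvParameterSpec(iv));
        return aes.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Server's long-term RSA key pair; in practice the public half lives in a CA-signed certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeyPair = kpg.generateKeyPair();
        ToyCertificate cert = new ToyCertificate("www.example.com", serverKeyPair.getPublic()); // assumed host

        // Phase 1: client checks the certificate's host name against the host it meant to reach.
        String intendedHost = "www.example.com";
        if (!cert.hostName.equalsIgnoreCase(intendedHost)) throw new SecurityException("host name mismatch");

        // Phase 2: client makes a random premaster secret and encrypts it with the server's public key.
        byte[] clientRandom = new byte[32], serverRandom = new byte[32], premaster = new byte[48];
        RNG.nextBytes(clientRandom); RNG.nextBytes(serverRandom); RNG.nextBytes(premaster);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, cert.publicKey);
        byte[] clientKeyExchange = rsa.doFinal(premaster);      // the only secret-bearing message on the wire
        rsa.init(Cipher.DECRYPT_MODE, serverKeyPair.getPrivate());
        byte[] serverPremaster = rsa.doFinal(clientKeyExchange); // server recovers the same 48 bytes

        // Both sides run the same derivation, so they hold identical session keys that were never sent.
        SessionKeys clientSession = new SessionKeys(prf(premaster, "master secret", clientRandom, serverRandom));
        SessionKeys serverSession = new SessionKeys(prf(serverPremaster, "master secret", clientRandom, serverRandom));

        // Phase 3: application data protected by the symmetric cipher plus the keyed MAC.
        byte[] request = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] record = protect(clientSession, request);
        System.out.print(new String(unprotect(serverSession, record), StandardCharsets.US_ASCII));

        // Flipping a single ciphertext bit must be caught by the MAC, not silently decrypted to garbage.
        record[20] ^= 1;
        try { unprotect(serverSession, record); throw new AssertionError("tampering not detected"); }
        catch (SecurityException expected) { System.out.println("tampered record rejected: " + expected.getMessage()); }
    }
}
```

Compile and run with `javac TlsRsaToyHandshake.java && java TlsRsaToyHandshake`. Two points the tutorial's prose glosses over show up directly here: the host-name comparison is a separate step from the cryptography and is the only thing binding the key to the site, and the MAC is verified before any decryption so that a tampered record is rejected outright rather than fed to the application.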
