Here's the soap...
(1) The bulk of the data that is sent along any secured conversation is encrypted using a randomly-generated "symmetric" (that is, conventional) key. The conversation is encrypted using a well-known symmetric algorithm such as DES3 or AES. The reason for this is simple... speed. The randomly-generated key is produced using a cryptographically strong algorithm that produces "good" random numbers... it's therefore impractical to guess them. The key is used only for THIS conversation and it is never used again.
(2) Obviously, with a symmetric cipher, the correct randomly-generated key must be supplied to the other party in the conversation, and this key must be exchanged securely. The certificate provides the means for them to do this. The random key is sent as the payload of a message that is encrypted using the public-key that is provided in the certificate. For every public key, there is a corresponding (unknown) private key that is held, and closely guarded, by the owner of the certificate. Therefore, only the intended recipient can decrypt the message that contains the randomly-generated key. Upon doing so, both parties now have the correct random-key for this conversation and they can now begin to exchange information. If the conversation continues for a long time, the two parties might decide to "re-key," that is, switch to a new random symmetric-key on the fly.
(3) "Signing" is a method that can be used to avoid accidental use of forged certificates. The signature consists of a checksum that has been encrypted using some other "trusted" key held by a "certifying authority." The public-keys used by those authorities are known, and are used to verify the signature.
(4) I have only described the keying protocol... systems like SSL contain mechanisms that allow us to continuously verify that traffic being exchanged has not been intercepted or modified in transit, and that encrypted matter captured from some previous conversation is not being "re-played" and injected into the stream.
Last edited by sundialsvcs; 12-05-2006 at 06:26 PM.