SSL is one method of securely authenticating and protecting data by encrypting it in such a way that in can only be unencrypted by the intended recipient. This is accomplished by a method known as public-key encryption (PKE).

The principal behind this is that each party possesses a pair of digital 'keys,' (numeric values used to encrypt and decrypt data) a public key and a private key. The public key is freely available to anyone who wishes to communicate, while the private key is kept, well, private.

Information encrypted with the public key can only be successfully decoded by the matching private key. The idea is that if you wish to create a secure connection between two computers, each would grab the other's public key and use that to encrypt the data that is sent between them. They would then use their individual private keys to decipher the data that had been encrypted with their freely available public key.

The disadvantage of public-key encryption is that encrypting and decrypting data in this way is rather slow, not a good thing for commercial communications. SSL therefore uses a hybrid method with elements of symmetrical encryption.

Symmetrical encryption uses a single key shared by both parties to secure the data. While faster than Public key encryption, it has some disadvantages. For one thing, the key to be used must be known to both parties before the connection is established in order to encrypt data, and if it is broken, the whole transfer is compromised. In contrast, with public key encryption, nothing is needed to form a connection besides the other computer's freely available public key.

SSL uses public key encryption to form the initial secure connection, then uses faster symmetrical key encryption to transfer the majority of the data. Only one side of the connection (the 'merchant' or server side) needs to possess a public/private key pair.

The public key is transferred to any clients who request it by means of a digital certificate, a method of validation which both confirms the identity of the server and passes the public key over to allow the encryption process to begin. When a company wishes to secure a portion of its website with SSL, it must obtain one of these certificates from a valid certificate authority.

Now technically, anyone can generate a valid certificate with freely available software, but since SSL is often used commercially, a method is needed to put customer's minds at ease and verify that the merchant web sites using SSL are using proper and secure key values, and that they are who they say they are.

This is where third-party certificate authorities such as Verisign come in. For a certain amount of money, a company can obtain a valid digital certificate from Verisign, complete with a public/private key pair. This certificate can then be distributed to clients when they attempt to access secured sections of the company's site.

Verisign guarantees the authenticity of the certificate, and the Client's web browser can check this automatically when it downloads the certificate.