This is an abstract version of the SSL protocol. C -> S means a message sent from Client to Server. E(plain-text)key means the result of encrypting plain-text with key. MAC(x, y, z) ("message authentication code") means the result of running a hash function with x+y+z as input. Typically x is a secret, and the rest of the input is plain-text. 1. C -> S, ClientHello: client_version, client_random, client_cipher_list 2. C <- S, ServerHello: server_version, server_random, server_cipher_list 3. C <- S, ServerCertificate: server_certificate_list 4. C -> S, ClientKeyExchange: E(pre_master_secret)ServerPubKey 5. C -> S, ChangeCipherSpec: client_cipher 6. C -> S, Finished: MAC(master_secret, all messages) 7. C <- S, ChangeCipherSpec: server_cipher 8. C <- S, Finished: MAC(master_secret, all messages) 9. C -> S, Data: length, E(data)client_write_key, MAC(see below) 10. C <- S, Data: length, E(data)server_write_key, MAC(see below) The server's certificate contains the server's public key (ServerPubKey), cryptographically signed by a certificate authority such as Verisign. Something like this: info = "Amazon", amazon's ServerPubKey, expiration date, authority's name certificate = info, E(hash(info))AuthorityPrivateKey The pre_master_secret is a random value chosen by the client. The master_secret is a value computed by both client and server after step 4. An abbreviated version of the computation: master_secret = hash(pre_master_secret, client_random, server_random) If all goes well, the client and server will compute the same master_secret. They then chop up the master secret (more or less) to produce symmetric cipher keys and authentication MAC keys: client_write_key server_write_key client_write_MAC_secret server_write_MAC_secret Data messages are encrypted with the write keys for privacy. A MAC over the *plain text* is included with each message, computed more or less as follows: MAC(...) = hash(client_write_MAC_secret + client_seq_num + length + data) When the server is sending, it uses server_MAC_secret, server_write_key, and server_seq_num.