HTTPS and SSL/TLS handshake

What is HTTPS?

HTTPS stands for "Hypertext Transfer Protocol Secure". It is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. In HTTPS, the communication is encrypted using Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
Servers and clients still use HTTP to communicate with each other, but over a secure SSL connection that encrypts and decrypts the client-server requests and responses.
SSL ensures that requests and responses are directed to a legitimate destination and come from a legitimate source, and that only the legitimate server or client can view the content of a request or response.
Eavesdroppers can monitor the traffic, but they cannot read its content because it is encrypted.

How Does SSL Work?

A Secure Sockets Layer connection between a client and a server starts with a "handshake". Its goals are to satisfy the client about the server, to agree on a "cipher suite" that names the encryption algorithm both parties will use in future communication, and to agree on the keys for this algorithm.
Once the connection is established, both parties can use the agreed algorithm and keys to securely communicate with each other.

SSL/TLS Handshake

  1. First, "The Client Hello". Here, the client sends the cipher suites and the SSL/TLS versions it supports.

  2. The server responds with the cipher suite it has chosen from the list sent by the client, and with the SSL/TLS version that both the client and the server can use. The server also sends the session ID for this session and the server certificate, which contains the server's "Public Key". At this point the server and the client have agreed on a cipher suite and an SSL/TLS version. A cipher suite is a set of algorithms, which usually includes:
        1. A key exchanging algorithm.
        2. A bulk encryption algorithm.
        3. A message authentication code (MAC) algorithm.  

  3. The client validates and verifies the server certificate and extracts the public key. At the same time, the client generates a random seed (a random string).

  4. The client encrypts the random seed with the server's public key and sends it to the server.

  5. The server decrypts the message with its private key and obtains the random seed generated by the client.

  6. Finally, since both parties now have the random seed, they use it as the input to an algorithm that generates a symmetric key for message encryption. This key is called the "shared secret key". Normally, the "Diffie-Hellman" key exchange algorithm is used for this. 😊
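
Step 6 in code, as an added example that is not from the original post: both sides feed the same random seed into the TLS 1.2 PRF (RFC 5246, HMAC-SHA256) and arrive at identical session keys. The suite lists, the first-match selection policy and the skipped public-key transport of steps 4-5 are assumptions of this example.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion from RFC 5246 section 5, using HMAC-SHA256."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Derive the master secret, then split the key block (AES-128-CBC + HMAC-SHA256)."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {
        "client_mac": block[0:32], "server_mac": block[32:64],
        "client_key": block[64:80], "server_key": block[80:96],
    }


def negotiate(client_suites: list, server_suites: list) -> str:
    """Step 2 (assumed policy): first client-offered suite the server also supports."""
    for suite in client_suites:
        if suite in server_suites:
            return suite
    raise ValueError("handshake failure: no common cipher suite")


def simulate_handshake() -> tuple:
    # Constructed sample values; on the wire they travel in ClientHello/ServerHello.
    client_random, server_random = os.urandom(32), os.urandom(32)
    suite = negotiate(["TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256"],
                      ["TLS_RSA_WITH_AES_128_CBC_SHA256"])
    # Steps 3-5: the client's random seed (pre-master secret). In a real handshake it is
    # sent encrypted under the server's public key; that transport is assumed here.
    pre_master = b"\x03\x03" + os.urandom(46)
    client_view = session_keys(pre_master, client_random, server_random)
    server_view = session_keys(pre_master, client_random, server_random)
    return suite, client_view, server_view
```

Each direction gets its own encryption and MAC key, so a message captured from the client cannot be replayed back to it as if it came from the server.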


**Below is a simple diagram to make your life easy 😂**   


   
