Hypertext Transfer Protocol Secure (HTTPS)

What is HTTPS?

  • The HTTPS protocol was designed with security in mind. Data that is exchanged between a client and server is encrypted to ensure that it remains private.

  • Encryption is important for keeping communication safe from anyone who might try to access the data packets. Encryption makes the data unreadable, so even if someone does get access to the packets, they won't be able to understand them.

  • TLS/SSL is added to HTTP to create HTTPS, which encrypts communication between the client and server. This encryption helps to prevent data interception and tampering by third parties.

When a client tries to establish a connection with a server, the following things can happen:

  1. TCP Handshake

  2. Certificate check

  3. Key exchanged

  4. Data transmission

TCP Handshake:

Before any data can be exchanged using the TCP protocol, a connection needs to be established between the client and server. This connection is known as a "handshake."

This happens with a "three-way handshake"

  • The client sends "SYN" to Server.

  • The server sends "SYN + ACK" back to the client.

  • The client sends "ACK" back to the client.

A connection is established with the server and client at the end of this, but it is not a secure connection.

Certificate check:

After the "certificate check" step, both the client and server will have the cipher suite to be used and the version of TLS to be used.

The following steps will take place:

  1. The client-hello message contains information about the client's supported cipher suites and TLS version. This information helps the server determine which encryption methods to use for communications.

  2. Server-Hello looks at the cipher suite and TLS version that the client has selected to continue communication and shares the server certificate.

    1. A server certificate contains many things, but one of the main elements is the public key. This public key is used by the client for encryption.
  3. Server-Hello Done.

Key Exchange:

Asymmetric encryption is a type of encryption that uses two keys: one for encryption (public key) and one for decryption (private key).

In this process, the server's public key is used to encrypt the "secret key/client encryption key" before sending it safely to the server.

The client-encryption-key or secret key is then used to encrypt/decrypt the request and response.

Client-encryption-key or Secret-Key:

  1. It depends on the cipher suite decided during the certificate check step.

  2. For the sake of understanding, let's assume the client uses an RSA cipher suite to generate a secret key/client-encryption key.

  3. In RSA, a Client-encryption-key/secret-key/session-key is generated.

  4. The generated key is encrypted using the public key of the server.

  5. "Client-encryption-key" is encrypted by the Client and decrypted by the Server using the server's "private key" [asymmetric encryption].

Now that the "Client-encryption-key" has been securely exchanged between the server and client, symmetric encryption will be possible.

For symmetric encryption, the same key [Client-encryption-key] is used for encrypting and decrypting.

Data-Transmission:

From this point on, it is a symmetric encryption

A "client-encryption-key" is used to encrypt and send requests and responses.

Note:

  1. Since asymmetric encryption is computationally expensive, it is only used for key exchange, not data transmission.

  2. The RSA cipher suite is not used for key exchange in practice and is vulnerable or less effective.

    • Currently, Diffe-Helmen is one of the most popular cipher suites on the market.

Did you find this article valuable?

Support Ashwin Padiyar's blog by becoming a sponsor. Any amount is appreciated!