HTTP and HTTPS ( Certification )

HTTP stands for Hyper Text Transfer Protocol, which is standard web communication protocol. The problem with HTTP is that all the data sent and recieved during the communication is visible and completely identifiable by the whole network, which stands in the way of sending secure and sensitive information through the network. To overcome this a protocol was introduced called HTTPS, which stands for HTTP Secure. Communication involving HTTPS as a protocol is completely encrypted and only the end parties have access to meaningful information, what passes through the network is gibberish without any meaning.

The encryption in case of HTTPS is provided by TLS/SSL that refers to protocol which provide data encryption and authentication between applications and servers communication. The terms SSL and TLS are used interchangebly. TLS is a successor to SSL or a more secure version of SSL. SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

TLS stands on a lower level than HTTPS which is actually a fancy way to say that during a web request TLS connection occurs before HTTP. TLS is a hybrid cryptographic system making use of multiple crypto paradigms.

  • Public Key Cryptography
  • Symmetric Key Cryptography

The encryption of information during the connection occurs from a single secret shared by both the sides(Client and the Server).

There must be an exchange of key from the client to server or vice versa for encryption purposes. The key exchange occurs by the use of very common Diffie-Hellman key exchange that provides both the parties with a single shared key without anyone in the network knowing about the key. This process allows the client and the server to agree upon a shared secret that is used to encrypt and decrypt information during the communication.

  • First of all the during the initiation of connection the server sends its public key to the client, this key being the public key cannot be abused by anyone on the network(One of the main feature of assymtric key encryption).

  • Now the client generates a random key(the shared key for the connection) for the connection and then encrypts it with the public key recieved from the server.

  • The encrypted shared key is then sent to the server, and since it is encrypted using assymtric key encryption it cannot be decrypted without the knowledge private key of the server that is a secret and in any case must not be revealed by the server.

  • On recieving the key server decrypts it with its private key obtaining the shared key generated by the client. Now both the client and the server have a key no one in the network knows about.

  • Further encryption of communication is done with this shared key using symmetric key encryption.

The problem with the above method is the initial communication between the server and the client, since it can be hijcaked and the attacker that can send its own public key to client and get the shared key from the client, since the client in no way can know if its talking the actual server or the attacker. To solve this authentication problem we need a public key infrastructure to make sure that entities are who they say they are. Certificates are used for this purpose.

HTTPS Certificates

Certificates.

A certificate (or public key certificate) is a file that uses a digital signature to bind a public key with an identity. The digital signature on the certificate is someone vouching for the fact that a particular public key belongs to a particular individual or organization. This digital signature prevents the attacker from mimicing as a server using its own public key, and if it is using the server’s public key there is no way it can get the data decrypted without the private key.

Certificates are provided by Certification Authority(CA) for a certificate to be trusted by the browser it must be issued by a trusted CA. CA companies performs a manual check to review that the applying entity is what it say it is. Once verified it is signed by CA that is sign of a validated certificate.

There exist a layer of trust between us and our browser and between the browser and the certification authority. We trust the certificates that our browser trusts.

References