Https

How does HTTPS provide security

The primitive promotion of HTTPS over http is security. Messages are transferred nakedly in http which may be utilized by an eavesdropper.
It’s pretty natural to think that we can encrypt the plain text with a key. There are two kinds of encrytion with different
combinations of keys.

  • Symmetric Encryption : public key
  • Asymmetric Encryption : public key + private key

In symmetric encryption, both the server and the client use public key for encryption and decryption. The client can encrypt message with public key and then send it to the server where the encrypted message is decrypted with the same public key, and vice versa.
Things becomes differrent in asymmetric encryption, we can not decrypt the encrypted message with public key in above cases. A private key is needed for decryption. The basic steps for data transmission are:

  1. the client encrypt message with public key
  2. encrypted message is transferred to the server
  3. the server get the raw message by decryption with private key

The public key and private key pair is one to one, for example, private key is a pair of very large prime number, and public key is their product.

Vulnerability

We haven’t metion how does the server/client side get the public/private key yet. The private key is very easy to implement, both the server and the client can appoint the private key themselves and do not transfer it to the other one by internet while the public key has to be visible to the other one. The vulnerability happens in the procedure of public key transmission.

In the symmetric encryption algorithm, if a third party intercept your public key he can decrypt any message from client or server!

Imaging you’re using a public wifi in market, all your infomation is exposed to the wifi owner

The problem comes from the transmission of public key. It’s plain text! The asymmetric encryption can solve this problem by a private key, the third party can get the public key but he cannot decrypt the message without private key. But there is a limitation for asmmetric encryption, it’s one-way transmission! Only the side with private key can read the message, and another side just have public key to encrypt message.

Maybe we can use two pairs of public+private key for asymmetric encryption?

TLS

TLS(Transfer Layer Security) is the underlying implementation for HTTPS. It’s kernel priciple is pretty similar the above:

  • At first, The server has a pair of public+private key (Suppose they are prime numbers and their product) and
    the client has nothing.
  • The client sends a HTTPS request to the server, and the server gives the public key to the client.
  • The client generates a key refferd as pre-master key which is a private key, and then transfer it to the server after
    encrypting it with the public key.

Note that pre-master key is still a private key because we transferred the encrypted key,
if a third party get the message he will never know the pre-master key without private key from the server side.

  • The server decrypt the message and get the pre-master key.
  • Now both the client and the server have pre-master key, which means we can use symmetric encryption from now on. This symmetric encryption is quite different from the above, because we use a private key (pre-master key) for encryption, it’s invisible from third part.

Things to note:

  1. In the above procedure, the public key is known as digital certification.(You can find it on the left side of url field of your browser.)
  2. The server-side private key is top secrete, it can never be exposed to anyone else.
  3. Actually in TLS, we encrypt pre-master key with two another random number(public key) generated by the client and the server to get the final session key. As you can guess from the literal, pre-master key is a material private key for the final session key and the session key is unique for each session because we used two random number.

Summary

Symmetric encryption with private key is the most secure way for encryption. In order to share the private key(pre-master key), we use asymmetric encryption.

Gossip

Public key and private key certification is usually published by CA institute, they are the only one who knows your secrete private key except yourself. The bank does not believe CA institute so usually they use their own certification on their own server and let CDN prividers get public key from their private server.

Referrence

How does HTTPS provide security?

TLS