Let's understand SSL/TLS/HTTPS
Vineesh ChauhanSSL: Secure Socket Layer
TLS: Transport Layer Security
HTTPS: Hyper Text Transfer Protocol Secure
SSL is an encryption protocol that is used to encrypt data transmitted between two systems over the internet. The two systems can be browser and server or server and server. SSL secure connection by encrypting data transmitted between two systems.
TLS is just an updated version of SSL. Whenever someone refers to SSL, he is referring to TLS.
HTTPS is a protocol used for secure HTTP communication over the internet. It uses SSL/TLS for delivering encrypted data.
Note: SSL is an encryption protocol and has a variety of use cases. HTTPS is just one of them.
Now let's understand how two systems communicate securely over the internet. Here 2 systems are a web browser and a web server.
The browser sends the request to the server for communication.
The server responds with two pieces of information,
a. Encrypted Hash of Digital Certificate: Used for the encryption in further communication.
b. Digital Certificate: Used for authenticating the server identity.
Once identity is established using the digital certificate, the browser generates symmetric private encryption keys. The encryption keys are encrypted using the Public Key of the server and sent to the server.
The server decrypts the symmetric encryption keys using its private key.
All further communications between the browser and server are done using private symmetric keys. No one can read communication between browser and server as it is done encrypted using secure private keys.
Now, the only puzzle is the digital certificate. The questions are
What is a digital certificate?
Where does the digital certificate come from?
How server authenticate if the digital certificate is sent by the intended server?
It includes the following steps
What is a digital certificate?
A digital certificate is an electronic file that is tied to a cryptographic key pair and authenticates the identity of a server/website/organization. It is also known as a public key certificate or identity certificate.
Where does the digital certificate come from?
Any server who wants to communicate securely first obtains a digital certificate from a certificate authority like DigiCert or Verisign.
What do they contain?
a. Domain name of the server.
b. Public Key of the server.
c. Digital Signature of the certificate encrypted with the private key of the CA.
d. Expiration Dates.
How server authenticate if the digital certificate is sent by the intended server?
When the server receives a request from the browser, the server sends a signed digital certificate to the browser.
Now, the browser has a Signed Digital Certificate. The browser will take the following steps
a. The browser will validate CA. The browser/OS contains the public key of all certificate authorities. The browser will use the public key of the certificate authority and try to decrypt the digital signature present in the certificate. If the browser can decrypt the digital signature, then the digital certificate must have been encrypted by the private key of CA.
b. Now, the browser has a decrypted digital signature of the certificate.
c. The browser will generate a hash of the digital certificate with the Algorithm mentioned in the digital certificate.
d. If the generated hash in step c(browser-generated hash) and the hash obtained in step b(obtained from decrypting digital signature) are the same then the browser can turn the server.
Cerdit
https://www.geeksforgeeks.org/digital-signatures-certificates/
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified
Subscribe to my newsletter
Read articles from Vineesh Chauhan directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by