On your web browser, you might come across websites that ask for your username and password, i.e. confidential details that you generally don't share with anyone. For example, to log in to my Outlook.com account I have to send my username and password to the web server so that it can authenticate my account.
The account details I send to the server travel over the internet, which is made up of networks owned by various companies. Some of the companies that have access to these networks could read the account details. If the data being passed is confidential (for example, credit card information entered while making an online payment), it is trouble if someone on the network is able to capture it. Sending data over the internet through plain HTTP is like sending a parcel that has no lock.
To overcome this problem, a network transmission protocol called Secure Sockets Layer (SSL) was introduced. The HTTPS protocol used nowadays is nothing but HTTP and SSL working together: in HTTPS, SSL ensures that data is shared securely over the internet. Before moving on to the detailed concepts of SSL, we must understand cryptography!
What is Cryptography?
Say we have the string "Outlook Email Client". If we apply some mathematical transformation to it, we get a completely new value such as "l%m*!!!....E==" that an end user cannot understand. The original text is called plain text, and the transformed text is called cipher text. The process is called encryption, and the algorithm used is called the encryption algorithm.
Now, if I want to send this string to a friend, they will also need to know the encryption algorithm to decrypt it and, more importantly, the key that was used while encrypting the data. If the friend does not have the key, they cannot decrypt the data even if the encryption algorithm is known.
In the case discussed above, the same key is used for encryption and decryption, which means a symmetric key is used. This is like locking data in a box with a key and then using the same key to unlock it.
But with millions of users on the internet, it would be difficult and impractical to share one key with all of them, and there is the further problem of how you would send the secret key to every user. Using one key for everyone creates a situation where every house is locked but there is only one key that opens all of them, so anybody can open anybody's house. To deal with such troubles, cryptography comes to the rescue.
Now, consider a lock that can be locked only with one key but unlocked only with a different key. In cryptography we have a way to encrypt data with one key string and decrypt it with a different key. This is called an asymmetric key pair. The key used for encryption is called the public key, and the key used for decryption is called the private key.
Why are they called so? Because over the internet the server distributes the encryption key to every user who wants to send data to it securely; that is why it is called the public key. The key the server uses for decryption is not shared with anyone and is thus called the private key. So when the login details for an account are sent to the server for validation, they are encrypted with the public key and can be decrypted only by the server.
What happens between Browser and the Server?
When a user types an HTTPS URL, the browser makes a connection to HTTPS port 443, the default port on which the server listens for HTTPS connections. Once the connection is made, the process called the SSL handshake starts. First the client sends a "Client Hello" message to the server; the message contains the highest SSL version the browser supports, the compression methods it supports, the suite of ciphers it can use for encryption, and so on. After this, the server responds with a "Server Hello" message.
- Now, the server sends a digital certificate to the client. The certificate has two important values in it: one is the public key, so that the browser can encrypt the data it sends to the server; the other is the identity of the server from which the web page is coming. For example, when I connected to Outlook.com, the browser showed this certificate:
  [certificate screenshot not reproduced]
- Now, the server sends a "Server Hello Done" message to the browser, hinting that the browser can proceed further.
- Then, the browser can send a "Certificate Verify" message to the server. The browser then sends a "Change Cipher Spec" message to the server, telling it that from now on everything sent to it will be encrypted.
- Now, the browser sends a "Finished" message to the server that contains a digest of all the messages shared so far between the browser and the server. The server then sends its own "Change Cipher Spec" and "Finished" messages to the browser.
- For the ongoing SSL session, the server will generate a symmetric key for communication between the browser and the server.
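The following is an added example, not code from the original post. It simulates, in plain Python, the symmetric and asymmetric keys from the cryptography section and the handshake messages listed above, so the two can be seen working together in one process. Everything in it is constructed: the RSA primes are tiny toy values, the stream cipher is a home-made HMAC-based construction rather than a real cipher, and the server name, cipher-suite names and credentials are placeholders. Both sides derive the same session key from a secret the browser locks with the server's public key, and the Finished check shows why that message carries a digest of every handshake message: if anyone on the path alters a message, the two digests differ and the handshake is aborted.

```python
"""Constructed walk-through: a symmetric cipher, a toy public/private key pair,
and the SSL handshake messages. Teaching code only: tiny primes, home-made cipher."""
import hashlib
import hmac
import secrets

# --- Symmetric key: the same key locks and unlocks the box -------------------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from key + nonce: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; XOR is its own inverse, so this also decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
sym_decrypt = sym_encrypt

# --- Asymmetric key: the public key locks, only the private key unlocks ------
P, Q = 104729, 104723                   # two small primes (toy values)
N, E = P * Q, 65537                     # modulus and public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

def asym_encrypt(key, m: int) -> int:
    """Textbook RSA: c = m^e mod n (requires 0 <= m < n)."""
    e, n = key
    return pow(m, e, n)

def asym_decrypt(key, c: int) -> int:
    """Textbook RSA: m = c^d mod n."""
    d, n = key
    return pow(c, d, n)

# --- The handshake: Client Hello ... Finished, ending in a shared session key -
SERVER_NAME = "mail.example"            # constructed identity carried by the certificate

def transcript_digest(messages) -> bytes:
    """The Finished message carries a digest over every handshake message so far."""
    h = hashlib.sha256()
    for m in messages:
        h.update(repr(m).encode())
    return h.digest()

def session_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides derive the same symmetric key from the shared secret and both randoms."""
    return hashlib.sha256(premaster.to_bytes(8, "big") + client_random + server_random).digest()

def finished(key: bytes, messages) -> bytes:
    """Finished = MAC, under the session key, of the transcript digest."""
    return hmac.new(key, transcript_digest(messages), hashlib.sha256).digest()

def handshake(expected_name: str = SERVER_NAME, tamper: bool = False):
    """Simulate one handshake. Returns (ok, key); ok is False when either side aborts.
    tamper=True models someone on the network altering Client Hello on its way."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    client_hello = ("ClientHello", "TLS1.2", ["null"], ["TOY_RSA"], client_random)
    server_hello = ("ServerHello", "TLS1.2", "null", "TOY_RSA", server_random)
    certificate = ("Certificate", SERVER_NAME, PUBLIC_KEY)    # identity + public key
    transcript = [client_hello, server_hello, certificate, ("ServerHelloDone",)]
    if certificate[1] != expected_name:     # browser: is this the site I asked for?
        return False, None
    # Key exchange: the browser locks a fresh secret with the server's public key.
    premaster = secrets.randbelow(N)
    key_exchange = ("ClientKeyExchange", asym_encrypt(certificate[2], premaster))
    transcript.append(key_exchange)
    client_key = session_key(premaster, client_random, server_random)
    # Only the private-key holder can unlock that secret and derive the same key.
    unlocked = asym_decrypt(PRIVATE_KEY, key_exchange[1])
    server_key = session_key(unlocked, client_random, server_random)
    # Change Cipher Spec, then the browser's Finished over everything so far.
    transcript.append(("ChangeCipherSpec",))
    client_finished = finished(client_key, transcript)
    server_view = list(transcript)
    if tamper:  # the server received an altered Client Hello (different suite list)
        server_view[0] = client_hello[:3] + (["TOY_OTHER"],) + client_hello[4:]
    if not hmac.compare_digest(client_finished, finished(server_key, server_view)):
        return False, None                  # server aborts: transcripts differ
    # Server's own Change Cipher Spec + Finished, checked by the browser the same way.
    transcript += [("ChangeCipherSpec",), ("Finished", client_finished)]
    if not hmac.compare_digest(finished(server_key, transcript), finished(client_key, transcript)):
        return False, None
    return True, client_key                 # same as server_key: the session key

def send_login(key: bytes, username: str, password: str) -> tuple:
    """Application data after the handshake: login details under the session key."""
    nonce = secrets.token_bytes(8)
    return nonce, sym_encrypt(key, nonce, f"user={username}&pass={password}".encode())

if __name__ == "__main__":
    ok, key = handshake()
    nonce, record = send_login(key, "alice", "hunter2")    # constructed credentials
    print("handshake ok:", ok, "| on the wire:", record.hex())
    print("server reads:", sym_decrypt(key, nonce, record).decode())
    print("wrong site name rejected:", handshake(expected_name="evil.example") == (False, None))
    print("tampered hello rejected:", handshake(tamper=True) == (False, None))
```

Running the script prints the login record as it would appear on the wire (unreadable bytes), the same record as the server recovers it with the session key, and two rejected handshakes: one where the certificate names a different site than the browser asked for, and one where the Client Hello the server saw differs from the one the browser sent. The symmetric functions also show the earlier point about keys: decrypting with a different key yields garbage even though the algorithm is public.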
This is how, when we share confidential information over the web through an HTTPS connection, we have assurance that the data cannot be read by attackers on the network.