In your web browser you regularly come across websites that ask for a username and password, confidential details that you would not normally share with anyone. For example, to log in to my Outlook.com account I have to send my username and password to the web server so that it can authenticate me.
The details I send travel over the internet, across networks owned and operated by many different companies, and anyone who can see the traffic on one of those networks can read them. If the data is confidential (for example, credit card details entered while paying online), it is a serious problem if someone on the path can capture it. Sending data over plain HTTP is like sending a parcel with no lock: every hop along the way can open it, and can also alter the contents without the recipient noticing.
To solve this problem a protocol called Secure Sockets Layer (SSL) was introduced. Its successor, Transport Layer Security (TLS), is what browsers actually use today, although the name SSL has stuck. The HTTPS protocol is nothing more than HTTP carried inside an SSL/TLS connection.
In HTTPS, then, SSL/TLS is the layer that makes sure data is shared securely over the internet. Before going into the details of how it does that, we need to understand some cryptography.
What is CRYPTOGRAPHY?
Say we have the string “Outlook Email Client”. If we apply a mathematical transformation to it, we get a completely different value, something like “l%m*!!!….E==”, that makes no sense to a reader. The original text is called the “plain text” and the scrambled text the “cipher text”; the process is encryption and the algorithm used is the encryption algorithm. If I now want to send this string to a friend, they need to know the algorithm in order to decrypt it and, more importantly, they need the key that was used when encrypting. Without the key they cannot recover the data even if they know the algorithm. In fact, modern algorithms are public and well studied, and all of the secrecy is expected to rest in the key.
In the case above the same key is used for encryption and decryption, which is called a “symmetric key”. It is like locking data in a box with a key and then using that same key to unlock it.
But with millions of users on the internet it is impractical to share one key with everyone, and there is the further problem of how you would get that secret key to each user safely in the first place. Sharing a single key with everybody would be like every house being locked but one key opening all of them: anybody could open anybody else’s house. Public-key cryptography was invented to get around these problems.
Now imagine a lock that can be locked with one key but unlocked only with a different key. Cryptography offers exactly this: data encrypted with one key can be decrypted only with its partner key. This is called “asymmetric” cryptography, and the two keys form a key pair. The key used for encryption is called the “public key” and the key used for decryption the “private key”.
Why are they called that? Over the internet, the server hands out the encryption key to every user who wants to send it data securely, so that key is public. The decryption key stays with the server and is never shared with anyone, so it is private. When login details are sent to the server, they are protected with the public key and only the server, holding the private key, can read them. In practice, as the handshake section describes, the public key protects a small secret from which a shared symmetric session key is derived, and that session key encrypts the actual login details; asymmetric operations are far slower than symmetric ones, so they are used only to set the session up.
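To make the symmetric and asymmetric cases concrete, here is an added example (not code from the original article) in Go using only the standard library: AES-GCM for the symmetric “one key locks and unlocks” case, RSA-OAEP for the public/private key pair, and the two combined the way the paragraph above describes, with a fresh symmetric key wrapped under the server’s public key and the bulk data sealed under that symmetric key. The key sizes, the sample login string and the function and type names are this example’s own choices, not anything from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GenerateKeyPair creates an RSA key pair; the PublicKey half is what a server would publish.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SymmetricSeal encrypts and authenticates plaintext under a 256-bit AES-GCM key.
// Output is nonce || ciphertext || tag; the very same key is needed to open it.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message; never reuse with one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen reverses SymmetricSeal. A wrong key or any tampering fails the authentication tag.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Envelope is what travels over the wire: a fresh symmetric key wrapped with the recipient's
// RSA public key, plus the bulk data sealed under that symmetric key (hybrid encryption).
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// Encrypt needs only the recipient's public key, so anyone on the internet can build an Envelope.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	sealed, err := SymmetricSeal(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// Decrypt needs the matching private key; any other private key fails at the unwrap step.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricOpen(key, env.Sealed)
}

func main() {
	server, err := GenerateKeyPair(2048)
	if err != nil {
		panic(err)
	}
	other, _ := GenerateKeyPair(2048) // some unrelated key pair, e.g. an eavesdropper's
	env, err := Encrypt(&server.PublicKey, []byte("user=alice&password=hunter2")) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(server, env)
	fmt.Printf("server's private key:   %q (err=%v)\n", pt, err)
	_, err = Decrypt(other, env)
	fmt.Printf("some other private key: err=%v\n", err)
}
```

Running it shows the server’s private key recovering the login string while the unrelated key gets an error, which is the whole point of the public/private split. The symmetric functions also show the other property the article relies on later: because AES-GCM authenticates the ciphertext, a message altered in transit is rejected rather than decrypted to garbage.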
What happens between Browser and the Server?
When a user types an HTTPS URL, the browser opens a connection to port 443 on the server; 443 is the default port on which a server listens for HTTPS connections. Once the connection is up, the process called the SSL handshake starts. First the client sends a “Client Hello” message to the server containing the highest protocol version it supports, the compression methods it supports, the list of cipher suites it can use for encryption, and a random value. The server then answers with a “Server Hello” message in which it picks the version and cipher suite to use from those offered and adds a random value of its own; both random values later feed into the session keys.
Next, the server sends its digital certificate to the client. The certificate carries two important things: the server’s public key, so that the browser can encrypt what it sends to the server, and the identity of the server (its domain name), so that the browser knows which site the page is really coming from. Before trusting either, the browser checks that the certificate was issued by a certificate authority it already trusts and that the name in it matches the host in the URL; if either check fails, the browser shows a warning instead of the page. For example, when I connected to Outlook.com, the certificate that the browser showed was
- Then the server sends a “Server Hello Done” message to the browser, signalling that the browser can proceed.
- The browser now sends a “Client Key Exchange” message carrying the secret from which both sides will derive the session keys: it is either encrypted with the server’s public key from the certificate, or produced by a key agreement whose server half was signed with the server’s private key. A “Certificate Verify” message is sent only if the server asked the browser for a client certificate. The browser then sends a “Change Cipher Spec” message telling the server that everything it sends from now on will be encrypted.
- Next the browser sends a “Finished” message containing a digest of all the handshake messages exchanged so far, so that the server can detect whether any of them were tampered with in transit. The server replies with its own “Change Cipher Spec” and “Finished” messages.
- For the rest of the SSL session, browser and server use symmetric keys that both of them derive from that shared secret and the two random values; the server does not need to send a key, because each side computes the same one. The slow public-key operations are needed only during the handshake, and all application data, including the login details, is encrypted with the fast symmetric cipher agreed in the hello messages.
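The whole exchange above, as an added example that is not part of the original article: a Go program using the standard crypto/tls and crypto/x509 packages to create a certificate authority, issue a server certificate for www.example.test (a made-up name), run a TLS server on loopback and connect to it three times, the way three different browsers would. The first client trusts the CA and expects that name, so the handshake completes and its constructed login line is echoed back over the encrypted connection; the second client does not have the CA in its trust store; the third was given a URL for a different host (evil.example, also made up). Go’s library runs the handshake messages for us, so the program shows the outcome of the certificate checks rather than each individual Hello, and it negotiates TLS (typically TLS 1.3) rather than SSL, which Go’s crypto/tls does not implement. All names, the CA label and the helper functions are this example’s assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// newCert issues a P-256 certificate: self-signed when parent == nil (our root CA), otherwise
// signed by the CA's key, which is how the CA vouches for the name inside the certificate.
func newCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames, // the browser matches the URL's host against these, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// startServer listens for TLS on loopback. The server side of the handshake runs inside the first
// Read; if the client rejects our certificate that Read fails and the connection is simply dropped.
func startServer(leaf *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}})
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 256)
				if n, err := c.Read(buf); err == nil {
					c.Write(append([]byte("echo: "), buf[:n]...)) // the reply travels encrypted as well
				}
			}(c)
		}
	}()
	return ln
}

// connect does what a browser does: verify the chain against roots, check that the certificate is
// for serverName, and only then send the request. It returns the server's echoed reply.
func connect(addr string, roots *x509.CertPool, serverName, msg string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err // handshake aborted: no application data was ever sent
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// IsUnknownAuthority and IsHostnameMismatch tell the two verification failures apart.
func IsUnknownAuthority(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }
func IsHostnameMismatch(err error) bool { var e x509.HostnameError; return errors.As(err, &e) }

// runScenarios stands up a CA and a server, then connects like three browsers: one that trusts
// the CA, one that does not, and one whose URL named a different host.
func runScenarios() (reply string, trustedErr, untrustedErr, wrongNameErr error) {
	ca, caKey := newCert("Demo Root CA", nil, true, nil, nil)
	leaf, leafKey := newCert("www.example.test", []string{"www.example.test"}, false, ca, caKey)
	ln := startServer(leaf, leafKey)
	defer ln.Close()
	addr, msg := ln.Addr().String(), "user=alice&password=hunter2" // constructed sample login
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the trusting browser's root store holds only our CA
	reply, trustedErr = connect(addr, roots, "www.example.test", msg)
	_, untrustedErr = connect(addr, x509.NewCertPool(), "www.example.test", msg) // empty root store
	_, wrongNameErr = connect(addr, roots, "evil.example", msg)                  // certificate is for another host
	return
}

func main() {
	reply, trustedErr, untrustedErr, wrongNameErr := runScenarios()
	fmt.Printf("trusted CA, matching name: %q (err=%v)\nunknown CA: %v\nwrong name: %v\n", reply, trustedErr, untrustedErr, wrongNameErr)
}
```

The two failing clients never send the login line at all: the handshake is torn down at the certificate step, before “Change Cipher Spec”, which is exactly the protection a browser warning gives. Note that the server’s private key never leaves the server; the client only ever sees the certificate, and the session keys come out of the handshake on both sides.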