📚Https

What is https?

In the internet we will have a communication between client and server via http protocol but http does not secure.

Overview when we send request via Http protocol

Every request via http protocol it's able to look into the content because it send the data with plain text format in order to avoid this vulnerability the https is occurred. For the data was sent via https protocol it will be encrypted by using TLS protocol.

Overview when we send request via Https protocol

What is Asymmetric key and Symmetric key?

Asymmetric key is a key pair include public key and private key. so we use public key for encrypt the data and private for decrypt.

Asymmetric key Flow

Symmetric key is only one key that we use for encrypt and decrypt. For share this key we can use MAC algorithm to do that (It's algorithm that require IP ,Port etc. some identity data to make sure it's a key that was generated by our destination.

Symmetric key Flow

How does Https working ?

TCP Handshake

1. Client create connection with server (Called TCP Handshake)

Certification Check

1. Client send like "Hello" to server and send about (1) What are TLS version of this browser support (2) What are Cyber suite (set of encryption algorithm) of this browser support

2. Server will check about TLS version and Type of Algorithm for encryption

3. Server will respond to the client with Certification (include public key was generated by server (Asymmetric key) and signature was signed by CA private key) that was created by CA (Certification Authority).

4. Client need to verify Certification on browser with CA whether this Certificate can trust or not (In browser we will have list of public key that was created by CA so we can verify this signature is valid.

Key Exchange

1. After It pass for verification with CA then client will generate new secret key or session key (Symmetric key) and encrypt with server public key and send back to server so client and server will use this key for encrypt and decrypt.

Https workflow

How to setup Https to server?

1. We created our own server and generate key pair (Asymmetric key).

2. In CA side they will have own key pair

3. server will create CSR (Certification sign request) and send to CA

4. CA will verify server . If it can trust they will sign in the certification with CA private key (that can be verify the valid sign by using CA public key) and send back to server

5. In the first time when server send the certification back to client (browser) the browser will verify this certification whether the signature is valid because in browser they will have public key of CA

Setup Https with CA

In case that we don't trust the other CA then we can create own CA and new service for verify signature instead of browser

(Self sign certification)

Reference:

1. https://www.youtube.com/watch?v=j9QmMEWmcfo (Basic Level)
2. https://www.youtube.com/watch?v=T4Df5_cojAs&t=559s (Mid Level)
3. https://www.youtube.com/watch?v=-f4Gbk-U758 (Advance Level)