πHttps
What is https?
Last updated
What is https?
Last updated
In the internet we will have a communication between client and server via http protocol but http does not secure.
Every request via http protocol it's able to look into the content because it send the data with plain text format in order to avoid this vulnerability the https is occurred. For the data was sent via https protocol it will be encrypted by using TLS protocol.
What is Asymmetric key and Symmetric key?
Asymmetric key is a key pair include public key and private key. so we use public key for encrypt the data and private for decrypt.
Symmetric key is only one key that we use for encrypt and decrypt. For share this key we can use MAC algorithm to do that (It's algorithm that require IP ,Port etc. some identity data to make sure it's a key that was generated by our destination.
How does Https working ?
TCP Handshake
Client create connection with server (Called TCP Handshake)
Certification Check
Client send like "Hello" to server and send about (1) What are TLS version of this browser support (2) What are Cyber suite (set of encryption algorithm) of this browser support
Server will check about TLS version and Type of Algorithm for encryption
Server will respond to the client with Certification (include public key was generated by server (Asymmetric key) and signature was signed by CA private key) that was created by CA (Certification Authority).
Client need to verify Certification on browser with CA whether this Certificate can trust or not (In browser we will have list of public key that was created by CA so we can verify this signature is valid.
Key Exchange
After It pass for verification with CA then client will generate new secret key or session key (Symmetric key) and encrypt with server public key and send back to server so client and server will use this key for encrypt and decrypt.
How to setup Https to server?
We created our own server and generate key pair (Asymmetric key).
In CA side they will have own key pair
server will create CSR (Certification sign request) and send to CA
CA will verify server . If it can trust they will sign in the certification with CA private key (that can be verify the valid sign by using CA public key) and send back to server
In the first time when server send the certification back to client (browser) the browser will verify this certification whether the signature is valid because in browser they will have public key of CA
In case that we don't trust the other CA then we can create own CA and new service for verify signature instead of browser
(Self sign certification)
Reference:
https://www.youtube.com/watch?v=j9QmMEWmcfo (Basic Level)
https://www.youtube.com/watch?v=-f4Gbk-U758 (Advance Level)
