Monday, August 8, 2011

HTTPS encryption and handshaking

About the detail steps of HTTPS encryption and handshaking, here is it

here is diagram.


Here is a concentrated diagram about handshaking.


Here is a rough conclusion:

In handshaking

The client get the certificate from the server. If it is a trusted one, use the public key from the certificate to encrypt a key (pre-master, a random generated by the browser) and send it to the server

The server uses its private key to decrypt the message and get the client key (pre-master)

Both server and client compute a symmetric key from the pre-master. (pre-master secret –> master secret –> session key)

Then the session is established.

In the session both server and client use the created symmetric key for both encryption and decryption.

So, the business data transferred in the HTTPS session is using symmetric encryption. The certificate and its asymmetric encryption is only used in handshaking to guarantee that only the server and the client browser has the symmetric key.

No comments:

Post a Comment