In my previous post I explained what is HTTP and how is it helpful.
This post explains how it is achieved.
So far we know that symmetric and asymmetric key's role is played over when we connect to a site with SSL. This connection can happen with the help of Handshake.
Let's say, My browser is trying to connect a website https://pizzaonline.dominos.co.in, and this website is hosted on some Server.
A two-way connection is established between my browser and Server.
But before that, they need to discuss how secure will be its communication. Based on the agreement following signs are displayed.
a. Exclamation mark: It's a warning!
b. Green padlock: It's secure, chillax...
This process...i.e. discussing and coming to an agreement is Handshake.
How does it work?
Here is where
symmetric and asymmetric key comes in the picture.
Continuing the same example lets understand what's happening behind the scene.
- My browser will send a list of SSL/TLS versions and encryption algorithms it has to the Server.
- Server will check the list. Chooses the best one that benefits both. Sends reply with its certificate and Public key.
- My browser will check if the Server's certificate is legal. Once my browser is sure, it will generate a
Master key. Now it will blend
server's Publick key...i.e. encryption is happening. It then sends encryption to Server..i.e. sending
- Server will Decrypt it with its
So far Asymmetric Algorithm is followed. None of my messages is encrypted. Only my browser and server have established a connection using an asymmetric algorithm. In short sharing
Master keyover the web using Asymmetric algorithm.
- Now both have the same
Master key. A unique key is generated, which can only be decrypted using this
Master key, which only my browser and Server has it.
Here Symmetric algorithm is followed.
- Its time to test the connection. They both will test the connection, makes sure it is safe and both can decrypt successfully and securely.
- When both are satisfied and have come to an agreement, the browser will set the status..in this case, green padlock.
The above process happens in a fraction of seconds and we don't even realize it. It is fascinating.
- It's a Green padlock! Which means I can order Extravaganza pizza :p
Since my browser and server (where dominos website is hosted) have secured the connection, the entire
sessionwill be secure. what all credit card information is fed will be unknown to attackers.