Encryption: How HTTPS Works

Learning Objectives

You should be able to:

  • Explain how web browsers encrypt data

Video Walkthrough

Use this video to follow along with the steps in this lab.

RSA Key Exchange

Here is how your computer might communicate with https://www.google.com using TLS 1.2.

  1. Your browser tells the server hosting https://www.google.com that you want a secure connection.
  2. The web server hosting https://www.google.com sends you its public key.
  3. You generate a random, temporary key. You encrypt the key with Google's public key. (Only Google can decrypt the key).
  4. Google decrypts the temporary key with its private key.
  5. Google encrypts the https://www.google.com web page data with the temporary key and a symmetric algorithm.
  6. Your web browser decrypts the data with the temporary key and a symmetric algorithm.

Steps 1-4 are using asymmetric encryption. Steps 5-6 use symmetric encryption. Steps 5 and 6 will continue as long as you keep loading pages on https://www.google.com. When you close your web browser, or after a period of inactivity, your browser and Google will make the temporary key expire.

Elliptic Curve Diffie-Helman Key Exchange

Here is how your computer might communicate with https://www.google.com using TLS 1.3.

  1. Your browser generates an EC key pair, sends the public key to the server hosting https://www.google.com and asks for a secure connection.
  2. The web server hosting https://www.google.com generates a new EC key pair and sends you its public key.
  3. You generate a shared secret by multiplying your private key with Google's public key. You send some encrypted data using a symmetric cipher (like AES), using the shared secret key.
  4. Google generates the same shared secret by multiplying its private key with your public key. Google can decrypt the data you sent.

With TLS 1.3, new keys are created for every new browsing session. If you close your web browser, all temporary keys are discarded. TLS 1.3 provides perfect forward secrecy.

Reflection

  • Who is responsible for ensuring the secure cryptographic protocols are used? Web browser developers? Legislators? Operating system vendors? Regular users of technology?
  • Strong cryptography enables privacy. Some people use the internet for bad stuff. Should governments have a master key that can unlock all encrypted communications?

Key Terms

  • HTTPS (Hypertext Transfer Protocol Secure): An extension of HTTP that uses encryption to secure data transmitted between a web browser and a server. HTTPS ensures the confidentiality, integrity, and authenticity of the data by using protocols like SSL/TLS.
  • HTTP Session: A sequence of network request-response transactions between a client (usually a web browser) and a server. An HTTP session is initiated by opening a connection and terminated by closing it, often involving multiple requests and responses.
  • Session Key: A temporary encryption key used for the duration of a single communication session. It is generated at the beginning of the session and discarded after the session ends. Session keys are used in symmetric encryption to ensure the confidentiality and integrity of data exchanged during the session.
  • RSA Key Exchange: A method of securely exchanging cryptographic keys using the RSA algorithm. In this process, a public key is used to encrypt a session key, which is then decrypted by the recipient using their private key. This session key is used for symmetric encryption of the data. RSA key exchange lacks perfect forward secrecy.
  • TLS 1.2 (Transport Layer Security 1.2): A old version of the TLS protocol that provides secure communication over a computer network. TLS 1.2 improved upon previous versions of TLS, but allowed for less secure key exchange such as RSA.
  • ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): A key exchange protocol that uses elliptic curve cryptography to securely establish a shared secret between two parties. "Ephemeral" indicates that a new key pair is generated for each session, providing perfect forward secrecy. ECDHE is widely used in modern secure communication protocols, such as TLS 1.3.
  • TLS 1.3 (Transport Layer Security 1.3): The latest version of the TLS protocol, offering enhanced security and performance over previous versions. TLS 1.3 simplifies the handshake process, reduces latency, and removes outdated cryptographic algorithms, making it more secure and efficient.