Tuesday, June 8, 2010

HTTPS Process

When studying for the CompTIA Security+ exam, you'll come across some cryptography objectives. One thing that confuses many people is how SSL works with HTTPS: specifically, how the client and server agree on a secret key over a network that anyone can eavesdrop on.

I've broken it down to the following steps with a diagram at the end that may help you understand it a little better.
  1. The client starts the HTTPS session, for example by clicking a link to an https:// URL, and connects to the server.
  2. The server responds by sending its certificate. The certificate includes the server's public key, which is one half of a matched private/public key pair. The private key is always kept private by the server. Before going further, the client checks that the certificate was signed by a certificate authority it trusts and that it names the server it is talking to; if that check fails, the browser warns the user instead of continuing.
  3. The client creates a random session key (such as 13579BDF2468ACE). The hex value is only an illustration; in the SSL/TLS specification this random value is called the pre-master secret, and the actual record-layer keys are derived from it.
  4. The client encrypts the session key with the server's public key. Only the matching private key can reverse this, so an eavesdropper who captures the message learns nothing.
  5. The client then sends the encrypted session key to the server.
  6. The server decrypts the session key with its private key. Now both sides hold the same key, and it was never sent across the wire in the clear.
  7. The rest of the session is encrypted with the symmetric session key, which is much faster than asymmetric encryption for bulk data.

These steps describe the RSA key exchange, the most common SSL mode. A server can instead negotiate a Diffie-Hellman key exchange, in which case the certificate's key is used to sign the exchange rather than to decrypt the session key, but the asymmetric-then-symmetric pattern is the same.
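
The following simulation walks steps 2 through 7 in code so you can watch the key change hands. It is an added example, not part of the original post. To keep it self-contained it uses textbook RSA over two constructed demonstration primes (Mersenne primes, far smaller than a real certificate's modulus) and an HMAC-SHA256 keystream in place of the AES or RC4 ciphers SSL actually negotiates. Real SSL/TLS also pads the pre-master secret before RSA-encrypting it (PKCS#1 v1.5); the raw-RSA step here is to show the math, not something to reuse.

```python
"""Step-by-step simulation of the SSL RSA key exchange (demo only).

Added example, not from the original post. Primes are constructed demo
values; the symmetric cipher is an HMAC-SHA256 keystream standing in for
AES/RC4; raw RSA without padding is used only to keep the math visible.
"""
import hashlib
import hmac
import secrets

E = 65537  # standard RSA public exponent


def server_generate_keypair():
    """Prerequisite for step 2: the server's RSA key pair. (n, e) goes into
    the certificate; the private exponent d never leaves the server."""
    p = 2**89 - 1    # constructed demo primes, far too small for real use
    q = 2**107 - 1   # (real certificates carry 2048-bit or larger moduli)
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return (n, E), d


def client_make_session_key():
    """Step 3: the client picks a random 128-bit session key
    (the value TLS calls the pre-master secret)."""
    return secrets.token_bytes(16)


def client_wrap_session_key(public_key, session_key):
    """Step 4: encrypt the session key with the server's public key."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    assert m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def server_unwrap_session_key(public_key, d, ciphertext):
    """Step 6: only the holder of d can recover the session key."""
    n, _ = public_key
    return pow(ciphertext, d, n).to_bytes(16, "big")


def _subkeys(session_key):
    # Derive separate encryption and MAC keys from the shared session key,
    # mirroring SSL's key-expansion step for the record layer.
    enc = hmac.new(session_key, b"encryption", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"integrity", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256 (demo substitute for AES).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def record_encrypt(session_key, plaintext):
    """Step 7: symmetric encrypt-then-MAC of one record under the session key."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def record_decrypt(session_key, record):
    """Reverse of record_encrypt; rejects any record whose MAC does not verify."""
    enc_key, mac_key = _subkeys(session_key)
    nonce, body, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def run_handshake(request=b"GET /account HTTP/1.1"):
    """Walk steps 2-7 and return what each side ends up holding."""
    public_key, d = server_generate_keypair()                       # server, step 2
    session_key = client_make_session_key()                         # client, step 3
    wrapped = client_wrap_session_key(public_key, session_key)      # client, steps 4-5
    recovered = server_unwrap_session_key(public_key, d, wrapped)   # server, step 6
    record = record_encrypt(session_key, request)                   # client, step 7
    return {
        "client_key": session_key,
        "server_key": recovered,
        "wire_sees_plain_key": wrapped == int.from_bytes(session_key, "big"),
        "server_reads": record_decrypt(recovered, record),
    }


if __name__ == "__main__":
    result = run_handshake()
    print("keys match:", result["client_key"] == result["server_key"])
    print("server read:", result["server_reads"])
```

Run it and note which values ever cross the "wire": the certificate's public key, the RSA ciphertext of the session key, and the symmetric records. The private exponent and the plain session key never do, which is the whole point of steps 4 through 6.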

Question:  What type of encryption does SSL use to privately share the session key? 
Answer: Asymmetric

Question: What type of encryption does SSL use to encrypt the session data?
Answer: Symmetric

Trick Question: What type of encryption does SSL use?

Answer: Asymmetric and symmetric

You can find more details on cryptography in Chapter 9 of this book:
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide

You can also watch a video on YouTube here:
SSL Asymmetric and symmetric encryption

HTH,

Darril Gibson