Why we want to use HTTPS? The answer is: Encryption and Identification.
First your traffic is encrypted, no one can eavesdrop on your messages. and then make sure you are talking to the server which is you expected. let’s see how it works:
Client sends some info to server to say hello:
What includes in Hello
- a random number generated by client: `num1`
- TLS version & encryption method supported by client and so on
Server responses to client:
What includes in Here
- another random number generated by server: `num2`
- TLS version & encryption method to be used and so on
- domain list
- Server's RSA public key
- other info
Client verify the certification (This is what we said identification).
How Client verify the certification
- use local certification（CA's RSA public key） to verify if the certification from server was signed by CA's RSA private key
- check if the domain we want to access is in certification
once Client verified the certification is trusted, then it gets Server's RSA public key from certification
Client knows that the server is indeed the one we want to access now. so it generates a pre-master key, encrypt it by Server’s public key and then send it to Server.
Server dencrypts the pre-master key by it’s RSA private key.
Both client and server have
pre-master key now, so they can generate a session key to encrypt all data. This is what we said encryption.