How HTTPS Works

Aug 17, 2018

Why do we want to use HTTPS? The answer is encryption and identification.

First, your traffic is encrypted, so no one can eavesdrop on your messages. Second, you can make sure you are talking to the server you expected. Let's see how it works:

The client sends some info to the server to say hello:

```mermaid
graph LR
    Client -->|Hello| Server
```

What the Hello includes:
- a random number generated by the client: `num1`
- the TLS versions and encryption methods supported by the client, and so on

The server responds to the client:

```mermaid
graph LR
    Server -->|Here| Client
```

What the Here includes:
- another random number generated by the server: `num2`
- the TLS version and encryption method to be used, and so on
- the certificate
  - domain list
  - the server's RSA public key
  - other info

The client verifies the certificate (this is what we mean by identification).

How the client verifies the certificate:

- use the locally stored CA certificate (the CA's RSA public key) to verify that the certificate from the server was signed with the CA's RSA private key
- check that the domain we want to access is in the certificate

Once the client has verified that the certificate is trusted, it gets the server's RSA public key from the certificate.

The client now knows that the server is indeed the one we want to access, so it generates a pre-master key, encrypts it with the server's public key, and sends it to the server.

```mermaid
graph LR
    Client -->|encrypted key| Server
```

The server decrypts the pre-master key with its RSA private key.

Both the client and the server now have `num1`, `num2` and the pre-master key, so they can generate a session key to encrypt all data. This is what we mean by encryption.
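The session-key step above, as an added example that is not code from the original post: it assumes TLS 1.2 with an AES-128-GCM cipher suite and uses the RFC 5246 PRF to turn `num1`, `num2` and the pre-master key into the keys both sides use. The function names are made up for illustration.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, built on HMAC-SHA256."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master: bytes, num1: bytes, num2: bytes) -> bytes:
    # Seed order here is client random (num1), then server random (num2).
    return p_sha256(pre_master, b"master secret" + num1 + num2, 48)

def session_keys(master: bytes, num1: bytes, num2: bytes) -> dict:
    # Key expansion swaps the order: server random first, then client random.
    # The "session key" is really one key and one IV salt per direction.
    block = p_sha256(master, b"key expansion" + num2 + num1, 40)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }

def derive(pre_master: bytes, num1: bytes, num2: bytes) -> dict:
    return session_keys(master_secret(pre_master, num1, num2), num1, num2)

def new_pre_master() -> bytes:
    # 2-byte client version (0x0303 = TLS 1.2) followed by 46 random bytes.
    return b"\x03\x03" + os.urandom(46)

if __name__ == "__main__":
    # Constructed sample values; no network traffic is involved.
    num1, num2 = os.urandom(32), os.urandom(32)
    pre_master = new_pre_master()
    client_side = derive(pre_master, num1, num2)
    server_side = derive(pre_master, num1, num2)
    print("both sides derive the same keys:", client_side == server_side)
    # A fresh server random gives different keys even if the pre-master key repeats.
    print("new num2 changes the keys:", derive(pre_master, num1, os.urandom(32)) != client_side)
```

The RSA key transport described here is the TLS 1.2-and-earlier flow; TLS 1.3 removed it in favour of (EC)DHE key exchange, which provides forward secrecy.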
