How Does HTTPS Secure Your Data? Inside SSL/TLS Handshake Explained

HTTPS Overview

HTTPS is essentially HTTP combined with the SSL/TLS protocol to provide secure communication.

While HTTP handles basic data transfer, it lacks security; SSL/TLS adds encryption, integrity, and authentication.

HTTPS guarantees three things:

Data encryption

Data integrity protection (hash, digital signature)

Identity authentication

Key points of HTTPS security:

Handshake phase uses asymmetric encryption with the public key.

Transmission phase uses symmetric encryption for the message.

Because HTTPS adds an asymmetric encryption step, establishing a connection takes longer than plain HTTP.

Encryption Concepts

Symmetric Encryption

Aliases: private‑key encryption, single‑key algorithm, classic cipher.

Concept: The same key is used for both encryption and decryption, so knowing one reveals the other.

Common algorithms: DES, AES, RC4, IDEA.

Asymmetric Encryption

Aliases: public‑key encryption.

Concept: A public key is shared openly while the private key remains secret; each side holds a key pair for encryption and decryption.

Limitation: The encrypted data length cannot exceed the key length.

Digital Digest

Alias: digital fingerprint.

Concept: A fixed‑length (e.g., 128‑bit) ciphertext generated from plaintext using a one‑way hash function.

Digital Signature

Combines asymmetric encryption with a digital digest.

Digital Signature Process

1. The sender hashes the original text to produce a digital digest A.

2. The sender encrypts digest A with their private key, creating ciphertext CypherA.

3. The ciphertext and the original text are sent to the receiver.

Signature Verification Process

1. The receiver hashes the received text to obtain digest B.

2. The receiver decrypts CypherA with the sender’s public key to get digest B'.

3. If B' equals B, the message is intact and authenticated.

Pseudocode

// Single‑way hash function
function Hash(plainText) {
  // encrypt the plaintext
  const encryptedAbstract = encrypt(plainText)
  // return fixed‑length (128‑bit) digest
  return encryptedAbstract
}

// Sender encrypts digest with private key
function doEncrypt(senderPrivateKey, encryptedAbstract) {
  const CypherA = encrypt(senderPrivateKey, encryptedAbstract)
  return CypherA
}

// Send message
function sendMessage(plainText) {
  const encryptedAbstract = Hash(plainText)
  const CypherA = doEncrypt(senderPrivateKey, encryptedAbstract) // encrypt
  return {
    CypherText: CypherA,
    originText: plainText
  }
}

// Receiver decrypts with public key
function doDecrypt(publicKey, encryptedAbstract) {
  const decryptedAbstract = decrypt(publicKey, encryptedAbstract)
  return decryptedAbstract
}

// Receive message
function receiveMessage(CypherA, plainText) {
  const encryptedAbstract = Hash(plainText)
  const decryptedAbstract = doDecrypt(publicKey, encryptedAbstract) // decrypt
  if (decryptedAbstract === encryptedAbstract) {
    console.log('1、the sender is true')
    console.log('2、the message is complete')
  }
}
const message = sendMessage(plainText) // digital signature process
receiveMessage(message.CypherText, message.originText) // verification process

Digital Certificate

Certificates ensure the public key is trustworthy; they are issued by a Certificate Authority (CA) after identity verification.

When a browser connects to an HTTPS site, the server presents its certificate; the browser checks its validity and the trust chain.

Signature verification chain:

client <- server <- CA

Certificate Contents

CA name

Certificate’s digital signature

Public key of the holder

Hash algorithm used for the signature

…etc.

SSL/TLS

SSL (Secure Socket Layer)

Uses encryption to prevent data interception during network transmission.

TLS (Transport Layer Security)

Provides confidentiality and integrity between two applications, building on SSL 3.0 with enhanced security measures.

SSL/TLS Handshake

Client announces supported protocol version, cipher suites, compression methods, and a random number (CRandom1).

Server responds with its protocol version, cipher suite, compression method, a random number (SRandom), and its digital certificate.

Client validates the certificate, generates a new random number (CRandom2), encrypts another random (CRandom3) with the server’s public key, and sends a ChangeCipherSpec message together with hashed messages and encrypted data.

Server decrypts CRandom3 with its private key, verifies the data, sends its own ChangeCipherSpec, and encrypts a Finished message with the derived Session Secret.

After these steps, both parties share a symmetric Session Secret used for encrypting application data.

Q&A

1. How does a client verify a received certificate?

The certificate contains the method to generate its own identifier; the client recomputes the identifier and compares it to the one in the certificate.

2. How is the issuing CA trusted?

Through a certificate chain: root CA → intermediate CAs → end‑entity certificate.

Conclusion

Secure data transmission relies on SSL/TLS, which underpins HTTPS. HTTPS achieves efficient, safe communication by negotiating a symmetric encryption algorithm via an asymmetric handshake secured with digital certificates, then using the symmetric key for actual data exchange.