Introduction to HTTPS, SSL/TLS, and Related Encryption Technologies

HTTPS Introduction

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is the secure version of HTTP that adds an SSL/TLS layer to provide encryption, authentication, and data integrity.

Functions of HTTPS

Content Encryption: Establishes a secure channel to protect data in transit.

Identity Authentication: Verifies the authenticity of the website.

Data Integrity: Prevents tampering or impersonation of content.

Disadvantages of HTTPS

Encryption and decryption introduce latency compared to plain HTTP, requiring asymmetric cryptography and additional handshakes.

Modern browsers cache HTTPS content only in memory, but it can be cached to disk when the HTTP response includes appropriate Cache-Control headers.

Differences Between HTTP and HTTPS

HTTPS requires a certificate issued by a Certificate Authority (CA).

HTTP transmits data in clear text; HTTPS encrypts data using SSL/TLS.

HTTP uses port 80; HTTPS uses port 443.

HTTPS combines SSL with HTTP to provide encrypted transmission and authentication.

HTTP defaults to port 80, HTTPS defaults to port 443.

The following diagram (not shown) illustrates the typical HTTPS architecture, now based on TLS rather than the older SSL.

Encryption Fundamentals

Symmetric Encryption

Symmetric (or private-key) encryption uses the same key for both encryption and decryption. Common algorithms include DES, AES, RC4, and IDEA.

Asymmetric Encryption

Asymmetric encryption uses a public key and a private key pair. The public key encrypts data, while the private key decrypts it. The length of data that can be encrypted is limited by the key size (e.g., a 2048‑bit key can encrypt up to 256 bytes).

Hash (Digest) Algorithms

A hash function produces a fixed‑length digital fingerprint of the plaintext, ensuring data integrity and preventing tampering.

Digital Signatures

Digital signatures combine asymmetric encryption with a hash of the message. The sender hashes the message, encrypts the hash with their private key, and sends both the original message and the signature. The receiver decrypts the signature with the sender’s public key, hashes the received message, and compares the two hashes.

The signing process can be represented as:

plaintext --> hash operation --> digest --> private‑key encryption --> digital signature

Digital signatures provide two main benefits: they verify the sender’s identity and ensure message integrity.

Digital Certificates

Why Certificates Are Needed

Certificates, issued by trusted third‑party CAs, bind a public key to an entity’s identity, preventing man‑in‑the‑middle attacks and ensuring that the public key truly belongs to the claimed server.

Certificate Issuance Process

The user generates a key pair, submits the public key and identity information to a CA, which validates the request and returns a signed certificate containing the public key and CA signature.

Certificate Contents

Issuer (CA) name

Certificate’s digital signature

Subject’s public key

Hash algorithm used for the signature

Certificate Validation

Check if the issuing CA is trusted.

Use the CA’s public key to verify the certificate’s signature.

Re‑compute the hash of the certificate and compare it with the decrypted hash.

Check revocation status via OCSP or CRL; if revoked or expired, the certificate is invalid.

SSL and TLS

SSL (Secure Socket Layer)

Developed by Netscape, SSL provides encryption, authentication, and data integrity. It consists of the SSL Record Protocol (for data encapsulation, compression, encryption) and the SSL Handshake Protocol (for negotiating algorithms and exchanging keys).

TLS (Transport Layer Security)

TLS is the successor to SSL 3.0, defined by the IETF. It also has a Record layer and a Handshake layer, operating over a reliable transport such as TCP.

Purpose of SSL/TLS

Authenticate client and server.

Encrypt data to prevent eavesdropping.

Maintain data integrity during transmission.

Advantages of TLS over SSL

Uses HMAC for message authentication, providing stronger integrity checks.

Improved pseudo‑random function (PRF) with dual hash algorithms.

Enhanced finished‑message verification.

Standardized certificate handling.

More detailed alert messages.

SSL/TLS Handshake Process

The handshake establishes a shared secret and negotiates encryption parameters.

Client Hello

The client sends a list of supported cipher suites, a random number, supported protocol versions, and optional compression methods.

Server Hello

The server selects the protocol version and cipher suite, sends its own random number and its certificate.

Client Key Exchange

The client verifies the server’s certificate, generates a pre‑master secret, encrypts it with the server’s public key, and sends it along with a ChangeCipherSpec message.

ChangeCipherSpec is a single‑byte protocol message indicating that subsequent records will be protected using the newly negotiated cipher suite.

Server Finished

The server decrypts the pre‑master secret, derives the session keys, sends its own ChangeCipherSpec, and a Finished message encrypted with the session key to confirm the handshake.

Secure Communication

After the handshake, both parties exchange application data encrypted with the negotiated symmetric key.

During the handshake, asymmetric encryption is used; during data transfer, symmetric encryption is employed for efficiency.

Session Resumption

Two methods allow a client to resume a previous session without a full handshake:

Session ID: The client presents a previously assigned identifier; the server retrieves the stored session parameters.

Session Ticket: The server issues an encrypted ticket containing the session state; the client returns it on reconnection.

Conclusion

HTTPS inserts SSL/TLS between TCP and HTTP to secure web communication, employing symmetric encryption for data transfer, asymmetric encryption for key exchange, hash functions for integrity, and digital certificates for authentication.

References (various online articles on digital certificates, HTTPS, SSL/TLS, OpenSSL, etc.)