Question about how HTTPS works



Hey. I've been reading a lot lately about PKI and certificates. It's going well and I've learned a lot, but I've just scratched the surface I guess. I do have one problem though. I just can't get to understand how HTTPS works. I got this far:

- Server has a certificate signed with the issuer's private key

- You contact the server, and it sends you the certificate, which you can decrypt with your pre-installed public key

- You sign uploaded traffic to the server with the public key (certificate) you received, so only the server can open it.

But how the h*ll is the downloaded data encrypted? Because 99% of the clients don't have a personal certificate so they could do mutual SSL/TLS or whatever it's called (when signed with both, your private and his public).

The server can't just encrypt with his private, since then everyone who has talked to him before could pick up the packets through sniffing, and decrypt with the public key (which everyone has).

Anyone who could share some knowledge on this one? Would really appreciate it :)


computer.howstuffworks.com/encryption4.htm

The key point is this: you can only *encrypt* with public keys. You decrypt with private keys.

The server sends a public key to the browser.

The browser then generates a random shared (symmetric) key.

The shared key is then *encrypted* with the server's public key, and sent back to the server.

The server, having the private key to decrypt the message, now has possession of the shared key.

All subsequent transmissions are encrypted with the shared key, which is then discarded by both parties at the end of the session.

I.e. the server's keys were only used to exchange the shared key generated by the browser.

EDIT : also read this: http://en.wikipedia.org/Certificate_authority

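The exchange described in the reply above, reproduced with the openssl command line as an added example that is not part of the original thread. File names and the response text are constructed for the demo, and AES-256-CBC stands in for whatever cipher a real session would negotiate. The sniffer step covers the worry from the first post: someone holding only the public key cannot recover the shared key.

```shell
#!/bin/sh
# Added example: the RSA key exchange from the reply above, via the openssl CLI.
# File names and the response text are constructed for this demo.
demo_key_exchange() {
    work=$(mktemp -d) || return 1

    # Server: long-term RSA key pair; the public half is what its certificate carries.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/server.key" 2>/dev/null || return 1
    openssl pkey -in "$work/server.key" -pubout -out "$work/server.pub" || return 1

    # Browser: generate a random 256-bit shared key and wrap it with the public key.
    openssl rand -hex 32 > "$work/browser.shared"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/browser.shared" -out "$work/wrapped.bin" || return 1

    # Sniffer: captured wrapped.bin and has the public key, but no private key.
    if openssl pkeyutl -decrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/wrapped.bin" -out "$work/sniffer.shared" 2>/dev/null; then
        echo "sniffer=unwrapped"
    else
        echo "sniffer=blocked"
    fi

    # Server: unwrap the shared key with the private key.
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/wrapped.bin" -out "$work/server.shared" || return 1

    # Server -> browser (the "download" direction): encrypt with the shared key.
    iv=$(openssl rand -hex 16)   # per-message IV, sent in the clear with the data
    printf 'secret page body' > "$work/response.txt"
    openssl enc -aes-256-cbc -K "$(cat "$work/server.shared")" -iv "$iv" \
        -in "$work/response.txt" -out "$work/response.enc" || return 1

    # Browser: decrypt the download with its own copy of the shared key.
    echo "browser_read=$(openssl enc -d -aes-256-cbc \
        -K "$(cat "$work/browser.shared")" -iv "$iv" -in "$work/response.enc")"
    rm -rf "$work"
}

demo_key_exchange
```

The ECDHE suites mentioned later in the thread arrive at the shared key through a Diffie-Hellman exchange instead of wrapping it under the server's RSA key; the symmetric step afterwards is the same idea.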

Okay, thanks. That's what I was thinking, but my teacher didn't really know. So thanks a lot for clearing it up :)


"but my teacher didn't really know"

Really? Who is your teacher? At least he was honest enough to say that vs making up some ****..

What exactly is this class you're taking? Guessing it's not a protocol type level class, but more an introduction to such technologies?


Yeah, she's a security consultant or something for a big company, who works with IDS and such and just teaches 2 hours a week. But since she never really focused on setting up https servers, she couldn't be 100% sure. And yes, it's a class for "network security" where we barely scratch the surface of topics as PKI, vlans, firewall, ids/ips, antivirus and other related topics. Very basic. No wonder people don't feel ready for work after a Bachelor grade these days ^^


"she's a security consultant or something for a big company"

I would have to go with "something", more in a manager type role than tech if she could not break down the protocol for you. Did she at least mention that there are different protocols SSL 1, 2, 3 TLS 1, 1.1, 1.2 etc. And different ciphers that could be used depending on what the client and server both support. They have to agree on what they are going to use.


Yes, she did. She knows encryption, but couldn't remember what https used for downloads at that moment. But I guess some people can forget that when they don't use it daily. She is a security consultant, but again; https isn't a part of her job. :) We've been through most encryption modules, ssl/tls, CA (root and issuing), EV ssl and such. Heavy stuff, especially when you don't see much in practice. It's a good thing that I like to try stuff out in a virtual lab :)

btw.. what the hell is up with Windows 8 or IE10? Big letters on every other word :s


There were some theme problems going on - see the site section, noticed a few posts about it last night.

Did she point you to some good tools for checking on ssl/tls? Like openssl? Must have on your box if going to play with this stuff, or sslscan again comes in quite handy! http://sourceforge.n...ojects/sslscan/ Also here is a quick site for checking a site's ssl/tls capabilities and lots of good info: https://www.ssllabs.com/


Thanks for the links and news about the theme. Seems like a good read. SSLscan and ssllabs.com, is that to check the grade of the certificates so you know how validated they are and such? What about elliptic curve encryption or whatever it's called? Is that certificate-based too, or? Just heard the name and that it is a lot more effective, using shorter keys.


Yeah, ECC (Elliptic Curve Cryptography) could be used in TLS, RFC 4492 goes over this: http://www.ietf.org/rfc/rfc4492.txt

To be honest I have not looked that much into the differences and/or benefits of different ciphers, but sure it could be used in a cipher set that a server could offer, etc.

So for example https://www.google.com offers an ECC cipher using Elliptic Curve

TLS_ECDHE_RSA_WITH_RC4_128_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

etc.. etc..

You can use either sslscan or ssllabs.com to find out what a specific server presents as possible ciphers to be used, etc.


Yeah, she's a security consultant or something for a big company, who works with IDS and such and just teaches 2 hours a week. But since she never really focused on setting up https servers, she couldn't be 100% sure. And yes, it's a class for "network security" where we barely scratch the surface of topics as PKI, vlans, firewall, ids/ips, antivirus and other related topics. Very basic. No wonder people don't feel ready for work after a Bachelor grade these days ^^

To be fair to her, IDS/IDP, F/W, A/V are things you do to protect your LANs from intrusions and VLANs are again used internally for security/logical reasons, so she is probably more internal LAN than external.

Her deep level protocol knowledge probably gets hazy as the packets exit the building.

I work in a similar role - I design and run networks, so L2/L3 switching, VLANs, firewalls, routers, IDS/IPS, NBAR, VPNs, but I don't get involved in HTTPS much more than installing certs.

You can't be an expert at everything, and being honest this kind of stuff is hard to learn in class, but it's nice to even be able to get a taste for it in a class.


Exactly - I applaud the fact that she stated she was not sure in the answer to the question vs just making up some **** or taking a stab at it without being 100% sure of the answer.
