
HTTPS

A quick overview of HTTPS and how it works.

Mike Klemarewski

September 20, 2016

Transcript

  1. What is HTTP?
     • Protocol for client-server communication
     • Different request methods (GET, POST, etc.)
     • Headers provide additional information
     • Client makes an HTTP request
     • Server sends an HTTP response
  2. HTTP Request Example

     GET / HTTP/1.1
     Host: www.google.ca
     Accept: text/html
     Accept-Encoding: gzip, deflate, sdch
     Accept-Language: en-US,en;q=0.8
  3. HTTP Response Example (note that the plain-HTTP request is redirected to an https:// URL)

     HTTP/1.1 302 Found
     Location: https://www.google.ca/?gws_rd=ssl
     Content-Type: text/html; charset=UTF-8
     Date: Thu, 01 Sep 2016 00:11:37 GMT
     Server: gws
     Content-Length: 230
     Proxy-Connection: Keep-alive

     <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
     <TITLE>302 Moved</TITLE></HEAD><BODY>
     <H1>302 Moved</H1>
     The document has moved <A HREF="https://www.google.ca/?gws_rd=ssl">here</A>.
     </BODY></HTML>
  4. HTTPS is...
     • Communication using HTTP
     • Connection encrypted by TLS (Transport Layer Security) or SSL (Secure Sockets Layer, the deprecated predecessor of TLS)
     • Sometimes HTTPS is referred to as HTTP over SSL/TLS
  5. Record Protocol: Ensures the connection is private
     • Data encrypted with symmetric encryption (both parties share the secret key)
     • Keys are generated by the TLS Handshake Protocol
  6. Record Protocol: Ensures the connection is reliable
     • Message integrity verified using a MAC (message authentication code)
     • Secret key + message => MAC algorithm => MAC
     • A MAC is sent with every message (the record's sequence number is included in the MAC input, so a captured record cannot be replayed)
     • Receiver runs the message through the MAC algorithm and checks, in constant time, that the result matches the MAC it received
  7. Handshake Protocol
     • Ensures negotiation of a shared secret is secure
     • The negotiated secret is unavailable to eavesdroppers, and for an authenticated connection even to an attacker sitting in the middle
     • The negotiation is reliable
     • The parties will know if an attacker tries to modify the negotiation
  8. TLS Handshake Security
     • Done using public key cryptography (asymmetric key cryptography)
     • Server sends its public key to the client (inside its certificate)
     • Client encrypts messages with the public key
     • Server decrypts using the private key
     (This describes RSA key exchange, available in TLS 1.2 and earlier. With (EC)DHE cipher suites the server's private key instead signs the key exchange parameters and the shared secret comes from Diffie-Hellman, so a later compromise of the private key does not expose past sessions.)
  9. The TLS Handshake
     1) Exchange hello messages to agree on TLS version, cipher suite and session ID; each side contributes a random value
     2) Server sends its certificate along with the chosen cipher suite
  10. The TLS Handshake
     3) Client generates a pre-master secret and sends it to the server (with RSA key exchange, encrypted under the server's public key)
     4) Each side generates the master secret from the pre-master secret and the random values sent in the hello messages
     5) Security parameters (the record layer's encryption and MAC keys) are derived from the master secret and provided to the record layer
  11. The TLS Handshake
     6) Each side sends a FINISHED message, protected with the new keys, covering everything exchanged so far
     7) The receiver decrypts the FINISHED message and checks its MAC; a mismatch means the negotiation was tampered with
  12. After the Handshake
     • Secure connection has been established
     • Messages are encrypted/decrypted by the record layer
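As an added worked example (not part of the deck), here are handshake steps 4 and 5 (master secret and key block), the FINISHED verify_data of steps 6 and 7, and the record-layer MAC check from slide 6, implemented as TLS 1.2 specifies them (RFC 5246) using only Python's standard library. The pre-master secret, the two hello randoms and the handshake transcript are constructed values, not taken from a real connection; encryption of the record is left out because the standard library has no AES, so the block shows the integrity half of the record protocol.

```python
"""TLS 1.2 key derivation and record-layer MAC check (RFC 5246), stdlib only."""
import hashlib
import hmac
import struct

# --- Constructed sample values (not captured from a real connection) -------
TLS12 = 0x0303
# RSA key exchange: 48-byte pre-master secret whose first two bytes are the client version.
PRE_MASTER_SECRET = bytes([0x03, 0x03]) + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))          # ClientHello.random
SERVER_RANDOM = bytes(range(32, 64))      # ServerHello.random
HANDSHAKE_MESSAGES = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"  # stand-in transcript


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5): HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) ..."""
    out = b""
    a = seed                                                # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()    # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Handshake step 4: 48-byte master secret from the pre-master secret and both randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Handshake step 5: expand the master secret into the record layer's per-direction keys.
    The randoms are concatenated server-first here, the opposite order from the master secret."""
    names = ("client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def finished_verify_data(master: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """Steps 6-7: verify_data = PRF(master, label, SHA-256(all handshake messages))[:12].
    label is b"client finished" or b"server finished"."""
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)


def record_mac(mac_key: bytes, seq_num: int, content_type: int, version: int, fragment: bytes) -> bytes:
    """Record-layer MAC over seq_num || type || version || length || fragment.
    Including the 64-bit sequence number is what defeats replay of a captured record."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int, version: int,
                  fragment: bytes, mac: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, mac)


def run_demo() -> dict:
    """Both endpoints derive the same keys; a modified or replayed record fails its MAC."""
    client_master = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    server_master = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    keys = key_block(client_master, CLIENT_RANDOM, SERVER_RANDOM)
    mac_key = keys["client_write_MAC_key"]
    app_data = b"GET / HTTP/1.1\r\nHost: www.google.ca\r\n\r\n"
    tag = record_mac(mac_key, 0, 23, TLS12, app_data)      # content type 23 = application_data
    return {
        "same_master": client_master == server_master,
        "client_finished": finished_verify_data(client_master, b"client finished", HANDSHAKE_MESSAGES),
        "server_finished": finished_verify_data(server_master, b"server finished", HANDSHAKE_MESSAGES),
        "genuine_ok": verify_record(mac_key, 0, 23, TLS12, app_data, tag),
        "tampered_ok": verify_record(mac_key, 0, 23, TLS12, app_data.replace(b"GET", b"PUT"), tag),
        "replayed_ok": verify_record(mac_key, 1, 23, TLS12, app_data, tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value.hex() if isinstance(value, bytes) else value}")
```

Running the block prints that both sides hold the same master secret, that the genuine record verifies, and that the record with one header changed and the record replayed under the next sequence number both fail. The client and server FINISHED values differ only because of their labels; each side computes the peer's expected value from its own master secret and transcript, which is why a handshake modified in transit is detected at step 7.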