HTTPS combines HTTP with SSL/TLS to provide encryption and secure identification of the server. SSL/TLS uses public/private key encryption and digital certificates to provide data encryption and ensure the server is who it claims to be. During the SSL/TLS handshake, the server sends its certificate to the client, which verifies the certificate with a Certificate Authority's public key to establish an encrypted and authenticated connection.

1. +HTTPS = HTTP SSL

2. What is HTTP
• HTTP:
– Application level protocol to transfer data across
web
– Communication protocol between clients and
servers.
– Request Response protocol
– Defines how messages are formatted and
transmitted.

3. HTTP Limitations
• Data Integrity:
– Hackers can have access to data and can steal
• Passwords
• Credit card Info
• Social Security Numbers
• Identity Assurance:
– No guarantee that you are interacting with
intended party
– You may be interacting with a hacker

4. What’s the solution?
Secure Socket Layer
(SSL)

5. SSL Introduction
• SSL
– Secure Socket Layer
– Makes data transfer secure
• Provides
– Encryption
• Allows data to be transmitted over computer networks in a secure
manner
• Hiding what is sent from one computer to another
– Identity Assurance (validation)
• Allows the business running the site to 'prove' that they are who
they claim to be
• Making sure the computer you are speaking to is the one you trust

6. Security Certificates
• Who gives SC:
– Certificate Authority ( C.A.)
• A trusted 3rd party Organization that issues Security Certificate/Digital Certificate
• How to get SC:
– Company/WebSite contacts CA(Certificate Authority)
– CA verifies the authenticity of Company.
– CA creates certificate and digitally signs it.
• Create hash of certificate
• Encrypts the hash using CA’s private key)
– Certificate installed on company’s server.
• What it contains?
– Company details
– Validity period
– Public key of company
– Unique Serial number
– Thumbprint algorithm
• The hash algorithm that generates a digest of data (or thumbprint) for digital signatures.
– Thumbprint
• The digest of the certificate data(ie, the hashed content)

7. How SSL solves - Identity Assurance?
• SSL uses Security Certificates:
– Solves Identity assurance issue
– Guarantees that you are talking to correct website
– So major websites gets Security Certificates

8. How SSL works - Encryption?
Encryption on Decryption
Private/Public Key Public/Private Key
Plain Text
Encrypted
Text
Plain Text

9. SSL Handshake

10. SSL Handshake in Detail
• Server sends the client a certificate to authenticate
itself.
• Client verifies the certificate:
– Checks validity period.
– Is the issuing Certificate Authority (CA) a trusted CA?
• Browser/Client maintains a list of trusted CA certificates.
• Checks If the issuing CA matches with the client's list of trusted
CAs.
• Does the issuing CA's public key validate the issuer's digital
signature
– Client uses public key from CA's certificate (which it found in its list of
trusted CA) to validate digital signature
– At this point, the client has determined that the server certificate is valid.

11. SSL Handshake in Detail …
• Client will also check:
– Does the domain name in the server's certificate match the
domain name of the server itself?
• Client creates a session key and encrypts with public key of
server and send back.
• Server decrypts session key and uses it further.
• Further encryption/decryption will happen with session key
– Symmetric key enc/dec is faster than Asymmetric key enc/dec.
• Now, your data is transferring SECURELY!!

12. Security Certificate providers
• Verisign/Symantec
• Thawte
• GoDaddy
• Comodo
• DigiCert
• GeoTrust

13. What you need to pickup?
• Hashing?
• Digest?
• Digital Signature
• Encryption
• Message Integrity
• Symmetric Encryption
• Asymmetric Encryption
• Encryption Algorithms

14. Videos
• http://www.networksolutions.com/SSL-
certificates/how-ssl-works.jsp
• http://www.youtube.com/watch?v=iQsKdtjwtYI
• http://www.youtube.com/watch?v=JCvPnwpWVUQ