Client-server and message security
Hypertext Transfer Protocol Secure (HTTPS) is a network protocol for secure communication over the Internet. Technically, it layers the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP. SSL/TLS uses long-term public and secret keys to exchange a short-term session key, which then encrypts the data flow between client and server. HTTPS is therefore HTTP within SSL/TLS: it establishes a secured bidirectional tunnel over the Internet between a server and the client that requests data from it. The partial green address bar shown below indicates that the connection is HTTPS; the website’s certificate details are also shown.
The Secure Sockets Layer (SSL) protocol was designed by Netscape as a method for secure client-server communications over the Internet. SSL offers a mechanism by which clients and servers can authenticate each other and then communicate securely. Both SSL and TLS are cryptographic protocols that use X.509 certificates, and hence asymmetric cryptography, to encrypt data moving over the Internet, thereby providing message confidentiality, message authentication and message integrity. TLS is the new name for SSL: the SSL protocol got to version 3.0, and TLS 1.0 is in effect “SSL 3.1”. TLS versions currently defined include TLS 1.1 and 1.2. Each new version adds a few features and modifies some internal details. The two are often referred to together as “SSL/TLS”.
During an initial handshaking phase, the client and server select a secret key to use; the client then sends this secret key to the server encrypted with the server’s public key, taken from the server’s certificate. Thus the information subsequently exchanged between the client and server is encrypted. As shown in the diagram, the message between the server and client during SSL/TLS
SSL/TLS is an intermediate networking protocol that sits between TCP and the higher-layer application. SSL/TLS is used to secure HTTP communication; this usage is denoted by https:// in the URL and uses TCP port 443. At its heart, SSL/TLS is not a payment protocol at all: SSL’s goal is to provide a secure connection between two devices connected over the Internet. Despite SSL’s popularity, MasterCard, Visa and several other companies developed the Secure Electronic Transaction (SET) protocol.
A public key certificate, also called a digital certificate, attests that a public key belongs to a particular individual. It is an electronic document that uses a digital signature to bind a public key (used for encrypting messages) to identity information such as the sender’s name and address, together with the digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is genuine. It is issued by a certification authority (CA).
An individual who wants to send an encrypted message applies for a digital certificate from a CA, which issues a digitally signed certificate containing the applicant’s public key and other identification information. The CA makes its own public key available on the Internet so that the issuer of a certificate can be verified.
The recipient of an encrypted message uses the CA’s public key to verify the digital certificate attached to the message, confirming that it was issued by the CA, and then obtains the sender’s public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.