How SSL works tutorial – with HTTPS example



hi there my name is Simon Dennis and I'm gonna give you a tutorial but how SSL works SSL is something that's given me a lot of trouble over the years and I know it's quite difficult to wrap your head around I have the whole thing fits together so this presentation is gonna aim to do just that what we're gonna cover today well we're gonna cover why SSL Certificates exists broadly there are two reasons why as the certificates exist that's encryption and identification so I'm going to go into encryption and finding out why we encrypt things and what good it does and how that encryption actually works on your computer and on the web server and they're going to go into identification and that's how your web browser can trust what computer is on the other end okay okay now like I said there's two facets to why SSL exists that's encryption and identification now encryption is basically hiding what's sent from one computer to another by changing the content so it's like speaking in a code I don't know what do you remember Pig Latin or Morse code well these are all examples of code but the code we use to encrypt our communication between two computers is obviously a lot more complex than that because we don't it to be cracked easily there's also identification now how can you trust what computers on the other hand how can you trust the computer on the other end is the computer you think it is and we'll go into both of these first we're gonna cover encryption okay now typically if you're going to send your credit card details to a server over the web here we can see your computer on the left the server on the right we want to send the credit card details so they go across now without SSR this information can be grabbed by another computer we see here on the bottom so if you don't use SSL any computer on any of the networks between you and the web server can get your details that you send over so SSL aims to put a barrier around that so that when you when this other computer looks at it it will just see garbage okay so let's take an example at Google's Gmail service will encrypt using SSL the username and password you send it to now how do we know this if you look at the HTML behind the page you see that when it submits the login details the action in the HTML code begins with HTTPS so that's indicating that it wants to submit the form securely now once you press submit there's several steps before the actual encrypted data is sent this is called the handshake number one the computers agree on how to encrypt the data between them number two the server sends a certificate containing details about itself and a key to encrypt the data number three your computer says start encrypting for the server says start encrypting now all messages are encrypted so what I'm going to do I'm gonna take you through each one of these five steps explains in detail how that works now the first part of the SSL handshake has the computers agreeing on how to encrypt with each other first the client computer on the left here sends a hello message to the server here shown on the right the information in that hello message contains the key exchange method here thus in the first column Russian RSA diffie-hellman and DSA second is the cipher that's the way of encrypting the data between the two servers and then third is the hash and that's used to generate something called a message authentication code which is sent along with these different messages and so they can ensure the integrity of them the key exchange method for more information if you look up transport layer security or public key encryption on Wikipedia you should have more information about that it's kind of beyond the scope of this slide also sent is the version of SSL in this case 3.3 indicating TLS and the random number which is used to compute the master secret which is then used from then on to calculate the encryption keys now once the client sends that message to the server the server then sends a hello message back to the client saying I choose this key this cipher and this hash method so now they've agreed the client has said this is what I can do the server said right I pick these and now they're ready to go on to the next stage now the next stage the server sends a certificate to the client now the certificate contains information about who the server belongs to how long the certificate is valid for various serial numbers and more importantly the public key now for more information about public key encryption I guess I'd go to Wikipedia they've got a great bit of information about that so the server sends a certificate to the client now the next step is your computer says let's start encrypting to the server there's actually three messages that accomplished this first is the client key exchange now once this message is sent both computers can calculate a master secret code and from then on that master secret code is used to encrypt all the communications from then on yeah you can be then says let's change to the cipher spec now that Seif respect will be the one that was previously agreed in the hello messages and then your computer says right I'm finished so saying let's start now the next step is then the server says right let's start encrypting so it gives the cypher spec and then it says unfinished let's go now the only thing is when when this message gets sent to the client it gets encrypted so the finished message after the cypher spec is then encrypted completely and against sent back to your computer now all messages are encrypted so in our Google example perhaps our login is Jane Doe and our password could be someone with this now when it's encrypted this will be garbage to anyone watching and that's how encryption works now the other reason SSL exists is identification that's making sure the computer you're speaking to it's the one you trust because you can have an SSL certificate but that doesn't mean necessarily that the computer that you are talking to is the one you think it is it just means that communication between it and you will be secure which isn't enough so let's look a bit more into this now when you're about to send some information to people over SSL usually there's a way of finding out who that information is going to go to usually you double click the padlock and a window will come up telling you now behind that there's a whole lot of infrastructure firstly there's a process that they that the organisation you're going to send your data to has to go through they have to communicate with another organization called a certificate authority so an example of that would be Verisign now the organisation has to ask the certification authority for a certificate the certification authority will then look up the details that company verified its true create a certificate and cryptographically sign it in a way that cannot be forced then they send the certificate back to the company who then stores it in a web server now you on the other hand have a web browser and you want to view the information on that certificate all your browser will only tell you if there's a problem but it can tell there's a problem because it's got a whole lot of certificates which in a way can vote for the certificate you get from the organization are you holding on your browser will trust correctly signed certificates but it will not trust incorrectly signed certificates or certificates that have come from a different certification authority that is not trusted but we'll go into each step of this so don't worry hold on no first the company asks the certification authority for a certificate in order to do this the company has to give a whole lot of information about the web server that they're running it on what the company is where it's located now the certification authority checks the correctness of this information and the authenticity of the company by going through public records receiving less or headed paper and generally is checking up a bit like an application for a passport the next step is the certification authority creates the certificate and signs it so here we've got a certificate this is the information you typically find that you've got the version the serial number the certificate the algorithm ID the issuer when the certificate is valid so two dates the details of the company called the subject that's applying for the certificate the public key information that includes the algorithm and the actual key issuing company identifications possibly and then a signature algorithm and a signature now the signature itself is created by condensing all the details in a certificate apart from obviously the signature algorithm and the signature into a number through a hash function you can find out more information about hash functions by looking up say Wikipedia on md5 which is a hash function so all the information on the right will be condensed into one number and then the certification Authority encrypts that number with the private key so anyone holding the public key from there Fyers correct there's a signature now that certificate is then given back to the company who installed it in the server so the company will run a web server and that certificates installed into it they may run Apache or Tomcat or WebSphere or WebLogic most likely Apache who knows this certificate is a stall down and you can configure the web service and then use the certificate and then on that certificate is going to be used in the handshake process we have now let's go to the other side where you on your browser trying to get information from a site through SSL now how does your browser know whether to alert you or not well the answer is is shipped out of the box with certificates from certification authorities all around the world and that enables it to check the authenticity of any certificates it gets now each one of the certificates that your browser is shipped with has the public key of that certification Authority in it so when it receives a certificate from the site it's able to verify that the signature at the bottom is absolutely correct my key now that concludes this tutorial if you have any feedback I'd love it whether it's positive or negative you can either catch on s Dennis at leading quarter comm or you can leave comments on the blog that would be fantastic thank you very much

31 thoughts on “How SSL works tutorial – with HTTPS example

  1. Thanks for the information about the SSL certificate.

    I have purchased an SSL certificate from www.datasoft.ws

  2. Great video. I'm a security engineer and this is very well explained. For those looking for more detail, note that in this video he uses RSA but sometimes Diffie-Hellman is used which means that instead of the public/private key, there is a different mathematical way to get the shared secret to both parties which also ensures forward secrecy.

  3. If some thirdparty gets the message from between server and client And ThirdParty has the private key and public key . Can it decrypt that message. How is this prevented.

  4. Gmail has never been secure for me I pray we have discovered the problem and prevent it from happening again.

  5. 9:42 I thought encryption is done with the public key while the private key is for decryption… What do I miss?

  6. if you need help installing ssl on your new or used website http://www.konker.io/services/19256?affid=7591b8 Google Chrome starts adding warning labels.

Leave a Reply

Your email address will not be published. Required fields are marked *