Connect with me

Understanding the HTTPS Handshake

all security cryptography new security concepts ssl Feb 08, 2024

Introduction

In the world of web security, the HTTPS handshake plays a pivotal role in safeguarding our online interactions. Whether we're a digital explorer curious about how our information is protected or a tech-savvy individual looking for a deeper dive into encryption protocols, this blog post combines insights from two perspectives to offer a thorough understanding of HTTPS and its critical handshake process.

What is HTTPS?

HTTP ((Hypertext Transfer Protocol) is the basic protocol used for sending data between our web browser and the websites we visit. HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. HTTPS adds a layer of security through the SSL/TLS (Secure Socket Layer/Transport Layer Security) protocols on top of HTTP to provide encryption, authentication, and integrity.

The HTTPS Handshake Explained

The HTTPS handshake is essentially a digital "secret handshake" that establishes a secure session between our browser and a website's server. It's a multi-step process designed to verify the authenticity of the website, exchange encryption keys, and set up a secure communication channel. Here's how it unfolds:

Step 1: Initiation with ClientHello and ServerHello

  • ClientHello: Our browser initiates the handshake by sending a "ClientHello" message, which includes the TLS version it supports, a list of supported cipher suites (encryption algorithms), and a random byte string for security.
  • ServerHello: The server responds with a "ServerHello" message, selecting the encryption methods from the client’s list, specifying its TLS version, and sending a unique random byte string.

Step 2: Server Identification with Digital Certificates

  • The server shows its ID: The server presents its SSL/TLS certificate, a digital ID, proving its legitimacy. This certificate contains the server's public key and is validated by a trusted Certificate Authority (CA).
  • Browser checks the certificate: Our browser examines this certificate to ensure it's valid, not expired, and issued by a trusted authority. It's like checking the ID card's authenticity before proceeding further.

Step 3: Key Exchange and Encryption Protocols

  • ServerKeyExchange (if necessary): Depending on the cipher suite, the server may send additional key exchange information.
  • ClientKeyExchange: The client generates a pre-master secret, encrypts it with the server's public key (from the server's certificate), and sends it back. Here, asymmetric encryption is used to ensure that only the server can decrypt it with its private key. 

Step 4: Finalizing the Secure Connection

  • Pre-Master Secret to Master Secret: Both the client and the server use the pre-master secret along with ClientRandom and ServerRandom (exchanged during the Hello messages) to generate the master secret. This master secret is then used to generate the session keys.

  • ChangeCipherSpec: After the session keys are generated but before the handshake is finalized, both the client and the server send a ChangeCipherSpec message. This message is not technically part of the TLS handshake protocol but rather a signal that subsequent messages from that point will be encrypted using the session keys derived from the master secret using symmetric encryption. It indicates a transition from the handshake phase to secure communication.

  • Finished Message: Finally, both the client and server exchange encrypted 'Finished' messages, which verify that the handshake process was completed successfully and that key exchange and authentication processes were successful. This is the first message encrypted with the session keys to ensure the integrity and authenticity of the handshake.

The Significance of Asymmetric and Symmetric Encryption

This handshake intricately blends asymmetric and symmetric encryption to secure data. 

  • Asymmetric Encryption is pivotal at the beginning of the HTTPS handshake for the secure exchange of encryption keys. In this phase, the client uses the server's public key (obtained from the server's digital certificate) to encrypt information such as the pre-master secret. Because this public key is paired with a private key that only the server possesses, only the server can decrypt the information encrypted with its public key. This ensures that even if the communication is intercepted, the encrypted data cannot be decrypted by anyone other than the server. Asymmetric encryption is ideal for the initial key exchange because it does not require the client and server to have shared secrets beforehand; however, it is computationally more intensive than symmetric encryption.

  • Symmetric Encryption comes into play once a secure channel is established, utilizing a shared secret key known only to the client and the server. This shared key is derived from the pre-master secret that was securely exchanged using asymmetric encryption. Symmetric encryption is used for the bulk of the data transfer because it is much less resource-intensive than asymmetric encryption, allowing for faster and more efficient communication. The symmetric key encrypts and decrypts the data exchanged during the session, ensuring that the information remains confidential and secure from eavesdropping.

Important Notes

  • Verifying Trust in Browser: The presence of HTTPS and the lock icon in our browser's address bar signals a secure connection, fostering trust in the website we're visiting.
  • Server and Client Authentication: The SSL/TLS server is always authenticated, but the client is rarely authenticated. Client authentication, while less common in everyday web usage, is employed in scenarios requiring stringent security measures, ensuring that only authorized clients can access specific services or information on a server.

Conclusion

The HTTPS handshake is a cornerstone of web security, silently working behind the scenes to protect our online interactions. Whether we're engaging in casual browsing or delving into the technical depths of web encryption, a comprehensive understanding of the HTTPS handshake enhances our awareness and appreciation of internet security. Remember that the presence of HTTPS and the lock icon in your browser's address bar signals a secure connection, fostering trust in the website we're visiting.

See also

Read more about SSL, TLS and HTTPS at secdops.com/blog/ssl-tls-and-https-a-beginners-guide-to-web-security.

Stay connected with news and updates!

JoinĀ the mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.