2 years ago 🥁 for day 119, 2020 with 485 words.

Hardened Web Pt 3/n

Days sheltering in place?: 43
Days to normality: 33 (at least)
Spare rolls of toilet paper left: NONE (now it gets interesting).

Event that isn't happening today: Tour of the Morgan Factory, these are cars that are still built by hand as they always have been. You'll recognize the design style if you saw one. Think Downton Manor - when they got cars that is.

Apologies for the diversion over the last few days, now where were we, oh yes....

We take it for granted that most connections on the Internet are secure nowadays. This is achieved by using something called SSL (although technically it is called TLS), but you know it as 'https' and the padlock icon at the start of the URL when displayed in a browser.

For the data to be secure it must be encrypted, and therefore there is some cipher involved and an encryption key. The question is how both sides end up with that key: a key that both the server and the browser know, that nobody else knows, that is different for everybody, and that can be worked out by the browser even though it has never visited the site before.

So how does it do this? Very cleverly - of course.

There are several types of encryption. Some are one-direction (why this is useful is left as an exercise for the reader); some are symmetrical, in that you can encrypt the data and then, if you know the password, decrypt it; and there is a very special third kind, which is asymmetrical - invented in the '70s at GCHQ in the UK - and commonly referred to as public key encryption.

With public-key encryption the key used to encrypt the data is public: everyone who wants to know it can, as there is nothing to hide, because the same key won't decrypt the data. There are two keys: one that is used to encrypt the data (the public key) and one that is used to decrypt the data (the private key).

When the browser connects to the server it receives the public key which it then uses to encrypt the data sent to the server, where the server uses its private key to decrypt it. Magic, right?

Well, it's not this simple. Public key cryptography is CPU intensive and the browser would need to have its own private key so the server can send the results back. Instead what happens is this - in a simplified manner.

  1. Browser generates a long, complex key
  2. Browser connects to server to get the public key
  3. The long, complex key is encrypted using the public key
  4. This is sent to the server
  5. The server uses its private key to decrypt the message and now has a secure, unique, long, complex key with which to encrypt all future communications using symmetric encryption.
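Here are the five steps above as a runnable sketch, added as an illustration and not taken from any real TLS code. Everything in it is an assumption made so it runs with only the Python standard library: the server key pair is toy, unpadded RSA built from two well-known Mersenne primes, and the symmetric part is a hash-based stand-in for a real cipher such as AES.

```python
import hashlib, hmac, secrets

# Toy server key pair from two known Mersenne primes: illustration only, trivially factorable.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # (N, E) is public; D stays on the server

def subkeys(key):  # separate encryption and integrity keys from one session key
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def keystream_xor(enc_key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key | nonce | offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(enc_key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Symmetric encrypt-then-MAC; returns nonce | ciphertext | tag."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(12)
    body = nonce + keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(key, record):
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    enc_key, mac_key = subkeys(key)
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or modified record")
    return keystream_xor(enc_key, body[:12], body[12:])

def browser_wrap(n, e):
    """Steps 1 and 3: make a random session key and encrypt it to the server."""
    session_key = secrets.token_bytes(32)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)

def server_unwrap(wrapped):
    """Step 5: only the holder of D can recover the session key."""
    return pow(wrapped, D, N).to_bytes(32, "big")

def demo():
    browser_key, wrapped = browser_wrap(N, E)      # steps 1-3 (N, E came from step 2)
    server_key = server_unwrap(wrapped)            # steps 4-5
    request = seal(browser_key, b"GET /account")   # browser -> server, symmetric
    reply = seal(server_key, unseal(server_key, request) + b" -> 200 OK")
    return browser_key == server_key, unseal(browser_key, reply)

if __name__ == "__main__": print(demo())
```

This follows the simplified steps above, which is how older TLS versions could exchange the key. TLS 1.3 no longer sends the key this way and uses an ephemeral Diffie-Hellman exchange instead, so that a later leak of the server's private key does not expose recorded sessions.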

Even more magical, right?


By Yorick Phoenix 🥁

Chief WriteTogether Bug Finder & character stringer. Generally, to create computer code, but sometimes actual words and paragraphs. Listens to lots of music, takes lots of photos, & invests in stocks for the long haul.
