Welcome to the second post of the series on All about HTTPS.
In the previous post, we talked about why we need an HTTPS connection. In this post we will talk about how the encryption keys work.
HTTPS provides the privacy, integrity and identification on the web that we talked about last time by converting plain text into unreadable data. That mechanism is called encryption, and there are two types of encryption algorithms involved.
1. Symmetric key algorithm
In this scenario, there is only one key, used both to encrypt and to decrypt a message. Let's try to understand this with a simple example. Before sending the message to Bob, Alice encrypts the message with a key. You can think of the encryption process like putting the message in a box and locking the box with a key. Only a person with a copy of the key can open the box and read the message.
This guarantees that the box cannot be opened until it reaches the person with the right key. When Bob gets the box, he uses his copy of the key to open it and read the message. It's important that the key is kept private. You should not share the key in plain text, or send it with the box. Remember, anyone with the key can open the box. The box is a nice visual for understanding encryption, but it really oversimplifies things. In reality, anyone looking at the message without the key only sees nonsense text like below.
To decrypt a message, we just need to apply the same steps, but in reverse order.
The encryption key is mixed in with the message, so even if you know the encryption algorithm, without the key, the message is still nonsense.
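To make the box analogy concrete, here is an added example (not code from the original post) of a symmetric cipher in Go, using AES-256-GCM from the standard library. The same key both seals and opens the message. One detail the analogy hides: a modern cipher like GCM does not hand a wrong-key holder garbage, it refuses to open the box at all and reports an authentication error, which is how it also protects integrity. The message text and the names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey draws a fresh 256-bit symmetric key from the OS CSPRNG.
// This is the secret that both Alice and Bob must hold.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// symmetricEncrypt seals plaintext under key with AES-256-GCM.
// The output is nonce || ciphertext || tag; a random nonce is drawn per message,
// so encrypting the same text twice yields different bytes on the wire.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce: everything the receiver
	// needs except the key travels together.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt applies the same steps in reverse. With the wrong key, or if
// any byte was altered in transit, gcm.Open returns an error instead of plaintext.
func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	sharedKey, _ := newKey() // constructed: the secret Alice and Bob both hold
	otherKey, _ := newKey()  // constructed: a key belonging to someone else

	sealed, _ := symmetricEncrypt(sharedKey, []byte("meet at noon"))
	fmt.Printf("on the wire: %x\n", sealed)

	if msg, err := symmetricDecrypt(sharedKey, sealed); err == nil {
		fmt.Printf("Bob, with the shared key: %s\n", msg)
	}
	if _, err := symmetricDecrypt(otherKey, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
}
```

Run it a few times and notice that the hex on the wire changes every run even though the plaintext does not; that is the per-message nonce at work, and it is why reusing a nonce with the same key is a serious mistake in GCM.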
One main issue with symmetric keys is that they are hard to share. You have to be very careful about how you distribute the key. This brings us to the next topic of discussion: asymmetric keys.
2. Asymmetric key algorithm
This time, instead of one key as in the symmetric case, we have two keys. One key is public, the other is private. They are paired and work together. Share your public key with anyone. Send it in plain text, make stickers, tattoos. Anything you want! It's public! Alice sends her public key to Bob, and Bob sends a message back to Alice, encrypting it with Alice's public key. In other words, Bob puts the message in a box and locks it with Alice's public key. Alice can now use her private key to read the message. That's the main idea. Only the private key can open a box locked with its paired public key. Alice uses Bob's public key to send him another message. This is great not only for privacy, but also for identification, since we know for sure that only the owner of the key pair can open the message.
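The exchange above, as an added example in Go that is not part of the original post: each party generates an RSA key pair, the public half is handed out freely, and a message locked with Alice's public key opens only with Alice's private key. RSA-OAEP with SHA-256 from the standard library is used here; the messages and the 2048-bit key size are constructed choices for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// keyPair holds one party's RSA key pair. Only the PublicKey field is ever shared;
// the private half must never leave the owner's machine.
type keyPair struct {
	private *rsa.PrivateKey
}

// newKeyPair generates a fresh 2048-bit RSA key pair.
func newKeyPair() (*keyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &keyPair{private: priv}, nil
}

// public returns the half that can be printed on stickers.
func (k *keyPair) public() *rsa.PublicKey { return &k.private.PublicKey }

// lockFor encrypts msg with pub so that only the matching private key can read it.
// OAEP padding randomizes each encryption, so the same message locks differently every time.
func lockFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// open decrypts a box with this party's private key. A box locked for someone else
// produces an error, not plaintext.
func (k *keyPair) open(box []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, k.private, box, nil)
}

func main() {
	alice, _ := newKeyPair()
	bob, _ := newKeyPair()

	// Bob locks a message with Alice's public key, which she may have posted anywhere.
	box, _ := lockFor(alice.public(), []byte("hi Alice, it's Bob"))
	fmt.Printf("box on the wire (first bytes): %x...\n", box[:16])

	// Only Alice's private key opens it.
	if msg, err := alice.open(box); err == nil {
		fmt.Printf("Alice reads: %s\n", msg)
	}
	// Bob's own private key cannot, even though Bob built the box.
	if _, err := bob.open(box); err != nil {
		fmt.Println("Bob's private key fails:", err)
	}

	// The reply goes the other way: Alice locks with Bob's public key.
	reply, _ := lockFor(bob.public(), []byte("hi Bob, it's Alice"))
	if msg, err := bob.open(reply); err == nil {
		fmt.Printf("Bob reads: %s\n", msg)
	}
}
```

Note that RSA can only lock a message shorter than the key (a few hundred bytes at most for a 2048-bit key), and it is far slower than a symmetric cipher. That is one reason the asymmetric step is used for small payloads such as keys rather than for whole conversations.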
Next, we'll look at how symmetric and asymmetric keys play a role when we connect to a site with SSL. See you in the next post.