Hi,
I access my account online. The bank account provides secure connection through HTTPS. I give my user name and password to access my account. What's happening behind the scenes here? What about encryption, public/private key? Who does the handshake/encryption? How does it take place? ON the client side (browser) and server side what's happening?
I read a few book and articles about security. But, they talk about security concepts and definitions in general, NOT with real life example.
Can you please explain what / how of behind the scenes?
If you have any article with real life soultion, Can you please send it across?

I sincerely appreciate your guidance on this.

Thanks for reading..!

Regards,
Satish

It is based on PKI.

In fact every thing about security is based on PKI.
In order to provide https connection, server must has the PKI key pair. Server publish the public key.

Browser, know the CA, certification authority. It is used to verify the public key.

SSL works the same way.

PGP is also similar, but it use a session key to improve the performance.

===================================================================
You just have to understand.
1) Every thing is based on PKI.
2) Then you have to figure out how public key, private key are used in each case.

Thanks, Hu, for your reply.

How does the browser check that the certificate is valid. Does the browser make a call to CA to check?

The server present public key as certificate.
The cerficate is a document contains public key and again signed by the public key of CA.

The Browser knows the CA. I is hard coded inside Explorer, I think, since I can not find where to specify it.

Browser trust CA, CA sign the public of https server, so if CA say the server's public is real, browser believe it.


But in JDK, it is a file. Under C:\j2sdk1.4.2_03\jre\lib\security