HTTPS: behind the scenes with real life example

 
Satish Kumar
Greenhorn
Posts: 6
Hi,
I access my account online. The bank account provides a secure connection through HTTPS. I give my user name and password to access my account. What's happening behind the scenes here? What about encryption, public/private key? Who does the handshake/encryption? How does it take place? On the client side (browser) and server side, what's happening?
I read a few books and articles about security. But they talk about security concepts and definitions in general, NOT with a real life example.
Can you please explain the what / how of behind the scenes?
If you have any article with a real life solution, can you please send it across?

I sincerely appreciate your guidance on this.

Thanks for reading..!

Regards,
Satish
 
Hu Rui
Greenhorn
Posts: 18
It is based on PKI.

In fact everything about security is based on PKI.
In order to provide an https connection, the server must have the PKI key pair. The server publishes the public key.

The browser knows the CA, the certification authority. It is used to verify the public key.

SSL works the same way.

PGP is also similar, but it uses a session key to improve the performance.

===================================================================
You just have to understand.
1) Everything is based on PKI.
2) Then you have to figure out how the public key and private key are used in each case.
 
Satish Kumar
Greenhorn
Posts: 6
Thanks, Hu, for your reply.

How does the browser check that the certificate is valid? Does the browser make a call to the CA to check?
 
Hu Rui
Greenhorn
Posts: 18
The server presents the public key as a certificate.
The certificate is a document that contains the public key and is again signed by the public key of the CA.

The browser knows the CA. It is hard coded inside Explorer, I think, since I can not find where to specify it.

The browser trusts the CA, the CA signs the public key of the https server, so if the CA says the server's public key is real, the browser believes it.


But in JDK, it is a file. Under C:\j2sdk1.4.2_03\jre\lib\security
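
An added example, not part of the original thread: a sketch of the local check the browser performs, using the JDK's own `Signature` API. The CA signs with its private key, and the browser verifies with the CA public key it already holds, so no call to the CA is needed for this step. The `Cert` record, the names `bank.example` and `Example Root CA`, and the in-memory `trustStore` map are constructed stand-ins for a real X.509 certificate and trust store; real validation also checks validity dates, the host name and the full chain.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.Map;
public class TrustCheckDemo {
    // Simplified stand-in for an X.509 certificate (constructed for this example).
    record Cert(String subject, String issuer, PublicKey key, byte[] signature) {
        byte[] signedBytes() { // the fields the CA's signature covers
            String keyB64 = Base64.getEncoder().encodeToString(key.getEncoded());
            return (subject + "|" + issuer + "|" + keyB64).getBytes(StandardCharsets.UTF_8);
        }
    }

    // CA side: sign the certificate body with the CA's private key.
    static Cert issue(String subject, String issuer, PublicKey key, PrivateKey caPrivate)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(caPrivate);
        s.update(new Cert(subject, issuer, key, new byte[0]).signedBytes());
        return new Cert(subject, issuer, key, s.sign());
    }

    // Browser side: a local check against CA public keys it already holds.
    static boolean isTrusted(Cert c, Map<String, PublicKey> trustStore)
            throws GeneralSecurityException {
        PublicKey caPublic = trustStore.get(c.issuer());
        if (caPublic == null) return false; // issuer is not a known CA
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(caPublic);
        s.update(c.signedBytes());
        return s.verify(c.signature());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair ca = gen.generateKeyPair(), bank = gen.generateKeyPair(), other = gen.generateKeyPair();
        Map<String, PublicKey> trustStore = Map.of("Example Root CA", ca.getPublic());
        Cert good = issue("bank.example", "Example Root CA", bank.getPublic(), ca.getPrivate());
        // Same signature, but the public key was replaced after signing.
        Cert altered = new Cert(good.subject(), good.issuer(), other.getPublic(), good.signature());
        // Correctly signed, but by an issuer the trust store does not contain.
        Cert unknown = issue("bank.example", "Unlisted CA", bank.getPublic(), other.getPrivate());

        System.out.println("good:    " + isTrusted(good, trustStore));
        System.out.println("altered: " + isTrusted(altered, trustStore));
        System.out.println("unknown: " + isTrusted(unknown, trustStore));
    }
}
```

Only the certificate issued by the listed CA and left unmodified passes; the other two fail without any network access. Records require Java 16 or later.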
 