Handshakes and cryptography

- [Instructor] In this movie, we will learn about the handshakes and cryptography that make HTTPS possible. We won't go too deep into technical details so that anyone can follow along. Let's begin by learning about symmetric-key cryptography. The key is a password, which works like a key on a lock. The idea is that we can encrypt data using a password. We put data and a password into an encryption algorithm, and we get back encrypted data that can't be read. It's locked up. Later, the encrypted data can be decrypted using the same password. We put the data and the password into a decryption algorithm and get back readable data. Symmetric key is a fancy way of saying that the same key is used for both encryption and for decryption. They are symmetrical. In fact, we can think of symmetric-key cryptography as being a lockable box. We can open it up and put data inside of it, and then we can close it and lock it with the key. The data is then locked up with encryption. The only way to unlock it again is by using the same key to decrypt it. That's symmetric-key cryptography. Public-key cryptography works a little differently. It's also named asymmetric-key cryptography, which gives you a hint about what's different. The keys that are used to encrypt and decrypt are not the same key. Instead, they are a pair of mathematically linked numbers. These numbers are derived from multiplying large prime numbers together. You don't need to worry about those details though. You just need to know that the two keys are related and that we refer to them as the public key and the private key. As the name suggests, the private key should always be kept secret and secure. It belongs to you and to you alone. However, the public key can be shared widely. We don't care who has it. We can post it on the internet. We can send it out in emails. We can share it with the whole world. Data can be encrypted by anyone using our public key, which is widely available. But that encrypted data cannot be decrypted with the same public key. So other members of the public can't discover the contents. It can only be decrypted using the matching private key. This should be a key that only the recipient possesses. So it allows any member of the public to send a private message that can only be read by the recipient possessing the private key. Now you understand why it's important to keep that key private. Let's return to our locked box example. This time, the box has two locks. There's a lock for the public key on one side and a lock for the private key on the other. Anyone in the public can get a copy of the public key, put data inside the box and lock it up. Once it's locked, the public cannot see what's inside anymore. We can send or share this encrypted data even over the public internet, and no one can snoop on it or alter its contents. When the encrypted data is received by someone who holds that special private key, though, they can use it to unlock the private side of the box. This will decrypt the data and allow them to read the contents. That's how public-key cryptography works. Now we're able to learn how SSL and TLS handshakes work. The handshake will use public-key cryptography to establish a secure communication channel. Let's walk through the steps. First, a browser sends an HTTPS request to a server. The server will send back its SSL certificate, which contains a public key as well as some identity information. The browser confirms that the certificate is valid and can be trusted. It will look at the expiration date and validate that it was issued by a trusted certification authority. If everything looks good, the browser will use the public key to encrypt a very long password and send it to the server. The password is secure because it can only be decrypted if someone has the corresponding private key available. It's like our locked box example that can be shared over the internet. The server receives this encrypted data and decrypts it using the private key. Now, here's the important point. The browser and the server now both possess the same very long password. It was transmitted securely across the public internet. That's the beauty of public-key cryptography. Symmetric key cryptography works great for sharing information as long as both the sender and the recipient possess that same password. But when a browser's communicating with the server for the first time, they don't have a common password that they both possess. Public-key cryptography provides a way to establish one. Once the browser and the server both have that same very long password, they can switch over to using symmetric-key cryptography. They can use the shared very long password to encrypt all their future communications. You may wonder why it switches to symmetric-key cryptography after successfully using public-key cryptography at the start. That's because it leverages the strengths of both technologies. Public-key cryptography is great for private communication in public, but the algorithms that it uses to do that are rather slow. Symmetric-key cryptography is difficult if both parties do not already possess a common key to use for their encryption. But once both parties have a shared key, the algorithms are very fast. So we use public-key cryptography to establish a shared password and then switch to symmetric-key cryptography to get that speed advantage. This is what happens during the handshake that sets up the secure channel between the browser and the server. Let's recap. The SSL certificate certifies the ownership of the public key. The public key is used to exchange a very long password over the internet. That long password is used to encrypt all data exchange between the browser and the server from then on. And one additional advantage is that the passwords used for this encrypted communication are temporary and not reused. Each connection uses a one-time password. Other connections to the server will initiate a new handshake and set up a new password to use.