HTTPS Mechanism
Try to explain how HTTPS work using pigeon as an example. Let’s assume Bob is the client, Alice is the server, Mallory is the hacker, Ted is the certification authority.
How HTTP works
If Alice wants to send a message to Bob, she attaches the message on the carrier pigeon’s leg and sends it to Bob. Bob receives the message, reads it and it’s all is good. In this scenario Mallory can intercept Alice’s pigeon in flight and changed the message.
Symmetric key cryptography
- Now Alice and Bob agree that they will write their messages using a secret code. They will shift each letter by 3 positions in the alphabet.
- The issue is that if Alice and Bob don’t meet before starting to send messages with the pigeon, they would have no way to establish a key securely. If they send the key in the message itself, Mallory would intercept the message and discover the key.
- This would allow Mallory to then read or change the message as she wishes before and after Alice and Bob start to encrypt their messages.
Asymmetric key cryptography
- Bob sends a pigeon to Alice without any message.
- Alice sends the pigeon back carrying a box with an open lock, but keeping the key.
- Bob puts the message in the box, closes the locks and sends the box to Alice.
- Alice receives the box, opens it with the key and reads the message.
How do I trust the box?
When Bob receives that open box how can he be sure that it came from Alice and that Mallory didn’t intercept the pigeon and changed the box with one she has the key to?
- Alice decides that she will sign the box, this way when Bob receives the box he checks the signature and knows that it was Alice who sent the box.
- To ensure the box is trustworthy, instead of Alice signing the box, Ted will sign the box. Ted is a very famous, well known and trustworthy guy. Ted gave his signature to everyone and everybody trusts that he will only sign boxes for legitimate people.
- Ted will only sign an Alice box if he’s sure that the one asking for the signature is Alice. So Mallory cannot get an Alice box signed by Ted on behalf of her as Bob will know that the box is a fraud because Ted only signs boxes for people after verifying their identity.
Boxes are heavy
Alice and Bob now have a reliable system to communicate, but they realize that pigeons carrying boxes are slower than the ones carrying only the message.
- They decide that they will use the box method (asymmetric cryptography) only to choose a key to encrypt the message using symmetric cryptography with.
- This way they get the best of both worlds. The reliability of asymmetric cryptography and the efficiency of symmetric cryptography.