|Web Server Management: Securing Access to Web Servers|
|Prev||Chapter 2. A crash course in cryptography||Next|
Given the cryptographic building blocks that we have now discussed, establishing an HTTPS connection turns out to be fairly straightforward. At least at the high level at which we are working - in practise there is quite a lot of additional complication to guard against various possible attacks.
The client web browser initially connects to the server on an agreed TCP port (443 by default)
The client and server agree mutually available TLS/SSL protocol versions, cipher specifications, compression algorithms, etc.
The server sends its public key certificate to the client
The client verifies the server certificate (can the client verify the signature? does the client trust the CA who signed the certificate? is the website identified in the certificate the one that is being accessed? has the certificate expired?)
The client and server agree a shared secret, either by using the server's public key from its certificate or otherwise
The client and the server use the secret to create the same symmetric encryption key
The client and the server switch to communicating using the previously agreed symmetric cipher and the key just established. Sequence numbers included in the encrypted message exchanges ensure that components can not be removed or replayed.