
16 - HTTP vs HTTPS

The document discusses HTTPS and certificates. It covers cryptography topics like ciphers, keys, symmetric and asymmetric encryption. It provides examples of encryption techniques like rotate cipher and Caesar cipher.

Uploaded by

Gi ji

Course : WEB ENGINEERING

Paper Code: ETCS-308

TOPIC: HTTPS and certificates (Security protocol)

UNIT-III HTTPS (Security Protocol)


Digital cryptography
• Ciphers
• Keys
• Symmetric-key cryptosystems
• Asymmetric-key cryptosystems
• Public-key cryptography
• Digital signatures
• Digital certificates



Cryptography

• Cryptography is the science of encrypting and decrypting data. It enables users to store sensitive information or transmit it across insecure networks so that it can be read only by the intended recipient.
• Data that can be read and understood without any special measures is called plaintext, while the method of disguising plaintext in order to hide its substance is called encryption.
• Encrypted plaintext is known as ciphertext, and the process of reverting the encrypted data back to plaintext is known as decryption.



Plaintext and Ciphertext

[Figure: an encoder turns the plaintext "Meet me at the pier at midnight" into the ciphertext "Phhw ph dw wkh slhu dw plgqljkw"; a decoder turns the ciphertext back into the plaintext.]
Cryptography
How Encryption Works
A cryptographic algorithm works in combination with a key (which can be a word, number, or phrase) to encrypt the plaintext, and the same plaintext encrypts to different ciphertext with different keys.
Hence, the security of the encrypted data depends entirely on two parameters: the strength of the cryptographic algorithm and the secrecy of the key.



Services Provided by Cryptography

• Confidentiality
– provides privacy for messages and stored data by hiding
• Message Integrity
– provides assurance to all parties that a message remains unchanged
• Non-repudiation
– Can prove a document came from X even if X denies it
• Authentication
– identifies the origin of a message
– verifies the identity of person using a computer system

Cryptography Techniques
Symmetric Encryption - also known as conventional cryptography or conventional encryption, in which one key is used both for encryption and decryption. The strength of the encryption technique depends on the key length.

Known symmetric algorithms

• Data Encryption Standard (DES) - 56 bit key
• Triple DES, DESX, GDES, RDES - 168 bit key
• RC2, RC4, RC5 - variable length up to 2048 bits
• IDEA (basis of PGP) - 128 bit key
• Blowfish - variable length up to 448 bits

Rotate-by-3 cipher example

Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC

Plaintext  MEET ME AT THE PIER AT MIDNIGHT
Ciphertext PHHW PH DW WKH SLHU DW PLGQLJKW



Keyed Ciphers (rotate-by-n), using different keys

[Figure: the same Rotate(n) encoder applied to the plaintext "Meet me at the pier at midnight" with three different keys.]
(a) Key=1: ciphertext "nffu nf bu uif qjfs bu njeojhiu"
(b) Key=2: ciphertext "oggv og cv vjg rkgt cv okfpkijv"
(c) Key=3: ciphertext "phhw ph dw wkh slhu dw plgqljkw"

Caesar Cipher

[Table: shift table over the 38-symbol alphabet a-z, 0-9, "." (dot) and space; one row per symbol, columns 1 to 9 give that symbol shifted by 1 to 9 places. The shift is linear and equidistributed (cyclic): after "9" come "." and space, then the alphabet wraps around to "a".]

Encryption example, 3 changes (shift by 3): "I agree" becomes "lcdjuhh" (i+3=l, space=c [+3]).

Key Cipher example, key 269 (shifts of 2, 6 and 9 applied in turn): "k.n.gupta 62" becomes "mewam3rzjba 0" (k+2=m, (dot)=e [+6], n=w [+9]).
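The two shift ciphers from the slides above, worked out in code. This is an added example, not part of the original slides. It assumes the Caesar table's symbol order a-z, 0-9, dot, space (inferred from the table rows and the worked entries i+3=l, space+3=c, dot+6=e) and treats the Key Cipher value 269 as a repeating key of shifts 2, 6, 9. It also lists every possible rotate-by-n decryption, which is the practical meaning of "strength depends on key length": with a key space this small, a defender should treat such a cipher as obfuscation, not encryption.

```python
# Added example (not from the slides): rotate-by-n and repeating-key shift
# ciphers.  Two alphabets are used because the slides use two conventions:
# the rotate-by-3 slide shifts letters only and leaves spaces alone, while the
# Caesar table shifts a 38-symbol alphabet whose order (a-z, 0-9, '.', space)
# is inferred from the table rows and worked entries (assumption).
LETTERS = "abcdefghijklmnopqrstuvwxyz"
FULL = LETTERS + "0123456789. "


def rotate(text, key, alphabet=LETTERS):
    """Shift each symbol of `text` `key` places forward in `alphabet` (cyclic).

    Symbols outside the alphabet (e.g. spaces when using LETTERS) pass through
    unchanged.  A negative key decrypts.
    """
    out = []
    for ch in text.lower():
        idx = alphabet.find(ch)
        out.append(ch if idx < 0 else alphabet[(idx + key) % len(alphabet)])
    return "".join(out)


def key_cipher(text, digits, alphabet=FULL, decrypt=False):
    """Repeating-key shift ('Key Cipher' slide): symbol i is shifted by key
    digit i mod len(key).  Key 269 means shifts 2, 6, 9, 2, 6, 9, ..."""
    shifts = [int(d) for d in str(digits)]
    direction = -1 if decrypt else 1
    return "".join(
        rotate(ch, direction * shifts[i % len(shifts)], alphabet)
        for i, ch in enumerate(text.lower())
    )


def all_rotations(ciphertext, alphabet=LETTERS):
    """Every possible decryption of a rotate-by-n ciphertext, keyed by shift.

    The key space has only len(alphabet) values, which is why the slides say
    the strength of a cipher depends on key length: every candidate can be
    listed and read off by eye.
    """
    return {k: rotate(ciphertext, -k, alphabet) for k in range(len(alphabet))}


if __name__ == "__main__":
    print(rotate("Meet me at the pier at midnight", 3))        # phhw ph dw wkh slhu dw plgqljkw
    print(rotate("I agree", 3, FULL))                           # lcdjuhh
    print(key_cipher("k.n.gupta 62", 269))                      # mewam3rzjba followed by a space
    print(all_rotations("phhw ph dw wkh slhu dw plgqljkw")[3])  # meet me at the pier at midnight
```

The slide's worked entries (k+2=m, dot+6=e, n+9=w) all come out of `key_cipher` with key 269 on the 12-character plaintext, and the trailing "2" of the plaintext lands on the space symbol because "2"+9 wraps past "9" and "." in the 38-symbol alphabet.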
Cryptography Techniques
Asymmetric Encryption - also called public key cryptography; it uses a pair of keys for encryption: a public key, which encrypts data, and a private key, used for decryption. The public key is published to the people while the private key is kept secret.

The most common algorithm is the RSA (Rivest Shamir Adleman) algorithm with key lengths from 512 to 1024 bits.

Public-Key Cryptography
Using different keys for encoding and decoding

[Figure: the client encrypts plaintext with the server's public key (key=es) and sends the ciphertext over the Internet; the server decrypts it with its private key (key=ds) to recover the plaintext.]

Public-Key cryptography assigns a single, public encoding key to each host

[Figure: (a) Symmetric-key cryptography: hosts A, B, C and D each share a separate secret key with X (kAX, kBX, kCX, kDX). (b) Public-key cryptography: A, B, C and D all encrypt to X with X's single public key ex.]


Cryptography Techniques
Hashing - Hashing is a one-way, non-reversible, "quick" encryption method. It produces a fixed-length value called a hash or message digest, which is used to authenticate the contents of a message. It is used to create digital certificates and digital signatures, for storage of passwords, and for verification of communications.
Common message digest functions
• MD4 and MD5 - produce 128 bit hashes
• SHA - produces 160 bit hashes
Cryptographic Services Allow
• Digital Signatures
– sign messages to validate source and integrity of the contents

• Digital Envelopes
– secure delivery of secret keys

• Message Digests
– short bit string hash of message

• Certificates (Digital IDs)
– used to authenticate: users, web sites, public keys of public/private pairs, and information in general

• Secure Channels
– Encryption can be used to create secure channels over private or public networks



Digital Signatures
• Digital Signature
– Encrypt sender’s identity string with sender’s private key
– Concatenate the encrypted text and the identity string
together
– Encrypt this message with receiver’s public key to create
message
– Receiver decrypts the encrypted text with their private
key
– the cipher text portion of the message is decrypted with
sender’s public key
– The decrypted text can be compared with the normal text to check its integrity

Signatures Are Cryptographic Checksums

[Figure: A computes the message digest of the plaintext message and signs it with A's private key (key=dA), producing the signature; message and signature are sent to B. B recomputes the message digest of the received message, decrypts the signature with A's public key (key=eA), and compares the two digests: "Same?"]


Digital Envelope
• Public/Private key encryption / decryption useful for internet
• Limitations
– encryption / decryption slow
– not reasonable for large documents
• Combine symmetric and asymmetric methods
– sender creates and uses symmetric (session) key to create cipher
text
– sender uses receiver’s public key to encrypt the symmetric key -
digital envelope
– sender transmits both cipher text and digital envelope to
receiver

Message Digests
• How to create and use a message digest
– sender uses message as input to digest function
– “sign” (encrypt) output (hash) with sender’s private
key
– send signed hash and original message (in plain text) to
receiver
– receiver decrypts hash with sender’s public key
– receiver runs plain text message through digest
function to obtain a hash
– if receiver’s decrypted hash and computed hash match
then message valid.
Digital Certificates (ID)
• Certification Authorities (CA)
– used to distribute the public key of a public/private pair
– guarantees the validity of the public key
• does this by verifying the credentials of the entity associated with the public
key
– Some CAs
• VeriSign - http://www.versign.com
• U.S. Post Office - http://www.ups.gov
• CommerceNet - http://www.commerce.net
– certificates contain
• public key
• e-mail
• full name

• Digital certificates are secure
– cannot be forged nor modified
Digital Certificates (ID)
• Process to create Digital Certificate
– User generates public/private pair
– User creates and sends a certificate request
• contains: identifying information and user’s public key
– CA verifies this information
– CA creates a certificate containing user’s public key
and information
– CA creates message digest from certificate and signs it
with CA’s private key
– This is a signed certificate
How to Obtain a Certificate?
• Define your own CA (use
openssl or Java Keytool)
– Certificates unlikely to be
accepted by others
• Obtain certificates from
one of the vendors:
VeriSign, Thawte, and
many others



Digital Certificates (ID)

• Using a Digital Certificate
– before sending a secure message, the sender requests a signed certificate from the receiver
– the sender decrypts the signed certificate with the CA's known public key to obtain the message digest of the info and public key that the receiver provided to the CA
– the sender creates a message digest of the public key and info provided by the receiver for the sender's use
– the sender compares the message digests; if they match then the receiver is validated.
Digital Certificates (ID)
• Types of Digital Certificates
– site certificates
• used to authenticate web servers
– personal certificates
• used to authenticate individual users
– software publishers certificates
• used to authenticate executables
– CA certificates
• used to authenticate CA’s public keys
– All certificates have the common format standard of
X.509v3
CAs and Trust
• Certificates are trusted if the signature of the CA verifies
• A chain of CAs can be formed; the head CA is called the root CA
• In order to verify the signature, the public key of the root CA must be obtained.
• TRUST is centralized (to root CAs) and hierarchical
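A toy model tying together the Digital Envelope, Message Digests, certificate creation, certificate use and the CA chain described on the slides above. This is an added example, not code from the slides. It assumes textbook RSA over fixed Mersenne primes in place of real key generation, and a SHA-256 keystream XOR in place of the symmetric session cipher (DES/AES); the names "Toy Root CA", "Toy Intermediate CA" and www.example.com are made up. It is for reading the mechanics, not for protecting anything: real certificates are X.509 structures and real signatures use padded RSA or ECDSA.

```python
# Added example (not from the slides): signed message digest, digital envelope,
# certificate issuance and chain verification.  Textbook RSA on fixed Mersenne
# primes and a SHA-256 keystream are stand-ins for real algorithms (assumption).
import hashlib
import json
import secrets


def keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) from two primes (toy; real keys use random primes)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


# Three distinct key pairs: the web site, an intermediate CA and the root CA.
SITE_PUB, SITE_PRIV = keypair(2**127 - 1, 2**521 - 1)
INTER_PUB, INTER_PRIV = keypair(2**89 - 1, 2**607 - 1)
ROOT_PUB, ROOT_PRIV = keypair(2**1279 - 1, 2**2203 - 1)


def digest(data: bytes) -> int:
    """Message digest as an integer; 256 bits, smaller than every modulus above."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, priv):
    """'Sign' the digest: encrypt it with the private key (slide: Message Digests)."""
    d, n = priv
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, pub):
    """Decrypt the signature with the public key and compare with a fresh digest."""
    e, n = pub
    return pow(signature, e, n) == digest(data)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (encrypt == decrypt)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def seal(message: bytes, recipient_pub):
    """Digital envelope: a fresh session key for the data, RSA only for the key."""
    session_key = secrets.token_bytes(32)
    e, n = recipient_pub
    envelope = pow(int.from_bytes(session_key, "big"), e, n)
    return xor_stream(session_key, message), envelope


def open_envelope(ciphertext: bytes, envelope: int, recipient_priv):
    """Receiver recovers the session key with its private key, then the data."""
    d, n = recipient_priv
    session_key = pow(envelope, d, n).to_bytes(32, "big")
    return xor_stream(session_key, ciphertext)


def encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, subject_pub, issuer, issuer_priv):
    """CA step: digest the certificate body and sign it with the CA's private key."""
    body = {"subject": subject, "issuer": issuer, "e": subject_pub[0], "n": subject_pub[1]}
    return {"body": body, "signature": sign(encode(body), issuer_priv)}


def cert_public_key(cert):
    return cert["body"]["e"], cert["body"]["n"]


def verify_chain(chain, trusted_roots):
    """chain[0] is the site certificate; chain[i+1] issued chain[i].

    Every signature is checked with its issuer's public key, and the last
    issuer must be a root whose key the verifier already holds (a browser
    ships those root keys), so trust is hierarchical and ends at the root.
    """
    for cert, issuer in zip(chain, chain[1:]):
        if cert["body"]["issuer"] != issuer["body"]["subject"]:
            return False
        if not verify(encode(cert["body"]), cert["signature"], cert_public_key(issuer)):
            return False
    last = chain[-1]
    root_pub = trusted_roots.get(last["body"]["issuer"])
    return root_pub is not None and verify(encode(last["body"]), last["signature"], root_pub)


def demo_chain():
    """Site certificate signed by the intermediate, intermediate signed by the root."""
    site = issue_certificate("www.example.com", SITE_PUB, "Toy Intermediate CA", INTER_PRIV)
    inter = issue_certificate("Toy Intermediate CA", INTER_PUB, "Toy Root CA", ROOT_PRIV)
    return [site, inter]


if __name__ == "__main__":
    msg = b"Meet me at the pier at midnight"
    print(verify(msg, sign(msg, SITE_PRIV), SITE_PUB))             # True
    ct, env = seal(msg, SITE_PUB)
    print(open_envelope(ct, env, SITE_PRIV) == msg)                # True
    print(verify_chain(demo_chain(), {"Toy Root CA": ROOT_PUB}))   # True
```

Two checks worth running yourself: change one byte of the signed message and `verify` fails, and change the `n` inside the site certificate body and `verify_chain` fails even though the intermediate and root are untouched, which is the "cannot be forged nor modified" property of a signed certificate in practice.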



Key Agreement: Diffie-Hellman Protocol
Key agreement protocol, both A and B contribute to the key
Setup: p prime and g generator of Zp*, p and g public.

A: Pick random, secret a. Compute and send g^a mod p.
B: Pick random, secret b. Compute and send g^b mod p.

A computes K = (g^b mod p)^a = g^ab mod p
B computes K = (g^a mod p)^b = g^ab mod p


HTTP AND HTTPS PROTOCOL



HTTP
 HTTP stands for Hypertext Transfer Protocol.
 HTTP provides a set of rules and standards that govern how information is transmitted on the World Wide Web.
 Computers on the World Wide Web use the HyperText Transfer Protocol to talk with each other
 http://www.google.co.in
 The first part of an address (URL) of a site on the Internet, signifying a document written in Hypertext Markup Language (HTML).



HTTP
HTTP is a client-server protocol by which two machines communicate using a reliable, connection-oriented transport service such as TCP.
 A browser is an HTTP client because it sends requests to an HTTP server (Web server), which then sends responses back to the client
 An HTTP server is a program that sits listening on a machine's port for HTTP requests.
 The standard (and default) port for HTTP servers to listen on is 80, though they can use any port.
HTTP can be "implemented on top of any other protocol on the Internet, or on other networks."
 HTTP only presumes a reliable transport; any protocol that provides such guarantees can be used, e.g. TCP.
HTTP

HTTP is stateless. The lifetime of a connection corresponds to a single request-response sequence
 An HTTP client opens a TCP/IP connection to the server via a socket, transmits a request for a document, then waits for a reply from the server. Once the request-response sequence is completed, the socket is closed.
 There is no "memory" between client connections.
 The pure HTTP server implementation treats every request as if it was brand-new.



How HTTP Works
HTTP Server is implemented by Apache HTTP Server ·
Microsoft IIS · Jigsaw · Zope etc.
Each client-server transaction, whether a request or a
response, consists of three main parts
 A response or request line
 Header information
 The body



Advantages of HTTP

Platform independent - allows straight cross-platform porting.
No runtime support required to run properly.
Usable over firewalls! Global applications possible.
Not connection oriented - no network overhead to create and maintain session state and information.



HTTP Limitations
Security Concerns
 Privacy - Anyone can see content
 Integrity - Someone might alter content. HTTP is insecure since no encryption methods are used. Hence it is subject to man in the middle attacks and eavesdropping of sensitive information.
 Authentication - Not clear who you are talking with. Anyone who intercepts the request can determine the username and password being used.
 Stateless - Need state management techniques to maintain the information across multiple request-response cycles.
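The three-part message structure from "How HTTP Works" and the privacy limitation above, shown together: an added example, not code from the slides. The parser splits a message into start line, headers and body; the constructed request below carries an HTTP Basic `Authorization` header, and the second function shows what anyone who can read the bytes on the wire sees, which is the whole reason the credentials need the encrypted channel that HTTPS provides. The host name and credentials are made up.

```python
# Added example (not from the slides): splitting HTTP messages into their three
# parts and reading the credentials a plain-HTTP request exposes.  Both captures
# are constructed samples; www.example.com and alice/hunter2 are made up.
import base64

CAPTURED_REQUEST = (          # constructed sample, not a real capture
    "GET /account HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
CAPTURED_RESPONSE = (         # constructed sample
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "Hello, Alice"
)


def parse_message(raw: str) -> dict:
    """Split one HTTP message into start line, headers and body.

    The start line is a request line (method, target, version) or a status
    line (version, code, reason).  Headers run until the first empty line;
    the body is then cut to Content-Length when that header is present.
    """
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"start_line": start.split(" ", 2), "headers": headers, "body": body[:length]}


def basic_credentials(message: dict):
    """Return (user, password) if the message carries HTTP Basic authentication.

    Basic auth is base64, not encryption, so over plain HTTP this is exactly
    what any device on the path can recover.  HTTPS encrypts the entire
    message, headers included, before it leaves the client.
    """
    auth = message["headers"].get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    req = parse_message(CAPTURED_REQUEST)
    print(req["start_line"], basic_credentials(req))   # ['GET', '/account', 'HTTP/1.1'] ('alice', 'hunter2')
    print(parse_message(CAPTURED_RESPONSE)["body"])    # Hello, Alice
```

The statelessness point on the earlier slide shows up here too: nothing in the parsed request links it to a previous one, which is why the client has to resend credentials (or a session token) on every request, and why each of those resends is exposed on plain HTTP.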




HTTPS
HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL.

• SSL acts like a sub layer under regular HTTP application layering.

HTTPS encrypts an HTTP message prior to transmission and decrypts a message upon arrival.
HTTPS (cont.)

(a) HTTP                                   (b) HTTPS
HTTP                Application layer      HTTP                Application layer
                                           SSL or TLS          Security layer
TCP                 Transport layer        TCP                 Transport layer
IP                  Network layer          IP                  Network layer
Network interfaces  Data link layer        Network interfaces  Data link layer


HTTPS
HISTORY

Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.

Originally, HTTPS was used with the SSL protocol. As SSL evolved into Transport Layer Security (TLS), the current version of HTTPS was formally specified by RFC 2818 in May 2000.



HTTPS
HTTPS by default uses port 443 as opposed to the standard HTTP port of 80.

URLs beginning with HTTPS indicate that the connection between the client (browser) and the server is encrypted using SSL
e.g.: https://login.yahoo.com/config/login_verify2?&.src=ym

SSL transactions are negotiated by means of a key based encryption algorithm between the client and the server; this key is usually either 40 or 128 bits in strength (the higher the number of bits, the more secure the transaction).



HTTPS
Need SSL if…
 you have an online store or accept online orders and
credit cards
 you offer a login or sign in on your site
 you process sensitive data such as address, birth date,
license, or ID numbers
 you need to comply with privacy and security
requirements
Certification Authority (CA) is an entity that
issues digital certificates for use by other parties.
It is an example of a trusted third party.
e.g. VeriSign, Thawte, GeoTrust etc.
HTTPS
Ability to connect to server via HTTP
secure consists of:
 Generating key
 Generating certificate signing request
 Generating self signed certificate
 Certificate Authority signed certificate
 Configuring web server.



SSL Diagram
When any modern browser is
installed, it is sent with several CA
issuer certificates. These issuer
certificates contain a public key for
the issuer, among other information.
When a web designer decides to use
SSL he needs to purchase a
certificate that is signed using the
CA's private key.
The web browser starts a connection
to an HTTPS site. Along with this
request the client sends all
supported encryption schemes.



SSL Diagram
As a response to the browser's connection request, the server sends a copy of the certificate from step 2. Along with this transmission is the server's answer to the encryption negotiation.
Once the certificate is downloaded, the signature of the certificate (which was made using the CA's private key) is checked using the CA's public key (installed in the browser in step 1).
The connection succeeds; the client can now download from and upload to the web site with the security of encryption.
Part One: SSL Handshake
Part Two: Transfer of Confidential Information
Part Three: Secure Session Closure
[These three slides contain figures only.]
How SSL Overcomes HTTP Security Concerns

Secure Sockets Layer technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:
Privacy
 An SSL Certificate enables encryption of sensitive information during online transactions.
Integrity.
 A Certificate Authority verifies the identity of the certificate owner when it is issued.
Authentication.
 Each SSL Certificate contains unique, authenticated information about the certificate owner.



Limitations of HTTPS

HTTPS cannot prevent stealing confidential information from the pages cached on the browser.
 Since in SSL data is encrypted only during transmission on the network, it is in clear text in the browser memory

HTTPS is slightly slower than HTTP.
HTTPS adds computational overhead as well as network overhead.



Conclusion
The HTTP network protocol is fundamental to the way the World Wide Web works, and the encryption involved in HTTPS adds an essential layer if confidential information or sensitive data are to be exchanged over the public internet.

Hence, if a website ever asks you to enter your credit card information, you should automatically look to see if the web address begins with https://. If it doesn't, there's no way you're going to enter sensitive information like a credit card number!



THANK YOU
