HTTPS and SSL/TLS
When HTTP requests travel back and forth over the Internet in unencrypted form, anyone who intercepts them can easily read the data. This is fine if it's publicly available information like a news article or a menu for your favourite fast food outlet, but it's not so good if the data contains passwords and other private information. To add security here we use another protocol called Transport Layer Security (TLS) in conjunction with HTTP to make HTTPS (Hyper Text Transfer Protocol Secure). TLS encrypts HTTP packets using public key encryption and symmetric encryption.
Side note: When we refer to the use of TLS we often call it SSL. This is merely because SSL was the first encryption method used for HTTPS and the term has stuck around. TLS was defined in 1999 by the Internet Engineering Task Force (IETF) as an upgrade to SSL 3.0. TLS became widely used in place of SSL in the early 2000s. Nowadays, if someone says "SSL", they are most likely actually talking about TLS.
Task: In 150 words of your own, with your current understanding of encryption, state why we might want to encrypt things. Make note of a few things that we use the Internet for that you feel would be important to use encryption for.
Creating an HTTPS connection using TLS
When a URL starts with "https://", the client knows that it needs to ask for TLS to be used. The process of creating an HTTPS connection is as follows:
Tasks:
1) Write your own notes for the above process. Memorise your process notes. Write them out again from memory.
2) Find a neighbour and recite your steps to them. Check each other for correctness and fix your notes if necessary.
3) Why did the IETF change from SSL to TLS?
4) What are some of the differences between SSL and TLS? (You might need to do some research)
Symmetric & Asymmetric Encryption
Two types of encryption are mentioned in the process above: symmetric and asymmetric. Please watch the video to the right to get a good understanding.
Basic notes:
Asymmetric encryption:
- The person/server wanting data encrypted sends out their public key. This is available for anyone to encrypt data, but it can only encrypt.
- The original person/server keeps their private key a secret as it is the only thing that can decrypt the data. This should not be given to anyone.
- This is very secure as it means that even if someone snooped and got the public key and some encrypted data, they can't get any information out.
- Slower than symmetric encryption. The keys are bigger and the algorithms are more complex, which makes the computation time higher.
Symmetric encryption:
- One key is used to do all encryption. Data that is encrypted with a symmetric key can be decrypted with that same key.
- Less secure. If someone is able to acquire a symmetric key - by hacking or by snooping in on packets on a network as it is sent (or some other method) - then they can decrypt and look at data as they please.
- Much faster than asymmetric. The keys are smaller and the algorithms are less complex, making the computation time shorter.
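The combination described in these notes (asymmetric encryption used once to share a key, symmetric encryption for the data itself), as an added example using the openssl command-line tool. It is not part of the original page and is a simplified model rather than the real TLS handshake; the function name, file names and sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example: hybrid encryption with the openssl CLI (needs OpenSSL 1.1.1+).
# hybrid_demo, the file names and the message are hypothetical, not from the page.
set -eu

# hybrid_demo MESSAGE WORKDIR -> prints the message as recovered by the "server"
hybrid_demo() {
    msg=$1; dir=$2

    # SERVER: make an RSA key pair. Only server_pub.pem is ever handed out.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server_priv.pem" 2>/dev/null
    openssl pkey -in "$dir/server_priv.pem" -pubout -out "$dir/server_pub.pem"

    # CLIENT: choose a random 256-bit secret to act as the symmetric key.
    openssl rand -hex 32 > "$dir/client_session.key"

    # CLIENT: asymmetric step, done once. Wrap the secret with the PUBLIC key.
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server_pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/client_session.key" -out "$dir/wire_wrapped.key"

    # SERVER: only the PRIVATE key can unwrap what went over the wire.
    openssl pkeyutl -decrypt -inkey "$dir/server_priv.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/wire_wrapped.key" -out "$dir/server_session.key"

    # CLIENT: symmetric step, used for all the data (AES key derived from the secret).
    printf '%s' "$msg" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$dir/client_session.key" -out "$dir/wire_msg.enc"

    # SERVER: decrypt with its own copy of the same secret.
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$dir/server_session.key" -in "$dir/wire_msg.enc"
}

# Stand-alone run with a constructed message.
work=$(mktemp -d)
hybrid_demo 'user=alice&password=constructed-example' "$work"; echo
rm -rf "$work"
```

An eavesdropper sees only `server_pub.pem`, `wire_wrapped.key` and `wire_msg.enc`; none of these reveals the session key without the private key.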
Tasks:
1) What are the basic differences between symmetric and asymmetric encryption?
2) In 150 words, discuss why it is more efficient to use asymmetric encryption only in the set up of HTTPS, then continue with symmetric encryption.
3) In a few sentences, discuss what using the Internet would be like: a) if we only used asymmetric encryption, b) if we only used symmetric encryption.