Encryption at Transit

The TLS handshake involves:

1. Protocol Version Exchange: Client and server agree on TLS versions (e.g., TLS 1.2, 1.3).

2. Cipher Suite Selection: Negotiate a mutually supported cipher suite (e.g., AES for encryption).

3. Server Authentication: Server sends its certificate, validated by the client using a trusted CA.

4. Session Key Generation: Create temporary symmetric keys for encrypted communication post-handshake.

• Date Check: Verify certificate validity (start/end dates).

• Signer Trust Check: Confirm the CA that signed the certificate is trusted (e.g., pre-installed root certificates).

• Signature Check: Validate the certificate’s integrity using the CA’s public key.

• Site Identity Check: Ensure the certificate’s domain matches the server’s domain (e.g., example.com).

A cipher suite is a combination of algorithms for creating and managing secure sockets.

• TLS: Protocol identifier -> using TLS protocol.

• RSA: Key exchange and authentication algorithm (server uses RSA keys -> asymetric encryption).

• AES_256_CBC: Symmetric encryption algorithm (256-bit AES in CBC mode).

• SHA256: Hash function for message integrity (HMAC).

• TLS: Protocol identifier.

• AES_256_GCM: Encryption algorithm (256-bit AES in GCM mode, providing authenticated encryption).

• SHA384: Hash function for integrity (SHA-384).

  
  

Note: TLS 1.3 removes explicit key exchange names (e.g., RSA), favoring ephemeral keys.

HTTPS adds a security layer (TLS/SSL) between the application and transport layers:

1. Application Layer: HTTP (handles data).

2. Security Layer: TLS/SSL (encrypts data).

3. Transport Layer: TCP (ensures data delivery).

4. Network Layer: IP (routes packets).

5. Data Link Layer: Network interface (physical transmission).

Example:

• HTTP Layers: HTTP → TCP → IP → Network Interface.

• HTTPS Layers: HTTP → TLS → TCP → IP → Network Interface.