This is what happen when you go to a HTTPS website. It basically says that you are connected to a server which is verified by a certified authority, not to a malicious web server.
A hacker can download a webpage (ex:- facebook, paypal) from internet and upload it to his web server and using a DNS spoofing he can direct your traffic to the malicious website. If this technology is not there, you will enter your credentials in to that malicious website compromising your sensitive data. This is called Phishing.. We will do a cool Phishing tutorial later..
To stop this, SSL (Secure Socket Layer) VPNs were introduced. Let's take a real world example and understand what is happening at the back end.. Let's take an online session to PayPal.com
Before the client PC even start going to PayPal.com, some things have happened at the back end. Let's take a Certificate Authority like VeriSign.
They create a Public/ Private Key pair and they create their own Digital Signature using their Private Key..
Then they create their own CA certificate containing their Public Key and their Digital Signature and they send it to web browsers all over the world regularly. So the Client PC here has the CA's public key along with CA's digital signature before even start any web session to any website.
PayPal.com also create their own Public and Private Key pair and send their Public Key to CA asking for a Digital Certificate for them..
CA verify the legitimacy of the sender and they issue a Digital Certificate to PayPal.com containing PayPal.com's Public Key and CA's Digital Signature..
Now let's see an online session..
Client sends a SYN request to PayPal.com's web server's port 443 asking for a TCP 3-Way handshake. Server acknowledges and sends a SYN and the Client sends an ACK and TCP session starts..
Now the Client sends SSL hello along with a list of Ciphers which will be used in future to build the tunnel. (Ex:- Details about the Encryption Algorithm which will be used like RC4)
Server will pickup the best Ciphers it knows later..
Server sends SSL hello and PayPal.com's Digital Certificate to the Client PC.
Finally Client sends an ACK..
Because the Client has the CA's certificate which contains the CA's Public Key, He can verify the CA's Digital Signature by decrypting the Digital Signature on PayPal.com's Digital Certificate..
Following capture shows real Certificates of PayPal.com & It's CA..
You can view PayPal.com's Certificate by clicking on the padlock mark on web browser before the URL space when you are browsing PayPal.com & you can view the CA's Certificate in the Advanced Settings in your web browser..
Now the Client creates a Session Key for the online session.
This Key is a Symmetrical Key (Ex:- generated by RC4 algorithm)
So the Client PC encrypts the Session Key by PayPal.com's Public Key and send it to PayPal.com..
Because the Session Key is encrypted by the Public Key of the PayPal.com; PayPal.com can decrypt and retrieve the Session Key using their Private Key.
So both the Client and PayPal.com has the Session Key generated by the Client now.
Using this Session Key, both ends now can decrypt rest of the data securely creating the encrypted SSL session..
No comments:
Post a Comment