I want to know how it (HTTPS) is implemented. Whether the data is encrypted or the path is encrypted (through which data is passed). I will be thankful if someone provides me implementation details.

+2  A: 

You can read all the details in the RFC

klausbyskov
I will read but tell me first whether data is encrypted or not ...
Jagan
Data is encrypted.
klausbyskov
+3  A: 

If you are new to the subject, Wikipedia is usually a nice place to start: HTTP Secure article.

mdrg
+3  A: 

In two ways.

  1. By ensuring that all information transmitted between you and the website is encrypted. It does this via a key-exchange process using RSA (which exchanges a 'session key', which is used for the actual encryption).

  2. By (trying to) demonstrate trust in the website you visit. Certificates are provided to domains, and the idea is that on your machine you trust only certificates from various reputable sources. Then, you can (in theory) be assured that when a certificate pops up for "Your Bank", it is really "Your Bank" website, and not some other website. In practice, very few people care/notice this aspect of SSL.

It's transport layer security. It is not application level. You still need to follow secure coding practices and various other techniques to ensure that your site is secure.

Noon Silk
A: 

Server and client do not have control over the path that is used to transmit the data. The path used is a matter for the network layer (Internet Protocol - IP), not for Transport Layer Security (TLS).

The data itself is encrypted, and there are also means for checking server authenticity, as mentioned by Noon Silk.

http://en.wikipedia.org/wiki/Transport_Layer_Security

lgomide
+4  A: 

Very simply, HTTPS uses Secure Socket Layer to encrypt data that is transferred between client and server. SSL uses the RSA algorithm (http://en.wikipedia.org/wiki/RSA), an asymmetric encryption technology. The precise details of how the algorithm works are extremely complex, but basically it leverages the fact that whilst multiplying two large prime numbers together is easy, factoring the result back into the constituent primes is very, very hard. How all SSL/RSA encryption works is:

The server generates two large prime numbers, and multiplies them together. This is called the "public key". This key is made available to any client which wishes to transmit data securely to the server. The client uses this "public key" to encrypt data it wishes to send. Now because this is an asymmetric algorithm, the public key cannot be used to decrypt the transmitted data: only encrypt it. In order to decrypt, you need the original prime numbers. Only the server has these (the "private key"). On receiving the encrypted data, the server uses its private key to decrypt the transmission.

In the case of you browsing the web, your browser gives the server its public key. The server uses this key to encrypt data to be sent to your browser, which then uses its private key to decrypt.

So yes, all data transmitted to/from the server over HTTPS is encrypted - and encrypted well. Typical SSL implementations use 128 or 256 digits for their keys. To break this you need a truly vast amount of computing resources.

As far as I am aware the request for a server asset is not encrypted - use httpfox (https://addons.mozilla.org/en-US/firefox/addon/6647/) or wireshark (http://www.wireshark.org/) or something to confirm.

Richard
Your explanation flow is good.
Jagan
There are some mistakes in your answer. The public key is typically 2048 bits long and it is only used to exchange a key for a symmetric cipher e.g. RC4. The reason is that a symmetric cipher is much more secure for a given key length and also encryption and decryption is much faster. All the actual data passing over the link is then encrypted with the symmetric key.
JeremyP
@JeremyP - was assuming 1 byte per digit which is 1024 or 2048 bits. And you are of course correct about RSA being used only to exchange keys with symmetric algorithm being used to encrypt data.
Richard
@Richard: One byte per digit does not make sense (except in base 256). An RSA key is literally a single 1024 bit or 2048 bit binary number.
JeremyP
By the way, SSL is transport layer encryption. Everything that is transmitted across the TCP connection after the client gets the public key is encrypted. That includes the first line of the HTTP request containing the server resource asked for.
JeremyP
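The hybrid scheme Noon Silk describes and JeremyP's comments pin down (RSA only wraps a session key; the symmetric key then encrypts the whole HTTP request, request line included), as an added runnable toy that is not from any of the posters above. It assumes textbook RSA with two small Mersenne primes and no padding, an HMAC-SHA256 keystream standing in for the real TLS record cipher, and a constructed sample request; none of this is how real TLS is built, it only shows the structure of the exchange.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy RSA key: two Mersenne primes, chosen for readability rather than
# security. A real server uses a 2048-bit modulus and a padded, authenticated exchange.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                           # public modulus; the server publishes (N, E)
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; the server keeps P, Q and D secret
KEY_LEN = 8                         # toy session-key size; its integer value must stay below N

def rsa_wrap(session_key: bytes) -> int:
    """Client: encrypt the symmetric session key under the server's public key (textbook RSA)."""
    k = int.from_bytes(session_key, "big")
    assert k < N, "session key must be smaller than the modulus in this toy"
    return pow(k, E, N)

def rsa_unwrap(wrapped: int) -> bytes:
    """Server: recover the session key with the private exponent."""
    return pow(wrapped, D, N).to_bytes(KEY_LEN, "big")

def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over a counter, keyed with the session key."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def symmetric(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with the session key (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def https_exchange(request: bytes, session_key: Optional[bytes] = None) -> dict:
    """Walk one request through the hybrid scheme and return every intermediate value."""
    session_key = session_key or secrets.token_bytes(KEY_LEN)
    wrapped = rsa_wrap(session_key)                  # the only value that is RSA-encrypted
    on_the_wire = symmetric(session_key, request)    # whole request, first line included
    server_key = rsa_unwrap(wrapped)                 # server recovers the session key...
    recovered = symmetric(server_key, on_the_wire)   # ...and decrypts the request with it
    return {"wrapped_key": wrapped, "on_the_wire": on_the_wire, "server_sees": recovered}

if __name__ == "__main__":
    req = b"GET /account/statement HTTP/1.1\r\nHost: bank.example\r\n\r\n"  # constructed sample
    result = https_exchange(req)
    print("request line visible on the wire?", b"GET /account" in result["on_the_wire"])
    print("server decrypted the request?", result["server_sees"] == req)
```

Capturing the bytes in `on_the_wire` is what a packet sniffer would see: the requested path is not readable, which is the point of JeremyP's last comment.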