I found this detailed article on what happens during the first few milliseconds of an HTTPS connection. Reading through the entire article is like a crash course on the public-private key system and transport protocol basics.
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
Summary of steps
- https translates to port 443 as per RFC 2818
- Client sends Hello which contains
  - UTC time + random bits
  - Session ID (if any)
  - Cipher Suites
  - Server name extension
- Server sends Handshake that contains
  - Hello
    - UTC time
    - Session ID
    - the Cipher suite the server side chose
  - Certificate
  - Hello done
    - Indicating that it won't require a client certificate
- Client validates the certificate sent by the server
  - checks the time on the certificate to ensure it is not expired
  - verifies the signature on the certificate using the certifying authority's public key (the decrypted signature must match a hash of the certificate) to ensure that it was indeed signed by the said certifying authority
  - checks that the browser trusts the certifying authority
- Generate the Pre-master secret
  - a massive random number is generated
- Trade secrets with the server
  - encrypt the generated secret using the server's public key
  - send to server
I've definitely simplified the last few steps as they involve a lot of mathematics, but all of the above happens in 220 ms!
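
The Client Hello fields from the summary, as bytes on the wire: this is an added example, not code from this post or the linked article, that serializes a ClientHello and parses it back while rejecting truncated or inconsistent lengths. The function names, the TLS 1.0 version bytes and the single null compression method are assumptions made for the illustration.

```python
import os
import struct
import time

def build_client_hello(host, suites, session_id=b"", now=None):
    """Serialize a ClientHello handshake message carrying one extension (SNI)."""
    gmt = int(time.time() if now is None else now)
    random = struct.pack("!I", gmt) + os.urandom(28)       # UTC time + random bits
    # name_type 0 = host_name; len(host) equals the byte length once ASCII encoding succeeds
    entry = struct.pack("!BH", 0, len(host)) + host.encode("ascii")
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # type 0 = server_name
    body = (b"\x03\x01" + random                           # client_version 3.1 (TLS 1.0)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
            + b"\x01\x00"                                  # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello

def parse_client_hello(msg):
    """Recover the fields; raise ValueError on truncated or inconsistent lengths."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("truncated ClientHello")
        pos += n
        return msg[pos - n:pos]
    if take(1) != b"\x01" or int.from_bytes(take(3), "big") != len(msg) - 4:
        raise ValueError("not a well-formed ClientHello")
    major, minor, gmt = struct.unpack("!BBI28x", take(34))  # 28 random bytes skipped
    session_id = take(take(1)[0])
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    take(take(1)[0])                                        # compression methods
    server_name = None
    if pos < len(msg):                                      # extensions are optional
        if int.from_bytes(take(2), "big") != len(msg) - pos:
            raise ValueError("extension block length mismatch")
        while pos < len(msg):
            etype, elen = struct.unpack("!HH", take(4))
            data = take(elen)
            if etype == 0:                                  # server_name: first entry
                n = int.from_bytes(data[3:5], "big")
                if len(data) < 5 + n or data[2] != 0:
                    raise ValueError("malformed server_name extension")
                server_name = data[5:5 + n].decode("ascii")
    return {"version": (major, minor), "gmt_unix_time": gmt, "session_id": session_id,
            "cipher_suites": suites, "server_name": server_name}
```

The server name travels in this first message in the clear, which is why a passive observer or a TLS-inspecting proxy can log the requested host even though the rest of the session is encrypted.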