{"id":225,"date":"2025-02-12T13:35:02","date_gmt":"2025-02-12T11:35:02","guid":{"rendered":"https:\/\/itraft.com\/?p=225"},"modified":"2025-02-12T13:41:34","modified_gmt":"2025-02-12T11:41:34","slug":"https-transaction-process","status":"publish","type":"post","link":"https:\/\/itraft.com\/?p=225","title":{"rendered":"HTTPS transaction process"},"content":{"rendered":"\n<p>In this post I walk through the HTTPS transaction process, from the ClientHello request to the encryption of real data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\"><strong>1. TCP Handshake<\/strong><\/h2>\n\n\n\n<p>The client initiates a three-way TCP handshake with the server to establish a reliable communication channel:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Client sends SYN:<\/strong> Requests to start communication.<\/li>\n\n\n\n<li><strong>Server responds with SYN-ACK:<\/strong> Acknowledges the request.<\/li>\n\n\n\n<li><strong>Client sends ACK:<\/strong> Final confirmation.<\/li>\n<\/ul>\n\n\n\n<p>Once the TCP connection is established, the TLS handshake begins.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\"><strong>2. TLS Handshake Steps<\/strong><\/h2>\n\n\n\n<p>The TLS handshake involves several steps to establish a secure, encrypted connection:<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>A. ClientHello<\/strong><\/p>\n\n\n\n<p>The client sends a <code>ClientHello<\/code> message to the server. This message includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Supported TLS versions.<\/li>\n\n\n\n<li>A randomly generated number (<code>Client Random<\/code>).<\/li>\n\n\n\n<li>Cipher suites supported by the client.<\/li>\n<\/ul>\n\n\n\n<p class=\"has-medium-font-size\"><strong>B. ServerHello<\/strong><\/p>\n\n\n\n<p>The server responds with a <code>ServerHello<\/code> message. 
It contains:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The chosen TLS version and cipher suite.<\/li>\n\n\n\n<li>Another randomly generated number (<code>Server Random<\/code>).<\/li>\n<\/ul>\n\n\n\n<p class=\"has-medium-font-size\"><strong>C. Server Certificate and Validation<\/strong><\/p>\n\n\n\n<p>The server sends its digital certificate to the client. A certificate consists of two main sections:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Certificate Data<\/strong> \u2013 Includes fields like Subject, Issuer, Validity, Public Key, etc.<\/li>\n\n\n\n<li><strong>Signature Section<\/strong> \u2013 Contains:\n<ul class=\"wp-block-list\">\n<li><strong>Signature Algorithm<\/strong> (e.g., <code>sha256WithRSAEncryption<\/code>)<\/li>\n\n\n\n<li><strong>Signature<\/strong> (the actual cryptographic signature)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>The signature is created as follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Hashing<\/strong>: The certificate authority (CA) takes the <strong>Certificate Data<\/strong> (such as the public key, owner details, expiration date, etc.) and generates a hash using the <strong>Signature Algorithm<\/strong> (e.g., SHA-256).<\/li>\n\n\n\n<li><strong>Encryption (Signing)<\/strong>: The CA encrypts this hash using its private key. 
This encrypted hash is the <strong>digital signature<\/strong>.<\/li>\n\n\n\n<li><strong>Appending the Signature<\/strong>: The CA attaches the <strong>Signature Section<\/strong> to the certificate and issues it to the website owner.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>Verification Process<\/strong><\/h3>\n\n\n\n<p>When a browser receives the certificate, it verifies the signature as follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Hash Calculation<\/strong>: The browser extracts the certificate contents (excluding the signature) and computes the hash using the same hash algorithm found in the certificate.<\/li>\n\n\n\n<li><strong>Signature Decryption<\/strong>: The browser uses the CA&#8217;s <strong>public key<\/strong> (from the CA&#8217;s certificate) to decrypt the digital signature, which reveals the original hash.<\/li>\n\n\n\n<li><strong>Comparison<\/strong>: The browser compares the computed hash with the decrypted hash.\n<ul class=\"wp-block-list\">\n<li>If they match, the certificate is valid.<\/li>\n\n\n\n<li>If they don\u2019t match, the certificate may have been tampered with or forged.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p class=\"has-medium-font-size\"><strong>D. Key Exchange<\/strong><\/p>\n\n\n\n<p>There are two common methods:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>RSA:<\/strong> The server&#8217;s public key encrypts the <code>Pre-Master Secret<\/code> that the client generates.<\/li>\n\n\n\n<li><strong>ECDHE (Elliptic Curve Diffie-Hellman Ephemeral):<\/strong> Both parties contribute to generating a shared secret without transmitting it.<\/li>\n<\/ol>\n\n\n\n<p>The result of this key exchange is a shared secret, from which both sides derive the <strong>Session Key<\/strong> used for encryption.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>E. 
Finished Messages<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Both client and server compute a cryptographic hash of the entire handshake.<\/li>\n\n\n\n<li>They exchange <code>Finished<\/code> messages encrypted with the session key to confirm the handshake.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Secure Data Transmission<\/strong><\/h2>\n\n\n\n<p>After the TLS handshake:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All communication between the client and server is encrypted using symmetric encryption (e.g., AES) with the session key.<\/li>\n\n\n\n<li>This encryption ensures data confidentiality and integrity.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>This process ensures secure, authenticated, and encrypted communication between a client and a server during an HTTPS transaction.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post I am walking through the HTTPS transaction process starting from the ClientHello request until the encryption of real data. 1. TCP Handshake The client initiates a three-way TCP handshake with the server to establish a reliable communication channel: Once the TCP connection is established, the TLS handshake begins. 2. 
TLS Handshake Steps &#8230; <a title=\"HTTPS transaction process\" class=\"read-more\" href=\"https:\/\/itraft.com\/?p=225\" aria-label=\"Read more about HTTPS transaction process\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,26,1,22],"tags":[24,23],"class_list":["post-225","post","type-post","status-publish","format-standard","hentry","category-https","category-security","category-system-administration","category-tls","tag-https","tag-tls"],"_links":{"self":[{"href":"https:\/\/itraft.com\/index.php?rest_route=\/wp\/v2\/posts\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itraft.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itraft.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itraft.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/itraft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=225"}],"version-history":[{"count":13,"href":"https:\/\/itraft.com\/index.php?rest_route=\/wp\/v2\/posts\/225\/revisions"}],"predecessor-version":[{"id":254,"href":"https:\/\/itraft.com\/index.php?rest_route=\/wp\/v2\/posts\/225\/revisions\/254"}],"wp:attachment":[{"href":"https:\/\/itraft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itraft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itraft.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}