Web Security

HTTPS & Cryptography

Mike North

Mike North

Stripe
Web Security

Check out a free preview of the full Web Security course

The "HTTPS & Cryptography" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike illustrates how cryptography is used in securing communication, especially with the use of public key encryption.

Preview
Close

Transcript from the "HTTPS & Cryptography" Lesson

[00:00:00]
>> Mike North: So in order to communicate securely with another server, we need to deal with two types of encryption. Symmetric encryption and Public Key encryption. Symmetric encryption is really fast. It is quite fast. And the idea here is you have a secret, and that is used both to write Right encrypted data and read from encrypted data.

[00:00:23]
So the mental model here is a file with a password. We've all dealt with that before. Imagine we just had an object where we change letters like every Z becomes a Q, every H becomes an I. You can think of that as the magic key that can be used both to translate garbled data or to create garbled data but it's the same key.

[00:00:43]
I want you to imagine that it's that easy that you can use that to sort of almost like a decoder ring. So we don't wanna reuse keys because randomness when you're dealing with cryptography randomness is great, we love randomness because it means that. What's working right now will not necessarily be the same thing, same way it's gonna work in the future.

[00:01:06]
So it would be great if we could generate some key on a per-connection basis. But the problem we run into is how do we share that secret? If I was trying to talk securely to Johnny here, at some point, I have to say the password is banana. And now everybody in the room knows the password is banana, right?

[00:01:28]
So how do I get that to him in a way that doesn't expose that secret to the outside world? So for that, we need what it's called Public Key cryptography. And the idea there is that with Public Key cryptography you have two keys. A private key and a public key.

[00:01:49]
The public key is used to create encrypted messages. The private key is used to read encrypted messages. And this is a really complicated algorithm. I mean, that the class of algorithms that can do this they’re really complicated because it is not as simple as like having some cipher were I can just say this letter goes to that letter and this letter goes to another one.

[00:02:12]
It’s sort of like the tools I have for making a message are not the same as the tools I need for reading that message. It’s almost like an irreversible process to make a message. So we'll describe how it works, and then we'll dive a little bit into how this encryption, the mental model I like to use for public encryption.

[00:02:36]
So but know that public key is for writing, private key is for reading. So we begin with public key encryption just for a phase of this TLS handshake called the key exchange. Public key encryption is really slow relative to symmetric encryption. It involves some much more complex math.

[00:02:57]
But the idea is the server makes its public key available to anyone that wants to use it that's just for sending messages that can only be read by the server and it sends it's certificate along the way. The client then compares something called cipher suites and cipher suites are basically the methodologies used for that faster, symmetric encryption later on.

[00:03:18]
The client then generates what's called the session key. So this is that disposable, one-time use just for that session. One-time use key is for that fast symmetric encryption. So it's generated on the client, but the client then uses the server's public key to encrypt it in such a way that by the time it leaves the client, even if there's a man-in-the-middle that's sniffing all the packets going by.

[00:03:43]
It's just gonna look at this and its garbled nonsense. Only the server can read that. And the client never let go of that session key that it generated. So then, when the server gets that, it of course can open up this locked box, grab the session key out, and then they have exchanged the secret successfully.

[00:04:05]
So that they can have that fast, efficient, symmetric, encrypted communication between them.
>> Mike North: So going back to this public key encryption just for a moment, we write messages with the public key, we read messages with the private key. And a popular algorithm for this is called RSA, they are the initials of some of the discoverers.

[00:04:29]
And the exponential math is involved, so the size of the message is limited. Just think of it like exponents can only get so big before it's prohibitively expensive for us to do this calculation. Like rounding errors for floating point numbers start to degrade the message, and we lose accuracy, and we can't get the message back out reliably.

[00:04:52]
So what I wanna describe to you is, let's imagine that instead of this algorithm that is based on keys being used to encrypt and decrypt messages. I'm just gonna convince you that there are situations where math can be more difficult in one direction than another. And essentially, public key encryption operates under the principle that some math is damn near impossible in one direction and pretty easy in the other.

[00:05:20]
So squares and square roots. So if I gave you a pocket calculator everyone could square that number no problem. 17.47 squared, 17.47 times 17.47 you don't even need an exponent ability here. It's pretty easy everyone would be able to figure that out. Coming up with the square root is considerably harder if we don't know what the square root of this number is, right.

[00:05:44]
So, addition and subtraction obviously symmetric, right? We can add and subtract with relative ease. Here you can square something but we don't necessarily, you might need some help to get the square root. And let's pretend the private key is like maybe a secret mechanism for computing square roots really easily, and we can get that out.

[00:06:06]
So that should convince you that like now we have that imbalance and difficulty. And now take that to the extreme, make it so that we can encrypt messages in a millisecond and take a thousand years to guess the algorithm correctly, to decrypt an RSA message. We can also use private keys to sign messages, so basically we'll take a known value that's not currently encrypted.

[00:06:31]
And the server will basically perform their decryption algorithm and they'll form, some people call this a hash. But they will create something for us that when we encrypt it, it becomes that known value again. So if we give a server 64 and it gives us back this mysterious value, 8.

[00:06:53]
It turns out when we use squaring. That's our public key, right? Anyone can square numbers. When we square it, magically, we get back to 64. So that is how we can determine if I have a known value, I pass it to a server, it gives me something back.

[00:07:08]
Think of it almost like doing the decryption one level too far. And then when we encrypt it, we get back to the normal value again. And then we can say, yes, only in that server, because they're the only ones with that private key. Only that server could have given me this because when I encrypt it, now I am back to the normal value that I expect.

[00:07:31]
This is readable text, I can see this now. Does that make sense to everyone, how signing works?

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now