
Transport Layer Security, TLS 1.2 and 1.3

Tony Lim 2022. 2. 6. 11:14

Vanilla HTTP

The browser opens a TCP connection for you (the fetch API can do this for you).

HTTP can run over UDP or TCP because it is stateless.

The port is different from HTTP: 80 -> 443.

A handshake happens before the HTTP request is sent = it gives the client and the server the same symmetric key.

TCP blindly transfers the GET request (it doesn't even know whether the request is encrypted) -> the server decrypts it with the key.

HTTP version 1 closes the connection after the request and response, but HTTP version 2 doesn't; it keeps the connection alive.

Client Hello == tells the server what the client can support for security (RSA, AES, key exchange ...)

Server Hello == gives a certificate (which carries the public key)

Change Cipher Spec, Finished == the client sends the encryption key (it can be a random number; it is called the session key), encrypted with the public key

but this session key can be stolen if the server is compromised, which is not secure

red (client) + blue (server) == these two keys are never sent; only the public key is sent

pink = the client usually generates this key

combining all three gives the yellow private key

with this combination we can send the private key

Client Hello == sends the client's private key combined with the public key -> the server makes the yellow key

Server Hello == sends the server's private key combined with the public key -> the client makes the yellow key

even if a bad guy steals the Client Hello and Server Hello, they cannot get the yellow key because two public (pink) keys are included
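To make the red/blue/pink/yellow picture concrete, here is an added example (not from the original post) of the Diffie-Hellman exchange it describes, in Python with toy-sized constructed parameters: the private exponents play the red and blue keys, g and p the pink parameters, and the shared secret the yellow key.

```python
import secrets

# Toy-sized Diffie-Hellman group, constructed for illustration only: real TLS
# uses 2048-bit+ finite-field groups or elliptic curves (e.g. X25519).
P = (1 << 61) - 1   # prime modulus (part of the public "pink" parameters)
G = 3               # generator   (part of the public "pink" parameters)


def make_private_key() -> int:
    """Random private exponent: the client's red key or the server's blue key."""
    return secrets.randbelow(P - 2) + 2


def make_public_value(private_key: int) -> int:
    """Mix a private key with the pink parameters; this value goes on the wire."""
    return pow(G, private_key, P)


def derive_shared_key(own_private: int, peer_public: int) -> int:
    """The yellow key: own private key combined with the peer's public value."""
    return pow(peer_public, own_private, P)


def run_handshake() -> dict:
    """Simulate the exchange: only the two public values cross the network."""
    client_private = make_private_key()                # red, never sent
    server_private = make_private_key()                # blue, never sent
    client_public = make_public_value(client_private)  # sent in Client Hello
    server_public = make_public_value(server_private)  # sent in Server Hello
    return {
        "client_key": derive_shared_key(client_private, server_public),
        "server_key": derive_shared_key(server_private, client_public),
        # everything an eavesdropper on the handshake gets to see
        "on_the_wire": {"g": G, "p": P, "client_public": client_public,
                        "server_public": server_public},
    }


if __name__ == "__main__":
    result = run_handshake()
    assert result["client_key"] == result["server_key"]
    print("yellow key matches on both sides:", result["client_key"])
    print("observed on the wire:", result["on_the_wire"])
```

Both sides end up with the same yellow key even though neither red nor blue ever left its owner; the wire only ever carries the two mixed public values.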