This post comes from a share I gave to my team. Many people may not understand HTTPS well, or why the HTTPS code looks the way it does, so I want to share it on the Internet too.

Cipher

Java 1.2 introduced a framework called “JCE” (Java Cryptography Extension), which is in charge of keys and certificates in Java.

We all know that if we want to encrypt or decrypt some information, we have to have a key. It’s like opening or locking a door: you have to have the key.

A key can be generated in Java with KeyGenerator or KeyPairGenerator. The former generates a symmetric key, and the latter generates an asymmetric key pair.

  • symmetric cryptography — the encryption and decryption use the same key.

  • asymmetric cryptography — the encryption and decryption use different keys. The keys are usually generated as a pair: a public key and a private key.

    The public key may be widely distributed, while the private key is known only to its owner.

    In a secure asymmetric encryption scheme, when a message is encrypted with the public key, only the private key can decrypt it. So if a hacker gets your public-key-encrypted message, he cannot decrypt it, because he does not have the paired private key. So the transport of this message is secure.

Https

Finally, we reach the “https” part. HTTPS combines the “cipher” and “certificate” parts above, which is why I talked about them first.

HTTPS (HTTP over SSL) is designed for secure communication over the Internet.

2. How about Asymmetric Cryptography?

The last solution is not secure at all, so we move on. How about asymmetric cryptography?

This is a great idea. The server gives you its public key. You use the public key to encrypt your messages. Since the server is the only one who has the private key, only this server can decrypt your encrypted messages. Even if hackers intercept the communication, they can do nothing, because they do not have the corresponding private key.

But asymmetric cryptography takes much longer to do its job than symmetric cryptography. For the user experience’s sake, it is not a good idea to use asymmetric cryptography to encrypt/decrypt the whole long content.

Conclusion

Since symmetric cryptography is faster than asymmetric cryptography, HTTPS uses symmetric cryptography to encrypt the data, and uses asymmetric cryptography to encrypt the symmetric key to keep it secure. In this way, the encryption is both fast and secure.
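To make the conclusion concrete, here is an added example (not code from the original post) that builds the same hybrid scheme with the JCE classes mentioned above: KeyPairGenerator for the server’s asymmetric pair, KeyGenerator for the client’s symmetric key, and Cipher for both steps. The algorithm choices (AES-GCM for the data, RSA-OAEP for the key) are my assumptions for the demo; this mirrors the post’s simplified model, not the key exchange of a real TLS handshake.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class HybridDemo {
    public static void main(String[] args) throws Exception {
        // Server side: asymmetric key pair (KeyPairGenerator). Only the server keeps the private key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair();

        // Client side: a fresh symmetric session key (KeyGenerator) for the bulk data.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey sessionKey = kg.generateKey();

        // Client encrypts the (long) content with the fast symmetric cipher.
        // The IV is sent in the clear alongside the ciphertext; it must never be reused with the same key.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal("hello over https".getBytes(StandardCharsets.UTF_8)); // constructed sample

        // Client encrypts only the short symmetric key with the server's public key (slow, but the input is tiny).
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverKeys.getPublic());
        byte[] wrappedKey = rsa.doFinal(sessionKey.getEncoded());

        // Server recovers the symmetric key with its private key, then decrypts the data symmetrically.
        rsa.init(Cipher.DECRYPT_MODE, serverKeys.getPrivate());
        SecretKey recovered = new SecretKeySpec(rsa.doFinal(wrappedKey), "AES");
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        byte[] plaintext = aes.doFinal(ciphertext); // GCM also rejects any tampered ciphertext here

        System.out.println(new String(plaintext, StandardCharsets.UTF_8));
    }
}
```

Anyone without the server’s private key only ever sees wrappedKey, iv and ciphertext, none of which reveals the session key or the data.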

By the way, understanding how HTTPS works is important, because you may use these ideas in your real-life work to keep your data secure.