preface

Any activity on the network can be attributed to sending and receiving messages before the server. We can think of these messages as being sent and received by pigeons. It’s ridiculous, but it’s true.

Http

One day Alice sends Bob an “I love you” message via pigeon. But Mallory, Alice’s rival in love, intercepts the pigeon and modifies the message to “I don’t love you”. But Bob had no way of knowing. The message had been altered. This is how Http works, and it’s very unreliable.

A password

Alice and Bob, prepare to encrypt the message. For example, offset the letter by 3 bits. For example, “A” is represented by “D” and “B” is represented by “E”. Even if Mallory intercepted the pigeon, he could not modify it because he did not understand the encryption and could not understand the content of the message. But Bob could easily decrypt the message.

This is called symmetric key cryptography, where you know how to encrypt and you know how to decrypt. In real production, more sophisticated encryption methods are used, but the main idea is the same.

How to determine the key

If Alice and Bob don’t meet before sending the message, they can’t establish a secure key. If in the message itself, the key is carried. Mallory would know what the message was, decrypt it and alter it.

This is a classic MITM (man in the middle attack), to avoid a man in the middle attack we have to change the encryption system.

A box

Alice and Bob have devised a better encryption system, and here’s how

  1. Bob sends Alice a pigeon with no message
  2. Alice tied a lock box to the pigeon’s leg. The box was open, but Alice kept the key. The pigeon flew back to Bob.
  3. Bob wrote the good news, put it in the box and locked it away. The pigeon then brought the news back to Alice.
  4. Alice receives the pigeon, uses the key to open the box, and reads the message

The communication between Alice and Bob uses asymmetric key cryptography. You can encrypt messages (put them in a box), but you can’t decrypt them (you don’t have a key)

A box can also be called a “public key,” and the key to the box is called a “private key.”

Is it a reliable box?

There is one more problem. What if Mallory intercepted the pigeon and replaced the box with his own?

Alice can add her signature to the box, and Bob will know if the box is from Alice. So how does Bob recognize the signature in the first place?

Alice and Bob decide to have Ted sign the box instead of Alice. Ted is a very famous and trustworthy person. Ted will only sign the box if he’s sure it’s Alice’s. And Mallory won’t get Ted’s autograph.

And Ted is the Certification Authority.

The box is heavier

What if pigeons with boxes fly more slowly than those without?

Using asymmetric encryption is slower than using symmetric encryption. Alice Bob decided to use only boxes (asymmetric encryption) to exchange encryption keys. The message is then symmetrically encrypted using the key.

  1. Bob sends Alice a pigeon with nothing in it
  2. Alice returned a dove with a box
  3. Bob generates a key locally (for symmetric encryption), then puts the key in a box and sends it to Alice
  4. Alice decrypts the box using the private key to obtain the key generated by Bob
  5. After sending the message, Bob just needs to use the key to encrypt it symmetrically (which makes it fast)

That’s how Https works.

The original

  • HTTPS explained with carrier pigeons

reference

  • Man-in-the-middle attack
  • How does HTTPS actually work?