When studying for the CompTIA Security+ exam, you’ll come across several cryptography objectives, and it’s useful to understand the HTTPS process. One thing that confuses many people is how TLS (and its deprecated predecessor, SSL) works within the HTTPS process.
I’ve broken it down into the following steps, with a diagram at the end that may help you understand it a little better.
- The client starts the session by clicking on the link, which opens a connection to the server and asks it to set up TLS.
- The server responds by sending its certificate. The certificate includes the server’s public key, which is one half of a matched private/public key pair; the private key is always kept private by the server. Before going any further, the client checks that the certificate was issued by a certificate authority (CA) it trusts, that it has not expired, and that it names the host being visited. If any of those checks fail, the browser shows a certificate warning instead of continuing.
- The client creates a random session key and encrypts it with the server’s public key. In the figure, the encrypted session key is shown as UcaNP@$$.
- The client then sends the encrypted session key to the server.
- The server decrypts the session key with its private key. Because nobody else holds that key, nobody else on the path can recover the session key from the encrypted copy.
- The rest of the session uses the symmetric session key. Both sides now encrypt and decrypt the HTTP traffic with the same key, which is far faster than using asymmetric encryption for every byte.
These steps describe RSA key exchange, which is the model Security+ uses for HTTPS and one of the key exchanges TLS 1.2 and earlier could negotiate. Modern servers prefer ephemeral Diffie-Hellman (ECDHE), and TLS 1.3 removed RSA key exchange entirely: the two sides derive the session key from a fresh key agreement, and the certificate’s key is used only to sign the handshake, not to decrypt anything. The exam questions below still follow the RSA model.
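The six steps above, worked through in Go as an added example (it is not code from the original post, and it is not how a TLS library is written): the standard library’s RSA-OAEP does the key transport and AES-256-GCM carries the symmetric traffic. `Server`, `ClientKeyExchange`, `ReceiveSessionKey`, `Seal`, `Open` and `RunSession` are names chosen for this illustration, and the “certificate” is reduced to the bare public key; a real certificate also binds a hostname and carries a CA signature that the client must verify before it encrypts anything to that key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server owns the matched key pair; the private key never leaves this struct.
type Server struct {
	priv       *rsa.PrivateKey
	sessionKey []byte // recovered from the client's message at step 5
}

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// ClientKeyExchange is steps 3-4: a random 256-bit session key, RSA-OAEP encrypted to the server's public key.
func ClientKeyExchange(serverPub *rsa.PublicKey) (sessionKey, encryptedKey []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	encryptedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, encryptedKey, err
}

// ReceiveSessionKey is step 5: only the private-key holder can recover the key; a tampered ciphertext fails the OAEP check.
func (s *Server) ReceiveSessionKey(encryptedKey []byte) (err error) {
	s.sessionKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, encryptedKey, nil)
	return err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal and Open are step 6: HTTP data under the symmetric session key with AES-256-GCM, fresh nonce prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func Open(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(ciphertext) >= n {
		return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short: %d bytes", len(ciphertext))
}

// RunSession walks steps 1-6 and returns the request as the server decrypted it.
func RunSession(request string) (string, error) {
	srv, err := NewServer() // step 1: the click reaches the server
	if err != nil {
		return "", err
	}
	// step 2: the "certificate", reduced in this example to the bare public key
	clientKey, encryptedKey, err := ClientKeyExchange(&srv.priv.PublicKey)
	if err != nil {
		return "", err
	}
	if err := srv.ReceiveSessionKey(encryptedKey); err != nil {
		return "", err
	}
	wire, err := Seal(clientKey, []byte(request)) // from here on RSA is not used
	if err != nil {
		return "", err
	}
	plain, err := Open(srv.sessionKey, wire)
	return string(plain), err
}

func main() {
	got, err := RunSession("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
	fmt.Printf("server read %q, err=%v\n", got, err)
}
```

Run it with `go run` to see the request as the server decrypts it. The property to notice is that after `ReceiveSessionKey` neither side touches the RSA keys again, and that someone who recorded the certificate and `encryptedKey` cannot recover the session key without the server’s private key. That dependence is also why RSA key exchange has no forward secrecy: anyone who later obtains the private key can decrypt every recorded session, which is one reason TLS 1.3 dropped it.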
Can You Answer These Security+ Questions?
- Question: What asymmetric key is used to encrypt when creating a secure web session within the HTTPS process?
- Question: What asymmetric key is used to decrypt when creating a secure web session within the HTTPS process?
- Question: What key is used to encrypt a secure web session within the HTTPS process?
You can find more details on cryptography in chapter 10 of this book:
If you just want some practice test questions to check your readiness for the Security+ exam, check out this book available in paperback and Kindle versions.
Security+ Practice Test Answers
Question: What asymmetric key is used to encrypt when creating a secure web session within the HTTPS process?
Answer: The web site’s public key.
Question: What asymmetric key is used to decrypt when creating a secure web session within the HTTPS process?
Answer: The web site’s private key.
Question: What key is used to encrypt a secure web session within the HTTPS process?
Answer: A symmetric key (the session key the client generated and sent to the server encrypted with the server’s public key).
While it isn’t as important for cryptography, you should also know which ports are used by HTTP and HTTPS. HTTP uses TCP port 80 and HTTPS uses TCP port 443; HTTPS is simply HTTP carried inside the TLS session described above.