PKI and a regular https browser session
What is PKI used for?
PKI is used for two things – one that you may be familiar with (encryption of data in transit) – and another that you may not be as familiar with – digital signatures (basically, identifying an entity who claims to be someone. The entity could be a user or a server). Let us call these the ‘data encryption use case’ and the ‘Identity Use Case’.
What happens when my browsers hits an https URL?
Remember that PKI is used for two different use cases. When a browser access a secure url (https), BOTH of these PKI uses cases come into play.
The first thing the browser does is VALIDATE that the server is indeed who it’s claiming to be (this is the Identity Use Case).
Once validated, the browser, then creates a session key that is encrypted using the Server’s public key (so only the server can decrypt the data). This way, a session is established using a key that is only accessible to the server. From here on, all data that is transmitted is encrypted using this newly created session key (created by the browser – using the server’s public key).
PKI and Browsers Summary
There’s obviously more to it. For a great treatment of SSL and TLS, I would recommend, Implementing SSL by Joshua Davis….Complete links here
Need a cloud security and data protection audit? Anuj Varma offers a specialized AWS Security audit as well as a GCP Security Audit.
Leave a Reply