1
00:00:03,110 --> 00:00:10,720
Let's now examine the HTTP protocol. It's used for data transfer between clients and web servers.

2
00:00:12,230 --> 00:00:16,970
This is not a problem because most of the data published on the web is open to the public anyway.

3
00:00:17,970 --> 00:00:24,850
It makes no sense to encrypt during the transmission. However, some information is confidential.

4
00:00:24,920 --> 00:00:27,370
For example, logins and passwords.

5
00:00:35,550 --> 00:00:36,920
To protect this information,

6
00:00:36,910 --> 00:00:43,220
the HTTPS protocol was introduced. To use the HTTPS channel,

7
00:00:43,270 --> 00:00:49,040
you don't have to install anything on the client computer; just a simple web browser is enough.

8
00:00:54,500 --> 00:00:56,640
When you type an address into the browser,

9
00:00:56,930 --> 00:01:04,740
type https instead of the standard http. By sending such a request to the server, you can connect to the

10
00:01:04,740 --> 00:01:06,900
default port number 443.

11
00:01:09,700 --> 00:01:10,720
In response,

12
00:01:10,720 --> 00:01:19,150
it'll send back its certificate. It contains, among other things, the public key of the server.

13
00:01:19,190 --> 00:01:24,670
It also contains information uniquely identifying this server, including the address of the computer

14
00:01:24,680 --> 00:01:31,250
it was issued for, information about the certification center, what it can be used for, and for how long

15
00:01:31,250 --> 00:01:42,030
it will be valid.

16
00:01:42,190 --> 00:01:47,230
From this moment on, the browser must verify this certificate is correct and valid in order to check

17
00:01:47,230 --> 00:01:50,650
whether someone is not trying to carry out the man-in-the-middle attack.

18
00:01:52,960 --> 00:01:59,320
If everything is correct, the HTTPS protocol will send to the web server selected cryptographic protocols

19
00:01:59,320 --> 00:02:01,260
and pseudo-random strings of data.

20
00:02:05,320 --> 00:02:09,460
This data will be encrypted before sending with the public key for the server.

21
00:02:10,370 --> 00:02:15,200
The public key is available to everyone, but only you know the encrypted data because it's been generated

22
00:02:15,200 --> 00:02:17,100
from your computer.

23
00:02:17,240 --> 00:02:23,220
A person listening to the packets won't be able to read them. In order to do that,

24
00:02:23,260 --> 00:02:30,550
the private key that matches the public key is needed. Only the server with the public key has the private

25
00:02:30,550 --> 00:02:32,100
key.

26
00:02:32,260 --> 00:02:38,960
In this way you're able to transmit confidential data over a non-trusted channel.

27
00:02:38,980 --> 00:02:46,070
From this point on, only you, the browser, and the server possess the session key. No one else knows your

28
00:02:46,070 --> 00:02:48,150
session key.

29
00:02:48,420 --> 00:02:55,470
You know it because you have generated it. The server also knows it because it had the private key that

30
00:02:55,470 --> 00:02:58,190
matches the public key used to encrypt the session key.

31
00:03:00,980 --> 00:03:05,730
With the session key you no longer need to encrypt data using an asymmetric algorithm.

32
00:03:07,910 --> 00:03:11,950
You can use a symmetric algorithm instead.

33
00:03:12,110 --> 00:03:20,530
There's no need for two kilobyte keys as in the case of, for example, RSA. If everything on the Internet

34
00:03:20,530 --> 00:03:28,690
was encrypted with the RSA algorithm, it would take a simple website at least 20 minutes to load. Asymmetric

35
00:03:28,690 --> 00:03:32,700
encryption is about an order of magnitude slower than symmetric encryption.

36
00:03:35,340 --> 00:03:38,640
It is not suitable for encryption of large data sets.

37
00:03:39,800 --> 00:03:44,900
The first stage is needed to exchange a symmetric session key, which allows us to encrypt data symmetrically.

38
00:03:47,150 --> 00:03:48,860
Designing web applications,

39
00:03:48,890 --> 00:03:56,170
developers often boast that their application is secure because it uses a four kilobyte RSA key.

40
00:03:56,350 --> 00:04:03,110
After such a complex key is used to exchange the session key, the rest is encrypted with the 56-bit DES

41
00:04:03,130 --> 00:04:04,200
key anyway.

42
00:04:06,520 --> 00:04:12,110
The safety of the entire application is the sum of all the individual factors.

43
00:04:12,170 --> 00:04:15,310
You should always look for the weakest link.

44
00:04:15,390 --> 00:04:20,490
If the user ignores the warning about the invalid certificate, nothing will protect them against the

45
00:04:20,490 --> 00:04:22,060
man-in-the-middle attack.

46
00:04:25,090 --> 00:04:31,990
In the slide you have an example of such a situation. You can see captured secure communications that

47
00:04:31,990 --> 00:04:38,560
didn't need decrypting. The attacker didn't need to decrypt anything because everything had been encrypted

48
00:04:38,560 --> 00:04:39,610
with his own key.