For complete explanations, please have a look at: https://www.enib.fr/~harrouet
For the moment the messages are exchanged without any security: anyone sniffing the connection can read everything the client and the server say to each other.
The solution is to encrypt the messages. To encrypt and decrypt a dialogue we need a key.
If the same key is used on both sides, this is symmetric encryption.
Encryption is represented by a locked box: the key that locks it is also the key that unlocks it.
If both parties already own the key, the problem is solved: they can exchange messages safely.
Now consider that the key still has to be transmitted; sending it over the insecure connection would hand it to the sniffer as well.
The client asks the server for a connection.
Consider instead a box with two locks: one key only closes it (encrypts), a different key only opens it (decrypts).
So we need two different keys, a key pair, to encrypt and decrypt a message; knowing the key that closes does not let you compute the key that opens. This is asymmetric encryption.
The private key (the one that opens) belongs to the server; nobody else ever gets it.
The client receives the public key (the one that closes) with the server's reply, and can now lock something that only the server can unlock.
There is still a problem.
The public key arrives over the same insecure connection. An attacker who relays the traffic can replace it with his own public key: the client then locks everything with the attacker's key, the attacker opens it, reads it, re-locks it with the server's genuine key and forwards it, so neither side notices. This is the man-in-the-middle attack.
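The exchange above in code, as an added example that is not from the course page: the one-key box as AES-256-GCM, the two-lock box as RSA-OAEP carrying a fresh symmetric session key chosen by the client, then an honest connection beside a relayed one in which the client is handed the attacker's public key instead of the server's. Only Go's standard library is used; the request text, the 2048-bit RSA keys and the function names are the example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// box turns a 32-byte shared key into the "locked box" of the text: AES-256-GCM,
// which also authenticates the ciphertext so tampering is detected on opening.
// A wrong key length is a programming error, hence the panic.
func box(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal closes the box: the random nonce is prepended so the receiver can open it.
func seal(key, plaintext []byte) []byte {
	gcm := box(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the ciphertext was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm := box(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// clientMessage is what crosses the wire: a fresh session key closed with the public
// key (the two-lock box, RSA-OAEP) and the first message closed with that session key.
type clientMessage struct{ wrappedKey, sealed []byte }

// clientSend trusts whatever public key came back over the connection, draws a
// random session key, and locks it so that only the matching private key opens it.
func clientSend(pub *rsa.PublicKey, plaintext []byte) (clientMessage, error) {
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey) // 256-bit key, fresh for every connection
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return clientMessage{}, err
	}
	return clientMessage{wrapped, seal(sessionKey, plaintext)}, nil
}

// receive runs on whoever holds the private key: unlock the session key, then use
// the much cheaper symmetric cipher for this and every following message.
func receive(priv *rsa.PrivateKey, m clientMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return open(sessionKey, m.sealed)
}

// demo runs the same first message through two connections: an honest one, where
// the client gets the server's public key, and a relayed one, where the man in the
// middle hands the client his own public key instead. The client cannot tell them apart.
func demo(plaintext []byte) (serverReads, attackerReads []byte, err error) {
	server, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	honest, err := clientSend(&server.PublicKey, plaintext) // the genuine key
	if err != nil {
		return nil, nil, err
	}
	relayed, err := clientSend(&attacker.PublicKey, plaintext) // the substituted key
	if err != nil {
		return nil, nil, err
	}
	if serverReads, err = receive(server, honest); err != nil {
		return nil, nil, err
	}
	attackerReads, err = receive(attacker, relayed)
	return serverReads, attackerReads, err
}

func main() {
	honest, stolen, err := demo([]byte("GET /account")) // constructed sample request
	fmt.Printf("server reads %q; attacker reads %q; err=%v\n", honest, stolen, err)
}
```

Both connections succeed from the client's point of view: clientSend has no way to distinguish the two public keys, which is the gap the certificate closes. A real attacker would additionally re-wrap the stolen session key for the genuine server and keep relaying, so the victim sees a working connection.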
The client needs proof of the server's identity, that is, proof that this public key really belongs to this server.
The identity card is a certificate issued by a trusted certification authority (CA). The client trusts the CA because it already holds the CA's public key: browsers and operating systems ship with a list of such authorities.
1. The server sends a certificate signing request, containing its name and its public key, to the certification authority.
2. The authority checks the identity and produces a certificate binding the server's name to its public key.
3. The authority signs the certificate with its private key. The certificate is not encrypted: anyone can read it, but only the authority could have produced the signature, and the client checks it with the CA public key it already holds, then checks that the name in the certificate matches the server it connected to. From now on the server presents this certificate, rather than a bare public key, when a client connects.
Once the certificate is accepted, the client generates a random symmetric session key, locks it with the server's public key (now known to be genuine) and sends it; only the server can unlock it. This new key permits exchanging messages with symmetric encryption, which is much quicker than asymmetric encryption. (Current TLS versions derive the session key with an ephemeral key exchange rather than sending it locked, but the principle is the same.)
Once this is done, both parties can exchange messages safely.
Here we act as our own certification authority and produce a self-signed certificate: the server signs its own certificate with its own private key. Since no browser lists us as a trusted authority, it cannot tell our self-signed certificate from one made by an attacker, and it will display a warning.