In the last several posts we discussed the use of a key to encrypt messages. When both parties have the same keys, these are referred to as “symmetric”. Current technology uses symmetric keys for most secure interactions, but we have a problem with getting the key to the computer/person we want to talk to. In order to do this securely, we need to encrypt our key and send it over the Internet. Of course, the remote entity can’t decrypt our encrypted key because we haven’t given it to them yet – a bit of a Catch-22.
We can exchange symmetric keys for the session by using “asymmetric” keys. These are two different, but related, keys, one that is kept private and one that is given to everyone in the world. When my computer connects to a shopping site, for example, the site’s computer sends my web browser the public key for the site. My web browser uses that public key to encrypt my browser’s symmetric key and send it to the shopping site’s computer where the symmetric key is decrypted using its private key. The symmetric key (i.e. mine) is then used for any further communication between us for the session. When we end the session, those keys are thrown away and the next session gets new symmetic keys.
So, to be clear, my web browser creates a symmetric key for any shopping or banking session – this is the one that will actually be used for encrypting all communication during a session. There is only one key and somehow we need to get that key to the bank/store computer securely. The remote computer has asymmetric keys – this is two different keys, one that can be shared with anyone, and one the bank/store computer keeps private. Before we establish a secure connection the situation looks like Fig. 1
My computer creates a single key for the session – this is the symmetric one. The remote computer has public and private keys. The public key can be sent to everyone.
The animated GIF demonstrates the process of setting up a secure connection. This happens in several steps as shown in Fig. 1:
- My web browser requests a page from a remote computer. This could be a bank or a shopping site. Let’s say it’s a shopping site that we are interested in: BuyLotsOfStuff.ca
- The remote computer belonging to BuyLotsOfStuff.ca sends my computer their public key.
- The BuyLotsOfStuff.ca public key is used to encrypt my symmetric key and send it to BuyLotsOfStuff.ca
- BuyLotsOfStuff.ca’s computer encrypts a response using my symmetric key and sends it to me
- My computer decrypts the response and now we have a secure connection using symmetric keys provided by my computer
- technically, this is called an “SSL handshake”
Let’s look at an example. Suppose that our dog (a Portuguese Water Dog (or Portie)) needs a new bed – the duct tape to cover some tears is getting a bit annoying. We use a web browser to look for information. After a bit of research we find the perfect bed and wish to order it. My browser has already grabbed the public key from the server when I went to the online shopping site. We have established a secure connection when we asked for the Home page, or the first time we ask for any page from that site.
Assuming we start from the Home page at BuyLotsOfStuff.ca, as demonstrated in Fig. 3, we can:
- click on a link or a picture to get more information. This is a request for a specific page from BuyLotsOfStuff.ca
- my computer encrypts the request for that page using my symmetric key and sends the request to BuyLotsOfStuff.ca
- the server at BuyLotsOfStuff.ca encrypts the page I requested, text and pictures, using the same symmetric key I’m using, and sends it back to me
- my computer decrypts the page and I can look at the details
- I can keep going through this cycle, looking at all the items that interest me
- some items I can add to the shopping cart
The last step in our shopping trip to BuyLotsOfStuff.ca is to make the purchase. We click on the shopping cart link to see the list of items that we’ve chosen. As shown in Fig. 4:
- the request to see the cart is encrypted and sent to BuyLotsOfStuff.ca
- BuyLotsOfStuff.ca’s computer encrypts the contents of my cart and sends it to me as a webpage
- my computer decrypts the shopping cart page and lets me look at it
- when I decide to pay I am taken to a page where I can enter payment information
- if you are not using a secure connection (see below!) do not enter any payment information
- once I enter my payment information and send it to BuyLotsOfStuff.ca, the shopping site sends the charge to my bank, if it’s a credit card
- if the payment is accepted by the bank, BuyLotsOfStuff.ca will pack up my purchases and send them to me, often by courier
- a truck gets my package from the warehouse and drives to where I live
- the box is left by my front door, the doorbell is rung and the driver runs away so they don’t have to interact with me (during Covid-19 :-))
Businesses with secure websites have asymmetric keys to share with us. These are part of an “SSL certificate” that businesses buy so they can provide secure web transactions. Our browser creates the symmetric session key to be sent to the remote computer. Once the exchange of keys has been completed, our web browser will indicate that we are connected to a secure website, often with a padlock or the word “Secure”. Google Chrome shows a lock
and clicking on the lock gives more information
When you go to a banking site, a shopping site, or any website where you provide personal information, ensure that you have a secure (i.e. encrypted) connection.
The process we describe for seting up a secure connection and exchanging encrypted information is common on the Internet – the use of a symmetric key is one of the primary means of sending coded messages and the asymetric key is used to exchange the symmetric key.
This is basically the way that shopping and banking sites ensure that we can securely exchange information on the Internet. This allows to do a great deal from home without ever leaving our comfy couch.