Serving secure webpages - how does it work?
When is a webpage secure?
A webpage is secure when the URL starts with "https://" rather than "http://", and there is usually a lock symbol displayed somewhere on your browser – not on the webpage but on the browser itself.
These signs indicate that everything sent from your browser to the Web server and everything sent from the Web server to your browser is encrypted so that, if the data was intercepted, it would be meaningless to the interceptor.
Occasionally, a webpage can be secure without either of the visual indications described above. This is when a secure webpage is served within (a frame of) another webpage. This is an example of poor website design, and if you are unsure if a webpage is secure, just do not send or access sensitive information.
Why not make all webpages secure?
Securing a webpage involves cryptography, and this places a considerable computational burden on Web servers and your own PC. Whilst the latter is unlikely to be taxed for long, highly popular websites would really struggle to encrypt all pages, and these pages would take longer to access.
Therefore, browsing for the latest weather report or tonight's TV schedule is not encrypted – after all, these need not be secured anyway. Online banking most definitely is encrypted.
How does this encryption work exactly? Let's get the acronyms out of the way, and then we'll take a look at the basic mathematics. If you can read clocks then the mathematical basis is a breeze!
Acronyms
Hypertext Transfer Protocol (HTTP) is a set of rules for transferring data files over the World Wide Web. Transmission Control Protocol (TCP) is used with Internet Protocol (IP) to divide this data up into manageable little packets for efficient shipping across the Internet.
Transport Layer Security (TLS) is inserted between the HTTP and TCP layers to undertake the encryption and decryption task for secure webpages.
The predecessor of TLS was originally developed by the company behind the first popular browser, Netscape, and reached near ubiquitous application across all makes of browser. TLS is included in all modern browsers.
I have a key to secure my home, a key to secure my car. Where's the key here?
TLS uses something known as public-private key encryption. This is a different kind of key to the physical ones you use for your home or car. The most striking difference is that, whilst the same key is used to lock and unlock your car, TLS uses one key to lock (encrypt) the information and another key to unlock (decrypt) it.
This feature is critical to the success of TLS. It means that there is no need to restrict access to or be secretive about the key used to lock the information as it is useless for unlocking the information. This key is therefore known as the public key. The unlocking key is known as the private key.
It is the openness surrounding the public key that means the general user is unaware of the process being undertaken. As there is no security risk associated with knowing the public key, your browser automatically requests the public key for locking information on secure webpages. It goes ahead and locks it up when you click "submit" (or whatever the link or button may be called on that webpage).
Walk me through this locking and unlocking process
For anyone interested in mathematics, this whole cryptography revolution harks back to the work done on clock calculators by Gauss and on a theorem proved by Fermat – not his last one, but one known as Fermat's Little Theorem. In hindsight, it's amazingly simple.
If you ask anyone to add the numbers 9 and 4 you will get the answer 13. Similarly, if you ask them at 9 o'clock what the time will be in 4 hours, they will tell you 1 o'clock. Why do we get the answers 13 and 1 to very similar questions? In the instance of telling the time we know there are 12 hours on the clock, so we are actually adding 9 and 4 and, if it is greater than 12, subtracting 12. We keep moving round a clock with 12 numbers.

Another question could be "It's 9 o'clock now, what time will it be in 20 hours?" in which case the answer is 9 + 20 - 12 - 12 = 5 o'clock.
It seems we keep subtracting twelves until we get an answer that lies between 0 and 12. This is known as modular arithmetic – a form of arithmetic where numbers are considered equal if they leave the same remainder when divided by the same number (the modulus).
In modular arithmetic where the modulus is 12 (as for our clock example here):
9 = 21 = 33 = 45 because
- 12's go into 21 once, leaving a remainder of 9
- 12's go into 33 twice, leaving a remainder of 9
- 12's go into 45 three times, leaving a remainder of 9
The hard bit!
Gauss found an appealing characteristic related to an earlier discovery by Fermat if he undertook similar calculations using clocks with a prime number of hours on it instead of 12.
A prime number is a number that cannot be divided exactly by any other number except itself and 1. The numbers 1, 2, 3, 5, 7, 11, 13, 17 and 19 are all prime numbers. All the other numbers up to 20 are not prime as they can be divided exactly by other numbers. For example 15 can be divided by itself and 1, but also by 3 and 5.
Now the next bit sounds a bit abstract but read straight through it to an example that will, hopefully, make it clear.
When using a prime number clock with P hours, if you take a number X and raise it to the power P then you get back to the same number you started with.
So, that example...
Using the 7-hour clock shown here (P=7) and the initial number 3 (X=3), then 3 to the power 7 = 3 x 3 x 3 x 3 x 3 x 3 x 3 = 2187. Now sevens go into this number 312 times, leaving a remainder of 3. Back where we started!

Or to put it another way, we go forward 2187 hours on our 7-hour clock and see what time we come to – 3 o'clock.
Although Fermat claimed to have proved this theorem, he rather inconveniently died before telling anyone! It was left to another distinguished mathematician, Leonhard Euler, to provide the proof in 1736 that this worked for all prime numbers and any number X.
Euler took things further by looking at near-prime numbers too.
A near-prime can only be divided by itself, 1 and two prime numbers. In other words, a near-prime N = p x q where both p and q are prime numbers. For near-prime number clocks, Euler found that the pattern got back to the beginning after raising the original number to the power of (p-1) x (q-1) + 1.
Let's go shopping
We are now nearly there! Let's look at how you give Amazon your credit card number, securely.
Amazon's computers select two very large prime numbers, p and q, of around 60 digits each and multiply them together to make a third number N. We are therefore using a clock with a massive number of hours. In fact, the number is usually bigger than there are atoms in the universe (considered to be in the order of 1 followed by 80 zeroes)!
The number N is published as part of the public key, but p and q are kept secret. It is very very difficult, almost impossible without many years and an incredibly powerful computer, to work out what p and q are from N. There is simply no known mathematical way to do it. In fact it is so secure that Amazon will continue to use the same number N for several months.
The other part of the public key is called the encoding number, E. So now what happens to your credit card number C?
Your browser does a calculation on C based on the clock with the massive number of hours and the encoding number E. It raises C to the power E and works out what the number is on the clock in the same way we did for much smaller numbers above, and transmits this number to Amazon. In other words, your browser has used the public key to encrypt your credit card number.
If anyone intercepted the transmission they could not calculate your credit card number. They know Amazon's public key (N and E) but you cannot use these to reverse the calculation.
However, Amazon can calculate the credit card number because they know p and q, the private key. They know that if your credit card number is raised to the power of (p-1) x (q-1) + 1, the same number reappears, as it did for us above on the 7-hour clock.
As your browser has raised the number to the power of E already, it simply remains for Amazon's computer to raise the result further, by (p-1) x (q-1) + 1 - E on the same clock with N hours, to get back to the same number. Mission accomplished, and your order will be dropping on your doormat soon.
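The clock arithmetic and the locking and unlocking steps above, as an added Python example that is not part of the original article. It goes slightly beyond the text: the server's unlocking power is computed as a decoding number D chosen so that E x D is one more than a multiple of (p-1) x (q-1), and a small factoring routine shows why p and q must be very large. The primes 61 and 53, E = 17 and the message 65 are constructed toy values, and the function names are illustrative.

```python
from math import gcd

def fermat_holds(x, p):
    """On a P-hour clock (P prime), X to the power P returns X."""
    return pow(x, p, p) == x % p

def euler_holds(x, p, q):
    """On an N = p x q hour clock, the power (p-1) x (q-1) + 1 returns X."""
    n = p * q
    return pow(x, (p - 1) * (q - 1) + 1, n) == x % n

def make_keys(p, q, e):
    """Return ((N, E), D): the public key and the secret decoding number."""
    cycle = (p - 1) * (q - 1)
    if gcd(e, cycle) != 1:
        raise ValueError("E must share no factor with (p-1) x (q-1)")
    d = pow(e, -1, cycle)  # E x D leaves remainder 1 on division by cycle
    return (p * q, e), d

def encrypt(c, public):
    """Browser side: raise C to the power E on the N-hour clock."""
    n, e = public
    if not 0 <= c < n:
        raise ValueError("the number to send must be smaller than N")
    return pow(c, e, n)

def decrypt(sent, n, d):
    """Server side: raise what was received to the power D on the same clock."""
    return pow(sent, d, n)

def factor_small(n):
    """Trial division: instant for a toy N, hopeless for an N of real size."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("N has no smaller factors")

if __name__ == "__main__":
    public, d = make_keys(61, 53, 17)   # constructed toy values
    sent = encrypt(65, public)          # 65 stands in for the card number C
    print("7-hour clock check:", fermat_holds(3, 7))
    print("near-prime clock check:", euler_holds(3, 61, 53))
    print("public key (N, E):", public, "secret D:", d)
    print("sent over the wire:", sent)
    print("server recovers:", decrypt(sent, public[0], d))
    print("toy N factors as:", factor_small(public[0]))
```

With a four-digit N the secret primes fall out immediately, which is why real keys use primes far too large for this kind of search.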
So next time you use a secure webpage, think of Fermat, Gauss, Euler, and the three mathematicians at RSA who brought this work from the 17th Century and applied it to the world of the Internet - Rivest, Shamir and Adleman.


