First we're going to look at a protocol that's not quite TLS.
This'll give you a basic idea of how TLS works, but there is some vulnerability in the protocol,
which we'll talk about fixing next.
Here's our client, which is typically a web browser, and a our server, which is a web server.
The first step in the protocol is the client connects to the server, sending a message "hello"
--without the exclamation point.
It also sends information about what ciphers it is able to use.
Different versions of browsers will have different ciphers implemented.
The server and the client need to agree on a particular server
The client will also send a list of the ciphers and the hash functions that it has implemented.
Different browsers will have different ciphers implemented.
It's up to the client and server to agree on the one to use.
In the second step, the server responds.  That response includes several things.
It will pick the cipher and the hash function to use.
Those'll be selected from the list that the client sent based on the ones the server can use.
It should pick the strongest ones that are acceptable to both.
It also sends a certificate.
What that certificate is is something that gives the public key of the server to the client
in a way that the client can trust it.
What's in the certificate is the domain, the name of the server,
as well as its public key.
There is some other information like expiration times--these certificates expire.
The important thing about the certificate is that it's signed by a certificate authority.
We'll talk more about certificates later, but the important thing the certificate does
is give the client access to the servers public key
in a way that the client can trust it.
The next step is for the client to verify the certificate.
Since the certificate is signed by the private key of some certificate authority,
that means the client needs the corresponding public key to verify the signature.
The client also extracts the public key from that certificate.
The next thing the client will do is select a random number--
some random value that will be used to generate the session key.
In the third step the client wants to send back that random value to the server,
but in a way that's secure.
Let's make that a quiz to see if you can figure out how to do that.
The question is how should the client securely send the random value to the server.
Check the best answer from the list below.
