At MAEASaM we do our best to keep you safe while browsing our website and to keep your data private. HTTPS has been implemented on our public website (www.maeasam.org) and on each of our experimental databases. Mahmoud Abdelrazek, champion database developer for the project, explains what this means for strengthening the security of data on the web and in wider cyberspace.
In the few or long moments that your browser takes to load a website after you type the web address, some internet marvels take place. Your computer communicates with many other computers across the globe to find the exact computer hosting the website you are requesting access to and then collects the site and displays it on your screen. This process takes place in a few seconds or sometimes milliseconds, thanks to the robust infrastructure of the internet.
To examine this process, it helps to think about webpages in their original forms as text. When you visit a website, your browser receives a string of text and then translates it to the website you view on your screen. This text is transferred from a computer that hosts the website through HTTP Hypertext Transfer Protocol. HTTP is one of the most fundamental protocols that power the whole internet. It is used to transfer data back and forth between your browser and the server. This includes username and passwords during the authentication process when signing in. However, HTTP uses plain text, meaning that all the communications between your computer and the website server are sent without encryption. For anyone who has access to view the data travelling through the communication routes between you and the web server, this text is easily seen. Without the use of encryption your internet service provider can view the pages you visit and the information you exchange with the website.
Resolving this issue requires the use of cryptography to protect your confidential information. Cryptography works in two steps: first your data is turned into a string of unintelligible text using a special algorithm; then the data is sent through the internet to the server which uses a similar special algorithm to turn your message back to readable text. The two steps are known as Encryption and Decryption, respectively.
For many decades symmetric cryptography was used as the main system for protecting information. Symmetric cryptography uses a common key shared between the sender and the receiver to perform both the encryption and the decryption, respectively. This common key can be agreed upon between the sender and the receiver before the start of the communication and using different means. Historically, the key could be anything from a line in a book to a random set of numbers and letters. The key must be kept secret at all costs and revealing it means that the encryption is broken. The result would be that anyone who has access to it will be able to decrypt the message and view its contents.
When your browser communicates with a server, it has no means to agree on a common key except using the same communication channel intended for the data transportation – the internet. If someone is monitoring this connection, they can view this negotiation on the key and use the key to view your data. Thus, this solution is incomplete, and a method to communicate the key securely between your browser and the server would still be needed.
The introduction of asymmetric cryptography was aimed to improve on symmetric cryptography and avoid some of its shortcomings. Asymmetric cryptography, also known as public key cryptography, uses a pair of keys, a private and a public key. As the name illustrates, private keys are kept secret and public keys are announced for everyone on the internet.
One of the main differences between symmetric and asymmetric cryptography is the reversibility of the encryption process. In symmetric cryptography, the steps taken by the encryption algorithm are performed in reverse by the decryption algorithm using the encryption key. While in asymmetric cryptography, reversing the encryption steps is not possible. Rather, the encryption is performed using the public key of the receiver and then the decryption takes place using the private key of the receiver. This design ensures that the information gets encrypted without access to the private key but cannot be decrypted without the private key.
Asymmetric cryptography sounds like an amazing solution to the internet communication problem. There is one downside, however. Performing the mathematics behind the asymmetric encryption takes a lot of computation, which translates into time delays in communication. Thus, a system that uses both symmetric and asymmetric cryptography was invented. The system uses asymmetric cryptography to communicate an encryption key for the symmetric cryptography in a process known as the handshake. Your browser reaches out to the server with a “Hello” message and the server responds by beginning the key exchange process. Once the key is communicated then your browser and the site can use it to encrypt the information and keep it safe from prying eyes. This system is commonly referred to as HTTPS. You can also read more about it in the amazing comics how https works. It is particularly important for the safety of your information to ensure your privacy on the internet. Although HTTPS solves a big problem, it is not a shield to all dangers online. We encourage you to read and learn more about the internet and cyber security.
Mahmoud Abdelrazek
MAEASaM Database Developer,
University of Cambridge