Tuesday, February 06, 2007

Daddy, what's public key cryptography?

I was working on an HTTPS issue today, and Ryan came to talk to me. While he was watching, I figured out what was causing the problem, which was related to the SSL handshake. Ryan asked about the handshake, and I tried to give him a layman's-terms overview of what it was. Before I began, I pictured in my head what the conversation might be like:

Me: When an SSL connection is made...
Ryan: What's SSL?
Me: When you want a connection to be encrypted...
Ryan: What's "encrypted" mean?
Me: When two processes are talking...
Ryan: What's a "process"?
Me: <sigh>.

Here's how I described it:

Me: If I want to send a message to another computer, I write the message on a kind of postcard, with the address of the other computer on it, and then I send it. The postcard goes out, sometimes on a wire, in this case through the air –
Ryan: Like radio waves?
Me: Exactly. Then the other computer receives the postcard, checks the address, and figures that the postcard is for him. Then he reads the message. But, if there's another computer nearby, it can look at the postcard too, even though it's got someone else's address on it. So if I want to send a secret message to a computer that's my friend, I don't want that other computer to be able to read it. So, I take the data on the postcard, and mush* it all up, and change it, and make it look funny. My friend knows that it's mushed up, and he un-mushes it and gets the original secret message out. But the other computer doesn't know this, so it looks at the message and says "Huh? What's that mean?"
Ryan: <giggle>
Me: When we first start talking, I tell my friend "Hey, I'm going to mush up this data, and here's how I'm going to do it." and I give him some stuff that allows him to un-mush the message — that's called the "handshake".
Ryan: Like this? <shakes my hand>
Me: Yes, just like that. It's a way that two computers say "hello, I'm going to send you some mushed data, here's how to un-mush it".
Ryan: That's cool.

*Important note: "mush" as used here rhymes with "bush" or "push", not "hush".

Then I gave him some examples of why you'd want to do this — when I order a book from amazon.com (I thought of this because I pre-ordered the 7th Harry Potter book today), I give them my credit card number. I don't want someone else to figure out my credit card number, or they might go to amazon.com and say "Hi amazon.com, it's me, Graeme. I'd like to buy 500 books and charge it to this credit card", and he gets the books, and I have to pay for it. Ryan has a fairly limited sense of the value of money, but he gasped at this, obviously realizing that this would be a Bad Thing. Either that, or I just gave him a brilliant idea for how to get free stuff, and started him on his way to being a career criminal. Heh heh heh... oops.
