This page builds every word, symbol, and picture the parent note leans on, from absolute zero. Read it before the parent and nothing there will feel like magic.
Before any crypto, understand the two states a message can be in.
Look at the figure: the same envelope travels the wire twice. On top it is readable — the pickpocket in the middle just reads it. On the bottom it is shredded gibberish — the pickpocket copies it but learns nothing. Why the topic needs this: the whole point of TLS (Transport Layer Security) is to move the message from the top wire to the bottom wire. Every other concept exists to make that switch possible and safe.
Why the topic needs it: HTTPS scrambles bulk data with a shared key. Everything about the "handshake" is really the struggle to get both sides holding the same key without ever mailing that key across the open wire.
This is the single most important fork. The parent calls it "hybrid crypto".
In the figure, the symmetric case (left) shows one identical key on both sides. The asymmetric case (right) shows a lock everyone can snap shut (public key) but only the owner's separate key (private key) can open. Why two directions matter:
Anyone locks with your public key → only you open it → this delivers a secret to you.
You lock with your private key → anyone opens it with your public key → this proves the box came from you (a signature — see §5).
Full detail lives in Symmetric vs Asymmetric Encryption.
The parent's Diffie–Hellman box writes gamodp. Two symbols to earn: the exponent and mod.
Why the topic needs it: this is the mathematical engine of key exchange — see Diffie–Hellman Key Exchange. It lets two strangers agree on a secret in public because reversing gamodp (the discrete log problem) is believed too slow to compute — provided the parameters above are chosen well.
Trace the figure top to bottom: document → hash (fingerprint) → locked with the sender's private key = signature. On the right, the receiver unlocks with the public key and independently re-hashes; equal fingerprints = authentic.
Why the topic needs it: certificates are signed documents, and the handshake's "Finished" message is a signed/MAC'd fingerprint of the whole conversation — this is how tampering is caught. Depth in Digital Signatures & Hashing.
The figure is a ladder: your browser stands on the root it trusts (bottom, pale yellow). Each rung above is signed by the rung below. If every signature checks out up to the leaf, you trust the leaf's public key.
Why the topic needs it: key exchange alone is useless if an attacker hands you their public key mid-wire (MITM). The certificate + chain proves the public key really belongs to the domain — and expiry + revocation stop stale or stolen certs from being reused. This is the world of Public Key Infrastructure (PKI).
TLS does not run in a vacuum; it sits on top of existing layers.
Why the topic needs it: "HTTPS on port 443" means: DNS finds the server, TCP connects, TLS negotiates the tunnel, then HTTP flows safely. The parent's handshake is step 3 of that chain.
hash + digital signature → builds on asymmetric crypto → feeds certificate + CA + chain.
nonces + MAC + transcript → build on symmetric crypto.
DNS + TCP + HTTP → the plumbing underneath.
HTTPS / TLS handshake ← is fed by all four streams above: Diffie–Hellman (agree a secret), certificate chain (prove identity), nonces/MAC/transcript (freshness + integrity), and the DNS/TCP/HTTP plumbing.
HTTP = plain web request/response language; TLS = Transport Layer Security, a tunnel giving encryption+authentication; HTTPS = HTTP running inside a TLS tunnel.
Difference between cleartext and ciphertext
Cleartext is human-readable; ciphertext is scrambled noise an eavesdropper cannot understand without the key.
What a "key" is and what encrypt/decrypt do
A key is a secret number; encrypt mixes cleartext+key→ciphertext, decrypt reverses it.
Symmetric vs asymmetric in one line each
Symmetric = one shared key (fast); asymmetric = public/private pair where one locks and the other opens.
What locking with a public key achieves vs locking with a private key
Public-key lock delivers a secret only the owner can open; private-key lock proves the box came from the owner (a signature).
Meaning of gamodp
g multiplied by itself a times, then the remainder after dividing by prime p (arithmetic that wraps like a clock).
Why p must be a large prime and g a proper generator
A small or non-prime p lets an attacker try every exponent and crack the secret; g=1 or a weak generator produces only a few values anyone can guess — so security depends on good parameters.
Why gab=gba matters for DH
Both parties reach the identical shared secret from opposite exponents, in public, without sending it.
The three properties of a cryptographic hash
One-way (can't reverse), avalanche (one bit changes everything), and collision resistance (can't find two inputs with the same fingerprint).
Does signing hide the message?
No — signing locks only the fingerprint to prove sender+integrity; the message stays readable. Encryption hides content; signing does not.
What a nonce (rc, rs) is for
A fresh single-use random number that makes each session's keys unique, defeating replay.
What a transcript is and why it is MAC'd
The ordered record of all handshake messages; MAC'ing it at the end detects any tampering that happened before encryption switched on.
What a certificate binds and who signs it
It binds a domain name to a public key; a Certificate Authority signs it.
Two checks beyond the signature on a certificate
Expiry (not-before/not-after dates) and revocation (CRL or OCSP) — a stale or cancelled cert is rejected even if correctly signed.
What the chain of trust does
Links leaf→intermediate→root so trust flows via verified signatures up to a root already in your browser.
Which lower layers TLS depends on
DNS (name→IP), TCP (reliable pipe), and HTTP (the language riding inside the tunnel).