neraliu's blog internet profession in between hongkong/china and silicon valley (no longer, but the world!)

doing similar on http like https

when you are going to have a secure web connection, the most obvious solution is to use https. however, in some cases, https is not the ideal solutions, not neccessary to talk about its cost and performance, especially you are just a personal website owner, still, you can use the https with self-signed certificate, but the warning from the browser makes you stop thinking about it.

so how can we transmitting data through plain http securely? before we go, we assume that we are going to achieve some of the characteristics of https, but not all of them, what we wanna to achieve are of two

• transmitting data securely, and
• identify the identifier of the server

i am assuming that both alice and bob have shared the same secret already, and now alice want to send data to bob, the most obvious way is to encrypt the data with the share secret and job done. look simply!!

however, how can alice know she is actually talking with bob? as he can continue to recieve the data from alice without repsoning, what alice can do is to chanllenge the identity of bob. what alice can do is to embed some random string into the encrypted message and ask bob to response, if bob can decrypt the secret, then bob can tell alice what the random string is, finally alice knows that she is talking to bob.

disclaimer: this is not the comprehensive design of the secure protocol, it is simply a blog article in describing security topic.