Securing data transfered between Client and Server.

Client sends the first HTTP request to a server, Three-way handshake

Server sends its digital certificate to the client, The server responds by sending its digital certificate. This certificate contains the server's public key and information about the server verified by a trusted third-party called a Certificate Authority (CA).

Client verifies the certificate: The client's software checks the certificate. It verifies the validity of the certificate and ensures it hasn't been tampered with by checking the CA's signature.

Key Negotiation: If the certificate is valid, the client generates a secret key (often using a symmetric algorithm like AES) for encrypting the data transfer. This key is random and temporary, only used for this specific connection.

Client generates a temporary symmetric session key.

Client encrypts the session key with the server's public key from the certificate. The client encrypts the secret key using the server's public key from the certificate. This ensures only the server with the corresponding private key can decrypt it.

Client sends the encrypted session key and additional data to the server. The client sends the encrypted secret key and some additional data to the server. The server will be able to decrypt it using its private key, as the public key is used to encrypt the symmetric key on the client side, therefore the private key can decrypt the public key to get the symmetric key. From this point on, all communication between the client and server is encrypted with the shared secret key (symmetric key).

Server decrypts the session key using its private key. Both sides use the shared session key to encrypt and decrypt data.