Secure Sockets Layer
Cryptography
Cryptography is the computerized enciphering and deciphering of information.
Greek Roots
Greek roots translate to "hidden writing".
- Kyptos (Hidden): Some words we derive from
kryptos:cryptorcryptic - Graphein (Writing): Some words we derive from
graphein-graphy (photography, calligraphy),graphite
Why do we use cryptography?
- Confidentiality
- Integrity
- Authenticity
- Non-Repudiation (used in transactional exchanges to assure both the sender and receiver of the other's status in the exchange)
Symmetric Encryption
Algorithms:
- DES
- 3DES
- AES (Rinjdael)
- Blowfish
- Uses same key for both encryption and decryption
- The main issue with symmetric encryption is that keys have to be shared between parties, usually across a public medium
Asymmetric Encryption
Algorithms:
- Diffie-Hellman
- RSA
- ECC
Employs two keys - one is used for encryption, and the other is used for decryption.
It was developed to counteract the major issue with symmetric encryption: key distribution.
Diffie-Hellman
Attempt at solving symmetric key issues by Dr. Diffie and Dr. Hellman.
First asymmetric key exchange.
Both users in an exchange agree on a shared private key. There's a complex algorithm associated with it, but the basis is that if you know your key, you can then decrypt the message.
For instance, if my key is 367 and yours is 235, we end up wwith 367 x 235 = 86245.
RSA
Created by Ron Rivest, Adi Shamir, Leonard Adleman (hence the RSA from last names).
Widely used today for secure data transmissions.
In RSA, each user has a widely available public key as well as a secret private key.
When sending a message, the sender uses the receiver's public key to encrypt that message.
The only key that can be used to decrypt that message is the receiver's private key.
Public Key Infrastructure (PKI)
- Assymetric Encryption: Used for transactional exchanges. Not any specific technology but rather a framework based on asymmetric technologies.
- Certificates: Issued by a certificate authority (CA)
- Provides: Confidentiality, authenticity, integrity and nonreudiation.
Certificate Authority (CA)
Job is to:
- Issue keys
- Distribute keys
- Manage keys
- Revoke keys
Real World Scenario: Sending Encrypted Mail
Order of operations:
- Exchange public keys
- Sender encrypts with receiver's public key
- Receiver decrypts with their private key
- If the encrypted message is intercepted, it cannot be opened without receiver's private key
Web SSL Requests
Request order goes:
- User
- Web Server
- Registration Authority (RA)
- Certificate Authority (CA)
SSL Defined
SSL is the standard protocol by which we keep an internet connection secure and safeguards sensitive data as it is communicated between two systems. SSL has been superseded and replace by Transport Layer Security (TLS), but it is still commonly referred to as SSL.
This is accomplished through the use of encryption to scramble data in transit, preventing others (such as attackers) from being able to read it. This is done from the client's browser to the web server (ie it relies on the application itself).
SSL/TLS operates at the Transport layer of the OSI model to create a wrapper of sorts around the communications.
Communication via SSL
FTP, SMTP and HTTP operate at the Application layer of the OSI model.
When we're securing these with SSL/TLS, we put a cryptographic wrapper around the communication at the Transport layer.
Hybrid Encryption
Came about for several reasons due to issues with the encryption types.
The issue with Symmetric encryption requires both parties having to share a key, usually across an untrusted, secure medium.
The issue with Asymmetric encryption comes with its own drawbacks. Extremely slow, taking lots of processing power and thus impractical when encrypting large chunks of data.
Client - Server SSL Verification Process
- Client sends hello request to server
- Server response includes its public key
- Client verifies SSL certificate received from the server
- Client creates symmetric session key, encrypts it with server's public key
- Server decrypts session key with its own private key
- The session key is now in place, and all communications sent during session will be encrypted
This is also known as the TLS handshake.
History
- SSL 1.0: Developed by Netscape but never released due to security flaws
- SSL 2.0: Released in 1995, but still had major security flaws
- SSL 3.0: 1996 major redesign. Netscape brought in external help for development
- TLS 1.x: Developed and released in 1999. 1.2 was released in 2008 and is still used today
Although there were only minor differences between SSL 3.0 and TLS 1.0, they are not interoperable.
With that being the case, there was a fallback option built into TLS 1.0 that allowed the use of SSL 3.0.
SSL vs TLS differences
Port Number
When we select to use SSL, we are telling our systems to communicate via a specific port number. This is sometimes referred to as explicit port selection.
There particular ports (such as 443 for HTTPS) that handle secure traffic. These ports are configured on the server to initialize a connected by negotiating that secure connection first. This is the basis of SSL.
Protocol
When we use TLS, the client and server negotiate the protocol that will be used. These sessions begin with an insecure "hello" message, and only after the handshake has been completed successfully do we switch to a secure connection.
The entire handshake is conducted prior to allowing the session to continue. This is sometimes referred to as implicit port selection.