Home

Secure Sockets Layer

Cryptography

Cryptography is the computerized enciphering and deciphering of information.

Greek Roots

Greek roots translate to "hidden writing".

  • Kyptos (Hidden): Some words we derive from kryptos: crypt or cryptic
  • Graphein (Writing): Some words we derive from graphein-graphy (photography, calligraphy), graphite

Why do we use cryptography?

  • Confidentiality
  • Integrity
  • Authenticity
  • Non-Repudiation (used in transactional exchanges to assure both the sender and receiver of the other's status in the exchange)

Symmetric Encryption

Algorithms:

  1. DES
  2. 3DES
  3. AES (Rinjdael)
  4. Blowfish
  • Uses same key for both encryption and decryption
  • The main issue with symmetric encryption is that keys have to be shared between parties, usually across a public medium

Asymmetric Encryption

Algorithms:

  1. Diffie-Hellman
  2. RSA
  3. ECC

Employs two keys - one is used for encryption, and the other is used for decryption.

It was developed to counteract the major issue with symmetric encryption: key distribution.

Diffie-Hellman

Attempt at solving symmetric key issues by Dr. Diffie and Dr. Hellman.

First asymmetric key exchange.

Both users in an exchange agree on a shared private key. There's a complex algorithm associated with it, but the basis is that if you know your key, you can then decrypt the message.

For instance, if my key is 367 and yours is 235, we end up wwith 367 x 235 = 86245.

RSA

Created by Ron Rivest, Adi Shamir, Leonard Adleman (hence the RSA from last names).

Widely used today for secure data transmissions.

In RSA, each user has a widely available public key as well as a secret private key.

When sending a message, the sender uses the receiver's public key to encrypt that message.

The only key that can be used to decrypt that message is the receiver's private key.

Public Key Infrastructure (PKI)

  1. Assymetric Encryption: Used for transactional exchanges. Not any specific technology but rather a framework based on asymmetric technologies.
  2. Certificates: Issued by a certificate authority (CA)
  3. Provides: Confidentiality, authenticity, integrity and nonreudiation.

Certificate Authority (CA)

Job is to:

  1. Issue keys
  2. Distribute keys
  3. Manage keys
  4. Revoke keys

Real World Scenario: Sending Encrypted Mail

Order of operations:

  1. Exchange public keys
  2. Sender encrypts with receiver's public key
  3. Receiver decrypts with their private key
  4. If the encrypted message is intercepted, it cannot be opened without receiver's private key

Web SSL Requests

Request order goes:

  1. User
  2. Web Server
  3. Registration Authority (RA)
  4. Certificate Authority (CA)

SSL Defined

SSL is the standard protocol by which we keep an internet connection secure and safeguards sensitive data as it is communicated between two systems. SSL has been superseded and replace by Transport Layer Security (TLS), but it is still commonly referred to as SSL.

This is accomplished through the use of encryption to scramble data in transit, preventing others (such as attackers) from being able to read it. This is done from the client's browser to the web server (ie it relies on the application itself).

SSL/TLS operates at the Transport layer of the OSI model to create a wrapper of sorts around the communications.

Communication via SSL

FTP, SMTP and HTTP operate at the Application layer of the OSI model.

When we're securing these with SSL/TLS, we put a cryptographic wrapper around the communication at the Transport layer.

Hybrid Encryption

Came about for several reasons due to issues with the encryption types.

The issue with Symmetric encryption requires both parties having to share a key, usually across an untrusted, secure medium.

The issue with Asymmetric encryption comes with its own drawbacks. Extremely slow, taking lots of processing power and thus impractical when encrypting large chunks of data.

Client - Server SSL Verification Process

  1. Client sends hello request to server
  2. Server response includes its public key
  3. Client verifies SSL certificate received from the server
  4. Client creates symmetric session key, encrypts it with server's public key
  5. Server decrypts session key with its own private key
  6. The session key is now in place, and all communications sent during session will be encrypted

This is also known as the TLS handshake.

History

  • SSL 1.0: Developed by Netscape but never released due to security flaws
  • SSL 2.0: Released in 1995, but still had major security flaws
  • SSL 3.0: 1996 major redesign. Netscape brought in external help for development
  • TLS 1.x: Developed and released in 1999. 1.2 was released in 2008 and is still used today

Although there were only minor differences between SSL 3.0 and TLS 1.0, they are not interoperable.

With that being the case, there was a fallback option built into TLS 1.0 that allowed the use of SSL 3.0.

SSL vs TLS differences

Port Number

When we select to use SSL, we are telling our systems to communicate via a specific port number. This is sometimes referred to as explicit port selection.

There particular ports (such as 443 for HTTPS) that handle secure traffic. These ports are configured on the server to initialize a connected by negotiating that secure connection first. This is the basis of SSL.

Protocol

When we use TLS, the client and server negotiate the protocol that will be used. These sessions begin with an insecure "hello" message, and only after the handshake has been completed successfully do we switch to a secure connection.

The entire handshake is conducted prior to allowing the session to continue. This is sometimes referred to as implicit port selection.