As a security enthusiast, I have always been fond of the workings of SSL (TLS these days). It took me days to understand the very basic working of this complex protocol. But once you understand the underlying concepts and algorithms, the entire protocol feels quite simple. I’ve learned a lot of things while learning how SSL works, encryption being the first. I started recollecting the cryptography stuff I learned at university. In those days, I was like "meh" while studying it. Now I know why teachers fed me all that encryption stuff. I know how much cryptography makes my life easier. I wanted to share everything I learned here in my space, and I definitely hope this will be very useful to you. So let’s begin.
History of SSL
When talking about the history of SSL, one shouldn’t miss the Mozilla Foundation. The first thing that comes to mind when talking about Mozilla is their famous browser, Firefox. According to various sources, Firefox is the most popular browser after Chrome and Safari. But Netscape was the great predecessor of Firefox, and during the 90’s it was the most popular browser among internet surfers. Anyway, with the introduction of Internet Explorer by Microsoft, Netscape’s era came to an end; later they started the great Mozilla Foundation, and it still grows.
Netscape introduced SSL in 1994 for its Netscape Navigator browser. The primary objective was to prevent Man In The Middle attacks. Later, as internet access increased, banks started to use the internet for transactions. At that time security was a major concern, and the IETF (Internet Engineering Task Force), the people who standardize internet protocols, standardized SSL by making their own version. This was in 1999, and the protocol is now known as TLS (Transport Layer Security), the latest version being TLS 1.3.
A few notes about cryptography
First things first: before digging deep into the topic, we need a basic understanding of a couple of things. The most important one is cryptography. You don’t need to be a cryptography expert to understand SSL, but a basic understanding is necessary. We will discuss the very basics here. Those who already know Asymmetric and Symmetric key encryption can skip this section and go to the next part.
So cryptography deals with numbers and strings. Basically every digital thing in the entire universe is a number. When I say numbers, it’s 0 and 1. You know what they are: binary. The images you see on screen, the music that you listen to through your earphones, everything is binary. But our ears and eyes will not understand binary, right? Only the brain could understand that, and even if it could understand binary, it can’t enjoy it. So we convert the binary to human-understandable formats such as mp3, jpg, etc. Let’s call this process Encoding. It’s a two-way process, and the result can easily be decoded back to its original form.
Hashing is another cryptographic technique, in which data, once converted to another form, can never be recovered. In layman’s terms, there is no process called de-hashing. There are many hash functions to do the job, such as sha-512, md5 and so on. The sha-512 value of wst.space is,
You can verify this by going to some online hash creator website and typing wst.space.
If the original value cannot be recovered, then where do we use this? Passwords! When you set up a password for your mobile or PC, a hash of your password is created and stored in a secure place. When you make a login attempt next time, the entered string is again hashed with the same algorithm (hash function) and the output is matched with the stored value. If it’s the same, you get logged in. Otherwise you are thrown out.
By applying a hash to the password, we can ensure that an attacker will never get our password even if he steals the stored password file. The attacker will only have the hash of the password. He can probably find a list of the most commonly used passwords, apply sha-512 to each of them and compare the result with the value in his hand. This is called a dictionary attack. But how long would he do this? If your password is random enough, do you think this method of cracking would work?
We have discussed session cookies in one of our blog posts. The values in session cookies are usually hashed. All the passwords in the databases of Facebook, Google and Amazon are hashed, or at least they are supposed to be hashed.
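The store-and-compare login described above, as an added example in Python (not code from the original post). It puts the unsalted sha-512 scheme from the text beside a salted, iterated variant using PBKDF2, which goes beyond the text; the function names, sample password and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune to your hardware


def sha512_hex(password):
    """Unsalted SHA-512, the scheme the text describes."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def verify_unsalted(stored_hex, attempt):
    # Hash the attempt with the same function and compare in constant time.
    return hmac.compare_digest(stored_hex, sha512_hex(attempt))


def create_record(password):
    """Salted, iterated hash: returns (salt, digest) to store per user."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_record(record, attempt):
    # Re-derive with the stored salt, then compare in constant time.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha512", attempt.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def compare_schemes(password):
    """Two users pick the same password: do their stored values match?"""
    unsalted_match = sha512_hex(password) == sha512_hex(password)
    salted_match = create_record(password)[1] == create_record(password)[1]
    return unsalted_match, salted_match


if __name__ == "__main__":
    stored = sha512_hex("correct horse")  # constructed sample password
    print(verify_unsalted(stored, "correct horse"), verify_unsalted(stored, "guess"))
    print(compare_schemes("correct horse"))
```

Identical unsalted hashes mean one precomputed list can be compared against every stored value at once; a per-user salt and a slow derivation remove that shortcut.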
Then there is Encryption
Encryption lies in between hashing and encoding. Encoding is a two-way process and should not be used to provide security. Encryption is also a two-way process, but the original data can be retrieved if and only if the encryption key is known. If you don’t know how encryption works, don’t worry, we will discuss the basics here. That will be enough to understand the basics of SSL. There are two types of encryption, namely Symmetric and Asymmetric encryption.
Symmetric Key Encryption
I am trying to keep things as simple as I can. So, let’s understand symmetric encryption by means of a shift algorithm. This algorithm is used to encrypt letters by shifting them either left or right. Let’s take the string CRYPTO and consider the number +3. Then the encrypted form of CRYPTO will be FUBSWR. That means each letter is shifted to the right by 3 places.
Here, the word CRYPTO is called the Plaintext, the output FUBSWR is called the Ciphertext, the value +3 is called the Encryption key (symmetric key) and the whole process is a cipher. This is one of the oldest and most basic symmetric key encryption algorithms, and its first usage was reported during the time of Julius Caesar. So it was named after him, and it is the famous Caesar Cipher. Anyone who knows the encryption key can apply the reverse of Caesar’s algorithm and retrieve the original Plaintext. Hence it is called Symmetric Encryption.
Can we use symmetric cryptography with TLS?
As you understand, this algorithm is pretty easy to crack since the possibilities are few. We can change the value of the key from 1 to anything and iterate through the 26 letters one by one. Note that the value of the key is limited to 26, provided we are encrypting only lowercase English letters. It’s a matter of milliseconds for our computers to brute-force this process. Nowadays, there are complex algorithms such as AES (Advanced Encryption Standard) and 3DES (Triple Data Encryption Algorithm). They are considered to be really, really difficult to crack.
This is the encryption technique used in SSL/TLS while sending and receiving data. But the client and server need to agree upon a key and exchange it before starting to encrypt the data, right? The initial step of exchanging the key will obviously be in plain text. What if the attacker captures the key while it is being shared? Then there is no point in using it. So we need a secure mechanism to exchange the keys without an attacker actually seeing them. That is where Asymmetric Key Encryption comes in.
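The shift cipher and its tiny key space, as an added example in Python (not code from the original post). It uses uppercase letters to match the CRYPTO/FUBSWR example; the function names and the known-word check are assumptions made for this illustration.

```python
import string

ALPHABET = string.ascii_uppercase  # 26 letters, so only 26 distinct keys exist


def caesar(text, key):
    """Shift every letter of `text` by `key` places; other characters pass through."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key):
    # Symmetric: the same key, applied in reverse, restores the plaintext.
    return caesar(ciphertext, -key)


def all_candidates(ciphertext):
    """Every possible plaintext, one per key. This is the whole key space."""
    return {key: decrypt(ciphertext, key) for key in range(26)}


def recover_key(ciphertext, known_words):
    """Return the first key whose candidate plaintext is a recognisable word."""
    for key, candidate in all_candidates(ciphertext).items():
        if candidate in known_words:
            return key
    return None


if __name__ == "__main__":
    ciphertext = caesar("CRYPTO", 3)
    print(ciphertext, decrypt(ciphertext, 3))
    # Constructed word list standing in for "text that looks like language".
    print(recover_key(ciphertext, {"CRYPTO", "SECRET"}))
```

A key space of 26 is exhausted instantly, which is why the strength of a modern cipher such as AES rests on a key space far too large to enumerate.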
Asymmetric Key Encryption
We know that in Symmetric encryption the same key is used for both encryption and decryption. Once that key is stolen, all the data is gone. That’s a huge risk, and we need a more complex technique. In 1976, Whitfield Diffie and Martin Hellman first published the concept of Asymmetric encryption and the algorithm was known as Diffie–Hellman key exchange. Then in 1978, Ron Rivest, Adi Shamir and Leonard Adleman of MIT published the RSA algorithm. These can be considered the foundation of Asymmetric cryptography.
Compared to Symmetric encryption, in Asymmetric encryption there are two keys instead of one. One is called the Public key, and the other is the Private key. Theoretically, during initiation we can generate the Public-Private key pair on our machine. The Private key should be kept in a safe place and should never be shared with anyone. The Public key, as the name indicates, can be shared with anyone who wishes to send encrypted text to you. Now, those who have your public key can encrypt the secret data with it. If the key pair was generated using the RSA algorithm, then they should use the same algorithm while encrypting the data. Usually the algorithm will be specified in the public key. The encrypted data can only be decrypted with the private key, which is owned by you.
Can we use Asymmetric encryption for all of TLS?
Asymmetric encryption is also known as Public Key Infrastructure a.k.a PKI; the reason is self-explanatory. Anyway, as long as you keep the private key secure, the data is safe. Great! So, by now you are probably thinking: why would we still use symmetric encryption in TLS? We have a lot more secure PKI in place. Yes, agreed, but it should be noted that security has to be dealt with without affecting usability. Since PKI involves a double-key architecture and the key length is usually large, the encryption-decryption overhead is very high. It takes more time and CPU usage compared to symmetric key encryption.
So, when sending and receiving data between client and server, the user will experience longer wait times, and the browser will start to eat the CPU. So PKI is used only to exchange the symmetric key between the client and server. Thereafter symmetric key encryption comes into play, and further data transmission makes use of this technique. Well, I know I am just beating around the bush here, because I haven’t really jumped into the topic yet. Please keep the things we have discussed so far in mind and come back to this space. We will go deeper starting with the next blog post.
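The key-agreement problem raised above, solved with the Diffie–Hellman exchange named here, as an added example in Python (not code from the original post). The group parameters are a deliberately small toy choice, and the `Party` class, `run_exchange` function and SHA-256 key derivation are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): a 127-bit Mersenne prime.
# Real deployments use standardized groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1
G = 3


class Party:
    """One side of the exchange; the private exponent never leaves the object."""

    def __init__(self):
        self._private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._private, P)  # this value is sent in the clear

    def session_key(self, peer_public):
        # Reject degenerate values that would force a predictable shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self._private, P)
        # Hash the shared number down to a 32-byte symmetric key.
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_exchange():
    """Return both derived keys plus everything a passive observer would capture."""
    client, server = Party(), Party()
    wire = {
        "p": P,
        "g": G,
        "client_public": client.public,
        "server_public": server.public,
    }
    client_key = client.session_key(server.public)
    server_key = server.session_key(client.public)
    return client_key, server_key, wire


if __name__ == "__main__":
    client_key, server_key, wire = run_exchange()
    print("keys match:", client_key == server_key)
    print("visible on the wire:", sorted(wire))
```

Both sides arrive at the same 32-byte key although only public values crossed the network. The exchange as written is unauthenticated, so it protects against passive capture only; TLS additionally authenticates the server with a certificate.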