A TLS certificate ensures that the communication is encrypted and that the server is actually who it says it is
For example, assume that you are John and want to access your account on the website my-bank.com
A hacker might intercept the traffic, get your password and then take over your account.
To solve this issue, we use a secret key, which is applied to your password to encrypt it
Now, when you want to access the server, your encrypted data passes over the network and the hacker might still get the data. But he can't decrypt it
But here is an issue: you need to send a copy of your key to the server so that it can decrypt the data.
While you do so, the hacker can get the key as well!!! This is called symmetric encryption (it uses the same key to encrypt and decrypt)
To solve this issue, we use asymmetric encryption (a public and a private key)
Let's call the public key a public lock for now.
First, we encrypt the data with the public key/lock. Then we share the name and password along with the public key/public lock
But the password can be decrypted only with the private key
So, how do we generate these keys?
We generate them using ssh-keygen
id_rsa is the private key and id_rsa.pub is the public key/lock
You can now lock your server using the public key.
You can also check the key under ~/.ssh/authorized_keys. You can see the public key there.
Let's go back to the bank's situation
Now, we will generate public and private keys on the server.
Then the public key/lock is sent to the user, and the hacker might get that as well
The user has the symmetric key created earlier to encrypt the data. Now this symmetric key is locked with the public lock and sent to the server.
The hacker also gets that
The server uses its private key to open what was locked with the public lock/key.
So, this is how the server gets the symmetric key. Now the server can decrypt the user's password and get access to the data
But the hacker is not happy: he somehow copies the whole website onto his own server and somehow takes you there
You then share your symmetric key with that server
Now the hacker decrypts your password and you got hacked!!
But how do I know if a public lock that was shared with me is genuinely from the bank's server or from the hacker?
Basically, that public key is shared inside a certificate.
The certificate looks like this
Anyone can generate a certificate. So, how do we know that it is genuine?
We know that by the signature. If the hacker generated it, it will carry the hacker's own signature (self-signed)
So, this is how it looked once the hacker sent the user his public lock
Thankfully, all browsers have certificate validation
It checks if a certificate is valid or not!
For genuine certificates, we have CAs (certificate authorities), such as Symantec.
So, how do you generate a trusted certificate?
Using the public key, you create a certificate signing request (CSR). How to do that?
You use openssl to generate a CSR that carries your public key and domain name to the CA
The certificate authority then checks it, and if all the information is right, they sign the certificate.
In the hacker's case, the certificate will not be validated by the CAs
So, these CAs help validate public websites. To solve the issue for private websites, you can set up their private version and install it on your company PCs
The real bank server can also ask the client to generate a CSR to verify that he/she is the real user
Using the CA, the user can generate a CSR and send it to the real server.
The whole thing is called PKI (public key infrastructure)
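The CSR, CA signing and validation steps described above, run end to end with openssl against a throwaway private CA. This is an added example, not code from the original post; "Demo Root CA" and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. "Demo Root CA" and the file names are constructed; the
# CA here is a throwaway private one, not a public certificate authority.
pki_dir=$(mktemp -d)

make_ca() {     # CA key pair plus the root certificate that clients trust
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" 2>/dev/null
}

make_csr() {    # $1 = file prefix: key pair + CSR carrying the domain name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my-bank.com" \
    -keyout "$pki_dir/$1.key" -out "$pki_dir/$1.csr" 2>/dev/null
}

ca_sign() {     # the CA signs the CSR and returns a certificate
  openssl x509 -req -in "$pki_dir/$1.csr" -days 1 -CA "$pki_dir/ca.crt" \
    -CAkey "$pki_dir/ca.key" -CAcreateserial -out "$pki_dir/$1.crt" 2>/dev/null
}

self_sign() {   # no CA involved: the CSR is signed with its own private key
  openssl x509 -req -in "$pki_dir/$1.csr" -days 1 \
    -signkey "$pki_dir/$1.key" -out "$pki_dir/$1.crt" 2>/dev/null
}

verify_cert() { # the browser's check: does the signature chain to a trusted CA?
  openssl verify -CAfile "$pki_dir/ca.crt" "$pki_dir/$1.crt" 2>/dev/null |
    grep -q ': OK$'
}

make_ca
make_csr bank;     ca_sign bank        # real server: CSR signed by the CA
make_csr impostor; self_sign impostor  # same domain name, but self-signed
for c in bank impostor; do
  if verify_cert "$c"; then echo "$c: trusted"; else echo "$c: rejected"; fi
done
```

Both certificates claim the name my-bank.com; only the one whose signature chains to the trusted CA passes validation.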
Examples of public key/lock and private keys
Mutual TLS
Assume that mybank.com wants to send some data to abc-financials.com
So, how will abc-financials know that it is actually mybank.com sending the data?
This is where mutual TLS comes in: the client and the server now verify each other's authenticity.
Assuming my-bank (client) sends some data to abc-financials (server)
Client first requests the server's public certificate.
The server replies with its public certificate
The client checks with the CA whether the certificate is valid
Once verified, the client sends a certificate to the server and also shares a symmetric key which is encrypted with the public key of the server.
The server now validates with the CA that the client does indeed belong to mybank
So, in this way, they have both mutually verified each other.