PGD

Posted on Apr 5

HTTPS note

SSL (Secure Socket Layer)

SSL is a strategy of communication on the web, developed by Netscape in 1995.
Since data transferred via web is composed of string, anyone can intercept and read the sensitive data. For security, SSL is used for encryption data to be transmitted.
SSL is implemented by what is called SSL certificate. SSL certificate contains information of identity of client and asymmetric key. One that is stored on the website or application server contains private key and the other contains public key. The public key is used for encryption of data, and private key is for decryption. The private key keeps secret in the server.

SSL handshake

SSL authentication is executed by a series of process called handshake.

The client, at first, initiates SSL handshake by sending "ClientHello" to the server. The "ClientHello" message contains information about security such as SSL/TLS version it can accept and cipher suites.
Then the server responds to the message and sends "ServerHello" to the client. The "ServerHello" message also contain information about which SSL/TLS version to use by the both parties of the communication.
After that, the server sends its Digital Certificates, verified by Certificate Authority (CA) such as www.SSL.com, to the client.
And then the browser validates the server's credential. Once it is verified, the client uses server's public key to encrypt a "premaster secret", a unique session key, and sends it back to the server.
The server decrypts the premaster secret with the server's private key. The server and client then compute the session key, which will be used as a symmetric encryption of every communication.

Components of SSL/TLS handshake

Asymmetric Encryption

There are private key and public key, which private key is for decryption, whereas public key is for encryption

Symmetric Encryption

A single shared by both client and server. It is used for encryption and decryption. Symmetric encryption is faster than asymmetric encryption. SSL/TLS handshake uses asymmetric encryption to share symmetric session key.

Digital Certificates

Digital Certificate is a digital document bind a public key to an entity like a website. Digital Certificate enables secure authentication on the internet. Digital Certificates are issued by Certificate Authorities (CAs) like www.SSL.com

Cypher Suite

Cypher Suite is a set of algorithm defines the cryptographic parameters for an SSL/TLS session. It includes key exchange methods, encryption ciphers, and hash functions.

Session Key

A session key is a temporary symmetric key generated by client and server. A session key is unique to each session. During the session, all data transmission is encrypted and decrypted by the temporary session key.

Types of SSL Certificates

Single-domain: is applied to a single domain.
Wildcard: is similar to single-domain, but it includes subdomains of the domain. For instance, a wildcard certificate includes sampledomain.com, api.sampledomain.com, auth.sampledomain.com, while a single-domain certificate could only cover the first.
Multi-domain: can apply to multiple unrelated domains.

Certificate

To verify whether the website is authenticated/certified or not (uncertified websites can be a evil website). An authenticated website has a unique personal certificate purchase from one of the CA's.

CA

Globally trusted companies, like GoDaddy, GeoTrust, VeriSign, etc. who provide digital certificate to the websites.

How a website get a certificate

Website owner first generates a public key and private key. He gives a Certificate Signing Request file (CSR) and his public key to the CA.
CA then creates a personal certificate based on CSR including domain name, owner name, expiry date, serial number, etc. and also adds an encrypted text (=digital signature) to the certificate and finally encrypts the whole certificate with the public key of the server and sends it back to the website owner.
This certificate is decrypted with the private key of the website owner and he installs it on the website.

The encrypted text is the digital signature of the CA. That text is encrypted by the private key of the CA and can only be decrypted by a public key of CA. When installing operating system or browser, root-certificates form many trusted CAs come with it. These root-certificates contain the public key of that CA provider which helps decrypt the signature.

HTTPS security split into 2 parts (handshake)

1. To validate the certificate of a website

1) When you enter the URL www.google.com, Google's server gives its public key and certificate (which was signed by GeoTrust) to the browser.
2) Browser ahs to verify the authenticity of the certificate, in other words, it's actually signed from GeoTrust or not. As browsers come with a pre-installed list of public keys from all the major CA's, it picks the public key of the GeoTrust and tries to decrypt the digital signature of the certificate which was encrypted by the private key of GeoTrust.
3) If it's able to decrypt the signature (which means it's a trustworthy website) then it proceeds to the next step, otherwise it stops and shows a red cross before the URL.

2. To create a secure connection

1) Google sends its public key when you enter www.google.com. Any data encrypted with the public key can only be decrypted by Google's private key which Google doesn't share with anyone.
2) After validating the certificate (phase 1 above), browser creates a new key, which is session key.
3) Browser encrypts a copy of session key and other request data with the Google's public key. Then it sends it back to the Google server.
4) Google's server decrypts the encrypted data using its private key and gets the session key (Someone says that the session key is never transmitted at all. It is established via a secure key negotiation algorithm. The premaster secret is not the session key. For now, I will understand the session key as a symmetric key), and other request data. Client and server are the only one that has the key. The key will be used for both decryption and encryption the data.
5) When google sends the data like requested HTML document and other HTTP data to the browser it first encrypts the data with the session key and browser decrypts with the other copy of the session key.
6) Similarly, when browser sends the data to the Google server, it encrypts the data with the session key which server decrypts on the other side.
The session key is only used for that session only. If the user closes the website and opens again, a new session key would be created.

TLS (Transport Layer Security)

TLS was derived from SSL, but it is developed not by Netscape. Since TLS is no longer associated with Netscape, the protocol name had been changed. By historical reason, SSL and TLS can be used interchangably.

What TLS does

Encryption: hides the data being transferred.
Authentication: ensures that the parties exchanging information are who they claim to be.
Integrity: verifies that the data has not been forged or tampered with.

TLS certificate

TLS certificate (a.k.a. SSL certificate) should be installed on the origin server of a website or application to use TLS. A TLS certificate contains important information about who owns the domain, along with the server's public key, both of which are important for validating the server's identity.

HTTPS (Hypertext Transfer Protocol Secure)

HTTPS simply uses SSL/TLS encryption on top of HTTP. HTTPS occurs based upon the transmission of SSL/TLS certificates, which verify that a particular provider is who they claim to be.
Any website, especially uses sensitive information or requires login credentials, should use HTTPS.

Port

HTTPS uses port 443.

In networking, a port is a virtual software-based point where network connections start and end. All network-connected computers expose a number of ports to enable them to receive traffic. Each port is associated with a specific process or service, and different protocols use different ports.

DEV Community