Open in app

Sign in

Write

Sign in

Guardian of all your communication: SSL

Shubham Gupta
9 min readJan 14, 2019

When I was diving into the vast ocean of computer networks this was one for that concept in which I was struggling because there was not much content on this topic. All the content which is present on this topic was on the websites which are doing business on SSL certificates, so the information is somewhat biased. Here are my views on the topic.
So, What is SSL?
Going by definition SSL stands for Secur Socket Layer and is the technology behind HTTPS(Hyper Text Transmission Protocol Secure)
Let me first explain what SSL with an example, there are 2 characters in the example Alice(she knows English) and Bob(Bob knows English too), Alice wants to send a love letter to Bob, so Alice wrote the letter in plain English and covered the letter with envelope, on the envelope Alice wrote her name and address of Bob and she posted that letter. When the post arrived at Bob’s home his mother picked up the letter she opened the letter and read the whole letter, after reading the whole letter Bob’s mother carefully sealed the letter again and gave it to Bob. This is called a passive attack in terms of cybersecurity and the attacker is called an Adversary( will be using this term as a supplant for the attacker). Now, this creates a problem Bob’s mother knows what was written in the letter.

How can we solve this issue?
We can use something called Encryption to convert plain English into something which Bob’s mother cannot read. Maybe Alice and Bob can learn and a new language which Bob’s mother cannot read. But that is a cumbersome process. So Alice and Bob both hired 3rd party agents who can translate their letter into another language which even Alice and Bob don’t understand, they hired Guardians of Communication(SSL). when Alice is done writing her letter she will give her letter to her guardian, the guardian will convert that message into gibberish(this process is called Encryption and the gibberish is called cipher-text) after that this new gibberish letter will be sent. Now when Bob’s mother will open the letter she will have no idea what is Alice trying to communicate with Bob. Once Bob gets the letter he will give his guardian the letter which he will convert back into English. Now let us dive deep into the concept.

Cryptography

Cryptography is the science of secret writing, etymologically speaking the world comes from a Greek root kryptos which means “to hide” and graphein “to write”. When the normal human-readable text is converted to gibberish this process is called Encryption and when this gibberish is converted into readable text it is called Decryption.
There are several methods to do encryption and decryption but majorly they are categorized into 2 major sub-domains “Symmetric key encryption” and “Asymmetric key encryption”.
So what is this key in these two?
Key is a random long string which is used to lock the text so it can be unreadable, just like our normal locks. So in symmetric key encryption, there is only one key which can lock or unlock the text, on the other hand in asymmetric key, there are 2 keys a private key and a public key when the text is locked with the private key it can only be unlocked with the public key and vice versa

Symmetric key encryption
Let's look into symmetric key encryption in brief, as discusses above in Symmetric key encryption there is only one key to encrypt and to decrypt, Symmetric key encryption is a huge topic in itself which is out of scope for this article.
Some of the symmetric key encryption Algorithms are —

  • Advanced Encryption Standard, AES in short( link)
  • Data Encryption Standard, DES in short (link)

Asymmetric key encryption
Asymmetric key encryptions, as the name suggests are asymmetric, there are 2 keys, if the text is locked with one key it can only be unlocked using another key. It is also known as Public Key Cryptography or Public Key Infrastructure( PKI in short). The public key, as the name suggests, is public and private key is private. Some of the famous Asymmetric key encryption algorithms are —

  • RSA ( these are the names of the inventors who no one remembers, link)
  • Elliptic Key Cryptography, ECC in short also used in Blockchain ( link)

Encryption used in SSL
SSL uses both asymmetric key encryption and symmetric key encryption, for asymmetric key encryption SSL uses RSA as discusses above and for symmetric key encryption SSL uses AES. But why do we use both of these encryption schemes? Well, the answer to this is performance AES encryption is much faster than RSA, so in simple terms, we use RSA algorithm to encrypt the AES key and once both the parties have the AES key all the further data is sent under AES encryption.

Digital Signature
Digital Signature is just like an original signature we do on our bank check. With Digital Signature we can verify the sender. Let’s take an example where this Digital Signature will come in handy. Imagine a scenario where Alice is trying to send a letter to Bob, but Bob’s mother intercepts the letter and changed the content, to prevent this kind of scenario Alice signed the letter with her own signature, which cannot be copied by Bob’s mother, through this concept Bob can verify whether the letter is truly coming from Alice or someone changed the content. A digital signature uses PKI( public key infrastructure, for example, RSA) first we take the hash of the file we are sending(you can read more on hash functions on this link), in a nutshell, a hash function is a mathematical function which can convert any arbitrary length of data into a fixed length string which can is Deterministic which means it is a one-to-one function each input has a different output which is same every time. So, we take the hash and append it to our message, and encrypt this hash with the senders private key after this we send it. When Bob opens the message he will again calculate the hash of the message and decrypt the hash he got in the letter with Alice’s public key and match both the hash’s if both are same then there was no tampering in the data.

SSL Certificate
Now lets put all these concepts together and understand what this SSL Certificate is. An SSL certificate is a small data file which contains the public key of the website with which you are trying to communicate with. When a website has an SSL certificate there is a lock sign in the address bar which shows that this website is using HTTPS and has an SSL certificate.

Let me take an example with which I can explain you further. Remember Alice and Bob hired 2 guardians for them so that they can translate their messages. So Bob’s guardian takes a paper and tears that paper into 2 parts, in the first part of the paper he writes the private key and in another part, he writes his public key. Now whenever Alice tries to communicate with Bob for the first time Bob’s guardian will give the paper which holds his public to Alice’s guardian so that they can communicate with each other. Remember this process only happens once, until Bob’s guardian decides to change his private key. Now the problem is how will Bob’s guardian securely send this paper to Alice’s guardian, because if he had a way he can directly send the message via that method. This paper is transferred via a process called SSL Handshake.

SSL Handshake
Step 1) In the above analogy when Alice’s guardian tries to communicate with Bob’s guardian he sends a letter to Bob’s guardian and says hello. This is called Client Hello, with hello message Alice’s guardian will include the list of cryptographic algorithms he can use.
Step 2) When Bob’s guardian receives this hello message from Alice’s guardian Bob’s sends a hello message himself. Note that even if Bob’s mother intercepts this packet there is nothing important in this messages. Bob’s guardian message is also known as the Server Hello. In server hello Bob sends his Public Key, his Digital Certificate, the name of the algorithm Bob’s guardian going to use( from the list Alice’s guardian sent), and the session id.
Step 3) Once Alice’s guardian gets the message from Bob’s guardian, he first checks the digital certificate with the CA[Certificate Authority] which is basically the place from where Bob’s guardian bought his certificate. We send a message to CA to validate whether the public key Bob’s guardian is providing is valid or Bob’s mother intercepted the letter and appended her own public key. Once we authenticate the public key is valid from CA, we sent the symmetric key locked with Bob’s guardian’s public key which we got in Server Hello message.
Step4) When Bob’s guardian gets the message from Alice’s guardian(note that the symmetric key is already encrypted with Bob’s guardian public key, even if Bob’s mother intercept the message in between she cannot read anything) Bob’s guardian unlocks the symmetric key with his own private key. Now Bob’s guardian sends a finish message encrypted with this symmetric key.

Man In The Middle Attack.
Now there is a situation what if Bob’s mother hires a guardian herself to intercept the messages. She can read all the messages, let’s see how she can do this. In server hello message which contains the public key of the server( Bob’s guardian), Bob’s mother can intercept that message and keep to the public key, she can forge another message with her own public key and replace Bob’s public key with her own.
Now Alice’s has Bob’s mother’s public key, now when Alice tries to send the symmetric key she is going to encrypt( lock ) the symmetric key with Bob’s mother’s public key and send that message, Bob’s mother can again intercept this message and because the message is encrypted with her own public key, she can decrypt that message( with her private key), once decrypted , Bob’s mother will again encrypt this key with server’s public key which she stole from the first message. Like this now Bob is thinking he is sending the message to Alice’s but that is not the case each message is going to pass through Bob’s mother, and the whole security is breached and we are back to square one. This type of attacks are called the Man-In-The-Middle attack MITM in short

Note that Pk is Bob’s public key and Pk” is Bob’s Mother’s public key

How CA authenticates if the certificate is valid or not
So how do we prevent this attack?
There is a 3rd party called Certificate Authorities ( CA in short) when the server sends the public key, It puts a digital signature on which can be Authenticated by Certificate Authorities who issues these SSL certificates. Let’s take an example, when Alice’s got the server hello message from Bob there was a public key in it, what Alice’s guardian will do is, he will encrypt this public key with CA public key which is embedded into his mind ( In real life CA’s public key is pre-installed into Brower) because guardian remembered this key there cannot be MITM attack on this, when CA gets the message which is encrypted CA tries to decrypt with his private key. Once the message has been decrypted CA checks the public key he got from Alice and the public key which is in his record and match them both, if both matches CA sends a OK message to Alice that the certificate has been verified. In this way MITM attacks can be forestalled.

Conclusion

We went through a lot of concepts in this article about cryptography, SSL certificates, CA. Cryptography is a very vast topic, which needs a good understanding of maths. Happily, for us, there are a lot of smart scientists are working on it, so that Alice can send her love letters to Bob without being caught.

Security
Ssl Certificate
Cryptography
Symmetric Encryption
Asymmetric Encryption

--

--

Shubham Gupta

Written by Shubham Gupta

4 Followers

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams