TLS/SSL

CSCI-UA.0480-008

TLS/SSL

SSL is usually used to refer to two cryptographic protocols:

  • TLS - transport layer security
  • SSL - secure sockets layer (precedes TLS, but the acronym is better known)


On the web, SSL, as a protocol, sits between TCP/IP and HTTP (well, this can be other protocols too, like FTP). It ensures that:

  • communication between two computers on a network is private
  • the identity of at least one of the endpoints is proven
  • … and messages sent between computers are not tampered with.

Privacy

A connection made through SSL/TLS is made private through symmetric cryptography. Wait, what's that?

  • same key is used for encryption of plain text into cipher text (encrypted text), as well as decryption back to plain text. uh, what's a key?
  • it's just a piece of data (think parameter in a function) given to a cryptographic algorithm that determines its output. example please… anyone know the caesar cipher or any substitution cipher?
  • caesar uses shift as key, substitution cipher may use a keyword

Encryption - Motivation

How does encryption work for ensuring privacy?

  • if there are eavesdroppers…
  • messages won't be in plain text
  • so, while they can observe that communication is occurring, they won't know what the content is…

Verified Identity

  • identity is verified by a cryptographically signed certificate from a trusted certificate authority that the server supplies to the client
  • this is an SSL Certificate
  • it's basically a way for the server to prove that they are who they say they are
  • why does this matter?
    • so … some malicious 3rd party can't masquerade as the server / site

Message Integrity

A message authentication code is a code that can be used to confirm:

  • that a message hasn't been tampered with
  • and that it's coming from the stated sender


implemented by hashing the message with some shared secret key
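
A message authentication code built by hashing the message with a shared secret key, as an added example (not from the original slides). It uses HMAC-SHA256 from Python's standard library, with an unkeyed hash alongside for contrast. The key, messages and function names are constructed for illustration, and the per-record sequence number goes beyond the slide (TLS also includes one in its MAC input).

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag

def _tag(key: bytes, seq: int, message: bytes) -> bytes:
    # The MAC covers a sequence number as well as the message, so a valid
    # record cannot be replayed or reordered without the receiver noticing.
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()

def seal(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side: append the MAC tag to the message."""
    return message + _tag(key, seq, message)

def open_record(key: bytes, seq: int, record: bytes) -> bytes:
    """Receiver side: return the message, or raise ValueError on a bad tag."""
    if len(record) < TAG_LEN:
        raise ValueError("record shorter than a tag")
    message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    # compare_digest runs in constant time, so timing does not leak the tag
    if not hmac.compare_digest(tag, _tag(key, seq, message)):
        raise ValueError("MAC check failed")
    return message

def accepted(key: bytes, seq: int, record: bytes) -> bool:
    try:
        open_record(key, seq, record)
        return True
    except ValueError:
        return False

def unkeyed_seal(message: bytes) -> bytes:
    """Weak variant for contrast: plain SHA-256 digest, no secret key."""
    return message + hashlib.sha256(message).digest()

def unkeyed_accepts(record: bytes) -> bool:
    message, digest = record[:-TAG_LEN], record[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest())

# Constructed sample values (not from the slides)
KEY = b"constructed-shared-secret-key-01"
MSG = b"transfer 10 to alice"
ALTERED = b"transfer 99 to alice"

if __name__ == "__main__":
    record = seal(KEY, 0, MSG)
    print(accepted(KEY, 0, record))                       # genuine record
    print(accepted(KEY, 0, ALTERED + record[-TAG_LEN:]))  # altered in transit
    print(accepted(KEY, 1, record))                       # same record, later sequence number
    print(unkeyed_accepts(unkeyed_seal(ALTERED)))         # digest recomputed without any key
```

The unkeyed digest only catches accidental corruption, because anyone who changes the message can recompute it. The keyed tag is what ties the message to a holder of the shared secret.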

Protocol Description

On a high level… once a connection is made between the client and server:

  1. the client starts an SSL handshake:
    • where information is exchanged so that the actual encrypted communication can occur
    • for the client… that means sending (among other things) the highest version of TLS it supports
    • a list of supported cipher suites (what encryption algorithms do I support, what method do I use to authenticate messages, etc.)
    • …and which compression algorithms it supports
  2. the server responds with (among other things):
    • the chosen TLS protocol version
    • which cipher suite to use
    • which compression algorithm to use

Protocol Description Continued

So, that handles some basic setup to configure a few things (like cipher suite, compression algorithm, etc.). Next:

  1. the server sends back an SSL cert
  2. once the cert is verified by the browser (was it signed by a trusted certificate authority … for example, the list of trusted CAs on iOS 10?)
  3. keys can be exchanged for encryption with symmetric cryptography
    • how? …maybe through public-key / asymmetric cryptography first
    • exchange public keys
    • generate and exchange new keys
    • why not just use public key encryption? asymmetric is slower, requires larger keys, and resulting encrypted output is slightly larger
  4. client sends an encrypted message signalling that all communication will now be encrypted
  5. server verifies message and returns it (which is then verified by the client)

Resources