What is TLS?
Overview
HTTP stands for Hyper Text Transfer Protocol, FTP for File Transfer Protocol, SMTP stands for Simple Mail Transfer Protocol, NNTP stands for Network News Transfer Protocol while TELNET stands for teletype network protocol. All five are used to transfer information over a computer network and creates the basis of today’s internet. TLS (Transport Layer Security) formerly known as SSL (Secure Socket Layer) is used to secure all communications done via these protocols. It encrypts all of the protocol-related data. For example, HTTP uses TLS for secure communication. For this TLS-capable web server and web browser are needed. In this article, we are going to dive into TLS and how it works. TLS aims to provide security for communications done over a computer network. When it comes to protection there are two levels.
- Lower Level: Provides channel protection at the packet(message) level. It ensures security between the browser and not between the user and the application.
- Application/User Level: A higher level of protection that provides security between the user and the server application(s).
Where does TLS fit?
TLS runs on top of TCP (Transmission Control Protocol). It changes the port number used by the application-level protocol, hence securing it. E.g. — HTTP on 80, HTTPS on 443
Why TLS?
TLS addresses the issues of authentication, privacy, and integrity when transferring data over the network.
Authentication : How to make sure you are communicating with the website who it claims to be? Cannot rely on DNS (Domain Name System).
Privacy : How to make sure others look into your messages transferred via the network?
Integrity : How to make sure others don’t alter what you send?
TLS Architecture
TLS Handshake
Public key cryptography is used to share a key between the client and the server. This shared key generated is used to protect communication between the client and the server.
Establish a session:
- Negotiate cipher-suite algorithms: symmetric cipher, key exchange method, message digest function
- Establish and share the master secret
- Perform authentication: client/server
Transfer Data:
- Ensures the privacy and integrity
Let’s look at this process in detail.
Step 1: Browser sends the supported crypto algorithms to the server
Step 2: Server chooses the strongest algorithm it supports
Step 3: Server sends the certificate
Step 4: Client verifies the certificate
Step 5: Client and server agree on secret value by R by exchanging messages
Step 6: From the secret value R, secret symmetric keys are generated and exchanged
Step 7: Exchange messages encrypted using the shared key
TLS: Key exchange
Public key encryption is used to exchange the secret key. “key pair” is used. One is public and the other is private. One key can encrypt and the other can decrypt. The process is slower than conventional cryptography. We are going to talk about two options here.
- RSA
- Diffie Helman
RSA Algorithm — Basic key exchange
Client (Sender) has the servers’(receiver) public key. A trusted third party called as certification authority guarantees the ownership of the key. The document that binds the public key to the identity of the server is called a digital certificate. This digital certificate is shared with the client in Step 3 (Refer TLS handshake section). The algorithm is as follows:
Step 1: Client generates a random value R
Step 2: Client encrypts the value R using servers’ public key
Step 3: The client sends the encrypted R value to the server.
Step 4: Server decrypts the encrypted R value using the servers’ private key and derives the value R
However, TLS with basic key exchange does not provide forward secrecy. If the server’s private key gets stolen attacker can derive encryption keys using the compromised R value.
Diffie Helman Algorithm
Diffie Helman achieves forward secrecy because even if a key is compromised in the future, it can’t be used to decrypt all of the past messages. Below is a diagram showing all the steps of the Diffie-Hellman exchange.
