SSL in a nutshell
Concise coverage of the SSL technology and its ecosystem. Aim to provide you an overview of what the
Concise coverage of the SSL technology and its ecosystem. Aim to provide you an overview of what the key concepts are. Basic knowledge of HTTP, Encryption, Web is assumed.
- Digital Certificate
- SSL working
- SSL handshake
- Public Key Infrastructure (PKI)
What is HTTPS?
A secure way of transferring HTTP messages over the internet. Almost the entire HTTP message is encrypted before sending it to another party. Only the part which is essential to route the message to the recipient is left as unencrypted.
What is SSL?
Technology to establish a secure link between two systems. Using the SSL, the data transfer between two parties can be done in an encrypted and private way. SSL secures the World Wide Web by providing the encryption mechanism for HTTP messages.
HTTPS is also referred to as HTTP over SSL.
What is TLS?
TLS is the successor of SSL. Over the years the cyber-attackers found many vulnerabilities and loopholes in the SSL protocol which gradually lead to its decline, and eventually, its deprecation.
TLS protocol addressed those gaps. It is now considered much more secure than SSL. It is now globally adopted as the de-facto protocol to secure the Web.
Note: Even though all SSL protocol versions are now deprecated, the name “SSL” survived. One ought to get confused by it. Just remember, whenever you hear people talking about using SSL layer/tunnel/protocol to secure their web traffic, what they are actually referring to is making use of one of the TLS protocols (TLS 1.3, 1.2, 1.1, etc).
What is an SSL certificate?
It is also referred to as the Digital certificate. It is assigned to the organizations by Certificate Authorities (CAs) to prove their identity. Think of it as an official ID card that is assigned to organizations by mutually and globally trusted third parties.
When a system communicates with other systems over the network it can show this certificate to gain their trust.
How did it work?
The SSL based communication has two distinct stages in its life-cycle,
1. The Setup Stage
This stage is usually referred to as the SSL handshake. At first, the two parties validate each other’s identity to make sure they are who they say they are. Then they also secretly share a symmetric key (known as the session key) with each other which is used to secure the data.
2. Data Transfer Stage
In this stage, both parties use the session key to encrypt the HTTP messages to securely exchange information with each other.
There are few more things going on under the hood but this is the crux of the SSL handshake.
- Client greets the server with a “hello” HTTP message indicating that it wants to communicate securely.
- Server responds with the “hello” HTTP message as a good mannered gesture.
- The server then sends its SSL certificate which it must have, presumably, procured from a trusted third party.
- The client performs a bunch of validations on this SSL certificate (whether it is signed by a valid trusted third party, it’s expiry date, whether it got revoked in recent times, etc).
- After it is assured fully, it generates a Session key (a symmetric cryptographic key).
- It encrypts this Session key with the public key of Server which, you guessed it, is present in the SSL certificate itself.
- This encrypted session key is shared with the server which it can decrypt easily with its private key.
Once both parties have the session key with them, the SSL handshake is complete. The session key is then used to encrypt/decrypt data during the rest of the data transfer.
What is X.509?
It is the widely adopted standard that defines the format of the Digital certificate. It mandates that every Digital Certificate should have certain critical fields.
- Public Key
- Subject (Owner’s name, address, country, domain name).
- Issuer (Name of the CA who issued the certificate).
- Valid-To (Expiry date)
- and few more.
Public Key Infrastructure (PKI)
It is a system with a set of roles and rules to manage digital certificates and public key encryption. Roles defines the key entities involved in this management process. Rules govern how they play their part.
- Root Certificate Authorities (Root CAs): Who authenticates the identity of machines, individuals or organizations by giving them a unique public key.
- Registration Authority: A subordinate CAs who issues certificates on behalf of Root CAs.
- SSL Certificate: The data file which contains the public key and other details.
- Certificate Management System: Which stores, validates and revokes certificates.
It is an open-source, commercial-grade library with implementations of SSL and TLS protocols. It is widely used in many web servers for HTTPS communication.
It is also a general purpose cryptography library with implementations of all major encryption algorithms.
The library is available for all major operating systems. On most Linux distros OpenSSL comes pre-compiled. On windows and Mac, you need to install it separately.
It allows you to perform all critical SSL related tasks like generating private-public key pair, conversion between various ‘Digital Certificate formats’, generating ‘Certificate Signing Request’, etc.
Follow up Article