HTTPS and TLS (SSL 3+)

Reading Time: 3 minutes

encryption02-580x358

TLS is Next Generation SSL

When people talk about SSL(Secure Socket Layers) protocol, what they actually mean is TLS(Transport Layer Security). TLS is the successor and the new name of SSL.

SSL 3.1 is actually TLS 1.0. TLS 1.1 is SSL 3.2 and TLS 1.2 is SSL 3.3. TLS 1.3 is the latest version proposed on 21 March 2018.

Now that you know these, let’s get into TLS.

What is TLS?

TLS is a protocol operating directly on top of TCP layer. Although, there are implementations of it for Datagram Based Protocols like UDP. By working on TCP layer, protocols on higher level layers(Application layer …) are left unchanged while still being secure. Below TLS layer, HTTP is identical to HTTPS.

OSI Model

When you use TLS properly on your connections, attackers can only see which IP and port you are connecting, roughly how much data you are sending and what kind of encryption algorithm and compression are being used.

Why do We Use TLS and What the Benefits are?

There are three reasons, benefits:

  • Authentication
  • Encryption
  • It is cool to be secure

Authentication

Authentication part of the TLS is to ensure that we are connecting and sending sensitive data to the correct website. If you don’t use TLS over our connections, you might not see if we are connecting to the correct website or not. Attacker can use phishing attack to imitate the website and we might send our sensitive data to the attacker by not knowing it.

The authentication process is like this:

  1. Client requests connection and sends these information to server:
    • which version of SSL/TLS it is running,
    • what ciphersuites it wants to use, and
    • what compression methods it wants to use.

    (Client Hello)

  2. Server checks the highest TLS version that is supported by both client and the server.(Server Hello)
  3. Server picks a ciphersuite(set of algorithms) from one of the client’s options(if it supports one), and optionally picks a compression method.
  4. After this setup is done, server sends its certificate and its public key to client.(Server sends its certificate)
  5. If the certificate is trusted by the client, authentication is completed and client is sure that there is no man in the middle.(Server Hello Done)

For example, if client trusts GeoTrust(Digital certificate provider), it can trust google.com. Because google.com’s certificate is cryptographically signed by GeoTrust.

Capture3

After authentication is completed, encryption begins.

Encryption

We are in the encryption stage now. The steps for this stage are:

  1. Client will send the key info to server which is encrypted by the server’s public key. Client picks a random value (the “premaster secret”, you can think of it as the session key) and encrypts by the server’s public key. Or simply send nothing, depending on the chosen ciphersuite.
  2. Server decrypts the key with its private key and generates a symmetric key. Why didn’t we use PKE insted of symmetric key encryption? This is the answer.
  3. At this point client and the server have the same Premaster Secret key. Hence, the data that client is sending and receiving can be encrypted and decrypted by the client and the server, respectively.

Capture4

 

 

Leave a Reply