11 Mar

SSL / TLS encryption for beginners

When you log on to your bank’s site, the connection is always https for security reasons. You can check this will always be the case (or so change your bank!)

But what would happen if the communication was done in HTTP?

Well it’s simple, all the information exchanged would transit in clear. Which means that a malicious person can intercept the exchanges with your bank and thus have all the information that passes through it.

In fact the HTTPS is an HTTP connection in an encrypted SSL / TLS tunnel. And this tunnel will secure your exchanges because even if a malicious person intercepts your exchanges, the information is encrypted and therefore incomprehensible to them.

SSL wants Secure Sockets Layer. TLS means Transport Layer Security. SSL and TLS are protocols for securing exchanges on the Internet. Today it is TLS which is used, SSL being obsolete. But sometimes we talk about SSL / TLS to just talk about TLS.

Now let’s see what happens behind this SSL / TLS encryption.

Encryption consists of transforming your data to make it unreadable thanks to an encryption algorithm and an encryption key

The encryption key is used by an algorithm to encrypt and decrypt useful data (the information that we want to transit). The encryption key is a given (basically it’s a sequence of bits like a sentence or a series of numbers) that can be seen as a password. An encryption algorithm is just an encryption method, which is a way to make your data unintelligible.

In order to read this data again, it is necessary to know the algorithm and the encryption key to decrypt them.

Now that you’ve understood that, let’s move on to the concept of symmetric cryptography:

Imagine two people: Alice and Bob

  1. In this case Alice and Bob have the same secret key.
  2. Alice wants to send a message to Bob. She wants no one but Bob to read this message. So, she takes her secret key and will encrypt the message with
  3. She sends the encrypted message to Bob
  4. When Bob receives Alice’s message, he can not understand it at the reception yet. It must first decipher the message with the same secret key.
  5. And only then can he read the message And if Bob wants to answer Alice in a secure way, he can use the secret key to encrypt his answer and then send it to Alice.

So there is only one key to encrypt and decrypt a message

The big problem of symmetric cryptography is the exchange of these keys. Indeed, the fact that the 2 people must use the same key requires to have a secure channel for the exchange of the key because if someone else gets to seize the key … he will be able to read the message …

Let’s move on to asymmetric cryptography

The principle of asymmetric encryption is based on the use of 2 keys:

  • one of the two keys is called the private key and the other the public key.
  • When the user encrypts with the first key, he can decrypt with the second key
  • When the user encrypts with the second key, he can decrypt with the first key.
  • It does not matter the order of the keys used because in fact these 2 keys or encryption algorithm are linked mathematically

Let’s go back to Alice who now has a private key and a public key:

  • The private key is never transmitted to anyone (that is well its name by the way).
  • On the other hand, Alice can broadcast her public key to anyone,
  • So Alice sent her public key to Bob so the 2 could communicate

Now let’s see how it works:

  1. In this case Bob and Alice shared their public key and keep their private key.
  2. Bob wants to send a message to Alice and wants only Alice to read the message. So he encrypts his message with the public key of Alice
  3. Alice decrypts the message with her private key (only she has this key). Alice is the only one able to decipher the messages addressed to her
  4. Similarly, if Alice wants to answer Bob. Alice uses Bob’s public key to send the message;
  5. Bob will use his own private key to decipher the message

This process ensures the confidentiality of the exchange that is to say to be sure that Alice and Bob are the only ones to exchange.

Bob is sure that only Alice can read her message since Bob used Alice’s public key to encrypt her message. Only Alice’s private key can decipher bob’s message. Bob is sure that only Alice can read the message and conversely for Alice with the public key of Bob

Then asymmetric cryptography also guarantees the authenticity of the sender:

  • That is to say that for Bob is to be on Alice’s message comes Alice)
  • Yes, because if Bob succeeds in deciphering the message with Alice’s public key, it means that the message was encrypted with Alice’s private key
  • Anyone with the public key can read Alice’s message, but only Alice has her private key
  • If Bob can decipher the message with Alice’s public key, he knows that the message is from Alice.

The problem will come from the transmission of the public key. Especially if a malicious person, who will be called M for the future, positions himself between Alice and Bob, and pretends to be one of them and gives his public key instead. It’s the attack of the MITM or the middle man in French

He will broadcast a public key to Bob posing as Alice. Bob thinks that’s Alice’s public key. Alice and Bob both have the public key of M, thinking that they have that of their interlocutor. M intercepts and modifies the exchange of keys between Alice and Bob.

So, when Alice wants to send a message to Bob, she will send it by encrypting with the public key supposed to belong to Bob. In fact, M will intercept the message, he will decipher it with his private key and read the message. Then, to avoid arousing suspicion, he will encrypt the message with Bob’s public key and send the message to Bob.

Like that Bob decrypts with his private key to read the message. M is able to read the conversations between the two and retrieve important information.

And conversely, when bob wants to exchange with alice, he uses the public key of M to encrypt and M does the same thing that he intercepts the message, opens it, reads it and re-encrypts it with the public key of ‘alice.

To avoid that problem of MITM, it would be necessary to be able to certify the identity of the bearer of this key. And that’s the role of the certificate.

A certificate is a file with a dataset containing:

  • a public key (at least)
  • information that can identify the person: name, e-mail, location …
  • information related to the certificate, including its date of validity
  • And an electronic signature of a certification authority

The electronic signature is the proof the certificate has been verified by the certification authority since there is its signature. It is the guarantee of its integrity (ie the proof that the document was not altered between the moment it was signed by its author and the one where it was consulted).

Note that the electronic signature of the certificate is the combination of your information and your public key, all encrypted by the private key of the certification authority

a Certificate Authority is the institution responsible for issuing these certificates and it ensures that the information contained in these certificates is correct.

In our case, if Alice wants to create her certificate, she has to provide her public key and information about her to the certification authority and sub (because it’s not free), who she checks all that , The CA will create a certificate for Alice with the CA’s electronic signature,

The certificate attests that the public key of the certificate belongs to the person named in the certificate.