Transport Layer Security & Digital Certificates (SSL/TLS)

Intro

Secure Socket Layer / Transport Layer Security

SSL and the newer TLS are technologies that allow the secure encryption and transmission of data across the internet. Without these technologies any data sent across the internet would be susceptible to interception by third parties.

This data could include:

Personal information – home address, telephone number
Sensitive information – medical information, criminal record information
Financial information – banking logins/passwords & credit card information

TLS & Digital certificates work to ensure that data cannot be read / tampered with if intercepted and that you have protection against man-in-the-middle attacks.

Why is it needed?

Handshake Protocol

The TLS Handshake is used to establish encryption and trust between the server and client. Below is the handshake used in TLS 1.2, not the newer TLS 1.3 which is a little different.

Step 1 – Client Hello

In the first step the client sends a message to the server listing the various encryption technologies that the client supports.

This includes:

The version of SLL/TLS that the client supports
The encryption algorithms that the client supports
Data compression algorithms

Step 2 – Server Hello

The server responds with:

The chosen set of encryption algorithms to be used. This is known as the Cypher Suite.
A session ID to be used for the remainder of the connection
The server’s digital certificate, which contains the server’s public key

Step 3 – Verify the digital certificate

The client contacts the certificate authority listed on the digital certificate and checks that the certificate is authentic and is still valid, thereby verifying the identity of the server.

Step 4 – Secret key sharing

The client sends a secret key, encrypted with the server’s public key, to be used as a shared key for symmetric encryption for the remainder of the session.

Note: Most web servers actually use Diffie-Hellman Ephemeral Key Exchange for the session encryption as it provides perfect forward secrecy.

Step 5 – Server responds handshake complete

The server responds with a message encrypted using the shared symmetric key, indicating that the handshake is complete and the session then begins.

Record Protocol

Once a secure session is established the remainder of the session is secured using the cypher suite, symmetric keys and compression agreed during the handshake protocol.

Digital Certificates

Digital certificates are not just used for SSL encryption, they can also be used to verify emails and documents sent from person to person through the use of a digital signature.