When we want to communicate securely between two devices we need a shared secret key that the two computers share.
The sender encrypts the data with their copy of the key and then sends the data to the recipient, who uses the key to decrypt the data the send has sent.
When we connect to websites that we haven’t been to before then we have a problem in that we don’t have a shared key in which to perform encryption/decryption. We need a way of create a shared secret key, without sending the key to the other person in plain text, as this would leave you open to a man in the middle attack. In order to solve this problem we need to use Asymmetric encryption.
SSL & TLS
Secure Sockets Layer and Transport Layer Security
The standard protocol for connecting securely to a website is SSL/TLS. SSL was invented by Netscape back in the earl 1990s to allow internet shopping and secure logins to websites. Over the following years SSL was improved, security flaws were fixed and the wider industry adopted the technology. In the late 1990s a major improvement was released for SSL and it was renamed TLS (SSL 3.1 —> TLS 1.0).
TLS Protocol Steps
- The sender and receiver agree on what protocols and encryption techniques are going to be used. They usually agree on a standard collection of protocols known as a cypher suite.
- Both parties create a private key.
- Both parties use mathematical one way functions to create public keys from their private keys.
- Both parties send their public keys to each other.
- Both parties combine their private keys with the other person’s public key to create a shared key.
- The computers then switch to standard symmetric key using the shared key that they have just created.