Previous Post: Click here
The SSL Encryption
The SSL (Secure Socket Layer) encryption is perhaps the most crucial part of internet that has made internet what it’s. Its existence is the direct result of innovation in Cryptography.
Have you ever noticed that there are several types of urls? Some start like this:
..sometimes certain part is different, like this one:
This part of URL is called the protocol. There are other protocols, some of them which are more popular. If an Ip address or Domain name is analogous to Home address then Protocol can be considered as Mail vs Telephone. A protocol dictates how the communication should take place.
Some examples of Protocols:
URLs have other parts, but they are not relevant to SSL topic, however, here is a picture of all other parts:
Domain name, which includes TOP level domain, helps in DNS or Domain name lookup for ip address work. The Query part is a way to pass information between client and server, which can be used by server to send appropriate information.
Before I begin, lets get clear about terms I’m going to be using to explain.
Server: is where content of a website lives and is served to user.
Client: is the browser like Chrome or Firefox.
Cryptography: a field of encryption.
Hacker: Anyone who is trying to listen to, or alter our data without our permission.
Http requests are sent in plain text, they are stateless, and, therefore, can easily be read and altered. This makes it almost impossible to send sensitive information, that means that if there was no SSL the only types of sites that would thrive are like wikipedia. And rest, where Server needs to know who you are, won’t be able to function. As hacking would be too easy and no one would use it for anything serious.
What is Cryptography?
General Goal of Cryptography is to encrypt a message in a reliable way that only the intended receiver can read it and no one else.
There are three types of functions in Cryptography that we need to be aware of:
- One-Way Functions (Md5, Bcrypt, and SHA-1)
- Symmetric Key Functions (AES, Blowfish, CAST5, and RC4)
- Public Key Functions/asymmetric cryptography (RSA)
These are called functions. Given the input they create hash. The type of hash depends on the type of functions.
Oneway functions take some input, generate a unique string, which is a list of random numbers. In a good function, there would be no two identical hashes for two different inputs. And Just slightest variation in an input would completely change the hash. The reason they are called one way function is because even if you knew the function that was used to encrypt, and the encrypted hash. You can’t get the original message.
These types of functions are usually used to check authenticity of files. We encountered them in one of the git labs. Where we had to answer 30 or so questions about the git commands. The test would take our answer, encrypt it and then compare hash under the question with hash generated from our answer. If they matched exactly, answered was marked correct. Further uses of this type of function includes storing password, checking integrity of files and so on.
Symmetric key function
Symmetric Function has to have all qualities of One way function for it to be considered a good function, like no duplicates and extreme randomness in hashes generated. It has one difference, you can get original message back.
In this kind of function you input a random secret key and the message into a function. Then you get a hash. If you have a hash, know this function was used, and have a key then you can reverse it to get a original message back.
This function allows you to exchange information privately given the key was exchanged secretly.
Public Key Functions
Public Key functions are just like symmetric function except they key used to encrypt a message is not the key used to decrypt the message. Each time you generate keys you get two keys, one to lock the door and one to open the door. This is what we are going to be talking about from now on. Implications of this are huge, and it’s nothing short of magic that such a function can exists that is not only one way for one key but symmetric like for other key.
This means that you can give out a key to everyone you know, put it on your Facebook. And then anyone can use it, take his/her message, encrypt it and then post it on your wall. Only you who has the second key, private key, can decrypt it. Others can see it but they can understand it.
The SSL overview
The https protocol uses the method of Public Key to ensure secure communication. It’s lot more involved and has more policies in place but this is the general overview of steps.
- Your Browser, Chrome, makes a request to Server at http://www.google.com
- Server tells your browser to switch to https://www.google.com
- your browser connects to https://www.google.com
- Server sends the public key to your browser
- Your browser asks the third party, like Geo Trust, to confirm if the public key is indeed of https://www.google.com
- They reply back to browser “yes, this key does belong to google.com”
- your browser generate a key for itself.
- encrypts it using server’s public key
- sends it to google’s server
- now both google’s server and your browser have public key of each one and can exchange information securely by encrypting it using other’s public key then which only one who has they private key can decrypt it.
An Example of Attack that this prevents
Man in middle when contacting to server:
The hacker could still overcome the limits of Public key function by simply intercepting the client’s request to server and then returning a Public key of his own. Then Browser will use that to encrypt the message thinking it’s using the Server’s key and only it can see it but in reality only the hacker would be able to see it and either server won’t receive the request at all or if it does it would be incomprehensible. But since, 3rd party is used to verify if it’s authentic this problem becomes obvious. If key provided supposedly by server doesn’t match with what third party says, then your browser shows the error.
SSL is a monopoly right now
Currently there are handful of companies that enjoy this, and there is serious lack of competition. You have to pay at least 100 dollars per site per year to get an SSL certificate.
But there is progress, there has been an effort by non profit companies to make SSL free so internet could become more secure. Among this organizations is Mozilla.
They are going to be releasing in September.
Where to learn more:
- Deeper Explanation
- Cryptography- A thorough course from Coursera
- Journey into cryptography from Khan Academy
- Encryption/Cookies and How Web Works from Udacity