Transport Layer Security

Transport Layer Security is used to protect against man in the middle attacks. HTTPS (also called HTTP over SSL/TLS) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main purpose of HTTPS is to authenticate the server and protection of the privacy and integrity of the exchanged data.

What Is TLS/SSL and how it works?

Transport Layer Security(TLS) and its predecessor Secure Sockets Layer(SSL) both are a standard security protocols for establishing a secure connection between a server and a client typically used for web server and mobile device/browser. The most common use of SSL is to provide protection for confidential data, such as personal details or debit/credit card information sent by any client.

The TLS/SSL layer has following main purposes:
  • Verifying that you are talking to the server which you want to talk.
  • Ensuring that only the server can read what you send to it and only you can read what it sends back.



What is Digital Certificate?

A digital certificate is an electronic document use to exchange information securely over the internet using the public key infrastructure (PKI). It is also known as public key certificate or identity certificate.
It contains the name of certificate holder, expiry date and serial number, certificate holder's public key and digital signature of the Certificate Authority (CA).

Versions of TLS/SSL 

SSL 1.0, 2.0 and 3.0
Because of security flaws in the protocol all the SSL version are deprecated
SSL 2.0 was deprecated in 2011 by RFC 6176.
SSL 3.0 was deprecated in June 2015 by RFC 7568.

TLS 1.0
TLS 1.0 was defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0

TLS 1.1
TLS 1.1 was defined in RFC 4346 in April 2006 as an upgrade of TLS version 1.0. 

TLS 1.2
TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. 

TLS 1.3(draft)
As of July 2016, TLS 1.3 is working draft and details are provisional and incomplete. It is based on the earlier TLS 1.2 specification. 


How TLS/SSL connection established?

The secure connection is established by a handshake. The goal of this is -

·         To ensure the integrity of data means the data is not altered in between communication. Each message which is transmitted over network includes a message integrity check using a message authentication code (MAC). 
·         Authenticates the communicating parties using public-key cryptography. For each connection validate the certificates presents on both the parties (Server and client).

·         To ensure that only the valid server is able to decrypt the sent data. To make the connection private (or secure) symmetric key cryptography is used to encrypt the transmitted data. For each connection a unique key, algorithm etc. are shared secretly at the start of the session. 

Once the connection is established, both client and server can use the agreed algorithm and keys to send the data securely to each other.

To elaborate the handshake, we can break this into 3 main processes -

1. Hello Message

Client sends a Hello message to initiate the handshake. During this process client also sends all the required information which server needs to create a SSL connection along with various cipher suites (key algorithm) and maximum SSL version that it supports.
Based on client’s preferences server takes the decision on cipher suite (key algorithmand version of SSL and sends the response to the client with Hello message. This response also contains similar information required by the client.

2. Certificate Exchange
Now both the parties have to prove themselves. First server has to prove its identity to the client. To achieve this server shares its certificate to the client. The client validates the server certificate either via one of self signed certificate or via one of several Certificate Authorities (CAs) that implicitly trusted.
Similarly client also proves itself to the server.

3. Key Exchange
The encryption of the actual exchanged data will be done using a symmetric algorithm which was already agreed in process 1(Hello Message). The client generates a random key. It encrypts this key using the algorithm which agreed during Hello process and server’s public key (From certificate received during certificate exchange). Client sends this encrypted key to server. Server decrypted the key using the server its private key and the handshake process completed.

Now both the parties established secure HTTPS connection and all the data exchange is in encrypted format so no man in middle can understand the data transfer over network.

Below are the image displaying the flow of SSL handshake-


To find more interesting topics on Software development follow me at https://medium.com/@ankit.sinhal

You can also find my Android Applications on play store

Comments

  1. Thank you for sharing such an informative article. I really hope I can see other interesting posts. Keep up the good work!


    Melbourne SEO Service

    ReplyDelete

Post a Comment

Popular posts from this blog

Android Performance: Avoid using ENUM on Android

Secure and smaller APK size using Proguard

Smart way to update RecyclerView using DiffUtil