Friday 3 April 2015

SSL

In the earlier posts, we have discussed symmetric/asymmetric key infrastructure, digital signatures and Digital certificates.

Now we will cover how information exchange is made secure on web using SSL.
i.e. when you enter sensitive information like credit card details or bank login credentials, how is it ensured that data is transferred securely from your browser to server.

For this websites rely on HTTPS (Hyper Text Transfer Protocol Secure), which uses SSL (Secure Socket Layer).

If a webserver needs to communicate with client over https, it first needs to get a valid SSL certificate.

SSL Certificate:
It is a digital certificate that identifies the webserver (Organisation owning the webserver). It is issued by Certificate Authorities

For getting a SSL certificate you need to first create a CSR request. A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR (But is not sent to CA).
As discussed in the previous post, CA signs the information contained in your CSR request with their private key and provide you with SSL certificate.

You add the certificate on your web server. 

How SSL certificate creates a secure connection

Now lets see how secure communication takes place between browser and web server.




1. Browser requests a secure page (https:\\..) (or if it request for a secure page via http, webserver redirects it to https)

2. Web server sends its public key to browser via the SSL certificate.

3. As browser already have CA public key (CA Root certificate), it can decrypt the certificate and get web servers public key. It also validates that the certificate was issued by a trusted party and that the certificate is still valid and is related to the site contacted.

4. Once the verification is complete, browser uses the public key to encrypt a random symmetric encryption key and sends it to the server.

5. Server then decrypts the key using its private key and sends an acknowledgement back to browser.

This complete process is called SSL handshake, where browser and webserver exchanged a symmetric key.


6. Now both browser and server have exchanged a symmetric key and data can be exchanged securely between them by encrypting it with the symmetric key. As only browser and webserver have the symmetric key, no one else can read the secure data.

The reason to use symmetric key instead of directly using web servers public key to encrypt future messages is that symmetric encryption is faster than asymmetric key encryption. So we use asymmetric key to encrypt and exchange the symmetric key, and actual content is then encrypted by the symmetric key.


Monday 17 March 2014

Digital Certificates

We discussed digital signatures in my previous post. Digital signatures involves two keys:
  1. Public key 
  2. Private key
Private key is supposed to be kept private and is never disclosed, on the other hand public key can be distributed as widely as owner wants.

The distribution of public key causes security issues of its own.

Suppose you want to get Alice's public key, what options do you have ?
  1.  If you know him personally you can invite him over tea or call him directly to get his public key.
  2. If Alice is unknown, you can take his public key from his website.
  3. Drop  him an email to send his public key to you 
  4. Or you can google it.



Issue with Public Key distribution

But the problem is that how do you know that the public key you receive is really the public key of Alice ?

The difficulty of public key distribution is that no matter what means of communication you use, the public key can be potentially tampered with.
For e.g. if you visit Alice website, someone can intercept the web page and change the key en route to your browser.
If someone, lets say John is able to successfully replace Alice's public key with his own, he can pretend to be Alice and can take advantage of trust you place in Alice's signature.

Certificate Authorities

To address these difficulties of public key distribution several certificate authorities (CAs) have been established for the purpose of vouching for public keys.

To get a drivers license you typically apply to a Govt agency like department of motor vehicles which verify your identity , your ability to drive, you address and other information before issuing a license. To get a student ID, you apply to school or college , which performs different checks (if you have paid tuition fees, your class etc) before issuing you the ID.

Certificates work much the same way as any of these familiar forms of identification. Certificate Authorities are entities that validate identities and issue certificates.

So Alice can go to a Certificate Authority, complete their formalities to prove that he is indeed Alice.
CAs can use different methods to validate the identity of individuals based on their policies.

There are many CAs to choose from :










What does certificate contains ?

Digital certificate contains following information:
  1. Name of the entity it identifies
  2. Public key of entity
  3. Digital Signature of CA
  4. Expiration Date of certificate
  5. Name of the CA that issued it
  6. Serial number etc.

How is a certificate created ?

The certificate issued by CA binds identity information (i.e. name of the entity like employee, server, company etc) of entity with entities public key.

CA takes entity's identity information, entity's public key and name of CA itself , creates a message digest out of this information and signs it with its own private key. The end product is called Digital Certificate.


 

How it works ?


Coming back to our original problem, distributing public key for Alice.
Now Alice has obtained a certificate from CA. You can get Alice certificate from any medium email, website etc. Once you get the certificate you decrypt it with CAs public key and you will get Alice public key

As the certificate is signed with CAs private key, you can verify the validity of certificate if you are able to decrypt it using CAs public key, as only the certificate signed by CAs private key can be decrypted by its public key.

The only question now remains, where to get CAs public key ?

Well you need not to worry for that, CAs public key is already available on your system. For e.g. browsers/OS already have public key for CAs embedded in them.

So using digital certificates, one can distribute his public key without the risk of someone using fake public keys for impersonation.

Sunday 22 December 2013

Digital Signatures

I recommend you to read my previous post "cryptography basics" before starting on this one.

So as discussed previously, Alice has two keys a public key and a private key. Alice's Public key is available to anyone who needs it, but he keeps his Private Key to himself. 


Keys are used to encrypt information, so that only a person with the appropriate key can make it readable again. Either one of Alice's two keys can encrypt data, and the other key can decrypt that data.

Using his private key and helping software, Alice can digitally sign documents. 
  • Digital signatures are used to verify that a message really comes from the claimed sender. 
  • They can also ensure that the original content of the message has been sent unchanged. 
  • They are also difficult to forge (if Alice keep his private key secret)
  • They can also be used to time stamp documents, i.e. testifying that the document existed at the stated time.

How Digital signatures are created and how they work

 1.  First, the message is transformed in to just few lines using hashing. 
(hashing uses a hash function that takes an arbitrary block of data and returns a fixed-size bit string, the "cryptographic hash value", such that any (accidental or intentional) change to the data will (with very high probability) change the hash value, also it impossible to get the original message back from a given hash value)


 2.  Now this generated message digest is encrypted using Alice's private key, this resulted encrypted data is a digital signature.

 3. The generated signature is appended to the original document, to create a signed document.



Now suppose, Alice sends this signed document to his lawyer Bob.

Bob

 

1. Bob decrypts the signature using Alice's public key

If Bob is able to successfully decrypt the signature using Alice public key, it confirms that Alice only signed this document (as he only has the private key).

2. Next, Bob generates message digest (using hashing) of that document

3. If the message digest created in step 2, matches the message digest created in step 1, it indicates that message content was not changed. So now Bob is sure that this document was sent by Alice and no one changed the message content in between.

In next post I will discuss digital certificates and role of Certificate Authorities.

Friday 20 December 2013

Cryptography Basics


Cryptography

 Its a science of writing in secret code, i.e. to protect message from being viewed by unauthorised parties.
A message is converted to a form, that even if its intercepted by unauthorised parties, they can not make any sense out of that message.

 Cryptography Terminology

 Plaintext: the actual message

Encryption: Encoding of message content to hide it contents.

Ciphertext: encrypted message

Decryption: Process of retrieving plain text from cypher text. 

Cryptographic Algorithms


Encryption/decryption usually make use of  a key, following are the two classes of key based encryption algorithms:

1. Symmetric (Secret key)
2. Asymmetric (Public key)

Symmetric (secret key) Cryptography

 Single key is used for both encryption & decryption


  • It is called symmetric as single key is used for both encryption & decryption.
  • Obviously key must be known to both sender and receiver, but it should remain secret for outside world.
  • Biggest difficulty with this system is distribution of key
  • e.g. DSA algorithm 

 Asymmetric (public key) cryptography 

  • This system uses separate keys for encryption and decryption.
  • Computationally infeasible to determine decryption key from encryption key and vice-versa.

  • One key is designated as public and advertised as widely as owner wants, the other key is private and is never revealed.
  • For e.g. suppose Alice publishes its encryption key, anyone can use that key to encrypt message, but only Alice can decrypt it (as he only has the private key) 
  • e.g. RSA algorithm

Private key Vs Public key

Computing public key cipher takes much longer than using symmetric key for encoding the same message.
But with symmetric key, distribution of key in safe manner is difficult.

So In practice, below approach is used:
  • Message is encrypted using secret key cryptography
  • secret key itself is encoded using public key cryptography
  • i.e. public key system "transports" the secret key
  • As secret key is usually much shorter than the message, it results in significantly faster processing than using public key cryptography alone.




Summary

In this post we discussed basic concepts of cryptography. We understood two types of cryptographic systems: public key and secret key.

In next post we will discuss what are digital signatures and digital certificates.