SSL TLS

Symmetric encryption

Sender and receiver have the same key that is used to encrypt and decrypt.

A challenge is to exchange the key between the two parties.

Asymmetric encryption

There is a public key that allows anyone to encrypt, but this key cannot be used to decrypt.

Only the receiver has the private key that is used to decrypt. The private key is a secret and is never transmitted.

Encryption

TLS is used to encrypt HTTPS connections.

SSL (Secure Sockets Layer) is an old protocol deprecated in favor of TLS (Transport Layer Security). SSL itself is rarely used anymore, but the name is still used as a synonym for TLS.

TLS comes in different variants and versions. TLS 1.3 is the standard today.

Obviously, HTTPS aims to minimize the overhead of encryption and authentication.

Plain HTTP uses a GET message to request a web page from the server; the server then responds with an HTTP message containing the web page.

With HTTPS and TLS 1.3 there is a first (Diffie-Hellman) exchange between client and server that performs the server authentication and initializes the encryption; after that the GET is sent and the web page is retrieved.

TLS 1.3 uses asymmetric encryption in the first exchange and then uses symmetric encryption to get the web page.

The client sends its public key plus the private key that is encrypted using the same public key to the server. The private key is encrypted so it cannot be extracted.

The server uses its private key and the encrypted private key of the client to create the symmetric key, but it does not send the symmetric key back to the client. Instead it takes the public key of the client, encrypts a (not the) private key with it, and sends it to the client.

Since the client knows its private key, it can extract the server's private key and create the symmetric key. The symmetric key is therefore also not transmitted.

Authentication and TLS

Encryption is not enough; authentication is needed to make sure the party we talk to is really the one we think it is.

The server authenticates itself to the client using standardized X.509 certificates. Those certificates are usually signed by «Certification Authorities» (CA). The certificates expire. The expiration time is some months.

The server can send its private key as a certificate request to a CA; the CA then signs the certificate. The certificate holds the public key of the server, the public key of the CA, and a version of the server's public key encrypted with the CA's public key.

Before the client communicates with the server, it checks the certificate. It sees in the certificate (if the certificate is not expired or revoked) the server's public key. It can take the public key of the CA and encrypt it to get the same signature as in the certificate.

The root certificates are used to certify the CAs. The root certificates are self-signed and installed with the clients' operating systems.

Self-signing certificates is also common during software development.

