Secure Communication is really vital for every business today and Secure Socket Layer (SSL) is one of the most used mechanisms to perform this task. In this writing I will just give a brief concept about SSL, there are different variations to this according to your usage.
Before talking about SSL, Let us introduce some people who will help us talk about cryptography and SSL/TLS.
Alice – A normal person like us who wants to communicate with Bob.
Bob – Another normal person like us who wants to communicate with Alice.
Eve – Fascinated by Alice and Bob and she wants to eavesdrop on what they are talking about.
Mallory – A malevolent person, who not only tries to listen to what Alice and Bob are talking about but also tries to alter, delete and substitute their messages by fooling them. He is known as the man in the middle.
Long Time Ago
Back in time around 1981, Data Encryption Standard (DES) was published as a symmetric algorithm. It was used with the 56 bit key that could be shared but kept secret. Once the key was agreed on, all of their communications would be opaque to man in the middle.
There was one problem – how could they agree on a key? Alice couldn’t send a key to Bob because both Eve and Mallory would see it as she had to send it unencrypted. After that, Mallory could intercept messages from Alice to Bob, decrypting them with the real key, reading them, then encrypting them with the fake key and sending them on. The same thing would happen on the return journey. Alice and Bob’s messages would be nowhere near secure.
So the best was to share the key for them is to meet in person and decide the key and even if that key gets hacked then again meet up and decide new key. (By the way, Alice and Bob are living very far from each other).
Some Time Ago
Standard DES has been supplanted with variations (triple-DES) and new algorithms (AES) with longer keys, but for Alice and Bob, the same old problem is still present: how to agree on and exchange a key securely.
Even though they were already facing difficulty in communication and with advancements of computers the malevolent man in the middle become fast enough to brute force the decryption of DES, thus the public key cryptography was invented.With public key cryptography, things are different. Public key cryptosystems use two separate keys: a public key and a private key. The cryptosystem (the most famous one is RSA, named after its inventors Rivest, Shamir, and Adleman) uses special mathematical algorithms so that the encryption of a plain text message and the decryption of that encrypted message use different keys.
The keys are related mathematically, but knowing one doesn’t really help you discover the other, Because there are different keys for encrypting and decrypting, these cryptosystems are known as asymmetric algorithms. This is how Alice would encrypt a message to send to Bob with a public key algorithm.
Both she and Bob have private/public key pairs, properly generated according to the algorithm they’re using. Alice will encrypt the plain text message with her private key (known only to her), and then encrypt the result of that with Bob’s public key. She knows Bob’s public key because he publishes it (similarly she publishes her own public key).
She then sends this twice-encrypted message to Bob. He receives the encrypted message from Alice. He then decrypts the message with his private key (this key is a secret known only to him) and then decrypts the result of that with Alice’s public key.
If the result is legible, he knows a couple of things with certainty: only he could read it (neither Eve nor Mallory could, since only his private key could decrypt it), and Mallory couldn’t have slipped in a fake message since the original message could only have been encrypted with Alice’s private key. So everything is well, and he and Alice can communicate with abandon.
In fact, since public key crypto-systems are much slower at encrypting and decrypting than symmetric algorithms, in general only one message is sent using a public key cryptosystem: which is a randomly generated key for a symmetric algorithm and used for further communication.
All of a sudden, Alice and Bob’s original problem with a symmetric encryption algorithm is removed: Alice just sends Bob a brand new 256-bit key encrypted using RSA in the manner I just described, and then they communicate using AES with that 256-bit key. They don’t have to meet at all.
It sounds full proof but still one flaw: how do Alice and Bob exchange their public keys securely? Alice can’t send an unencrypted message to Bob containing her public key, because Mallory may intercept that message and substitute his own public key. (Ditto for Bob informing Alice of his public key.) If that did happen, Mallory would be in complete control of the message channel.
Let’s call the two key pairs that Mallory generates, fakeAlice and fakeBob; Alice thinks fakeBob is actually Bob, and Bob thinks fakeAlice is Alice. Suppose Alice sends a message to Bob. She encrypts it with her private key and then with fakeBob’s public key and then sends it.
Mallory gets it, decrypts it with the fakeBob’s private key and with Alice’s public key, and reads the message. He then encrypts a new message with fakeAlice’s private key and Bob’s public key and sends it to Bob. Bob can decrypt it with his private key and fakeAlice’s public key.
Alice and Bob still have to meet in order to exchange their public keys. We’re no better off than we were before.
Secure Sockets Layer: A Superhero!!
In practice, this problem is solved by one more level of indirection: the CA or certificate authority.
A CA issues digital certificates that identify a particular person or entity and the public key used by that person or entity. In essence, a digital certificate is a name (usually a domain name) and the associated public key encrypted by the CA’s private key. You can check the validity of a certificate by decrypting it with the CA’s public key.
But still one question comes to the mind, how do Alice and Bob know the CA’s public key? Can’t Mallory just intercept this and replace with his own public key?
Technically yes, but in practice, the CA’s public key is provided as a certificate with the browser or as part of the operating system. CA certificates are truly publicly published. You trust that these certificates are valid because they’re delivered to you with your operating system or browser.
Once Alice and Bob buy their digital certificates from a particular CA, they can send them to each other with impunity, in essence by trusting the CA. Alice can check Bob’s certificate (and discover his public key) by decrypting it with the CA’s certificate, and vice versa. Once that’s done, they can send each other secure messages.
In a crux
- Assume Alice and Bob both have public and private keys
- If Alice encrypts something with Bob’s public key, she ensures that only Bob can decrypt it (using his private key)
- If Alice encrypts something with her own private key, anyone can decrypt it (using her public key), but they will know that it was encrypted by her
- Therefore, if Alice encrypts a message first with her own private key, then with Bob’s public key, she will ensure that only Bob can decrypt it and that Bob will know the message is from her.
Regarding SSL certificates, here’s what is important to know:
- You generate a request for a certificate. In that request, you put your own public key and a bunch of information about yourself like company name, email etc.
- The certificate issuer (in theory) checks you out to make sure it knows who you are and are you a secure channel or not.
- If they’re satisfied, the certificate issuer then encrypts the hash of your request with their private key. Anyone who decrypts it with their public key knows that they vouch for the information it contains: they agree that the public key is your and that the information stated is true about you. This encrypted endorsement is the certificate that they issue to you.
- When somebody connects to your site or server, You send them the certificate.
- Their browser/OS already knows the issuer’s public key because their browser/OS came installed with that information.
- Their browser uses the issuer’s public key to decrypt what you sent to them. The fact that the issuer’s public key works to decrypt it proves that the issuer’s private key was used to encrypt it, and therefore, that the Issuer really did create this certificate.
- Inside the decrypted information is your public key, which they now know has been vouched for. They use that to encrypt some data to send to you.
It should be noted that the whole system is essentially a technical implementation of the idea “you trust the certificate issuer, and they trust me, therefore you can trust me.” Unfortunately, sometimes the certificate issuer isn’t trustworthy (like the case of DigiNotar which led to almost 300,000 Gmail users hack)