SSL/TLS-Secure Connection
Whenever we browse the internet, we see that some site URLs show a padlock and some do not. The presence of this padlock symbolizes secure communication between the user and the server. The padlock indicates that a secure communication certificate is in use, and this certificate-based communication is called SSL certificate communication, i.e., Secure Socket Layer. SSL's function is to build a secure chain of trust between the user and the server. The certificate is provided by a Certificate Authority (CA) such as Let's Encrypt, Buypass, Comodo, GeoTrust et cetera, which actually builds the chain of trust by running certificate validation in a hierarchical manner.
Most modern web browsers flag sites without SSL/TLS as insecure or unsafe. Going forward, an SSL/TLS certificate may become a mandatory website hosting requirement. Hosting a website with an SSL/TLS certificate secures the data transferred between the website and its visitors by encrypting the communication; in addition, the SSL/TLS certificate helps to verify the identity of the site, so users browse over a secure, encrypted connection. The SSL certificate contains website owner information including the domain and sub-domain names, the validity period of the certificate, and the public key used for encryption.
TLS is the new or updated version of SSL; TLS evolved from SSL (Secure Socket Layer), which was developed by Netscape Communications in 1994. SSL 1.0 was never used; it was followed by SSL 2.0 and 3.0. TLS 1.0 is based on SSL 3.0. TLS 1.3 is the latest version, published in 2018, and almost all CAs are using or moving to TLS 1.3. A secure connection, or TLS, can be recognised by the presence of HTTPS in the URL, which is an implementation of TLS encryption on top of the HTTP protocol used by all websites running web services. Hence, any website served over HTTPS is deploying TLS.
SSL CERTIFICATE VALIDATION AT DIFFERENT LEVELS:
1) DOMAIN VALIDATED CERTIFICATE: In this validation, only the domain name is validated, and the certificate is issued in that name only. That is why it is the easiest validation in the SSL certificate validation game. It is suitable for servers that just want SSL for the sake of having it, for blogs, and for small enterprises not dealing with products or selling.
2) ORGANISATION VALIDATED CERTIFICATE: In this validation, additional details such as the address of the organisation behind that particular server, along with the domain name, are required for the validation check to pass. Thus it is a bit more stringent than domain validation. Validating these additional details makes the certificate more trustworthy on the user's end.
3) EXTENDED VALIDATION CERTIFICATE: This is the most expensive, most trustworthy and most time-consuming validation. It is required by all large e-commerce sites, enterprises and businesses to raise the customer trust level.
TYPES OF SSL CERTIFICATES:
1) Single Domain SSL: As the name says, it covers a single domain name, so only that one domain name is covered by the SSL certificate, and no other name or sub-domain name will be able to use the certificate.
2) Wildcard SSL certificate: A certificate that the domain and all of its sub-domains can use is known as a Wildcard SSL certificate. The list of covered sub-domains can be seen by clicking on the padlock icon in the URL bar.
3) Multi-domain SSL certificate: Multiple distinct domains can use a single certificate issued in the names of all those distinct domains. The domains are neither sub-domains of a single domain nor multiple pages of a single domain.
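To make the three certificate types concrete, here is an added example (not code from the original post) that decides whether a certificate's names cover a hostname, using the one-label wildcard rule browsers apply; the sample certificates are constructed for illustration.

```python
def name_matches(cert_name, hostname):
    """True if one certificate name (CN or SAN entry) covers the hostname.

    A wildcard is only honoured in the leftmost label, matches exactly one
    label, and never matches the bare domain: '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                       # label counts must agree
    if "*" in cert_labels[1:]:
        return False                       # wildcard only in the leftmost label
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False                       # refuse '*.com'-style wildcards
    if "*" in cert_labels[0] and cert_labels[0] != "*":
        return False                       # partial wildcards such as 'w*' are not honoured
    return all(p == "*" or p == h for p, h in zip(cert_labels, host_labels))


def certificate_covers(cert_names, hostname):
    """A multi-domain certificate lists several names; any one match suffices."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed sample certificates, one per type described in the post.
SINGLE_DOMAIN = ["www.example.com"]
WILDCARD = ["*.example.com", "example.com"]      # wildcard certs usually add the bare name too
MULTI_DOMAIN = ["shop.example.com", "example.org", "blog.example.net"]


def describe(cert_names):
    """Classify a certificate's name list by the three types from the post."""
    if any(n.startswith("*.") for n in cert_names):
        return "wildcard"
    # simplified: treats the last two labels as the registrable domain
    roots = {".".join(n.split(".")[-2:]) for n in cert_names}
    return "multi-domain" if len(roots) > 1 else "single-domain"
```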
TLS/SSL HANDSHAKE:
Phase 1: This is the Establish Connection phase. The client sends a 'Hello' message with its TLS version, a list of cipher suites and a random client number, and the server replies with a 'Hello' message along with its SSL certificate, the chosen cipher suite and a random server number.
Phase 2: This is the pre-master secret generation phase. The client sends one more random string, encrypted with the public key taken from the server's SSL certificate, commonly called the 'pre-master secret'. The server decrypts this secret with the private key of its certificate.
Phase 3: This is the session key generation phase. The client as well as the server generates the session key using the random numbers exchanged and the pre-master secret. The session key generated at both ends will be the same.
Phase 4: Handshake ends. The session key is verified and authenticated at both ends; it must be the same, and only then is a secure connection established, after which the data moves in encrypted form. If the keys differ, the connection will not be established. Once the connection is established, both client and server send a 'Finished' message to each other, giving the green signal for encrypted data transfer to proceed.
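Phases 2 to 4 above can be worked through in code. The following is an added example (not code from the original post) that implements the TLS 1.2 PRF from RFC 5246 with the standard library and shows both ends deriving the same master secret and session keys from the two Hello randoms and the pre-master secret; the random values are constructed inside the script.

```python
import hmac
import hashlib
import os


def p_sha256(secret, seed, length):
    """TLS 1.2 P_SHA256 data expansion (RFC 5246 section 5)."""
    out = b""
    a = seed                                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """Phase 3: the 48-byte master secret from the pre-master secret and both randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(ms, client_random, server_random, key_len=16, iv_len=4):
    """Key expansion (RFC 5246 section 6.3); note server_random comes first here.
    Default sizes are for AES-128-GCM: two 16-byte keys and two 4-byte fixed IVs."""
    block = prf(ms, b"key expansion", server_random + client_random, 2 * (key_len + iv_len))
    keys, ivs = block[:2 * key_len], block[2 * key_len:]
    return {
        "client_write_key": keys[:key_len], "server_write_key": keys[key_len:],
        "client_write_iv": ivs[:iv_len], "server_write_iv": ivs[iv_len:],
    }


def handshake_demo():
    """Both ends run the same derivation on the same inputs and must agree."""
    client_random = os.urandom(32)               # constructed: sent in ClientHello
    server_random = os.urandom(32)               # constructed: sent in ServerHello
    pre_master = b"\x03\x03" + os.urandom(46)    # RSA key exchange: version + 46 random bytes,
                                                 # sent encrypted under the server's public key
    client_keys = session_keys(master_secret(pre_master, client_random, server_random),
                               client_random, server_random)
    server_keys = session_keys(master_secret(pre_master, client_random, server_random),
                               client_random, server_random)
    return client_keys == server_keys             # True: the "same session key at both ends"
```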
This TLS/SSL handshake applies up to TLS 1.2; in TLS 1.3 the handshake has changed a little. In place of a 4-way handshake, it is now based on a 2-step handshake validation, completed in just one round trip. TLS 1.3 is more secure, keeps more of the exchange encrypted, and takes less time than all the previous versions.
UPGRADE IN TLS 1.3:
Phase 1: Establish Connection. As in TLS 1.2 Phase 1, TLS 1.3 also commences the handshake with the "Hello" message, with the addition of a list of supported cipher suites, a guess of which key agreement protocol the server will choose, and the client's key share for its chosen key agreement protocol.
Phase 2: Validation Completion. The server replies with a "Hello" message carrying the key agreement protocol it has chosen, its key share, its certificate and a 'Finished' message.
The server "Finished" message, which was sent in the 6th step of the TLS 1.2 handshake, is sent in the second step in TLS 1.3, thus completing the round trip in just 2 steps.
Phase 3: Finished Message. In the last step, the client validates the server certificate and generates the shared key using the server's key share. Once all the checks are done, the client sends a "Finished" message. Now the data encryption begins.
Cipher Suite: A complete set of cryptographic algorithms required to secure a network connection through SSL/TLS. For each task there is a specific algorithm. SSL/TLS performs the handshake to build the secure connection, and during the handshake the client and the web server use the following cipher suite components:
• A key exchange algorithm, used to determine how the symmetric keys in the handshake will be exchanged. Example: RSA (Rivest-Shamir-Adleman).
• An authentication algorithm, whose function is to specify how authentication of both ends, client as well as server, will be implemented and completed. Example: DSA (Digital Signature Algorithm).
• An encryption cipher, to encrypt the data. Example: AES (Advanced Encryption Standard).
• A message authentication algorithm, whose function is to check and govern how the data integrity checks will be carried out. Example: SHA (Secure Hash Algorithm).
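The four components can be read straight off an IANA cipher-suite name. As an added example (not code from the original post), this parser splits TLS 1.2-style names into key exchange, authentication, encryption and integrity, handles the shorter TLS 1.3 names where key exchange and authentication are negotiated separately, and flags the well-known weak choices a defender would want to spot in a server configuration.

```python
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")


def parse_cipher_suite(name):
    """Split an IANA cipher-suite name into the four components the post lists.

    TLS 1.2 and earlier: TLS_<kex>_<auth>_WITH_<cipher>_<hash>
    TLS 1.3:             TLS_<cipher>_<hash>  (key exchange/auth negotiated separately)
    """
    if not name.startswith("TLS_"):
        raise ValueError("not an IANA TLS cipher-suite name: %r" % name)
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        cipher, _, hash_alg = body.rpartition("_")
        kex = auth = None
    else:
        kex_auth, _, rest = body.partition("_WITH_")
        cipher, _, hash_alg = rest.rpartition("_")
        parts = kex_auth.split("_")
        # "RSA" alone means RSA for both key exchange and authentication;
        # otherwise the last token is the signature/authentication method.
        kex, auth = (parts[0], parts[0]) if len(parts) == 1 else ("_".join(parts[:-1]), parts[-1])
    aead = any(m in cipher for m in AEAD_MARKERS)
    return {
        "key_exchange": kex,
        "authentication": auth,
        "encryption": cipher,
        # with an AEAD cipher the hash drives the PRF/HKDF; there is no separate MAC
        "integrity": ("AEAD (%s)" % cipher) if aead else hash_alg,
        "hash": hash_alg,
    }


def concerns(parsed):
    """Defender-side checks on a parsed suite: well-known weak choices."""
    issues = []
    if parsed["authentication"] == "anon":
        issues.append("no server authentication (anonymous key exchange)")
    if parsed["key_exchange"] in ("RSA", "DH", "ECDH"):
        issues.append("static key exchange: no forward secrecy")
    enc = parsed["encryption"]
    if any(w in enc for w in ("RC4", "NULL", "DES", "EXPORT")):
        issues.append("weak or null encryption: " + enc)
    if "CBC" in enc:
        issues.append("CBC mode: prefer an AEAD suite")
    return issues
```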