vagabond/the-internet-vagabond-dot-com
1
0
Fork 0
Code Issues 3 Pull requests Projects 2 Activity Actions
the-internet-vagabond-dot-com/2015/05/06/TLS-Part-1.html
Scribe [bot] 51707a0875 Automated Publish
2025-01-09 13:43:40 -06:00

302 lines
13 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<title>The Internet Vagabond :: An Examination of TLS, Part 1</title>
<link type="application/atom+xml" rel="alternate" href="https://www.theinternetvagabond.com/feed.xml" title="The Internet Vagabond" />
<meta name="description"
content="Rants of a wandering techy, in search of truth, knowledge, and a decent ping." />
<meta name="author" content="Bill Niblock" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="canonical" href="https://www.theinternetvagabond.com/2015/05/06/TLS-Part-1.html" />
<link rel="stylesheet" type="text/css"
href="https://www.theinternetvagabond.com/src/styles/corrupt_layout.css" />
<link rel="stylesheet" type="text/css"
href="https://www.theinternetvagabond.com/src/styles/corrupt_typog.css" />
<link rel="icon" type="image/x-icon"
href="https://www.theinternetvagabond.com/src/images/favicon.ico" />
<link rel="stylesheet"
href="https://cdn.jsdelivr.net/npm/fork-awesome@1.2.0/css/fork-awesome.min.css"
integrity="sha256-XoaMnoYC5TH6/+ihMEnospgm0J1PM/nioxbOUdnM8HY="
crossorigin="anonymous">
<script data-goatcounter="https://theinternetvagabond.goatcounter.com/count"
async src="https://www.theinternetvagabond.com/src/scripts/goatcounter.js"></script>
</head>
<body>
<div class="cor_page">
<header>
<a href="/">
<div>
<span class="first">T</span>he
<span class="first">I</span>nternet
<span class="first">V</span>agabond
</div>
</a>
</header>
<main>
<article>
<h1>TLS: An Examination Into the Security of the Internet, Part 1</h1>
<p>TLS, more often referred to as SSL, is the means by which a secure
connection is established over a computer network. Most often these
connections are established over the Internet, between a client (ex., web
browser) and a server (ex., a web site). In the specific case of web sites,
HTTP is layered on TLS/SSL to ensure a secure and private connection; HTTPS
is not a separate protocol, rather a combination or protocols. Establishing
a secure connection thus requires a few steps:</p>
<h2>Step 1: Establish an TCP connection</h2>
<p>TCP is a transport-layer protocol that establishes a connection which is
reliable and fault-tolerant. As opposed to UDP, TCP will seek to verify
that information is transferred successfully and as intended. This is
important for the next step. The connection is established as follows:</p>
<ol>
<li>A client will contact a server and announce it wishes to
establish a connection. (Called a SYN, short for synchronize). This
SYN is a number, stored as part of the TCP header; we'll call it
A.</li>
<li>The server will respond to the client announcing it has
received the client's wish, and also state that it wishes to establish
a connection. (Called a SYN-ACK, short for synchronize-acknowledge).
Ths SYN-ACK is actually two values: One is the ACK value, A+1. The
second is the server's SYN value, which we'll call B.</li>
<li>The client then acknowledged the server's wish, thus
establishing a connection (Called simply an ACK). Because it was
expecting an ACK value in step 2, and expecting that value to be A+1,
it can verify that this connection is the same as the one it started.
Additionally and similarly, the ACK which gets returned to the server
as B+1.</li>
<li>At this point, the connection is established. Both client and
server have assured themselves of a proper connection thanks to the
three-way handshake described above. From this point forward, the
server has bound a specific port to listen for any further
communications with the client. </li>
</ol>
<h2>Step 2: Establish an SSL/TLS Connection</h2>
<p>TLS, Transport Layer Security, is appropriately on the same layer as
TCP, the transport layer. TLS relies on public key authentication to
establish a secure connection between the aforementioned client and server.
The connection is established as follows:</p>
<ol>
<li>A client will announce to the server it wishes to establish a
TLS/SSL connection. It will include information such as it's TLS/SSL
version, the ciphersuites it wishes to use, and which compression
methods it wishes to use.</li>
<li>The server then uses the highest possible TLS/SSL version, chooses
one of the ciphersuites available to the client, chooses one of the
compression methods available to the client, and sends it's
certificate. A certificate is basically a container for a server's
public key, but with many additional details, and often signed by a
certificate authority, to further verify the certificate contains the
proper key. More on certificates in part 2.</li>
<li>The client then uses the server's public key to encrypt a secret.
This secret is then sent back to the server.</li>
<li>The server decrypts the secret with it's private key. This secret
is now shared by only the client and the server, and from this point
on is used for symmetric encryption.</li>
</ol>
<p>From this point forward, the connection is encrypted and secure from
external threats. Of course, this all depends on a trusted certificate and
proper encryption algorithms.</p>
<h2>Step 3: Establish an HTTP connection</h2>
<p>HTTP is an application-layer protocol, and is responsible for translating
the information from the transport layer into information used by an
application. Your web browser, for example, will utilize HTTP to translate
a bunch of hexidecimal information into alpha-numeric information, which is
then formatted and presented to you as a web page. Security is previously
established thanks to TLS/SSL, and reliability is previously established
thanks to TCP.</p>
<p>Part 2 focuses more on the specifics of TLS: certificates, cipher
suites, and public key authentication.</p>
<h1>Sources</h1>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Public-key_cryptography">
Wikipedia: Public-key Cryptography</a></li>
<li><a
href="https://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w">Stack
Exchange: How is it possible that people observing an HTTPS
connection being established wouldn't know how to decrypt
it?</a></li>
<li><a
href="https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work">
Stack Exchange: How Does SSL/TLS work?</a></li>
</ul>
<!-- ================================= -->
<!-- ================================= -->
<!-- Notes (because why remove them?)
Asymmetric Key Authentication:
- Relies on two keys: Public key, Private key
- Both keys are related, but impossible (computationally infeasable) to
identify the private key based on the public key [1][2]
- The public key can be distributed publicly
- Used to encrypt message to the owner of the private paired key
- Used to verify signatures from the private key
- The private key is kept secret
- Used to decrypt message from the public paired key
- Used to as a digital signature
Basics of an Asymmetric Key handshake:
1. Client reaches out to server, requesting a secure connection
2. Server acknowledges request, sends back it's public key
- This is commonly known as a certificate. Often signed by a
third-party to ensure it is what it's supposed to be.
3. Client uses this public key to encrypt a secret, and sends the package
back to the server.
4. The server then uses it's private key to decrypt the public-key
encrypted secret, and uses that secret hence forth to encrypt all traffic.
5. A private connection is now established.
Basics of Certificates
1. A certificate is a vessel for a server to provide authentication
information.
2. Typically a certificate will contain the following information:
- A UUID of the certificate itself
- The subject of the certificate
- The signature, and signature algorithm used
- The issuer of the certificate, as well as dates when it is valid
- The purpose of the key
- The thumbprint, and algorithm, used to hash the key
- The public key itself
3. Certificate Authorities act as a third part to verify the integrity of
public keys.
-->
<!-- ================================= -->
<!-- ================================= -->
<div class="author_info">
Bill Niblock
<a href="https://unlicense.org/"
aria-label="Code dedicated to the public domain under Unlicense">
<span class="fa fa-cc-pd" aria-hidden="true"
title="Code dedicated to the public domain under Unlicense"</span>
</a>
<a href="https://creativecommons.org/publicdomain/zero/1.0/"
aria-label="Published to the public domain under CC0">
<span class="fa fa-cc-zero" aria-hidden="true"
title="Content dedicated to the public domain under CC0"</span>
</a>
2015-05-06
<br />
[
<a href="/topics/technology">technology</a>
]
</div>
</article>
</main>
<footer>
<nav>
<div><a href="/">home</a></div>
<div><a href="/topics/all">all</a></div>
<div><a href="/topics/gaming">gaming</a></div>
<div><a href="/topics/life">life</a></div>
<div><a href="/topics/philosophy">philosophy</a></div>
<div><a href="/topics/technology">technology</a></div>
<div><a href="/topics/writing">writing</a></div>
</nav>
<hr />
<div><a href="https://www.theinternetvagabond.com/now">Life In Progress</a></div>
<hr />
<section class="h-card">
<section class="footer_about" id="about">
<div>The Site</div>
<div>
<a href="https://www.theinternetvagabond.com/feed.xml"
aria-label="RSS feed for the site">
<span class="fa fa-rss" aria-hidden="true"
title="RSS Feed"</span>
</a> |
<a href="https://theinternetvagabond.goatcounter.com/"
aria-label="GoatCounter statistics for the site">
<span class="fa fa-bar-chart" aria-hidden="true"
title="GoatCounter Statistics"</span>
</a> |
<a href="https://codeberg.org/VagabondAzulien/the-internet-vagabond-dot-com"
aria-label="Source code repository for the site">
<span class="fa fa-code" aria-hidden="true"
title="Site Source Code"</span>
</a>
</div>
<a class="u-url u-uid" href="https://theinternetvagabond.com"></a>
<p>
This site is a small slice of internet real-estate that I use for
occasional writing. Nothing I say is visionary or profound. I
focus on technology, gaming, and philosophy. All opinions my
own.
</p>
<div>The Vagabond</div>
<div>
<a rel="me"
href="mailto:bill@theinternetvagabond.com"
aria-label="Email Bill at The Internet Vagabond dot com">
<span class="fa fa-envelope-o" aria-hidden="true"
title="Email bill at theinternetvagabond.com"</span>
</a> |
<a class="u-url" rel="me"
href="https://matrix.to/#/@vagabondazulien:matrix.org"
aria-label="Speak with me on Matrix">
<span class="fa fa-matrix-org" aria-hidden="true"
title="Speak with me on Matrix"</span>
</a> |
<a class="u-url" rel="me"
href="https://mastodon.social/@azulien"
aria-label="Find me on the Fediverse">
<span class="fa fa-mastodon" aria-hidden="true"
title="Find me on the Fediverse"</span>
</a> |
<a class="u-url" rel="me" href="https://www.twitch.tv/vagabondazulien/profile"
aria-label="Link to my Twitch channel">
<span class="fa fa-twitch " aria-hidden="true"
title="My Twitch channel"</span>
</a>
</div>
<p>
My name is <span class="p-name">Bill Niblock</span>. <span
class="p-note">I'm a computer scientist by education, a technologist
by trade, a gamer by hobby, and a philosopher by accident. I
live in <span class="p-locality">Buffalo</span>, <span class="p-region">
New York</span>, <span class="p-country-name">USA</span>.<br />
<br />
My PGP Key is <span class="u-key" id="key">CCE7 3682 331B 5614 9FAB
7383 7359 80B2 6381 C91E</span>.
</p>
</section>
<section style="display: none;">
<span class="p-category">Gaming</span>
<span class="p-category">Technology</span>
<span class="p-category">Philosophy</span>
<span class="p-category">Open Source Software</span>
<span class="p-category">Self-Hosting</span>
<span class="p-category">Coffee</span>
<span class="u-email">bill@theinternetvagabond.com</span>
</section>
</section>
</footer>
</div>
</body>
</html>
Reference in a new issue View git blame Copy permalink