vagabond/the-internet-vagabond-dot-com
1
0
Fork 0
Code Issues 3 Pull requests Projects 2 Activity Actions
the-internet-vagabond-dot-com/2015/11/10/TLS-Part-2.html
Scribe [bot] 51707a0875 Automated Publish
2025-01-09 13:43:40 -06:00

285 lines
13 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<title>The Internet Vagabond :: An Examination of TLS, Part 2</title>
<link type="application/atom+xml" rel="alternate" href="https://www.theinternetvagabond.com/feed.xml" title="The Internet Vagabond" />
<meta name="description"
content="Rants of a wandering techy, in search of truth, knowledge, and a decent ping." />
<meta name="author" content="Bill Niblock" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="canonical" href="https://www.theinternetvagabond.com/2015/11/10/TLS-Part-2.html" />
<link rel="stylesheet" type="text/css"
href="https://www.theinternetvagabond.com/src/styles/corrupt_layout.css" />
<link rel="stylesheet" type="text/css"
href="https://www.theinternetvagabond.com/src/styles/corrupt_typog.css" />
<link rel="icon" type="image/x-icon"
href="https://www.theinternetvagabond.com/src/images/favicon.ico" />
<link rel="stylesheet"
href="https://cdn.jsdelivr.net/npm/fork-awesome@1.2.0/css/fork-awesome.min.css"
integrity="sha256-XoaMnoYC5TH6/+ihMEnospgm0J1PM/nioxbOUdnM8HY="
crossorigin="anonymous">
<script data-goatcounter="https://theinternetvagabond.goatcounter.com/count"
async src="https://www.theinternetvagabond.com/src/scripts/goatcounter.js"></script>
</head>
<body>
<div class="cor_page">
<header>
<a href="/">
<div>
<span class="first">T</span>he
<span class="first">I</span>nternet
<span class="first">V</span>agabond
</div>
</a>
</header>
<main>
<article>
<h1>TLS: An examination into the Security of the Internet, Part 2</h1>
<p>TLS, more often referred to as SSL, is the means by which a secure
connection is established over a computer network. Part 1 examines how to
establish a secure connection using TLS. This article examines further the
techniques and technology that makes TLS secure. Specifically, a brief
examination of certificates, cipher suites, and public-key
authentication.</p>
<h2>Certificates</h2>
<p>A certificate is a vessel for a domain to provide authentication
information. More specifically, and perhaps most importantly, a certificate
is the package which transfers a key. TLS relies entirely upon Public-Key
Authentication to setup a secure connection. The challenge with Public-Key
Authentication is often sharing keys in a verifiable and secure manner.
This is to say that, despite public keys being public, you still need to
verify the owner of the key. This is where certificates, and Certificate
Authorities come in. Each certificate is tailored to a specific domain. It
includes not only the public key for a user to connect to the server with,
but also meta-data about the certificate: a UUID, and information about the
Certificate Authority; a signature authorizing the certificate, as well as
the encryption used for the signature; a thumbprint of the key, and details
of the algorithm used to hash the key; and a purpose for the certificate.
Certificates may contain additional details, but the aforementioned list is
required.</p>
<p>A Certificate Authority (CA) is a trusted third-party repository of
signed keys. The purpose of a CA is very specific: verification. A CA will
generate and issue a key-pair to a domain. The domain can then share the
public key using a certificate. How specifically a CA verifies the domains
and keys is out of scope of this discussion, but Wikipedia provides many
details on the techniques used.</p>
<h2>Cipher Suites</h2>
<p>A cipher is the algorithm used to encrypt information. Ciphers are
incredibly complex mathematical formulae, and are well beyond my
understanding. However, it is important to note that the strength of a key
is only as strong as the cipher suite used to generate it. Likewise, the
strength of a certificate is only as strong as the cipher used to sign
it. Keep this in mind when you generate and work with keys.</p>
<h2>Public-Key Authentication</h2>
<p>The most important part of TLS is public-key authentication. I would
argue that public-key authentication is one of the most important facets of
the technical world. Because of this, I want to recap in more general terms
how public-key authentication works:</p>
<ol>
<li>Two parties want to establish a secure connection.</li>
<li>Each party generates two keys: one to share publicly, one to keep
secret.</li>
<li>Each party then shares their public keys.</li>
</ol>
<p>Now, whenever one of the two parties wants to securely communicate with
the other, they "sign" (encrypt) the communication with their private key.
The second party can then use the public key of the first party to verify
the identify of the sender, and decrypt the message.
<h2>Conclusion</h2>
<p>Security is a very deep and involved topic, but one I feel every
Sys-Admin should know a bit about. While these posts are only meant to serve
as a high-level overview of TLS, there are many more-detailed sources
available. I would suggest a visit to your local Wikipedia as a good first
step. Thanks for reading.</p>
<h1>Sources</h1>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Public-key_cryptography">
Wikipedia: Public-key Cryptography</a></li>
<li><a
href="https://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w">Stack
Exchange: How is it possible that people observing an HTTPS
connection being established wouldn't know how to decrypt
it?</a></li>
<li><a
href="https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work">
Stack Exchange: How Does SSL/TLS work?</a></li>
</ul>
<!-- ================================= -->
<!-- ================================= -->
<!-- Notes (because why remove them?)
Asymmetric Key Authentication:
- Relies on two keys: Public key, Private key
- Both keys are related, but impossible (computationally infeasible) to
identify the private key based on the public key [1][2]
- The public key can be distributed publicly
- Used to encrypt message to the owner of the private paired key
- Used to verify signatures from the private key
- The private key is kept secret
- Used to decrypt message from the public paired key
- Used to as a digital signature
Basics of an Asymmetric Key handshake:
1. Client reaches out to server, requesting a secure connection
2. Server acknowledges request, sends back it's public key
- This is commonly known as a certificate. Often signed by a
third-party to ensure it is what it's supposed to be.
3. Client uses this public key to encrypt a secret, and sends the package
back to the server.
4. The server then uses it's private key to decrypt the public-key
encrypted secret, and uses that secret hence forth to encrypt all traffic.
5. A private connection is now established.
Basics of Certificates
1. A certificate is a vessel for a server to provide authentication
information.
2. Typically a certificate will contain the following information:
- A UUID of the certificate itself
- The subject of the certificate
- The signature, and signature algorithm used
- The issuer of the certificate, as well as dates when it is valid
- The purpose of the key
- The thumbprint, and algorithm, used to hash the key
- The public key itself
3. Certificate Authorities act as a third part to verify the integrity of
public keys.
-->
<!-- ================================= -->
<!-- ================================= -->
<div class="author_info">
Bill Niblock
<a href="https://unlicense.org/"
aria-label="Code dedicated to the public domain under Unlicense">
<span class="fa fa-cc-pd" aria-hidden="true"
title="Code dedicated to the public domain under Unlicense"</span>
</a>
<a href="https://creativecommons.org/publicdomain/zero/1.0/"
aria-label="Published to the public domain under CC0">
<span class="fa fa-cc-zero" aria-hidden="true"
title="Content dedicated to the public domain under CC0"</span>
</a>
2015-11-10
<br />
[
<a href="/topics/technology">technology</a>
]
</div>
</article>
</main>
<footer>
<nav>
<div><a href="/">home</a></div>
<div><a href="/topics/all">all</a></div>
<div><a href="/topics/gaming">gaming</a></div>
<div><a href="/topics/life">life</a></div>
<div><a href="/topics/philosophy">philosophy</a></div>
<div><a href="/topics/technology">technology</a></div>
<div><a href="/topics/writing">writing</a></div>
</nav>
<hr />
<div><a href="https://www.theinternetvagabond.com/now">Life In Progress</a></div>
<hr />
<section class="h-card">
<section class="footer_about" id="about">
<div>The Site</div>
<div>
<a href="https://www.theinternetvagabond.com/feed.xml"
aria-label="RSS feed for the site">
<span class="fa fa-rss" aria-hidden="true"
title="RSS Feed"</span>
</a> |
<a href="https://theinternetvagabond.goatcounter.com/"
aria-label="GoatCounter statistics for the site">
<span class="fa fa-bar-chart" aria-hidden="true"
title="GoatCounter Statistics"</span>
</a> |
<a href="https://codeberg.org/VagabondAzulien/the-internet-vagabond-dot-com"
aria-label="Source code repository for the site">
<span class="fa fa-code" aria-hidden="true"
title="Site Source Code"</span>
</a>
</div>
<a class="u-url u-uid" href="https://theinternetvagabond.com"></a>
<p>
This site is a small slice of internet real-estate that I use for
occasional writing. Nothing I say is visionary or profound. I
focus on technology, gaming, and philosophy. All opinions my
own.
</p>
<div>The Vagabond</div>
<div>
<a rel="me"
href="mailto:bill@theinternetvagabond.com"
aria-label="Email Bill at The Internet Vagabond dot com">
<span class="fa fa-envelope-o" aria-hidden="true"
title="Email bill at theinternetvagabond.com"</span>
</a> |
<a class="u-url" rel="me"
href="https://matrix.to/#/@vagabondazulien:matrix.org"
aria-label="Speak with me on Matrix">
<span class="fa fa-matrix-org" aria-hidden="true"
title="Speak with me on Matrix"</span>
</a> |
<a class="u-url" rel="me"
href="https://mastodon.social/@azulien"
aria-label="Find me on the Fediverse">
<span class="fa fa-mastodon" aria-hidden="true"
title="Find me on the Fediverse"</span>
</a> |
<a class="u-url" rel="me" href="https://www.twitch.tv/vagabondazulien/profile"
aria-label="Link to my Twitch channel">
<span class="fa fa-twitch " aria-hidden="true"
title="My Twitch channel"</span>
</a>
</div>
<p>
My name is <span class="p-name">Bill Niblock</span>. <span
class="p-note">I'm a computer scientist by education, a technologist
by trade, a gamer by hobby, and a philosopher by accident. I
live in <span class="p-locality">Buffalo</span>, <span class="p-region">
New York</span>, <span class="p-country-name">USA</span>.<br />
<br />
My PGP Key is <span class="u-key" id="key">CCE7 3682 331B 5614 9FAB
7383 7359 80B2 6381 C91E</span>.
</p>
</section>
<section style="display: none;">
<span class="p-category">Gaming</span>
<span class="p-category">Technology</span>
<span class="p-category">Philosophy</span>
<span class="p-category">Open Source Software</span>
<span class="p-category">Self-Hosting</span>
<span class="p-category">Coffee</span>
<span class="u-email">bill@theinternetvagabond.com</span>
</section>
</section>
</footer>
</div>
</body>
</html>
Reference in a new issue View git blame Copy permalink