62 lines
2.6 KiB
Text
62 lines
2.6 KiB
Text
TLS: An examination into the Security of the Internet, Part 2
|
|
|
|
In Part 1, I went over how a connection is established with TLS. In this part, I
|
|
want to examine the more involved details of TLS itself. Namely, I want to
|
|
examine certificates, cipher suites, and public key authentication.
|
|
|
|
Certificates
|
|
A certificate is a vessel for a server to provide authentication informat
|
|
|
|
Cipher Suites
|
|
A cipher is the algorithm used to encrypt the information to be transmitted.
|
|
|
|
Public-Key Authentication
|
|
Big topic, very important
|
|
|
|
|
|
|
|
============================
|
|
Sources
|
|
[1] https://en.wikipedia.org/wiki/Public-key_cryptography
|
|
[2]
|
|
https://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w
|
|
[3]
|
|
https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work
|
|
|
|
============================
|
|
Notes
|
|
Asymmetric Key Authentication:
|
|
- Relies on two keys: Public key, Private key
|
|
- Both keys are related, but impossible (computationally infeasable) to
|
|
identify the private key based on the public key [1][2]
|
|
- The public key can be distributed publicly
|
|
- Used to encrypt message to the owner of the private paired key
|
|
- Used to verify signatures from the private key
|
|
- The private key is kept secret
|
|
- Used to decrypt message from the public paired key
|
|
- Used to as a digital signature
|
|
|
|
Basics of an Asymmetric Key handshake:
|
|
1. Client reaches out to server, requesting a secure connection
|
|
2. Server acknowledges request, sends back it's public key
|
|
- This is commonly known as a certificate. Often signed by a
|
|
third-party to ensure it is what it's supposed to be.
|
|
3. Client uses this public key to encrypt a secret, and sends the package
|
|
back to the server.
|
|
4. The server then uses it's private key to decrypt the public-key
|
|
encrypted secret, and uses that secret hence forth to encrypt all traffic.
|
|
5. A private connection is now established.
|
|
|
|
Basics of Certificates
|
|
1. A certificate is a vessel for a server to provide authentication
|
|
information.
|
|
2. Typically a certificate will contain the following information:
|
|
- A UUID of the certificate itself
|
|
- The subject of the certificate
|
|
- The signature, and signature algorithm used
|
|
- The issuer of the certificate, as well as dates when it is valid
|
|
- The purpose of the key
|
|
- The thumbprint, and algorithm, used to hash the key
|
|
- The public key itself
|
|
3. Certificate Authorities act as a third part to verify the integrity of
|
|
public keys.
|