Practical SSL/TLS and Cryptography

Author - Santoshkumar C Pandey (CEO SKP)

How SSL/TLS is used to obtain data confidentiality, integrity and authentication. How symmetric and asymmetric encryption work and when each is used. What the public key and private key in a key pair are. What a signature is, how it is generated and how it is used. What a CA and PKI are, what their role in SSL/TLS is, and more.

HTML is transferred over the internet using HTTP.
SSL/TLS builds a secure hypothetical tunnel between client and server to protect your data.
SSL/TLS can protect any data, as in an SSL VPN: a corporate connection made up of the client, the tunnel and the
corporate firewall (and, behind it, the corporation's apps, databases, emails …).
SSL/TLS can hide the identity of a client, i.e. where they are connecting from, via a VPN provider.

Why 2 names
    SSL - Created by Netscape in 94 
    TLS - SSL maintenance taken over by the IETF in 99; the IETF renamed it from SSL to TLS.

How can SSL/TLS protect?
    Confidentiality (using encryption with the public key of the server)
    Integrity (using hashing; a hacker can modify the data, but the server will know because the signature will fail)
    Authentication: using PKI, the client's and server's identities are confirmed by SSL/TLS (from their certificates)

Anti Replay
    This feature helps detect duplicate copies of data packets created by a hacker (e.g. increasing an account
     by 100 USD 10 times).
    SSL/TLS provides this feature built in. When the data packets of a message are created, each gets a sequence #.
    If a data packet is copied and replayed, it will be caught at the server side and the extra data packet will be rejected.

Non Repudiation 
    It means the SSL/TLS features of integrity and confidentiality don't allow a client to lie about a sent message
    (e.g. if a message is sent that contains incriminating evidence, the client cannot disown the data, due to
    integrity and authentication).

Key Players

Client
    The client will initiate the TLS handshake.
    E.g. a browser or IoT device (any device which can connect to the internet).
    Optionally authenticated.
    Need not be verified by a certificate, like me logging on to BankOfAmerica.com from a browser.
Server
    The server will receive the TLS handshake.
    E.g. Apache server, Nginx; it can be a load balancer or SSL accelerator.
    Always authenticated.
    BankOfAmerica.com will show a certificate which is provided to it by a CA.
    The client browser will accept the BankOfAmerica cert if it is authorized by a CA.
    Since the client trusts the CA, by common sense the client will also trust any
     certificate which is certified by the CA; it is called the Trust Anchor.
            
CA
    A CA, i.e. Certificate Authority, is a known organization, like DigiCert, Entrust etc.
    The CA's job is to verify and approve an organization's certificate before issuing it to the organization
     (for its identity, during the SSL/TLS handshake).
    All clients trust the CA, so by common sense a client will also trust any certificate which is
     certified/approved by the CA; it is called the Trust Anchor.

Hashing
    Hashing is simply applying a function to a data input to produce a different output,
     which is also called a digest.
    So "I am Ram" --> (hashing) --> 52
    So 52 is the output of hashing.

4 Requirements for a Hashing Function (Algorithm)
    Infeasible (not feasible) for two inputs to produce the same digest.
    Impossible to extract the input from the digest.
    A slight change in the input produces a drastic change in the digest.
    A change in the input produces a digest of the same length.

In hashing, collision is inevitable. A collision is when 2 messages produce the same digest.

What makes it possible to see such a collision?
    If the hashing algo has a smaller bit capacity, the chance of a collision is higher.
    E.g. a 3-bit algo (e.g. MY-ALGO-3) can support a maximum of 2 to the power 3, i.e. 8, possible digest values.
    So the 9th input will result in one of the previous 8 hash values, and this is called a collision.
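
The 3-bit case above, worked through as an added example (not part of the original notes). SHA-256 cut down to a few bits stands in for the hypothetical MY-ALGO-3; the names tiny_hash, first_collision and differing_bits and the "input-N" messages are made up for this illustration. It also goes one step further than the text and shows how quickly collisions appear at 16 and 24 bits.

```python
import hashlib

def tiny_hash(data: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of SHA-256: a stand-in for a small-digest algorithm."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def first_collision(bits: int):
    """Hash b'input-0', b'input-1', ... until two inputs share a digest.
    Returns (earlier_input, later_input, digest, inputs_tried)."""
    seen = {}
    tried = 0
    while True:
        msg = f"input-{tried}".encode()   # constructed sample inputs
        tried += 1
        d = tiny_hash(msg, bits)
        if d in seen:
            return seen[d], msg, d, tried
        seen[d] = msg

def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 SHA-256 output bits differ between two inputs."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")

if __name__ == "__main__":
    # With 3 bits there are only 8 digests, so a collision must appear by the 9th input.
    # With more bits it is still found long before all 2**bits values are used up.
    for bits in (3, 16, 24):
        a, b, d, tried = first_collision(bits)
        print(f"{bits:2d}-bit digest: {a!r} and {b!r} both give {d:#x} after {tried} inputs")
    # A one-letter change flips roughly half of the output bits.
    print("bits changed:", differing_bits(b"I am Ram", b"I am Ran"), "of 256")
```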

Examples of Hashing Algos
    SHA-2 family
    SHA-256 (a 256-bit digest will be produced)
    SHA-512 etc…

How Does Hashing Provide Real-World Integrity?
    Using hashing, data integrity is maintained.

For Authentication:
    Both parties must agree to a mutual SSL.

Using hashing with a common key (by the client during encryption and by the server during decryption),
authentication is obtained.
For encryption/decryption a common key is used, which must be known only by the client and server;
hence data integrity is maintained, plus the server will know the client, as the same common key is held by both parties.

The client uses key + message to produce a digest.
The server uses the same key + message to produce its digest, which matches the incoming digest.
Combining message + secret key to produce a digest is called a Message Authentication Code.

The industry standard for combining a key with a message to produce a digest is called HMAC,
i.e. Hash-based Message Authentication Code.
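
The key + message digest described above and the sequence # from the Anti Replay section, put together in one added example (not part of the original notes). The record layout, the KEY value and the names protect and Receiver are assumptions made for this illustration; real TLS keeps the sequence counter implicit on both ends instead of sending it.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-not-a-real-secret"   # constructed sample key

def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Client side: digest = HMAC-SHA256(key, seq || message); record = seq || digest || message."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + tag + message

class Receiver:
    """Server side: recompute the digest with the shared key, then enforce the sequence #."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, record: bytes):
        header, tag, message = record[:8], record[8:40], record[40:]
        expected = hmac.new(self.key, header + message, hashlib.sha256).digest()
        # compare_digest runs in constant time, so the check leaks no timing hint
        if not hmac.compare_digest(tag, expected):
            return (False, "digest mismatch")
        # The sequence # is covered by the digest, so it cannot be edited to dodge this check
        if int.from_bytes(header, "big") != self.next_seq:
            return (False, "replayed or out-of-order record")
        self.next_seq += 1
        return (True, message)

if __name__ == "__main__":
    server = Receiver(KEY)
    record = protect(KEY, 0, b"credit account by 100 USD")
    print(server.accept(record))                        # accepted once
    print(server.accept(record))                        # exact copy replayed: rejected
    print(server.accept((1).to_bytes(8, "big") + record[8:]))  # renumbered copy: digest fails
```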

Encryption
    It's all about confidentiality.
    A message encrypted for an intended end party must be decryptable only by that party.
    Any other party should not be able to decrypt it.

    To do this, key-based encryption must be used, because hackers can reverse engineer a known
     algorithm to decrypt the data. So adding a secret key to the message and then running encryption
     on it will make it impossible for a hacker.

Encryption algorithms are created to work with mathematically linked keys.
This means a message encrypted with one key (X) can be decrypted by its mathematically linked key (Y).
These 2 keys are called the public key and the private key.
So a user can share its public key with the world, and the world can use this public key to encrypt when a message is intended for this user.
And only this user can decrypt the message, using the mathematically linked private key which only it has.

E.g. of Asymmetric Encryption Algos
    DSA
    RSA
    Diffie-Hellman
    …

Symmetric Encryption Algo
    DES
    RC4
    3DES
    AES

Public and Private Key
    The public and private key together are known as a key pair.

Pam               and                   Jim
Pu1 Pk1                                 Pu2 Pk2

Confidentiality (an asymmetric key pair ensures confidentiality)
    Jim can send a message securely to Pam over the internet by encrypting the message using Pam's public key; it can be decrypted by Pam using her private key.

What if Pam doesn't care about confidentiality but wants to prove that it was definitely her who sent the message?
    Pam can encrypt her message using her private key.
    Jim can decrypt it using Pam's public key only, hence confirming 2 things:
    that it's Pam who sent the message (hence authentication is provided).
    It also proves that the data was not modified in transit by a hacker (hence data integrity is provided).

The above process is called a message signature.

So asymmetric encryption is used to create a signature, which provides data integrity and authentication.
    Basically, an asymmetric key pair is used to provide both:
    Encryption to get confidentiality.
    Signature to get integrity and authentication.


Limits of Asymmetric Encryption
    Slower to process Bulk Data.

What is a Hybrid Approach
    Bulk Data Should be Protected using Symmetric Encryption.
    And Use Asymmetric Encryption to Share/obtain a Symmetric Key.

Pam               and                Jim
Pu1 Pk1                              Pu2 Pk2

Pam will generate a random key and share it with Jim using Jim's public key.
Only Jim will be able to decrypt this data using his own private key, and now both Pam and Jim have a common key.

Going forward, both Pam and Jim will use symmetric encryption to send bulk data in either direction.
This concept is called the hybrid approach.

This is how SSL, TLS and SSH protect data.


What about Signatures:
    With signatures you get integrity and authentication by encrypting something with your own private key.
    But asymmetric encryption has its limitation: you cannot asymmetrically encrypt the whole message, as it has a performance impact.
    Instead the client can use a hashing algorithm to convert the message to a fixed-length (small in size) fingerprint (hashed value).
    So a signature will use a hashing algorithm to simplify the process.

Pam               and                Jim
Pu1 Pk1                              Pu2 Pk2

So let's say Pam will run a hashing algo over a part of the message and create a hash (fingerprint/digest);
 now Pam will use her private key Pk1 to encrypt it, and that will result in a signature.
Pam will now attach the signature to the message and send it to Jim.
Jim will now use Pam's public key to decrypt the signature and get the message digest which Pam created originally.
Jim will also create a digest by applying the hashing algorithm to the message and compare his digest
 (freshly generated by Jim) with Pam's digest (obtained by decrypting the signature using Pam's public key).

If both digests match then we obtain integrity (because both digests match)
and
authentication (as the signed value was decrypted by Pam's public key).
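
The hybrid approach and the hash-then-sign flow described above, run end to end between Pam and Jim as an added example (not part of the original notes). Everything here is a teaching stand-in chosen so that it runs with the standard library only: textbook RSA without padding on well-known primes, and a SHA-256 keystream in place of AES; all function names and keys are made up for this illustration.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed keys from well-known Mersenne primes: trivially factorable, NOT secure.
PAM_PUBLIC, PAM_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)   # Pu1, Pk1
JIM_PUBLIC, JIM_PRIVATE = make_keypair(2**89 - 1, 2**607 - 1)    # Pu2, Pk2

def digest(message: bytes) -> int:
    """SHA-256 fingerprint of the message as an integer (smaller than either modulus)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream; same call decrypts.
    There is no nonce, so one key may protect one message only. Real systems use AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def pam_send(message: bytes):
    """Pam: sign the digest with Pk1, wrap a random key with Pu2, encrypt the bulk data."""
    n1, d1 = PAM_PRIVATE
    n2, e2 = JIM_PUBLIC
    signature = pow(digest(message), d1, n1)
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e2, n2)   # asymmetric, done once
    return wrapped_key, keystream_xor(session_key, message), signature

def jim_receive(wrapped_key: int, ciphertext: bytes, signature: int):
    """Jim: unwrap the key with Pk2, decrypt, then compare his digest with Pam's."""
    n2, d2 = JIM_PRIVATE
    n1, e1 = PAM_PUBLIC
    session_key = pow(wrapped_key, d2, n2).to_bytes(32, "big")
    message = keystream_xor(session_key, ciphertext)
    pams_digest = pow(signature, e1, n1)        # "decrypt" the signature with Pu1
    return message, pams_digest == digest(message)

if __name__ == "__main__":
    wrapped, ct, sig = pam_send(b"constructed bulk data " * 100)
    print(jim_receive(wrapped, ct, sig)[1])                           # True
    print(jim_receive(wrapped, bytes([ct[0] ^ 1]) + ct[1:], sig)[1])  # False: modified in transit
```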

Hope this summary helps.