Transport Layer Security (TLS) Zero to Hero: Part 2

Dipak Kr das
5 min read · Apr 15, 2024


In Part 1, I discussed the basics of asymmetric keys, digital signatures and digital certificates. If you are not yet comfortable with those, I'd suggest reading that article first and then coming back to this one. In this article I'll explain how data is encrypted during client-server communication to secure it.

Asymmetric Keys and Encryption

To recap, an asymmetric key is a cryptographic key pair consisting of a private key and a public key. The private key is private to the server and the public key is distributed in the form of a digital certificate.

encryption decryption using asymmetric key

Data can be encrypted with one key and decrypted with the other key. Now let's say client C wants to talk to server A. Both A and C have their own key pair, and each can have the other's public key (through mTLS or any other means).

C can send a request to server A, encrypting the request data using its own private key, and A can decrypt that data using the public key of C. Similarly, server A can encrypt the response data using its private key and client C can decrypt the data using A's public key. But there is a problem. Since the public keys of A and C are available publicly, anyone on the internet can decrypt that data using the respective public key. We want only A and C to be able to decrypt the data. How do we achieve that? A little tweak does it. See the diagram below.

Alternatively, C can send a request encrypting the data using A's public key, and A can decrypt it using A's private key. Since no one other than A has access to A's private key, the data can only be decrypted by A. Similarly, when A sends the response, it can encrypt the data using C's public key and only C will be able to decrypt it. So, our problem is solved!!!

All good, now client and server can send data securely? But there is one problem. Encryption and decryption using asymmetric keys is computationally expensive and very slow. This scheme will definitely secure the data, but data exchange will become very slow. Hmm!!! Another problem!!

And The Solution …

Symmetric encryption can help here. With symmetric encryption, data is encrypted and decrypted with the same key, and it is computationally far less expensive than asymmetric encryption algorithms. A few examples of popular symmetric encryption algorithms are AES (Advanced Encryption Standard), DES (Data Encryption Standard), 3DES (Triple DES), CAMELLIA, RC4 (Rivest Cipher 4), etc. But the problem is that, in this case, the client and the server both need the same key. Bummer!! How can both client and server have the same key?

Symmetric key Encryption

We can use a combination of asymmetric and symmetric algorithms to solve our problem. The client or the server can generate a symmetric key and use asymmetric encryption to send that key to the other party.

Once both server and client have the same key, they can start sending data encrypted with the symmetric key!!!

In the protocol, the symmetric key isn't sent directly. Rather, a few pieces of asymmetrically encrypted information are exchanged between client and server, and based on those both can generate the symmetric key. The real application data is encrypted using that symmetric key.

There is still a little problem. We have seen that there are multiple algorithms for hashing, encryption, cryptographic key pairs, etc. But how would the server and client know which algorithm to use? As part of the TLS protocol, server and client exchange information about their capabilities and agree upon the algorithms. If there are no common algorithms supported by both, communication can't happen.
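The negotiation described above, as an added example (not code from the original article): it parses the cipher-suite list out of a constructed TLS 1.2 ClientHello body and lets the server pick from it. The hello bytes, the server policy and the function names are assumptions made for the illustration; the code points are IANA-registered values.

```python
import struct

# IANA cipher-suite code points (small subset).
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
SERVER_PREFERENCE = [0xC02F, 0xC030]  # constructed sample server policy


class HandshakeFailure(Exception):
    """Stands in for the fatal handshake_failure alert (alert code 40)."""


def build_client_hello(suites: list) -> bytes:
    """Constructed sample: ClientHello body, TLS 1.2, no extensions."""
    body = b"\x03\x03" + bytes(32)              # client_version + zeroed sample random
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", 2 * len(suites))  # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                   # one compression method: null


def offered_suites(hello: bytes) -> list:
    """Parse the cipher_suites vector out of a ClientHello body."""
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                # skip version and random
    pos += 1 + hello[pos]                       # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    (length,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if length % 2 or pos + length > len(hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", hello, pos + i)[0] for i in range(0, length, 2)]


def select_suite(hello: bytes, server_preference: list) -> str:
    """Pick the first suite in the server's order that the client also offered."""
    offered = set(offered_suites(hello))
    for suite in server_preference:
        if suite in offered:
            return SUITES[suite]
    raise HandshakeFailure("no cipher suite in common")
```

RC4 cipher suites are prohibited in TLS by RFC 7465, which is why the sample server policy lists only AES-GCM suites; a client offering only `0x0005` and `0x000A` gets a handshake failure from it.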

Summary of All the Concepts We Discussed

Asymmetric Key Pair: A cryptographic key pair made up of a private key and a public key. One key can encrypt some data and only the other key can decrypt that data. The public key is shared publicly while the private key is private to the digital entity.

Digital Signature: A hash is generated from the data using a hashing algorithm, and the generated hash is then encrypted using one of the cryptographic keys. This encrypted hash is the digital signature. Usually the sender generates the signature using its own private key, and the data is sent along with the signature. The receiver validates the signature to be sure that the data is intact. The purpose of a digital signature is to ensure data integrity, NOT encryption.

Digital Certificate: An approved CA digitally signs the public key of a digital entity. Usually the certificate includes a few details of the digital entity, such as Common Name and Organisation, along with the public key. This is the identity of a digital entity. There is also the concept of a self-signed certificate. That is like an organisation trusting an identity it issued itself; outside the organisation, other people might NOT trust that identity.

Certificate Authority (CA): A certificate authority is a company or organisation that validates the identities of entities (such as websites, email addresses, companies, or individual persons) and binds them to cryptographic keys through the issuance of digital certificates. It issues the digital certificates that are trusted by other digital entities. CAs have to undergo regular audits to make sure that they are following all rules and regulations.

Symmetric vs Asymmetric encryption: With a symmetric algorithm, encryption and decryption are done using the same key, whereas asymmetric encryption involves a key pair, named the private and public key, where one key is used to encrypt the data and the other key to decrypt it. Asymmetric encryption and decryption is computationally much more expensive than symmetric encryption.

Time To Look at Packet Capture

By now you should be familiar with the key terminology and basic concepts related to TLS. I have written a separate article that analyses a packet capture to see what exactly is happening.

Transport Layer Security — part 1
Transport Layer Security — part 2
Transport Layer Security — part 3
