Secure communication is one of the most important aspects of data transmission between two endpoints. Almost all web applications have been using HTTPS (HTTP over TLS) for a long time. Let us uncover how exactly this secure communication between client and server is established using the handshake mechanism, and we will also look at the algorithms typically used for this purpose.
TLS (Transport Layer Security):
TLS is a security protocol that sits between Layer 4 (Transport) and Layer 7 (Application) of the OSI model. In simple terms, it is responsible for establishing encrypted communication between two sides.
Both TLS 1.2 and TLS 1.3 use a combination of symmetric and asymmetric encryption to exchange information between client and server.
Before we see both in action, let's understand what exactly symmetric and asymmetric encryption are.
Symmetric Encryption:
In symmetric encryption, the plaintext is encrypted to ciphertext using a single key, and the ciphertext can only be decrypted back to plaintext using the same key that encrypted it.
Asymmetric Encryption:
In asymmetric encryption there are two keys involved, mathematically related to each other (via large prime numbers). The plaintext is encrypted with one of the keys, usually referred to as the public key; the resulting ciphertext can only be decrypted with the second key, usually referred to as the private key, to get back the plaintext.
TLS 1.2:
In TLS 1.2 there is a lot of flexibility between client and server in choosing the algorithms used as the encryption strategy. However, this flexibility led to issues where weak algorithms were negotiated, weakening security. We will take a look at this picture to see how it works.
PS: I am ignoring some of the information about the role of the CA (Certificate Authority) in this context. In short, the CA supplies a digital signature as part of the certificate. The digital signature is created with the CA's private key and can only be validated, and therefore trusted, using the CA's public key and the corresponding algorithm named in the certificate.
The following are the steps, as shown in the picture above.
- When the user enters https://testing.example.com, after the DNS lookup the client tries to establish a TCP connection with the target and gets the acknowledgement.
- In typical asymmetric encryption, the key pair (public key and private key) is generated on the server before it is registered with the CA in the first place.
- Once the connection is established, the client sends an initial Hello message requesting the certificate, which contains a lot of information such as validity, the issuer of the certificate, the digital signature and the server's public key.
- Once the client has the public key, it generates a temporary session key, encrypts this session key with the public key, and sends it to the server in the second round trip.
- When the server receives this encrypted data, it can only be decrypted using the private key of the key pair registered for the asymmetric encryption.
- Once the session key is available at both ends, secure communication between client and server can begin. From then on, both ends use this session key with symmetric encryption to encrypt and decrypt the data between the two ends.
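To make the key transport described above concrete, here is an added toy example in Python (not code from the original article) that mimics the RSA key exchange of TLS 1.2: the client encrypts a fresh session key with the server's public key, and only the holder of the matching private key can recover it. The RSA primes are constructed toy values, far too small for real use; real servers use 2048-bit moduli or larger.

```python
import secrets

# Toy RSA parameters, constructed for illustration only: two small primes and
# the usual public exponent. Real TLS servers use 2048-bit or larger moduli.
P = 1000000007
Q = 998244353
E = 65537

def rsa_keypair():
    """Server-side key pair, generated once and registered with the CA."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # modular inverse of E (Python 3.8+)
    return (n, E), (n, d)        # (public key, private key)

def client_encrypt_session_key(server_pub, session_key):
    """Client step: wrap a fresh session key with the server's public key."""
    n, e = server_pub
    if not 0 < session_key < n:
        raise ValueError("session key must be smaller than the modulus")
    return pow(session_key, e, n)

def server_decrypt_session_key(server_priv, ciphertext):
    """Server step: only the private half of the key pair can unwrap it.
    Anyone who later obtains this private key can unwrap a recorded
    ciphertext too, which is why this exchange gives no forward secrecy."""
    n, d = server_priv
    return pow(ciphertext, d, n)

def tls12_rsa_key_transport(server_pub, server_priv, session_key=None):
    """Run the round trip; return (key the client chose, key the server got)."""
    if session_key is None:
        session_key = secrets.randbelow(2**56 - 1) + 1   # toy-sized, below n
    ciphertext = client_encrypt_session_key(server_pub, session_key)
    recovered = server_decrypt_session_key(server_priv, ciphertext)
    return session_key, recovered
```

After the exchange both sides hold the same session key and switch to symmetric encryption, exactly as in the last step above.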
TLS 1.3:
In TLS 1.3, with additional security in mind, servers offer only a secure algorithm as the key-exchange strategy, namely the Diffie-Hellman algorithm. This also removes one round trip and optimises the whole process.
First, we will understand the basics of the Diffie-Hellman algorithm.
With this algorithm, a total of three different keys are involved in the key-exchange process, and combining all three yields the session key. The result of combining any two of the three keys cannot be easily reversed to reveal which keys were used in the process.
It will make sense when we look at the TLS 1.3 implementation.
The following are the steps, as shown in the picture above.
- First, a TCP connection is established, just as in TLS 1.2.
- The client generates a key pair of public and private keys, where the public key and private key are combined to produce a secure temporary key which cannot be tampered with on the fly by anyone (here the public key is GREEN and the private key is BLUE -> generates the secure key CYAN).
- Once the secure temporary key is generated, both the secure temporary key and the public key are sent to the server.
- On the server side, combining the server's private key with the secure temporary key yields the final session key, which is used for symmetric encryption (here the secure temporary key is CYAN and the server's private key is RED -> generates the session key BROWN).
- In response to this first round trip, the server sends back to the client the combination of the client's public key with the server's private key (here the public key is GREEN and the private key is RED -> generates the PURPLE key).
- This temporary key is again combined with the initial secure temporary key to get the session key (here the temporary key is PURPLE and the secure temporary key is CYAN -> generates the session key BROWN).
- Once the session key is available at both ends, secure communication between client and server can begin. From then on, both ends use this session key with symmetric encryption to encrypt and decrypt the data between the two ends.
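As an added example (not code from the article), the following Python maps the coloured keys above onto standard Diffie-Hellman arithmetic: GREEN is the shared group (p, g), BLUE and RED are the client's and server's private exponents, CYAN and PURPLE are the public shares g^a and g^b, and BROWN is the shared value g^ab from which the session key is derived. The group is a constructed toy prime, and a single HMAC stands in for TLS 1.3's HKDF key schedule.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only. Real TLS 1.3 uses named
# groups such as x25519 or ffdhe2048, never a 127-bit prime.
P = 2**127 - 1   # GREEN: public parameters known to everyone, including observers
G = 5

def private_key():
    """BLUE (client) or RED (server): a secret exponent that never leaves its host."""
    return secrets.randbelow(P - 2) + 2

def public_share(priv):
    """BLUE+GREEN -> CYAN, RED+GREEN -> PURPLE: g^priv mod p, safe to send in clear."""
    return pow(G, priv, P)

def shared_secret(my_priv, their_share):
    """BROWN: (g^their)^mine = g^(a*b) mod p, identical on both sides."""
    return pow(their_share, my_priv, P)

def derive_session_key(shared, transcript):
    """Turn the raw DH value into a symmetric key; TLS 1.3 binds the handshake
    transcript into HKDF, so here the transcript keys the HMAC."""
    ikm = shared.to_bytes(16, "big")
    return hmac.new(transcript, ikm, hashlib.sha256).digest()

def tls13_key_exchange():
    """One round trip: ClientHello carries CYAN, ServerHello carries PURPLE."""
    a = private_key()
    cyan = public_share(a)
    b = private_key()
    purple = public_share(b)
    transcript = b"ClientHello|ServerHello"   # constructed stand-in for the real transcript
    client_key = derive_session_key(shared_secret(a, purple), transcript)
    server_key = derive_session_key(shared_secret(b, cyan), transcript)
    return client_key, server_key, cyan, purple

def eavesdropper_guess(cyan, purple):
    """What a passive observer holds: only the two public shares. Combining
    them with the group operation gives g^(a+b), not the BROWN value g^(a*b)."""
    return (cyan * purple) % P
```

In standard Diffie-Hellman each side combines the other's public share with its own private exponent, which is what shared_secret does; the observer's combination of the two public shares does not reproduce the session key.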
Conclusion
TLS is a very important aspect of establishing secure communication, and we have seen how exactly TLS works behind the scenes. TLS 1.3 is the latest version of the protocol, optimising the handshake and removing one round trip in establishing symmetric encryption.
I hope you enjoyed this article; please feel free to comment and share your thoughts.