Blog

DECIPHERING SSL

Purnima

Published 14 Apr, 2023

In the age of the Internet, everything is available at our fingertips, we are just one click away to get any information from anywhere in the world, including our sensitive data as well. This sensitive data needs to be secured so that it does not get exposed to hackers. When we search the internet for any information, it gets transmitted to our browser from a server. The browser to server communication aka client-server communication happens over HTTP protocol. HTTP protocol by itself cannot protect our sensitive data. That’s where SSL comes to rescue.

What is SSL?

Secure Socket Layer (SSL) is an encryption-based protocol which establishes a secure and trusted connection between browser and the server over which sensitive data such as credit card numbers, login credentials, and other personal information can be transmitted. SSL ensures that all data transmitted between a web server and a browser stays private, intact and  secure when it reaches the browser.

Once the connection is established, the data can be transmitted securely over the HTTP protocol. The HTTP protocol now becomes HTTPS protocol, which is nothing but HTTP-Secure or HTTP over SSL. To be able to establish an SSL connection, the server requires an SSL certificate.

History of SSL

In 1993, the World Wide Web revolutionized internet access. By 1995, the internet was estimated to have 44 million users. “The father of SSL,” Taher Elgamal, came up with the idea of SSL. SSL was developed by a company called Netscape when Taher was their chief scientist. SSL 1.0, the first-ever SSL protocol, was never publicly released due to serious security flaws.

This led to the release of SSL 2.0 in 1995, which also included several security vulnerabilities. The Internet Engineering Task Force (IETF) published SSL 3.0 in 1996, the third and final version.

SSL Certificate

SSL certificate is an electronic document that contains a public key used to encrypt data. It also contains information about the web site which is used to prove the ownership of the public key. In simple words, it is a document that binds the encryption key with organization details. Using certificates it establishes a secure connection that builds the trust between two parties, that is, the public key shared by someone actually belongs to them and not to someone else. It can be verified by seeing the green padlock 🔒 which appears on the address bar of the browser. We can view the certificate by clicking the padlock.

These certificates are x509 standard certificates, and the encoding of these certificates is done in two formats, DER (Distinguished Encoding Rules) and PEM (Privacy Enhanced Mail). In the DER format, the certificate is stored in binary form, whereas in PEM format, the certificate is stored in a human-readable text form.

SSL Communication

After verifying certificates, the client has the public key of the server which the client can trust, so now the client generates a pre-master key which client encrypts using the public key of the server and send it to the server using Asymmetric Encryption. The server now decrypts this message using its own private key and get the pre-master key shared by the client. Now both Server and Client perform steps to generate the master secret with the agreed cipher and both client and server exchange messages to inform that future messages will be encrypted using Symmetric Encryption. Now encryption being used changes from Asymmetric Encryption to Symmetric Encryption. This is called the SSL handshake.

Let’s go through these steps in detail

1.     Client Hello

Information that the server needs to communicate with the client using SSL :

·   Highest SSL version supported

·   Client Random (for generating encryption key)

·   Session-Id (blank in case of new session)

·   Compression Method

·   Cipher Suites (most preferred at top of the list)

2.    Server Hello

The server replies to the client with the following information:

SSL version selected by the server from the list provided by the client.

·   Server Random

·   Session-Id

·   Compression Method (selected from client’s list)

·   Cipher Suites (selected from client’s list)

·   Server Certificate

3.    Client Certificate

This step is optional and is used in 2-way SSL. In this step the client sends its SSL certificate to the server if the server has requested for it in step 2. In this way, the server authenticates the client.

4.    SSL verification

Until now the server hello is done. Now the client verifies the SSL certificate provided by the server by reading the Certificate Authority (CA) from the certificate and by loading the public key of that CA from the browser’s trust store and verifying the signature. If the certificate is not valid, the browser produces a warning, otherwise, the browser shows a green padlock at the address bar showing the authenticity of the website.

5.    Key Exchange

This step aims at obtaining a symmetric key which will be used for further communication. There are various algorithms for doing it. RSA & Diffie Hellman are two of those algorithms. The RSA algorithm uses the server’s public key for confidentiality while exchanging secrets. While in the Diffie Hellman algorithm, no secret key is exchanged and the server’s public key is not used. Here, the secret key of the client and the server changes for every session.

6.    Change Cipherspec

A CipherSuite is a suite of cryptographic algorithms used by an SSL connection. A suite contains three different algorithms:

·   The key exchange and authentication algorithm used during the handshake

·   The encryption algorithm used to encipher the data

·   The MAC (Message Authentication Code) algorithm, used to generate the message digest

In this step, the client and the server have the key and now onwards the communication happens over an encrypted channel. At this step, the client and server finalizes the cipher spec. This is the last chance to change the cipher spec. After this the key exchange phase finishes.

7.    Encrypted Data Transfer

At this step, the data which is going to be transmitted, goes through a few steps:

·   The data is divided into small fragments.

·   Then, these fragments are compressed.

·   Then, the MAC is calculated and appended to the compressed fragment.

·   Then, the symmetric encryption happens.

Then, the SSL header is appended at the beginning of the encrypted fragment. This header tells about the SSL record type. For ex., Handshake type, data type, etc.

At last, after all steps, the browser now has the secure and encrypted connection with the server. This entire process happens within a fraction of seconds and  transparent.

How to check for SSL in a website?

1.      When the URL says “https://” and not “http://”.”

2.      A padlock icon will appear on the URL bar. You can click on padlock to read information about the website and the company that provided the certificate.

3.      Check if certificate is valid – Even if a weBsite has https:// and a padlock, the certificate can still be expired, meaning that the connection is not secured.

To wrap up, SSL is important since if the message is not encrypted and present in the plain format then anyone on the network can eavesdrop or see the message over the network and can also change the content of that message. This is called a man in the middle attack. This layer is used to securely communicate over the internet, it does so by encrypting the communication data between two points.  No other point/node on the network can decode it or it would take them thousands of year to decode it. Thus, preventing men in the middle attack and giving a secure connection between web-browser and web-server.