SSL TLS PKI Primer Part 1
The first browserIn 1995 Netscape corporation has started developing the first browser - Netscape. It would later become Firefox.
They clearly understood that when you browse the internet, then, if the browsing is not secured you (and them) are going to be in big trouble, just think of it, people would steal your credit card, your details make orders on your name, read your personal mail.
So a security solution is required, they hired a great guy (PhD) and he figured out he should create a new security protocol, namely the SSL!.
The rebirth of securitySo this guy has come with the SSL protocol, this was, because they figured out nobody is going to trust this browser unless it's really secured.
This doctor created the framework and protocol for the security of this browser, this was actually the birth and development of the excellent security protocol - the SSL.
Privacy, Integrity, it’s all there!Security means many things. Privacy for example, by privacy, you mean encryption and integrity - it's hard but it's not impossible. SSL also provides integrity by using hash functions to sign your stuff.
SSL handles for you, privacy, so no one can know what you send back and forth to websites. This is however only one expect of security, what if someone wants to manipulate the packets you send? In addition SSL works in extremely hostile environments where someone tries to take control and pretend he is you and make the SSL handshake as if he is you.
It’s not just Netscape it’s the whole world!So they saw that this security thingy that they are up to (SSL) is so much mind-blowing and all encompassing that they decided, hey this is not our responsibility I mean, this should be the whole world responsibility, so they would do what every sane developer like you and me would do, they moved it to the IETF to handle this ;).
Now what is the IETF you ask? Let me tell you this, these are the same guys that handle, TCP, the same guys that handle IP, the same guys that handle PGP. So it makes lot of sense they would be handling also SSL ain't it so?!
SSL → TLSOne of the first thing this group has done was renaming the protocol name, this was an *awful* decision, they rename it to TLS to make sure you see it’s about security for transport, however the term SSL is still being used, OpenSSL for example.
So some people say SSL some say TLS but all actually mean in most cases the same, yeah sure some might say SSL and mean the old SSL prior to TLS but in most cases both are used interchangeably.
Note that nobody is practically using the latest (old) SSL version but only the newer actual TLS and you should not be using any prior versions due to security risks.
Symmetric - aka secret codesSymmetric encryption has been here for years, they were just called secret codes, you don’t use the old secret codes because they are weak, today you use much stronger and longer secret codes because they are stronger. But modern symmetric security is pretty strong, the only problem is - how do you exchange those secret codes - via the internet
How to share secret codes via internet?So now the question is, how do you share secret codes via the internet? Without meeting in person with people? For that we have Diffie-Hellman key exchange. It’s actually pretty straight forward and involves picking two numbers, raising an arbitrary chosen number by power and then doing mod those original numbers. And both of you guys get the same number - the same symmetric key. I tell you the result I don’t tell you what number I have chosen to raise by power of one of the numbers we have chosen and thus we share some other numbers and not the numbers we use for symmetric encryption keys. And only me and you can deduce these symmetric keys. For more information see: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Browser and keysWhen your browser connects to the internet it tells the server, hey I know how to do Diffie Hellman key exchange, I know how to do DSA symmetric encryption, basically, your browser, tells the server his set of known security cpaabilities, and they choose then which security protocol to use.
PKI (the problem with DIFFIE Hellman)Public Key Infrastructure
I can think you do the key exchange with me and you can think I do the key exchange with you while there is someone in middle key exchanging for both of us, he can eavesdrop and know exactly what we send each other.
This is what we use when we use actually HTTPS. You combine both TLS and PKI in order to have HTTPS. The problem with the previous Diffie Hellman is that how do you trust that the person who gave you the number is actually who he claims he is? The way to trust him is to move the trust problem one layer beyond into certificate owners who are hardwired to your browser, and they point to certificate owners who they trust, and so you should trust as well.
So with the certificate authority I don’t only send you some data I also sign it with the public key and I have a certificate from the certificate authority that this is my public key so you can trust I am who I say I am.
And this my friends is the basis of https.