How TLS works?
Author: Lucian Oprea (@LucianDSA_)
Maybe the Biggest Security Breach in History
In 2017, Equifax, a multinational in the consumer industry, was the victim of a major security breach.
In this incident, attackers were able to exploit a vulnerability in the company's website software.
They gained access to Social Security numbers, addresses, and credit card credentials of 143 million consumers.
Later investigations revealed that this could have been prevented if the web servers had been properly configured to use the latest version of the TLS (SSL) protocol.
TLS is the newer, updated, and more secure version of SSL.
The last version of SSL (3.0) has been deprecated since 2015.
However, the name is still in wide use even today.
What does TLS do? 🔐
Simply put, TLS does 3 things:
Authentication, Data Encryption, and Data Integrity.
But to understand better what TLS does, let’s imagine for a second a world without TLS.
First, online banking and shopping would be at high risk.
Credit card numbers, login credentials, and other sensitive information could be intercepted and read by attackers.
Anyone, with good or bad intentions, who has good software for analyzing network traffic (Wireshark is freely available) can capture data in transit, so it's essential that sensitive data, and not only sensitive data, is never transferred in plain text over the network.
It’s essential for data to be encrypted.
Also, without TLS, email would not be a secure method of communication.
Emails sent over the internet could be intercepted and read by attackers, making it easy for them to steal sensitive information.
Second, without TLS, there would be no way to ensure that you’re interacting with a legitimate website rather than a phishing site set up to steal your personal information.
This would greatly increase the risk of identity theft and other types of fraud.
Third, without TLS, data can be intercepted and modified.
So, next time you're browsing the web or sending an email, think of TLS as your own personal bodyguard, keeping you safe and secure in the digital world.
SSL vs TLS vs HTTPS
Secure Sockets Layer is the security veteran of the internet.
Its last version, 3.0, has been deprecated since 2015, but the name SSL has stuck until today.
Its grandchild, TLS, is the updated, more secure version of SSL.
Moreover, any website that uses HTTPS is employing TLS encryption.
Therefore, HTTPS is an implementation of TLS encryption on top of the HTTP protocol.
Why did the SSL certificate go to therapy? It was feeling so insecure because it wasn't upgraded to TLS!
How does TLS work? ⚙️
A TLS session consists of 2 phases:
- the Handshake phase.
- the ongoing Encryption phase.
First, let’s understand what a session is in the context of TLS.
A session is essentially a conversation between two parties.
It can either be for a fixed period of time, or it can last for as long as the two parties are communicating.
After a session ends, the two devices would have to exchange identity information again to reopen the connection.
Now, why is the Handshake phase necessary?
The main purpose of the handshake is authentication.
Before doing anything, the client has to trust the identity of the server.
To build trust, the server provides a TLS certificate, historically known as an SSL certificate, and the two parties then use the public key protocol for authentication.
We’ll see how this works in a bit.
The second purpose of the handshake is to establish a shared secret key that will be used in the next phase for encryption.
In the second phase, the shared secret key that was established is used to encrypt all ongoing messages.
First, the encrypted messages are transmitted to the other side.
Then, they will be verified to see if there were any modifications during the transmission.
If not, the messages will be decrypted with the same symmetric secret key.
It’s called symmetric because the same secret key is used to encrypt messages and also to decrypt them.
We'll see later why symmetric keys are preferred only for the encryption phase.
How are TLS / SSL certificates obtained?
The certificate is a data file that contains the domain name, the person or organization that owns the certificate, the authority that issued the certificate, the server's public key and other data.
For a TLS certificate to be valid, it needs to be obtained from a certificate authority (CA).
A CA is an outside organization, a trusted third party that generates and gives out TLS (SSL) certificates.
The CA will also digitally sign the certificate with their own private key, allowing client devices to verify it.
Once the certificate is issued it needs to be installed and activated on the website's server.
Web hosting services can usually handle this for website operators.
Once it's activated on the server, the website will be able to load over HTTPS, and all traffic to and from the website will be encrypted and secure.
So, TLS (SSL) certificates are what enable websites to move from HTTP to HTTPS.
How is the public key used by TLS / SSL? 🔑
Public key encryption is used only in the handshake phase, for the purpose of authentication.
More specifically, public key cryptography uses a pair of keys: the public key is used to encrypt data.
The other key is known as the private key, and is used to decrypt data.
This is also known as asymmetric encryption.
SSL/TLS uses public-key encryption to certify the identity of a server.
The client verifies the server's certificate, generates a random string, encrypts it with the server's public key, and sends it to the server.
The server decrypts the message with its private key, and both parties use the resulting secret string to generate a master secret and session key.
This process helps prevent man-in-the-middle attacks.
Why is TLS Encryption so fast?
How good is the TLS encryption?
Encryption involves converting a message into a ciphertext.
However, we have to consider the huge amounts of data transferred over the network.
And, all data must be encrypted.
So, the first requirement of TLS Encryption is to be really fast for huge amounts of data.
In order to encrypt and decrypt data really fast, TLS uses 2 things.
- a symmetric encryption algorithm
- a symmetric secret key.
Symmetric encryption is faster and uses the same key for encryption and decryption, making it ideal for encrypting large amounts of data.
Asymmetric encryption is slower but is used in the handshake phase to share secret keys between parties.
Both types of encryption must be impossible to break, and the most common symmetric algorithms are considered extremely secure, taking billions of years to break using current technology and methods.
How is data integrity achieved? 📄
And last, TLS provides data integrity.
This helps to ensure that the data exchanged between parties has not been forged or tampered with.
For each message exchange, an additional code is calculated, using the message, a cryptographic hash function, and a secret MAC key.
The MAC key is generated during the TLS handshake.
Then, along with the message a MAC code is also sent.
When the receiving party gets a message, it calculates the MAC for the message.
It will use the same MAC key and hash function, as the sender, and it will compare it to the MAC included in the message.
If the MAC codes match, it means that the message has not been tampered with, and it can be trusted.
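The MAC check described above, as an added example in Python (not code from the original article). It uses HMAC-SHA256 and, going slightly beyond the text, mixes a per-message sequence number into the MAC input the way TLS record MACs do, so a replayed or reordered message is rejected as well as a modified one. The key, the function names and the sample message are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

# Constructed MAC key; in TLS it is derived during the handshake.
MAC_KEY = bytes(range(32))


def record_mac(mac_key: bytes, seq: int, message: bytes) -> bytes:
    """MAC over the sequence number and the message."""
    data = seq.to_bytes(8, "big") + message
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side: append the MAC code to the message."""
    return message + record_mac(mac_key, seq, message)


def verify(mac_key: bytes, seq: int, record: bytes):
    """Receiver side: return the message if the MAC matches, else None."""
    if len(record) < TAG_LEN:
        return None  # too short to even contain a MAC
    message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = record_mac(mac_key, seq, message)
    # compare_digest runs in constant time, so the comparison itself
    # does not leak how many leading bytes of a forged tag were right.
    if hmac.compare_digest(tag, expected):
        return message
    return None


if __name__ == "__main__":
    record = protect(MAC_KEY, 0, b"transfer 100 EUR to Alice")
    print("intact  :", verify(MAC_KEY, 0, record))
    tampered = record.replace(b"100", b"900")
    print("tampered:", verify(MAC_KEY, 0, tampered))
    print("replayed:", verify(MAC_KEY, 1, record))
```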
How does TLS affect web application performance?
While the process of setting up a TLS connection can be complex and time-consuming, newer versions of TLS have features such as one-round-trip handshakes and session resumption that help to minimize these impacts.
As a result, the impact on load times and computational costs is mostly negligible by today's standards.
Implementing TLS on a website - overview 👨‍💻
Implementing Transport Layer Security (TLS) on your website involves several steps.
Here is an overview of the steps you should take:
- Obtain a security certificate: First, in order to use TLS, you will need to obtain a security certificate from a trusted certificate authority (CA). The certificate will need to be verified by the CA, and will include information about your website and your organization.
- Configure your web server: Once you have obtained a security certificate, you will need to configure your web server to use it. This will typically involve installing the certificate on your server, and configuring your server software to use it. Depending on your setup, this could be as easy as enabling a checkbox, or it can mean editing a lot of server configuration files.
- Update your website's code: Third, we need to update the links within the website to point to the secure (https) version of the website, instead of the unsecured (http) version.
- Test your website: Then you might test the site, which can involve testing it on multiple browsers and devices, and checking for any errors or issues.
- Monitor and maintain your certificate: Finally, it's important to keep track of the expiration date of your certificate, and renew it before it expires. The good news is that we can automate this process using scripts.
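One way to script the testing and monitoring steps, as an added example in Python (not code from the original article): it connects with certificate and host name verification enabled, refuses anything older than TLS 1.2, and reports how many days remain before the certificate expires. The 30-day warning threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def strict_context() -> ssl.SSLContext:
    """Client context: CA chain and host name are verified, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days left before the certificate's notAfter date (negative if past)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, tz=timezone.utc)
    return (expires - now).days


def classify(days_left: int, warn_days: int = 30) -> str:
    """Map the remaining lifetime to an action for the operator."""
    if days_left < 0:
        return "EXPIRED"
    return "RENEW" if days_left <= warn_days else "OK"


def check_host(host: str, port: int = 443, warn_days: int = 30) -> dict:
    """Handshake with a live server and report protocol, cipher and expiry."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with strict_context().wrap_socket(sock, server_hostname=host) as tls:
            now = datetime.now(timezone.utc)
            days = days_until_expiry(tls.getpeercert(), now)
            return {"host": host, "protocol": tls.version(),
                    "cipher": tls.cipher()[0], "days_left": days,
                    "status": classify(days, warn_days)}


# Constructed sample in the format that getpeercert() returns.
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2030 GMT"}

if __name__ == "__main__":
    now = datetime(2030, 5, 20, 12, 0, 0, tzinfo=timezone.utc)
    left = days_until_expiry(SAMPLE_CERT, now)
    print(left, classify(left))
    # For a live check: print(check_host("example.com"))  # placeholder host
```

Run from a scheduler, `check_host` raises `ssl.SSLCertVerificationError` when the certificate is already expired, untrusted or issued for a different host name, so a failed handshake should be alerted on in the same way as a `RENEW` status.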
Conclusions
In conclusion, the TLS protocol accomplishes 3 things:
- Encryption: it hides the data being transferred from third parties.
- Authentication: it ensures that the parties exchanging information are who they claim to be.
- Integrity: verifies that the data has not been forged or tampered with.
The encryption part is done using symmetric cryptography, because it’s fast and therefore suitable for bulk encryption.
However, symmetric cryptography can’t provide authentication.
For that we use asymmetric cryptography, with the public-private key protocol.
And last, we use the MAC algorithm to verify that the data hasn’t been modified in transit.