TLS and Web Certificates
Hello!
And here we are running on the sly one of the most unusual courses for us - “Digital Signature in Information Security” . Despite everything, we sort of managed it and attracted people, let's see what happens. And today we will analyze the remaining interesting material and see briefly how TLS works, as well as the difference between untrusted and trusted web certificates.
Translation - dzone.com/articles/a-look-at-tls-transport-layer-security
Author - Arun Pandey
TLS, short for Transport Layer Security, is based on SSL. As the name suggests, this is a protocol that works at the transport level.
As you know, communication security is a very common headache, but the correct implementation of TLS can take web security to a new level. In an environment with embedded TLS, an attacker can get information about the host to which you are trying to connect, find out what encryption is being used, terminate the connection, but doing something other than that will not work.
')
Almost all communication protocols have three main parts: data encryption, authentication and data integrity.
In this protocol, data can be encrypted in two ways: using a public key cryptosystem or symmetric cryptosystems. The public key cryptosystem, as a realization, is more perfect than symmetric cryptosystems.
Overview of Cryptosystems with Public Key and Symmetric Cryptosystems
A public key cryptosystem, which is a type of Asymmetric Encryption, uses an open-private key. So, public key B is used to encrypt A data (B shared the public key with A), and after receiving the encrypted data B decrypts it using its own private key.
In Symmetric Cryptosystems, the same key is used for both decryption and encryption, therefore the secret key of A and B will be the same. And this is a big disadvantage.
Now let's see how authentication works in TLS. To ensure the authenticity of the sender of the message and provide the recipient with the means to encrypt the response, authentication can be achieved using digital certificates. Operating systems and browsers store lists of trusted certificates that they can confirm.
Trusted vs. Untrusted Certificates
Digital certificates come in two categories. Trusted certificates are signed by the Certificate Authority, CA for short, while untrusted certificates are self-signed.
Trusted Certificates
Trusted certificates are in a web browser and signed by the CA. This is necessary to ensure the highest level of reliability. Suppose that the site “xyz.com” wants to receive a trusted digital certificate from the well-known certification center “Comodo”.
The steps will be as follows:
Untrusted Certificates
An untrusted certificate is signed by the site owner. This method is suitable if the problems of reliability are not relevant.
Note that it is not customary to use an untrusted certificate in the TLS implementation.
How TLS Certificate Replacement Works
THE END
As usual, we are waiting for questions and comments.
And here we are running on the sly one of the most unusual courses for us - “Digital Signature in Information Security” . Despite everything, we sort of managed it and attracted people, let's see what happens. And today we will analyze the remaining interesting material and see briefly how TLS works, as well as the difference between untrusted and trusted web certificates.
Translation - dzone.com/articles/a-look-at-tls-transport-layer-security
Author - Arun Pandey
TLS, short for Transport Layer Security, is based on SSL. As the name suggests, this is a protocol that works at the transport level.
As you know, communication security is a very common headache, but the correct implementation of TLS can take web security to a new level. In an environment with embedded TLS, an attacker can get information about the host to which you are trying to connect, find out what encryption is being used, terminate the connection, but doing something other than that will not work.
')
Almost all communication protocols have three main parts: data encryption, authentication and data integrity.
In this protocol, data can be encrypted in two ways: using a public key cryptosystem or symmetric cryptosystems. The public key cryptosystem, as a realization, is more perfect than symmetric cryptosystems.
Overview of Cryptosystems with Public Key and Symmetric Cryptosystems
A public key cryptosystem, which is a type of Asymmetric Encryption, uses an open-private key. So, public key B is used to encrypt A data (B shared the public key with A), and after receiving the encrypted data B decrypts it using its own private key.
In Symmetric Cryptosystems, the same key is used for both decryption and encryption, therefore the secret key of A and B will be the same. And this is a big disadvantage.
Now let's see how authentication works in TLS. To ensure the authenticity of the sender of the message and provide the recipient with the means to encrypt the response, authentication can be achieved using digital certificates. Operating systems and browsers store lists of trusted certificates that they can confirm.
Trusted vs. Untrusted Certificates
Digital certificates come in two categories. Trusted certificates are signed by the Certificate Authority, CA for short, while untrusted certificates are self-signed.
Trusted Certificates
Trusted certificates are in a web browser and signed by the CA. This is necessary to ensure the highest level of reliability. Suppose that the site “xyz.com” wants to receive a trusted digital certificate from the well-known certification center “Comodo”.
The steps will be as follows:
- Create a web server for the application: xyz.com;
- Create a pair of secret keys (public-private key) using public key encryption (because of its reliability);
- Generate a Certificate Signing Request (CSR for short) for a certification center, in my case Comodo. On disk, the file may be called “certreq.txt”;
- Submit an application to a certification center, include a CSR;
- The certification center (Comodo in my case) will verify your request, including the public-private key;
- If everything is in order, the certification center will sign the request using its own private key;
- The center will send the certificate to be installed on the web server;
- All is ready!
Untrusted Certificates
An untrusted certificate is signed by the site owner. This method is suitable if the problems of reliability are not relevant.
Note that it is not customary to use an untrusted certificate in the TLS implementation.
How TLS Certificate Replacement Works
- Open the address “xyz.com” in the browser;
- The web server receives the request;
- The web server sends a certificate in response to the request;
- The web browser evaluates the response and verifies the certificate;
- During the validation process, the web browser learns that the certificate is signed by the Comodo Center;
- A web browser checks the certificate database (for example, IE -> Internet Options -> content -> certificate) for a Comodo certificate;
- Once it is located, the web browser uses the Comodo public key to verify the certificate sent by the web server;
- If validation is successful, the browser considers this association to be secure.
THE END
As usual, we are waiting for questions and comments.
Source: https://habr.com/ru/post/431242/
All Articles