Monday, 24 June 2013

Some Security Stuff (PKI, SSL/TLS, Digital Signatures etc)

Authentication vs Authorisation
Authentication is about identity, i.e. proving you are who you claim to be.
For example, logging in with a username and password is a simple authentication mechanism. The server authenticates you by checking your username and password.

Authorisation is about what you are authorised to do. It comes AFTER authentication. Once you have been authenticated, the system can look up what rights and privileges you have; this is authorisation.

Digital Certificate (X509 Certificate)
A digital certificate should contain information about the organisation that owns the certificate and the public key which 3rd parties can use to encrypt messages going to the organisation.

A digital certificate can be self-signed or signed by a CA (Certifying Authority). A certificate that is not signed by a CA will throw up red flags in your browser because it means the identity of this organisation has not been verified. I.e. I can create a certificate and say that I am Google. The CA's job is to verify the identity in the certificate against the actual organisation, so when we receive a certificate signed by the CA, we can trust that the certificate does indeed come from who it claims to be.

A signed certificate should contain the organisation's details, the public key for encrypting messages going to that organisation, and a digital signature from the signing authority.

X509 is a PKI standard.  Part of it describes what a PKI certificate should look like.

PKI
What is PKI?
PKI (Public Key Infrastructure) is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository, and revokes them if needed.



SSL/TLS

What is SSL and TLS?
TLS (Transport Layer Security) is a newer version of SSL (Secure Sockets Layer).
It is essentially a protocol for secure communication over an insecure network (i.e. a network that is public and where anyone can capture your packets).

How to Initiate TLS/SSL?
If a server supports communication using the TLS/SSL protocol, the client has 2 ways to tell the server it wants to use it.

1. Use special port numbers.  E.g. 443 for HTTPS
2. Some other ways that I don't really care about at the moment.

What Happens when I use TLS/SSL?
As mentioned, TLS/SSL is a protocol. The protocol specifies a handshake process as follows:


  1. Client - The client tells the server it wants to use TLS/SSL. This is done by connecting to the server on a special port (see above on Initiate TLS/SSL).
  2. Server - The server then sends its certificate to authenticate itself to the client. The server can also request that the client send back a client certificate for authentication purposes.
  3. Client - Upon receiving the certificate, the client (e.g. your browser) can verify the certificate's authenticity. This is done using a CA (Certifying Authority)'s public key. A certificate certified by the CA will be signed using the CA's private key. The browser should be able to use the CA's public key to verify that signature, and this will prove that the certificate has not been tampered with and these guys are indeed who they claim to be. If the authenticity of the server cannot be verified, i.e. their certificate is not signed by a CA, then the client will be warned that a secure connection cannot be established. If the server is authenticated, then the client will use the public key provided in the server's certificate to encrypt a "pre-master secret" (generated by the client) and send it back to the server. If client authentication was requested, it will send the client certificate as well.
  4. Server - Once the server receives the client certificate, it will authenticate the client (i.e. the server checks to see if this certificate is trusted). If the client can be authenticated, it will decrypt the pre-master secret using the server's private key. It will then use the pre-master secret to generate the master secret, encrypt it using its own private key and send it back to the client.
  5. Both client and server use the master secret to generate session keys, which are symmetric keys. These will be used to encrypt/decrypt further communications between the client and server.



1 comment:

  1. All these terms are interesting to study. You have provided a brief detail that gave me an idea about each one of them. Thank you for writing and sharing this article.