Public Key Encryption SSL

One of the issues we face with encryption is how to securely share secret keys. Think of opening a secure connection to a website that you have never been to before. What keys do you use? How do you share these keys? And how do you stop someone from stealing these keys? We're discussing this and much more in this article.

If you have been with me for the last two articles, you'll know about a type of encryption called symmetric encryption. This is where we have a secret key and use a cipher to encrypt some private information. We can then use the same key to decrypt later on. The alternative to this is asymmetric encryption, which is comparatively new as far as encryption goes. Asymmetric encryption uses two different keys: one key can be used for encryption and the other will be used for decryption. These keys always come as a pair, and we have to use both.

So why two keys? The reason is that one of the keys is public and the other is private. Yes, you heard me right: we take one of the keys and give it to anyone who wants it. We still keep the private key to ourselves, though; nobody else is allowed to have this key. The public/private nature of asymmetric encryption earns it the more common name, public key encryption. Because the two keys work together, we can encrypt with either one of these keys and use the other for decryption.

Let's say that this is my key pair and you would like to send me a message. You'll have my public key, no worries there. Using my public key, you can then encrypt your message and send it to me. If anyone intercepts the ciphertext, there's nothing they can do, as they don't have the corresponding private key. I'm the only one who holds the private key, so only I
can decrypt the message. A common cipher that uses public key cryptography is named RSA, which is the cornerstone behind many certificates that are used to secure websites.

In the last article I discussed that authentication was an interesting way to use encryption. So imagine I would like to prove my identity to you. Here is a simplified way that we could approach this. You take a random message, complicated enough to make it unguessable, then encrypt it with my public key. At this point I'm the only one who can decrypt the message. So if I can decrypt it, get the random message back out and send it back to you, you can then compare this with the original message you sent me. If the messages are the same, then I've proven that I am who I say I am, as I've proven that I'm in possession of my private key.

Similar to this are digital signatures, which are commonly used with software to prove that it is from a genuine source. Imagine that I would like to send you a file, and that I want to prove that I was the author of that file. I can create a signature of some sort and encrypt it with my private key; perhaps we could use a hash of the file. I can then attach the encrypted signature to the file. Anyone can use my public key to decrypt the signature, and that's fine, as it isn't really a secret. The point is that only I could have encrypted a message that decrypts with the public key. Upon receiving the file, you generate a hash of the file and compare it to the hash in the signature. If they're the same, then you can trust that this file has indeed come from me. Of course these examples are very simplified, but you'll get an idea of how we can use public key cryptography.

When using encryption over the network, which is best: secret key ciphers or public key algorithms? Secret key ciphers are very fast. The only problem is that the keys have to be shared between anyone wanting to pass messages, and it can be difficult to do
this securely. Public key cryptography doesn't have the same key sharing problem. Unfortunately, it's extremely slow. The good news is that we can find a balance between the two. We can use public key cryptography like RSA or Diffie-Hellman to compute and share a secret key securely. They also offer server authentication and, optionally, client authentication. Secret key cryptography quickly encrypts and decrypts the bulk of the private information. Block ciphers like AES will need a mode of operation like CBC or GCM. These are combined with a security protocol, SSL/TLS, IPsec or something else, which manages the secure network connection. And of course we can add a hashing algorithm like MD5 or one of the SHA algorithms to verify message integrity. The result is that a secure connection will use several components. This combination is called a cipher suite.

Cipher suites have long and complicated-looking names, just like the examples we have here. The exact way that they're written can change depending on the product you're configuring, but they'll all look something like one of these.

First up, we have a protocol, TLS in both cases here. In the top one we can see that it's version 1, while the other isn't specific. Sometimes you will see SSL here, which may mean SSL versions 2 or 3. Both are considered insecure, so you should avoid using them. We'll have a look soon at how to keep up to date with what's considered secure and what's not.

Next we see the public key algorithm. In the second example this is DHE and RSA. These are used for exchanging session keys and for authentication. Notice that nothing's listed in the first one for this. It's not uncommon for a cipher suite name to omit some details. I'm honestly not sure why this happens; anyway, I think it would be safe to assume that RSA is used in this instance.

Next is the bulk encryption cipher, AES in this example, and the size of the key that it uses. The keys are exchanged using the
public key algorithm. Any block cipher will need a mode of operation, which is CBC and GCM in these examples, and finally a hashing algorithm for integrity. It's pretty common to see some variant of SHA in most ciphers lately. So now, when you're configuring a web server or another network device and you see a cipher suite, you should be able to decode each of the components that it uses.

Now let's see this process with a really simplified example. We're going to consider an HTTP connection from a client to a web server. HTTP uses TCP, so the conversation will always start with a three-way handshake, but it's at this point that it gets really interesting. The client sends a hello message to the server, asking to start a secure session. As part of this message the client sends a list of cipher suites it's willing to support, in order of preference. The message also includes a large random number, which will be used soon.

From the list of cipher suites in the client hello message, the server will select a cipher that it is happy to use. That is of course assuming that there's a cipher that they can agree on. For our example we'll assume they agreed on a cipher suite that uses RSA. The server then responds with a hello message of its own. This includes the cipher it has chosen, its certificate and a second random number.

We've not talked much about certificates, as honestly this is a large enough topic for another article, but briefly, the certificate is a way for the server to share its public key with the client, and a way for the client to verify the server's identity. So the client now verifies the server certificate. If you have ever seen a certificate error message in your browser, then you've seen what happens when there is a problem with a certificate.

The client will now choose a third random number and encrypt it with the server's public key. It then sends this to the server. This number is called the premaster key, which only the
server can decrypt using its private key. The client and the server now have three random numbers. They then use these three numbers to calculate a series of session keys. They follow the same process when they do this, and they have the same numbers to start with, so they will reach the same result and have the same keys. The client and server now send a finished message to each other, and the secure connection is now established. They will now use the session keys that they generated, along with AES or some other block cipher, to encrypt the rest of the HTTP connection.

That's a simplified explanation of how this works. There may be some small variations depending on the settings and ciphers that were chosen. For instance, we only talked about the client authenticating the server; optionally, the server can also authenticate the client. There is also an option to use Diffie-Hellman key exchange instead of just using RSA on its own. This is a more complicated but safer method of calculating the session keys. We might be able to look at this in another article if you're interested.

I've mentioned several times now that there are ciphers and algorithms that are no longer considered secure. This is due to flaws that are found over time, advancements in computing power, and so on. This continually changing landscape results in a common expression: security is a moving target. This means that just because something is considered secure today doesn't mean that it will still be secure in a month's time. This leads to a crucial question: how can we stay secure? Well, first remember that ciphers and encryption are just one aspect of security, but these are the focus of this article, so that is what we're going to look at now.

There are a couple of organizations that give their recommendations on which ciphers and protocols they consider secure. One I'd like to show you is from the Open Web Application Security Project. I'll put a link to them in the
description. They break the cipher suites into categories A through D, with A being the most secure. We only want to choose options from category A. They also list the cipher order, with the best at the top. So when would you think about using categories B through D? There could be some cases where clients on your network do not support category A ciphers yet. If that's the case, though, you should investigate whether you're able to update your clients.

Now here's another site I'd like to show you. It's called SSL Labs, and we can use it to check our web servers. It goes through and scans your server for weaknesses like using insecure ciphers. This takes a little time to go through, so I'm speeding up the process. The ratings go from A plus all the way down to F, and you also get a full report. This one here is a big failure, so let's take a look. First there is a summary with some obvious problems. The two big ones are insecure protocols, SSL 2 and 3. These should be disabled. Further down we have certificate information. This is actually looking pretty good: it's using a nice strong 2048-bit RSA key. And further down we can see the supported ciphers. Some are listed as insecure and definitely should not be used, RC4 in this case, which can be disabled entirely. The rest are listed as weak, so the blokes managing this server should probably look
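The challenge-response check and the file signature described earlier in the article, as an added example that is not part of the original. It uses unpadded "textbook" RSA with a deliberately small key built from two known Mersenne primes, so the arithmetic is visible; the key, the function names and the sample inputs are all assumptions made for the illustration, and real systems use a vetted library with padding.

```python
import hashlib
import secrets

# Toy key pair (constructed for this example; far too small for real use).
P, Q = 2**127 - 1, 2**107 - 1          # two Mersenne primes
N, E = P * Q, 65537                     # public key: anyone may have this
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent: never shared


def file_hash(data):
    """SHA-256 of the file, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data, d=D):
    """Author side: 'encrypt' the file's hash with the private key."""
    return pow(file_hash(data), d, N)


def verify(data, signature):
    """Receiver side: 'decrypt' with the public key and compare hashes."""
    return pow(signature, E, N) == file_hash(data)


def make_challenge():
    """Verifier side: pick an unguessable number, encrypt it with the public key."""
    nonce = secrets.randbelow(N)
    return nonce, pow(nonce, E, N)       # keep the nonce, send the ciphertext


def answer_challenge(ciphertext, d=D):
    """Prover side: only the private key holder recovers the nonce."""
    return pow(ciphertext, d, N)


if __name__ == "__main__":
    sig = sign(b"installer contents")
    print("genuine file verifies:", verify(b"installer contents", sig))
    print("tampered file verifies:", verify(b"installer contents!", sig))
    nonce, challenge = make_challenge()
    print("identity proven:", answer_challenge(challenge) == nonce)
```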
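A small decoder for the cipher suite names discussed above, added here as an example and not taken from the original. It assumes IANA-style names of the form PROTOCOL_KEYEXCHANGE_WITH_CIPHER_HASH; the sample names are chosen for this example and are not the ones shown in the original, and the warnings cover only the two items the article itself calls insecure (SSL 2/3 and RC4).

```python
# Components the article calls out as insecure: the SSL 2/3 protocols and RC4.
INSECURE = {"SSL": "SSL 2/3 protocol", "RC4": "RC4 cipher"}
MODES = {"CBC", "GCM", "CCM"}


def decode_suite(name):
    """Split an IANA-style cipher suite name into its components."""
    proto, _, rest = name.partition("_")
    kx_part, sep, cipher_part = rest.partition("_WITH_")
    if not sep:
        raise ValueError(f"not an IANA-style suite name: {name!r}")
    kx = kx_part.split("_")
    tokens = cipher_part.split("_")
    digest = tokens.pop()                # the last token is the hash
    parts = {
        "protocol": proto,
        "key_exchange": kx[0],
        # A single token such as RSA covers both key exchange and authentication.
        "authentication": kx[-1],
        "cipher": tokens[0],
        "key_bits": next((int(t) for t in tokens if t.isdigit()), None),
        "mode": next((t for t in tokens if t in MODES), None),  # None: stream cipher
        "hash": digest,
    }
    parts["warnings"] = [why for token, why in INSECURE.items()
                         if token in (proto, parts["cipher"])]
    return parts


# Sample names chosen for this example.
SAMPLES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "SSL_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, decode_suite(suite))
```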
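How the three random numbers from the handshake become identical session keys on both sides, as an added example that is not from the original. The article does not say how the numbers are combined; this sketch assumes the TLS 1.2 pseudorandom function from RFC 5246 with SHA-256 and AES-128-GCM key sizes, and the random values are constructed constants so the run is repeatable.

```python
import hashlib
import hmac


def prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246, section 5): HMAC-SHA256 expansion of a secret."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def session_keys(premaster, client_random, server_random, key_len=16, iv_len=4):
    """Derive the master secret, then cut the key block into session keys."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (key_len + iv_len))
    names = ("client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv")
    keys, pos = {}, 0
    for name, size in zip(names, (key_len, key_len, iv_len, iv_len)):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed values standing in for the three random numbers.
CLIENT_RANDOM = bytes(range(32))                    # sent in the client hello
SERVER_RANDOM = bytes(range(32, 64))                # sent in the server hello
PREMASTER = b"\x03\x03" + bytes(range(100, 146))    # sent RSA-encrypted


def handshake_demo():
    """Both ends run the same derivation; an observer lacks the premaster."""
    client = session_keys(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server = session_keys(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    # The observer saw both hello randoms in the clear but must guess the rest.
    observer = session_keys(bytes(48), CLIENT_RANDOM, SERVER_RANDOM)
    return client, server, observer


if __name__ == "__main__":
    client, server, observer = handshake_demo()
    print("client and server agree:", client == server)
    print("observer has the keys:", observer == client)
```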