CKA Notes: Overview of TLS(Transport Level Security)

TLS (Transport Layer Security) is a cryptographic protocol to encrypt and secure communication over a network. HTTP(Hypertext Transfer Protocol) is the foundational communication protocol over the World Wide Web. HTTPS is a combination of HTTP and TLS that uses TLS to secure web communication.

Why do we need TLS?

In the earlier age of the web, HTTP was the dominant protocol. However, HTTP sends/receives all the data transferred between the client and servers in plaintext. This made communication over the internet insecure — a malicious agent could easily snoop on the network and see all the data being communicated. This is especially problematic for sensitive sites such as banking. As the web permeated deeper into our lives, the need for a secure communication protocol became much more critical. One solution was to encrypt our data over the network.

Encryption

There are two commonly used encryption techniques:

1. Symmetric Encryption — same key is used for encryption and decryption
2. Asymmetric Encryption — separate keys are used for encryption and decryption (public-private keypair)

The main issue with symmetric encryption is how to transfer the encryption key to the other party securely. Asymmetric encryption solves this problem by having separate keys for encryption and decryption. Each user has two keys — public and private. The public key is known to everyone while private keys are highly restricted and kept secure. During communication, the first user encrypts the data with the public key of the second user and sends it across the network. The second user has his/her private key and uses it to decrypt the message. Even, if an attacker snoops the message and has the public key, they cannot decrypt the message.

Certificates

Now, that the problem of secure communication is resolved, the next challenge is how we can trust that the client/server we communicate with on the internet is real or a malicious agent. What if the above server is not the actual “mybank.com” server but a malicious agent pretending to be the real one? To resolve this, we have the concept of certificates.

Certificates are used to establish the authenticity and identity of the entities involved in the TLS communication (such as web servers and clients). When a server presents its digital certificate, it contains its public key and its domain information. This certificate is signed by a Certificate Authority(CA) that signs the certificate that this server is indeed who they claim to be. Certificate Authorities are trusted entities such as Entrust, DigiCert, etc. which verify the identity of the server and present a certificate of authenticity by signing the certificate with their private key. All the major browsers come with pre-installed root certs and public keys of well-known CA’s and are able to trace the certificate’s chain of trust to one of the root certificates. This is how our browsers are able to verify if the certificate presented by a website is actually signed by the mentioned CA or not.

TLS Handshake Process

When using TLS, a client and server follow the following handshake process:

1. The Server presents its digital certificate and shares its public key
2. The Client verifies the server’s certificate to make sure the server is actually who they are intending to be
3. (If it is a 2-way SSL, similarly the server will verify the client’s certificate as well) Then, the client generates a symmetric key, encrypts it using the server's public key to create a session key, and sends it to the server
4. The server decrypts the key using its private key. Now, both the client and server use this session key to have a secure communication

Notes:

1. Another thing to keep in mind is that private and public keys in an asymmetric key pair are complementary to each other. If something is encrypted with one, it can be decrypted with another. Therefore, we should always encrypt with our public key, so that decryption can only be done by private key, which is guarded securely. If we encrypt something with a private key, anyone can access the data by decrypting it, as the public key is freely accessible.
2. Most of the well-known CA’s also provide the option of creating a private CA server for internal TLS communications inside a company’s network.