Introduction to SSL
Updated: May 24, 2020
The Little Padlock
"Make sure you see the little padlock icon to verify you are accessing online banking services or e-commerce websites 'securely'" is very common cybersecurity advice given to laymen. But what does the padlock mean?
The padlock means you are browsing the particular website using HTTPS rather than HTTP. HTTPS simply means HTTP over SSL (Secure Sockets Layer). SSL can be used to secure many other protocols, not limited to HTTP, including SFTP, SSH, IMAPS, POP3S, etc.
How does SSL Secure the Communication Session?
Confidentiality. Network traffic over SSL is encrypted using a secret key. This secret key is established using public-key cryptography, so that only the intended parties possess it and are the only ones that can read the content of the session.
Authenticity. A digital certificate is issued by a certificate authority (CA) to whoever is providing the service. This certificate is a claim that the identity of the organisation/person is tied to the domain name, enabling end-users to verify they are communicating with the authenticated server.
Non-repudiation. The combination of confidentiality and authenticity establishes non-repudiation.
Drawback of SSL
SSL only provides communication security. It does not provide security to data at rest. The largest drawback of SSL is still users' understanding of digital certificates. It is very common for users not to check the digital certificate to verify the authenticity of the server, and to ignore security warnings such as certificate expiry.
Do users understand security warnings?
Do users really pay attention?
Now we take a look at the protocol design of SSL (version 3.0). TLS (Transport Layer Security, RFC 2246) was introduced more recently as a continuation of SSL development. The current version 1.0 of TLS is very similar to SSL 3.0, with minor tweaks. As the name suggests, SSL provides security by sitting between the transport and application layers. This also means that SSL can provide security to any application-layer protocol, not only HTTP, with which all of us are already so familiar.
There are 2 layers involved in an SSL architecture. The record protocol provides a secure and reliable channel to the upper layer.
The record protocol carries application and manages data in sessions created by the handshake protocol.
Amongst all the SSL protocols at the upper layer, the handshake protocol is the most important one; the other 2 serve more as support facilities.
SSL uses a secret key to provide data origin authentication, integrity and encryption to the application datagram. The record protocol uses this secret key, and it's the handshake protocol that establishes it.
The SSL Handshake protocol
Message 1: Client -> Server
Client initiates connection;
Client sends its SSL/TLS version number, list of cipher suites, and client nonce.
Message 2: Server -> Client
Server sends SSL/TLS version number;
Server sends selected cipher from client's cipher suites;
Server sends certificate message, allowing client to validate server's public key; and
A server nonce and session ID.
Message 3: Client -> Server
Client sends a pre-master secret encrypted using the server's public key;
Client sends a MAC (message authentication code) generated over all messages sent so far, using the computed master secret.
Message 4: Server -> Client
Server sends a generated MAC based on all messages sent so far using the computed master-secret.
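The key derivation and the MACs of messages 3 and 4, worked through as an added example (not part of the original article) using the TLS 1.0 PRF defined in RFC 2246. The nonces, pre-master secret and message bodies are constructed stand-ins rather than wire-format records, and the function names are illustrative.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """RFC 2246 section 5 P_hash: HMAC-based expansion to `length` bytes."""
    out, a = b"", seed                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 keyed by the first half of the secret XOR P_SHA-1 keyed by the second."""
    half = (len(secret) + 1) // 2                       # halves share a byte if the length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def master_secret(pre_master, client_nonce, server_nonce):
    """48-byte master secret from the pre-master secret and both nonces."""
    return tls10_prf(pre_master, b"master secret", client_nonce + server_nonce, 48)

def finished_mac(master, label, transcript):
    """12-byte MAC, keyed by the master secret, over every handshake message so far."""
    digest = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return tls10_prf(master, label, digest, 12)

def handshake_check(tampered):
    # Constructed values: readable stand-ins for messages 1 to 3, not wire format.
    client_nonce, server_nonce = bytes(range(32)), bytes(range(32, 64))
    pre_master = b"\x03\x01" + bytes(46)                # version + 46 bytes (random in practice)
    hello = b"ClientHello|TLS1.0|suites=AES128-SHA,RC4-MD5|" + client_nonce
    reply = b"ServerHello|TLS1.0|suite=AES128-SHA|session=01|" + server_nonce + b"|Certificate"
    kex = b"ClientKeyExchange|<pre-master encrypted to server public key>"
    # What the server received; optionally with the cipher list altered in transit.
    seen = hello.replace(b",RC4-MD5", b"") if tampered else hello
    master = master_secret(pre_master, client_nonce, server_nonce)
    sent = finished_mac(master, b"client finished", hello + reply + kex)       # client side
    expected = finished_mac(master, b"client finished", seen + reply + kex)    # server side
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    print("untampered handshake accepted:", handshake_check(False))
    print("altered cipher list accepted: ", handshake_check(True))
```

Because the MAC covers the whole transcript, any change to the unencrypted messages 1 and 2 makes the two sides compute different values and the handshake is aborted.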
As for the remaining support protocols:
The alert protocol produces error messages, both fatal errors and warnings; and
The change cipher specification protocol can be used to change the recently agreed cipher suite.
Deploying HTTPS on an Apache Web Server
Now I will demonstrate how you can add the SSL module to an Apache web server to secure web sessions connected to your web site.
In my setup, I have an Ubuntu client and a CentOS server running an Apache service.
First, install the SSL module on the web server, and generate an asymmetric key pair:
yum install mod_ssl
openssl genrsa -des3 -out webserver.key 2048
The key generated via this command is the private key. Ensure it is stored in a secure environment with proper access control. Using this private key, generate a digital certificate request:
openssl req -new -key webserver.key -out webserver.csr
Submit the certificate request to a certificate authority (CA) to obtain a digital certificate. For this demo, I generated a digital certificate using my private CA.
With the private key and digital certificate on hand, configure the Apache SSL configuration file (/etc/httpd/conf.d/ssl) with the parameter SSLCertificateFile pointing to the digital certificate and SSLCertificateKeyFile pointing to the private key.
Restart the Apache server.
Now you can access the web server via HTTPS!
Although all connections to the web server are encrypted, they are not authenticated because the certificate is signed by an unrecognised CA (i.e. me). Users are warned before they enter the web site, but do they understand the risk?
Shared by Emil Tan, Skipper & Co-Founder of Div0.