Skip to main content

Security Primer Part 1

By

SSL TLS PKI Primer Part 1

The first browser

In 1995 Netscape corporation has started developing the first browser - Netscape. It would later become Firefox.

They clearly understood that when you browse the internet, then, if the browsing is not secured you (and them) are going to be in big trouble, just think of it, people would steal your credit card, your details make orders on your name, read your personal mail.

So a security solution is required, they hired a great guy (PhD) and he figured out he should create a new security protocol, namely the SSL!.

The rebirth of security

So this guy has come with the SSL protocol, this was, because they figured out nobody is going to trust this browser unless it's really secured.

This doctor created the framework and protocol for the security of this browser, this was actually the birth and development of the excellent security protocol - the SSL.

Privacy, Integrity, it’s all there!

Security means many things. Privacy for example, by privacy, you mean encryption and integrity - it's hard but it's not impossible. SSL also provides integrity by using hash functions to sign your stuff.

SSL handles for you, privacy, so no one can know what you send back and forth to websites. This is however only one expect of security, what if someone wants to manipulate the packets you send? In addition SSL works in extremely hostile environments where someone tries to take control and pretend he is you and make the SSL handshake as if he is you.

It’s not just Netscape it’s the whole world!

So they saw that this security thingy that they are up to (SSL) is so much mind-blowing and all encompassing that they decided, hey this is not our responsibility I mean, this should be the whole world responsibility, so they would do what every sane developer like you and me would do, they moved it to the IETF to handle this ;).

Now what is the IETF you ask? Let me tell you this, these are the same guys that handle, TCP, the same guys that handle IP, the same guys that handle PGP. So it makes lot of sense they would be handling also SSL ain't it so?!

SSL → TLS

One of the first thing this group has done was renaming the protocol name, this was an *awful* decision, they rename it to TLS to make sure you see it’s about security for transport, however the term SSL is still being used, OpenSSL for example.

So some people say SSL some say TLS but all actually mean in most cases the same, yeah sure some might say SSL and mean the old SSL prior to TLS but in most cases both are used interchangeably.

Note that nobody is practically using the latest (old) SSL version but only the newer actual TLS and you should not be using any prior versions due to security risks.

Symmetric - aka secret codes

Symmetric encryption has been here for years, they were just called secret codes, you don’t use the old secret codes because they are weak, today you use much stronger and longer secret codes because they are stronger. But modern symmetric security is pretty strong, the only problem is - how do you exchange those secret codes - via the internet

How to share secret codes via internet?

So now the question is, how do you share secret codes via the internet? Without meeting in person with people? For that we have Diffie-Hellman key exchange. It’s actually pretty straight forward and involves picking two numbers, raising an arbitrary chosen number by power and then doing mod those original numbers. And both of you guys get the same number - the same symmetric key. I tell you the result I don’t tell you what number I have chosen to raise by power of one of the numbers we have chosen and thus we share some other numbers and not the numbers we use for symmetric encryption keys. And only me and you can deduce these symmetric keys. For more information see: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Browser and keys

When your browser connects to the internet it tells the server, hey I know how to do Diffie Hellman key exchange, I know how to do DSA symmetric encryption, basically, your browser, tells the server his set of known security cpaabilities, and they choose then which security protocol to use.

PKI (the problem with DIFFIE Hellman)

Public Key Infrastructure

I can think you do the key exchange with me and you can think I do the key exchange with you while there is someone in middle key exchanging for both of us, he can eavesdrop and know exactly what we send each other.

This is what we use when we use actually HTTPS. You combine both TLS and PKI in order to have HTTPS. The problem with the previous Diffie Hellman is that how do you trust that the person who gave you the number is actually who he claims he is? The way to trust him is to move the trust problem one layer beyond into certificate owners who are hardwired to your browser, and they point to certificate owners who they trust, and so you should trust as well.

So with the certificate authority I don’t only send you some data I also sign it with the public key and I have a certificate from the certificate authority that this is my public key so you can trust I am who I say I am.

And this my friends is the basis of https.


See you next time in part 2.

Comments

Post a Comment

Popular posts from this blog

Functional Programming in Scala for Working Class OOP Java Programmers - Part 1

By
Introduction Have you ever been to a scala conf and told yourself "I have no idea what this guy talks about?" did you look nervously around and see all people smiling saying "yeah that's obvious " only to get you even more nervous? . If so this post is for you, otherwise just skip it, you already know fp in scala ;) This post is optimistic, although I'm going to say functional programming in scala is not easy, our target is to understand it, so bare with me. Let's face the truth functional programmin in scala is difficult if is difficult if you are just another working class programmer coming mainly from java background. If you came from haskell background then hell it's easy. If you come from heavy math background then hell yes it's easy. But if you are a standard working class java backend engineer with previous OOP design background then hell yeah it's difficult. Scala and Design Patterns An interesting point of view on scala, is
14 comments
Read more

Alternatives to Using UUIDs

By
  Alternatives to Using UUIDs UUIDs are valuable for several reasons: Global Uniqueness : UUIDs are designed to be globally unique across systems, ensuring that no two identifiers collide unintentionally. This property is crucial for distributed systems, databases, and scenarios where data needs to be uniquely identified regardless of location or time. Standardization : UUIDs adhere to well-defined formats (such as UUIDv4) and are widely supported by various programming languages and platforms. This consistency simplifies interoperability and data exchange. High Collision Resistance : The probability of generating duplicate UUIDs is extremely low due to the combination of timestamp, random bits, and other factors. This collision resistance is essential for avoiding data corruption. However, there are situations where UUIDs may not be the optimal choice: Length and Readability : UUIDs are lengthy (typically 36 characters in their canonical form) and may not be human-readable. In URLs,
Post a Comment
Read more

Dev OnCall Patterns

By
Introduction Being On-Call is not easy. So does writing software. Being On-Call is not just a magic solution, anyone who has been On-Call can tell you that, it's a stressful, you could be woken up at the middle of the night, and be undress stress, there are way's to mitigate that. White having software developers as On-Calls has its benefits, in order to preserve the benefits you should take special measurements in order to mitigate the stress and lack of sleep missing work-life balance that comes along with it. Many software developers can tell you that even if they were not being contacted the thought of being available 24/7 had its toll on them. But on the contrary a software developer who is an On-Call's gains many insights into troubleshooting, responsibility and deeper understanding of the code that he and his peers wrote. Being an On-Call all has become a natural part of software development. Please note I do not call software development software engineering b
1 comment
Read more