SSL and Certificates: Get Started
You are working on the task assigned to you. Your manager, team lead or seniors are nearby, deep in a serious discussion, and the only words you can make out are SSL, certificate, public key, consumer, CA, trust store... Greek? Latin? Gibberish? Then you are at the right place. Let’s get started and learn to read the cipher.
SSL is the Secure Sockets Layer protocol. Put naively, SSL is what turns HTTP into HTTP‘S’. Before diving in, I should make clear that this post only gives a rough idea of what this kind of security is and how it works, so that the next time you hear these words they won’t sound like gibberish.
Let’s get familiar with the terms and breach the security.
CA – Certificate Authorities are third-party companies that sign certificates. A CA verifies the certificate and the party requesting it, then signs the certificate to say it is authorized, i.e. that the holder is who it claims to be. Comodo, Symantec, GoDaddy, GlobalSign and DigiCert are popular CAs.
Certificate – An electronic document that carries a signature. A certificate can be signed either by a CA or by its own owner; a self-signed certificate is usually used only internally within an organization. An unsigned certificate is invalid.
Encryption using keys – We know that encryption transforms plain text into cipher text. There are two kinds of key here: symmetric and asymmetric.
Symmetric key – A single key, shared by both server and client, is used both to encrypt and to decrypt the message.
Asymmetric key – There is a public key available to both server and client, but a private key held by the server alone. The client encrypts the message using the public key and the server decrypts it using the private key.
Trust Store and Key Store
A keystore contains private keys and the certificates with their corresponding public keys. When a server or client is asked for a certificate, it sends the certificate held in its keystore.
A truststore contains certificates from the other parties you expect to communicate with, or from the Certificate Authorities you trust to identify those parties. When a server or client receives a certificate, it checks it against the truststore to decide whether the certificate is valid.
Let’s get the BIG picture
SSL authentication is used to authenticate the server: the server has to prove its identity to the client by sending a digital certificate signed by a well-known, trusted CA.
1. The web browser hits the URL https://mail.cognizant.com.
2. The browser acts as the client and requests information from the server.
3. Since the URL is https, a secure connection must be made, so the client expects a certificate from the server.
4. The server sends its certificate, which is signed by a trusted CA and contains the server’s public key.
5. Our browsers (the client in this case) trust the well-known CAs by default. If your browser does not trust the CA, sorry, better luck next time: it will not establish the connection.
6. The client verifies the certificate and sends a message encrypted with the public key it received.
If the CA is trusted by the browser, the site is trusted and you will see the address bar highlighted in green. From here on, all communication happens in cipher text, with the help of the public key that the server provided to the client.
7. Once the secure connection is established, all the data is encrypted.
8. If someone interferes with the connection, it simply breaks; it does not leave a vulnerability behind.
In mutual authentication, in addition to server authentication, the client also has to present its certificate to the server. The server verifies it by checking that it is signed by a trusted CA and that it has not been tampered with. Once both server and client have authenticated themselves, SSL authentication has succeeded.
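To make the pieces above concrete (symmetric vs. asymmetric keys, keystore vs. truststore, the server-authentication steps 3 to 7, and mutual authentication), here is an added, self-contained Python model; it is not code from the original post and not a real SSL implementation. Textbook RSA on fixed Mersenne primes stands in for real cryptography (it is a toy and not secure), the CA name DemoRootCA, the hosts mail.example.test and intranet.example.test, the client alice, the session key and every function name are constructed for the example.

```python
"""Toy model of the SSL ideas in the post (added example, not the post's code).
A CA signs certificates, a client checks them against its trust store, a session
key is wrapped with the server's public key (asymmetric) and then used by both
sides (symmetric). Fixed Mersenne primes make the toy RSA keys deterministic."""
import hashlib
import json

E = 65537                                     # common RSA public exponent

def mersenne(k):
    """2**k - 1 for exponents where that is a known prime (toy key material)."""
    return (1 << k) - 1

def keygen(p, q):
    """Textbook RSA: returns (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    """SHA-256 of the data, reduced into the key's range (toy simplification)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)          # only the private key can do this

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)   # anyone with the public key can

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    """A CA (or the subject itself, for a self-signed cert) signs the body."""
    body = {"subject": subject, "issuer": issuer, "pub": list(subject_pub)}
    return {"body": body, "sig": sign(issuer_priv, encode(body))}

def check_cert(cert, truststore):
    """Receiver side: is the issuer in my truststore, and is its signature intact?"""
    issuer_pub = truststore.get(cert["body"]["issuer"])
    if issuer_pub is None:
        return False                           # unknown CA: no connection
    return verify(issuer_pub, encode(cert["body"]), cert["sig"])

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def sym_crypt(key, data):
    """Symmetric step: one shared key both encrypts and decrypts (SHA-256 keystream XOR)."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(server_cert, server_priv, truststore, session_key):
    """Server authentication (steps 3 to 7): returns the agreed key, or None."""
    if not check_cert(server_cert, truststore):
        return None
    wrapped = rsa_encrypt(tuple(server_cert["body"]["pub"]), session_key)  # client side
    unwrapped = rsa_decrypt(server_priv, wrapped)                          # server side
    return unwrapped if unwrapped == session_key else None

def mutual_handshake(server_cert, client_cert, truststore):
    """Mutual authentication: both certificates must pass the truststore check
    (in practice each side consults its own truststore; one is shared here)."""
    return check_cert(server_cert, truststore) and check_cert(client_cert, truststore)

def tampered(cert):
    """Deep copy with the subject rewritten: the CA's signature no longer matches."""
    copy = json.loads(json.dumps(cert))
    copy["body"]["subject"] = "other.example.test"
    return copy

# Constructed parties; each keeps its private key in its own keystore.
CA_PUB, CA_PRIV = keygen(mersenne(89), mersenne(61))
SERVER_PUB, SERVER_PRIV = keygen(mersenne(127), mersenne(107))
CLIENT_PUB, CLIENT_PRIV = keygen(mersenne(31), mersenne(19))
INTERNAL_PUB, INTERNAL_PRIV = keygen(mersenne(17), mersenne(13))

TRUSTSTORE = {"DemoRootCA": CA_PUB}           # the browser's truststore (constructed)
SERVER_CERT = issue_cert("mail.example.test", SERVER_PUB, "DemoRootCA", CA_PRIV)
CLIENT_CERT = issue_cert("alice", CLIENT_PUB, "DemoRootCA", CA_PRIV)
SELF_SIGNED = issue_cert("intranet.example.test", INTERNAL_PUB,
                         "intranet.example.test", INTERNAL_PRIV)

if __name__ == "__main__":
    key = 0x0123456789ABCDEF0123456789ABCDEF   # constructed session key
    print("CA-signed cert accepted:", check_cert(SERVER_CERT, TRUSTSTORE))
    print("self-signed cert accepted:", check_cert(SELF_SIGNED, TRUSTSTORE))
    print("session key agreed:", handshake(SERVER_CERT, SERVER_PRIV, TRUSTSTORE, key) == key)
```

Running it shows the behaviour the post describes: the CA-signed certificate is accepted, the self-signed one is rejected until its own certificate is added to the truststore (which is exactly what an organization does internally), a certificate whose body has been altered fails the signature check, and mutual authentication succeeds only when both certificates pass.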
Moral of the story: now you don’t have to listen to your manager speaking in cipher text; you can decode the message and breach the conversation.