TLS/SSL Explained: TLS/SSL Terminology and Basics

In Part 1 this series we asked, What is TLS/SSL? In this part in the series, we will be describing some of the TLS/SSL terminologies.

Before diving deeper into TLS, let’s first have a look at the very basics of SSL/TLS. Understanding the following will help you gain a better understanding of the topics discussed and analyzed later on.

Encryption

Encryption is the process in which a human-readable message (plaintext) is converted into an encrypted, non-human-readable, format (ciphertext). The main purpose of encryption is to ensure that only an authorized receiver will be able to decrypt and read the original message. When unencrypted data is exchanged between two parties, using any medium, a third-party can intercept and read the communication exchanged.

If the exchange contains sensitive information, that implies a loss of confidentiality. Furthermore, if the third-party can intercept and read the messages, they might as well tamper with the data which means they can change the information being exchanged thus compromising the integrity of the message.

Imagine sending a payment over an unencrypted channel. The payment includes your bank account details as well as the amount that you authorized. An attacker could use a man-in-the-middle attack to tamper the information and change the amount from $100 to $10,000. The bank receives the tampered data from the third-party instead of you which means that there is no authenticity. By using encryption, an attacker might still be able to intercept the traffic but they will not be able to read or tamper the data.

Symmetric Encryption

Symmetric encryption is the process in which the same key is used for encrypting and decrypting data.

If Thomas wants to send information to Bob, he will use a shared key to encrypt the data and Bob will decrypt the data using the same key.

The biggest problem with symmetric key encryption is that the data exchanged must be encrypted and decrypted with the same key. That means that all of the parties exchanging data must have the shared key.

The major drawback in this is that if the shared key is exposed, an attacker would be able to decrypt all the communication encrypted with that key. That is why the shared key distribution between the parties must be done over an already established secure encrypted communication channel. Another disadvantage is that you cannot authenticate the sender of a message, which compromises authenticity.

Advantages of Symmetric Encryption

• Fast, low resource usage.
• Simple operation.
• Secure.

Disadvantages of Symmetric Encryption

• Same key used for encryption/decryption.
• Key distribution must be done over an already established, secure channel.
• A different key is needed for different parties – key management/distribution.
• Cannot authenticate users.

Asymmetric Encryption

Unlike symmetric key encryption, asymmetric encryption (also referred to as Public Key Cryptography) uses a pair of keys, a public key, and a private key. These cryptographic keys are uniquely related which means that whatever is encrypted with one key, can be decrypted with the other. The public key, as the name implies, can be shared with anyone. The private key must be known only to the server.

Asymmetric encryption can be used for authentication of the sender. If Bob signs and encrypts a message using his private key, whoever decrypts it with Bob’s public key can be sure that Bob is the sender.

This is why keeping a private key secure is critical.

Advantages of Asymmetric Encryption

• Key distribution is easy.
• Authenticity.
• Integrity.
• Secure.

Disadvantages of Asymmetric Encryption

• Slower than symmetric encryption.
• Needs more resources.

Ciphers

Ciphers are methods/algorithms used to encrypt and decrypt data.

Block Ciphers

In this method, data is split into fixed-length blocks and then encrypted (e.g. 64-bit or 128-bit blocks). If the last block of the data is less than the specified block length, padding will be used to fill the “empty” space. Popular Block Ciphers include AES, Blowfish, 3DES, DES, and RC5.

Padding

Block ciphers have a specified fixed length and most of them require that the input data is a multiple of their size. It is common that the last block contains data that does not meet this requirement. In this case, padding (usually random data) is used to bring it to the required block length.

Initialization Vector (IV)

An Initialization Vector is a random (or pseudorandom) fixed-size input used in encryption methods. If this input is not repetitive on each message, then, it is also called as a nonce, which means that it can only be used once.

The main purpose of an IV is to start off an encryption method. In Cipher Modes, like Cipher Block Chaining (CBC), where each block is XORed with the previous block, in the first block there is no previous block to XOR with, so an Initialization Vector is used as an input to the first block to start off the process.

A nonce is also used to prevent attackers from decrypting all messages by guessing the IV. A nonce, which should be random and unpredictable, allows the same message to be encrypted with the same key and yet have a different result (ciphertext).

XOR (Exclusive Or)

XOR is an easy to implement logical function which is used in cryptography (among its many other uses). XOR takes two-bit patterns and it returns true only if the two inputs are different.

The following is an example of an XOR encrypt operation.

The following is an example of an XOR decrypt operation.

Block Cipher Algorithms

Electronic Code Book (ECB)

Each block of data is encrypted separately and concatenated at the end. A major drawback of ECB is that if the same block of data is encrypted, it will always generate the same ciphertext. Parallel processing is possible since blocks do not depend on one another.

Cipher Block Chaining (CBC)

Each block is XORed with the previous ciphertext before encryption. An Initialization Vector is needed for the first plaintext block encryption to happen. Parallel processing is not possible since the blocks are chained.

Cipher Feedback (CFB)

Turns a block cipher into stream cipher by selecting a number of bits to XOR on each iteration.

Output Feedback (OFB)

Similar to CFB, but instead of the result of XOR, the result of crypto goes to the next iteration.

Counter Mode (CTR)

Each block has a nonce and an iteration counter which is first encrypted and then XORed with a plaintext block. Then the nonce changes and the counter increments on each iteration.

Stream Ciphers

Stream ciphers are ciphers that use a method of encryption that encrypts data one bit or byte at a time. Each bit is encrypted with a different key. While stream ciphers are not used much in modern cryptography, a popular example of a stream cipher is the RC4 cipher.

Message Authentication Code (MAC)

Message Authentication Code (or Cryptographic Checksum) is a method which is used to check the authenticity as well as the integrity of a message. It accepts two input parameters, a secret key and a message of arbitrary length, and the result is called a tag.

If the MAC tag of the sender and the calculated MAC tag of the receiver match, that means that the message has not been tampered with. If they do not match that means that the message has been altered during the transmission.

Hash-Based Message Authentication Code (HMAC)

HMAC is a type of MAC which uses a hash function. It accepts two input parameters, a secret key, and a message of arbitrary length.

The following is an example of HMAC function using the SHA256 hash algorithm.

HMAC_SHA256("s3cr3tk3y","Hello World") = 2d9615ee921dab63c7c4c839842703fe338db46fdf17593a681bcee2c52721de

The following illustration shows how the HMAC function works.

文章来源于互联网:TLS/SSL Explained: TLS/SSL Terminology and Basics