SSL, TLS And Digital Certificates


What is TLS/SSL

Information security plays a vital role in this ever-changing world of digitization. Naturally, you would not want someone watching, eavesdropping on, or tampering with the information you exchange during an important conversation with your boss, a colleague, or anyone else.
We have seen several cases in which attackers manipulated information using attacks such as MITM (Man In The Middle), causing organizations to lose confidential data.

To avoid such incidents, and with privacy concerns in mind, the SSL (Secure Sockets Layer) protocol was developed in 1995 and has been widely preferred as a way to reduce the chance of compromise. SSL and its successor TLS (Transport Layer Security) are both sometimes referred to as SSL. They are cryptographic protocols that use several encryption/decryption algorithms (ciphers) to provide a secure channel for communication from one device to another. The protocol is highly recommended if you want to secure the communication channel between the web server and your web browser.

How TLS/SSL works

To establish a secure communication channel between two devices, the client and the server have to agree on some rules; this exchange is known as the TLS handshake. The following key information is exchanged by the client and the server to establish the secure connection:
  • The SSL client sends a Client Hello message to the server, which includes SSL version details and a list of supported cipher suites.
  • The server then replies with a Server Hello message to the client, which includes the cipher chosen from the list provided, the server's public key, and the server's digital certificate.
  • The client then validates the server's certificate and also checks the other cryptographic parameters.
  • The client then generates a session key, encrypts it with the server's public key, and sends it to the server. The session key is unique to each session.
  • Once this is done, the client and the server start communicating securely.
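
The first message of the handshake described above can be decoded by hand. The following is an added example, not code from the original post: it builds a constructed ClientHello record and parses out the offered protocol version and cipher suite list. The function names and the sample bytes are assumptions made for illustration.

```python
import struct

# Small lookup tables of IANA-assigned values; anything else is shown as hex.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def build_sample_client_hello(version, suites):
    """Constructed sample: a minimal ClientHello (no extensions) in one TLS record."""
    body = struct.pack("!H", version) + bytes(32)       # client_version + 32-byte random (zeros)
    body += b"\x00"                                     # empty session_id
    suites_raw = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suites_raw)) + suites_raw
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record type 22

def parse_client_hello(record):
    """Return (version_name, [suite_names]); raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("ClientHello too short")
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                            # skip version (2) + random (32)
    pos += 1 + body[pos]                                # skip session_id length byte + value
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites length")
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("bad cipher_suites length")
    codes = struct.unpack("!%dH" % (n // 2), raw)
    return VERSIONS.get(version, hex(version)), [SUITES.get(c, hex(c)) for c in codes]

SAMPLE = build_sample_client_hello(0x0303, [0xC02F, 0x002F])   # constructed input
if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```
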

Digital Certificates

In the earlier section, we explained how TLS/SSL works to secure communication. In a real-world scenario, however, all of this is done using public key certificates, also known as digital certificates. A certificate contains information about the key, identity details of the service owner, and the digital signature of a well-known authority that has verified the content of the certificate and validated the authenticity of the service. In a typical public key infrastructure, the authority that issues certificates is known as a Certificate Authority (e.g., Symantec), or CA for short. These authorities charge users for issuing digital certificates. The most common format used for digital certificates is X.509, as per RFC 5280.