
When our browser displays https://, we feel a sense of security and reassurance, because we know that the site is real and that our communication with it is secure. This security comes from TLS encrypted transmission and SSL certificates.

In the last part of this series, we introduced the meaning of HTTPS, the protocol stack, and the overall signaling process. Today we’re going to talk about the heart of HTTPS: TLS/SSL.

What is TLS/SSL

Secure Sockets Layer (SSL) is a socket security protocol for the transport layer. Simply put, it is used to secure data transmitted between two network entities, each of which can be either a client or a server. It was invented by Netscape. SSL was updated until 2015, when it was replaced by the TLS protocol, and the SSL encryption certificates that we use, also known as digital certificates, are actually part of the TLS protocol now.

Transport Layer Security (TLS) is a transport-layer security protocol that sits between HTTP and TCP. It provides encryption and integrity protection for communications between network entities through the TLS handshake. The latest version is TLS 1.3, from 2018.

The TLS combination

TLS uses a combination of symmetric encryption, asymmetric encryption, key negotiation, and hashing. Here’s a look at the combination used in an actual TLS message:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS: the protocol name.

ECDHE: the key exchange method. Elliptic Curve Diffie-Hellman Ephemeral is a short-lived (ephemeral) DH algorithm based on elliptic curves. I think a lot of people think of ECDHE as asymmetric encryption because it generates “public keys” and “private keys”, but it’s more about key negotiation.

RSA: the identity authentication method, used for the server’s signature. RSA uses asymmetric encryption, with a key pair consisting of a public key and a private key. If the server encrypts data using its private key, the client can decrypt the data using the server’s public key, which verifies the signature.

AES_128_GCM: the data encryption mode, used for symmetric encryption with the key generated after the handshake. The AES symmetric algorithm is used.

SHA256: the 256-bit hash algorithm, used to ensure data integrity.
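The breakdown above can be expressed as a small parser. This is an added example, not code from the original article; the function name and the returned field names are hypothetical, and it goes slightly beyond the text by also accepting TLS 1.3 names, which list only the cipher and the hash.

```python
def parse_cipher_suite(name: str) -> dict:
    """Split an IANA-style TLS cipher suite name into the parts listed above."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS cipher suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        negotiation, bulk = body.split("_WITH_", 1)
        parts = negotiation.split("_")
        key_exchange = parts[0]
        # A single token (e.g. RSA) names both key exchange and authentication.
        authentication = "_".join(parts[1:]) or parts[0]
    else:
        # TLS 1.3 names carry no key exchange or authentication component.
        key_exchange = authentication = None
        bulk = body
    cipher, _, digest = bulk.rpartition("_")
    if not cipher or not digest.startswith(("SHA", "MD5")):
        # Some suites (e.g. the TLS 1.2 CCM ones) end without a hash name.
        raise ValueError(f"no hash component found in {name!r}")
    tokens = cipher.split("_")
    has_bits = len(tokens) > 1 and tokens[1].isdigit()
    key_bits = int(tokens[1]) if has_bits else None
    mode = "_".join(tokens[2:] if has_bits else tokens[1:]) or None
    return {
        "key_exchange": key_exchange,
        "authentication": authentication,
        "cipher": tokens[0],
        "key_bits": key_bits,
        "mode": mode,
        "hash": digest,
    }


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_AES_128_GCM_SHA256"):
        print(suite, parse_cipher_suite(suite))
```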

With this combination, TLS serves three purposes:

  1. Data encryption
  2. Identity authentication
  3. Integrity protection

Integrity protection

TLS uses hashes for integrity protection. What is a hash?

  • A hash function compresses input of any length into a digest, scrambling it to produce a unique, fixed-length hash value.

  • The same hash function applied to the same input always gives the same output. Applied to different inputs, it gives different outputs with high probability. If the source data changes by even 1 bit, the change is greatly magnified in the resulting hash value, which prevents tampering.

  • The result is irreversible. When the source data and the hash value are long enough, it is almost impossible to derive the source data back from the hash value, which effectively prevents reverse cracking.

  • The security of a hash is positively correlated with its length. The most popular hashes are SHA256 and SHA384, which is used for Bitcoin encryption.

  • Collision resistance: there is little chance that any two different pieces of source data will have the same hash value, which prevents brute-force cracking. Of course, this depends on your source data. For example, if your password is 123456, the hash value is fixed and very easy to crack.

The way a hash is used is pretty straightforward:

  1. The sender sends the source data along with the hash value to the receiver.
  2. The receiver performs the hash operation on the source data and compares the result with the received hash value. If the two are consistent, the data has not been tampered with.

Hash application scenarios

Given these features, a hash is well suited to large data, because its fixed length can significantly reduce storage space requirements, and the longer the source data, the better the security!

It is also suitable for storing sensitive information such as passwords. Passwords in the server database cannot be saved in plain text. We can have the program automatically hash the password when sending it, and send only the hash value to the server, which compares it with the hash value in the database to verify the identity of the client.

But hashes have their limitations: they don’t prevent man-in-the-middle attacks.

If both the sender’s source data and the hash are intercepted by the “middleman”, the “middleman” can tamper with the original text and generate a new hash to send to the receiver, so the hash provides no protection. Therefore, for the hash to be effective, it must work with an identity authentication mechanism.
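The two-step check and its man-in-the-middle limitation described above, as an added example (not code from the original article). HMAC with a shared key stands in for the authentication mechanism purely for illustration, which is an assumption of this example: TLS itself authenticates the server with a certificate signature during the handshake. All names, keys and messages are constructed.

```python
import hashlib
import hmac


def plain_send(data: bytes):
    """Step 1: the sender ships the data together with its bare SHA-256 hash."""
    return data, hashlib.sha256(data).digest()


def plain_verify(data: bytes, digest: bytes) -> bool:
    """Step 2: the receiver re-hashes the data and compares with the received hash."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def keyed_send(key: bytes, data: bytes):
    """Same flow, but the tag depends on a key the middleman does not hold."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def keyed_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def demo() -> dict:
    key = b"constructed-demo-key"    # constructed; assumed shared out of band
    data = b"amount=10;to=alice"     # constructed sample message
    altered = b"amount=99;to=alice"  # what the receiver sees after a change in transit
    _, digest = plain_send(data)
    _, tag = keyed_send(key, data)
    return {
        "plain_intact": plain_verify(data, digest),
        # Data changed, original hash kept: the mismatch is detected.
        "plain_altered_old_hash": plain_verify(altered, digest),
        # Data changed and hash regenerated in transit: the bare hash cannot tell.
        "plain_altered_new_hash": plain_verify(*plain_send(altered)),
        "keyed_intact": keyed_verify(key, data, tag),
        # Without the key, neither the old tag nor a regenerated bare hash verifies.
        "keyed_altered_old_tag": keyed_verify(key, altered, tag),
        "keyed_altered_bare_hash": keyed_verify(
            key, altered, hashlib.sha256(altered).digest()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```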

Integrity protection through hashing is just the first part of the TLS combination. Next, we’ll look at how TLS performs authentication.





Thank you for reading. If there are any inaccuracies or errors, please leave a message pointing them out and I will correct them promptly.

Writing these summaries is not easy; please do not reprint without permission, otherwise don’t blame the old man for being impolite.

