Secure communication is extremely important online. Having conversations in clear text provides the attackers very easy access to information, conversations, and other data. PKI and SSL are both used by web server communication and email.
SSL allows PKI to be possible over the network. There is a handshake before client/server communication can continue. This is to verify the requester’s identity and validity. A current SSL certificate installed on a server will enable a padlock icon next to the URL which makes it an HTTPS domain. With a valid SSL certificate the website will allow secure connections. It is wise to not visit non-secure websites due to the increased risk of malware, browser attacks and snooping.
PKI is a process involving two pairs of keys. One pair for the client and one for the server. Each party’s public keys are well….public, and the private keys are secret which are kept by each user. A PKI certificate is is given by a certificate authority (CA) that signs the public key which proves the identity of the user and that key. There are two types of key encryption; symmetric and asymmetric; PKI uses asymmetric ciphers.
Hands-on learning with PKI and SSL is very easy. There are free tools out there to teach you how to deploy the two. If you are working in a company with an Enterprise environment chances are you have seen PKI and SSL in action and not even realized it.
What’s a Public Key Infrastructure (PKI) and how does it work?
Public key infrastructure (PKI) sets of key pairs. One public and private key is provided to both parties, usually a server and a client. The public key is used to encrypt data. The data can only be decrypted by the private key, which is kept secret by each party
PKI accomplishes two things, authentication and encryption. The authentication is performed by verifying that the other party is a legit entity (whether this be a server or client). This is done by signing the communication with your private key and encrypting the message. If the web site has a valid SSL certificate and generated keys, then the communication should proceed.
The encryption ensures the data in transit and at rest. The private key makes this happen. For example, a common use of the private key is to sign, encrypt, and send an email to another user. They will only be able to decrypt the email with their public key. The private key is not used for decryption, the public key is.
What’s a secure sockets layer (SSL) and how does it work?
Secure sockets layer is a browser/web server encryption protocol. The purpose is to encrypt data going to and from the destination. SSL uses key exchange to verify the security of the web page/server. The public key of the website is shared to the user who is visiting it, a session key is generated, and the client sees that the SSL certificate is valid through the certificate authority.
For example, we visit a page if it is secure we will see the padlock next to the domain name. Clicking it will display this information; notice that the certificate is valid, this is good.
We can also click on the certificate and see details about it. Issuing authority or certificate authority (CA), expiration, and the path are some of the details we can view.
Before web server communication can commence, an SSL handshake must be initiated and completed. Verifying the identity and validity of both parties will ensure secure data transfer.
This works the same way public key cryptography works, because it is PKI as well!
The SSL handshake works like this…
- Client sends hello packet to server
- Server sends hello, server certificate, server key exchange, client certificate request, and server hello done packets to the client
- Client sends certificate, client key exchange verification of certificate, change cipher spec and client finished message packets to server
- Server sends change cipher spec and server finished message packets
After that handshake the client and server can now send and receive data back and forth safely.
This handshake is intended to both protect the client and the server. A client wouldn’t want to access a web server with an expired certificate; likewise, a server wouldn’t want to allow access by a client without valid credentials either. This two-way trust model is essential for client and server security.
A great way to see the SSL/TLS handshake process is to view the network traffic with a tool such as Wireshark. Here you can see each network packet as it goes to and from the server. Some details you will see in the lower pane of the packet are:
- SSL/TLS versions supported by the client
- Cipher suites supported by the client (RSA, AES, SHA etc.)
- Public key and signature
- Server’s SSL/TLS certificate
- Client hello
- Server hello
- Server key exchange
- Client key exchange
- Change cipher spec
- Encrypted handshake
Dissecting the ins and outs of the SSL/TLS handshake will help you troubleshoot your web server, better understand how networking works (which can help with system/server administration), and see where possible security issues may lie.
During the handshake process, if either the server or client certificate has any issues a “your connection is not secure” page is presented to the user. You can then look at the certificate and see the status; you can also choose to add the web page as an exception and proceed or return to the previous page.
Ensuring a valid certificate is essential especially if you are hosting a domain where visits are important to your revenue. When visitors go to your site and the first thing they see is the unsafe web page warning screen, it is a huge turn off.
That person may never go back to your website because of that first impression. This is why it’s so important to make sure the certificate is valid before your site goes online! Along the same lines, it is also essential that the certificate is monitored and renewed before expiring.
A great way to make sure the cert is always current is to make or find an auto-renew script. You can develop one yourself or research ones that others have made online. A lot of web servers use Linux as the server or web host because of the simplicity, security, stability, and easy to manage.
SSL is actually outdated and because of the numerous security flaws discovered with versions 1.0 (never released), 2.0, and 3.0. Transport layer security (TLS) was made to supplement SSL and it’s weak security. The reason we keep seeing SSL speak in our certificate and web settings is because it’s more widely known than TLS. In other words, when someone says “SSL certificate” they are referring to the web server’s certificate which will usually be TLS.
Difference between asymmetric and symmetric cryptography
- Asymmetric
Asymmetric encryption uses pairs of keys. Public key cryptography is asymmetric because of the key pairs. SSL/TLS uses asymmetric encryption between the client and server. There are several asymmetric encryption algorithms with the most common being RSA and Diffie-Helman. RSA uses bit lengths of 1024, 2048, or 4096. Diffie Helman also has a bit length of 2048
- Symmetric
Symmetric encryption works by using the same key to encrypt and decrypt the plain text messages. Instead of two key pairs (asymmetric) it uses only one secret key; it is shared between both parties.
Some examples of symmetric ciphers are RC4, DES, and AES which is the strongest cipher; this is because it supports the longest bit length, this makes password attacking very difficult. AES supports 128, 192, and 256-bit key lengths and it is a block cipher; block and stream ciphers are part of symmetric cryptography. Block ciphers encrypt data within a block of bits. In contrast, a stream cipher encrypts data with a random keystream sequence.
In closing, the public key infrastructure and secure sockets layer are similar but different. PKI is the Publick Key Infastructre as a whole; while this is used for email a lot, web servers use SSL which utilizes PKI. With SSL and PKI there is a handshake which is a way of verifying that both parties are legitimate and have current certificates.
The key pairs are used for encryption, decryption, and verification. Asymmetric cryptography is more secure and harder to spoof/steal keys. The downsides are that it is slower and requires higher computing power opposed to symmetric cryptography.
Symmetric cryptography tends to be very fast but because of the use of the single key; there is much a higher risk of compromise. If symmetric cryptography is used, it is best to use a strong algorithm with a long bit length. In addition, be sure to keep the key safe between the sending and receiving parties.
Hopefully this post taught you a little about encryption and keys. Keep an eye for further posts regarding encryption and passwords!