SSL Handshake

This is no rocket science either. All communication over the internet happens with the SSL(Secure sockets layer) handshake which is now called as the TLS(Transport layer security) handshake. SSL was designed for HTTP connections and TLS has replaced the SSL.

The TLS handshake happens between the client and the server. The two parties involved will do the following


  • Specify the version of TLS they are using 
  • The type of cipher suite 
  • Identify the server and authenticate it through server's public key or SSL certificate authority's digital signature.
  • Establish session keys to use the symmetric encryption for further data in transit. 




Below are the exact steps that occur during the TLS DH handshake


  • The browser(client) will send the "Hello" message to server with details of its TLS version and cipher suites. It also sends string of random bytes known as client random
  • The server replies with to the client with its SSL certificate, cipher suite and server random. 
  • The client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.
  • The client sends one more random string of bytes, the "premaster secret." The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server's SSL certificate.)
  • The server decrypts the premaster secret using the private key
  • Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results.
  • The client sends a "finished" message that is encrypted with a session key.
  • The server sends a "finished" message encrypted with a session key.


Comments

Post a Comment

Popular posts from this blog

Bug bounty - Simple tips and tricks

Image
Its been a couple of months that I am bug hunting and I think I got hang of it now. Bug bounties are the most fancied way of earning money among the ethical hackers and otherwise engineers. I get many requests on Linkedin and Telegram to teach them about bug bounty. I have followed a few big time bug hunters and learnt from them. There are awesome writeups, podcasts and tutorials on Pentester.Land Here are a few tips and tricks to get started with any bounty program. Follow platforms like HackerOne and BugCrowd. They have organised bounty programs which reward in points and money according to the priority of the bug found. They have charity programs too if you wish to donate. So, when there are new programs launched for websites, mobile apps and APIs, you get to see whats in scope of the program and whats not. If you are reporting a bug thats not in scope, you get -ve points. There will be rules of the program which you MUST read carefully to understand the type of progra...
Read more

Hashing, Salting, Encoding and Encrypting

Image
One of the most asked questions when you say you are a cybersecurity engineer is that whats the difference between hashing, encoding and encryption. Many great blogs are available out there to answer that question. I try to make things simple so a layman gets it right. Hashing Hashing is a one way function where the given string is converted to fit in to a fixed length string using hashing algorithms. Simply put its a set of rules that convert the text in to a fixed length text. Hashing is basically used to check the authenticity of data. Assume you have a file that should be downloaded from a website. First you hash the file and digitally sign it. Now you hash the signed file too and encrypt(will talk about this later). The browser that downloads the file at the client end will get these two hash values from the file. Now it employes the same hashing mechanism and generates its own set of hashes. If these two hashes match the ones with the file downloaded, then the browser kn...
Read more

Homomorphic encryption

Image
Homomorphic encryption is a type of encryption where the data in transit can be accessed, computed, analysed all the while the data remains encrypted. This can be extension of both symmetric and asymmetric encryption(See Symmetric and Asymmetric Encryption for more details). This can be used for outsourcing encrypted data for storage and computation to the cloud environments In plain language homomorphic encryption is like this - Assume there are many things in a bag and you put your hands inside, manipulate their positions, access them and sense them but you cant pull them out and see for real what they are. This kind of data transmission is required in healthcare where the privacy is of most concern. The same holds good for voting purposes where the data needs to be encrypted for privacy purpose but also should be assessed. In the banking sectors too this is used to protect the PII and still perform the required processing on the data. The computations on the data are rep...
Read more