SSL/TLS in depth (HTTPS)

Ganesh L G
Aug 22, 2021

The following article gives you an idea of SSL/TLS and a brief overview of the topics involved in the process, such as public key certificates, CAs (certificate authorities), the RSA cryptosystem, the SSL certificate chain, etc.

Public Key Certificate

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key.

The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate’s contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate’s subject.

In a typical public key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them.

Types of Public Key Certificate

  1. TLS/SSL Server Certificate
  2. TLS/SSL Client Certificate
  3. Email Certificate
  4. EMV Certificate
  5. Code Signing Certificate
  6. Root, Intermediate and End-Entity/Leaf Certificate, etc.

Common Fields in Public Key Certificate

These are some of the most common fields in certificates. Most certificates contain a number of fields not listed here. Note that in terms of a certificate’s X.509 representation, a certificate is not “flat” but contains these fields nested in various structures within the certificate.

• Serial Number: Used to uniquely identify the certificate within a CA’s systems. In particular this is used to track revocation information.

• Subject: The entity a certificate belongs to: a machine, an individual, or an organization.

• Issuer: The entity that verified the information and signed the certificate.

• Not Before: The earliest time and date on which the certificate is valid.

• Not After: The time and date past which the certificate is no longer valid.

• Key Usage: The valid cryptographic uses of the certificate’s public key. Common values include digital signature validation, key encipherment, and certificate signing.

• Extended Key Usage: The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing.

• Public Key: A public key belonging to the certificate subject.

• Signature Algorithm: This contains a hashing algorithm and an encryption algorithm. For example, “sha256RSA”, where sha256 is the hashing algorithm and RSA is the encryption algorithm.

• Signature: The body of the certificate is hashed (using the hashing algorithm in the “Signature Algorithm” field) and then the hash is encrypted (using the encryption algorithm in the “Signature Algorithm” field) with the issuer’s private key.

SSL/TLS Certificate

A Secure Sockets Layer certificate (SSL certificate) is a small data file installed on a Web server that allows for a secure connection between the server and a Client.

In TLS (an updated replacement for SSL), a server is required to present a certificate as part of the initial connection setup. A client connecting to that server will perform the certificate path validation algorithm, which checks that:

1. The subject of the certificate matches the hostname (i.e. domain name) to which the client is trying to connect;

2. The certificate is signed by a trusted certificate authority.

The primary hostname (domain name of the website) is listed as the Common Name in the Subject field of the certificate. A certificate may be valid for multiple hostnames (multiple websites).

SSL Certificate Chain (Chain of Trust)

What is SSL Certificate Chain?

A certificate chain acts to establish a trust between Certificate Authorities (CAs) of a Public Key Infrastructure (PKI). The trust establishes the hierarchical roles and relationships between the root CA, the intermediate CA, and the Secure Sockets Layer (SSL) certificates.

In order to establish whether an SSL certificate can be trusted, a browser has to verify a few more details. These details are a few more certificates, and the list of SSL certificates from the root certificate down to the one presented to the browser represents the SSL certificate chain.

Components of SSL Certificate Chain

1. URL/Leaf/End-Entity Certificate

2. Intermediate Certificate

3. Root Certificate

Differentiating root and intermediate CAs

The root CA is the base of the certificate chain. Certificates from the root CA carry the same level of trust as the root CA certificate. The root CA signs the certificate for the intermediate CA. The role of the intermediate CA is to sign end-entity certificates for the root CA.

SSL certificate

The SSL certificate is signed by an intermediate CA for use as a domain specific certificate. The SSL certificate is installed on an SSL enabled server (end-entity) and the certificate is presented to the browser when initiating an SSL connection with the server. The browser will try to confirm the authenticity of the SSL certificate by checking the signing authority of the certificate.

Intermediate CA

The intermediate CA is a deputy to a specific root CA and uses a certificate signed by the root CA. The intermediate CA is the signer of SSL certificates. The intermediate CAs get their CA certificate directly from the signing root CA.

Root CA

The root CA utilizes an X.509-based public key certificate that specifically identifies the root CA. The root CA is the signing authority for the SSL certificate chain. Browser vendors include a list of known, trusted root CAs that will ultimately determine the validity of an SSL certificate.

For a browser to accept an SSL certificate, the certificate must be issued by a CA that has a signed certificate from a root CA that is included in the browser’s store of known, trusted root CAs.

The browser will check each intermediate CA’s certificate to establish whether it was issued by a known, trusted root CA. If the certificate of the intermediate CA was signed by another intermediate CA, the web browser will then check that intermediate CA’s certificate to see whether its issuer is a trusted root CA.

This chain of checking a level deeper will continue until the root CA certificate is located and checked against the browser’s trusted store of root CAs. When the root CA matches a known and trusted root CA in the browser’s store, the certificate is accepted as valid.

Untrusted SSL connections are handled in various ways by different vendors; most will warn that the connection is untrusted and require the user to acknowledge the discrepancy, or will outright refuse to establish the connection.

Introduction to the RSA Cryptosystem

The certificate signing process involves the RSA encryption methodology. Please understand its basics before proceeding further.

First, the receiver generates a public key and a private key, and sends the public key to the sender. Then, the sender encrypts the message with the received public key, and sends it back to the receiver. The receiver then decrypts the message using the private key, and the original message is retrieved.

As we can see from the diagram above, the raw message never gets transmitted over the public domain, which is where attackers will be eavesdropping. The private key must be kept securely at all times, so that the message cannot be decrypted by a third party.
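The RSA exchange, the hash-then-sign “Signature” field and the chain walk described above, combined in one added example (not the author's code). It is a toy model: textbook RSA without padding, dictionary “certificates” with only three fields, and only the two checks the article lists (hostname and trusted signer); all names, keys and the `www.example.test` hierarchy are constructed.

```python
import hashlib

def keypair(a, b, e=65537):
    """Toy RSA key pair from the Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def rsa(key, value):
    """Textbook RSA without padding: one modular exponentiation with the key's exponent."""
    return pow(value, key[1], key[0])

def round_trip(message, pub, priv):
    """Sender encrypts with the receiver's public key; receiver decrypts with the private key."""
    ciphertext = rsa(pub, int.from_bytes(message, "big"))
    return ciphertext, rsa(priv, ciphertext).to_bytes(len(message), "big")

def body_hash(cert):
    """SHA-256 over the certificate body, i.e. every field except the signature."""
    body = f"{cert['subject']}|{cert['issuer']}|{cert['public_key']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def issue(subject, subject_pub, issuer, issuer_priv):
    """The issuer hashes the body and applies its private key to the hash."""
    cert = {"subject": subject, "issuer": issuer, "public_key": subject_pub}
    return dict(cert, signature=rsa(issuer_priv, body_hash(cert)))

def signed_by(cert, issuer_cert):
    """Apply the issuer's public key to the signature and compare with a fresh hash."""
    return (cert["issuer"] == issuer_cert["subject"]
            and rsa(issuer_cert["public_key"], cert["signature"]) == body_hash(cert))

def validate_chain(chain, trust_store, hostname):
    """chain is ordered leaf first, root last; returns 'trusted' or the rejection reason."""
    if chain[0]["subject"] != hostname:
        return "hostname mismatch"
    for cert, issuer_cert in zip(chain, chain[1:] + chain[-1:]):  # the root signs itself
        if not signed_by(cert, issuer_cert):
            return f"bad signature on {cert['subject']}"
    if trust_store.get(chain[-1]["subject"]) != chain[-1]["public_key"]:
        return "untrusted root"
    return "trusted"

root_pub, root_priv = keypair(521, 607)  # constructed hierarchy: root -> intermediate -> leaf
int_pub, int_priv = keypair(1279, 2203)
leaf_pub, leaf_priv = keypair(2281, 3217)
ROOT = issue("Example Root CA", root_pub, "Example Root CA", root_priv)
INTERMEDIATE = issue("Example Intermediate CA", int_pub, "Example Root CA", root_priv)
LEAF = issue("www.example.test", leaf_pub, "Example Intermediate CA", int_priv)
TRUST_STORE = {"Example Root CA": root_pub}
print(validate_chain([LEAF, INTERMEDIATE, ROOT], TRUST_STORE, "www.example.test"))
```

Changing any body field of a certificate after issuance, dropping the intermediate from the chain, or presenting a self-signed root whose key is not in the trust store each produces a different rejection reason from `validate_chain`.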

Please refer to the flow chart below, where I tried to show a detailed explanation of the SSL/TLS connection and the Chain of Trust.

Thank You…!!!
