Friday, 23 August 2013

More Secure HTTPS

In the last post we have seen that a cracker can hijack your facebook or any other session easily if you are using an http connection. The problem with http is that data is send in plain text by both your browser and the server. So a cracker can intercept it and read its contents, or they can capture your session cookies and hijack your session. To increase the security of http, a more secure https is used nowadays. Here we will see what does the https do so that we can communicate securely with the server. Https encrypts the http messages using TLS(also known as SSL) protocol before transmitting it, Now only the receiver can decrypt it and hence the connection is secure. To fully understand the details of https you should understand the two types of encryption used:-symmetric & asymmetric encryption.
Symmetric Encryption: Here using a secret key(only the sender and receiver know it) the sender encrypts his message and transmits it. On receiving the message it can decrypted it using the same secret key.
Asymmetric Encryption: Here the a pair of keys are used, a private key and public key. If the data is encrypted into a cyphertext with the public key then it can be decrypted into plaintext only using the private key and vice-versa.
Hash: A hash is an "almost unique" fixed length string produced by an algorithm taking varying length data, it can be noted that a small change in data most probably changes the hash by a large value.

To start communicating securely, the client and server should have to complete an ssl handshake. It consists of the following steps.

1. The client(the web browser) first sends a "client hello" message which contains information about the encryption techniques that can be used.
2. The server sends a "server hello" message which consist of the encryption algorithm choose by it and also a digital certificate along with it.
 3. The browser verifies the certificate by checking the digital signature present in it and if finds genuine,  extracts the public key from the digital certificate and uses it to encrypt a random symmetric key and sends it to the server.
4. The server decrypts the symmetric key and using its private key associated with the public key sent. Now own the connections will be encrypted and decrypted using this symmetric key.

SSL certificate of
So the client and server can communicate using https connection securely over the internet. This connection is secure because they are only parties who know what the symmetric key is.The need of using a symmetric key is it makes encryption-decryption much faster than an asymmetric encryption.
Now the question is why cant a cracker do a man-in-the-middle attack by tampering the public key present in the certificate with his own? The working of digital signatures will tell the answer. Each browser consists of a number of built in ssl certificates, these are signed by trusted authorities like verisign, (in firefox you can see them in the preferences) these certificates also contains the public key of the authority.

Now, as the certificate obtained in the handshake contains a signature. Browser can check the integrity of the signature. Actually the server have to send its certificate to the certifying authority to get it signed, certifying authority hashes the certificates and encrypts the obtained hash using its private key. Now when the browser receives the certificate it hashes it and decrypts it using the public key present in the pre-installed certificate of the signing authority. Now if the hashes match then then the certifying authority can be trusted and browser goes on and complete the handshake. If the hashes dont match or the certificate is found to be invalid then an ssl error message will be shown immediately to the user. Hence an attacker cannot come forth with  a self signed certificate as it dont have the private key of the signing authority.
An SSL error message on Firefox
If you encountered a message like this it is strongly recommended that you should not continue.
But on a good ssl connection, as long as you can trust the installed certificate on your computer, you are safe and secure.
Problems can also arise when you dont really check if you are connected using an https connection. If the connection was started as http(like when you type in "" on the address bar), mitm attacks can be done by limiting the connection to http itself. We will look into the details of it in the next post.

Tags: working https ssl handshake tls encryption certificate digitel signature public private key encryption.