SSL and Certification Working
SSL is the process of Encryption and Identification.
Encryption Why it is needed?
Suppose you send Credit Card information from a Client device to a server, that information is not secured and can be used by hacker and misused, so we use SSL. when data is encrypted the attacker gets this data as a garbage. He cant decrypt this data and get orignal data.
HTTPS
Https is used to protect web by forming cryptographic data. Cryptography used in https are Symmetric(Encryption/Decryption) and Assymetric Cryptography.
In Symmetric Crypto, we take plain text and apply some encryption, this encrypted data is send to the receiver. At Receiver end the data is decrypted by same cryptographic function.
Asymmetric Crypto, where we use Public key to encrypt the data and secret key is used to decrypt the cipher text key at receiver end. also we can sign using secret key and get Digital Signature.this Digital signature can be verified by using public key and signature at Receiver end for authenticating the data. Like if the Signature are matched by using this algorithm (encrypting data with key) then the data is trusted and not manipulated.
KDC (Key Distribution Center)
A typical operation with a KDC involves a request from a user to use some service. The KDC will use cryptographic techniques to authenticate requesting users as themselves. It will also check whether an individual user has the right to access the service requested. If the authenticated user meets all prescribed conditions, the KDC can issue a ticket permitting access.
KDCs mostly operate with symmetric encryption. In most (but not all) cases the KDC shares a key with each of all the other parties. The KDC produces a ticket based on a server key. The client receives the ticket and submits it to the appropriate server. The server can verify the submitted ticket and grant access to the user submitting it.
Security systems using KDCs include Kerberos. (Actually, Kerberos partitions KDC functionality between two different agents: the AS (Authentication Server) and the TGS (Ticket Granting Service).)
Initially User talks to server, they talk to KDC entity, which is giant entity model having various keys and its principles.
This structure had some challenges
1) Single KDC Trusted by all.
2) Key Management
3) It should have all user information
4) Not that scalable, recovery, registration
5) KDC has to be online, which can cause bottle neck as everyone would be first talking to it.
When A & B are commuicating, A knows B's public key, so A generates Session Key, and send it to B. A then encrypt its data using public key of B and Session Key. B then decrypts using A's public key and secret key shared. Here we got rid of KDC for genertaing Session Key. Also we get authenticity of A's message been read and decrypted by B, as B has the corresponding secret key generated by A.
The secret which was generated is also been hashed by Difi Hellman and send to the receiver.This was done by KDC, which was later removed by public keys origin.
How to discover Public Key?
KDc's was later replaced by CA (certificate Authority), it removed the restriction of KDC entity of being online by issuing key. CA signs the message using secret key and send it to Sender. Then sender sends this signature to Receiver which is its public key.
Public keys are generated, like in case you bring out new computer, that computer's Web Browser comes with Signed Public Key from CA's entity.
CRL( Certification Revoking List)
The issued Certificates can be revoked by CA if they come to know about their mistake, as in case they issued Certificate to wrong domain or name.The CA then adds the list of revoked Certificates to CRL list, which users can download and not generate signature for this revoked Certificates. But this will be giant list and will add overhead and reduce number of connections on internet. So, CA just gives blank CRL list to avoid this. Also CA keeps an expiration dates for Certifaction.
Revoked Certification's are updated by bringing newer versions of browsers, like chrome updated from version 9.1.1 to version 9.1.3
No comments:
Post a Comment