Security 101 for developers: TCP/IP, SSL/TLS Certificates, AES/CBC Encryption, Password Storage, and More

🥵 When I was working on my college projects, for a simple presentation we were used to store user’s login credentials in our DB directly. And also we were not aware about the security protocols that are being used in the back to establish a secure communication.

🔥 Today we’ll discuss more in depth how it is being done. How cybersecurity enable us to browse securely and what are the common practices, encryption methods, protocols and certificates are there out in the market.

⚡️ I am writing this blog because of the fact that recently in one hackathon I was not able to make request to ChatGPT API from my Local host while I was able to make a request via Postman. So, the error was ssl handshake error with explorer.api.openai.com

✨ After this error, I studied a bit about various things and now I am publishing this to help people out there who want to understand some about it.

📍 TCP/IP and SSL/TLS architecture

Whenever it comes to communication we do have some rules and languages to present ourselves. Similarly when servers/websites communicates among themselves then there are some rules or protocols to be followed which will give us the standardised version while making anything on top of it.

So, these rules are being divided in the layer wise structure to communicate which looks like:-

Ref:- https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-xcom-data-transport-for-as-400/11-0/using/describing-tcp-ip-ssl-network.html

🫠 So, when we browse something on internet, say google.com the request that we make to google.com actually goes to an address something like http://127.0.0.1/ (localhost machine address example).

❤️ We will be taken to some IP (IPv4 address:- 32bit address) and this google.com —> IP mapping will be stored in some DNS (domain name service). DNS is a service that maps human readable domain names to IP addresses. Refer to the below image:-

Ref:- https://aws.amazon.com/route53/what-is-dns/

🔥 We’ll not go in details of DNS but this is the first step when you request google.com

📌 Now, comes the part how request goes to the internet and finally to the server which is nothing but a machine at some end of world. And how we get the response as HTML, CSS and JS that gets rendered on our machine.

🔥 There is a layered communication stack representation to represent different rules while processing request and response. Refer below:-

Ref:- https://w3.cs.jmu.edu/kirkpams/OpenCSF/Books/csf/html/FiveLayer.html

So, when we request from our Application (Browser) then our request gets structured via various layer’s protocols:-

Ref:- https://www.avg.com/en/signal/what-is-tcp-ip#:~:text=There are four layers of,when the data is received.

Referring to the Fig 1:-

Application Layer:

The Application Layer in the TCP/IP model corresponds to the topmost layer and is responsible for interactions between end-user applications and the network. It provides a platform for software applications to access network services and resources. Protocols like HTTP, FTP, SMTP, and DNS operate at this layer. Data is formatted and processed for presentation to the user or application.

Secure Socket Layer:

This layer is responsible of encryption, signing digitally to make the communication secure. This layer can be used for the platforms running XCOM data transport which uses OpenSSL to implement a secure communication. we’ll discuss about signing, encryption and more further in this blog.

Transport Layer:

The Transport Layer is critical for end-to-end communication and data integrity. It manages the establishment, maintenance, and termination of connections. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two primary protocols at this layer. TCP ensures reliable and ordered data delivery, while UDP is used when speed and efficiency are more important than guaranteed delivery.

Internet Layer:

The Internet Layer, often referred to as the Network Layer, is responsible for routing and forwarding data packets between different networks. It uses IP (Internet Protocol) addresses to determine the best path for data to travel from the source to the destination. Routing devices, such as routers, operate at this layer to direct data across network boundaries.

Link Layer:

The Link Layer generally comes inside the Internet layer only in TCP/IP architecture and sometimes referred as Network layer and handles communication within a local network segment. It encompasses both the Data Link and Physical Layers in the OSI model. This layer is concerned with framing, error detection, addressing, and access to the physical transmission medium. Technologies like Ethernet and Wi-Fi are associated with the Link Layer.

Physical Layer:

The Physical Layer deals with the transmission and reception of raw data bits over the physical medium. It defines the hardware characteristics, including cables, connectors, and signaling methods. This layer is responsible for the electrical or optical signals used for data transmission.

Each layer embeds its header over the message that Nth layer gets from (N-1)th layer while sending and while receiving on the other end it removes the header that was added while sending.

SSL/TLS certificates

💀 These are the digital certificates that facilitates a secure transmission btw your machine(website) and server(website’s end server). Websites that have these certificates protects/encrypt the data being sent to or by the website.

✨ There are different types of certificates that depends on the level of assurance required and number of domains/subDomains to support.

Based on the Domain/Subdomain support

• We have Single domain certificate that can be purchased to validate only a single domain. for ex: www.abc.com
• Then we have a Wildcard certificate that can validate a single domain and multiple sub-domains like www.*.abc.com where * can represent blog, help (www.help.abc.com, www.blog.abc.com etc)
• Then we have Multi domain certificates that can be used to secure a number of domains and subdomains. for ex:- www.abc.com can secure www.abc.org, www.abc.co.us, blog.abc.com, etc

Based on the level of assurance

• Domain validation certificate (DV) is a basic certificate that can be obtained in minutes without any business verification. It makes sure you have HTTPS and a padlock(An icon appears next to your url) visible in the URL. It doesn’t involve business name in the URL.
• Organisation validation certificate (OV) is a bit more advanced certificate and for businesses that deals with the sensitive data of the customers. It has Https and padlock and might have business name in the domain name too. It is issued by the CAs (certificate authorities) after verification of your business and takes a day or two to issue.
• Extended validation certificate (EV) is a bit more hard to obtain from the CAs and it requires the verification of physical existence, Pin, country etc of your business. It will have a green padlock before your URL. It might take 3 days to obtain and is hard to obtain as compared to the other ones.

How these certificates work

When user logs in the session TSL/SSL certificates are used to establish a secure connection btw website/browser and the server. It happens through the SSL Handshake.

It happens in three stages:-

1. Authentication:- When user comes on your website, user’s browser and your server will exchange their certificates to validate each other
2. Encryption:- After this your server shares its public key which browser uses to create a pre master key
3. Decryption:- After this your server will use its private key to decrypt the pre master key to establish a secure connection for this session

Ref:- https://www.entrust.com/resources/certificate-solutions/learn/how-does-ssl-work#:~:text=The browser%2Fserver checks to,server and the web server.

How to install a SSL certificate on the server

To install or create a Certificate you can follow these steps for Windows and similarly you can google about Linux or Mac OS.

• Open the Server Manager in the Windows Start menu.
• Click Tools and select Internet Information Services (IIS) Manager.
• Select your server name in the "Connections" panel to the left.
• Open the Server Certificates tool.
• Click the Create Certificate Request link in the upper-right corner, under the Actions list.
• Fill in the information in the Request Certificate wizard. You will need to enter your two-digit country code, the state or province, city or town name, full company name, section name (i.e. IT or Marketing), and the common name (typically the domain name).
• Leave the “Cryptographic service provider” set to default.
• Set “Bit length” to “2048”.

Order a certificate

You can choose any reputed CAs to get your SSL certificate. Make sure you are clear about your requirement like whether you need EV, OV or DV validation and also do you need single domain, multi domain certificate.
Now upload your generated CSR file to the service to order a certificate. After ordering download the respective certificate and install in your server by opening Server certificates tool and select the certificate file to install.

Bind the certificate with your website

Now follow the steps https://enterprise.arcgis.com/en/web-adaptor/10.3/install/iis/enable-https-on-your-web-server-server-.htm#ESRI_SECTION1_BE7A330F475C4A38B5A54902F2302EE8 to bind the certificate.

What is AES/CBC encryption

So, setting up the SSL/TLS certificates makes the whole communication channel secure but to encrypt the actual data most commonly used algorithm is AES-256.

We’ll talk about Encryption/Decryption, Storing passwords sometime soon. Blog is getting longer so stay tuned ❤️