DEV Community

Shahriyar Al Mustakim Mitul
Shahriyar Al Mustakim Mitul

Posted on • Edited on

DevOps Prerequisite (Part 9): SSL and TLS

TLS is a certificate ensures the communication is encrypted and server is actually what it actually say it is

Image description

For example, assume that you are john and want to access to your account from the website my-bank.com

Image description
A hacker might hack the traffic and get your password and then claim your account.

Image description

To solve this issue, we use a secret key which is then applied to your password to make it unique

Image description

Image description

Now, once you want to get access to the server, your encrypted data is passed on the traffic and the hacker might get the data. Still he can't decrypt it

Image description

But here is an issue, you need to send a copy of your password to the server to decrypt it.

Image description
While doing so, hacker can get the key as well!!! This is called symmetric encryption (uses same key to encrypt and decrypt)

To solve this issue, we use assymmetric encryption (public and private key)

Image description

Let's call public key as public lock for now.

Firstly, we encrypt the data with public key/lock. Then we share the name and password along the public key/public lock
Image description

But the password can be decrypt only with the private key

Image description

So, how we generate these keys?

We generate using ssh-keygen

Image description

id_rsa is the private key and id_rsa.pub is the public key/lock

You can now lock your server using the public key.

Image description

You can also check that the key under /.ssh/autorized_keys. You can see the public key there.
Let's go back to the bank's situation
Now, we will generate public and private keys on the server.

Image description

Then the public key/lock is sent to the user and the hacker might get that as well

Image description

The user has a key (symmetric) earlier created to encrypt the data. Now this symmetric key and the lock will combine together and will be sent to the server.

Image description

The hacker also gets that

Image description

The server uses private key to decrypt the public lock/key.

Image description

So, this is how the server gets the symmetric key . Now the server can decrypt the user password and get access to data

Image description

Image description

But the hacker is not happy and somehow copies the whole website in his server and somehow takes you there

Image description

You then share your symmetric key to the server

Image description

Now, the hacker decrypt your password and you got hacked!!

Image description

Image description

But how to know know if a public lock that was shared to me is genuine from the bank server or the hacker?

Basically that public key was shared with a certificate.

Image description

The certificate looks like this

Image description

Anyone can generate the certificate.So, how to know that?

We know that by the signature. If the hacker did that, the hacker will have a signature on it (self signed)

Image description

So, this is how it looked once the hacker sent the user public lock

Gladly, all browser has certificate validation

Image description

It checks if a certificate is valid or not!

But for the original certificates, we have CA (certificate authorities). Some are Symantec etc.

Image description

So, how to generate trusted certificate?

Using the public key, you request for a signing request (CSR). How to do that?
You use openssl to send your public key and domain name to CAs and it generates a CSR request

Image description

The certificate authority then checks and it all information is right, they sign the certificate.

Image description

For the hackers case, the certificate will not be validated by CAs

Image description

So, these CAs can help validating public websites.To solve issue for private websites, you can install their private version and install in your company PC

Image description

The real bank server can also ask for the client to generate a csr to verify if he/she is the real user

Image description
Using the CA, the user can generate csr and send to the real server.

The whole thing is called as PKI (Public key infrastructure)

Examples of public key/lock and private keys

Image description

Mutual TLS

Image description
Assume that mybank.com wants to send some data to abc-financials.com
So, how will abc-financials will know that mybank.com is actually sending data?

This is where mutual TLS works and client and sever will now verify the authenticity of each other.

Assuming my-bank (client) sends some data to abc-financials (server)

Image description
Client first requests the server's public certificate.

Image description

THe server replies back it's public certificate

Image description

The client checks with the CA, if the certificate is valid

Image description
Once verified, the client sends a certificate to the server and also shares a symmetric key which is encrypted with the public key of the server.

Image description

The server now validates with the CA if the client indeed belong to the mybank

Image description

So, in this way, they have both mutually verified each other.

Top comments (0)