DEV Community

Sam

Tender, Loving Security brought to you by TLS

Communication systems pose a general problem: how can you send data over a network to a specific receiving party and guarantee that nobody else can eavesdrop on the message or tamper with its contents? As users we rely on an answer to that question, and take it for granted, every time we exchange private information with another party, and for good reason. For much of the internet and the systems that support it, the ‘s’ in https is a large part of the solution. That ‘s’ stands for secure, and the security is brought to you by TLS.

TLS stands for Transport Layer Security, and its job is to protect data in transit so that eavesdroppers and attackers can neither read nor silently alter the private and sensitive information you share over the internet. It is worth being precise about what the ‘s’ in ‘https://’ does and does not promise. When your browser reports a secure connection, it has checked that the server presented a certificate, issued by a Certificate Authority (CA) the browser trusts, for the host name shown in the address bar. That proves you are talking to whoever controls that domain name and that nobody in between can read or modify the traffic; it does not prove the site is honest or legitimate, and phishing sites obtain perfectly valid certificates too. To establish a secure connection between a browser and a web server, the site operator obtains a TLS certificate (still widely called an SSL certificate) from a CA, which verifies control of the domain before issuing it. HTTPS is simply the regular, ol’ HTTP protocol carried inside a TLS connection. Today HTTPS is used by all major websites along with most other web services.
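To see concretely what that certificate check buys (and what it does not), here is an added example in Go, not code from the original post. It mints a certificate for the made-up host shop.example, starts a TLS server on a loopback port, and connects a client three times: with the right name and a trusted root, with the wrong name (bank.example), and with an empty trust store. The host names, the self-signed certificate standing in for a CA-issued one, and the helper names (newServerCert, Handshake, Scenarios) are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert mints a self-signed certificate for the given host names.
// It stands in for a CA-issued certificate: the pool it returns plays the
// role of the browser's trusted-root store and contains only this cert.
// (Illustration only; a public site gets its certificate from a real CA.)
func newServerCert(hosts []string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hosts[0]},
		DNSNames:              hosts, // the names this certificate is valid for
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// Handshake starts a TLS server on a loopback port, connects a TLS client and
// returns the error the client saw while validating the server's certificate
// (nil means the handshake completed). serverName is the host the client
// believes it is talking to, i.e. what would be in the address bar.
func Handshake(serverCert tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	serverDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer raw.Close()
		// The server side only needs its certificate and matching private key.
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		serverDone <- srv.Handshake()
	}()

	// tls.Dial runs the full handshake, including chain and host-name checks,
	// against the roots we supply instead of the system trust store.
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: serverName,
	})
	if err == nil {
		client.Close()
	}
	<-serverDone // the server sees either the client's alert or close_notify
	return err
}

// Outcome records what the client saw in the three cases a browser distinguishes.
type Outcome struct {
	Trusted   error // right host name, issuer trusted: expect nil
	WrongName error // certificate was issued for a different host
	UnknownCA error // issuer is not in the trust store
}

// Scenarios runs the three handshakes against one certificate for shop.example.
func Scenarios() (Outcome, error) {
	cert, roots, err := newServerCert([]string{"shop.example"})
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Trusted:   Handshake(cert, roots, "shop.example"),
		WrongName: Handshake(cert, roots, "bank.example"),
		UnknownCA: Handshake(cert, x509.NewCertPool(), "shop.example"),
	}, nil
}

func main() {
	o, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("shop.example cert, visiting shop.example, root trusted:", o.Trusted)
	fmt.Println("shop.example cert, visiting bank.example, root trusted:", o.WrongName)
	fmt.Println("shop.example cert, visiting shop.example, root unknown:", o.UnknownCA)
}
```

Only the first handshake succeeds. The second fails because the name in the certificate does not match the name the client asked for, and the third because the issuer is not in the trust store; those two checks are exactly what the browser's padlock stands for. Note that nothing in them says anything about whether shop.example is run by honest people.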

TLS evolved from Secure Sockets Layer (SSL), an earlier encryption protocol developed at Netscape in 1994, where chief scientist and cryptographer Taher Elgamal drove the work [1]. SSL 1.0 never really reached the public, because it had significant flaws, including weaknesses that could expose passwords in plaintext. Nice in theory, but its integration into internet security did not go smoothly, which led to the famous version 2.0. SSL 2.0 shipped in Netscape’s browser and became the basis for securing HTTP, officially taking up the title Hyper Text Transfer Protocol Secure (HTTPS). SSL 2.0 turned out to have serious flaws of its own and was superseded by SSL 3.0 and then, in 1999, by TLS 1.0; today every SSL version is considered broken and is disabled in browsers, and a modern connection negotiates TLS 1.2 or TLS 1.3. But it is that lineage that allowed data to be exchanged safely between your browser and the website.

Keys and Pairs
So how is it possible to send messages that only a specific intended party can read? Well, it all starts with the foundation: the fundamental mechanism behind TLS’s authentication is a pair of cryptographic keys (usually referred to as a ‘key pair’ for short). First the private key is generated randomly, or rather “unguessably” (yes, this is a real term in computer science), from a good source of randomness. The public key is then derived mathematically from the private key. That derivation is a one-way street: computing the public key from the private key is cheap, while recovering the private key from the public key is prohibitively computationally expensive. In RSA, the scheme this description has in mind, what one key locks the other unlocks; modern TLS mostly uses elliptic-curve keys instead, where the same two guarantees hold but signing and key agreement are distinct operations rather than “encrypting with the private key”. Either way, if you hold such a key pair, you can distribute the public key to anyone with whom you want to communicate.
As long as you retain sole possession of the private key, two things are guaranteed:
Anyone who receives a message carrying a signature that verifies correctly under your public key knows it must have been produced with the private key, meaning it must have come from you and has not been altered since you signed it.
Anyone who has the public key can use it to encrypt a message and send it to you, knowing that you alone can decrypt it with the private key.
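Both guarantees in working code, as an added example that uses Go’s standard-library RSA implementation (it is not code from the original post). The key-pair owners alice and mallory, the message, and the helper names Sign, Verify, Seal and Open are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds a private key and the public key derived from it.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair draws an "unguessable" private key from the OS random source.
// The public key falls out of key generation for free; going the other way
// would mean factoring the modulus, the hard problem RSA rests on.
func NewKeyPair(bits int) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Sign is the first guarantee: only the private key can produce a signature
// that verifies under the public key. The message is hashed first and RSA-PSS
// adds randomized padding; "raw" RSA on the message itself is never used.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is true only if sig was produced over exactly msg by the private
// key matching pub. Any change to msg, sig or the key makes it false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Seal is the second guarantee: anyone holding the public key can encrypt a
// short message that only the private-key holder can open. RSA-OAEP caps the
// plaintext at a couple of hundred bytes, which is one reason TLS uses public
// keys to agree on a symmetric session key rather than to encrypt the page.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts a message produced by Seal; it fails with the wrong key.
func Open(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Demo exercises both guarantees with a constructed message and reports
// whether each check behaved as expected (every value should be true).
func Demo() (map[string]bool, error) {
	alice, err := NewKeyPair(2048)
	if err != nil {
		return nil, err
	}
	mallory, err := NewKeyPair(2048) // an impostor with her own key pair
	if err != nil {
		return nil, err
	}
	msg := []byte("pay bob 10 credits") // constructed sample message

	sig, err := Sign(alice.Private, msg)
	if err != nil {
		return nil, err
	}
	forged, err := Sign(mallory.Private, msg)
	if err != nil {
		return nil, err
	}
	box, err := Seal(alice.Public, msg)
	if err != nil {
		return nil, err
	}
	opened, err := Open(alice.Private, box)
	if err != nil {
		return nil, err
	}
	_, wrongKeyErr := Open(mallory.Private, box)

	return map[string]bool{
		"genuine signature verifies":    Verify(alice.Public, msg, sig),
		"tampered message rejected":     !Verify(alice.Public, []byte("pay eve 10 credits"), sig),
		"impostor's signature rejected": !Verify(alice.Public, msg, forged),
		"owner can decrypt":             bytes.Equal(opened, msg),
		"other key cannot decrypt":      wrongKeyErr != nil,
	}, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for check, ok := range results {
		fmt.Printf("%-32s %v\n", check, ok)
	}
}
```

The signature checks show why the first guarantee covers integrity as well as origin: changing one word of the message, or signing it with a different private key, makes verification fail. The decryption check shows the second guarantee, and the size limit noted on Seal is why, in real TLS, the public key only protects the handshake while the page itself travels under a symmetric key.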

The process may seem hard to wrap our heads around at first, but we as users of the web have been relying on it the entire time while surfing, and the fact that we take it for granted shows how effective TLS has been. One caveat worth knowing: the key pair is used only to authenticate the server and to agree on a session key, after which the actual page data is encrypted with a fast symmetric cipher such as AES, because public-key operations are far too slow for bulk traffic. In conclusion, TLS provides three critical security features: confidentiality, integrity and authentication. The first prevents messages from being eavesdropped, the second ensures that any tampering in transit is detected, and the third allows one or both parties to prove an identity that cannot be impersonated.

1: https://en.wikipedia.org/wiki/Taher_Elgamal