Ref: https://learn.cantrill.io/courses/2022818/lectures/45662102

• Summary:
• Contents:

SSL & TLS - Key Concepts

• 🔧 L6 encryption protocols for securing data transmission over the internet
  • Secure Socket Layer (SSL) → original, developed by Netscape in mid-1990s
  • Transport Layer Security (TLS) → newer, more secure version of SSL
• ❗ SSL/TLS provides:
  1. Privacy → encrypted tunnel of communication between client and server
  2. Identity verification → clients verify server identity
     • 💡 Full two-way verification possible, but generally only client needs to verify server
  3. Data integrity → protects against alteration of data in transit → reliable connection
• SSL/TLS used by many L7 protocols, e.g. HTTP, SMTP…
  • HTTP + SSL/TLS = HTTPS (HTTP Secure)
    • 💡 Every time we use HTTPS, we establish an encrypted SSL/TLS tunnel

Transport Layer Security (TLS) - 3-Phase Architecture

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0400-TECH_FUNDAMENTALS/00_LEARNINGAIDS/TF-GEN-SSLTLS.png

💡 A TCP connection has already been established before TLS process begins

i) TLS Cipher Suites

• 🔧 Cipher Suite = set of protocols used by TLS
• A Cipher Suite includes:
  • Key exchange algorithm
  • Bulk encryption algorithm
  • Message Authentication Code (MAC)
    • ❗ Do NOT confuse with Media Access Control (MAC)!
• Client and server must agree on common cipher suite:
  • Client sends “Client HELLO”
    • Includes list of supported cipher suites (as well as SSL/TLS version, session ID…)
  • Server answers with “Server HELLO”
    • Includes cipher suite choice and server certificate (with server's public key)
    • ❗ If server doesn't support any of client's cipher suites, connection simply fails!
• 💡 Cipher Suite has been agreed and client has server's public key, which can be used to encrypt data that only server can decrypt… But before doing that client should verify that server is indeed who it claims to be!

ii) TLS Authentication

• 🔧 SSL/TLS Certificate = Digital document with server's public key and DNS name (& other stuff)
  • Has been signed by an independent, 3rd-party Certificate Authority (CA)
    • 💡 Clients’ OS and/or web browsers inherently trust many of these public CAs (they have been hard-coded to trust them)
  • Clients can verify the CA signed a SSL/TLS certificate (if client trusts the CA)
• Enabling SSL/TLS on a server:
  1. Generate a public-private key pair & certificate
  2. Send the cert in a Certificate Signing Request (CSR) to a public CA
  3. CA delivers back a signed certificate if all is well
  4. Signed certificate can now be used in client requests involving SSL/TLS