Why SSL, TLS and Ciphers for secure web-services ?
In today’s world, web services are an essential part of the modern enterprise. People can easily fulfill most of their requirements within couple of minutes through the internet. So it is very important to ensure all these communications are secure to prevent any sensitive information leaking out to other external parties. Here comes the term security for communications in web services.
Think of an SSL/TLS certificate as a driver’s license for a secure ride. It serves two functions. It grants permissions to use encrypted communication via Public Key Infrastructure, and also authenticates the identity of the certificate’s holder.
Encryption is a process that takes information and essentially scrambles it and the only one who can unscramble it is a server or computer with a corresponding key. By encrypting communication between a server and a browser, all of the information sent between the two is protected from the malicious third parties.
Authentication is done via the organization that issues the SSL certificate. These Certificate Authorities go through a validation process depending on which type of certificate a website is purchasing. There are three types of certificate levels:
* Domain Validation
* Organization Validation
* Extended Validation
What is SSL ?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. To create an SSL connection a web server requires an SSL Certificate.
Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site’s SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL. SSL secured websites also begin with https rather than http.
What is TLS ?
TLS (Transport Layer Security) is also a network protocol similar to SSL that allow data to be transferred privately and securely between a web server and a web browser. TLS is just an updated, more secure, version of SSL.
TLS consists of two parts:
- The TLS handshake layer manages which cipher will be used, the authentication (using a certificate specific to your domain name and organization), and the key exchange (based on the public-private key pair from the certificate). The handshake process is performed only once to establish a secure network connection for both parties.
- The TLS record layer gets data from the user applications, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer.
TLS establishes an encrypted, bidirectional network tunnel for the data transition between two hosts. TLS is most often used in parallel with other internet protocols such as HTTPS, SSH, FTPS, and secure email.
TLS v1.2 was introduced in 2008 and it is the most widely used TLS standard as at now. TLS 1.3 is the latest published version and it is still in it’s early age. The major benefits of TLS 1.3 vs that of TLS 1.2 is faster speeds and improved security
HTTP vs. HTTPS
HTTPS is the HTTP protocol embedded within the TLS protocol. HTTP takes care of all the web surfing mechanics, and TLS takes care of encrypting the data sent over the network and verifying the identity of the server host using a certificate.
Why SSL/TLS Security ?
- It prevent criminals from tampering the communication between website and web browsers.
- It prevent external parties from passively listening to communications with your server.
- It provide more consistency as it specifies the type of certificate that must be exchanged between nodes.
Drawbacks of SSL/TLS
- TLS will add latency to your site’s traffic.
- It will add complexity to your server management.
- It will require more resources for the handshake.
What are Ciphers ?
A cipher suite is a set of algorithms used by a secured network connection that uses TLS or SSL. The security of any SSL/TLS protected connection depends on the client and server’s choice of cipher suites. The set of algorithms that cipher suites usually contain include below components.
- key exchange algorithm- defines how symmetric keys will be exchanged
- authentication algorithm- defines how server authentication and client authentication is carried out
- bulk encryption algorithm- defines which symmetric key algorithm will be used to encrypt the actual data
- message authentication code (MAC) algorithm- defines the method used by the connection to carry out data integrity checks
Let’s elaborate this using an example.
One cipher suite typically consists of 1 key exchange, 1 authentication, 1 bulk encryption, and 1 MAC algorithm. Here’s an example of a typical cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Let’s break that down.
- TLS simply indicates the protocol
- ECDHE signifies the key exchange algorithm
- ECDSA signifies the authentication algorithm
- AES_256_CBC indicates the bulk encryption algorithm
- SHA384 indicates the MAC algorithm
Some key exchange algorithms: RSA, DH, ECDH, ECDHE
Some authentication algorithms: RSA, DSA, ECDSA
Some bulk encryption algorithms: AES, 3DES, CAMELLIA
Some MAC algorithms: SHA, MD5
It is not mandatory to include the protocol components in certain cipher suite. Sometimes it is simply omitted. eg: DHE_RSA_AES256_SHA
Summary
TLS and SSL on top of HTTP provides a mean to protect your web site from hackers and other external parties and to provide a secure and reliable user experience. Ciphers are algorithms which is ideally a set of instructions for encrypting and decrypting information. It is a named combination of ciphers used to negotiate security settings during the SSL/TLS handshake. You can configure your web site to use either a single TLS version or multiple versions and a corresponding set of ciphers depending on your requirement and consumer expectations.
