Securing Connections with SSL/TLS

Back                  << Index >>

For complete explanations, please have a look at : https://www.enib.fr/~harrouet


SSL/TLS encryption

For the moment we exchange messages without any security. Any bad people sniffing the connection can know exchanged messages between the client and the server.

ssl_tls

The solution is encrypting messages. To encrypt and decrypt a dialog, we need a key.
If the key is the same for both sides, it’s a symetric encryption .
The encryption is represented by a locked box.
If both guys own the key already, the problem is over, they can exchange messages in a safe way.

ssl_tls

Now we consider we have to transmit the key.
The client asked for connection to the server.
We consider a locked box with 2 locks : one to open, one to close.
As a result we need 2 different keys to encrypt and decrypt the message.

  1. The Server puts his message in the box
  2. The Server closes the box with his private key ( encryption )
  3. The Server sends the message with a public key

The private key belongs to the server, nobody else can get it.
The client receives a public key with the message.

ssl_tls

  1. The Client opens the box with the public key
  2. The response is encrypted with the same public key
  3. The Client sends the message
  4. The Server is the only one who can open the box since he’s got the private key ( related to the public key ).

ssl_tls

There is still a problem.
If a bad guy relays those messages, he will decode everything. This is the man in the middle attack.
The Client needs to know the server identity .

ssl_tls

The identity card is a certificate given by a trusted certification authority.
1. The Server sends a certification request and his public key to the certfication authority.
2. A signed certificate is produced
3. and encrypted by the certification authority private key.

ssl_tls

  1. Now the server joins this encrypted certificate to his message
  2. encrypts the message
    3 sends the message

ssl_tls

  1. At reception,
  2. the client decrypts the certificate with a certification authority public key ( this key is present alread in updated web browsers ).
    the client verifies this certificate is update and related to the public key.
  3. then the client and the server can exchange messages to construct a new key.

ssl_tls

This new key permits exchanging messages with symetric encryption, which is quicker than asymetric one.
Once done, both guys can exchange in a safe way.

ssl_tls


Static / Dynamic Server ( with websocket support) with SSL/TLS support



SOURCE CODE

Producing Keys and Certificate

We consider we are the certification authority. We will produce a self-signed certificate, which will trigger a web browser warning.

Static Server

ssl_tls

Dynamic Server

ssl_tls


Back                  << Index >>