-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathw4_2_HTTPS_SecureComm
112 lines (92 loc) · 6.19 KB
/
w4_2_HTTPS_SecureComm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
HTTPS and Secure Communication
------------------------------
The usernname and password submitted in plain text format transmitted on the standard http ptotocol is
easily subjected to capture by an intruder;
Hence secure communication is required;
Cryptography
------------
* Symmetric Key Cryptography
----------------------------
-> Symmetric Encryption:
------------------------------
* Shared secret key between the two parties;
Sender Receiver
Message -> + ------------------> Encrypted Message -------------------> + -> Message
/\ | /\
| | |
Secret key Malicious Third Party Secret key
Cannot decrypt
But in cases we don't know the receiver, the shered keep upon which both parties need to agree upon fails;
----------------------------------------------
* Public Key Cryptography
----------------------------
-> Asymmetric Encryption:
---------------------------
- Public key that can be widely distributed;
- Private key that is only known to the receiver;
Sender Receiver
Message -> + ------------------> Encrypted Message -------------------> + -> Message
/\ | /\
| | |
public key Malicious Third Party private key
Cannot decrypt
But public key cryptography is not used widely since it is computationally expensive;
Hence we use public key cryptography between the sender and receiver initially to agree on a secret key , and there after
they can be in symmetry and symmetric key cryptography can be performed between each other;
SSL protocol uses this;
Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
-------------------------------------------------------------
-> These are cryptographic protocols that enable secure communication between sender and receiver, over an insecure network
like the internet;
-> The sender and receiver communicate over the internet using encrypted messages, which only the sender and receiver can
decrypt;
-> Privacy and Integrity of the communication is protected - uses a combination of public-key cryptography and symmetric
cryptography;
SSL/TLS Handshake
-------------------
CA -> Certification Authority;
Client Server
|------I need to communicate with you securely---------->------------->|
|<--Here's my certificate-(public key + certificate by CA)-------------|
Verify server | |
credentials | |
|---Pre-master secret encrypted with server's public key-------------->|
Generate Session | | Generate Session
Key |<-------Symmetric encryprion from now on ---------------------------->| Key
| |
|------- Message encrypted with Session Key---------->---------------->|
|<----Message encrypted with Sesion key -------------------------------|
HTTPS
-----------
HTTP Over Secure Socket Layer
Client Server
---------- -------------
| HTTP | | HTTP |
---------- --------------
| SSL/TLS| <---------Secure communication---------------------------------> | SSL/TLS |
---------- --------------
| TCP | | TCP |
---------- --------------
| IP | | IP |
---------------------------------------------------------------------------------------------------------
| UNDERLYING NETWORK |
----------------------------------------------------------------------------------------------------------
Generating Keys
---------------
The server needs public key and private key for public key cryptrography;
Certification process is required, where a certification authority - Vetisign or Thawte; They will verify and assign
a public key private key pair and sign on the public key with their own signature for the respective server;
That will be a process of establishing your authenticity to any client that want to communicate with the server;
// Computer networks - James Kurose and Keith Ross;
Tool called ->OpenSSL - to generate self-signed keys;// testing
-> Use openssl for generating keys for testing
a. openssl genrsa 1024 -> private.key;
b. openssl req -new -key private.key -out cert.csr
c. openssl x509 -req -in cert.csr -signkey private.key -out certificate.pem
-> foe production environment / deploying to the production server you need to get keys and certificate from a
certificate authority(CA) e.g.,Verisign, Thawte;
Node HTTPS Module
------------------
-> Node supports https as its core module;
-> need http; and private.key and certificate.pem, file system module is used to read private.key and certificate.pem;
----------------------------------------------------------------------------------------------------------------------------