Andy-Nina small talk: SSL/TLS Handshake

Nina: Hey Andy, can you answer this question about SSL?

Andy: Shoot it. I know what SSL does.

Nina: Which of these does SSL use?

  1. Asymmetric Encryption (Using public & private keys)
  2. Symmetric Encryption (Using single key)

Andy: That's simple. It uses Asymmetric Encryption.

Nina: WRONG!!

Andy: I am pretty sure. I can explain to you how it works.

  1. First the client contacts the server asking to establish a secure channel.
  2. Then the server responds with a public key back to the client.
  3. After that all the information is encrypted and can only be decrypted using the private key.

Nina: What you said is partially correct. Let's see who has what keys.

  1. Server has both public and private keys
  2. Any middle-person (bad guy) has public key (Remember, the whole point of SSL is to avoid middle-person stealing/manipulating information, so when talking about SSL, we need to talk about this guy)
  3. Client has public key

Andy: Right

Nina: So how can we establish a two-way connection using just one private key? How will the server send encrypted information back to the client? There is no way the client can decrypt the data.

Andy: I get it now. But I remember reading it as asymmetric encryption. Okay, so the answer is Symmetric Encryption.

Nina: Not Really!! How will the client and server agree on a single key without the middle-person (bad guy) knowing it?
(Note: At this point if you are wondering how the bad guy got in the middle, then you need to read about Man-In-The-Middle attacks. One important purpose of SSL is to avoid these attacks)

Andy: So client and server need to agree on a symmetric key, but they need to do so in a secret way without the middle-person knowing it. How's that done?

Nina: Let me explain

  1. First the client contacts the server asking to establish a secure channel.
  2. Then the server responds with a public key back to the client (To establish asymmetric connection)
  3. Then the client picks a new symmetric key, encrypts the key using the public key and sends it to the server.
  4. The server, which has the private key, then decrypts the message to extract the symmetric key.
  5. At this point both client and server have the symmetric key and no one else has it. From this point on, they will use symmetric encryption.

So to answer my first question: SSL uses both asymmetric encryption and symmetric encryption.

Andy: That's quite nice, I didn't know it. Actually, that means asymmetric encryption is only used during the initial connection setup phase and later on it's all symmetric encryption.

Nina: That's right!

Important note: Details of the actual SSL handshake are ignored here. The purpose of this article is not to explain the absolute technical details but to explain how a two-way encrypted connection is made by initially using a one-way encrypted connection. Details such as pre-master key generation, master key generation, etc. are ignored. Further reading: one, two, three.
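
The simplified five-step exchange Nina describes, as an added example that is not part of the original article. It assumes a toy key pair (unpadded textbook RSA built from two known Mersenne primes) and a SHA-256 keystream standing in for the symmetric cipher; the names `xor_stream` and `handshake_and_chat` are made up here, and none of this is secure or is what real SSL/TLS does on the wire.

```python
import hashlib
import secrets

# Toy server key pair (assumption for illustration): textbook RSA from two
# known Mersenne primes. Unpadded and far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, sent to anyone who asks
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the server

def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts. It has no integrity protection."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake_and_chat():
    wire = []  # everything the middle-person can read
    # Steps 1-2: client asks for a secure channel, server replies with its public key.
    wire.append(("server->client", (N, E)))
    # Step 3: client picks a fresh symmetric key and encrypts it with the public key.
    client_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(client_key, "big"), E, N)
    wire.append(("client->server", wrapped))
    # Step 4: only the holder of D can recover the symmetric key.
    server_key = pow(wrapped, D, N).to_bytes(16, "big")
    # Step 5: both directions now run on the shared symmetric key.
    request = xor_stream(client_key, b"c2s", b"GET /account")    # constructed sample message
    wire.append(("client->server", request))
    server_saw = xor_stream(server_key, b"c2s", request)
    reply = xor_stream(server_key, b"s2c", b"balance: 42")       # constructed sample message
    wire.append(("server->client", reply))
    client_saw = xor_stream(client_key, b"s2c", reply)
    return client_key, server_key, server_saw, client_saw, wire

if __name__ == "__main__":
    ck, sk, server_saw, client_saw, wire = handshake_and_chat()
    print("keys match:", ck == sk)
    print("server read:", server_saw, "| client read:", client_saw)
    for direction, message in wire:
        print(direction, message)
```

The `wire` list is the middle-person's view: the public key, the wrapped key and two ciphertexts, none of which is the symmetric key itself.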

I decided to write this after I found out that quite a few developers did not pay attention to the details of SSL. Honestly, it may not be important either; in most cases developers use a third-party library.

Ask your colleagues and find out if they know about it.

When you ask them which mechanism SSL uses: if they say asymmetric, ask them how two-way communication is established. If they say it's symmetric encryption, ask them how the key can be exchanged without the middle-person (bad guy) stealing it.

Discussion on lobster. Let me know what % of your friends/colleagues are right about the details.
