TLS/SSL Certificate Issuance
A public key is used to sign in to something.
1. Get certificate issued from CA
- The server asks for the CA's public key.
- The server sends a new message containing its own public key and domain name to get a certificate from the CA. This entire message is encrypted using the public key of the CA.
- The CA unlocks the message using its private key, looks into the message, verifies the details and sends back the certificate as payload along with other info, signed by the public key of the server.
- The server can read the message using its own private key.
2. Send certificate to others to establish connection
The session key is a symmetric key, so it is used by both the server and the client.
Essentially, PKI is used for the key exchange process, and afterwards the encryption is handled by symmetric-key encryption.
RSA and Diffie-Hellman are public-key systems.
Flaws
RSA is not to be used from TLS/SSL 1.2 onwards.
RSA has a Heartbleed issue in TLS 1.0.1 / 2. Here, a special heartbeat message is sent to the server to keep the SSL connection open.
Payload | size
The message contains a payload and the size of that payload. When the server receives the message, it replies with the payload that was stored in its memory.
Now, if the client sends a heartbeat message whose payload is actually 1 byte but whose size field says 65k, the server receives the payload and stores it in its memory. It then replies with a payload of size 65k.
This means the client gets 65k of the information stored on the server. This is a flaw, and it matters because the information revealed includes keys, sensitive data, etc.
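The missing length check described above, as an added example that is not part of the original notes: a simplified model in C where the record layout, the buffer sizes and the secret string are all constructed for illustration. The flawed reply trusts the size field; the checked reply discards any record whose claimed size exceeds the bytes that actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: byte 0 type, bytes 1..2 claimed size (big-endian), then payload. */
#define HDR 3u
#define MEM 64u
/* Simulated server memory: record at offset 0, unrelated secret right after it.
 * One array keeps the demonstration inside defined memory. */
static uint8_t mem[MEM];
static const char SECRET[] = "PRIVATE-KEY-BYTES"; /* constructed value */

static void receive(const uint8_t *rec, size_t rec_len) {
    memset(mem, 0, MEM);
    memcpy(mem, rec, rec_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);
}

/* Flawed reply: echoes as many bytes as the size field claims. */
size_t reply_flawed(uint8_t *out) {
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > MEM - HDR) claimed = MEM - HDR; /* clamp so the demo stays in the array */
    memcpy(out, mem + HDR, claimed);
    return claimed;
}

/* Checked reply: drop the record unless the claimed size fits in what arrived. */
size_t reply_checked(size_t rec_len, uint8_t *out) {
    if (rec_len < HDR) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > rec_len - HDR) return 0;
    memcpy(out, mem + HDR, claimed);
    return claimed;
}

/* 1 if the reply to a 1-byte payload claiming 0xFFFF bytes contains the secret. */
int reply_leaks_secret(int use_checked) {
    const uint8_t rec[] = { 0x01, 0xFF, 0xFF, 'A' }; /* constructed request */
    uint8_t out[MEM];
    receive(rec, sizeof rec);
    size_t n = use_checked ? reply_checked(sizeof rec, out) : reply_flawed(out);
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void) {
    printf("flawed leaks: %d, checked leaks: %d\n", reply_leaks_secret(0), reply_leaks_secret(1));
    return 0;
}
```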
RSA is not to be used. They recommend a key size higher than 2048 bits, and that is too large.
Diffie-Hellman also suffers from issues like MITM attacks, so it is coupled with digital signatures. In recent times we use elliptic-curve-based Diffie-Hellman, as the key size remains smaller and the security is as good as that of lengthier key sizes.