Transport Layer Security, TLS 1.2 and 1.3 (Explained by Example)
Jan 25, 2022
TLS, which stands for Transport Layer Security, is a protocol to secure communication between the client and the server. It's used specifically in the HTTP protocol; that's what the S in HTTPS stands for, by the way. In this video, before jumping into the security part, we really need to talk about vanilla HTTP and how it works. Then we're going to talk about how HTTPS works, again from a bird's eye view. Then we're going to talk about TLS 1.2, which I think is the most widely used encryption for the HTTP protocol, and specifically about the handshake that happens before sending the GET request.
Then we'll jump to the new version, 1.3, which improved a lot of things. Before that we really need to talk about Diffie-Hellman, the key exchange algorithm. It's a very popular key exchange algorithm that is used everywhere and solves many of the problems with the RSA key exchange. Finally we'll jump into the TLS 1.3 enhancements, which make it much faster and much more secure.
If you want to become a better software engineer, consider subscribing and check out the other content on this channel. That's it, let's move on to the video, guys. So the first thing we're going to talk about is vanilla HTTP. How does HTTP work? Most of the time you have a web server listening on port 80; that's where the HTTP protocol runs. Obviously you can turn on a Node.js or a Tornado Python app that listens on other ports, but essentially when you go to google.com over HTTP the implicit port is 80.
HTTP runs on top of TCP most of the time, and TCP is stateful: both the client and the server are aware of the connection, and it's bidirectional, while the HTTP protocol itself is stateless. You only need TCP to make the transport transparent; that's why many people tell you HTTP can run over UDP if you want, you can use anything. That's the beauty of HTTP being stateless: if the connection dies, HTTP notices, ooh, my connection died, let me create a new one. The server doesn't see this; your browser does that for you. Your browser essentially opens the TCP connection for you, the fetch API does that for you (I'm going to reference the fetch API here whenever I talk about making a call from the browser or any app), and if you use a library like XMLHttpRequest it does the same thing. So in a nutshell you open a connection, then at some point it gets closed. Now, opening and closing a connection really differs depending on the version of HTTP: 1.0 literally opened and closed the connection after every request, but they changed that and made the connection persistent. I'll cover that in another video.
So the connection is open, and I send a GET request: GET /, "get slash". That's the path, sometimes /index.html. The server processes this request. If you have enough bandwidth the request gets to the server, then it takes the processing time for that request, and then it sends back the headers (Content-Type: text/html and other stuff, maybe Set-Cookie, all the headers) and the actual index.html. I deliberately added a space here: this is the latency. There's the bandwidth, and there's the server processing time (you calculate stuff in the backend, query the database), and that's latency that we as software engineers want to minimize as much as possible.
When I talk about TLS I'm going to refer to all of those things from a software engineering perspective. I'm not going to talk about the mathematics of encryption and all that; I'm not good at all that. If anyone is interested in the mathematics of encryption, I'll reference videos by professors who do it much better than me. OK, so that was vanilla HTTP. HTTPS, how does it work?
It's exactly the same. The only differences are that the port is different and that something happens before we send the GET request, which is usually called a handshake. The goal of this handshake is for the client and the server to agree on a key: the symmetric key to be used for encryption and decryption, the exact same key on the client and on the server. Now you can ask, what is the difference between symmetric and asymmetric encryption? That's why we made a video on the difference between symmetric encryption, asymmetric encryption, hashing and all that, and why we need each of them. There's always a reason. I'm not going to go through them here, but essentially a symmetric key means it's the same key on both sides, and it's much faster than asymmetric encryption; that's the point of this.
Once each side has the key, the client takes that key, takes its GET request, and locks it, encrypts it, so that it essentially becomes garbage. TCP can carry that garbage. The encryption usually happens at layer seven or layer six, right? We talked about those; I'll reference them. So we encrypt it and then push it down to TCP. TCP is just blindly transporting the payload. It doesn't know it's encrypted; it's just a bunch of bits it needs to transfer to the server.
The server receives it, uses the key to decrypt it, understands that it's a GET request and processes it. Notice that this takes a bit longer because there's decryption involved, so obviously there's a cost. Software engineers, we really need to understand these latencies and every piece of this; that's why we need to understand how TLS works, at least at an overview level. You don't need to understand the details, but you need to understand how this affects our work when we write code. We can't just say it's all a black box; sometimes you need to understand the basic stuff. The server then encrypts the response, index.html or JSON or whatever it is, and sends it back. Anyone who sniffs this gets garbage, but if they have the key they'll be able to decrypt it. So that's the key, that's the key. OK, got it? And then close it.
I put three dots here, which means it doesn't really close after that response. It used to in 1.0, but in 1.1 there is a keep-alive that the client sends to the server, by the way: keep it alive please, keep me alive, don't kill me. In general I just like to talk about the different software engineering aspects of this thing. TLS 1.2 is the most popular version currently in use. I'm not going to talk about the old SSL stuff; it's completely outdated and very insecure. I want to talk about what is widely used at the moment, and then we'll move on to 1.3.
Let's talk about 1.2 first. Transport Layer Security, TLS 1.2, exactly the same picture. Remember, guys, when we explained the handshake? This is what we're going to talk about now: let's zoom in on this handshake arrow and try to explain what's going on here. When they first designed TLS they said we'll make it configurable, we'll make it fancy, we'll give the client options, we'll give the server options, options, options, it's all about the options. So what the client does is send a Client Hello. There's a lot going on in the Client Hello; I'm going to talk about some of it, but it has a lot of other information I just don't have room to add. In a nutshell, the TCP connection is already set up, and now we're sending the first request, the Client Hello, which says: yo server, sup, my name is client, and here is all the encryption I support. For key exchange I support RSA or Diffie-Hellman, I support this, I support that. For symmetric keys I support AES, I support DES, I support Blowfish, all our stuff. This depends on the client, because maybe it's an old Internet Explorer so it only supports old stuff, maybe it's a new Chrome 76 (I don't know if there's a 76 version, I made it up), but the client generally supports newer stuff than the server.
The server says: sure, you look like you're great, I'm a little old, so we're going to use this algorithm for the key exchange, and we're going to use this algorithm for the symmetric key. Here is my certificate. A certificate is a fancy term for the server's public key; it has a lot of other things in it, including the server's public key, and the client will directly use that to encrypt the symmetric key. So the client says, OK, you want me to use AES? Sure, I'm going to go ahead and generate the symmetric key. It's not really the symmetric key, it's the premaster key used to generate the symmetric key, but you can also call it the symmetric key for simplicity. So here's what the client does: it uses the public key from the server to lock the symmetric key and sends it to the server, and that's essentially how it works with RSA. Locking the symmetric key and sending it over the network is really bad, right? We're going to talk about it. Even if you say, hey, this is encrypted, why do you care? Right, it's encrypted, but you're sending the key. If anyone got hold of this, they somehow got the whole chat; it's critical to everything, right?
If someone got the server's private key they'll get immediate access to everything: they got the private key, so they got the symmetric key. The server receives the key, and now both sides have the symmetric key. The server finally says, I'm done, let's go ahead and start the communication. So we've reached the state we wanted, where both the server and the client have the symmetric key, and they start encrypting: I send encrypted requests, you return encrypted responses, and that's it. So you can see, guys, that's the problem, right?
The problem is we're encrypting the symmetric key, or the premaster key, and sending it. That's the problem with 1.2, or one of the problems: it allows insecure key exchange algorithms, like, you're letting me encrypt the key and just send it. If someone managed to get the private key from the server... and you'll say, how can you get the private key from the server? Well, there was a problem with unpatched OpenSSL on servers, and some people were able to extract information from the server, including the private key. So it happens. It's not that easy, but people could do that. OK, so that's essentially the RSA key exchange.
Diffie-Hellman, which we'll talk about next, is much more secure. Also, just to send a GET request there's a lot going on; the round trips aren't insignificant, so it's slow. Slow and insecure, OK, and "insecure" is a stretch because it's really up to you: that's the downside of the options, the abundance of options TLS 1.2 gives. Now Diffie-Hellman. Let's talk about the problem with the key exchange algorithm, especially RSA, which takes the public key and makes us encrypt the symmetric key and send it. Even if it's encrypted and no one can decrypt it except the server, if someone got that private key they can essentially decrypt all communications. So these two guys came up with a clever idea: send information about the key, but not the actual key, and let the parties essentially generate the key for themselves. Here's the TL;DR of this; there's a lot of math in there, right?
I'm going to reference a video here where a professor goes through the math of Diffie-Hellman and the actual algorithm, but here are the basics. You have three keys. You generate a private key, the blue key, and the other side generates a private key, the red key. These are private and should never be sent over the wire in any way, because if anyone manages to have all three, they get your symmetric key. That's the point of this: adding the blue key, the red key and the pink key together gives you the symmetric key. The blue key is the client's part and is private, the red key is the server's part and is also private, and the pink key is public, and it's OK if we send it over the wire. So: private, private, public. Combine them all together and you get the symmetric key, the secret key we want. Here's another piece of information: the combination of blue and pink, which is private plus public, can together be public.
It's OK to send it over the wire, because with this algorithm, Diffie-Hellman, if you combine them together there's no way to break them apart, or at least it's very, very expensive to break those two apart. So the blue and the pink can be sent together, because even if the attacker can sniff them he won't be able to break them and get the blue key. Blue alone should never be sent; red alone should never be sent; the same with red and pink: combine them and it's unbreakable and it can be public. With that being said, let's repeat it a little bit: private, public and private. This is the client, this is the server, and this is the public key, which usually the client actually generates and sends. Combining the client's private key with the public key is public and unbreakable; combining the server's private key with the public key is public and unbreakable; combining all three gives you the private key, the symmetric key. OK, that's it, we're ready to talk about 1.3. Here's 1.3, guys: it says, enough with these options. No options for me, no options for you. What happens here is the client will always communicate via Diffie-Hellman, the algorithm we were just talking about. You will have a choice of which symmetric algorithm to use, but for the key exchange it's Diffie-Hellman ephemeral only (we'll talk about ephemeral after this slide). So the client generates the blue key, which no one can see, and also generates the public pink key. Remember, this is public. It generates the private and the public, and then it sends the public key. Who cares?
Aladdin (remember Aladdin?) can sniff it and steal it, fine. Then the client merges the public and the private key and sends that too; we don't care. Remember, it will be a number; merging these two essentially produces a number. These are all just numbers, based on prime numbers, and the math behind it is very important computer science. Because that's public, these two values are public; this one, the blue key, is not. Remember, when you merge them you can't split them, so together they can be sent. So the server, on the other hand, generates its own private key, the red key, and keeps it; this is a very secure temporary server key. What it does is take the two values it received and add the red key to them, and guess what, guys, we just got the gold key. One round trip and the server has the symmetric key immediately. Again, this is not the symmetric key, this is the input to the algorithm that gives you the symmetric key, but essentially it's almost the same. We have the key. But guys, what about the client? Remember, the client doesn't have the key yet.
The client needs the red key to merge with what it has to complete this. We can't send the red key alone; that would be bad, because if you send the red key like that, Aladdin would have it. By the way, in the video we did on encryption it's always Alice and Bob and Charlie as the hacker; here we have Aladdin for some reason. So Aladdin would pick up the red key, merge it with what he sniffed, and he would have the gold key, and that's bad. So what the server does is take the public pink key and merge it with its red key (remember, it has that), and then send those two together. That's cool, because those two together are fine: they're unbreakable, remember, they can be public. It's fine if Aladdin got hold of this, because he won't be able to break them apart and get the red key; all he has is the merged value. Now the client receives these two, it has the blue key, combines them together, and it has the gold key. Done in two round trips. TLS 1.3 is done in two round trips; it's much more secure and it's much faster because I don't have to do all this negotiation anymore. Then we encrypt using the fancy gold key, send the GET request, and the same thing comes back with index.html, and we're done. That's great, guys. With that being said, let's finish this video.
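Here is the blue/red/pink/gold exchange from the Diffie-Hellman explanation and the 1.3 handshake above, written out as an added Python example (not code from the video). It assumes a deliberately small, constructed prime group so the numbers stay readable (real TLS uses standardized groups and elliptic curves), and the function and variable names are mine.

```python
import hashlib
import secrets

# "Pink" key: the public group parameters (p, g).  CONSTRUCTED toy values,
# far too small for real use; TLS negotiates standardized groups instead.
P = 2147483647   # 2**31 - 1, a prime
G = 7            # generator of the multiplicative group mod P


def gen_private(p=P):
    """A private exponent: the blue key on the client, the red key on the
    server.  It never leaves the host; 'ephemeral' means a fresh one per
    handshake, thrown away afterwards."""
    return secrets.randbelow(p - 2) + 1


def mix_with_pink(private, p=P, g=G):
    """'Merge' a private key with the pink key: g**private mod p.  This value
    is safe to put on the wire; separating 'private' back out of it is the
    discrete-logarithm problem the video calls 'unbreakable'."""
    return pow(g, private, p)


def gold_key(my_private, peer_mixed, p=P):
    """Combine all three pieces (my private key, the peer's mixed value, and
    pink) into the shared secret, then hash it into symmetric key bytes."""
    shared = pow(peer_mixed, my_private, p)        # g**(blue*red) mod p
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()


def tls13_style_handshake(client_private=None, server_private=None):
    """The 1.3-style exchange: the ClientHello already carries blue+pink, so
    the server has the gold key as soon as it reads it; the ServerHello
    carries red+pink and the client derives the same key.  Returns what an
    eavesdropper sees on the wire plus both sides' derived keys."""
    blue = client_private if client_private is not None else gen_private()
    red = server_private if server_private is not None else gen_private()

    # ClientHello -> server: pink (P, G) and blue+pink.  Blue stays home.
    client_share = mix_with_pink(blue)
    # Server side: (blue+pink) + red = gold.  One round trip, key in hand.
    server_key = gold_key(red, client_share)

    # ServerHello -> client: red+pink.  Red stays home.
    server_share = mix_with_pink(red)
    # Client side: (red+pink) + blue = the same gold key.
    client_key = gold_key(blue, server_share)

    on_the_wire = {"p": P, "g": G,
                   "client_share": client_share,
                   "server_share": server_share}
    return on_the_wire, client_key, server_key
```

Running `tls13_style_handshake()` twice gives two different gold keys even though the pink parameters never change, which is the ephemeral property the video mentions: a recorded transcript plus a later-stolen private value from another session recovers nothing.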
We talked about standard HTTP. It runs on an underlying TCP connection, it's a stateless protocol, it's an insecure protocol but it's very fast. But we really need security, so we invented HTTPS; really anything that can encrypt underneath HTTP is good to use, so SSL entered the scene, then TLS 1.0, 1.1 and 1.2 came on the scene and started encrypting, giving us HTTPS. Then we talked about the TLS 1.2 handshake. It's secure, great, better than the old one, but it's very slow, there's a lot of back and forth, guys, and it's also insecure when it's using RSA, because if someone got the private key from the server they can decrypt the channel and see all of the chat we were having.
OK, Diffie-Hellman, we talked about this beautiful key exchange algorithm. The only thing we didn't mention is ephemeral. I'm not sure how to pronounce it, it's not my first language, but Diffie-Hellman ephemeral is when the blue and red keys are essentially temporary; they're generated fresh each time, right? You just don't keep them, you destroy them, you regenerate them every time, and that's essentially what ephemeral is. Long story short, the 1.3 improvement we're talking about is how fast, how cool, how secure 1.3 is. OK guys, this is the end of the video. I hope you enjoyed it; please like this video if you liked it, please subscribe, and I will see you in the next one with more cool software engineering videos.