Securing a client-server connection with the SSL protocol

Vithursa Mahendrarajah
2 min read, Apr 9, 2018


Security is one of the critical points to consider in communication over the internet. A plain HTTP link between a client and a web server transfers data as plain text, which exposes the data to eavesdropping attacks on unsecured links and so restricts the transmission of sensitive data between client and web server. Secure Sockets Layer (SSL) is a standard cryptographic protocol for providing end-to-end encryption between client and web server. An SSL connection is established between client and server with authentication provided by the public-private key pair in the key store and the trusted certificates in the trust store. Before getting into what the key store and trust store are, let's look at the flow of communication while establishing an SSL connection. Assume your web browser is the client and you are accessing a URL through HTTPS. The following steps are carried out in order:

1 - Client requests the server to establish an encrypted session between client and server (the “client hello”)

2 - Server sends back its certificate with its public key for authentication (the “server hello”)

3 - Client checks whether the certificate can be trusted. If so, the client sends back a key encrypted with the public key sent by the server

4 - Client shares an encrypted message using the secret key computed from the previously created encrypted key

5 - Server decrypts the message from the client and sends back another encrypted message for the client to verify

6 - Client and server exchange encrypted messages throughout the session :)

In this way an SSL connection is established between a client and a server, and you can successfully access the URL through HTTPS. By the way, we have not talked about the key store and trust store yet. Let's have a look 😊

Key store and Trust store

At a glance, the key store and trust store can both be considered repositories for storing certificates, and in a programmatic context they look the same. Purpose-wise, however, the key store is a file used to store private keys and the own identity of the client or server; any entity (client or server) can have its own key store files holding its identity. The trust store is a repository used to check incoming certificates from clients and verify whether they were issued by trusted certificate authorities (for more on Certificate Authorities (CA), see [1]). If private keys are imported into a trust store, it can be used as either a trust store or a key store, but it is always good practice to keep public and private keys separate :)

That’s how an SSL connection is established: simple and secure. Meet you with another topic. ^_^

[1] https://www.globalsign.com/en/ssl-information-center/what-are-certification-authorities-trust-hierarchies/

Vithursa Mahendrarajah

Software Engineer at WSO2, Electronic & Telecommunication Engineering Graduate, University of Moratuwa. Also like to be a content crafter ^_^