21/05/2025
Web Technology Behind The Scenes(Cryptography) - English Version
***********************************************************************
Web Technology Behind The Scenes(Cryptography)
Once we begin using the web browser to search for the information we are looking for, the browser establishes a connection to a large web server and begins to use protocols to provide the web pages we requested. Web browsers can communicate with web servers via a variety of protocols.
Hypertext Transfer Protocol(HTTP)
Hypertext Transfer Protocol Secure(HTTPS)
File Transfer Protocol(FTP)
Telnet
Internet Protocol(IP)
Transmission Control Protocol(TCP)
User Datagram Protocol(UDP)
Simple Mail Transport Protocol(SMTP)
Hypertext Transfer Protocol (HTTP), one of the protocols, is an Internet protocol that connects a server and a client. The Client-Server model is typically followed by this protocol.For example, the request we typed and searched for will be sent to the server, and the server will return an IP address based on the user's request, and the browser will navigate to that IP address. Because HTTP is a human-readable format, anyone can read the data. HTTPS works in the same way as HTTP, but it is considered more secure because data on websites that use https is encrypted. As a result, anyone in the middle is no longer able to look around. As a result, HTTP is insecure, whereas HTTPS is more secure. Because it employs security certificates such as SSL (Secure Socket Layer) (or Transport Layer Security Protocol (TLS), it is more secure. This means that it becomes more secure by using security certificates to securely send (or receive) data over the internet. If the url at https://www.google.com/ begins with https, you will know that an SSL connection is in use. The SSL protocol employs public key cryptography. Because Public Key is used, it is classified as Asymmetric Key Cryptography. In this section, we will go over Symmetric and Asymmetric Cryptography.
Symmetric Cryptography
Symmetric Cryptography requires the use of the same key for both encryption and decryption. The benefit of Symmetric Cryptography is that it is fast; however, because only one key is used, a Man in the middle (MITM) attack can be used to decrypt the message. The Data Encryption System is the most widely used Symmetric Cryptography system (DES).
Assume Jessica wishes to send a plaintext text message to John. Jessica, in contrast , uses a secret key to encrypt the text she sent so that no one can read it. The key that will be used between them has been shared from the beginning. Only the completed encrypted data or ciphertext is sent to John. John can only read the original plaintext text after decrypting the ciphertext sent by Jessica with the same secret key. If there is a Third Person Harry in between them. Harry captured Jessica's message to John, but he couldn't decrypt it because he didn't have the key. You can, however, use a technique to effect change. This is known as a bit-flipping attack. This will be explained further below.
Asymmetric Cryptography
Asymmetric Cryptography means that the public key is used in the encryption process and the private key is used in the decryption process. Asymmetric cryptography has the advantage that the public key is known by many people, but the message can only be decrypted with the private key, making it more secure.
If the user sends data using the Public Key that is already in the Web Browser, the request can only be encrypted with the Web Server's private key. One advantage of encrypting data is that it is protected from unauthorized access. You will be able to control interception and data modification during data transfer.
HTTP Vs HTTPS
SSL version 2.0 was first introduced in 1995. Netscape re-released version 3 a few years later due to security issues with version 2. However, due to the Browser Wars between Netscape and Microsoft in 1999, Netscape agreed to hand over control of the SSL protocol to the Internet Engineering Task Force (IETF). As a result, TLS version 1.0 or SSL 3.1 was released before the end of 1999. Transport Layer Security replaced SSL (TLS). TLS version 1.1 was released in 2006, as well as TLS version 1.2 was released in 2008. In 2018, TLS 1.3 was released. To see the most recent TLS version supported by your browser, go to https://clienttest.Ssllabs.com:8443/ssltest/viewMy Client.html. TLS 1.3 was released to address the weaknesses that existed in previous versions, making it more improved and stronger in the security section. SSL and TLS share the goal of making data traveling over a network more secure. TLS is an advanced or upgraded version of SSL. The previous versions of SSL and TLS are no longer available, but TLS 1.2 and TLS 1.3 are still available today.
How TLS works?
TLS consists of 2 phases or 2 protocols.
The first phase or protocol is the Handshake protocol. It is made up of four processes. The handshake is used for authentication and key exchange.
Negotiate TLS protocol version
The client and server will first negotiate the protocol version.
Select Cryptographic Algorithms: cipher suites
Then select the cryptographic algorithms that will be used.
Authenticate by asymmetric cryptography
Using asymmetric cryptography, authenticate between the Client and the Server.
Establish a secret key for symmetric encryption
For symmetric encryption, a shared secret key is then generated.
The Record protocol is the second phase or protocol. It is made up of four processes. The handshake is used for authentication and key exchange.
Encrypt outgoing messages with the secret key
Outgoing messages or messages sent to the server must be encrypted using the shared secret key obtained during the handshake during this step.
Transmit the encrypted messages
Following that, encrypted messages will be transmitted.
Decrypted incoming messages with the secret key
Using asymmetric cryptography, authenticate between the Client and the Server.
Verify that the messages are not modified
It then verify to determine if messages have been altered during transmission. Only if it has not already been done, decrypt with the same key. Bulk encryption is another term for the encrypt stage.
Bit-Flipping Attack
The Bit-Flipping Attack, as previously mentioned, is an attack in which someone intercepts a message and modifies or changes the bit.
Assume Jessica transfers ten lakhs to someone. The message is encrypted using a secret key and transmitted to the bank via the internet. The encrypted message was intercepted by Harry. Harry can't decrypt because he doesn't know the secret key, but he can flip the bits number from 1 to 0 (or 0 to 1). In other words, the data will be changed, but only the modified message will be sent to the bank. As a result, only the information error will be received when returning from the bank and decrypting again. The difference in value could be enormous. As a result, cryptography concepts cannot be separated in our daily lives, from sending mail from one location to another to transferring important data over the Internet. Data security is more important than life itself in the finance world. Because if the data is no longer secure, you could lose a lot of important information and even your finances. To summarize, an Authenticated Encryption technique, rather than a standard encryption technique, must be used to prevent the Bit-Flipping Attack from working.
Authenticated Encryption Technique
The Message Authentication Code (MAC) or authentication tag is used in the Authenticated Encryption Technique. The MAC tag is used to verify that the message originated with the sender and has not been altered or modified in any way.
Authenticated Encryption is the concept of adding an authentication system to standard encryption to make it more secure.Jessica will send a message to Michael in this example.
In the first step, as we did before, we must encrypt a plaintext text using a secure symmetric encryption algorithm. AES (Advanced Encryption Standard) and CHACHA20 are two examples. Because both of these algorithms rely on a key, the key must be provided as input. In addition, a random nonce or initialization vector (IV) must be provided as input. A noun is an arbitrary number that can only be used once in cryptographic communication. Then, as shown in the image, you will receive an encrypted message.
The second step is to authenticate. The encrypted message, secret key, and nonce obtained in the first step must be fed into the MAC algorithm as input. Depending on the encryption algorithm used in the first step, the MAC algorithm used here may differ. If you used AES encryption, you must use GMAC (Galois Message Authentication Code), and if you used CHACHA20, you must use POLY1305, a MAC variant created by Daniel J. The MAC algorithm is similar to a cryptographic hash function. The MAC algorithm produces a message authentication code. The message authentication code must then be attached to the encrypted message and tag. The final result will be sent to the receiver, Michael, along with the Message Authentication Code tag.
Furthermore, to make TLS version 1.3 more secure, Associated Data such as Address, Ports, Protocol Version, and Sequence Number are added as input to the MAC algorithm.
As a result, the entire procedure is still referred to as Authenticated Encryption With Associated Data (AEAD). We'll find out how Michael decrypts the message sent by Jessica, the sender, in the coming contents.
Decryption + Verification
We will continue to learn how to make sure that Michael's message from Jessica arrived unchanged. Process of encryption and reverse concept.
The first step is to untag the encrypted message containing the Message authentication code.
The normal encrypted message, the shared secret key, and the nonce must then be fed into the MAC algorithm as input. The nonce used in this process must be the same as the nonce used in the encryption process. As pointed out previously, if TLS ver 1.3 is used, the Associated Data will be used as input to the MAC algorithm.
When the message arrives at Michael, the resulting MAC tag should be compared to the untagged MAC tag.
If the two values differ, Michael will know that the encrypted message was only sent after it was modified.
Michael will only be confident in decrypting the message if the two MAC values are the same.
Jessica and Michael use a secret key and encryption process that only they are aware of. Both decryption procedures have been completed. Previously, the secret key was sent and shared via an intermediate layer. In Germany, the secret key setting of the enigma machine was preplanned, but now that all data is transmitted over the network, it is critical to consider how the secret key was shared without leaking.Therefore, I will continue to explain how to share securely between the two of them without leaking to the public.
Key Exchange
We will undoubtedly study this key exchange technique if we study the Asymmetric (Public-key) Cryptography section of Cryptography. Furthermore, Jessica and Michael used this method to share the key. Diffie-Hellman Ephemeral (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) are two key exchange techniques that can be used. Diffie-Hellman is commonly used.
Diffie-Hellman
The Diffie-Hellman key exchange algorithm is an example of asymmetric cryptography, with two public keys and one private key.
Jessica and Michael must first agree on two numbers. are the two bases g and the modulus p. These two numbers are public, so everyone will be aware of them.
As a result, Jessica and Michael must choose two private numbers that only they know. Jessica's private key will be a, and Michael's private key will be b.
Jessica must use the formula A = ga mod p to calculate her public key. Jessica's public key will be A. Michael must be sent the public key A.
To calculate his public key, Michael must also use the formula B = gb mod p. B should be Michael's public key. Jessica must be sent the public key B.
Michael will receive Jessica's public key B, and Jessica will receive Michael's public key A.
Jessica will compute the public key B received from Michael and her own private key a into the formula S = Ba mod p. The value of S will then be obtained.
Michael will also insert Jessica's public key A and his own private key b into the formula S= Ab mod p. The value of S will then be obtained.
At that point, the calculated S value on both Jessica and Michael's sides will be discovered to be the same.
Because, according to the mathematical concept, substituting B= gb for Ba in S= Ba mod p generates S= gba mod p. Similarly, substituting A= ga for Ab in S= Ab mod p generates S= gab mod p. As a result, the same number is returned.
The public key can thus be shared between Jessica and Michael without being exposed to the public.
To obtain the S value, Jessica and Michael must both use the same Key derivation function in the recalculation. TLS 1.3 uses a key derivation function based on HMAC. The key derivation function will be discussed further.
Key Derivation Function
As input, KDF (Key Derivation Function) takes S, info, key length, HMAC-SHA256 cryptographic hash function, and Salt. In cryptography, salt is also random data.
Variables p,g,A,B are public variables known to the public in Diffie-Hellman Key exchange. This means that those numbers are accessible to anyone on the public network. have the right to gain access As a result, whether or not using Diffie-Hellman Key exchange is secure has become a consideration.
p,g,A,B
A = ga mod p
B = gb mod p
If the values for p,g,A,B in the above Diffie-Hellman formula are carefully chosen according to the rule, it becomes a Trapdoors Function and cannot be easily recalculated by middle men. For example, the p value must be chosen from a set of 2048 bit prime numbers. To create the Trapdoors Function, the values a,b must be chosen at random from a set of 256-bit integers. The primitive root modulo of p must be taken as the value of g. If the middle man only knows a,p,g and substitutes A = ga mod p into the formula and calculates the value of A, it becomes a modular exponential problem that is simple to solve. Knowing only A,p,g and calculating the value of a using the formula A = ga mod p results in a discrete logarithm problem, which is extremely difficult to solve. Even with today's high-performance computers, calculations can take a long time and are difficult.This is why it is considered safe. It may be possible to calculate it if quantum computers are used.
Static Key
We will continue to investigate what would happen in the Diffie-Hellman Key exchange process if both Jessica and Michael used only one private key for each session.
Harry, the middleman between Jessica and Michael, will save all of the Session 1 records and calculate the value of a. A value could not be calculated during Session 1, but it could when Session N arrived. The a value is then reused, and the secret number S is obtained. Once you've established the value of S, you'll be able to recover all of the recorded conversations from Session 1 to Session N. To avoid such issues,both parties must use only one private key in a single session. That key is known as an ephemeral key.
Harry can identify the secret key for one session, but he cannot use the secret key he obtained in the first session in the following session. As a result, it is known as 'Perfect forward secrecy.
ELLIPTIC-CURVE CRYPTOGRAPHY
Elliptic curve key exchange algorithm, like Diffie-Hellman, is a type of asymmetric cryptography with two public and private keys. The Trapdoor function is the only difference. Elliptic Curves' trapdoor function is an algebraic structure that only uses smaller keys to improve security.
To summarize, Diffie-Hellman Ephemeral(DHE), Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) or RSA can be used for key exchange. The RSA algorithm was previously used for key exchange, but due to its lack of forward-secrecy capability, it was no longer used in TLS 1.3 and was removed.
Digital Signature
TLS continues to use Digital Signatures for authentication. Asymmetric cryptography includes digital signatures. The following digital signature algorithms are commonly used: They are:
RSA with Probabilistic Signature Scheme(RSA-PSS)
Elliptic-Curve Digital Signature Algorithm(ECDSA)
Edwards-Curve Digital Signature Algorithm(EdDSA)
Asymmetric Encryption
As previously stated, Asymmetric Encryption uses a public key for encryption and a private key for decryption.
Consider the previous example. When Jessica sends a message to Michael, she uses asymmetric encryption to encrypt the plaintext text with Michael's public key. The result will be the encrypted message or ciphertext. The final result was sent to Michael via the public network. Michael can only decrypt the original plaintext message with his own private key.
Public Key Sharing
Michael and Jessica share their public key only on the public network. As a result, everyone will have access to the public key. The Diffie-Hellman Key Exchange Algorithm describes in detail how Michael and Jessica share the key and how to decrypt the message encrypted with the public key with the private key.
As a result, Harry, the middleman, is unable to decrypt Michael's public key as it travels through the public network. Although it cannot be decrypted, the key can be replaced.
Harry is unable to decrypt the message using Michael's public key, but he is capable of replacing it, so he replaces Michael's public key with his own and sends it to Jessica. It interferes in this way. If Jessica decrypts the message believing the key she received is Michael's public key, Harry can decrypt the message using his own private key. This is due to the fact that the key is simply a number that anyone can access and exchange. If it is possible to determine who owns a key, the above scenario will not occur. As a result, the key was later used in conjunction with some identity information. This procedure is known as Digital Certificate.Michael will encrypt his public key and distribute it in the form of a certificate. Furthermore, the certificate will contain some information that can be used to determine the identity.
Digital Certificate
A digital certificate is like a passport. A passport can identify information about us. Similarly, Digital Certificates can provide proof of who owns this key. There is usually a name. However, Harry pretended to sign the certificate as Michael so that he could insert his own private key. To protect that process, the Certificate Authority (CA) verifies the digital world in the same way that the passport authority verifies the real world. The Passport Authority can detect fake passports in the real world, and the Certificate Authority (CA) is a trusted third party that can detect fake digital certificates in the digital world.
Certificate Signing
Michael will have a pair of public and private keys that he owns, according to the concept of Asymmetric Cryptography. Michael will begin by submitting a Certificate Signing Request (CSR). CSR will contain public key and identity information such as name and email address. Michael's information in the Certificate will be verified by the Certificate Authority. Then, once again, use Michael's public key to validate Michael's signature in the certificate. By doing so, Michael confirms that he owns both the public and private keys that exist together. If all of the information is correct at the moment of verification, the CA will sign their own private key and return it to Michael.
Certificate Sharing
Michael adds his public key to the certificate rather than sending it alone for added security. Then Jessica can validate the authenticity with CA's public key to ensure that the key she received is indeed Michael's key. The man in the middle, Harry, cannot then substitute his public key for Michael's public key. This is due to Harry's lack of access to the CA's private key, which will be required when signing the certificate.
However, even though you can verify authenticity with the help of a Certificate Authority (CA) organization, you also need to think about how to proceed when you no longer trust the CA. For example, if the CA gives Harry their private key, there could be problems. However, there are numerous trusted Certificate Authorities in the real world. The operating systems and browsers we use store certificate lists.For instance, we will display the Real TLS certificate used by YouTube. Normally, they should navigate to https://www.youtube.com/ using their preferred browser. Then, on the menu bar, click the lock icon.
You must keep clicking on the "Connection is secure" location.
And also you must keep clicking on the "Certificate is valid" location.
If you look at the Details Tab, you'll notice that sha256RSA is the signature algorithm.
Elliptic Curve Cryptography (ECC) is used as a public key algorithm with a 256 bit key size, as can be seen.
The image above is a step-by-step diagram of the Certificate that was used.
Digital Signature
I'll go on to explain Digital Signatures. The signer must first generate a hash. The hash value will then be computed. The hash value must be encrypted with the private key of the signer. The result of Encrypt is a Digital Signature. The document must then be signed with a digital signature. Up to this stage is the Signing Process. If you want to know whether the signature is valid or not, you must reverse the process described above. Then, decrypt again using the signer's public key. The hash value will then be obtained. The document must then be hashed using only the hash algorithm that was used during the signing process. As a result, the hash value will be obtained. It is necessary to compare two Hash values. If the two Hash values are the same, the condition is satisfied. It is invalid if it differs.
TLS 1.3 Handshake Protocol
The client will send a "Hello" message to the server. Some critical information in the message will be explained. The first is the protocol version that the client can use. For example, TLS 1.3, TLS 1.2, and so on. The second is the cipher suites that are supported. CHACHA20 POLY1305, or AES 256 GCM. The third is key exchange groups, which the client can support. Finite Field Diffie-Hellman Ephemeral and Elliptic-Curve Diffie-Hellman Ephemeral are two types of Ephemeral. In addition, the client side shared a Diffie-Hellman public key and an Elliptic-Curve Diffie-Hellman public key. The server side will only be able to compute the shared secret key if it is shared. The signature algorithm supported by the client is the final field included in the message sent by the client. Which the server will choose and use throughout the handshake.
When the server receives the 'Hello' message from the client, it will respond with a 'Hello' message. TLS 1.3 as the chosen protocol version, AES 256 GCM from the chosen cipher suites, and Diffie-Hellman Ephemeral as the chosen key exchange method will be included in the message returned from the server. Includes the public key of the server, a request for the client's certificate, and certificate verification.
The Handshake context is defined as the time between when the client sends 'Hello' and when the server sends back 'Hello,' from the supported versions to the certificate request filed. The context is hashed after being concatenated with the Server's Certificate. It is signed with the server's private key using the hashed value as input and any signature algorithm supported by the client. Handshake context, certificate, and certificate verify are similarly concatenated and hashed. Hash and sign using any MAC algorithm supported by the client using the value obtained as input. The MAC of the entire handshake will be obtained as a result. Authentication Messages are the fields Server Certificate, Certificate Verify, and Server Finish. This is because they use the entire handshake's signature and MAC to authenticate the server. When the client receives the server's hello message, it will validate the server's certificate with the root authority. The MAC of the entire signature and handshake will be examined as well.
If all of the previous step are followed correctly, the client side will send its finish message along with the MAC of the entire handshake. The TLS full handshake includes all of these processes and fields. An abbreviated handshake using preshared key resumption is also used between the Server and the Client to improve performance.
After completing the handshake steps mentioned above, the Client and Server know each other, so there is no need to authenticate again. As a result, the server will send the client one or more session tickets. In the next handshake, those tickets can be used as a pre-shared key (PSK) identity. The client will send another hello message during the next handshake. The message's pre-shared key field will contain the list of PSK identities received in the previous handshake. PSK key exchange modes will include PSK and Diffie-Hellman.If using PSK in Diffie-Hellman mode, the client must also share the Diffie-Hellman public key. If the Server receives the Hello message from the Client, the Server will respond with the Hello message. Finally, the client sends the client finish field back to the server. The certificate authentication step between server and client is not included in the abbreviated handshake. As a result, the round trip time is zero. This means that the client does not have to wait for the entire handshake to complete.
At 0-RTT, the client will send the client hello message along with the application data. The data has already been encrypted with the derived key from the first PSK in the ticket list. If the server accepts the 0-RTT request, it will resend the server hello message in the same way that normal PSK resumption would. The client will finally send the message containing the MAC back to the server. This describes how O round trip time works in TLS 1.3.
For more details, please read the images below..............................
Collection of all Deep Dive Into Cryptography Series Links posted by Page
***********************************************************************
https://www.facebook.com/share/p/HMnEP5Vm9YVD5Xag/
