Syllabus Point
- Explain the processes for securing the web
Including:
- Secure Sockets Layer (SSL) certificates
- encryption algorithms
- encryption keys
- plain text and cipher text
- authentication and authorisation
- hash values
- digital signatures
Modern web security relies on SSL/TLS certificates for server authentication, encryption algorithms for confidentiality, hash functions for integrity, digital signatures for authenticity and non-repudiation, and authentication and authorisation mechanisms for access control. Understanding how these components work together is essential for building secure web applications.
Secure Sockets Layer (SSL) certificates
SSL/TLS certificates identify a server to clients and carry the public key that TLS uses to set up an encrypted connection; the certificate itself does not encrypt any data. Certificates are issued and digitally signed by trusted Certificate Authorities (CAs). SSL is the older protocol and has been replaced by TLS, but the name "SSL certificate" has stuck.
- Websites with HTTPS use TLS to secure transactions
- Small data file that digitally binds a public key to an organisation's details
- An SSL/TLS certificate contains: the domain name(s) it is valid for, the organisation's identity (for OV and EV certificates), the Certificate Authority that issued it, the server's public key, the validity period (not-before and expiry dates), and the CA's digital signature
How it works
- Browser requests a secure connection (HTTPS)
- Server responds with its SSL/TLS certificate
- The browser checks that the certificate is valid: signed by a trusted Certificate Authority (CA), not expired, not revoked, and issued for the domain being visited
- SSL/TLS handshake: client and server agree on a cipher suite and generate a session key used to encrypt the data for the current session
- Asymmetric cryptography is used only for this key exchange and for authenticating the server
- Encrypted communication using the session key (symmetric encryption)
The SSL/TLS handshake is the process that establishes a secure connection between a client and server. It uses asymmetric cryptography to agree on a shared secret key, which is then used for symmetric encryption of all further communication, because symmetric algorithms are far faster for bulk data.
Types
- Domain Validation (DV): Confirms domain ownership
- Organisation Validation (OV): Confirms organisation identity/legitimacy
- Extended Validation (EV): Most thorough vetting of the organisation's legal identity. Browsers used to show a green address bar with the organisation's name; modern browsers no longer give EV certificates a special indicator, so all three types show the same padlock
Encryption algorithms
Sets of mathematical operations (ciphers) that convert plain text into cipher text under the control of a key, and back again. Common encryption algorithms:
- AES (Advanced Encryption Standard) – Symmetric cipher used to encrypt stored data and the bulk of HTTPS traffic
- RSA (Rivest-Shamir-Adleman) – Asymmetric algorithm used on the web for key exchange and digital signatures rather than for encrypting the traffic itself
- ECC (Elliptic Curve Cryptography) – Asymmetric; provides equivalent security to RSA with much smaller keys (a 256-bit ECC key is comparable to a 3072-bit RSA key)
Real world example
Asymmetric cryptography is used in SSL/TLS to establish secure web connections. When you visit an HTTPS website, the browser uses the server's public key (from its certificate) to authenticate the server and to agree on a session key; only the holder of the server's private key can complete this step. In older TLS versions the browser encrypted the session secret directly with the server's RSA public key; TLS 1.3 instead uses Diffie-Hellman key agreement, which gives forward secrecy (a later leak of the server's private key does not expose past sessions).
- Symmetric (AES)
- Single shared key used for both encryption and decryption
- Fast, suitable for large volumes of data
- Key distribution problem: both parties must already share the key, and anyone who obtains it can read everything
- Encrypting data stored in databases, or communication between two parties that already share a secret key
- Asymmetric (RSA)
- Public and private key pair
- Slower (hundreds to thousands of times slower than AES)
- Solves key distribution: the public key can be published freely, only the private key must be kept secret
- Used in SSL/TLS certificates to authenticate the server and secure the key exchange during HTTPS communication
Encryption keys
Randomly generated sequences of bits that an encryption algorithm uses to turn plain text into cipher text and back. The security of the system rests on keeping the key secret, not on keeping the algorithm secret.
Key exchange is the process of securely sharing keys between two parties over an unsecured network.
- Public key: Shared openly; used to encrypt data for the key's owner and to verify their digital signatures (asymmetric encryption)
- Private key: Kept secret; used to decrypt data encrypted with the matching public key and to create digital signatures (asymmetric encryption)
- Secret key: Used for both encryption and decryption (symmetric encryption)
Plain text and cipher text
Plain text is readable data in its original form (has not been encrypted).
Cipher text is data that has been encrypted using an encryption algorithm and is unreadable without a decryption key.
Authentication and authorisation
Authentication verifies the identity of a user or server (who are you?) before any access decision is made.
- Logging into website with username/password
- Biometric authentication
- MFA
Authorisation determines the level of access granted to authenticated users.
- User can see dashboard, but not admin settings
- Staff can edit documents but not delete them
OAuth Authorisation
A widely adopted authorisation framework (OAuth 2.0) that allows applications to access resources on behalf of users without the user handing their password to the application. Example: a photo-printing app reading your Google Photos. 'Sign in with Google' is built on OAuth via OpenID Connect (below).
- Uses access tokens to grant temporary permissions; the token's scope specifies what data the requesting app can access
- Different usage scenarios
- Authorisation code flow: the browser receives only a short-lived code; the application's server exchanges it for tokens directly with the authorisation server, so tokens never pass through the browser
- Implicit flow: tokens are returned directly in the URL fragment; once used by single-page applications, but tokens in URLs leak through browser history, logs and referrers, so the flow is deprecated in favour of the authorisation code flow
- Client credentials flow: used by applications that need to authenticate themselves (not users) to access resources
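An added Python simulation of the authorisation code flow and token scopes described above (not code from the original notes or from any OAuth library). The client name, secret and redirect URI are constructed for the example, and the three parties (authorisation server, client application, resource server) are modelled as plain functions in one process instead of HTTPS requests.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed registered client for the demonstration (not a real app or secret).
CLIENTS = {
    "photo-printer": {"secret": "s3cr3t-demo", "redirect_uri": "https://printer.example/cb"},
}


@dataclass
class AccessToken:
    client_id: str
    user: str
    scope: Set[str]
    expires_at: float


@dataclass
class AuthorisationServer:
    codes: Dict[str, dict] = field(default_factory=dict)
    tokens: Dict[str, AccessToken] = field(default_factory=dict)

    def authorise(self, client_id: str, redirect_uri: str, user: str, scope: Set[str]) -> str:
        """Authorisation endpoint: after the user consents, issue a short-lived,
        single-use code bound to the client and its registered redirect URI.
        The browser only ever sees this code, never the password or a token."""
        if CLIENTS.get(client_id, {}).get("redirect_uri") != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": scope, "expires_at": time.time() + 60}
        return code

    def exchange(self, code: str, client_id: str, client_secret: str,
                 redirect_uri: str, ttl: float = 3600) -> str:
        """Token endpoint (server-to-server): swap the code for an access token.
        The client secret is required, so a code leaked from a URL is useless alone."""
        grant = self.codes.pop(code, None)          # pop: a code can be used once only
        if grant is None or grant["expires_at"] < time.time():
            raise PermissionError("unknown, reused or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client")
        if not secrets.compare_digest(CLIENTS[client_id]["secret"], client_secret):
            raise PermissionError("bad client secret")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = AccessToken(client_id, grant["user"], grant["scope"], time.time() + ttl)
        return token

    def introspect(self, token: str) -> Optional[AccessToken]:
        info = self.tokens.get(token)
        if info is None or info.expires_at < time.time():
            return None
        return info


def resource_server_read(auth: AuthorisationServer, token: str, required_scope: str) -> str:
    """Resource server: the token's scope, not the user's whole account, decides access."""
    info = auth.introspect(token)
    if info is None:
        raise PermissionError("invalid or expired token")
    if required_scope not in info.scope:
        raise PermissionError(f"token lacks scope {required_scope!r}")
    return f"{required_scope} data for {info.user}"


if __name__ == "__main__":
    auth = AuthorisationServer()
    code = auth.authorise("photo-printer", "https://printer.example/cb", "alice", {"photos:read"})
    token = auth.exchange(code, "photo-printer", "s3cr3t-demo", "https://printer.example/cb")
    print(resource_server_read(auth, token, "photos:read"))   # allowed by scope
    try:
        resource_server_read(auth, token, "photos:delete")     # outside the granted scope
    except PermissionError as err:
        print("denied:", err)
```

The two checks that matter most in practice are visible in `exchange`: the code is popped so it cannot be replayed, and the client secret is verified, which is exactly what the implicit flow gave up by handing the token straight to the browser.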
OpenID Connect Authentication
OpenID Connect (OIDC) adds an authentication layer on top of OAuth 2.0: alongside the access token it returns an ID token stating who the user is, which is what 'Sign in with Google' style single sign-on (SSO) relies on.
Hash values
Hash values are fixed-size digests generated by applying a hash function to data of any size.
- A fixed-size string of bits (usually shown as hexadecimal characters) that acts as a fingerprint of the input data: any change to the input changes the hash, and finding two different inputs with the same hash is computationally infeasible
- One-way function - it is computationally infeasible to recover the input from its hash
- Used for data integrity (checksums), storing passwords, and as the value that is actually signed in digital signatures
- Common hash function: SHA-256 – Used for file integrity checks and digital signatures. Plain SHA-256 is too fast for password storage; passwords should be hashed with a random salt using a deliberately slow function such as bcrypt, scrypt or Argon2
Encoding
Encoding is the process of converting data from one form to another so it can be stored, transmitted or processed by different systems (for example Base64 or URL encoding). It changes only the format or representation of the data and uses no key, so anyone can reverse it: encoding is not encryption and provides no confidentiality.
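To make the integrity, password-storage and encoding points above concrete, here is an added Python example (not part of the original notes) that uses only the standard library. The sample document and password are constructed for the demonstration, and `scrypt` stands in for the bcrypt/scrypt/Argon2 family because it ships with `hashlib`.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample inputs for the demonstration (not real data).
DOCUMENT = b"Transfer $100 to account 12345"
PASSWORD = "correct horse battery staple"


def sha256_hex(data: bytes) -> str:
    """Fixed-size (256-bit) fingerprint of arbitrary input, as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the hash and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow password hash (scrypt, built into hashlib).

    A plain SHA-256 of a password is fast and unsalted: identical passwords give
    identical hashes, and an attacker can test billions of guesses per second.
    A random per-user salt plus a memory-hard function removes both weaknesses.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def base64_roundtrip(secret: str) -> str:
    """Encoding is reversible with no key: anyone who sees the encoded string
    can recover the original. It is a format change, not protection."""
    encoded = base64.b64encode(secret.encode()).decode()
    return base64.b64decode(encoded).decode()


if __name__ == "__main__":
    original = sha256_hex(DOCUMENT)
    tampered = DOCUMENT.replace(b"100", b"900")
    print(original)
    print(integrity_check(tampered, original))    # one changed byte changes the whole hash

    # Same password for two users: SHA-256 gives identical values, scrypt does not.
    print(sha256_hex(PASSWORD.encode()) == sha256_hex(PASSWORD.encode()))
    salt1, h1 = hash_password(PASSWORD)
    salt2, h2 = hash_password(PASSWORD)
    print(h1 == h2)                                # different salts, different hashes
    print(verify_password(PASSWORD, salt1, h1))
    print(verify_password("wrong", salt1, h1))

    print(base64_roundtrip("password123"))         # recovered without any key
```

Store the salt beside the hash (it is not secret); the cost parameters `n`, `r`, `p` are what make each guess expensive for an attacker, so raise them as hardware allows.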
Digital signatures
A cryptographic mechanism used to verify the origin and integrity of digital documents or messages.
- Generated using asymmetric (public key) cryptography
- The sender hashes the document and signs the hash with their private key; the recipient recomputes the hash and verifies the signature with the sender's public key
- Provides non-repudiation - the sender cannot later deny signing the document, because only their private key could have produced the signature
Example: When downloading software, a digital signature from the publisher shows that the file was not tampered with after it was signed. Note the contrast with encryption: a signature is created with the private key and checked with the public key, the reverse of encrypting with the public key and decrypting with the private key.
Encryption handshake
The TLS handshake is the process used to establish a secure connection between a client and server; it runs at the start of every HTTPS session and other secure online communications.
- Client Hello: Client sends a request to the server listing the protocol versions and encryption algorithms (cipher suites) it supports, plus a random value
- Server Hello: Server chooses a cipher suite from the client's list according to its own preference order and sends back its SSL/TLS certificate, which contains its public key
- Key exchange: Client verifies the server's certificate against its trusted Certificate Authorities and checks that the server can prove possession of the matching private key. Client and server then agree on a shared secret using asymmetric cryptography (RSA key transport in older versions, Diffie-Hellman key agreement in modern TLS)
- Session key established: Both sides derive the same symmetric session keys from the shared secret, and all communication from now on is encrypted with symmetric encryption (faster and more efficient)
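The four handshake steps above, run as an added Python simulation of both sides in one process (not code from the original notes or from any TLS library). Certificate verification is assumed to have passed and is not modelled; the cipher-suite names are the TLS 1.3 suites, the server preference list is a constructed example, and the Diffie-Hellman group is a toy 127-bit prime chosen so the arithmetic runs instantly.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Toy Diffie-Hellman group: the Mersenne prime 2**127 - 1 with generator 5, used
# here only so the numbers stay small. Real TLS uses 2048-bit+ groups (RFC 7919)
# or elliptic curves such as X25519; this prime is far too small for real use.
P = 2**127 - 1
G = 5

# Constructed server preference order (an illustrative config, not a recommendation).
SERVER_PREFERENCE = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                     "TLS_CHACHA20_POLY1305_SHA256"]


def choose_cipher_suite(client_offer: List[str]) -> str:
    """Server Hello: pick the first suite in the *server's* order that the client also
    offered, so a client cannot steer the server to a weak suite by listing it first."""
    for suite in SERVER_PREFERENCE:
        if suite in client_offer:
            return suite
    raise ValueError("no common cipher suite: handshake fails")


def dh_keypair() -> Tuple[int, int]:
    """Fresh (ephemeral) private exponent and the public value sent in the hello."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_shared_secret(own_private: int, peer_public: int) -> bytes:
    """Both sides compute G**(a*b) mod P from the other's public value and their own private one."""
    return pow(peer_public, own_private, P).to_bytes(16, "big")


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: turns the raw DH output into uniform key bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                    # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def handshake(client_offer: List[str]) -> Tuple[str, bytes, bytes]:
    """Run both sides locally; return the negotiated suite and each side's session key."""
    # Client Hello: offered suites, client random, ephemeral DH public value.
    client_random, c_priv_c_pub = secrets.token_bytes(32), dh_keypair()
    c_priv, c_pub = c_priv_c_pub
    # Server Hello: chosen suite, server random, ephemeral DH public value.
    suite = choose_cipher_suite(client_offer)
    server_random, (s_priv, s_pub) = secrets.token_bytes(32), dh_keypair()
    # Key exchange: each side combines its own private value with the peer's public value,
    # then derives the session key, bound to both randoms and the chosen suite.
    binding = client_random + server_random + suite.encode()
    client_key = hkdf(dh_shared_secret(c_priv, s_pub), binding, b"session key")
    server_key = hkdf(dh_shared_secret(s_priv, c_pub), binding, b"session key")
    return suite, client_key, server_key


if __name__ == "__main__":
    suite, client_key, server_key = handshake(["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"])
    print("negotiated:", suite)
    print("keys match:", client_key == server_key)   # private values never left either side
```

Because both DH values are generated fresh for each run, two handshakes with the same offer produce different session keys, which is the forward-secrecy property of modern TLS.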