MichaIng edited this page Feb 17, 2019 · 4 revisions

TLS/SSL

TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication in computer networks. SSL (Secure Sockets Layer) is its now-deprecated predecessor. It should no longer be used, but might be required to support old OS or browser versions. The term SSL is still widely used as an alias for TLS, but we will use TLS here, as a way of looking forward 😉.

Probably the best-known use case for TLS is the HTTPS protocol, which allows secure access to websites and web applications.

Two goals are achieved by TLS:

1. Encryption

Transferred information is encrypted using a cryptosystem. The best known is most likely RSA (Rivest–Shamir–Adleman).

In short, how does it work?
  • Both communication partners have a key pair: a public key and a private key.
  • The public key can only be used to encrypt messages while the private key can only be used to decrypt messages.
  • Both partners now exchange their public keys.
  • Partner A is now able to encrypt a message with the public key of Partner B, but since (hopefully) only Partner B has its own private key, no one other than Partner B can decrypt and read the message.
  • This ensures that nobody but the intended recipient is able to read encrypted messages addressed to them, even if someone manages to capture the message as a man in the middle, ISP, local network admin or similar.
Why can a public key only _encrypt_ but not _decrypt_ messages?
  • This is not easy to answer, but it is based on mathematical traps: calculations that can easily be done in one direction but hardly backwards.
  • Remember those days back in school, learning mathematics, uuaargg.
  • Remember multiplying large numbers? With pen and paper and some patience you are able to do this, e.g. 1433*5501 = 1000*5000 + 1000*500 + 1000*1 + 400*5000 + ... okay, much to do, but doable step by step. The result is: 7882933
  • But how do you reverse this step to find the two initial factors that result in 7882933? A trap 😉.
  • Note that I chose prime numbers, so the result is unique and there is no step-by-step solution. Practically, you need to try out all prime numbers and do a written division for each to find the correct divisor. This well-known mathematical problem is called prime factorization.
  • So decrypting an encrypted message like the one above is not impossible, but the mathematical effort (with state-of-the-art cryptosystems) is simply too large, even for modern supercomputers, to solve in a reasonable time.
  • If you are interested in the details about how RSA uses this mathematical trap in practice to create a key pair, encrypt and decrypt messages, see: https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Operation
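
The trap above, carried through with the page's own primes 1433 and 5501, as an added example that is not part of the original wiki page: textbook RSA without padding, where the exponent 65537 and the sample message are assumptions chosen for illustration. It also shows that whoever can factor the public number can rebuild the private key, which is why real keys use far larger primes.

```python
"""Textbook RSA with the page's primes 1433 and 5501 (no padding, teaching only)."""
from math import gcd


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); e = 65537 is an assumed, commonly used exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d = 1 mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be a number smaller than n")
    return pow(message, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    return pow(ciphertext, d, n)


def factor(n):
    """The 'written division' search from the text: try each odd divisor."""
    if n % 2 == 0:
        return 2, n // 2
    candidate = 3
    while candidate * candidate <= n:
        if n % candidate == 0:
            return candidate, n // candidate
        candidate += 2
    raise ValueError("n is prime, not a product of two primes")


def recover_private_key(public_key):
    """Whoever can factor n can rebuild d, so key size is the whole defence."""
    n, e = public_key
    p, q = factor(n)
    return make_keypair(p, q, e)[1]


if __name__ == "__main__":
    public, private = make_keypair(1433, 5501)
    secret = 424242  # constructed sample message, must be below n = 7882933
    ciphertext = encrypt(public, secret)
    print("public key:", public, "ciphertext:", ciphertext)
    print("decrypted with private key:", decrypt(private, ciphertext))
    print("private key rebuilt from public key:", recover_private_key(public) == private)
```

The search in `factor` finishes instantly for a 7-digit number; for the 2048-bit numbers used in current RSA keys the same search is not feasible.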

2. Authentication

The identity of the communication partner is verified, using a public key certificate.

How is the identity of the communication partner verified?
  • Imagine now you initiate a TLS encrypted communication by sending your public key to the recipient and receiving its public key. How do you know that it is really the recipient you want to communicate with and not a man in the middle that catches your requests and sends back its own public key?
  • This is done via a certificate. Basically a certificate includes the public key together with some information about the public key owner and, most importantly, the IP address and/or domain that this particular public key is valid for.
  • Your client usually verifies the integrity of the certificate by asking a so-called CA (certificate authority).
  • Clients, e.g. operating systems and/or browsers, usually have a list of CAs they trust and ask to verify that the received public key and certificate really belong to the host/domain they are communicating with.
  • For this reason, if you create your own key pair and certificate locally and e.g. enable HTTPS for your website with it, browsers usually show warnings about an untrusted CA, since you yourself are not in the public list of trusted CAs where clients can verify that you are really you.

So, finally, verifying the identity of your communication partner and sending messages that only this partner can read is what enables secure network communication.

Implementation

On Debian based systems (and most other UNIX systems), thus DietPi as well, TLS is implemented via OpenSSL:

The list of trusted CAs is provided by the ca-certificates APT package, which is practically required to allow TLS/HTTPS requests, thus a core dependency of DietPi.

To generate your own key pair with a trusted certificate, DietPi offers a free-of-charge solution via Let's Encrypt and Certbot: DietPi-LetsEncrypt