Heres what you need to know about the algorithms behind SSL/TLS encryption.
If you study SSL and encryption long enough, eventually youre going to come across the word cipher. Aside from just generally being a cool word, ciphers are a very important part of encryption.
So, what are encryption ciphers?
Ciphers are algorithms, more specifically theyre a set of steps for both performing encryption as well as the corresponding decryption. Nowadays ciphers are dependent upon the advanced processing capabilities of computers. That hasnt always been the case though. One of the first, well-known historical ciphers belonged to Caesar emperor of Rome and purveyor of fancy appetizer salads who used it to communicate with his generals during military operations.
Over the years, ciphers have become more complex, but the logic behind them has stayed the same. Whether it was Caesar crossing the Rubicon, the infamous Enigma cipher of World War II or some of the algorithms of todaythe idea has always been to encode or encipher a message in such a way that only the intended party can read it.
For all intents and purposes, when we discuss ciphers as they relate specifically to SSL encryption, there are two kinds of algorithms: symmetric and asymmetric. This really comes down to the kind of encryption youre going to be performing, again, symmetric or asymmetric.
Symmetric encryption involves two keys that are the same, or as the name quite cleverly implies, symmetric. Both keys can perform both functions: encryption and decryption. You see this during an encrypted web connection between a browser and a server. After the SSL certificate has been authenticated and the SSL handshake is complete, the browser and server exchange symmetric session keys that allow them to communicate securely for the duration of the visit. While these session keys are in play, they are making use of a symmetric cipher.
Conversely, with asymmetric encryption, you are talking about different keys with different abilities. The most obvious example of this is the public/private key pair that is used during the SSL handshake. In this scenario, one key encrypts and the other key decrypts. This kind of encryption requires a different kind of cipheran asymmetric algorithm.
There are many different ciphers that are commonly used in encryption in conjunction with one another. Thats because, specifically as it relates to SSL, youre not using just a single algorithm but rather a set of algorithms that are grouped together in what is referred to as a Cipher Suite.
Were building towards that concept, so well get there in a little bit. But, now that weve got an understanding of the two types of algorithm symmetric and asymmetric we can look at some of the different ciphers and the functions they serverthen well talk about building a cipher suite.
Here are some examples of ciphers and other similar algorithms:
RSA is named after the gentlemen that created it: Rivest, Shamir and Adleman. This is a fairly common asymmetric cryptosystem that uses prime numbers and has a wide range of applications.
Named after Whitfield Diffie and Martin Hellman, this is a public key protocol used primarily for exchanging cryptographic keys over public channels. Prior to methods like DH, keys had to be transmitted in physical form.
Elliptic Curve Diffie-Hellman
A key agreement protocol that gives two parties with elliptic curve public-private key pairs to establish a shared secret (used either directly as a key or to derive one) securely over a public channel.
Typically written as TLS-PSK, this is a cipher that provides secure communication based on pre-shared symmetric keys exchanged between parties in advance.
Advanced Encryption Standard, a.k.a. Rijndael, is an NIST approved encryption cipher with a block size of 128 bit, and symmetric keys with lengths of either 128, 192 or 256 bits.
A symmetric key block cipher with similar capabilities and key sizes to AES. It was developed in Japan by NTT and Mitsubishi and is approved by the ISO/IEC, EU and the Japanese CRYPTREC project.
Another block cipher that is similar to AES, ARIA was developed by a group of researchers in South Korea in 2003.
Hash-Based Message Authentication Code (HMAC)
This is a type of message authentication that uses cryptographic hashes to both authenticate a message and ensure data integrity, think SHA-256.
AE or AEAD provides confidentiality, integrity and authentication assurances on data under a single programming interface. Typically used in conjunction with a block cipher.
Obviously, this is an incomplete list, there are dozens of other ciphers. But this should at least give you some more context when we begin discussing cipher suites in the next section.
A Cipher Suite is a combination of algorithms used to negotiate security settings during the SSL/TLS handshake. After the ClientHello and ServerHello messages are exchanged, the client sends a prioritized list of cipher suites it supports. The server then responds with the cipher suite it has selected from the list.
Cipher suites are named combinations of:
So, for instance, heres an example of a cipher suite:
Ive color-coated it to help you distinguish between the ciphers.
TLS is the protocol. Starting with ECDHE we can see that during the handshake the keys will be exchanged via ephemeral Elliptic Curve Diffie Hellman (ECDHE). RSA is the authentication algorithm. AES_128_GCM is the bulk encryption algorithm. Finally, SHA-256 is the hashing algorithm.
Most browsers and servers have a list of cipher suites that they support, the two will compare the lists in order of priority against one another during the handshake in order to determine the security settings that will be used.
Of course, as TLS 1.3 inches towards a final release, this is all going to change. While previous versions of SSL/TLS through TLS 1.2 used the version of cipher suites described here, in version 1.3 cipher suites will change structure as they will only be used to negotiate encryption and HMAC algorithms.
Because the structure of 1.3 cipher suites is different from its predecessors, they will not be interchangeable with older TLS versions.
For those that like to skim, here are the key takeaways from todays conversation:
- What Is Encryption? | Surveillance Self-Defense - December 4th, 2017
- Comodo Disk Encryption Download - softpedia.com - December 1st, 2017
- Encryption - Simple English Wikipedia, the free encyclopedia - November 24th, 2017
- BitLocker Drive Encryption Overview - technet.microsoft.com - November 23rd, 2017
- The Encrypting File System - technet.microsoft.com - November 18th, 2017
- FBI cant break the encryption on Texas shooters smartphone - November 13th, 2017
- DOJ: Strong encryption that we dont have access to is ... - November 13th, 2017
- DOJ Fires Up New War With Apple Over Encryption - November 12th, 2017
- Security Awareness - Encryption | Office of Information ... - October 15th, 2017
- Data Encryption and Decryption (Windows) - October 14th, 2017
- Trumps DOJ tries to rebrand weakened encryption as responsible ... - October 11th, 2017
- How to encrypt (almost) anything | PCWorld - September 22nd, 2017
- Private Internet Access | VPN Encryption - September 21st, 2017
- Encryption Substitutes | Privacy | Encryption - September 21st, 2017
- Data Encryption: Hardware & Software Security: Online ... - September 21st, 2017
- How To Enable BitLocker Drive Encryption In Windows 10? - September 21st, 2017
- PGP Encryption Tool - iGolder - September 21st, 2017
- encryption - How to encrypt String in Java - Stack Overflow - September 21st, 2017
- Encryption Software Market, Size, Trends and Forecast 2020 - September 21st, 2017
- Encryption Definition - Tech Terms - September 20th, 2017
- Why You Should Be Encrypting Your Devices and How to Easily Do It - Gizmodo - September 6th, 2017
- Black Hats, White Hats, and Hard Hats The Need for Encryption in Mining and Resources - Australian Mining - September 6th, 2017
- How can enterprises secure encrypted traffic from cloud applications? - TechTarget - September 6th, 2017
- Encryption Explained - Arizona Daily Wildcat - September 6th, 2017
- News in brief: Call to link encryption to ID; Facebook maps everyone ... - Naked Security - September 2nd, 2017
- 'Independent' gov law reviewer wants users preemptively identified before they're 'allowed' to use encryption - The Register - September 2nd, 2017
- High-Dimensional Quantum Encryption Performed in Real-World ... - Futurism - September 2nd, 2017
- It's Time to Replace Your Encryption-Key Spreadsheet - Data Center Knowledge - September 2nd, 2017
- Legislation to limit smartphone encryption 'may be necessary,' deputy AG Rosenstein says - Washington Times - August 31st, 2017
- Cloud Encryption Market by Component, Service Model, Organization Size, Vertical And Region - Global Forecast to ... - Markets Insider - August 31st, 2017
- Encryption in Office 365 - Office 365 - August 29th, 2017
- Need-to-Know Only: Use Encryption to Make Data Meaningless to ... - Security Intelligence (blog) - August 29th, 2017
- Four strategies to prevent data encryption from hijacking your network - Digital News Asia - August 29th, 2017
- Amber Rudd is wrong - real people do want end-to-end encryption - ITProPortal - August 29th, 2017
- Why encryption is for everyone - IFEX - August 29th, 2017
- 4D quantum encryption successful in first real-world test - New Atlas - New Atlas - August 29th, 2017
- For the First Time Ever, Quantum Communication is Demonstrated in Real-World City Conditions - Futurism - August 26th, 2017
- High-Dimensional Quantum Encryption Takes Place in Real-World ... - Photonics.com - August 26th, 2017
- Hedvig Bakes Encryption into Software-Defined Storage Platform - IT Business Edge (blog) - August 26th, 2017
- Hedvig storage upgrade adds flash tier, encryption options - TechTarget - August 26th, 2017
- How to use EFS encryption to encrypt individual files and folders on Windows 10 - Windows Central - August 26th, 2017
- Cloud Encryption Market Worth 2401.9 Million USD by 2022 - Markets Insider - August 23rd, 2017
- To Protect Genetic Privacy, Encrypt Your DNA - WIRED - August 23rd, 2017
- Data Encryption in OneDrive for Business and SharePoint Online - August 21st, 2017
- Researchers use encryption to keep patients' DNA private - Engadget - August 21st, 2017
- Additional proof that Lancaster County Commissioners should reconsider encrypting police transmissions - LancasterOnline - August 21st, 2017
- iPhone Secure Enclave firmware encryption key leaked - TechTarget - August 21st, 2017
- Encryption, speed push the modern mainframe into the future - TechTarget - August 21st, 2017
- Hardware encryption vs software encryption: the simple guide - Kroll Ontrack UK (press release) (blog) - August 21st, 2017
- Encryption Technology Could Protect the Privacy of Your DNA - Gizmodo - August 21st, 2017
- Beginner's guide to Windows 10 encryption - Windows Central - August 18th, 2017
- Encryption key for iPhone 5s Touch ID exposed, opens door to further research - AppleInsider (press release) (blog) - August 18th, 2017
- How security pros look at encryption backdoors - Help Net Security - August 18th, 2017
- The Laws of Mathematics and the Laws of Nations: The Encryption Debate Revisited - Lawfare (blog) - August 18th, 2017
- 72 percent of security pros say encryption backdoors won't stop terrorism - BetaNews - August 18th, 2017
- Ex-MI5 Boss Evans: Don't Undermine Encryption - Infosecurity Magazine - August 14th, 2017
- Despite end to end encryption, apps like WhatsApp, Messenger are still vulnerable to hacking: Study - Firstpost - August 13th, 2017
- What is Encryption? (with pictures) - wiseGEEK - August 12th, 2017
- Ex-MI5 chief warns against crackdown on encrypted messaging ... - The Guardian - August 12th, 2017
- Former UK security service head says weakening encryption would be too dangerous - 9to5Mac - August 12th, 2017
- News in brief: facial recognition planned for Carnival; spy chief backs encryption; ginger emoji planned - Naked Security - August 12th, 2017
- Avoid getting lost in encryption with these easy steps - We Live Security (blog) - August 12th, 2017
- Here's why IBM Z Mainframe Wants to Encrypt the World - Edgy Labs (blog) - August 10th, 2017
- Symantec Announces Plesk Will Integrate Symantec Encryption Everywhere Security Into Its Website Management ... - Business Wire (press release) - August 10th, 2017
- Australia: Shelve Proposed Law to Weaken Encryption - Human Rights Watch (press release) - August 6th, 2017
- IBM India Helps Create Breakthrough Encryption Technology That's Completely Hacker Proof - Indiatimes.com - August 6th, 2017
- Letter to Prime Minister Turnbull re Encryption and Human Rights - Human Rights Watch (press release) - August 5th, 2017
- Zscaler Finds Hackers Using SSL Encryption in Malware to Hide ... - eWeek - August 5th, 2017
- HBO Hack Highlights Importance of Encryption, Data Governance - eSecurity Planet - August 3rd, 2017
- UK flip-flop on encryption doesn't help anyone - CNET - August 3rd, 2017
- UpVote: Turkish regime jails IT trainers in encryption clampdown - Ars Technica UK - August 3rd, 2017
- Telegram messaging app strikes deal with Indonesia on encryption - Digital Trends - August 2nd, 2017
- Encryption is for 'Real People' - Human Rights Watch - August 2nd, 2017
- We don't want to ban encryption, but our inability to see what terrorists are plotting undermines our security - Telegraph.co.uk - August 2nd, 2017
- Real people don't need encryption - Fudzilla - August 2nd, 2017
- Ex-NSA boss questions encrypted message access laws proposed by Malcolm Turnbull - ABC Online - August 2nd, 2017
- Facebook's Sheryl Sandberg: WhatsApp metadata informs governments about terrorist activity in spite of encryption - CNBC - July 31st, 2017
- Commissioners need to rethink encryption - LancasterOnline - July 31st, 2017
- Ex-NSA chief Chris Inglis backs government's encryption push against Apple, Facebook - The Australian Financial Review - July 31st, 2017
- Oak Ridge licenses its quantum encryption method - FCW.com - July 31st, 2017