Security Technologies And Processes For Accessing Websites Using HTTPS

Your tasks are to analyse and to write a report about the processes and the security technologies being used when you access any website (which uses HTTPS) online via a web browser. It is a well-known fact that the Internet is a public network and every single message you exchange with the server can potentially be intercepted by attackers. You need to analyse in detail what technologies and techniques are used to prevent attackers from modifying the communication between you and web server and what keeps your passwords and other details safe.

You are required to address the following topics and task in details in your report:

1. Analyse and write report on how the browser ensures that it is communicating to the right server. Please visit a website and add screenshots also highlighting the related part.
2. Describe how digital signatures work and what is role in authentication process, add the relevant screenshot from your web browser showing the details of signature.
3. Analyse and write report on how the server make sure that it is communicating to the right client, discuss several methods; e.g. if you are using MIT Moodle, how the server verifies that it’s actually YOU?
Confidentiality and Integrity
1. Analyse and write a report on how the confidentiality and integrity is achieved in SSL communication, and how server & client agree on one cipher suit?

2. Explain what the role of symmetric encryption and hash algorithms in SSL communication is.Add screenshots from your browser showing symmetric encryption and hash details.

In this present advance generation, most of the service is based on the internet and to properly run these services tight security is needed. The attackers target this type of online services because by cracking it they can gather valuable information about the customers and the organization. For this reason, it has become a necessity to secure the web services using various types of security technologies. In this paper, a brief about the security system of the websites will be discussed. In this discussion, the authentication process of the websites will be elaborated. How the digital signatures provide security to the authentication process will also be discussed. In the next case, the integrity and the confidentiality which can be achieved through the SSL communication will be discussed. Lastly, the anti-replay attacks related to the SSL communication will be elaborated.

The authentication process of a server follows some steps. In this process, it needs to ensure that the browser is communicating with a right server and the server also need to verify that the communicating person on the other side is genuine. Also, the digital signature verification gives extra security to the authentication process.

The first principle of establishing a secure communication channel is that the browser of the system needs to verify the server that it is authentic. The browsers and the servers together act as a client-server system. The server system hosts all the data which is required by the user [1]. For the verification purpose of the server the browser analyses the SSL certificate provided by the server. In the analysis process if the browser found that the certificate is properly signed by the CA, then the connection established between the browser and the server. In this process firstly, an SSL handshake is done in which the browser sends a request to the server to verify the authenticity of the server [2]. In the form of reply, the server sends the whole chain of the SSL certificate to the browser. In the final process, the browser checks and match the certificate with the locally stored certificate. If matched then secure connection established and for non-match cases, the browser gives a warning to the user about the authenticity of the server.

In the above screenshot Google Chrome browser is used, and in the highlighted part it is clearly showing that the SSL certificate is valid and established connection is secured which is verified by the browser.

The digital signature uses some complex mathematical calculations to verify the authenticity of some digital encrypted messages [3]. A valid signature contains some encrypted information of the sender. A proper digital signature has three properties which are the authentication, non-repudiation and integrity. The authentication property ensures that the message is sent by a recognized source, the non-repudiation properties define that the source cannot disagree about the sent message and the integrity property ensures that content of the message is not altered. The digital signature works on the principle of asymmetric cryptography [4]. When a sender sends a digital signature, it is signed by the signer's private key. In this signing process, the data goes through an encryption process. At the time of encryption the digital message is signed by the sender's private key, and for the decryption process, the public key is required which was created at the time of encryption.

Communicating to Right Server

 In the case of the authentication process, the digital signature can be used for verifying the sender of the message. As the one digital signature is bound to only one sender, by validating the signature, it can determine that the sender of the message is authentic.

The highlighted area of the above screenshot is showing the details of a digital signature where the details of the algorithm used, the issuer of the signature, validity of the signature and the details of public key has shown.

The server verifies the client in several methods. In the first case, the client needs to prove that it is the real owner of the certificate. In this process, the server asks the client to sign something by using the private key. Then the server validates the signature with the public key to establish a secure connection [5].

 In another method, public key verification of the signing authority is done. In this process certification, revocation lists are also checked so that it can be ensured that the certification is not blacklisted.

In some cases, the signature needs to contain some specific information which will ensure that the client is a valid client for that server. In this case, the server looks into some specific information in the certificate.

For the confidentiality part, the SSL communication uses asymmetric key encryption to maintain the privacy of the message. During the handshake process of the SSL, sever agree with the algorithm of the encryption and ensures that the shared key will be valid for only one time [6]. All of the data is encrypted using that key and as the SSL uses the asymmetric key encryption, transporting the shared key to become an easy task. Thus the data confidentiality is maintained.

The SSL communication ensures the data integrity by calculation of the message digest [7]. The CipherSpec of the SSL communication uses a hash algorithm to secure the data from alteration.

The client and server settle on the cipher suite by the process of TLS handshake [8]. In this case, the client takes the initiative by sending an initial message which includes the TLS version and the cipher suits list. In reply, the server transmits a message which contains the selected cipher suite and a session ID. After that, the server transmits a digital certificate to validate itself to the client. Then the server also verifies the client. After successful verification, the secret key is exchanged. Then the client sends a finish message to confirm the completion of the handshake process.

In the case of symmetric encryption, only a lone key is used for both the encryption and decryption process, and it is shared between the receiver and sender. This encryption uses two types of cypher one is a block cipher, and other is stream cipher. In case of SSL handshake, by symmetric encryption both the encryption and decryption of the data can be performed.

 In the above screenshot, the connection type is shown. The connection is using AES type of algorithm for encryption which is symmetric encryption.

The hash algorithm is used for processing a digital signature. The maximum number of algorithm processes is not able to securely sign a message of long length. The hash algorithm is used to reduce the long messages in some short segments [9]. Then the message is signed effectively. Alternatively, a message can also be verified by using the hash algorithm.

The SSL communication method is able to mitigate the replay attacks as it provides the access only to the genuine and validated websites where the replay attacks take place in the poorly secured websites or in the non-secured websites. In the case of replay attack hackers changes the packets that are travelling through a network. The main method of protecting against the replay attack is the MAC verification [10]. MAC is a sequence of unique and secret numbers which identifies only a single user. So, basically, it is not possible for some else to intercept the communication process by using replay attacks. That means the replay attack is mitigated in the SSL communication method.

References:

1. Oluwatosin, Haroon Shakirat. "Client-server model." IOSRJ Comput. Eng16, no. 1 (2014): 2278-8727.
2. Pukkawanna, Sirikarn, Gregory Blanc, Joaquin Garcia-Alfaro, Youki Kadobayashi, and Hervé Debar. "Classification of SSL servers based on their SSL handshake for automated security assessment." In Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), 2014 Third International Workshop on, pp. 30-39. IEEE, 2014.
3. Gallagher, Patrick. "Digital signature standard (DSS)." Federal Information Processing Standards Publications, volume FIPS(2013): 186-3.
4. Tripathi, Ritu, and Sanjay Agrawal. "Comparative study of symmetric and asymmetric cryptography techniques." International Journal of Advance Foundation and Research in Computer (IJAFRC)1, no. 6 (2014): 68-76.
5. Jirwan, Nitin, Ajay Singh, and Dr Sandip Vijay. "Review and analysis of cryptography techniques." International Journal of Scientific & Engineering Research4, no. 3 (2013): 1-6.
6. Huang, Lin Shung, Alex Rice, Erling Ellingsen, and Collin Jackson. "Analyzing forged SSL certificates in the wild." In Security and privacy (sp), 2014 ieee symposium on, pp. 83-97. IEEE, 2014.
7. Giani, Annarita, Eilyan Bitar, Manuel Garcia, Miles McQueen, Pramod Khargonekar, and Kameshwar Poolla. "Smart grid data integrity attacks." IEEE Transactions on Smart Grid4, no. 3 (2013): 1244-1253.
8. Möller, Bodo, and Adam Langley. TLS fallback Signaling Cipher Suite Value (SCSV) for preventing protocol downgrade attacks. No. RFC 7507. 2015.
9. Guesmi, R., M. A. B. Farah, A. Kachouri, and M. Samet. "A novel chaos-based image encryption using DNA sequence operation and Secure Hash Algorithm SHA-2." Nonlinear Dynamics83, no. 3 (2016): 1123-1136.
10. Wu, Zhizheng, Sheng Gao, Eng Siong Cling, and Haizhou Li. "A study on replay attack and anti-spoofing for text-dependent speaker verification." In APSIPA, pp. 1-5. 2014.