Sunday, June 3, 2018

All About SSL (Secure Sockets Layer)

In this article I am going to explain some basics of SSL. This blog post is meant for people who are not yet familiar with SSL, especially in combination with WebLogic.

1)      What is SSL (Secure Sockets Layer)?

SSL is a protocol that secures a point-to-point socket connection. It sits between the application and the transport layer (TCP), so the application data that crosses the connection is protected on the wire.
It lets interfaces or (web) applications authenticate each other's identity and encrypts the data traffic between those interfaces or application back ends.
Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection.
Strictly speaking, every version of SSL itself is deprecated and what is negotiated today is its successor, TLS (Transport Layer Security). "SSL" lives on as the everyday name and as the name used in the WebLogic configuration, and it is used in that sense throughout this post.

2)      How does it work?

SSL relies on public key cryptography. A public key and a private key are generated for the back-end server (the method for generating the private key and public key is covered in my next blog).

The public key is handed out freely; the private key never leaves the server. Data encrypted with the public key can only be decrypted with the corresponding private key, and data signed with the private key can be verified by anyone holding the public key (this is the "vice versa" direction: the private key is never used to encrypt secrets for others, it is used to sign). A client that has obtained the server's public key can therefore encrypt something that only the server can read. In SSL that something is the secret from which the symmetric session keys are derived, not the application data itself, because public key operations are slow; the bulk traffic is encrypted with the symmetric session key. A useful picture is an open padlock: the server hands out copies of the padlock (the public key) to anyone, everyone can snap one shut on a box, but only the server holds the key (the private key) that opens it.
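As an added illustration (this is not code from the original post), the following Python script drives the openssl command-line tool to show both directions described above: encrypting with the public key and decrypting with the private key, and signing with the private key and verifying with the public key. It also shows the two failure cases a practitioner should expect: a different private key cannot decrypt the ciphertext, and a signature no longer verifies once the data is altered. It assumes the openssl binary is on PATH; the file names, the "server" and "other" key names and the sample message are made up here.

```python
"""Public/private key round trips using the openssl CLI from Python.

Added example, not code from the original post. Assumes the `openssl`
binary is on PATH; the file names and the sample message below are
chosen here for illustration only.
"""
import os
import subprocess
import tempfile

MESSAGE = b"pre-master secret 0123456789abcdef"   # constructed sample payload


def openssl(args, stdin=None):
    """Run one openssl subcommand; return (exit_code, stdout_bytes)."""
    proc = subprocess.run(["openssl", *args], input=stdin, capture_output=True)
    return proc.returncode, proc.stdout


def generate_keypair(workdir, name):
    """Create an RSA private key and export its public half to its own file."""
    priv = os.path.join(workdir, f"{name}-priv.pem")
    pub = os.path.join(workdir, f"{name}-pub.pem")
    for args in (["genpkey", "-algorithm", "RSA",
                  "-pkeyopt", "rsa_keygen_bits:2048", "-out", priv],
                 ["pkey", "-in", priv, "-pubout", "-out", pub]):
        code, _ = openssl(args)
        if code != 0:
            raise RuntimeError(f"openssl {args[0]} failed")
    return priv, pub


def encrypt_with_public(pub, plaintext):
    """Anyone holding the public key can encrypt (RSA-OAEP padding)."""
    code, ct = openssl(["pkeyutl", "-encrypt", "-pubin", "-inkey", pub,
                        "-pkeyopt", "rsa_padding_mode:oaep"], stdin=plaintext)
    return ct if code == 0 else None


def decrypt_with_private(priv, ciphertext):
    """Only the matching private key decrypts; returns None on failure
    (OAEP decoding fails deterministically with the wrong key)."""
    if ciphertext is None:
        return None
    code, pt = openssl(["pkeyutl", "-decrypt", "-inkey", priv,
                        "-pkeyopt", "rsa_padding_mode:oaep"], stdin=ciphertext)
    return pt if code == 0 else None


def sign_with_private(priv, data):
    """The reverse direction: the private key signs, the public key verifies."""
    code, sig = openssl(["dgst", "-sha256", "-sign", priv], stdin=data)
    return sig if code == 0 else None


def verify_with_public(pub, data, signature):
    """True only if `signature` was produced by the private key matching `pub`
    over exactly `data`."""
    if signature is None:
        return False
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(signature)
        sig_path = f.name
    try:
        code, _ = openssl(["dgst", "-sha256", "-verify", pub,
                           "-signature", sig_path], stdin=data)
    finally:
        os.unlink(sig_path)
    return code == 0


def demo():
    """Run the round trips against a server key pair and an unrelated one."""
    with tempfile.TemporaryDirectory() as d:
        server_priv, server_pub = generate_keypair(d, "server")
        other_priv, _ = generate_keypair(d, "other")   # unrelated key pair
        ct = encrypt_with_public(server_pub, MESSAGE)
        sig = sign_with_private(server_priv, MESSAGE)
        return {
            "ciphertext_differs": ct is not None and ct != MESSAGE,
            "right_key_decrypts": decrypt_with_private(server_priv, ct) == MESSAGE,
            "wrong_key_decrypts": decrypt_with_private(other_priv, ct) == MESSAGE,
            "signature_verifies": verify_with_public(server_pub, MESSAGE, sig),
            "tampered_verifies": verify_with_public(server_pub, MESSAGE + b"!", sig),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

OAEP padding is used deliberately: with the older PKCS#1 v1.5 padding, recent OpenSSL releases return random bytes instead of an error when decryption fails, so "wrong key" would not be visible as a clean failure.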

The public key is embedded in a digital certificate together with information about the owner of the key (the certificate's subject). This information typically consists of the host name, the organisation and organisational unit, a locality and country, and sometimes an e-mail or street address.

A private key and the matching digital certificate together form the identity of the server. The data embedded in a digital certificate is verified by a certificate authority (CA) and digitally signed with the CA's private key, so the signature can be checked by anyone who holds the CA's certificate.

The trusted certificate authority (CA) certificate is what establishes trust for a certificate: a certificate is accepted because the CA that signed it (or a CA further up the chain) is itself trusted. Below is an overview of a "Happy SSL flow":

The flow diagram of the SSL handshake:

In outline, the handshake runs as follows. The client sends a ClientHello listing the protocol versions and cipher suites it supports. The server answers with a ServerHello choosing one of them, its certificate (chain) and, for two-way SSL, a request for the client's certificate. The key exchange then establishes a shared session key: under RSA key exchange the client encrypts a pre-master secret with the server's public key, under (EC)DHE the server signs its key-exchange parameters with its private key. Finally each side sends a Finished message, encrypted under the new session key, that proves the handshake messages were not tampered with. Application data flows after that, encrypted with the symmetric session key.

The same exchange can be captured and analyzed with a network analyzer such as Wireshark (the protocol is shown as TLS, or SSL in older Wireshark versions).
3)      Types of SSL Authentication

Depending on which side has to prove its identity during the handshake, SSL authentication comes in two forms:
1)      One-Way SSL Authentication:- In one-way SSL authentication only the server presents a digital certificate to the client to prove its identity. The client verifies that the certificate chains to a CA certificate in its trust store (and that the name in the certificate matches the host it meant to reach); the client itself stays anonymous at the SSL level. This is the mode used by practically every public HTTPS site.

2)      Two-Way SSL:- In two-way SSL authentication both the client and the server must present digital certificates before the SSL connection is established.

In two-way SSL authentication the SSL client application verifies the identity of the SSL server application, and the SSL server application verifies the identity of the SSL client application.

Two-way SSL authentication is also referred to as client authentication or mutual authentication, because the application acting as SSL client presents its certificate to the SSL server in addition to the SSL server authenticating itself to the SSL client.

Establishing the encrypted channel using certificate-based two-way SSL involves:

- A client requests access to a protected resource.
- The server presents its certificate to the client (and asks the client for its certificate).
- The client verifies the server's certificate against its trust store.
- If successful, the client sends its certificate to the server.
- The server verifies the client's certificate against its own trust store.
- If successful, the server grants access to the protected resource requested by the client.

Note :- Both types of SSL authentication are supported by WebLogic Server.

4)      What is a Trust Store?

A truststore is a keystore that is used when deciding what to trust. If you receive data from an entity you already trust, and its signature can be verified, you can assume the data really came from that entity. An entry should only be added to a truststore if you want to trust that entity.
Every entry in a truststore is treated as trusted, so importing a certificate is the act of extending trust to it. The store should therefore contain only the CA certificates you actually rely on; a truststore stuffed with unknown roots trusts an unknown number of parties.

Truststores usually contain a set of certificates issued by a Certificate Authority, either public CAs or a company's internal CA. CA certificates are certificates that a CA issues to itself or to a second CA, creating a defined relationship (a so-called trust) between them.
A certificate which a CA issues to itself is referred to as a trusted root certificate, because it is intended to establish the point of ultimate trust in a CA hierarchy. Once the trusted root has been established, it can be used to authorise subordinate (intermediate) CAs to issue certificates on its behalf; a server certificate is then accepted when the chain of signatures from it back to a trusted root can be verified.

5)      Basic difference between Trust Store and Identity Store

A very common confusion we come across is the difference between the trust store and the identity store.
The main difference between them is what they hold and how they are used.
Identity Store: holds the server's own private key together with its server certificate and the CA certificate chain leading up to the issuing root. Whenever a client asks the server to communicate over SSL, the server takes its certificate (and chain) from here and presents it to the client. Because it contains the private key, this is the sensitive store: restrict its file permissions and protect its passphrase accordingly.
Trust Store: holds the root and intermediate CA certificates of third parties (or, when pinning to one specific peer, that peer's server certificate). It contains only public material and is used to validate the certificate a third-party server presents, or, in two-way SSL, the certificate a client presents, during the handshake.

It can be understood with the two-way SSL (mutual authentication) example:

1. The client initiates a request to the server.
2. The server responds by sending its certificate (from its identity store) to the client.
3. The client validates the server certificate against the truststore configured on the client.
4. The server requests the client's certificate (on the wire this request travels together with the server's own certificate in step 2).
5. The client sends its certificate (from its identity store) to the server.
6. The server validates the client's certificate against the truststore configured on the server.
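The following Python script is an added example (not code from the original post, and not WebLogic's implementation) that plays out sections 3 and 5 above on the loopback interface using Python's ssl module. On each side, load_cert_chain() plays the role of the identity store and load_verify_locations() the role of the trust store. Four handshakes are run: one-way SSL, two-way SSL with a valid client certificate, two-way SSL where the client brings no certificate (the server aborts), and one-way SSL where the client's trust store does not contain the server's certificate (the client aborts). It assumes the openssl binary is on PATH, used only to mint throwaway self-signed certificates; the file names "server"/"client" and the common names are made up here, and each party's self-signed certificate stands in for a CA certificate in the other party's trust store.

```python
"""One-way vs two-way (mutual) SSL/TLS over loopback with Python's ssl module.

Added example, not from the original post. Assumes the `openssl` CLI is on
PATH (used only to mint throwaway self-signed certificates) and that the
loopback interface is usable. File names and common names are chosen here.
  identity store = load_cert_chain(own certificate, own private key)
  trust store    = load_verify_locations(certificates of the parties we trust)
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(workdir, name, cn):
    """Mint a self-signed certificate + private key: the identity of one party."""
    key = os.path.join(workdir, f"{name}.key")
    cert = os.path.join(workdir, f"{name}.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={cn}",
                    "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key


def run_handshake(server_identity, server_trust, client_identity, client_trust):
    """Perform one TLS handshake on loopback and return (ok, failure_reason).

    *_identity: (cert, key) tuple or None. *_trust: path of the trusted
    certificate(s) or None. A non-None server_trust means the server demands
    and validates a client certificate, i.e. two-way SSL.
    """
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(*server_identity)            # server identity store
    if server_trust:
        srv.verify_mode = ssl.CERT_REQUIRED           # two-way: client cert mandatory
        srv.load_verify_locations(server_trust)       # server trust store
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # verifies server + hostname
    cli.load_verify_locations(client_trust)           # client trust store
    if client_identity:
        cli.load_cert_chain(*client_identity)         # client identity store

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server_side = {}

    def serve():
        try:
            conn, _ = listener.accept()
            with srv.wrap_socket(conn, server_side=True) as tls:  # handshake here
                server_side["peer"] = tls.getpeercert()
                tls.sendall(b"hello")
        except (ssl.SSLError, OSError) as exc:
            server_side["error"] = getattr(exc, "reason", type(exc).__name__)
        finally:
            listener.close()

    thread = threading.Thread(target=serve)
    thread.start()
    ok, reason = False, None
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with cli.wrap_socket(raw, server_hostname="localhost") as tls:
            ok = tls.recv(16) == b"hello"   # only reached if both sides accepted
    except (ssl.SSLError, OSError) as exc:
        reason = getattr(exc, "reason", type(exc).__name__)
    thread.join()
    return ok, reason or server_side.get("error")


def demo():
    """The two flows from the post, plus the two rejections a practitioner must expect."""
    with tempfile.TemporaryDirectory() as d:
        server = make_self_signed(d, "server", "localhost")
        client = make_self_signed(d, "client", "client-app")
        return {
            # 1) one-way: only the server proves its identity
            "one_way": run_handshake(server, None, None, server[0]),
            # 2) two-way: the server also demands and validates a client certificate
            "two_way": run_handshake(server, client[0], client, server[0]),
            # 3) two-way, but the client has no certificate: the server aborts
            "two_way_no_client_cert": run_handshake(server, client[0], None, server[0]),
            # 4) client trust store lacks the server's certificate: the client aborts
            "untrusted_server": run_handshake(server, None, None, client[0]),
        }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} {'OK' if ok else 'FAILED'} {reason or ''}")
```

The failure reason is reported from whichever side raised the alert, because under TLS 1.3 the client's handshake can complete before the server has rejected the missing client certificate; the rejection then surfaces as an alert on the client's first read rather than inside the handshake itself.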


Note:- Find the technical implementation of SSL in WebLogic, and the generation of the private key and public key, in my next blogs.




