TLS Handshake Explained - Computerphile

Video Statistics and Information

Reddit Comments

It's illuminating and interesting to see how all these parts fit together.

👍︎︎ 1 👤︎︎ u/excarnateSojourner 📅︎︎ Nov 06 2020 🗫︎ replies
Captions
Last time we looked at TLS and we had a bit of a chat about where it came from, the history and how it evolved. Um, so I suppose we're, we're left with the, uh, the idea of working out how it works in that handshake procedure, right? That's right, yeah. Everything in TLS happens in the handshake. I mean, that's not absolutely true, but, you know, the majority of all the important stuff is in there. The reason that TLS is so prevalent and so used and how good it is is all down to how good the handshake is. So let's dive right in and see what it is that it does underneath. Today we're going to look at the TLS 1.2 handshake, not the TLS 1.3. The reason is because I personally think that 1.2 is perhaps a little bit more intuitive when you're learning it for the first time. I like to look at 1.3, you know, by, by way of how it changes from 1.2 rather than just on its own like that. So, you know, we can talk about 1.3 another time. Before we start, I just wanted to show you: if you go to your web browser, I mean, different web browsers show different things, um, but, you know, in Firefox here I'm on the Nottingham website. If I click on the padlock and I click more information, we can see that I've got a TLS session. So my computer, my browser in this case, and the Nottingham web server have formed a TLS connection that sits over TCP and is encrypting HTTP before it gets sent and received. Now what I'm interested in is this string down here. So we're just going to copy that down and then we'll talk about what that is, and then when we look at the handshake you'll see all these different bits appearing, because basically this is what we call a cipher suite. So this is a string representation of all the different things we're going to do during our handshake, right? So for example key exchange, public key authentication, um, the actual encryption and things like this, right? They're all in there. So let's have a quick look. I'm going to bring up the, um, inks pad thingy. Oh, this is here from last time. Last time we used this app?
Yeah, okay. Yeah, yeah, this is only for recording videos and stuff, so, you know, when I'm not recording videos I'm not really using it, I just use my computer. Um, all right, so let's take this off. There were a few different cipher suites, but the one we're looking at today is the most common one, and that is TLS ECDHE RSA with AES 128 GCM, I've run out of space, SHA256. It was impossible to know when I started at that font size that it wasn't going to make it all the way to the end. Right, there's a lot of stuff going on here, so let's have a look at these, right? So TLS, we know what, we know what that is, right? That was the whole last video: Transport Layer Security. You got two two or three. ECDHE, that's elliptic curve Diffie-Hellman ephemeral, right? We've talked about Diffie-Hellman before. That is the key exchange, so that is how we obtain some kind of shared secret that only you and I have, or only me and the web server has, so no one else can see what we're doing. That's obviously going to be used to derive keys for encryption. RSA: this is going to be the public key authentication mechanism, right? So we're going to make sure that that server is who they say they are by checking a public key certificate and verifying their digital signature. And then when we've actually done that, that's the handshake part, then the actual encryption is going to be happening using AES. So this is the cipher, this is the key size, this is the mode of operation. So this is going to be Galois counter mode. I think I might have mentioned that in a previous video, but if I didn't, it's a whole different video. And finally SHA256, we've talked about hash functions before, is the kind of the building block that's used to perform hash functions where they're needed, so things like turning a secret into a key and creating message authentication codes and things. These are some things we've covered in other videos. Um, so all of this is in here, and we've got only a few messages to get this done, right, because it's
got to be really, really quick. So let's go through the actual handshake and then we'll see some of these things appearing. We're going to start a conversation over the internet. It's going to be with someone using TLS, so we begin obviously with a TCP handshake to get a TCP connection established, um, and before we send any application data, that's when we're going to do our TLS handshake. So this is the client over here and this is the server over here. I'm going with client server this time, not Alice and Bob. It would work just as well with Alice and Bob. If you think about the way the web works, um, we always, the client is always the one approaching the server. Amazon, well, for the most part, doesn't just send you random websites, right? You ask for a website and it gives you one, or you ask for a file and it gives you one. So the first thing we're going to do is send a message, and that message is called client hello. We know what that message is because all TLS messages have a number that identifies them, and so basically you can read off the header and you can work out what kind of message this is. Now this client hello message is going to contain a few things. First of all, it's going to contain the max TLS version that this client can support, because obviously you've got different servers, you've got different clients, so it's going to be the max TLS version that they support. Not every server and every client is exactly the same. They won't all support the very, very latest version, so they maybe don't support 1.3, so maybe they send 1.2, but that's the maximum version they support. They're going to send a random number, and that's used to make sure that replay attacks, for example, aren't going to work. And finally they're going to send a list of cipher suites. So that cipher suite we looked at just before, there's going to be a number of those that they support, probably, and they're going to send a list of all of those. Each of them has a number, so it's a nice short list, assuming the server is
switched on, right? That's a whole different problem. Right, so I'll have that out. Right, so we've got the client hello. So at this point the server knows what the client can do, and now it has to pick something, right? The way that TLS does it is that the server is the one that actually chooses. As a client, you go to the server and you say, I can do these things, and it says, right, we're going to use that one. So the server is going to respond with a server hello. Now that's going to contain very similar things to what the client hello contains, so it's going to have a chosen TLS version, right? So let's say the client supported 1.3 but the server only supports 1.2, it will send back 1.2. It's going to choose one of the cipher suites, and usually it will have some kind of configuration and which ones it prefers and things like this, and then it's going to also send a random number. Um, if, if the server doesn't support any of the versions or the cipher suites that the client does, which is very unusual, then obviously this is not going to work. They're going to send back some kind of failure message, right? They're actually sending back a TLS alert, and that, that will say, yeah, it's not going to work, right, we won't be having a conversation. All right, so this is the beginning of the handshake. We now know what we're going to do: we're going to use, let's say, elliptic curve Diffie-Hellman, we're going to use RSA, we're going to use AES when we eventually get to encryption. So now we actually have to do those things, unfortunately. So the server is going to send another message, and this is going to be a certificate. Various videos have talked about public key certificates before, but this is just going to be a standard format certificate with an RSA key, if that's what we've agreed to use, and it's going to crucially have a public key on it, right? So this is going to have a public key attached to it. The server is then going to send what we call the server key exchange message. That has a few things in it, right?
The first thing it has is the parameters for the Diffie-Hellman key exchange, right? So we talked about the parameters g, n back, way back when we did the video. Alice and Bob have to agree some mathematical parameters that they're going to use. This is a value g, or a generator, and a big prime number n, right? Now for this it's going to choose some of those, possibly elliptic curve ones, probably, because that's what we're using, and it's also going to send its public part, its public message, as part of that key exchange process. So if you remember back very briefly in Diffie-Hellman, you each send a public value across and then you, you combine it with some private values behind the scenes. This is all the colored water video we did. That's the colored water video, yeah, which, but kind of works, yeah. The server key exchange also, very importantly, has a digital signature as part of it, so I'm going to write that in quick: digital signature. Now a digital signature is essentially a set of these previous messages summarized using a hash function and signed using the private key of the server, the one that goes with the public key that's on the certificate. It's the proof that the server is who they say they are, because only, theoretically, that server has the private key, right? We've covered these kind of things before, and different, I think Rob did a video on public key. The fact that it can be decrypted with your public key means that it must have been encrypted with your private key, which means it must have been you who made the message, because only you have your private key. What the client's going to do is it's going to look at the certificate, it's going to verify that that's okay, and then it's going to look at the digital signature and verify that's okay using the certificate, and if they're both okay, as a client we can be pretty happy that the server is who they say they are, right? This is almost, for me, the most important message, right, because if you can't establish that the server is who they
say they are, then this of course could be a complete imposter, and then we've got a real problem. So there's also the video that Richard Mortier did on secure web, where he talked about you follow this chain of trust all the way up to a certification authority. That's the process that this client is going to follow. So at this point the server sent their part of the key exchange, they send their digital signature and certificate, so they verify themselves. Their job for now is over, right? So they're going to send a server hello done, and that says, I'm not sending you any more weird information, right, you've got everything you need. Like, if you're not happy, that's unfortunately just how it's going to be. So it's now in the client's, it's now the client's turn, right? So the client, as you remember, in the key exchange you've both got to send something, right? So the client is going to reply with a client key exchange. Now normally the client doesn't send a certificate. They don't have to send a certificate verification or anything like this, a signature, and they of course already have the parameters that the server sent, so all they're going to send is they're like Alice public value, right, that, the one that goes in, uh, over here. These can be used mathematically as part of the Diffie-Hellman process to create what we call a pre-master secret. So at this, at this point the server and the client both have the same pre-master secret, right? They combine that pre-master secret with the random numbers from above, and that becomes the master secret, right? And that's the one that's used to derive any kind of key material that's going to be used during this process. This is looking kind of complicated, but actually we're nearly finished, right? This is, this doesn't take a very long time. The client is now going to send a change cipher spec message. What the change cipher spec message says is, I've got all the information I need from our previous handshake, I'm actually ready to begin encryption, so the next message
you see from me is going to be encrypted, right, using all this, using AES 128-bit key, Galois counter mode, using the key that we just derived, and so on. So they're then going to send a finished message, and that finished message is going to contain a summary of all of the messages so far, encrypted, like, using the key, right? So obviously if this process has failed, the server's not going to be able to decrypt it. The server is going to respond with the exact same thing, so they're going to send over this way a change cipher spec and then a finished message, which will be encrypted. Now the really important thing about these finished messages, which didn't usually exist in the really early versions of SSL, is that they summarize all the messages you've seen so far. So imagine someone was sitting in the middle tampering with the messages. Maybe they tricked the server into thinking the client actually only supported 1.1, right? Well, then the client and the server are going to have seen different versions of events, and that means that these two finished messages aren't going to match. So if they don't match, bail, bail from the conversation, jump out the nearest window, right? It's not good times. Let's look back at what we wanted from this and work out where we got it, right? Um, so we wanted some kind of shared secret, right, because if we didn't have a shared secret we're not going to be able to do any kind of encryption. This is where we have the server key exchange message and the client key exchange message, which contain those Diffie-Hellman, uh, parameters that we're gonna, we're gonna share. Then we need to have some kind of authentication, if not of the client then at least of the server, right? That's the way we normally do on the web. It's, it's, you know, it's fairly common to authenticate the client as well, you know, in other, other situations. This is going to be the digital signature and the certificate that do this, so that's RSA. It doesn't have to be RSA, but that's, you know, what we're using this
example. We needed to originally agree on what we were going to do, right? We need, you know, some kind of, uh, what, what messages we're going to send, right? That's all defined in the spec, and of course that was part of the client hello and the server hello, which had all that information on which cipher suite we're going to use. And finally we wanted to make sure that there wasn't someone tampering with this, it wasn't a replay attack. We wanted to make sure that someone hadn't fiddled with the messages. That's what the finished message is, uh, green, green, I've run out. This is what, I've got quite a lot of colors compared to my felt tip pens. Right, that's what the finished messages is doing, right? The finished messages are making sure that no one's tampered with the messages, and also the random numbers for part of the client and the server hellos also prevent things like replay attacks. They make sure that the key material is different every time, and so on and so forth. Um, so this is, this has everything we want, right? It's very, very difficult to break into this, you know, for want of a better phrase. Um, and the other thing to know is that we've gone once from the client to the server, and then we've gone back from, these messages are usually sent basically in the same packet, I said, or very close together, back from the server to the client, back to the server, back to the client, and then we're ready to go. So it's two round trips, right? So if you, if you live 200 milliseconds away, in terms of, you know, transmission time, from the server, this is going to take 400, just under half a second basically, to do this, which is what happens when you go to a website. When you connect to, we type in the URL, it'll do a DNS lookup if it hasn't been already cached, and then you'll just do this very quick TLS handshake and then encrypt everything, right? So it's really, really quick. TLS 1.3 does this in just one round trip, right, so they've sped it up even faster. How many times would this happen? Is this something that
gets refreshed every now and then? Is this for the entire session of your time browsing that website? Yeah, it's going to depend on, um, on, you know, a few different things. Usually you would set up a TLS connection and then you would go off to, let's say, for an index.html page, and then images that you download will also have use the same connection, right? You wouldn't do a TLS handshake for every different resource. But then if you, if, you know, you browse away from the website and come back, that would likely be a new exchange, right? There is kind of session resumption and stuff that will sometimes be implemented on a server level. That will depend on the configuration of the server. You, I guess you could imagine if you're a server sending out hundreds of thousands of these, being able to resume sessions when it's safe to do so kind of makes sense, right, from a sort of computation point of view. You know, verifying certificates of things does take a little bit of time. I guess if, um, if there's ad servers involved, they will be separate connections there? Yeah, if you go off to another server to get a resource, whether it's an ad or something else, that's going to be a different TLS connection. Sometimes you get one of those warnings where only part of your session is encrypted. That's because you've got an HTTPS or TLS session set up, but one of the resources you're fetching out is not HTTPS, so that's unencrypted, right? That's just bad website programming to do that. If you stay on a website for a long time, then keys or this session will be refreshed every so half an hour or something like that, to make sure that you've got new keys, new keyword too, and you've got that perfect forward secrecy. You said it, um, 1.3 is even faster. I mean, is, has everybody moved to 1.3 or is that relatively new? No, not at all. I mean, we just went on the Nottingham website and they're, they're supporting 1.2, right? And I'm not singling them out, loads of people are still supporting 1.2. Perhaps one of the differences, so 1.0
and 1.1 have now been deprecated officially, so we're not supposed to use them. Um, but unlike those, 1.2 is actually still pretty good, right? And if you configure it, it's basically the same as 1.3, just a little bit slower with the handshake. It doesn't support quite as many different things. Really what 1.3 did is obviously a faster handshake, and it locked down a lot of the cipher suites you can use and things like this. If you're only using those cipher suites anyway, 1.2 is not that big a deal. It involves, you know, reinstallation of a lot of server software. People are just being a little bit slow, but it's not, it's not a huge problem, right? Most browsers now support 1.3, so if you go to a website that supports it you'll be able to find one. Carry on copying for another 65 528 worth of bytes. Now where those extra bytes going to come from? Or they're going to come from whatever follows on in memory, in the computer's memory, that's there. If we're lucky that data will be meaningless. So it's still just you claiming to be whoever you claim to be, and I've got no other way of checking that out, which is why a lot of browsers
Info
Channel: Computerphile
Views: 234,279
Rating: 4.9493341 out of 5
Keywords: computers, computerphile, computer, science, University of Nottingham, Dr Mike Pound, TLS, Transport Layer Security, Handshake, TLS Handshake, Crypto, Cryptography
Id: 86cQJ0MMses
Length: 16min 59sec (1019 seconds)
Published: Fri Nov 06 2020