As I usually prefer, I will post in the following order:
1. What is SSL Cryptography?
2. SSL Message Exchange Deep Dive (for advanced users)
3. ASA SCEP Proxy Enrollment
4. Deploying Jabber for Remote Teleworkers (Step-by-Step Guide)
I prefer this order to avoid any gaps in knowledge transfer. Some of the posts won't be relevant to people who already have this knowledge or who are not interested in VPN technologies.
SSL is a security protocol used to establish an encrypted link between clients and servers so that data is carried securely. Clients can be Outlook, web browsers, the AnyConnect client, etc.
Asymmetric Encryption
Asymmetric encryption (or public-key cryptography) uses a separate key for encryption and decryption. Anyone can use the encryption key (public key) to encrypt a message. However, decryption keys (private keys) are secret. This way only the intended receiver can decrypt the message. The most common asymmetric encryption algorithm is RSA.
Asymmetric keys are typically 1024 or 2048 bits. Though larger keys can be created, the increased computational burden is so significant that keys larger than 2048 bits are rarely used.
Symmetric Encryption
Symmetric encryption (or pre-shared key encryption) uses a single key to both encrypt and decrypt data. Both the sender and the receiver need the same key to communicate.
Symmetric key sizes are typically 128 or 256 bits.
Which is better?
There are three parameters to use in the comparison:
1. Security
Because asymmetric encryption uses two keys, it is more secure and much more complex to crack.
2. Compute Complexity
Symmetric keys are smaller than asymmetric keys, so they require less computational effort.
3. Ease of Distribution
Since symmetric keys must be identical at both ends of the communication, distribution can be more complex in large environments. With asymmetric keys this isn't an issue, since the public key is used for encryption only. This means that you can distribute the public key globally. The private key is kept secret and is used only by the intended destination for decryption.
SSL Encryption
SSL encryption combines the advantages of both symmetric and asymmetric encryption. It's usually called Public Key Infrastructure.
In SSL communications, the server’s SSL Certificate contains an asymmetric public and private key pair. The session key that the server and the browser create during the SSL Handshake is symmetric. This is explained further in the diagram below.
- Server sends a copy of its asymmetric public key.
- Browser creates a symmetric session key and encrypts it with the server’s asymmetric public key.
- Server decrypts the encrypted session key with its asymmetric private key to recover the symmetric session key.
- Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This gives a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser were to connect to the same server the next day, a new session key would be created.
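The four steps above written out end to end, as an added example using Go's standard library (this is not code from the original post). The post does not name the exact algorithms, so RSA-OAEP for wrapping the session key and AES-GCM for the data channel are assumed choices here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// must keeps the example short: an unexpected failure aborts instead of being returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Browser side: a fresh 256-bit session key, wrapped with the server's public key (RSA-OAEP, a constructed choice).
func clientWrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte) {
	sessionKey = make([]byte, 32)
	must(rand.Read(sessionKey))
	wrapped = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil))
	return sessionKey, wrapped
}

// Server side: only the holder of the private key can unwrap the session key.
func serverUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) []byte {
	return must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil))
}

// Exchange: server key pair -> client wraps session key -> server unwraps it -> client seals msg (AES-GCM) -> server opens it.
func Exchange(msg []byte) ([]byte, error) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // the pair behind the server certificate
	clientKey, wrapped := clientWrapSessionKey(&priv.PublicKey)
	serverKey := serverUnwrapSessionKey(priv, wrapped)
	clientGCM := must(cipher.NewGCM(must(aes.NewCipher(clientKey))))
	nonce := make([]byte, clientGCM.NonceSize())
	must(rand.Read(nonce))
	sealed := clientGCM.Seal(nonce, nonce, msg, nil) // nonce is prefixed to the ciphertext
	serverGCM := must(cipher.NewGCM(must(aes.NewCipher(serverKey))))
	n := serverGCM.NonceSize()
	return serverGCM.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	out, err := Exchange([]byte("hello over the session key"))
	fmt.Println(string(out), err)
}
```

In real SSL/TLS the public key arrives inside the server certificate, and the client must validate that certificate before trusting the key; this snippet assumes the key is already trusted.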
Asymmetric Encryption Algorithms: These can use RSA and Elliptic Curve Cryptography (ECC) to create the public and private keys. With asymmetric encryption it is computationally easy to generate public and private keys, encrypt messages with the public key, and decrypt messages with the private key. However, it is extremely difficult (or impossible) for anyone to derive the private key based only on the public key.
Symmetric Encryption Algorithms: These use algorithms like Twofish, AES, or Blowfish to create keys. All of these encryption algorithms fall into two types: stream ciphers and block ciphers. Stream ciphers apply a cryptographic key and algorithm to each binary digit in a data stream, one bit at a time. Block ciphers apply a cryptographic key and algorithm to a block of data (for example, 64 sequential bits) as a group. Block ciphers are currently the most common type of symmetric encryption algorithm.
Certification Chain
SSL Certificates
To get a certificate, you must create a Certificate Signing Request (CSR) on your server for your organization's domain name/web site. This CSR process creates the private key and a CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA). The CA uses the CSR data file to create a public key to match your private key without compromising the key itself. The CA never sees the private key.
Once you receive the SSL Certificate, you install it on your server. Now the server holds the private key, the public key, and the SSL certificate, and it is ready to accept and encrypt connections.
Now that you have the private and public keys, why do you need the SSL certificate?
Certificates are mainly used for authentication and for verifying the identity of the organization (you don't want to submit your credit card information to an untrusted organization using a fake domain name). Anyone with a CA server (MS, Cisco IOS, OpenSSL) can issue a certificate and generate a public key for a CSR, but browsers only trust server certificates issued by trusted CAs. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store.
Trusted CAs usually verify the identity of the organization before signing the CSR and generating the certificate (establishment card of the organization, verifying the authorized representative of the organization, etc.). When a client tries to connect to the server and receives the certificate, it looks at the certificate path to check which CA signed the certificate. If the client has that CA's certificate (root certificate) in its Trusted Root CA Store, it knows that the certificate was signed by a trusted CA, which means that the organization's identity was verified, i.e. authentication is successful.
For some CAs, you also install a pair of intermediate certificates that establish the credibility of your SSL Certificate by tying it to your CA’s root certificate.
In the image below, you can see what is called the certificate chain. It connects your server certificate to your CA’s (in this case DigiCert’s) root certificate through a series of intermediate certificates.
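An added example, not part of the original post, that builds the chain this section describes (root CA, intermediate CA, server certificate) with Go's crypto/x509 and then verifies the server certificate the way a browser does: the intermediate is supplied by the server, but the root must already be in the client's trusted store. It also mirrors the CSR point above, since the issuer only ever handles the subject's public key. The CA names and the hostname are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign makes a key pair for cn and has issuer sign its certificate (self-signed when issuer is nil); like a CA handling a CSR, it only ever touches the subject's public key.
func sign(cn string, serial int64, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA, // roots and intermediates must be marked as CAs
		BasicConstraintsValid: true,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// ChainVerifies builds root -> intermediate -> server, then checks the server certificate as a client would.
func ChainVerifies(trustRoot bool) error {
	root, rootKey := sign("Example Root CA", 1, true, nil, nil)
	inter, interKey := sign("Example Intermediate CA", 2, true, root, rootKey)
	srv, _ := sign("vpn.example.com", 3, false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter) // presented by the server alongside its own certificate
	if trustRoot {
		roots.AddCert(root) // the client's Trusted Root CA store; roots never come from the server
	}
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

With the root absent from the trust store the same chain fails with an unknown-authority error, which is exactly what a browser shows for a certificate signed by a private or unrecognised CA.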