Web Site Cryptography

    Every time you connect to a website on the internet and need to send something securely, you look for the little padlock in your browser to show that you have connected to a secure website. To do this we use a system called Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). However, there are a number of crypto technologies that secure the connection between you and the website that you are connecting to. Below we will look at four websites and the crypto algorithms that they use in securing your connection to them.

    For starters, we will look at Google and Yahoo, as they both use the same crypto systems to secure web traffic. I discovered what systems they were using by connecting securely to each site and, in Firefox, clicking on the padlock and then clicking on more information, which gives you all sorts of information about your connection, including the connection encryption information. Below you can see the encryption information pulled from Firefox. It looks like a bunch of gibberish, but we will soon discover what it all means. All the sites below use hybrid encryption systems.

WWW.GOOGLE.COM, WWW.YAHOO.COM

High-grade Encryption (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys)

 

    TLS stands for Transport Layer Security and is an asymmetric cryptography method that is used primarily to exchange a symmetric key (T. Dierks, 2008). The algorithm used by the TLS implementation at Google and Yahoo is identified as ECDHE_RSA, which stands for Elliptic curve Diffie–Hellman (ECDHE) as developed by RSA cryptosystems. ECDH is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel. It is considered computationally heavy, meaning that it requires a larger number of CPU cycles to process (Elaine Barker, 2007). The combination of TLS and ECDHE_RSA is required for the implementation of Perfect-Forward Secrecy (Mavrogiannopoulos, 2011).

    After the key has been exchanged with TLS_ECDHE_RSA, the connection is switched over to a more efficient and faster symmetric encryption system. The AES in AES 128 stands for Advanced Encryption Standard, a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES 128 is a 128-bit symmetric-key block cipher, meaning the same key is used for both encrypting and decrypting the data (National Institute of Standards and Technology (NIST), 2001). Next we move to GCM, which stands for Galois/Counter Mode. GCM is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. Furthermore, SHA_256 is a cryptographic hash function that is part of the Secure Hash Algorithm version 2 (SHA-2) standard. AES_128_GCM_SHA256 is part of a cipher suite under RFC 5288 as proposed by Cisco Systems (J. Salowey, 2008).

    Next we will move on to everyone’s favorite shopping site, Amazon.com. As you can see below, little has changed from Google’s and Yahoo’s implementations. The main difference resides in the cipher suite in use, as it uses CBC instead of GCM and a weaker version of SHA. Cipher block chaining (CBC) is a mode of operation for a block cipher. Cipher block chaining uses what is known as an initialization vector (IV) of a certain length. One of its key characteristics is that it uses a chaining mechanism that causes the decryption of a block of ciphertext to depend on all the preceding ciphertext blocks (Rouse, 2014).

WWW.AMAZON.COM

High-grade Encryption (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys)

 

    Lastly, we will look at Newegg, which has the weakest security of them all. TLS_RSA uses fewer bits than TLS_ECDHE_RSA and is less computationally heavy, which means a cracker does not require as many CPU cycles to crack it; however, it is still considered robust enough for everyday use. The problem lies with its RC4_128_MD5 cipher suite. RC4 has been shown to be vulnerable to several attacks and is considered to be insecure by the industry (Greenberg, 2013). In addition, MD5, which is a hashing algorithm, has also been broken (Corelis, 2009). With this in mind, if you have to shop at Newegg, try not to give them too much information, because they really don’t care about the security of your information.

WWW.NEWEGG.COM

High-grade Encryption (TLS_RSA_WITH_RC4_128_MD5, 128 bit keys)

 

    With all the different types of encryption standards in use on the internet, it can be a bit hard to get your head around all of it. However, after looking at what a few websites use to secure your data, you can see all the different algorithms that they use in their hybrid encryption systems. Lastly, those sites that care about your data security use stronger encryption systems; however, some just do the minimum to get the little green padlock to show up on your browser.
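The suite strings quoted above follow a fixed naming pattern, so they can be split into their components and checked mechanically. The script below is an added example, not part of the original article: the names `parse_suite` and `audit` and the wording of the findings are this example's own, and it only handles TLS 1.2-style names built from the algorithms discussed on this page.

```python
import re

AEAD_MODES = {"GCM", "CCM"}           # modes that authenticate as well as encrypt
MODES = AEAD_MODES | {"CBC"}
FS_KEY_EXCHANGES = {"ECDHE", "DHE"}   # ephemeral Diffie-Hellman key exchanges

def parse_suite(name):
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> into its components."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)_([A-Z0-9]+)", name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    kx, _, auth = m.group(1).partition("_")
    parts = m.group(2).split("_")                      # e.g. ['AES', '128', 'GCM']
    mode = parts[-1] if parts[-1] in MODES else None   # RC4 is a stream cipher: no mode
    aead = mode in AEAD_MODES
    return {
        "key_exchange": kx,
        "authentication": auth or kx,   # TLS_RSA_*: RSA does both jobs
        "cipher": parts[0],
        "key_bits": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None,
        "mode": mode,
        "aead": aead,
        "hash": m.group(3),
        "hash_role": "PRF" if aead else "HMAC",  # AEAD suites have no separate record MAC
        "forward_secrecy": kx in FS_KEY_EXCHANGES,
    }

def audit(name):
    """Return the weaknesses flagged for one suite (empty list: nothing flagged)."""
    s, findings = parse_suite(name), []
    if not s["forward_secrecy"]:
        findings.append("no forward secrecy (static key exchange)")
    if s["cipher"] == "RC4":
        findings.append("RC4 is considered insecure")
    if s["mode"] == "CBC":
        findings.append("CBC mode is not authenticated encryption")
    if s["hash"] == "MD5":
        findings.append("MD5 is broken")
    elif s["hash"] == "SHA":
        findings.append("SHA-1 is weaker than SHA-256")
    return findings

# The three suite names quoted in this article.
SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # Google, Yahoo
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # Amazon
          "TLS_RSA_WITH_RC4_128_MD5"]                # Newegg

if __name__ == "__main__":
    for suite in SUITES:
        print(suite, "->", audit(suite) or "nothing flagged")
```
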

 

Works Cited

Corelis, T. (2009, 01 04). MD5 Is Officially Insecure: Hackers Break SSL Certificates, Impersonate CA. Retrieved from DailyTech: http://www.dailytech.com/MD5+Is+Officially+Insecure+Hackers+Break+SSL+Certificates+Impersonate+CA/article13842.htm

Elaine Barker, D. J. (2007, 03 01). Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. Retrieved from National Institute of Standards and Te: http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf

Greenberg, A. (2013, 03 13). Cryptographers Demonstrate New Crack For Common Web Encryption. Retrieved from Forbes: http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show-mathematically-crackable-flaws-in-common-web-encryption/

J. Salowey, A. C. (2008, 08 01). AES Galois Counter Mode (GCM) Cipher Suites for TLS. Retrieved from The Internet Engineering Task Force (IETF®): http://tools.ietf.org/html/rfc5288

Mavrogiannopoulos, N. (2011, 12 08). The price to pay for perfect-forward secrecy. Retrieved from Nmav’s Blog: http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html

National Institute of Standards and Technology (NIST). (2001, 11 26). ADVANCED ENCRYPTION STANDARD (AES). Retrieved from National Institute of Standards and Technology (NIST): http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Rouse, M. (2014, 08 30). cipher block chaining (CBC). Retrieved from TechTarget: http://searchsecurity.techtarget.com/definition/cipher-block-chaining

T. Dierks, E. R. (2008, 08 01). The Transport Layer Security (TLS) Protocol Version 1.2. Retrieved from The Internet Engineering Task Force (IETF®): http://tools.ietf.org/html/rfc5246

 
