Day 20/40 - SSL/TLS Explained Simply - How SSL/TLS Works?

Tech Tutorials with Piyush
Welcome to day 20/40 of the Certified Kubernetes Administrator (CKA) series! In this video, we will ...
Video Transcript:
Hello everyone, welcome back to my channel. My name is Piyush and this is video number 20 in the series CKA 2024. This is a prerequisite of our next video, which is going to be about certificates in Kubernetes, so before going into that I wanted to discuss how SSL/TLS actually works. If you are already aware of that topic, feel free to skip this video, but in this video we'll be doing a deep dive into SSL/TLS and how it works end to end. The comments and like targets of this video will be 120 likes and 120 comments; it's a small target and I'm sure you can do that. So without any further ado, let's start with the video.

All right, so let's take a simple example first and then we'll go deep into that. Let's say you have a user who is trying to send a request to a server. So I'm just going to create a user over here, U, that's your user, and let's create a server as well. This server could be a web server, this server could be an application server, anything. For now we are just taking an example of how a user communicates with a server over the internet. And this user could be not just a user, this user could be a client, so it's a client and server interaction, because everything is an interaction between a client and a server: when we are sending the request we become a client, and where we are sending the request and from where we are expecting the response, that's actually a server, that could be over here, right?

So let's say we are a user. We will send a request to this server, maybe let's say a GET request. There are different types of HTTP requests such as GET, PUT, POST and so on, right? For now this user is trying to get some data from the server, so that is why it is sending a GET request, and this is over the HTTP protocol, Hypertext Transfer Protocol. Everything over the internet either goes through HTTP or HTTPS; if we are accessing a web browser, a web client, it has to go through an HTTP connection. We'll talk about HTTPS later on, but first let's have a look at how HTTP actually worked before.

So a user sends the request, but then the server asks for the authentication details of the user, right? The server said, okay, I've got your request, but first identify who you are. So, identification. Then the user sends the credentials to the server: okay, here's my username, here's my password. So the user sends the credentials, and after that the server authenticates the request and then it actually provides the requested details. Authentication is nothing but you defining who you are, who you actually are; that's the part of authentication. So when the user provided the credentials, like its username and password, the server authenticated it and sent the response back.

But there could be someone else in the middle, right? There could be a hacker who is sniffing the network and who is also looking into any unsecured connection request and response, and as soon as he finds out that someone is sending their credentials over the internet, that hacker sniffs that request, and now this hacker has all the credentials, all the details, and now this hacker can actually send the request to the server and get a response from your server. So you have been hacked, right? And this is okay if you are just browsing a site like an informatory site, a static page which does not have any details, no login, no authentication whatsoever. But what if it was a highly confidential website like your banking website, your stock trading or brokerage website, your insurance website and so on? There could be thousands and thousands of websites from which this hacker can sniff the data, and it could make it really worse, right? So HTTP is not considered secure because of these many reasons, and there'll be a lot more.

So what we have discussed now: what if there was a way to actually send this message, like after the identification is done, your user is sending your identification details; what if there was a way to actually encrypt this data before sending it to the server? So we need something called a key, a key or a token, to actually encrypt this. To do that you actually added a key, and you use this key for encrypting your data, which is your identification details, let's say, or any data afterwards. But now this key was generated by the user, it's at the user end, and this key has to be sent to the server as well to decrypt the data. So this data over here, it has to be sent from the user to the server, and we are saying encrypt this data with the key. So let's say the user encrypts this and sends the data to the server. The server receives it; now this is in an encrypted format. How would the server know what exactly is there in the data, because it is encrypted? So the server would need a key, and again we have to send this key from the user to the server. Now that the server has the key, the server can actually decrypt the data using the same key. So this type of encryption is called symmetric encryption: in symmetric encryption the same key is used to encrypt and decrypt the data.

But it has a loophole. You see, when you are transferring your data over the internet, let's say first you transferred your identification, which is your data; again this hacker can get hold of this data, right? So he gets a copy of this identification. Now this data has been transferred to the server. Now when you were sending the key, because the server needs a key to decrypt this data, when you were sending the key the hacker again got hold of it, and he would then get a copy of the key. So your server receives the key and your server would be able to decrypt the data with the key provided, but then the hacker also has your data and your key, so he can also do the same, and you have been compromised over here. So that is why symmetric encryption is not considered one of the best practices, especially when we are transferring data over the internet.

What options do we have? Let's have a look at another example. So here's a user, here's a server, I'm just going to drag it down over here. Let's say a user has a key, the same symmetric key. Now let's say you have a user and then you have a server, and you are trying to create a secure connection to this server; you have to, let's say, log into the server, so you want to create an SSH connection to the server. Because passwords are too risky, you know, they can be compromised and others can easily get access to your password, you have decided to create a connection with the help of a key. So for that, what you will do is you will create a public and private key pair. Let's call this a pub key, that's your pub key, and that's going to be your private key. How do you do that? Actually there is a utility, it's called ssh-keygen, so using this utility you generate these two keys. So there is a pub key and a private key. Why are we creating two keys? So that we can use one key for encryption and another key for decryption, because we have seen some disadvantages of using symmetric encryption; that's why we decided to use asymmetric encryption. So in this case, where we are using a separate key for encryption and a separate key for decryption, this type of encryption is called asymmetric encryption. Earlier it was symmetric encryption, now it is asymmetric encryption.

Now you have your public and private key. What you will do: you have to create a connection with the server. Now you have your public and private key generated; what you will do is you will keep your private key with yourself, because this is used for encryption, and the public key is publicly available, so you will send this public key to your server. This public key will be added to... if you have ever set up SSH authentication, there is a file inside the server which is called SSH authorized keys, so you would add this key as an entry to this file. Now the public key is securely placed on the server. Now the private key, as I've said, because this is private, this is something that you would use for encryption, it will be retained with you. So you will send a request to the server like an SSH request, and you will pass the private key along with the SSH request, and it's sort of credentials, and it will be transferred to the server. The server verifies it, and the server decrypts the data with the help of the public key, and it will send the response back. So that's how your SSH connection will be established.

Now let's have a look at how this will work in the case of a connection over the internet. We'll take the same example, but instead of doing the SSH connection we'll create an HTTP connection. Over here the user will be sending an HTTP request to the server, that's your HTTP GET request, let's say, and in return the server will return a public key. So the server will have two keys over here: it'll have a server public key, and let's call it server private key. So we have a server public key and a server private key; let me copy the key icon as well, this is the key, and let's copy one more time. So now this server has two keys, a server pub key and a server private key. And how were those keys generated? So there was a utility, there is a utility, and it's called OpenSSL; we generate certificates and keys from this utility. That's how they have been created on the server itself. So now the private key, because it is private and it has the decryption details, we will be using this key for the decryption; that's why this key will be retained by the server itself. So the server will have the private key, and the public key will be used for the encryption of data; that's why this key will be sent to the user. So now the user has the server's public key.

I'm sure it is making sense till here, but you can repeat the previous one if you are still confused. So I'll just give a quick recap. Over here our server generated a key pair, a public and private key pair, from the OpenSSL utility. The private key has to be retained with the server, and the public key it will send after the GET request; it will send the public key to the user. Now what will the user do with this public key? The user also has a key, and it's called a symmetric key. The server uses an asymmetric key pair, public and private, but the user will have one symmetric key, so let's call it user sym key. So now what the user will do is encrypt this symmetric key with the public key. So the user will use the public key, the server public key, to encrypt the user symmetric key, because, you know, earlier the challenge we were seeing over here when we were sending the private key from the user to the server was that there was a chance of getting that hacked by the hacker. The hacker would get the credentials, would get the private key, and would encrypt or decrypt the data because we were using the same key; or when we were using the public and private key pair, both the keys had to be sent to the server, so again the hacker can get both the keys, public and private key. That's why we are using this technique over here, where we are using a public/private key on the server and one symmetric key on the user.

Now the user will get the public key; the user will use that public key to actually encrypt the symmetric key of the user. So this is encryption. Now let me put that all together; I'm just going to group them together. Okay, so I've grouped them together. Now this part, what does it have? It has the data, it has the encrypted symmetric key, because our main goal was to transfer the symmetric key from the user to the server securely. So now this key will be transferred over here, and then the server will have a private key, and then the server can decrypt the data with this private key, and it will get the symmetric key of the user. So all the communications going forward can be taken care of by this symmetric key.

So let's say if we had that hacker in between: the hacker gets hold of this data, so it has an encrypted symmetric key and it has the public key of the server. What can they do? They would need a private key, the server's private key, to decrypt this data. So the hacker cannot really decrypt this data; the hacker cannot sniff this data, and they can only read the encrypted data, which is of no use to them, as it was encrypted with the public key. So they can just encrypt the data, and they cannot read or decrypt the data, so this data will be of no use to them, and that is why this communication will be secured.

So our communication looks secure now, but there are still ways through which a hacker can intercept this communication and get the required details. Let's say when you were doing a GET request on the server, this could not be the actual user; let's say a hacker created a phishing email or something, like a dummy website which looks exactly like your bank's website, so you actually provided the GET request to the hacker's website instead of your original website, and then the hacker acts as a user on your behalf and sends the GET request to the server. Now when the server sends the public key, it will send it to the hacker, because according to the server your hacker is the user, right? It will intercept that request. Now this hacker got hold of your server's public key, and now it will send the key back to the user as well; that's not an issue, but then the hacker can encrypt the data. Like earlier we had a user's symmetric key, now there could be a similar key with the hacker, let's call it hacker symmetric key. So the hacker can now encrypt the entire data with its own symmetric key, and when it goes to the server, the server will decrypt the data and it will send the response to the hacker; it will be able to set up communication with the hacker, and you will be compromised.

To avoid all this, what happens? Over here the server did not identify the hacker, and the user did not identify the response that it is getting from the server. So let's see another example over here. Now what if there was a way through which we can identify if we are getting the key from the right server? So when we did the GET request to the server over here, the server responds back with the public key, see over here. The server responds back with the public key, but we are not sure whether this is the public key of the server or the hacker is acting as a proxy for the server. So what if there was a way to validate whether this is actually from the server or not? That's why, instead of the public and private key, we are using certificates. So now instead of this, this will be a certificate. When the user receives the certificate they can validate it; users' browsers can validate whether this certificate was issued to the domain itself or not.

For example, this is my web browser; if you go over here, my web browser did the check on behalf of me, and if you go to this icon over here it says connection is secure, and when you click on that it will say connection is secure and certificate is valid, and you can open it to see the certificate details. You can get the common name, that the certificate was issued to this domain for this organization, and here is the certificate public key as well, here are the certificate fingerprints, issued on, expires on, and so many other details. So now we know that this certificate is valid, there is no hacker in between, and now we can use the certificate to encrypt our symmetric key and send it over to the server. Now the connection will be secure, and now this connection will be using the HTTPS protocol; this will be a secured Hypertext Transfer Protocol connection. So that is why this connection is called SSL/TLS and it is over HTTPS.

Now how would the server actually do that? Again, the server creates a certificate signing request, so I'm just going to add it over here: it creates a CSR, it creates a certificate signing request, and this request then has to be issued and signed by a certificate authority. So there is a certificate authority, it's called CA, and there are many certificate authorities; we have CCH, we have DigiCert, we have a few others. For now let's just take the example of these two. The server will send a certificate signing request; here is our certificate signing request generated by the server, and this request is then sent to the certificate authority. Then what the CA actually does is validate your request; I'm going to add it over here: it validates your request, it validates your domain, it checks the authentication, and it will make sure that you own the domain, you are the owner of that domain. Once it validates it, it actually signs the request; the certificate has been signed, and then it will send the certificate to the server. So it'll again have a public and private key; let's just call it public certificate, and there'll be a private certificate. This private certificate will be retained by the server, and this public certificate will be added to the user's browser. So this public certificate will be added to the browser; every browser will have the public certificate, and that's how it is doing the validation that the certificate is valid, because you have the public certificate, and then it will accept that request from the server itself and then provide the response back. So that's your public certificate on the browser, and that's your private.

But this is for the public domains, the public domains that are available over the internet. There are some domains that are within your intranet; let's say if you work for a company, you have some internal websites, a website that is only accessible by your employees within the organization. For that you actually don't use the public CA; you use something called a custom CA, or custom certificate signing authority, or custom certificate authority, that is hosted within your organization and that is responsible for issuing and signing your certificates.

So that's how TLS/SSL works. In the next video... I mean, this is quite a confusing topic, so I've tried my best to explain it, but try to go through the video again, try to take some notes, try to build some diagrams by yourself, and then you will understand how it actually works. The main part over here is how we actually sent the... let me show you that diagram. The main part is this: how we actually send the user symmetric key to the server. If you understand that part then it will be easier. So our main goal is to send this symmetric key from the user to the server securely, and we can do that by encrypting this with the server's public key, and only the server private key will be able to decrypt it, so even if there was a hacker in between he cannot do anything with that. So the main part is this; if you understand this you would understand how TLS/SSL works. After that, just replace the public and private key with the certificates, and there is a certificate authority in between who is responsible for taking care of your certificate signing and making sure that your domain is valid, your certificate is valid and you are actually who you say you are; it does that authentication for you.

So yeah, that's about this video. I'm sure this video was helpful. In the next video we'll be looking into certificates specifically in Kubernetes: how it works, how we create the certificate signing request, and we'll go from there. I hope this video was valuable; if you find it so, please try to complete the comments and like target so that I can publish the next video in the next 24 hours or as soon as the target is completed. Feel free to share this with your friends and colleagues who can take advantage of this learning opportunity. There is no exercise for this video in the GitHub repo, because there is actually nothing to do hands-on; this is specifically to make you understand how it actually works. If you understood this, well and good; you can try to create some diagrams, some blogs around it, and share your progress with me over LinkedIn or Twitter, and I would gladly provide my feedback on that. So the idea is, these concepts are available everywhere, so you can learn from everywhere; the idea is whether you were able to understand that in simple language or not, and if you were, then try to explain that in a blog, in a GitHub repo, with the help of diagrams and so on. So yeah, that's it. I will see you soon. Thank you so much, and I hope you have a good day.