How are your connections with web secure and integral?

ujjwall-r

Ujjwal Raj

Posted on October 13, 2024

How are your connections with web secure and integral?

Ever wondered why, when you use your Instagram profile, you trust that your connection with Instagram is secure and not exposed to hackers or tampering? After all, you are sending streams of data bytes that could potentially be intercepted by a middleman. Did you connect to the real Instagram server or a clone pretending to be it? These concerns are addressed by TLS, or Transport Layer Security, which is a layer on top of TCP.

How is encryption maintained?

When you connect to Instagram, the initial communication between your device and the Instagram server uses asymmetric encryption to securely establish a connection. In this process, the server provides a public key, which your device uses to encrypt a shared secret key (a symmetric key) that is then sent back to the server. The server decrypts this using its private key. Once the shared key is securely exchanged, symmetric encryption takes over, allowing both your device and the server to use the same key to encrypt and decrypt all further data. This combination ensures both security and efficiency during your session.

Symmetric encryption is very fast and inexpensive, while asymmetric encryption is heavy and costly. Advances in cryptography have facilitated the use of TLS. Therefore, it is important to ensure that every connection is TLS-secured.

How does TLS maintain authentication between distributed systems?

In the context of Instagram, TLS ensures secure communication between your device (the client) and Instagram's servers by using Certificate Authorities (CAs) to authenticate the server. Here’s how it works:

When you connect to Instagram, your device initiates a TLS connection and requests the server's digital certificate. Instagram's server presents a certificate issued by a trusted CA, which contains its public key and verifies its identity. Your device checks the certificate against a list of trusted CAs (pre-installed in the system) to ensure that it is valid, properly signed by the CA, and that the domain name (Instagram) matches the certificate’s information. If everything checks out, your device accepts the server’s identity as legitimate.

This authentication ensures that your device is communicating with the real Instagram server, not an imposter. The public key from the certificate is then used to establish a shared secret for secure symmetric encryption, which protects all subsequent data exchanged between your device and Instagram during the session. Through this process, TLS guarantees both the server's authenticity and secure communication.

HMAC ensures data integrity

In Instagram's secure communication using TLS, HMAC (Hash-based Message Authentication Code) ensures the integrity and authenticity of messages exchanged between your device (the client) and Instagram's servers. After the TLS connection is established, every message sent is accompanied by an HMAC, which is generated by hashing the message along with a secret key shared between the client and the server. When Instagram receives a message, it generates its own HMAC using the same key and compares it with the one sent by your device. If they match, it confirms that the message hasn't been tampered with and is from a trusted source. If not, the message is rejected. This process protects against data tampering, ensuring the integrity of all communication during the session.

This is a typical handshake of a secure connection.

TLS handshake

  • The server and client agree on a cipher suite that contains rules such as key exchange algorithms, HMAC algorithms, etc.
  • A key exchange algorithm is used, and a shared secret is created.
  • Symmetric encryption then takes over for data exchange.
  • Before that, the systems verify each other to ensure they are valid.

You can see that there are round trips happening before the connection is established. These steps can be swapped, and several optimisations are done. For instance, in TLS 1.3, only one round trip happens, whereas in TLS 1.2, two round trips occur. While round trips cannot be avoided, this gives a reason to geographically deploy servers nearby.

Conclusion

In this blog, we explored how TLS ensures secure communication and data integrity between distributed systems like Instagram and its users. Understanding how encryption, authentication, and integrity are maintained in such systems is crucial for anyone delving into modern network security.

In the next blog, I’ll dive into another interesting topic related to distributed systems. Stay tuned!

Here are links to my previous posts on distributed systems:

Feel free to check them out and share your thoughts!

💖 💪 🙅 🚩
ujjwall-r
Ujjwal Raj

Posted on October 13, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related