A deep dive into security certification for your website

Secure-hash-Algorithm
A deep dive into security certification for your website
Behlul M
August 14, 2017
A deep dive into security certification for your website

Every time a customer visits your website, their browser requests the web server for web pages. When this request takes place, there is a good chance that the information exchanged between the browser and the server can be extracted by a third party by eavesdropping. Sensitive information like passwords while logging in can be captured with a simple hack.

In order to avoid this and safeguard information transmitted through your website, you need to go to a Certificate Authority (CA) and purchase a Certificate Signing Request (CSR) to issue a certificate proving your ownership of the public key which is used for encryption. This certificate contains the key, identity of the owner (subject) and a digital signature of the issuer.

If the web browser recognizes the certificate as one from a trusted CA, then it intimates the user that he/she can trust the web site owner.

Secure Sockets Layer (SSL) Certificates

SSL is the security standard used for establishing a secure connection between a web browser and a web server. This contains a set of protocols that ensures the proper working of the link and data encryption algorithm. For this protocol to make certain that the communication is secure, an SSL certificate must be used.

Once you have this certificate, install it on your server. You must also install an intermediate certificate by linking your certificate to the root certificate of the CA.

The SSL certificate contains a pair of keys: a public key and a private key. The secure connection is established using an SSL Handshake, where the browser first requests the server to prove its identity. Now the server sends its copy of the SSL certificate to the browser. If the browser identifies the certificate as a trusted one, it creates a new symmetric session key, encrypts it using the server’s public key available from the certificate, and sends it to the server. The server decrypts the session key using its private key. Now the browser and server can communicate using the session key.

The user can identify a SSL secured website from the lock icon or the green address bar. The name of the website starts with https rather than http.

Secure Hash Algorithm (SHA)

The SSL protocols use SHA as a hash function to create a hash value corresponding to a file. It isn’t feasible to find out the text from the hash value. No two files should produce the same hash value during encryption. This hash functions are used to ensure data integrity. SHA is specified using the Secure Hash Standard (SHS).

The SHA must be updated as the computational capabilities of our systems improve. Hence SHA comes in several versions. SHA-0 was the initial version and was declared obsolete because of some significant flaw in the algorithm which cannot be disclosed.

SHA-1

Like SHA-0, SHA-1 is also a 160 bit message digest which uses checksum to ensure data integrity. A checksum is computed before a message is transmitted and is attached to the message. When it is received, the checksum is computed again and is matched against the attached checksum.

For example, when you set a password for some account, its checksum is stored in the server. When you login later using the same password, again the checksum is calculated and is compared with the stored one.

Why deprecate SHA-1?

The SHA-1 has several potential dangers associated with it that most of the browsers have deprecated its usage. The reasons are:

Collision Attacks:

The SHA algorithm creates a unique hash for every message. But as we need a huge number of hashes, there is a probability that two or more data can map to the same hash value. So any attacker can mimic a trusted certificate with the same hash value as the original and use the certificate to spread malicious content over the web.

Pre-image attack:

In this attack method, an attacker can extract the original message from the hash value.

Second Pre-image attack:

Using this method, an attacker can find a second message that has the same hash value as the original message.

SHA-2

SHA-2 is the successor of SHA-1 for signing digital certificates. It prevents any kind of collision attack, it produces longer hash values and is said to be ‘strong’. There are four kinds of hash functions under SHA-2: SHA-224, SHA-256, SHA-384 and SHA-512, based on the digests.

The only problem in shifting from SHA1 to SHA2 is that the devices we use must understand the algorithm. Otherwise error messages like ‘UNTRUSTED CERTIFICATE’ will be displayed. So a lot of testing must be done and the device software must be updated accordingly.

Tags: , ,

Leave a Comment