Wednesday, 29 February 2012

SSL communication - In Brief

Another Guest post, From Mr. Praveen Singh (Also from Qseap Tech). This one too on IT Security. :)


SSL communication:-

SSL stands for secure socket layer. HTTP is the protocol used for communication between a client and server at the Application layer. The Hyper Text Transfer Protocol (HTTP) is the client-server network protocol that has been in use by the World-Wide Web since 1990. Whenever you surf the web, your browser will be sending HTTP request messages for HTML pages, images, scripts and styles sheets. Web servers handle these requests by returning response messages that contain the requested resource. But now a days HTTPS is used for secure communication where S stand for SSL. A SSL communication goes through following steps:
  1. Client send a request to the server to start the communication
  2. Server sends back its digital certificate back to the client.
  3. Client checks for:
Ø     Domain name
Ø     Expiry date
Ø     Digital signature from a trusted third party or self signed
`           of the certificate.
  1. If every thing is correct, the client generates a random session key (say S1). Client encrypts S1 by public key of the server and sends it to the server.
  2. Server decrypts the received data by its private key and obtains S1.
  3. once both the party have shared S1, all the request and responses are encrypted by S1 and exchanged, which can be decrypted at either side by S1.

This is how the SSL works along with HTTP. It is shown in the following diagram:



Figure.1

Role of Local proxy in SSL communication:-

A local proxy can be set on either the host machine or inside a LAN. This proxy acts as a mediator between the client and server. Once a local proxy is set, all the request and response goes from this proxy to the server and vice-versa. These requests and responses can be seen in plain text inside the proxy.
That was just a general explanation about local proxy, but the point to be considered is that, if we are using HTTPS (http + SSL), all the request and response should go encrypted over the network. But still we can see the request and responses in plain text inside the local proxy. Now this can be explained with a simple diagram.



Figure.2
           
Here a proxy is set between client and server. Now this proxy acts as a server (proxy server) for our client and for main server it acts as a client (proxy client). Hence when we use a proxy, there are two SSL pipes used:
  1. From client to proxy
  2. From proxy to Server
When the client sends a request to the server, it first reaches to the proxy. The proxy sends its own digital certificate to the client. Client generates a session key (say S2). S2 is shared by the client and proxy through public key cryptography. Then client encrypts the request with S2 and sends to the proxy. Proxy decrypts this request again by using S2 (this is how we get plain text request in the proxy).
Likewise, now proxy acts as a client and sends the captured request to main Server. Again, a new session key (say S3) is generated, which is shared among proxy and the Server. The SSL communication between proxy and server is done using S3. Hence the response from the server can be seen in plain text inside the proxy.
 --------------------------------------------------------------------------------------------------------------------------------
 About the Company:  Qseap Technology is a security company based in Navi Mumbai. It offers a wide variety of audits and security testing/consultancy services. For more please visit www.qseap.com

Sunday, 26 February 2012

The Art of lying

Everybody lies. Excluding me. (!).


I have nothing against lies, as long it does not seriously hurt anyone. And honestly, I observed two  things

- I have never met an person who never lies.
- Sometime lies help. (Good lies). (remember if you .....)



My intention is here not to say lies are good or bad. I just want to share my observation about how to tell lie, a good lie. Here it goes-

First you have to believe it for the moment. "Believe the lie", If i have to tell you I am Bill Clinton. Then I better tell you with confidence, with proper delivery, without hesitation, without extra effort. And the best way to achieve it, (if you are not a serial lier) , is to believe it for the moment. Once you believed the lie for yourself it will come out as a you are speaking a truth. Now you are going to surprise yourself.

What is the problem with this first lie. Everyone knows that i cannot be Bill Clinton. There is huge chance that i am lying. So secondly you have to mix facts with your lies. Emphasizing more on something you have extensive knowledge but completely unrelated. so lets tell "my name is Varun Goyal. I am a software analyst.". I will say it believing it and only a few persons will not believe it.

But the problem remains, I cannot start with a lie. So, thirdly, one have to wait for the right moment. A little patience will help you deliver it much consolingly. Its like i cannot keep on saying the lie every now and then. I will get my chance to deliver it with "laser precision". but you got to wait for it.

Fourthly, Above all will fail if you do not get innovative. you have to be flexible according to the situation.

I hope it will help you lying next time.