Cryptology has been part of human history for almost 4000 years. The adventure that began with the ancient Egyptians is still alive, and it is perhaps the most important topic in today's technology world, where data disclosures and security breaches occur frequently. Despite its long history, cryptology is still seen as forbidding, and the antipathy towards it unfortunately persists. Although cryptology rests on long-established methodologies and methods, it is not an easy subject to understand, and perhaps the underlying reason for this negative perception is that it is a complex and intricate field.
Cryptology is basically divided into two parts: cryptography, the encryption of information, and cryptanalysis, the decryption of encrypted information. The purpose of cryptology is to encrypt information and deliver it securely to the relevant people, who are the only ones able to decipher it. Throughout its thousands of years of history, cryptology has always pursued this purpose. Over time, however, the methods and tools have changed as the systems that carry this information have changed. In the ancient history of cryptology, this information was pictures drawn on pyramids; today it is e-mail messages, passwords, sensitive data or server-client communication. Therefore, today's encryption methods work on computer systems, and the current equivalent of cryptology is digital encryption.
In digital encryption, data is encrypted with a key and made unreadable; thus the confidentiality of the data is ensured. Encrypted data can only be made readable again with the matching key. Digital encryption methods are divided into two kinds: symmetric and asymmetric.
In symmetric encryption, the same key is used for encryption and decryption. In asymmetric encryption, different keys are used to encrypt and decrypt data; these are called the public key and the private key. Data encrypted with the public key can only be decrypted with the private key. The public key can therefore be known by anyone without posing a security problem, because the private key cannot be derived from the public key.
The main symmetric encryption algorithms include AES, DES and RC4, while the asymmetric algorithms include RSA, ECC and Diffie-Hellman. Among hash algorithms, MD5 and SHA stand out. Hash algorithms produce a fixed-length digest from the data, and the original data cannot be recovered from that value. Hash (digest) algorithms are mostly used to check the integrity of files and to store passwords.
When asymmetric and symmetric encryption algorithms are compared, each has advantages and disadvantages. Symmetric algorithms perform better, for example, but one of their biggest problems is protecting the key and transmitting it between the encrypting and decrypting parties; transmitting the key between parties can pose a serious security problem. For this reason, asymmetric encryption is used especially in server-client technologies, that is, in network-based data transmission.
Now let's come to SSL/TLS. SSL is a protocol that allows two parties in a server-client architecture to communicate over an encrypted channel. SSL evolved into the TLS protocol because of the security vulnerabilities that emerged over time; today TLS 1.3 is the most current version. SSL/TLS uses both asymmetric and symmetric encryption algorithms. Symmetric algorithms are used to encrypt the data, and here the encryption is done with the session key. Asymmetric algorithms are used to transmit the session key. In order to initiate encryption in the server-client architecture, a process called the SSL handshake is performed first. The SSL handshake process is visualized in detail below.
Clients and servers communicate securely using SSL/TLS protocols.
But we have a problem!
Is the server really the server the client wants to access?
As if all this whirlwind wasn't enough, a new concept emerges: the digital certificate.
A digital certificate is a file created according to the ITU X.509 standard that contains identity information along with a public key. The critical part is that this file contains the identity information of the institution or organization to which the key belongs. In other words, while the client obtains the public key from the digital certificate, it also verifies, thanks to that same certificate, the identity of the server system it wants to access.
In server-client architectures, for example a web application and a browser, digital certificates are used for encrypted communication. Encrypted communication between servers and clients is secured according to the principle of non-repudiation. Thus, digital certificates fulfil the functions of authentication and data encryption.
Digital certificates have a unique pair of private and public keys. When these certificates are installed on server systems, the private key is held only by the server system, while the public key is distributed to the clients.
But we have a problem!
How reliable is the digital certificate and the credentials it contains?
The security of a digital certificate is guaranteed by the authority that issued it. Global certificate providers such as GlobalSign, DigiCert, Comodo and VeriSign are accepted worldwide and recognized as trusted by many browsers, operating systems and applications. Therefore, certificates issued by these authorities are generally trusted.
In addition, there are also authorities belonging to individual institutions. It is possible to produce different types of certificates signed by these authorities. However, since such an authority belongs only to that institution, it is not trusted by anyone else. For this reason, they are known as internal authorities, and the certificates they produce are usually for internal use. Since the authority is within the institution, it can produce certificates of whatever type and validity period it wants.
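The two questions the text raises, whether the certificate comes from an authority the client trusts and whether it names the server the client actually wanted, as an added Go example that is not part of the original post: it builds a constructed internal root CA and a server certificate with the standard library's crypto/x509, and Verify performs the client-side check. The CA name, serial numbers and host name are constructed values, and the function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair for template and has signer certify it; a nil signer means self-signed.
func issue(template, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil { // root authority: the certificate is signed with its own key
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildInternalPKI models an institution's own authority: a self-signed root CA and a server certificate it has signed.
func BuildInternalPKI(dnsName string) (ca, server *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Internal Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, // the identity a client matches against the host it asked for
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	server, _, err = issue(srvTmpl, ca, caKey)
	return ca, server, err
}

// Verify is the client-side check the text asks for: does the certificate chain to a root in the
// client's trust store, and does it name the host the client actually meant to reach?
func Verify(server *x509.Certificate, trustStore *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: host})
	return err
}
```

A client whose trust store does not contain the internal root, or that asked for a different host name, gets an error from Verify; only a client that has installed the internal CA and reached the named host passes.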
Digital certificates are of great importance in the protection and secure transmission of data. Whether it is the traffic between servers and clients (data in transit) or the servers and systems themselves (data at rest), encrypting data and its transmission is now a must for security. Encryption and digital certificates are critical defences against many security attacks (MITM, spoofing, etc.). It is also very important for digital certificates to follow a certain standard for the security of the encryption.
Although it is easy to get lost among the trees when it comes to encryption, encryption and digital certificates are a stronghold for the security of our systems and data.