encryption is also used to encrypt keys that are being sent between the client and the
server.
I am using the words
client
and
server
a lot through the course of
this
discussion, and it’s useful for you to understand what these
words mean. In any conversation over a network, there is always a
client and a server. This does not mean
that the server is an actual
server sitting in a data center. What it means is that there is a ser‐
vice that is being consumed. The client is always the side originat‐
ing the conversation, and the server is always the one responding.
That makes it easy to “see” the two parties—who originated and
who responded to the origination.
The next part is the symmetric encryption algorithm. This suggests that the
Advanced Encryption Standard (AES) is being offered with a key size of 256 bits. It’s
worth noting here that AES is not an algorithm itself but a standard.
The algorithm
has its own name. For decades, the standard in use was the Data Encryption Stan‐
dard, based on the Lucifer cipher developed at IBM by Horst Feistel and his collea‐
gues. In the 1990s it was determined that DES was a bit long in the tooth and would
soon be breakable. A search for a new algorithm was undertaken,
resulting in the
algorithm Rijndael being selected as the foundation for the Advanced Encryption
Standard. Initially, AES used a key size of 128 bits. It’s only been relatively recently
that the key strength is commonly increased to 256.
AES is the algorithm used for encrypting the session. This means a 256-bit
key is
used for the session key. It is the key that was derived and shared at the beginning of
the session. If the session were to last long enough, the session key may be regener‐
ated to protect against key derivation attacks. As noted before,
the key is used by both
sides of the conversation for encryption and decryption.
Finally, you’ll notice the algorithm SHA256. This is the Secure Hash Algorithm using
a 256-bit length. SHA is a cryptographic algorithm that is used to verify that no data
has changed. You may be familiar with the Message Digest 5 (MD5) algorithm that
does the same thing. The difference is the length of the output. With MD5,
the length
of the output is always 32 characters, which is 128 bits (only 4 bits out of every byte
are used). This has been generally replaced with SHA1 or higher. SHA1 generates 40
characters, or 160 bits (again, only 4 bits out of every byte are used). In our case, we
are using SHA256, which generates 64 characters. No
matter the length of the data,
the output length is always the same. This value is sent from one side to the other as a
way of determining whether the data has changed. If even a single bit is different, the
value of the hash—the word used for the output of the SHA or MD5 algorithm—will
be different.