From the course: CompTIA Security+ (SY0-601) Cert Prep: 8 Network Security Design and Implementation

TLS and SSL

- [Instructor] Digital certificates allow for the secure exchange of public encryption keys over otherwise untrusted networks. Transport encryption technology, such as Transport Layer Security or TLS, uses those digital certificates to facilitate secure communication over public networks. Let's explore TLS by describing the process that two systems follow when they want to set up an encrypted session that's protected by TLS.

First, the client sends a request to the server, asking that the server initiate a secure session. This request includes a list of cipher suites supported by the client. Now, it's important to understand that TLS is only a protocol that uses other cryptographic algorithms. TLS is not a cryptographic algorithm itself; therefore, you can't encrypt something with TLS. You can use TLS to apply other encryption algorithms. The listing of cipher suites sent by the client to the server is a laundry list of the encryption algorithms, hash functions and other cryptographic details that the client understands. Those cipher suites are only as strong as the algorithms they include. Therefore, it's possible to use TLS in an insecure manner by choosing a weak or insecure cipher suite.

Once the server receives a request from the client, it analyzes the list of cipher suites the client proposes and compares it to the list of algorithms supported by the server. It then sends a message back to the client with two pieces of information. First, the server tells the client which of the cipher suites it would like to use for the communication. And second, the server sends the client the server's digital certificate, which contains the server's public encryption key.

When the client receives the server's digital certificate, it checks which certificate authority issued that certificate and uses the CA's public key to verify the digital signature on the certificate.
It also verifies that the server name on the certificate matches the DNS name of the server and that the certificate has not expired or been revoked. If all of those things check out, the client knows that it has the correct public key for the server.

And once the client is satisfied about the server's identity, the client creates a random encryption key called the session key. This is a symmetric encryption key that will be used for this one communication session between the client and the server. The client then uses the server's public key to encrypt the session key and sends that encrypted key to the server. When the server receives the encrypted key, it uses its own private key to decrypt that session key. The two systems may then communicate for as long as they like using the session key. Once they close the connection, the session key is destroyed and the TLS handshake starts over the next time the two systems wish to communicate. Now, one important exam tip: session keys are also known as ephemeral keys. If you see the term ephemeral key on the exam, they're just talking about session keys.

You may also hear about an encryption technology known as the Secure Sockets Layer, or SSL. SSL was the predecessor to TLS and it works in a very similar way. However, there are known security flaws in SSL, so it should no longer be used. Unfortunately, many people use SSL as a generic term when they're really talking about TLS. This can be very confusing, so be careful to dig deeper whenever you hear the term SSL being used.

Now, this naming confusion is compounded by the fact that the most popular implementation of TLS is an open-source package called OpenSSL. OpenSSL is available for almost every operating system and it's embedded in a wide variety of devices and software packages.
If you'd like to experiment with OpenSSL, you can download a copy from the OpenSSL project's website. Just like most other third-party software packages, OpenSSL has its own history of vulnerabilities. In 2014, security researchers discovered the Heartbleed vulnerability. This vulnerability allowed attackers to retrieve information from vulnerable servers that had been sent by other users over encrypted TLS connections. Fortunately, there are patches available for OpenSSL. So if you're using a current version, you won't suffer from the Heartbleed vulnerability.

From a network security perspective, the use of encrypted communications can cause issues. Specifically, network security tools can lose insight into the nature of activity that's occurring on the network. When clients use end-to-end encryption, that prevents security tools from examining the network traffic. SSL inspection technology solves this issue by effectively performing a man-in-the-middle attack against an organization's own users, injecting itself into the connection and allowing security tools to examine the contents of network traffic.
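
The cipher-suite selection and certificate checks described in the transcript above, sketched in Python as an added example that is not part of the course material. The function names, the deny-list of weak markers and the sample suite lists are assumptions constructed for illustration; only the `ssl` calls are standard library.

```python
import ssl

# Constructed deny-list: substrings that mark a suite name as weak.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")

def is_weak(suite: str) -> bool:
    """True if the suite name contains a known-weak algorithm marker."""
    upper = suite.upper()
    return any(marker in upper for marker in WEAK_MARKERS)

def negotiate(client_offer, server_preference):
    """Server side of the hello exchange: pick the first suite in the
    server's preference order that the client offered and is not weak.
    Returns None when no acceptable suite is shared (handshake fails)."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered and not is_weak(suite):
            return suite
    return None

def hardened_client_context() -> ssl.SSLContext:
    """Client context that enforces the certificate checks from the lesson."""
    ctx = ssl.create_default_context()   # system CAs; verifies chain and expiry
    ctx.check_hostname = True             # certificate name must match DNS name
    ctx.verify_mode = ssl.CERT_REQUIRED   # abort if validation fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS
    return ctx

def audit_enabled_suites(ctx: ssl.SSLContext):
    """Names of weak suites this context would still offer to a server."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak(c["name"])]

if __name__ == "__main__":
    # Constructed sample lists using OpenSSL-style suite names.
    client = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5", "DES-CBC3-SHA"]
    server = ["DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]
    print("selected:", negotiate(client, server))
    print("legacy-only client:", negotiate(["RC4-MD5", "DES-CBC3-SHA"], server))
    print("weak suites enabled locally:", audit_enabled_suites(hardened_client_context()))
```

A `None` result from `negotiate` corresponds to refusing the session rather than falling back to a weak suite.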
