Cryptography and
Network Security
Module 3 part 2
Module 3 Part 2:
SSL/TLS and Data Protection
Transport-Level Security Objectives
• Present an overview of Internet traffic security approaches.
• Introduce Secure Sockets Layer (SSL) and Transport Layer Security
(TLS).
• Understand the cipher suites in Secure Sockets Layer and Transport
Layer Security.
• Present an overview of HTTPS (HTTP over SSL).
Internet Traffic Security
Approaches
More options?
SSL / TLS timeline
• 1995: SSL v2 was the first public release of SSL by Netscape.
• 1996: SSL v3 was a new version that fixed several security design flaws of SSL v2. By
2004, v3 was considered insecure.
Note: Both SSL 2.0 and 3.0 have been deprecated by the Internet Engineering Task Force (IETF), in
2011 and 2015, respectively.
• 1999: TLS v1.0 was released with an SSL fallback mechanism for backwards-
compatibility.
• 2006: TLS v1.1
• 2008: TLSv1.2. Changes included adding cipher-suite-specified pseudorandom functions
(PRFs), adding AES cipher suites, removing IDEA and DES cipher suites, and several other
enhancements.
• 2018: TLS v1.3. The current version of TLS was released in August 2018 (RFC 8446). All
modern browsers support TLS v1.3.
Versions
• SSL version one was never released, version two did but had some
major flaws, SSL version 3 was a rewrite of version two (to fix these
flaws – with limited success) and TLS version 1 an improvement of SSL
version 3.
• Between TLS 1.0 and 1.1, the changes were minor. TLS 1.2 brought
some significant changes and TLS 1.3 has refined and streamlined the
whole process.
SSL (Secure sockets layer)
The main motive behind designing the SSL protocol is to provide privacy
between two communicating applications, such as a client and a server.
Moreover, the protocol is designed to authenticate the server and the
client; SSL requires a reliable transport protocol such as TCP for data
transmission and reception.
Transport layer security (TLS)
TLS is a protocol to establish a secure connection between a client and
a server and ensure privacy and integrity of information during
transmission. It is a cryptographic protocol intended to provide
information security over the Internet.
The TLS encrypts the network connection segments at the application
layer for the transport layer . It uses asymmetric cryptography for key
exchange, symmetric encryption for confidentiality, and message
authentication codes for message integrity.
Organizations can achieve confidentiality, integrity, replay prevention
and authentication when TLS is implemented correctly.
How HTTPS Works
Image from Bytebytego
Cipher Suites
• To secure data transferred over the Internet, TLS/SSL uses one or
more cipher suites.
• A cipher suite is a combination of authentication, encryption, and
message authentication code algorithms.
• They are used during the negotiation of security settings for a TLS/SSL
connection as well as for the transfer of data.
• As part of the SSL/TLS handshake, the server and client agree on the
cipher suite to be used for encrypted communication.
Updates
TLS version 1.2 used ciphers with cryptographic weaknesses that had
security vulnerabilities. The following insecure features were removed
from TLS 1.3:
• SHA-1
• RC4
• DES
• 3DES
• AES-CBC
• MD5
TLS 1.2 VS TLS 1.3
Comparison of TLS handshakes. Image courtesy of A10 Networks
TLS1.2 and TLS1.3
• The National Institute of Standards and Technology (NIST) requires
that TLS 1.2 configured with Federal Information Processing Standards
(FIPS)-based cipher suites be supported by all government TLS servers
and clients and requires support for TLS 1.3 by January 1, 2024.
Architecture
TLS is designed to make use of TCP to provide a reliable end-to-end secure service. TLS is not
a single protocol but rather two layers of protocols.
TLS Handshake Protocol allows the client and server to authenticate each other, select
encryption algorithm, and exchange symmetric key prior to data exchange.
TLS Record Protocol provides basic security services to various higher-layer protocols.
TLS Record Protocol
The TLS Record Protocol provides two services for TLS connections:
• Confidentiality: The Handshake Protocol defines a shared secret key
that is used for conventional encryption of TLS payloads.
• Message Integrity: The Handshake Protocol also defines a shared
secret key that is used to form a message authentication code (MAC).
Handshake
Protocol
Recap: Handshake and Record Protocol
TLS Handshake Protocol
It allows the client and server to authenticate each
other, select encryption algorithm, and exchange
symmetric key prior to data exchange.
TLS Record Protocol
It provides secured connections with an encryption
method.
Types of TLS/SSL Certificates
The types of SSL certificate options are based on their unique use cases
and value propositions.
The level of authentication assured by the Certificate Authority (CA) is a
significant differentiator between the types.
There are three recognized categories of TLS/SSL certificate
authentication types:
• Domain Validation (DV)
• Organization Validation (OV)
• Extended Validation (EV)
Domain Validation (DV)
Certificate
Domain Validation is the least-stringent level of validation. To obtain
one of these SSL certificates, an organization only has to prove they
control the domain. They can do this by altering the DNS record
associated with the domain, or sometimes just by sending the CA an
email. Often the process is automated.
This level of validation is the cheapest. It's a good option for blogs,
portfolio sites, or for small businesses that are just looking to quickly
launch HTTPS, especially if a business doesn't sell products via its
website (e.g. a restaurant or coffee shop).
Organization Validation (OV)
Certificate
Organization Validation involves a manual vetting process:
The CA will contact the organization requesting the SSL certificate, and
they may do some further investigating.
Organization Validation SSL certificates will contain the organization's
name and address, making them more trustworthy for users than
Domain Validation certificates.
Extended Validation (EV)
Certificate
Extended Validation involves a full background check of the organization. The CA will
make sure that the organization exists and is legally registered as a business, that they
actually are present at the address they list, and so on.
This validation level takes the longest and costs the most, but Extended Validation SSL
certificates are more trustworthy than other types of SSL certificates.
Consequently, these certificates are necessary for a website's address to turn the browser
URL bar green, the visual representation for users of a trustworthy TLS-encrypted site.
Large enterprises, financial institutions, and eCommerce stores should obtain Extended
Validation certificates. This is especially crucial if a site or application handles sensitive
customer data, such as passwords, credit card numbers, or names and addresses.
Variations of TLS/SSL
Certificates
• Single Domain SSL Certificate
Single Domain SSL (Secure Socket Layer) Certificate will protect one
domain name only.
For example, if you buy an SSL Certificate with the hostname in the
common name field as www.my-domain-name.com site, and it will not
protect the mail.my-domain-name.com or any other subdomains. This
rule applies to all types of SSL validation.
Single Domain SSL Certs are available in Domain Validated,
Organization Validated, and Extended Validation SSL Certificates types.
Variations of TLS/SSL
Certificates
• Multi-Domain (MD) or Subject Alternative Names (SAN) SSL
Certificates
Also commonly referred to as SAN certificates, multi-domain SSL allow a
single certificate to secure multiple domains, including sub-domains of a
single main domain name or entirely different domain names. One of
these can secure up to 250 unique domains with a single solution.
They provide a convenient option for organizations that own a lot of
domains and are looking for a simplified way to secure them through a
single solution rather than purchasing an individual certificate for each.
Multi-domain SSL certificates are available in DV, OV, and EV validation
options.
Variations of TLS/SSL
Certificates
• Wildcard SSL Certificates
The Wildcard option is used to secure the main domain and an
unlimited number of sub-domains under the main domain.
For example, www.yourwebsite.com, login.yourwebsite.com,
mail.yourwebsite.com, etc. Wildcard certificates offer full encryption
for the subdomains, making them an affordable and effective solution
for most websites. They are available in DV and OV validation options.
SSL / TLS Pros/Cons
Cons: SSL/TLS “Handshake”
Pros: SSL/TLS Security
• TLS will add latency
• Prevent intruders from
tampering • The handshake is
resource-intensive
• Prevent intruders from
passively listening • TLS will add complexity to
your server management
HTTPS
HTTPS (HTTP over SSL)
combination of HTTP & SSL/TLS to secure communications
between browser & server
• documented in RFC2818
• no fundamental change using either SSL or TLS
use https:// URL rather than http://
and port 443 rather than 80
encrypts
URL, document contents, form data, cookies, HTTP
headers
HTTPS Use
• connection initiation
• TLS handshake then HTTP request(s)
• connection closure
• have “Connection: close” in HTTP record
• TLS level exchange close_notify alerts
• can then close TCP connection
• must handle TCP close before alert exchange sent or completed
QUIC(Quick UDP Internet
Connections)
Disk Encryption
What is disk encryption?
Disk encryption is the process of securing data by transferring it into
unreadable code that cannot be deciphered by unauthorized persons.
You can use disk encryption software or hardware to encrypt every bit
of information that is written on the disk.
Disk encryption works similar to text message encryption . With the use
of an encryption program for the user's disk, the user can safeguard
any, and all, information burned onto the disk and save it from falling
into wrong hands.
Disk encryption - Options
• OS Dependent
-Might come with OS
-BitLocker in certain Windows
-Mac OS X include FileVault disk encryption
-Ubuntu use LUKS (Linux Unified Key Setup)
-Trusted Platform Module (TPM)
• Installation dependent
-You might only have the options to encrypt at installation of the OS
• Independent third party
TOOL: Bitlocker
Windows BitLocker Drive Encryption is a new security feature that
provides better data protection for your computer, by encrypting all data
stored on the Windows operating system volume. (In this version of
Windows, a volume consists of one or more partitions on one or more
hard disks. BitLocker works with simple volumes, where one volume is
one partition. A volume usually has a drive letter assigned, such as "C.")
Enabling BitLocker
BitLocker Management Tool
BitLocker Authentication Options
Enabling BitLocker To Go
Tool: Veracrypt
• VeraCrypt is a free open-source disk encryption software for
Windows, Mac OSX and Linux.
• https://www.veracrypt.fr/en/Downloads.html
Tool: Veracrypt: Encription process…
Tool: Veracrypt
Tool: Veracrypt
Tool: Veracrypt
Tool: Veracrypt
Tool: Veracrypt
Tool: Veracrypt
Tool: Veracrypt: …..encryption
process ends
Tool: Veracrypt: Mounting process..
Tool: Veracrypt
Tool: Veracrypt
Tool: Veracrypt: ………mounting
process ends
Reference: Disk Encryption Tools
A list of disk encryption tools is mentioned below as follows. All these tools have a common
goal, i.e., encrypting a disk partition. But environment or purpose may change. If one tool is
intended to create a virtual encrypted disk of the target disk partition, then the other may be
intended to encrypt data on Pocket PCs running Windows Mobile and so on:
• PocketCrypt available at https://www.securstar.com
• Rohos Disk Encryption available at https://www .rohos.com
• R-Crypto available at https://www.r-tt.com
• SafeBit Disk Encryption available at https://www.safebit.net
• alertsec available at https://www.alertsec .com
• Symantec Drive Encryption available at https://www .symantec.com