Wednesday, March 16, 2016

Quick Primer on Ciphers, Protocols and Certificates

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols meant to secure communications between client and server over internal or external networks. The goal is to keep data being transferred over a network private and safe from tampering or theft. We see these protocols used heavily by web browsers connecting to web servers, where they make it possible to perform transactions securely on web pages.

The TLS protocol is the successor to the now aged SSL protocol, and its versions are widely used to encrypt and transfer data securely across the internet. SSL v3.0 is still used on certain systems because of old hardware, operating systems, etc., but it has been widely disabled due to inherent security risks within the protocol. The newer TLS protocol has three versions, v1.0, v1.1 and v1.2, with versions 1.1 and 1.2 deemed the most secure. Earlier this year the PCI council classified both SSL 3.0 and TLS 1.0 as insecure protocols that should be disabled on all services that allow them to be selected. It’s not enough to drop them in priority, since they could still be chosen by older browsers, or by attackers using threats like BEAST/POODLE/DROWN that could attempt downgrade attacks to misuse the vulnerable SSL 2.0 and 3.0 protocols. At this point, the recommendation is to enable only TLS v1.1 and v1.2 due to security concerns with the lower versions.

After a network protocol is agreed upon by both client and server, a cipher is determined next. This happens during the same negotiation between client and server, and the network protocol in use determines which ciphers are available for selection. Most of the ciphers that offer the best security are within TLS 1.1 and TLS 1.2, and TLS 1.2 is the only one of these protocols that can run the secure GCM ciphers. These ciphers are more secure than their CBC predecessors. As with all things in encryption, the larger the key the better the encryption, so comparing ciphers by key size helps too. The selected cipher is then used going forward to encrypt data between client and server.
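The negotiation described in the two paragraphs above, as an added example that is not part of the original post: a simplified Python model (not a real TLS stack) in which the highest protocol version enabled on both sides wins and the server then picks the first mutually supported cipher valid for that version. The server and client configurations are constructed sample data, and the function names are hypothetical.

```python
# Simplified model of TLS version and cipher negotiation (added example).
# Version and suite names are real; the configurations are constructed samples.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest
RECOMMENDED = {"TLSv1.1", "TLSv1.2"}  # the only versions the post says to enable

def suite_allowed(suite, version):
    """GCM suites exist only in TLS 1.2; CBC suites work on every version."""
    return "GCM" not in suite or version == "TLSv1.2"

def negotiate(server_versions, server_suites, client_versions, client_suites):
    """Return (version, suite), or None when the handshake fails.

    The highest version both sides have enabled wins; the server then takes
    the first suite in its own preference order that the client also offers
    and that is valid for that version.
    """
    common = [v for v in VERSIONS if v in server_versions and v in client_versions]
    if not common:
        return None
    version = common[-1]
    for suite in server_suites:
        if suite in client_suites and suite_allowed(suite, version):
            return version, suite
    return None

def audit(server_versions):
    """List enabled versions that the post says must be disabled."""
    return [v for v in VERSIONS if v in server_versions and v not in RECOMMENDED]

GCM = "ECDHE-RSA-AES256-GCM-SHA384"
CBC = "AES128-SHA"            # AES-CBC with HMAC-SHA1 (OpenSSL name)
SERVER_SUITES = [GCM, CBC]    # server prefers GCM

LEGACY_SERVER = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}  # old versions left on
HARDENED_SERVER = {"TLSv1.1", "TLSv1.2"}

MODERN_CLIENT = ({"TLSv1.0", "TLSv1.1", "TLSv1.2"}, [GCM, CBC])
OLD_CLIENT = ({"SSLv3"}, [CBC])  # old browser, or a connection downgraded to SSLv3

if __name__ == "__main__":
    for name, server in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, "server must disable:", audit(server))
        for label, (cv, cs) in (("modern", MODERN_CLIENT), ("old", OLD_CLIENT)):
            print("  ", label, "client ->", negotiate(server, SERVER_SUITES, cv, cs))
```

Against the legacy configuration the old client still lands on SSL 3.0 with a CBC cipher even though the server prefers TLS 1.2 and GCM; against the hardened configuration the same handshake fails.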

Using these technologies with certificates adds authentication: the client can validate that the server it is connecting to is who it says it is. The certificate itself doesn’t have anything to do with the selection of the network protocol (SSL 3.0, TLS 1.2, etc.) or of the cipher suite that will be used afterwards. Those are selected by the client and server, normally the client browser and the server’s operating system agreeing on how to secure the data in transit. When certificates are involved, a third-party certificate authority (like Verisign or GoDaddy) normally verifies that the website you’re accessing is the actual server you intend to view. Certificates are a way for your browser to trust that you’re going to a legitimate website. The encryption is based on the machine negotiation, not on the presence of a certificate. Data can still be sent securely, but from a client perspective you’re never sure you’re sending data to the “real” server unless it’s been verified by a third-party certificate.

All these aspects, network protocols, ciphers and certificates, when used in tandem, give us the ability to have secure communications over the internet and protect the security and privacy of our data.
