Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX242 views

CNIT 141: 13. TLS

The document discusses the Transport Layer Security (TLS) protocol, its evolution from SSL, and significant improvements in TLS 1.3 over previous versions, particularly in terms of security and efficiency. It highlights features such as the removal of weak algorithms, introduction of authenticated ciphers, and enhancements like downgrade protection and session resumption. Additionally, the document addresses vulnerabilities and attacks associated with TLS, emphasizing the importance of secure communications across various applications.

Embed presentation

Download as PDF, PPTX
CNIT 141 Cryptography for Computer Networks 13. TLS
Topics • Target Applications and Requirements • The TLS Protocol Suite • TLS 1.3 Improvements Over TLS 1.2 • The Strengths of TLS Security • How Things Can Go Wrong
TLS • Protects communications at layer 4 • Can carry any type of content • Email, Web traffic, mobile apps, ... • Machine-to-machine comms for IoT
TLS Vulnerabilities • TLS grew too big and bloated • Many attacks • Heartbleed • BEAST • CRIME • POODLE
TLS 1.3 • Overhaul of protocol • Removed unnecessary features • Replaced old algorithms • Simpler, faster, and more secure
Target Applications and Requirements
Secure Channel • TLS ensures that data is confidential, authenticated, and unmodified • Prevents MiTM attacks • By authenticating servers with trusted Certificate Authorities
Four Requirements • Efficient • Compare CPU to unencrypted comms • Interoperable • Work on any hardware or OS • Extensible • Support additional features & algorithms • Versatile • Not bound to any specific application
The TLS Protocol Suite
Transport Layer • TLS is not in the transport layer • It's above layer 4, adding security to it • Can run over TCP or UDP • UDP version is called DTLS • Datagram Transport Layer Security
History • SSL: began in 1995, from Netscape • SSL 2.0 and SSL 3.0 had security flaws • Should no longer be used • TLS • TLS 1.0 (1999): least secure • TLS 1.1 (2006): better but contains weak algorithms
TLS 1.2 • From 2008 • Better than previous versions • Complex and hard to configure • Supports AES-CBC, vulnerable to padding oracle attacks • Inherited dozens of features and design choices from earlier versions • TLS 1.3 is a major overhaul and improvement
TLS in a Nutshell • Record protocol • Data encapsulation • Handshake protocol • Key agreement
TLS Handshake • From Cloudflare (link Ch 13a)
Hello • ClientHello • Lists ciphers available • ServerHello • Selects a cipher to use
ClientHello
ServerHello
Certificates and Certificate Authorities (CA) • Server uses a certificate to authenticate itself • Verified by a CA • CA's public keys hard-coded into browsers • Trusted third party
Certificate
Certificate Chain
Record Protocol
Zero Padding • Adds zeroes to plaintext for short messages • Mitigates traffic analysis • Deducing contents from message size
TLS 1.3 Cryptographic Algorithms • Three types of algorithms are used • Authenticated encryption • Key derivation function • Hash function that derives secret keys from a shared secret • A Diffie-Hellman function
Authenticated Ciphers • TLS 1.3 supports only three algorithms • AES-GCM • AES-CCM • Slightly less efficient than AES-GCM • ChaCha20 stream cipher • Combined with Poly1305 MAC • Secret key can be 128 or 256 bits • Unsafe 64-bit or 80-bit keys not allowed
Key Derivation Function (KDF) • HKDF, based on HMAC • Uses SHA-256 or SHA-384
Diffie-Hellman Two Options • Elliptic Curve • With the three NIST curves, or • Curve25519, or Curve448 • Group of integers modulo a prime number • Traditional Diffie-Hellman • 2048 - 8192 bits • Security of 2048-bit group is weak length • Less than 100 bits
TLS 1.3 Improvements Over TLS 1.2
Removed Weak Algorithms • MD5, SHA-1 • RC4, AES-CBC • MAC-then-Encrypt alorithms • Like HMAC-SHA-1 • Replaces with authenticated ciphers • More efficient and secure
Removed Insecure Feature • Optional data compression • Enabled the CRIME attack • Length of the compressed message leaked information about contents
New Features • That make TLS 1.3 more secure • Downgrade protection • Single round-trip handshake • Session resumption
Downgrade Attack • MiTM attacker modifies ClientHello I want TLS 1.3 Sending ServerHello for TLS 1.1 Send her TLS 1.1 instead
Downgrade Protection • To prevent this, 8 bytes in the ServerHello denote the TLS version • They are cryptographically signed so the MiTM can't change them • The client can check them to see what TLS version is being provided
Single Round-Trip Handshake • In TLS 1.2 • Client sends some data, waits for response • Client sends more data, waits for response • TLS 1.3 combines it all into one round-trip • Saves time
Session Resumption • Leverages the pre-shared key exchanged in a previous session • To bootstrap a new session • Two benefits • Client can start encrypting immediately • No need for certificates
The Strengths of TLS Security
Authentication • TLS 1.3 handshake authenticates the server with a certificate and CA • Client is not authenticated, but can use: • Username & password in a TLS record • Secure cookie over TLS • A client certificate (rarely used)
Forward Secrecy • TLS 1.3 provides forward secrecy in both a data leak and a breach • If an attacker can steal a client's RAM • Exposes keys and secrets for the current session • And any old sessions still stored in RAM • Solution: use Secure Strings
• Provided by Microsoft • Since 2005 in .NET 2.0 • Link Ch 13b
How Things Can Go Wrong
Compromised CA • Happened in 2011 to DigiNotar • CA's private key compromised • Attacker created fake certificates for Google services
Compromised Client • Attacker who controls client can • Capture session keys • Read decrypted data • Or install a rogue CA certificate
Bugs in Implementation • Heartbleed • Leaked secrets from HTTPS servers in 2014
Improving TLS • SSL Labs TLS test • Lets you test any site's certificate • Or a browser's TLS configuration • Let's Encrypt • Free TLS certificates for everyone
CNIT 141: 13. TLS
CNIT 141: 13. TLS
CNIT 141: 13. TLS
CNIT 141: 13. TLS

More Related Content

PDF
CNIT 141 11. Diffie-Hellman
bySam Bowne
 
PDF
CNIT 141 13. TLS
bySam Bowne
 
PDF
CNIT 141: 13. TLS
bySam Bowne
 
PDF
CNIT 128 3. Attacking iOS Applications (Part 1)
bySam Bowne
 
PDF
CNIT 141: 1. Encryption
bySam Bowne
 
PDF
CNIT 141: 1. Encryption
bySam Bowne
 
PDF
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
PDF
CNIT 141: 11. Diffie-Hellman
bySam Bowne
 
CNIT 141 11. Diffie-Hellman
bySam Bowne
 
CNIT 141 13. TLS
bySam Bowne
 
CNIT 141: 13. TLS
bySam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 1)
bySam Bowne
 
CNIT 141: 1. Encryption
bySam Bowne
 
CNIT 141: 1. Encryption
bySam Bowne
 
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
CNIT 141: 11. Diffie-Hellman
bySam Bowne
 

What's hot

PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PPT
Ip sec
byshifanabasheer
 
PPTX
Certificate pinning in android applications
byArash Ramez
 
PPT
Network security-primer-9544
byHfz Mushtaq
 
PDF
Cryptography101
byNCC Group
 
PDF
CNIT 129S Ch 7: Attacking Session Management
bySam Bowne
 
PPTX
How to do right cryptography in android part 3 / Gated Authentication reviewed
byArash Ramez
 
PDF
CNIT 123: 6: Enumeration
bySam Bowne
 
PDF
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
PDF
CNIT 141: 14. Quantum and Post-Quantum
bySam Bowne
 
PPTX
Bypass Security Checking with Frida
bySatria Ady Pradana
 
PPTX
Slidecast - Workshop
bySamant Khajuria
 
PDF
Cryptography
bySri Manakula Vinayagar Engineering College
 
PDF
CNIT 123 12: Cryptography
bySam Bowne
 
PPTX
How to do Cryptography right in Android Part One
byArash Ramez
 
PDF
CNIT 125 Ch 4. Security Engineering (Part 2)
bySam Bowne
 
PDF
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
PPTX
The Ransomware Threat: Tracking the Digitial Footprints
byk3vb0t
 
PDF
CNIT 141: 4. Block Ciphers
bySam Bowne
 
PPTX
Path of Cyber Security
bySatria Ady Pradana
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
Ip sec
byshifanabasheer
 
Certificate pinning in android applications
byArash Ramez
 
Network security-primer-9544
byHfz Mushtaq
 
Cryptography101
byNCC Group
 
CNIT 129S Ch 7: Attacking Session Management
bySam Bowne
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
byArash Ramez
 
CNIT 123: 6: Enumeration
bySam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
CNIT 141: 14. Quantum and Post-Quantum
bySam Bowne
 
Bypass Security Checking with Frida
bySatria Ady Pradana
 
Slidecast - Workshop
bySamant Khajuria
 
Cryptography
bySri Manakula Vinayagar Engineering College
 
CNIT 123 12: Cryptography
bySam Bowne
 
How to do Cryptography right in Android Part One
byArash Ramez
 
CNIT 125 Ch 4. Security Engineering (Part 2)
bySam Bowne
 
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
The Ransomware Threat: Tracking the Digitial Footprints
byk3vb0t
 
CNIT 141: 4. Block Ciphers
bySam Bowne
 
Path of Cyber Security
bySatria Ady Pradana
 

Similar to CNIT 141: 13. TLS

PPTX
Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-...
byAliHaider897273
 
PPTX
SSL_and_TLS_Overview concept the nice .pptx
byyvenkateswaracse
 
PPTX
Transport Layer Security
byHuda Seyam
 
PDF
wolfSSL and TLS 1.3
bywolfSSL
 
PDF
Introduction to TLS 1.3
byn|u - The Open Security Community
 
PPTX
TLS - Transport Layer Security
byByronKimani
 
PDF
Transport Layer Security
byIbrahiem Mohammed
 
PPTX
SIP over TLS
byHossein Yavari
 
PDF
Introduction to TLS-1.3
byVedant Jain
 
PPTX
Cours4.pptx
byBellaj Badr
 
PPTX
Difference between TLS 1.2 vs TLS 1.3 and tutorial of TLS2 and TLS2 version c...
byjeetendra mandal
 
ODP
Tls 13final13
byVitezslav Cizek
 
ODP
Tls 1.3
byKevin OBrien
 
PPTX
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
PPTX
TLS 1.3: Everything You Need to Know - CheapSSLsecurity
byCheapSSLsecurity
 
DOCX
Transport Layer Security
bySanjeev Kumar Jaiswal
 
PDF
Rootconf2019
byHuzaifa Sidhpurwala
 
PDF
TLS Perf: from three to zero in one spec
byNatasha Rooney
 
PDF
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
PPTX
Introducing TLS 1.3 – The future of Encryption
byRapidSSLOnline.com
 
Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-...
byAliHaider897273
 
SSL_and_TLS_Overview concept the nice .pptx
byyvenkateswaracse
 
Transport Layer Security
byHuda Seyam
 
wolfSSL and TLS 1.3
bywolfSSL
 
Introduction to TLS 1.3
byn|u - The Open Security Community
 
TLS - Transport Layer Security
byByronKimani
 
Transport Layer Security
byIbrahiem Mohammed
 
SIP over TLS
byHossein Yavari
 
Introduction to TLS-1.3
byVedant Jain
 
Cours4.pptx
byBellaj Badr
 
Difference between TLS 1.2 vs TLS 1.3 and tutorial of TLS2 and TLS2 version c...
byjeetendra mandal
 
Tls 13final13
byVitezslav Cizek
 
Tls 1.3
byKevin OBrien
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
TLS 1.3: Everything You Need to Know - CheapSSLsecurity
byCheapSSLsecurity
 
Transport Layer Security
bySanjeev Kumar Jaiswal
 
Rootconf2019
byHuzaifa Sidhpurwala
 
TLS Perf: from three to zero in one spec
byNatasha Rooney
 
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
Introducing TLS 1.3 – The future of Encryption
byRapidSSLOnline.com
 

More from Sam Bowne

PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
10 RSA
bySam Bowne
 
Cyberwar
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 

Recently uploaded

PDF
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PPTX
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PDF
Models of Teaching - TNTEU - B.Ed I Semester - Teaching and Learning - BD1TL ...
byDr Raja Mohammed T
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PDF
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
PPTX
Semester 6 UNIT 2 Dislocation of hip.pptx
bysachin7989
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PDF
NAVIGATE PHARMACY CAREER OPPORTUNITIES.pdf
byMd. Zakaria Faruki
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PPTX
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
PPTX
How to use search_read method in Odoo 18
byCeline George
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
How to Manage Line Discounts in Odoo 18 POS
byCeline George
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
PDF
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Models of Teaching - TNTEU - B.Ed I Semester - Teaching and Learning - BD1TL ...
byDr Raja Mohammed T
 
Analyzing the data of your initial survey
byThelma Villaflores
 
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
Semester 6 UNIT 2 Dislocation of hip.pptx
bysachin7989
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
NAVIGATE PHARMACY CAREER OPPORTUNITIES.pdf
byMd. Zakaria Faruki
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
How to use search_read method in Odoo 18
byCeline George
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
How to Manage Line Discounts in Odoo 18 POS
byCeline George
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 

CNIT 141: 13. TLS

  • 1.
    CNIT 141 Cryptography forComputer Networks 13. TLS
  • 2.
    Topics • Target Applicationsand Requirements • The TLS Protocol Suite • TLS 1.3 Improvements Over TLS 1.2 • The Strengths of TLS Security • How Things Can Go Wrong
  • 3.
    TLS • Protects communicationsat layer 4 • Can carry any type of content • Email, Web traffic, mobile apps, ... • Machine-to-machine comms for IoT
  • 4.
    TLS Vulnerabilities • TLSgrew too big and bloated • Many attacks • Heartbleed • BEAST • CRIME • POODLE
  • 5.
    TLS 1.3 • Overhaulof protocol • Removed unnecessary features • Replaced old algorithms • Simpler, faster, and more secure
  • 6.
  • 7.
    Secure Channel • TLSensures that data is confidential, authenticated, and unmodified • Prevents MiTM attacks • By authenticating servers with trusted Certificate Authorities
  • 8.
    Four Requirements • Efficient •Compare CPU to unencrypted comms • Interoperable • Work on any hardware or OS • Extensible • Support additional features & algorithms • Versatile • Not bound to any specific application
  • 9.
  • 10.
    Transport Layer • TLSis not in the transport layer • It's above layer 4, adding security to it • Can run over TCP or UDP • UDP version is called DTLS • Datagram Transport Layer Security
  • 11.
    History • SSL: beganin 1995, from Netscape • SSL 2.0 and SSL 3.0 had security flaws • Should no longer be used • TLS • TLS 1.0 (1999): least secure • TLS 1.1 (2006): better but contains weak algorithms
  • 12.
    TLS 1.2 • From2008 • Better than previous versions • Complex and hard to configure • Supports AES-CBC, vulnerable to padding oracle attacks • Inherited dozens of features and design choices from earlier versions • TLS 1.3 is a major overhaul and improvement
  • 13.
    TLS in aNutshell • Record protocol • Data encapsulation • Handshake protocol • Key agreement
  • 14.
    TLS Handshake • FromCloudflare (link Ch 13a)
  • 15.
    Hello • ClientHello • Listsciphers available • ServerHello • Selects a cipher to use
  • 16.
  • 17.
  • 19.
    Certificates and Certificate Authorities(CA) • Server uses a certificate to authenticate itself • Verified by a CA • CA's public keys hard-coded into browsers • Trusted third party
  • 20.
  • 21.
  • 22.
  • 23.
    Zero Padding • Addszeroes to plaintext for short messages • Mitigates traffic analysis • Deducing contents from message size
  • 24.
    TLS 1.3 Cryptographic Algorithms •Three types of algorithms are used • Authenticated encryption • Key derivation function • Hash function that derives secret keys from a shared secret • A Diffie-Hellman function
  • 25.
    Authenticated Ciphers • TLS1.3 supports only three algorithms • AES-GCM • AES-CCM • Slightly less efficient than AES-GCM • ChaCha20 stream cipher • Combined with Poly1305 MAC • Secret key can be 128 or 256 bits • Unsafe 64-bit or 80-bit keys not allowed
  • 26.
    Key Derivation Function (KDF) •HKDF, based on HMAC • Uses SHA-256 or SHA-384
  • 27.
    Diffie-Hellman Two Options • EllipticCurve • With the three NIST curves, or • Curve25519, or Curve448 • Group of integers modulo a prime number • Traditional Diffie-Hellman • 2048 - 8192 bits • Security of 2048-bit group is weak length • Less than 100 bits
  • 28.
  • 29.
    Removed Weak Algorithms • MD5,SHA-1 • RC4, AES-CBC • MAC-then-Encrypt alorithms • Like HMAC-SHA-1 • Replaces with authenticated ciphers • More efficient and secure
  • 30.
    Removed Insecure Feature • Optionaldata compression • Enabled the CRIME attack • Length of the compressed message leaked information about contents
  • 31.
    New Features • Thatmake TLS 1.3 more secure • Downgrade protection • Single round-trip handshake • Session resumption
  • 32.
    Downgrade Attack • MiTMattacker modifies ClientHello I want TLS 1.3 Sending ServerHello for TLS 1.1 Send her TLS 1.1 instead
  • 33.
    Downgrade Protection • Toprevent this, 8 bytes in the ServerHello denote the TLS version • They are cryptographically signed so the MiTM can't change them • The client can check them to see what TLS version is being provided
  • 34.
    Single Round-Trip Handshake • InTLS 1.2 • Client sends some data, waits for response • Client sends more data, waits for response • TLS 1.3 combines it all into one round-trip • Saves time
  • 35.
    Session Resumption • Leveragesthe pre-shared key exchanged in a previous session • To bootstrap a new session • Two benefits • Client can start encrypting immediately • No need for certificates
  • 37.
    The Strengths ofTLS Security
  • 38.
    Authentication • TLS 1.3handshake authenticates the server with a certificate and CA • Client is not authenticated, but can use: • Username & password in a TLS record • Secure cookie over TLS • A client certificate (rarely used)
  • 39.
    Forward Secrecy • TLS1.3 provides forward secrecy in both a data leak and a breach • If an attacker can steal a client's RAM • Exposes keys and secrets for the current session • And any old sessions still stored in RAM • Solution: use Secure Strings
  • 40.
    • Provided byMicrosoft • Since 2005 in .NET 2.0 • Link Ch 13b
  • 41.
  • 42.
    Compromised CA • Happenedin 2011 to DigiNotar • CA's private key compromised • Attacker created fake certificates for Google services
  • 46.
    Compromised Client • Attackerwho controls client can • Capture session keys • Read decrypted data • Or install a rogue CA certificate
  • 47.
    Bugs in Implementation •Heartbleed • Leaked secrets from HTTPS servers in 2014
  • 48.
    Improving TLS • SSLLabs TLS test • Lets you test any site's certificate • Or a browser's TLS configuration • Let's Encrypt • Free TLS certificates for everyone