Sam Bowne, profile picture
Uploaded bySam Bowne
141 views

CNIT 141: 13. TLS

This document discusses Transport Layer Security (TLS), a cryptographic protocol that provides secure communication over the internet. It summarizes TLS 1.3 improvements such as removing weak algorithms, removing insecure features like compression, adding downgrade protection and enabling a single round-trip handshake. The document also outlines how TLS authenticates servers with certificates and certificate authorities, provides forward secrecy to protect past and current sessions, and how things can still go wrong with compromised certificate authorities or implementation bugs.

Embed presentation

Download to read offline
CNIT 141 Cryptography for Computer Networks 13. TLS Updated 11-19-20
New Projects and Topics
Topics • Target Applications and Requirements • The TLS Protocol Suite • TLS 1.3 Improvements Over TLS 1.2 • The Strengths of TLS Security • How Things Can Go Wrong
TLS • Protects communications at layer 4 • Can carry any type of content • Email, Web traffic, mobile apps, ... • Machine-to-machine comms for IoT
TLS Vulnerabilities • TLS grew too big and bloated • Many attacks • Heartbleed • BEAST • CRIME • POODLE
TLS 1.3 • Overhaul of protocol • Removed unnecessary features • Replaced old algorithms • Simpler, faster, and more secure
Target Applications and Requirements
Secure Channel • TLS ensures that data is confidential, authenticated, and unmodified • Prevents MiTM attacks • By authenticating servers with trusted Certificate Authorities
Four Requirements • Efficient • Minimizing CPU load compared to unencrypted comms • Interoperable • Work on any hardware or OS • Extensible • Support additional features & algorithms • Versatile • Not bound to any specific application
The TLS Protocol Suite
Transport Layer • TLS is not in the transport layer • It's above layer 4, adding security to it • Can run over TCP or UDP • UDP version is called DTLS • Datagram Transport Layer Security
History • SSL: began in 1995, from Netscape • SSL 2.0 and SSL 3.0 had security flaws • Should no longer be used • TLS • TLS 1.0 (1999): least secure • TLS 1.1 (2006): better but contains weak algorithms
TLS 1.2 • From 2008 • Better than previous versions • Complex and hard to configure • Supports AES-CBC, vulnerable to padding oracle attacks • Inherited dozens of features and design choices from earlier versions • TLS 1.3 is a major overhaul and improvement
TLS in a Nutshell • Record protocol • Data encapsulation • Handshake protocol • Key agreement
TLS Handshake • From Cloudflare (link Ch 13a)
Hello • ClientHello • Lists ciphers available • ServerHello • Selects a cipher to use
ClientHello
ServerHello
Certificates and Certificate Authorities (CA) • Server uses a certificate to authenticate itself • Verified by a CA • CA's public keys hard-coded into browsers • Trusted third party
Certificate
Certificate Chain
Record Protocol
Zero Padding • Adds zeroes to plaintext for short messages • Mitigates traffic analysis • Deducing contents from message size
TLS 1.3 Cryptographic Algorithms • Three types of algorithms are used • Authenticated encryption • Key derivation function • Hash function that derives secret keys from a shared secret • A Diffie-Hellman operation
Authenticated Ciphers • TLS 1.3 supports only three algorithms • AES-GCM • AES-CCM • Slightly less efficient than AES-GCM • ChaCha20 stream cipher • Combined with Poly1305 MAC • Secret key can be 128 or 256 bits • Unsafe 64-bit or 80-bit keys not allowed
Key Derivation Function (KDF) • HKDF, based on HMAC • Uses SHA-256 or SHA-384
Diffie-Hellman Two Options • Elliptic Curve • With the three NIST curves, or • Curve25519, or Curve448 • Group of integers modulo a prime number • Traditional Diffie-Hellman • 2048 - 8192 bits • Security of 2048-bit group is weak link • Less than 100 bits
TLS 1.3 Improvements Over TLS 1.2
Removed Weak Algorithms • MD5, SHA-1 • RC4, AES-CBC • MAC-then-Encrypt alorithms • Like HMAC-SHA-1 • Replaces with authenticated ciphers • More efficient and secure
Removed Insecure Feature • Optional data compression • Enabled the CRIME attack • Length of the compressed message leaked information about contents
New Features • That make TLS 1.3 more secure • Downgrade protection • Single round-trip handshake • Session resumption
Downgrade Attack • MiTM attacker modifies ClientHello I want TLS 1.3 Sending ServerHello for TLS 1.1 Send her TLS 1.1 instead
Downgrade Protection • To prevent this, 8 bytes in the ServerHello denote the TLS version • They are cryptographically signed so the MiTM can't change them • The client can check them to see what TLS version is being provided
Single Round-Trip Handshake • In TLS 1.2 • Client sends some data, waits for response • Client sends more data, waits for response • TLS 1.3 combines it all into one round-trip • Saves time
Session Resumption • Leverages the pre-shared key exchanged in a previous session • To bootstrap a new session • Two benefits • Client can start encrypting immediately • No need for certificates
The Strengths of TLS Security
Authentication • TLS 1.3 handshake authenticates the server with a certificate and CA • Client is not authenticated, but can authenticate after the TLS handshake with: • Username & password in a TLS record • Secure cookie over TLS • A client certificate (rarely used)
Forward Secrecy • TLS 1.3 provides forward secrecy in both a data leak and a breach • If an attacker can steal a client's RAM • Exposes keys and secrets for the current session • And any old sessions still stored in RAM • Solution: use Secure Strings
• Provided by Microsoft • Since 2005 in .NET 2.0 • Link Ch 13b
How Things Can Go Wrong
Compromised CA • Happened in 2011 to DigiNotar • CA's private key compromised • Attacker created fake certificates for Google services
Compromised Client • Attacker who controls client can • Capture session keys • Read decrypted data • Or install a rogue CA certificate
Bugs in Implementation • Heartbleed • Leaked secrets from HTTPS servers in 2014
Improving TLS • SSL Labs TLS test • Lets you test any site's certificate • Or a browser's TLS configuration • Let's Encrypt • Free TLS certificates for everyone
CNIT 141: 13. TLS
CNIT 141: 13. TLS
CNIT 141: 13. TLS
CNIT 141: 13. TLS

More Related Content

PDF
CNIT 129S Ch 7: Attacking Session Management
bySam Bowne
 
PDF
CNIT 141: 13. TLS
bySam Bowne
 
PDF
CNIT 141 13. TLS
bySam Bowne
 
PDF
CNIT 141 11. Diffie-Hellman
bySam Bowne
 
PDF
CNIT 123: 6: Enumeration
bySam Bowne
 
PDF
CNIT 50: 1. Network Security Monitoring Rationale
bySam Bowne
 
PDF
CNIT 141: 7. Keyed Hashing
bySam Bowne
 
PDF
CNIT 123 12: Cryptography
bySam Bowne
 
CNIT 129S Ch 7: Attacking Session Management
bySam Bowne
 
CNIT 141: 13. TLS
bySam Bowne
 
CNIT 141 13. TLS
bySam Bowne
 
CNIT 141 11. Diffie-Hellman
bySam Bowne
 
CNIT 123: 6: Enumeration
bySam Bowne
 
CNIT 50: 1. Network Security Monitoring Rationale
bySam Bowne
 
CNIT 141: 7. Keyed Hashing
bySam Bowne
 
CNIT 123 12: Cryptography
bySam Bowne
 

What's hot

PDF
CNIT 125 Ch 4. Security Engineering (Part 2)
bySam Bowne
 
PDF
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
PDF
Cryptography101
byNCC Group
 
PDF
Ch 6: Attacking Authentication
bySam Bowne
 
PDF
Ch 7: Attacking Session Management
bySam Bowne
 
PDF
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
PDF
CNIT 123 Ch 10: Hacking Web Servers
bySam Bowne
 
PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PDF
Ssl attacks
byn|u - The Open Security Community
 
PDF
Ch 4: Footprinting and Social Engineering
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
CNIT 152: 9 Network Evidence
bySam Bowne
 
PDF
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
bySam Bowne
 
PPT
Ip sec
byshifanabasheer
 
PPTX
Key management
byBrandon Byungyong Jo
 
PDF
Ch 10: Attacking Back-End Components
bySam Bowne
 
PDF
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
PDF
CNIT 152 10 Enterprise Service
bySam Bowne
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
PDF
CNIT 141: 11. Diffie-Hellman
bySam Bowne
 
CNIT 125 Ch 4. Security Engineering (Part 2)
bySam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
Cryptography101
byNCC Group
 
Ch 6: Attacking Authentication
bySam Bowne
 
Ch 7: Attacking Session Management
bySam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
CNIT 123 Ch 10: Hacking Web Servers
bySam Bowne
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
Ssl attacks
byn|u - The Open Security Community
 
Ch 4: Footprinting and Social Engineering
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
CNIT 152: 9 Network Evidence
bySam Bowne
 
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
bySam Bowne
 
Ip sec
byshifanabasheer
 
Key management
byBrandon Byungyong Jo
 
Ch 10: Attacking Back-End Components
bySam Bowne
 
CNIT 128 9. Writing Secure Android Applications
bySam Bowne
 
CNIT 152 10 Enterprise Service
bySam Bowne
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
CNIT 141: 11. Diffie-Hellman
bySam Bowne
 

Similar to CNIT 141: 13. TLS

ODP
Tls 13final13
byVitezslav Cizek
 
ODP
Tls 1.3
byKevin OBrien
 
PPTX
Difference between TLS 1.2 vs TLS 1.3 and tutorial of TLS2 and TLS2 version c...
byjeetendra mandal
 
PDF
wolfSSL and TLS 1.3
bywolfSSL
 
PDF
Introduction to TLS-1.3
byVedant Jain
 
PDF
Introduction to TLS 1.3
byn|u - The Open Security Community
 
PPTX
TLS 1.3: Everything You Need to Know - CheapSSLsecurity
byCheapSSLsecurity
 
PPTX
Introducing TLS 1.3 – The future of Encryption
byRapidSSLOnline.com
 
PPTX
Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-...
byAliHaider897273
 
PDF
Transport Layer Security
byIbrahiem Mohammed
 
PPTX
TLS - Transport Layer Security
byByronKimani
 
PPTX
SSL_and_TLS_Overview concept the nice .pptx
byyvenkateswaracse
 
PPTX
SIP over TLS
byHossein Yavari
 
DOCX
Transport Layer Security
bySanjeev Kumar Jaiswal
 
PPTX
Cours4.pptx
byBellaj Badr
 
PPTX
TLS v1.3
bySiddhartha Rao
 
PPTX
Egor Podmokov - TLS from security point of view
bySergey Arkhipov
 
PDF
TLS Perf: from three to zero in one spec
byNatasha Rooney
 
PDF
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
PPTX
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
Tls 13final13
byVitezslav Cizek
 
Tls 1.3
byKevin OBrien
 
Difference between TLS 1.2 vs TLS 1.3 and tutorial of TLS2 and TLS2 version c...
byjeetendra mandal
 
wolfSSL and TLS 1.3
bywolfSSL
 
Introduction to TLS-1.3
byVedant Jain
 
Introduction to TLS 1.3
byn|u - The Open Security Community
 
TLS 1.3: Everything You Need to Know - CheapSSLsecurity
byCheapSSLsecurity
 
Introducing TLS 1.3 – The future of Encryption
byRapidSSLOnline.com
 
Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-...
byAliHaider897273
 
Transport Layer Security
byIbrahiem Mohammed
 
TLS - Transport Layer Security
byByronKimani
 
SSL_and_TLS_Overview concept the nice .pptx
byyvenkateswaracse
 
SIP over TLS
byHossein Yavari
 
Transport Layer Security
bySanjeev Kumar Jaiswal
 
Cours4.pptx
byBellaj Badr
 
TLS v1.3
bySiddhartha Rao
 
Egor Podmokov - TLS from security point of view
bySergey Arkhipov
 
TLS Perf: from three to zero in one spec
byNatasha Rooney
 
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 

Recently uploaded

PPTX
13 February 2026 - Bullying in education prevalence, impact and responses acr...
byEduSkills OECD
 
PPTX
Greengnorance Toolkit Module 4 Active Mobility and Transport
byKarl Donert
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PPTX
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
PPTX
Return For Exchange in Odoo 18 Inventory
byCeline George
 
PDF
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
PPTX
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
PDF
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
PPTX
S.Y. B. Pharm Medicinal Chemistry I Unit-I
byMs. Ashatai Patil
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PPTX
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
PDF
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
PPTX
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
PDF
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PPTX
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PPTX
How to Set Recurring Tasks in Odoo Projects
byCeline George
 
PPTX
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
PPTX
Renal Physiology -Nephron.pptx
byDisha Soriya
 
13 February 2026 - Bullying in education prevalence, impact and responses acr...
byEduSkills OECD
 
Greengnorance Toolkit Module 4 Active Mobility and Transport
byKarl Donert
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
Return For Exchange in Odoo 18 Inventory
byCeline George
 
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
S.Y. B. Pharm Medicinal Chemistry I Unit-I
byMs. Ashatai Patil
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
How to Set Recurring Tasks in Odoo Projects
byCeline George
 
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
Renal Physiology -Nephron.pptx
byDisha Soriya
 

CNIT 141: 13. TLS

  • 1.
    CNIT 141 Cryptography forComputer Networks 13. TLS Updated 11-19-20
  • 2.
  • 3.
    Topics • Target Applicationsand Requirements • The TLS Protocol Suite • TLS 1.3 Improvements Over TLS 1.2 • The Strengths of TLS Security • How Things Can Go Wrong
  • 4.
    TLS • Protects communicationsat layer 4 • Can carry any type of content • Email, Web traffic, mobile apps, ... • Machine-to-machine comms for IoT
  • 5.
    TLS Vulnerabilities • TLSgrew too big and bloated • Many attacks • Heartbleed • BEAST • CRIME • POODLE
  • 6.
    TLS 1.3 • Overhaulof protocol • Removed unnecessary features • Replaced old algorithms • Simpler, faster, and more secure
  • 7.
  • 8.
    Secure Channel • TLSensures that data is confidential, authenticated, and unmodified • Prevents MiTM attacks • By authenticating servers with trusted Certificate Authorities
  • 9.
    Four Requirements • Efficient •Minimizing CPU load compared to unencrypted comms • Interoperable • Work on any hardware or OS • Extensible • Support additional features & algorithms • Versatile • Not bound to any specific application
  • 10.
  • 11.
    Transport Layer • TLSis not in the transport layer • It's above layer 4, adding security to it • Can run over TCP or UDP • UDP version is called DTLS • Datagram Transport Layer Security
  • 12.
    History • SSL: beganin 1995, from Netscape • SSL 2.0 and SSL 3.0 had security flaws • Should no longer be used • TLS • TLS 1.0 (1999): least secure • TLS 1.1 (2006): better but contains weak algorithms
  • 13.
    TLS 1.2 • From2008 • Better than previous versions • Complex and hard to configure • Supports AES-CBC, vulnerable to padding oracle attacks • Inherited dozens of features and design choices from earlier versions • TLS 1.3 is a major overhaul and improvement
  • 14.
    TLS in aNutshell • Record protocol • Data encapsulation • Handshake protocol • Key agreement
  • 15.
    TLS Handshake • FromCloudflare (link Ch 13a)
  • 16.
    Hello • ClientHello • Listsciphers available • ServerHello • Selects a cipher to use
  • 17.
  • 18.
  • 20.
    Certificates and Certificate Authorities(CA) • Server uses a certificate to authenticate itself • Verified by a CA • CA's public keys hard-coded into browsers • Trusted third party
  • 21.
  • 22.
  • 23.
  • 24.
    Zero Padding • Addszeroes to plaintext for short messages • Mitigates traffic analysis • Deducing contents from message size
  • 25.
    TLS 1.3 Cryptographic Algorithms •Three types of algorithms are used • Authenticated encryption • Key derivation function • Hash function that derives secret keys from a shared secret • A Diffie-Hellman operation
  • 26.
    Authenticated Ciphers • TLS1.3 supports only three algorithms • AES-GCM • AES-CCM • Slightly less efficient than AES-GCM • ChaCha20 stream cipher • Combined with Poly1305 MAC • Secret key can be 128 or 256 bits • Unsafe 64-bit or 80-bit keys not allowed
  • 27.
    Key Derivation Function (KDF) •HKDF, based on HMAC • Uses SHA-256 or SHA-384
  • 28.
    Diffie-Hellman Two Options • EllipticCurve • With the three NIST curves, or • Curve25519, or Curve448 • Group of integers modulo a prime number • Traditional Diffie-Hellman • 2048 - 8192 bits • Security of 2048-bit group is weak link • Less than 100 bits
  • 29.
  • 30.
    Removed Weak Algorithms • MD5,SHA-1 • RC4, AES-CBC • MAC-then-Encrypt alorithms • Like HMAC-SHA-1 • Replaces with authenticated ciphers • More efficient and secure
  • 31.
    Removed Insecure Feature • Optionaldata compression • Enabled the CRIME attack • Length of the compressed message leaked information about contents
  • 32.
    New Features • Thatmake TLS 1.3 more secure • Downgrade protection • Single round-trip handshake • Session resumption
  • 33.
    Downgrade Attack • MiTMattacker modifies ClientHello I want TLS 1.3 Sending ServerHello for TLS 1.1 Send her TLS 1.1 instead
  • 34.
    Downgrade Protection • Toprevent this, 8 bytes in the ServerHello denote the TLS version • They are cryptographically signed so the MiTM can't change them • The client can check them to see what TLS version is being provided
  • 35.
    Single Round-Trip Handshake • InTLS 1.2 • Client sends some data, waits for response • Client sends more data, waits for response • TLS 1.3 combines it all into one round-trip • Saves time
  • 36.
    Session Resumption • Leveragesthe pre-shared key exchanged in a previous session • To bootstrap a new session • Two benefits • Client can start encrypting immediately • No need for certificates
  • 38.
    The Strengths ofTLS Security
  • 39.
    Authentication • TLS 1.3handshake authenticates the server with a certificate and CA • Client is not authenticated, but can authenticate after the TLS handshake with: • Username & password in a TLS record • Secure cookie over TLS • A client certificate (rarely used)
  • 40.
    Forward Secrecy • TLS1.3 provides forward secrecy in both a data leak and a breach • If an attacker can steal a client's RAM • Exposes keys and secrets for the current session • And any old sessions still stored in RAM • Solution: use Secure Strings
  • 41.
    • Provided byMicrosoft • Since 2005 in .NET 2.0 • Link Ch 13b
  • 42.
  • 43.
    Compromised CA • Happenedin 2011 to DigiNotar • CA's private key compromised • Attacker created fake certificates for Google services
  • 47.
    Compromised Client • Attackerwho controls client can • Capture session keys • Read decrypted data • Or install a rogue CA certificate
  • 48.
    Bugs in Implementation •Heartbleed • Leaked secrets from HTTPS servers in 2014
  • 49.
    Improving TLS • SSLLabs TLS test • Lets you test any site's certificate • Or a browser's TLS configuration • Let's Encrypt • Free TLS certificates for everyone