SSL/TLS

The name SSL/TLS is used for the family of protocols, however, it is also common to see both SSL and TLS names used on their own to describe the full family. From here on in the post we will use SSL/TLS for the family and will specify versions, for examples TLS 1.2, when talking about specific protocols from the family.
The following protocols currently form the SSL/TLS family:

• SSL 2.0
• SSL 3.0
• TLS 1.0
• TLS 1.1
• TLS 1.2
• TLS 1.3 (draft)

What makes up SSL/TLS?

In this post we will discuss the various parts that make up SSL/TLS protocols, as well as few terms that are often discussed alongside SSL/TLS.

• HTTPS and its relation to SSL/TLS
• Ciphers and Cipher Suites
• Key Exchange Mechanisms
• Message Authentication Codes (MAC)
• Certificates

Ciphers and Cipher Suites

A cipher is an algorithm that takes a plain text message, in the case of HTTPS your unencrypted HTTP data, and scrambles it up to prevent a third party from being able to read it. Ciphers uses keys/shared secrets to decrypt and encrypt data, it is important that that only trusted parties know these secrets; the method used to decide on this shared secret is called key exchange is discussed further below.

There are a number of ciphers available to use in the various versions of SSL/TLS, to increase the number of clients who are able to connect it is common to support a number of different ciphers; however selecting the right ciphers very important, weaknesses have been found in some ciphers that were once considered secure, and some ciphers have become more vulnerable as computing power has increased. Different versions of SSL/TLS support different ciphers, and some clients may only support a subset of the ciphers supported by a specific version of SSL/TLS.

Choice of ciphers is beyond the scope of this post, however one important factor to consider with ciphers is if they support perfect forward security. TLS 1.3 the upcoming new version of TLS will only support algorithms have perfect forward security.

Cipher suites are a combination of ciphers, key exchange methods and MACs that are typically displayed together in the following format “DHE-RSA-AES256-GCM-SHA384.”

Cipher Suite

A cipher suite is SSL/TLS terminology for a set of cipher, key exchange algorithm, MAC code, and a pseudo random number function used to set up the secure communication.  These are the strings that you often see when people are talking about SSL/TLS such as “TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.” A SSL server can have one or more cipher suites enabled and the SSL client and server will negotiate which suite to use when the connection is started, it is by this processes that clients that support older versions of SSL/TLS are still able to communicate new servers.

Certificates

Certification is the process used to prove the identity of an actor in an SSL/TLS communication. Certificates can be used to prove the identify of both parties, however in HTTPS (one of the most common users of SSL/TLS) only the server is usually identified via a certificate.

Certification works via a tree of trust, a small number of parties own certificates that have been pre-trusted with browsers and operating systems. These parties form the root of the trust tree, and can sign certificates of other trusted parties, and these parties may be able to sign further certificates. By following the chain of trust back up to the pre-trusted root certificates it is possible to check the validity of any of any certificate.

There are number of types of certificate issues to websites; that vary in the amount of checks the issuer performs and thus the amount of trust they bestow, and what they can be used for.

One type of certificate you may have heard of is an Extended Validity (EV) certificate; these certificates require more checks, but provide one of the highest levels of trust. Sites using these certificates will receive the green bar in browsers which users are taught to look for.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk. SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.