SSL and TLS Flashcards

1
Q

Why is web security important?

A

The web is widely used for a range of purposes.

2
Q

What type of threats is the web vulnerable to?

A
  • integrity
  • confidentiality
  • denial of service
  • authentication
3
Q

What does SSL stand for?

A

Secure Socket Layer

4
Q

What is SSL?

A

A standard protocol that provides a range of security services to your application data.

5
Q

Where does SSL sit in the TCP/IP model?

A

In-between the application layer and the TCP layer.

6
Q

What is a basic application example for SSL?

A
  1. Client contacts Server
  2. Client conveys secret info to Server
  3. Client wants to authenticate the server.
7
Q

What is the SSL Architecture?

A

SSL is broken into two parts ("layers"):
1. Record Protocol
2. Multiple Protocols (Handshake, Change Cipher Spec, Alert Protocols)

8
Q

What is the SSL Handshake Protocol?

A

Allows the server & client to:
- Authenticate each other
- Negotiate encryption & MAC algorithms
- Negotiate cryptographic keys to be used

9
Q

What is the SSL Change Cipher Spec Protocol?

A

Handles and notifies the client if there’s any change in the Cipher Spec.

10
Q

What is the SSL Alert Protocol?

A

Handles warnings and errors of web communication.

11
Q

What is an SSL session?

A

An association between a client and a server.

12
Q

What does it mean that SSL sessions are stateful?

A

The session state includes security algorithms and parameters.

13
Q

What might a session include?

A

Multiple secure connections between the same client and server.

14
Q

What do connections of the same session share?

A

The session state.

15
Q

What are sessions used for?

A

To avoid expensive negotiation of new security parameters for each connection (reconnection).

16
Q

What is a session state?

A

Carries the following information:
- Session identifier
- Peer certificate
- Compression method
- Cipher Spec

17
Q

What is a session identifier?

A

A random number to identify a session.

18
Q

What is a Peer certificate?

A

Authenticates that the server or client is connected to a valid client or server.

19
Q

What is Cipher Spec?

A

Used to understand what type of encryption/security algorithm is used to secure communications.

20
Q

What are the two responsibilities of the SSL Record Protocol Services?

A
  • Message integrity
  • Confidentiality
  • Compress before encryption
21
Q

How does SSL Record protocol work?

A

Split the application data into fragments. For each fragment:
- Compress it
- Append MAC value
- Encrypt fragment
- Append SSL Record Header

22
Q

What are the phases of the Handshake Protocol?

A

Phase 1: Negotiation of the session ID and security algorithms
Phase 2: Server can send its certificate and key exchange message, and request the client certificate
Phase 3: Client sends its certificate if requested and may send verification messages. Client always sends its key exchange message
Phase 4: Change Cipher Spec and finish handshake

23
Q

What is the Change Cipher Spec?

A

Practically a single message that indicates the end of the SSL handshake.

24
Q

What is TLS?

A

Transport Layer Security: same principle as SSL, but may vary in MAC, alert codes, verify message, etc.