SSL and TLS Flashcards
What are SSL and TLS used for?
Secure Socket Layer and Transport Layer Security are used to protect TCP connections on the web, when communicating with web servers.
What can SSL and TLS protect against?
Application level threats such as server impersonation, but not IP level threats.
What are the two main protocols of SSL?
A handshake, which establishes a shared key, and a record protocol, which encapsulates the higher level data being exchanged.
How do SSL and TLS use public key encryption?
For authentication and session key transfer.
How do SSL and TLS use symmetric key encryption?
For confidentiality.
How do SSL and TLS ensure integrity?
By hashing.
What is a “master secret”?
This is in TLS. We have a master secret which is used to generate all the various secret information which is needed, including the encryption key, the IVs, and integrity protection keys.
Describe the TLS handshake.
Client (C) sends…
ClientHello: C, version(c), ciphersuite(c), nonce(c).
Server (S) sends…
ServerHello: version(s), ciphersuite(s), nonce(s).
Certificate: sigCA(S, server’s public key).
ServerHelloDone.
Client sends …
ClientKeyExchange: Server’s public key(secret(c))
ChangeCipherSpec
Finished: hash(c)
The server sends…
ChangeCipherSpec
Finished: hash(s)
How do we compute the hashes in the TLS handshake?
The hashes are computed on all the messages you have sent.
What is included in the ciphersuite in a TLS handshake?
The Key Exchange algorithm, the encryption algorithm, and the hash algorithm
What is a chosen protocol attack in TLS?
Newer versions of TLS are backwards compatible, and older versions may have vulnerabilities. So, if an attacker can fool someone into using an older version, they can exploit these weaknesses. For example, in version 2.0, there is no hashing.
What is a Javascript attack?
Javascript is executed in the browser, and the attacker can use this to their advantage by using this to execute some code on the user’s machine. An example would be inserting malicious javascript into a web page or HTML email.