SSL, TLS, HTTPS and E2EE Flashcards
What are SSL and TLS?
Encryption protocols designed to provide communication security over a network or the internet
What does SSL stand for?
Secure Socket Layer
What does TLS stand for?
Transport Layer Security
What security parameters does TLS provide?
Confidentiality
Integrity
Authentication
What is special about the Diffie-Hellman key exchange protocol?
Forward Secrecy - a unique session key is generated for every session a user initiates
What is the benefit of Forward Secrecy?
- Gives assurance that session keys aren’t compromised even if the public/private key is
- Only info in that one session will be compromised and not other sessions
What does Forward Secrecy achieve in terms of messaging?
If the private keys for a server are compromised, all previously sent messages can't be decrypted, because each session used a different DH session key
What is a Ciphersuite?
A combination of encryption algorithms used to secure a network connection
What is SSL stripping?
A proxy that looks for HTTPS redirects
It intercepts the redirect and directs the client to the HTTP version of the site
What are some mitigations against SSL stripping?
Arpwatch
Tunneling
Browser settings for HTTPS
VLANs
Firewalls
What is HTTPS in terms of HTTP?
HTTPS is HTTP run over SSL or TLS
What is a digital signature?
A hash value that has been encrypted with the issuer's private key (e.g. DigiCert)
How do you validate a digital signature?
The SHA fingerprint (hash) must be decrypted using the issuer's public key, and the decrypted value must match what's on the issuer's certificate
How can HTTPS be exploited?
The issuance of fake certificates
Over 1400 CAs trusted by Microsoft etc.
One will make a mistake (Symantec)
Nation states all have influence over CAs and can issue trusted certificates
What is Null byte poisoning? (Certificates)
When certificates are obtained by someone for a domain not actually owned by them
- Nation state surveillance
What is Pinning used for?
A mitigation to certificate changes
- can tie a host to their expected X.509 cert or key so the host will only accept that one key
- no data exchanged if key differs
- used by banking apps to “lock out” unnecessary connections
What is End-to-End Encryption (E2EE)?
Where data encrypted by the sender can only be decrypted by the intended receiver
What are some E2EE technologies?
PGP
SSL/TLS
OTR
S/MIME
What is the main goal of E2EE?
A zero-knowledge system ensuring that data cannot be revealed even if you are coerced or want to
True or False:
E2EE protects data that has been received
False:
Only protects data in transit
Other methods are needed to store and protect data afterwards
What is Steganography?
The art of hiding data in another set of data
- Message hidden in the binary of a picture file when decoded
Benefit of Steganography over Encryption?
Encryption isn't hidden at all; steganography, however, is covert
What is the name for the file being used to hold Steganography data?
A Carrier
What method in Steganography allows for plausible deniability?
A Decoy Carrier
- Creating a decoy carrier with a fake message in case you are compromised or coerced
What is important when choosing a file as a Carrier for Steganography?
Use a file that cannot be compared to its ‘original’
- Resize, crop and compress any downloaded photo first
- Use an original photo
What are the two easiest and most paramount security controls to implement first before anything?
1) Up-to-Date Patches
2) Strong Password