Hi Medium! Here we are again with a new article. Today we will give an overview of TLS, covering the following points:
1. Confidentiality
2. Integrity
3. Availability
4. Defence in Depth
5. Symmetric encryption
6. Asymmetric encryption
7. Cryptographic Hash function
8. Man In The Middle (MITM)
9. Transport Layer Security
10. Banking Malware That Uses TLS
Security is critical for enterprises and organizations of all sizes and in all industries. Information security is the set of processes, tools, policies and systems put in place against internal and external attacks that could damage or stop the services an organization offers. Below are some of its core principles.
1 Confidentiality
Confidentiality asserts that information and data are accessible only to persons who are authorized to access them. It is important to make sure that information is not disclosed to unauthorized parties.
2 Integrity
Integrity maintains the protection of information against modification by unauthorized parties. Data has to remain consistent, accurate and trustworthy throughout every exchange of information, so deploying controls that both prevent and detect changes to data is essential.
3 Availability
Availability seeks to ensure that information is available to authorized users when they need it. Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks on availability; high-availability clusters and backup copies are some of the mitigations against them.
4 Defence in Depth
Defense in Depth, or Layered Security, is a security approach that uses multiple layers of security controls so that no single control is relied on alone. One example of a Defense in Depth approach is to apply policies on every network and security device in order to improve the security of the systems as a whole.
5 Symmetric encryption
Symmetric encryption uses a single shared key, or, as the name implies, two identical copies of the same key. The same key performs both functions, encryption and decryption, so both parties must already share the key and keep it secret.
6 Asymmetric encryption
Asymmetric encryption works with two different keys that have different abilities: one key encrypts, and the other key decrypts. The two keys form a pair, of which one can be published (the public key) while the other must stay secret (the private key).
7 Cryptographic Hash function
A cryptographic hash function is an algorithm that can be run on data, such as an individual file or a password, to produce a fixed-size value called a digest (often loosely called a checksum). Any change to the input, even a single bit, produces a different digest.
The main use of a cryptographic hash function is to verify the integrity of data and, when combined with a secret key as in a MAC, its authenticity.
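The difference between a plain digest and a keyed digest matters for the MAC checks that appear later in the TLS handshake, so here is an added example (my own code, not from the original article) using Python's standard library. The message, the tampered copy and both keys are constructed sample values.

```python
"""Integrity with a hash, authenticity with a keyed hash (HMAC): added example."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Digest of the data: any change to the input, even one bit, changes the output."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA-256): only someone holding the key can produce or check it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched (timing).
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def authenticity_ok(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_hex(key, data), tag_hex)


# Constructed sample: a message, a tampered copy, and two keys.
MESSAGE = b"transfer 100 EUR to account 1234"
TAMPERED = b"transfer 900 EUR to account 1234"
SESSION_KEY = b"shared-by-client-and-server"   # constructed; a real session key is random
ATTACKER_KEY = b"guess"                        # what someone on the path has: not the key


def tamper_detected_by_hash() -> bool:
    """A plain digest sent with the message catches accidental or naive modification."""
    return not integrity_ok(TAMPERED, sha256_hex(MESSAGE))


def hash_alone_is_not_authentication() -> bool:
    """But a party who can rewrite the message can also rewrite the digest, so the
    receiver learns nothing about who produced it: the forged pair verifies fine."""
    forged_digest = sha256_hex(TAMPERED)
    return integrity_ok(TAMPERED, forged_digest)


def mac_stops_forgery() -> bool:
    """With a MAC, rewriting the message without the session key yields a tag that
    fails verification at the receiver, which is exactly what the handshake relies on."""
    forged_tag = hmac_hex(ATTACKER_KEY, TAMPERED)
    return not authenticity_ok(SESSION_KEY, TAMPERED, forged_tag)


if __name__ == "__main__":
    print("sha256(message) :", sha256_hex(MESSAGE))
    print("sha256(tampered):", sha256_hex(TAMPERED))
    print("hash detects the change   :", tamper_detected_by_hash())
    print("hash proves who sent it   :", not hash_alone_is_not_authentication())
    print("MAC detects the forgery   :", mac_stops_forgery())
```

The point to take away is that a hash by itself only protects against modification by someone who cannot also replace the hash; binding the digest to a key shared by the two endpoints is what turns it into a check of authenticity.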
8 Man In The Middle (MITM)
A Man in the Middle attack is one where an attacker positions themselves between the sender and the receiver of information and sniffs, and can possibly alter, everything being sent. Authenticating the server with a certificate, as TLS does, is the main defence against it: if the client does not verify who it is talking to, the encryption protects the session from everyone except the party in the middle.
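Whether a TLS client actually gets that defence depends on a few settings. As an added example (my own code, not from the original article), the following Python compares the client context often seen in code that "just wants the certificate error to go away" with a hardened one, and includes a small audit helper of my own that inspects `ssl.SSLContext` settings; it makes no network connection.

```python
"""Client-side TLS settings that decide whether a MITM succeeds: added example."""
import ssl


def insecure_context() -> ssl.SSLContext:
    """No certificate validation and no hostname check: any party on the path can
    present its own certificate and terminate the session in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validate the server certificate against the trust store, check that it matches
    the hostname, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()  # already CERT_REQUIRED with check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise about a client context (hypothetical helper
    written for this example; an empty list means no findings)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(f"{name:9}", audit_context(ctx) or ["no findings"])
```

The first two findings are the ones that make a MITM trivial: without `CERT_REQUIRED` the certificate is never checked against a trust anchor, and without `check_hostname` a valid certificate for any other name is accepted.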
9 Transport Layer Security
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL): I will refer to both as TLS for simplicity.
Cryptographic protocols deal with the application of cryptographic algorithms. The TLS scheme, which is used in every web browser, is an example of a cryptographic protocol.
In TLS, symmetric algorithms, asymmetric algorithms and hash functions are all used together and delivered as a cipher suite. This is sometimes referred to as a hybrid scheme. The reason for using both families of algorithms is that each has specific strengths and weaknesses. Together, the cipher suite offers confidentiality of data, integrity of data, authentication of data and user identification.
TLS is used to encrypt communication for many common applications, most visibly to keep your data secure over the Hypertext Transfer Protocol (HTTP), which manages client-server interaction on the web.
The diagram below illustrates the requests and responses exchanged in the TLS protocol, including the establishment of the TCP three-way handshake.
- 0 ms: As we know, TLS runs over TCP, whose three-way handshake takes one round trip.
- 56 ms: After the three-way handshake is established, the client sends the Client Hello. With this packet the client sends a number of specifications for the secure channel that will be created once the two parties agree.
The specifications set by the client are: the version of TLS it supports; the proposed cipher suites (Figure 3.12), presented as hexadecimal values; the compression methods; and extensions such as elliptic curve point formats, supported groups, heartbeat, session ticket, renegotiation info, the GREASE values reserved for TLS 1.3, and others.
- 84 ms: The server picks the version of TLS for further communication, chooses a cipher suite (Figure 3.13) from the list provided by the client (Figure 1.23), attaches its certificate, and sends the response back to the client. Optionally, the server can also send a request for the client's certificate and parameters for other TLS extensions.
The Server Hello is formulated based on server-side libraries and configuration as well as the details in the Client Hello.
- 112 ms: If both sides are satisfied with the negotiation, and the client accepts the certificate provided by the server, the client initiates either the RSA or the Diffie-Hellman key exchange, which is used to establish the symmetric key for the subsequent session.
- 140 ms: The server processes the key exchange parameters sent by the client, checks the integrity of the messages by verifying the MAC, and returns an encrypted Finished message to the client.
- 168 ms: The client decrypts the message with the negotiated symmetric key, verifies the MAC, and if everything checks out, the tunnel is established and application data can now be sent.
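To make the Client Hello and the server's choice at 84 ms concrete, here is an added example in Python (my own code, not from the original article). It serializes a Client Hello with a constructed cipher-suite offer and a few of the extensions named above, parses it back the way a server would, and picks a suite using the server's own preference order rather than the client's. The cipher-suite and extension code points are the IANA registry values; the offer, the extension contents and the server policy are constructed for the example.

```python
"""Build a TLS ClientHello, parse it, and choose a cipher suite server-side: added example."""
import struct

# Code points from the IANA TLS registries (small subset, enough for the sample).
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
EXTENSIONS = {
    0x0000: "server_name", 0x000A: "supported_groups", 0x000B: "ec_point_formats",
    0x000F: "heartbeat", 0x0023: "session_ticket", 0x002B: "supported_versions",
    0xFF01: "renegotiation_info",
}


def is_grease(code: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0A0A, 0x1A1A, ... and must be ignored by servers."""
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A


def suite_name(code: int) -> str:
    if is_grease(code):
        return f"GREASE(0x{code:04X})"
    return CIPHER_SUITES.get(code, f"unknown(0x{code:04X})")


def build_client_hello(cipher_suites, extensions, legacy_version=0x0303) -> bytes:
    """Serialize a ClientHello inside a handshake record (RFC 5246 / RFC 8446 layout)."""
    body = struct.pack("!H", legacy_version)      # TLS 1.3 clients still put 0x0303 here
    body += bytes(32)                             # client random; all zeros in this sample
    body += b"\x00"                               # empty legacy session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # type client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # type handshake


def parse_client_hello(record: bytes) -> dict:
    """Walk the same layout back and return the fields the server negotiates on."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                     # skip client random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    exts, end = [], pos + ext_total
    while pos < end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        exts.append((ext_type, body[pos:pos + elen])); pos += elen
    return {"legacy_version": version, "cipher_suites": suites, "extensions": exts}


def select_cipher_suite(server_preference, client_offer):
    """Server-side choice: the first suite in the *server's* order that the client also
    offered. Suites absent from server_preference (RC4, static RSA, ...) can never win."""
    offered = set(client_offer)
    for code in server_preference:
        if code in offered:
            return code
    return None


# Constructed sample offer: a GREASE value first, then modern and legacy suites.
CLIENT_OFFER = [0x0A0A, 0x1301, 0xC02B, 0xC02F, 0x002F, 0x0005]
CLIENT_EXTENSIONS = [
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),   # server_name: example.com
    (0x000A, b"\x00\x04\x00\x1d\x00\x17"),          # supported_groups: x25519, secp256r1
    (0x002B, b"\x02\x03\x04"),                      # supported_versions: TLS 1.3
    (0x0023, b""),                                  # session_ticket (empty)
    (0xFF01, b"\x00"),                              # renegotiation_info (empty)
]
SAMPLE_HELLO = build_client_hello(CLIENT_OFFER, CLIENT_EXTENSIONS)
SERVER_PREFERENCE = [0x1301, 0xC02B, 0xC02F]        # constructed policy: forward-secret AEAD only


def summarize(record: bytes) -> dict:
    hello = parse_client_hello(record)
    chosen = select_cipher_suite(SERVER_PREFERENCE, hello["cipher_suites"])
    return {
        "legacy_version": f"0x{hello['legacy_version']:04X}",
        "offered": [suite_name(c) for c in hello["cipher_suites"]],
        "extensions": [EXTENSIONS.get(t, f"unknown(0x{t:04X})") for t, _ in hello["extensions"]],
        "chosen": None if chosen is None else suite_name(chosen),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HELLO).items():
        print(f"{key}: {value}")
```

Two details are worth noticing: the client lists RC4 and static-RSA suites, but because the server's preference list does not contain them they can never be selected, and the GREASE value at the head of the offer is reported but ignored, which is what a correct server must do.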
Cipher suites are named combinations of:
- TLS, which defines the protocol that this cipher suite is for.
- Key exchange algorithm (RSA, DH, ECDH, DHE, ...).
- Authentication/digital signature algorithm (RSA, ECDSA, ...).
- Bulk encryption algorithm (AES, CHACHA20, Camellia, ...).
- Message authentication code algorithm (SHA-256, POLY1305, ...).
This is an example of a cipher suite:
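As an added example that is not part of the original article (my own code), the following Python splits cipher-suite names into the components listed above and flags the ones a defender would not accept in a server configuration. The list of configured suites is constructed for the example; note that in names such as TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 the parser keeps POLY1305 with the bulk cipher, because ChaCha20-Poly1305 is an AEAD construction, and reports the trailing SHA256 as the handshake hash.

```python
"""Decompose TLS cipher-suite names into their parts and flag weak ones: added example."""

AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK", "ANON"}   # "anon" = no server authentication
STATIC_KX = {"RSA", "DH", "ECDH"}                       # non-ephemeral by naming convention
WEAK_CIPHERS = {"RC4", "3DES", "DES", "NULL", "IDEA", "SEED"}
LEGACY_HASHES = {"MD5", "SHA"}                          # a bare "SHA" in a suite name is SHA-1


def parse_cipher_suite(name: str) -> dict:
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into its named components."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher-suite name: {name}")
    rest = name[len("TLS_"):]
    if "_WITH_" in rest:
        kx_part, cipher_part = rest.split("_WITH_", 1)
        tokens = kx_part.split("_")
        key_exchange = tokens[0]
        # TLS_RSA_WITH_...: a single RSA token does both key transport and authentication.
        auth = next((t for t in tokens[1:] if t.upper() in AUTH_TOKENS), key_exchange)
        modifiers = [t for t in tokens[1:] if t.upper() not in AUTH_TOKENS]  # e.g. EXPORT
    else:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256): key exchange and signature are
        # negotiated through extensions, so the name carries only cipher and hash.
        key_exchange, auth, modifiers, cipher_part = "negotiated", "negotiated", [], rest
    cipher_tokens = cipher_part.split("_")
    return {
        "protocol": "TLS",
        "key_exchange": key_exchange,
        "auth": auth,
        "modifiers": modifiers,
        "bulk": "_".join(cipher_tokens[:-1]),   # AES_128_GCM, CHACHA20_POLY1305 (AEAD), ...
        "mac": cipher_tokens[-1],               # HMAC hash (TLS 1.2) or HKDF hash (TLS 1.3)
    }


def weaknesses(parts: dict) -> list:
    """Findings a defender would raise about one suite; an empty list means acceptable."""
    found = []
    # anon suites send fresh DH parameters (RFC 5246), so for them only the missing
    # authentication is reported, not the lack of forward secrecy.
    if parts["key_exchange"] in STATIC_KX and parts["auth"].upper() != "ANON":
        found.append("no forward secrecy")
    if parts["auth"].upper() == "ANON":
        found.append("unauthenticated")
    if "EXPORT" in parts["modifiers"]:
        found.append("export-grade")
    for tok in parts["bulk"].split("_"):
        if tok in WEAK_CIPHERS:
            found.append(f"weak cipher {tok}")
    if parts["mac"] in LEGACY_HASHES:
        found.append(f"legacy hash {parts['mac']}")
    return found


def audit(suite_names) -> dict:
    """Map each configured suite name to its findings, as when reviewing a server config."""
    return {n: weaknesses(parse_cipher_suite(n)) for n in suite_names}


# Constructed list, as might be found in a server configuration under review.
CONFIGURED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]


if __name__ == "__main__":
    for suite, findings in audit(CONFIGURED).items():
        print(f"{suite:48} {', '.join(findings) or 'ok'}")
```

The checks are by naming convention only (they say nothing about key sizes or the server's actual implementation), which is enough for a first pass over a configuration but not a substitute for testing the live endpoint.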
10 Banking Malware That Uses TLS
In this section we will define some malware that uses TLS; we will analyze the traffic of that malware in the next chapter.
The Zeus Trojan is a type of malicious program that targets Microsoft Windows and is often used to steal financial data. Originally detected in 2007, the Zeus Trojan, often called Zbot, has become one of the most efficient botnets in the world, infecting millions of machines and spawning many similar malicious programs developed from its code.
Dridex is a malicious Trojan. It targets banking data in particular: identifiers, passwords and secret codes (virtual keyboards or SMS codes) that allow access to online bank accounts. The goal of the criminals who operate Dridex is to make fraudulent bank transfers using the stolen data (damage estimated at over $40 million in 2015).
Gozi is a widely distributed banking trojan. Its developer, Nikita Vladimirovich Kuzmin, was ordered on Monday to pay some $6,934,979 (a little more than 6 million euros at the time) that the authorities claim as damages suffered by two major banks located in the United States and in Europe respectively.
In this article we saw the definitions of some terminology that will help us understand TLS in the chapters to come.
I hope that you enjoyed this overview ^^
Overview about TLS 1.3 https://kinsta.com/blog/tls-1-3/