TLS Overview

M'hirsi Hamza
Nov 20, 2020 · 6 min read
Source

TLS Overview

Hi Medium! Here we are again with a new article, today we will talk about TLS Overview as follow:

1. Confidentiality
2. Integrity
3. Availability
4. Defence in Depth
5. Symmetric encryption
6. Asymmetric encryption
7. Cryptographic Hash function
8. Man In The Middle (MITM)
9. Transport Layer Security
10. Banking Malware That Uses TLS

Introduction

Security is very critical for enterprises and organizations of all sizes and in all industries. Information security is a set of processes, tools, policies, and implemented systems against internal and external attacks that can damage or stop the services offered by an organization. We will cite some of the main core principles of information security.

1 Confidentiality

Asserts that all the information and data are accessible only by persons who are authorized to have access. It is important to make sure that the information won’t be disclosed by unauthorized parties.

2 Integrity

Maintain the protection of information to be not modified by unauthorized parties. This means that the data have to be consistent, accurate, and trustworthy during every transaction of information. Deployment of protection and detecting means against changing data is very necessary.

3 Availability

Seeks to ensure that the information is available by authorized users when needed. Attacks on the availability are Denial Of Service (DOS), Distributed Denial Of Service (DDOS). High availability clusters and backup copies are some mitigation systems against different attacks on availability.

Confidentiality, Integrity, and Availability (CIA triad)

4 Defence in Depth

Defense in Depth or Layered Security is a security approach describe using multi-layer security lines and controls an example of a Defense in Depth approach is to apply policies on every network and security device to improve the security of the systems.

5 Symmetric encryption

Symmetric encryption involves two keys that are the same, or as the name quite cleverly implies, are symmetric. Both keys can perform both functions: encryption and decryption.

6 Asymmetric encryption

Asymmetric encryption works with two different keys with different abilities. When encryption is asymmetric, one key encrypts, and the other key decrypts.

7 Cryptographic Hash function

It is an algorithm that can be run on data such as an individual file or a password to produce a value called a checksum.

The main use of a cryptographic hash function is to verify the authenticity and integrity of data.

8 Man In The Middle (MITM)

It is an attack where a user gets between the sender and receiver of information and sniffs any information being sent.

9 Transport Layer Security

Transport Layer Security and its predecessor, Secure Socket Layer, I will refer to both as TLS for simplicity.

Crypto protocols deal with the application of cryptographic algorithms. The TLS scheme, which is used in every Web browser, is an example of a cryptographic protocol.

In the TLS, symmetric, asymmetric algorithms and hash functions are all used together to deliver as a cipher suite. This is sometimes referred to as hybrid schemes. The reason for using both families of algorithms is that each has specific strengths and weaknesses. However, this cipher suite can offer us the confidentiality of data, the integrity of data, authentication of data, user identification.

The TLS protocol used to encrypt communication for both common applications, to keep your data secure over the Hypertext Transfer Protocol (HTTP) which is used to manage client-server interaction on the web environment.

The diagram below illustrates the exchanged responses and requests in the TLS protocol, which included the establishment of the three-way handshake of TCP protocol.

TLS Exchange Diagram

- 0 ms: As we know the TLS runs over the TCP protocol, which takes one round trip.

- 56 ms: after the establishment of the three-way handshake, the client sends the client hello request, and with this packet, the client sends a number of specifications linked to the secure channel who will be created after confirmation of the two parties.

The specifications set by the client are: the version of TLS that support, the proposed cipher suites “Figure 3.12” presented in Hexadecimal values, the compression methods, extensions (like elliptic curve point formats), supported groups heartbeat, session ticket TLS, renegotiation info, reserved GREASE for TLS1.3 and others.

- 84 ms: The server picks the version of TLS for further communication, choose a cipher suite “Figure 3.13” from the list provided by the client “Figure 1.23”, attaches its certificate, and sends the response back to the client. Optionally, the server can also send a request for the client’s certificate and parameters for other TLS extensions.

The server response packet is formulated based on server-side libraries and configurations as well as details in the Client Hello.

- 112 ms: If both sides are satisfied by the negotiation, and the client is happy with the certificate provided by the server, the client initiates either the RSA or the Diffie-Hellman key exchange, which is used to establish the symmetric key for the consequent session.

- 140 ms: The server processes the key exchange parameters sent by the client, checks the integrity of the messages by verifying the MAC, and returns an encrypted finished message back to the client.

- 168 ms: The client decrypts the message with the symmetric key negotiated, verifies the MAC, and if all is done, then the tunnel is created and application data can now be sent.

Cipher suites are named combinations of:

- TLS defines the protocol that this cipher suite is for.
- Key Exchange Algorithms (RSA, DH, ECDH, DHE, …).
- Authentication/Digital Signature Algorithm (RSA, ECDSA, …).
- Bulk Encryption Algorithms (AES, CHACHA20, Camellia, …).
- Message Authentication Code Algorithms (SHA-256, POLY1305, …).

This is an example of a cipher suite:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256.

Cipher Suites Proposed
Cipher Suite Picked

10 Banking Malware That Uses TLS

In this we will define some Malware that uses TLS, we will analyze the traffic of that malware in the next chapter.

10.1 Zeus

The Zeus Trojan is a type of malicious program that targets Microsoft Windows and is often used to steal financial data. Originally detected in 2007, the Zeus Trojan, often called Zbot, has become one of the most efficient botnets in the world, infecting millions of machines and spawning many similar malicious programs developed from its code.

10.2 Dridex

Dridex is a malicious software Trojan. It targets particular banking data particular identifiers, passwords, and secret codes (virtual keyboards or SMS code) allowing to access online bank accounts. The goal of the pirates who fly Dridex is to make fraudulent bank transfers using stolen data (damage estimated at over $40 million in 2015).

10.3 Gozi

Gozi is a widely distributed banking trojan, the developer Nikita Vladimirovich Kuzmin of this trojan has just been condemned Monday to pay some 6 934 979 dollars (a little more than 6 million euros currently) that the authorities claim as damages suffered by two major banks located respectively in the United States and Europe.

Summary

In this article, we saw a different definition of some terminology that will help us understand TLS for the further chapters that will come.

I hope that you enjoyed this overview ^^

Further Reading

Overview about TLS 1.3 https://kinsta.com/blog/tls-1-3/

The Startup

Get smarter at building your thing. Join The Startup’s +792K followers.

Sign up for Top 10 Stories

By The Startup

Get smarter at building your thing. Subscribe to receive The Startup's top 10 most read stories — delivered straight into your inbox, once a week. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +792K followers.

M'hirsi Hamza

Written by

Cyber Security Architect

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +792K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store