What is SSL?

SSL, or Secure Sockets Layer, is a legacy cryptographic protocol that offers end-to-end encryption. It provides a level of data integrity and privacy during network communication, which prevents eavesdropping and Man-in-the-Middle attacks on network traffic. SSL has since been replaced by TLS. However, the protocol is still often referred to as SSL even when TLS is being used.

Where is SSL/TLS Used?

  • Web browser;
  • Email;
  • Instant messaging;
  • Voice-over-IP (VoIP);
  • EMV payment card certificates;
  • Code signing certificate.

How Does it Work When Browsing the Internet?

SSL provides two necessary components of secure network communication. It provides confidentiality by encrypting the traffic between two endpoints. It provides data integrity by guaranteeing the data was not changed while in transit. Both of these are requirements when performing a financial transaction online, whether it be with a bank or an eCommerce website.

When connecting to a website that is running SSL or TLS, a handshake takes place. With symmetric cryptography, it is during this handshake that the keys are generated. The key generation process is based on a shared secret. The server and your client browser negotiate which protocol to use. That negotiation process might choose SSL1.0, SSLv2.0, SSLv3.0, TLS1.0, TLS1.1, TLS1.2 or the latest TLS1.3. The encryption algorithm and cipher are also agreed upon.

Browser to Server TLS Negotiation

TCP Three-Way Handshake

 

The client opens a web browser and enters an https:// URI. The client requests a TCP connection to the server on a specific port; typically port 443 is used for browser and web server communication. This negotiation process is commonly referred to as the “TCP three-way handshake”.

  1. Client sends a TCP SYN to the Server;
  2. Server receives the TCP SYN;
  3. Server responds with a TCP SYN-ACK;
  4. Client receives the TCP SYN-ACK;
  5. Client responds with a TCP ACK;
  6. Server receives the TCP ACK;
  7. TCP socket connection is established.

TLS Communication

  1. Client offers a list of ciphers and hash functions known as cipher suites;
  2. Server chooses one of the ciphers and hashes; the client agrees to use the cipher and hash;
  3. Server then identifies itself by sending an SSL/TLS certificate to the client;
  4. Client runs the certificate path validation algorithm specified in steps 6 and 7;
  5. The certificate's Subject or Common Name is compared to the domain name of the server;
  6. Verification takes place ensuring that the certificate is signed by a trusted CA;
  7. Once verified, a key is exchanged. Oftentimes this is a public key;
  8. Client and server now compute the key for symmetric encryption;
  9. Client tells the server that traffic between the two will be encrypted using the metadata that’s been exchanged. This is accomplished by sending an encryption and authentication message to the server;
  10. Server verifies the MAC and that encryption is a success;
  11. Server sends a message to the client stating as such;
  12. Encrypted communication between the client and server can now take place.
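
The name comparison in step 5, as an added example (not code from the original page), written in Python over certificate data in the dictionary layout returned by `ssl.SSLSocket.getpeercert()`. It goes beyond the step as written by checking subjectAltName DNS entries before the Common Name, the order RFC 6125 prescribes; the sample certificates and hostnames are constructed.

```python
# Added example: the name comparison from step 5 on constructed certificate data.
# Dict layout follows ssl.SSLSocket.getpeercert(); hostnames are made up (.test).

SAMPLE_SAN = {
    "subject": ((("commonName", "old.example.test"),),),
    "subjectAltName": (("DNS", "*.shop.example.test"), ("DNS", "example.test")),
}
SAMPLE_CN_ONLY = {"subject": ((("commonName", "mail.example.test"),),)}


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the requested hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never several
    if p[0] == "*":
        # Wildcard only as the complete left-most label, with at least two
        # fixed labels behind it, so "*.test" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial wildcards such as "w*" only match literally


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True when the certificate names cover `hostname`."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # With DNS entries in subjectAltName, the Common Name is not consulted.
        return any(name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and name_matches(value, hostname):
                return True
    return False
```

In a real client, `ssl.create_default_context()` turns this check on (`check_hostname`) together with the CA verification of step 6; the function above only illustrates the comparison itself.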

TLS/SSL Protocols

  • SSL, Secure Sockets Layer 1.0;
  • SSLv2, Secure Sockets Layer 2.0;
  • SSLv3, Secure Sockets Layer 3.0;
  • TLS1.0, Transport Layer Security 1.0;
  • TLS1.1, Transport Layer Security 1.1;
  • TLS1.2, Transport Layer Security 1.2;
  • TLS1.3, Transport Layer Security 1.3.

SSL/TLS Certificates Types

  • Domain Validation or DV;
  • Organization Validation or OV;
  • Extended Validation or EV.

What is a Cipher Suite?

  • A key exchange algorithm;
  • A bulk encryption cipher;
  • A digital signature scheme;
  • A Hash/MAC function.

OpenSSL 1.1.1 Cipher Suites

| Cipher Suite | Protocol | Key Exchange | Authentication | Encryption | MAC |
|---|---|---|---|---|---|
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 | any | any | CHACHA20/POLY1305(256) | AEAD |
| TLS_AES_256_GCM_SHA384 | TLSv1.3 | any | any | AESGCM(256) | AEAD |
| TLS_AES_128_GCM_SHA256 | TLSv1.3 | any | any | AESGCM(128) | AEAD |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
| DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 | ECDH | ECDSA | CHACHA20/POLY1305(256) | AEAD |
| ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 | ECDH | RSA | CHACHA20/POLY1305(256) | AEAD |
| DHE-RSA-CHACHA20-POLY1305 | TLSv1.2 | DH | RSA | CHACHA20/POLY1305(256) | AEAD |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | ECDSA | AESGCM(128) | AEAD |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | RSA | AESGCM(128) | AEAD |
| DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | DH | RSA | AESGCM(128) | AEAD |
| ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 |
| DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) | SHA256 |
| ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 | ECDH | ECDSA | AES(128) | SHA256 |
| ECDHE-RSA-AES128-SHA256 | TLSv1.2 | ECDH | RSA | AES(128) | SHA256 |
| DHE-RSA-AES128-SHA256 | TLSv1.2 | DH | RSA | AES(128) | SHA256 |
| ECDHE-ECDSA-AES256-SHA | TLSv1 | ECDH | ECDSA | AES(256) | SHA1 |
| ECDHE-RSA-AES256-SHA | TLSv1 | ECDH | RSA | AES(256) | SHA1 |
| DHE-RSA-AES256-SHA | SSLv3 | DH | RSA | AES(256) | SHA1 |
| ECDHE-ECDSA-AES128-SHA | TLSv1 | ECDH | ECDSA | AES(128) | SHA1 |
| ECDHE-RSA-AES128-SHA | TLSv1 | ECDH | RSA | AES(128) | SHA1 |
| DHE-RSA-AES128-SHA | SSLv3 | DH | RSA | AES(128) | SHA1 |
| RSA-PSK-AES256-GCM-SHA384 | TLSv1.2 | RSAPSK | RSA | AESGCM(256) | AEAD |
| DHE-PSK-AES256-GCM-SHA384 | TLSv1.2 | DHEPSK | PSK | AESGCM(256) | AEAD |
| RSA-PSK-CHACHA20-POLY1305 | TLSv1.2 | RSAPSK | RSA | CHACHA20/POLY1305(256) | AEAD |
| DHE-PSK-CHACHA20-POLY1305 | TLSv1.2 | DHEPSK | PSK | CHACHA20/POLY1305(256) | AEAD |
| ECDHE-PSK-CHACHA20-POLY1305 | TLSv1.2 | ECDHEPSK | PSK | CHACHA20/POLY1305(256) | AEAD |
| AES256-GCM-SHA384 | TLSv1.2 | RSA | RSA | AESGCM(256) | AEAD |
| PSK-AES256-GCM-SHA384 | TLSv1.2 | PSK | PSK | AESGCM(256) | AEAD |
| PSK-CHACHA20-POLY1305 | TLSv1.2 | PSK | PSK | CHACHA20/POLY1305(256) | AEAD |
| RSA-PSK-AES128-GCM-SHA256 | TLSv1.2 | RSAPSK | RSA | AESGCM(128) | AEAD |
| DHE-PSK-AES128-GCM-SHA256 | TLSv1.2 | DHEPSK | PSK | AESGCM(128) | AEAD |
| AES128-GCM-SHA256 | TLSv1.2 | RSA | RSA | AESGCM(128) | AEAD |
| PSK-AES128-GCM-SHA256 | TLSv1.2 | PSK | PSK | AESGCM(128) | AEAD |
| AES256-SHA256 | TLSv1.2 | RSA | RSA | AES(256) | SHA256 |
| AES128-SHA256 | TLSv1.2 | RSA | RSA | AES(128) | SHA256 |
| ECDHE-PSK-AES256-CBC-SHA384 | TLSv1 | ECDHEPSK | PSK | AES(256) | SHA384 |
| ECDHE-PSK-AES256-CBC-SHA | TLSv1 | ECDHEPSK | PSK | AES(256) | SHA1 |
| SRP-RSA-AES-256-CBC-SHA | SSLv3 | SRP | RSA | AES(256) | SHA1 |
| SRP-AES-256-CBC-SHA | SSLv3 | SRP | SRP | AES(256) | SHA1 |
| RSA-PSK-AES256-CBC-SHA384 | TLSv1 | RSAPSK | RSA | AES(256) | SHA384 |
| DHE-PSK-AES256-CBC-SHA384 | TLSv1 | DHEPSK | PSK | AES(256) | SHA384 |
| RSA-PSK-AES256-CBC-SHA | SSLv3 | RSAPSK | RSA | AES(256) | SHA1 |
| DHE-PSK-AES256-CBC-SHA | SSLv3 | DHEPSK | PSK | AES(256) | SHA1 |
| AES256-SHA | SSLv3 | RSA | RSA | AES(256) | SHA1 |
| PSK-AES256-CBC-SHA384 | TLSv1 | PSK | PSK | AES(256) | SHA384 |
| PSK-AES256-CBC-SHA | SSLv3 | PSK | PSK | AES(256) | SHA1 |
| ECDHE-PSK-AES128-CBC-SHA256 | TLSv1 | ECDHEPSK | PSK | AES(128) | SHA256 |
| ECDHE-PSK-AES128-CBC-SHA | TLSv1 | ECDHEPSK | PSK | AES(128) | SHA1 |
| SRP-RSA-AES-128-CBC-SHA | SSLv3 | SRP | RSA | AES(128) | SHA1 |
| SRP-AES-128-CBC-SHA | SSLv3 | SRP | SRP | AES(128) | SHA1 |
| RSA-PSK-AES128-CBC-SHA256 | TLSv1 | RSAPSK | RSA | AES(128) | SHA256 |
| DHE-PSK-AES128-CBC-SHA256 | TLSv1 | DHEPSK | PSK | AES(128) | SHA256 |
| RSA-PSK-AES128-CBC-SHA | SSLv3 | RSAPSK | RSA | AES(128) | SHA1 |
| DHE-PSK-AES128-CBC-SHA | SSLv3 | DHEPSK | PSK | AES(128) | SHA1 |
| AES128-SHA | SSLv3 | RSA | RSA | AES(128) | SHA1 |
| PSK-AES128-CBC-SHA256 | TLSv1 | PSK | PSK | AES(128) | SHA256 |
| PSK-AES128-CBC-SHA | SSLv3 | PSK | PSK | AES(128) | SHA1 |

Cyber Defense Contractors Approved Cipher Suites

| Cipher Suite | Protocol | Key Exchange | Authentication | Encryption | MAC |
|---|---|---|---|---|---|
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
| DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD |
| ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 |
| DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) | SHA256 |
| RSA-PSK-AES256-GCM-SHA384 | TLSv1.2 | RSAPSK | RSA | AESGCM(256) | AEAD |
| DHE-PSK-AES256-GCM-SHA384 | TLSv1.2 | DHEPSK | PSK | AESGCM(256) | AEAD |
| AES256-GCM-SHA384 | TLSv1.2 | RSA | RSA | AESGCM(256) | AEAD |
| PSK-AES256-GCM-SHA384 | TLSv1.2 | PSK | PSK | AESGCM(256) | AEAD |
| AES256-SHA256 | TLSv1.2 | RSA | RSA | AES(256) | SHA256 |
| TLS_AES_256_GCM_SHA384 | TLSv1.3 | any | any | AESGCM(256) | AEAD |
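
An added example (not code from the original page) that audits a cipher listing against the approved table above. It assumes the listing is in the `Kx=`/`Au=`/`Enc=`/`Mac=` layout that `openssl ciphers -v` prints, which carries the same six columns as the tables; the server listing is constructed, and the columns reported for each rejected suite are computed from the approved table's values, not a policy the page states.

```python
import re

# The page's approved table, retyped in `openssl ciphers -v` layout.
APPROVED_TABLE = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
"""

# Constructed sample: what a server's cipher string might expand to.
SERVER_LISTING = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

ROW = re.compile(r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
FIELDS = ("name", "protocol", "kx", "au", "enc", "mac")

def parse_listing(text):
    """One dict per suite line; lines that do not fit the layout are skipped."""
    return [dict(zip(FIELDS, m.groups()))
            for m in map(ROW.fullmatch, map(str.strip, text.splitlines())) if m]

def audit(listing, approved_table=APPROVED_TABLE):
    """Map each suite outside the approved table to the columns that set it apart."""
    approved = parse_listing(approved_table)
    names = {s["name"] for s in approved}
    seen = {f: {s[f] for s in approved} for f in FIELDS[1:]}
    findings = {}
    for suite in parse_listing(listing):
        if suite["name"] not in names:
            findings[suite["name"]] = [f for f in FIELDS[1:] if suite[f] not in seen[f]]
    return findings
```

The Protocol column in such a listing is the earliest protocol version a suite is defined for, not the version a connection will negotiate, so the minimum protocol version still has to be set separately in the server or client configuration.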
