Demystifying TLS
Adrien Thebo | Software Engineer | Puppet
Introduction
TLS == pain?
TLS Works!
What is TLS?
What does TLS do?
A brief crypto primer
Enthusiasm for prime numbers not required
A brief crypto primer
● Encryption and decryption
● Hash algorithms and message digests
● Digital signing
Symmetric algorithms
● Examples
○ AES (good)
○ Salsa20 (very good, not yet widely used)
○ Triple DES (old, slow, obsolete)
Asymmetric algorithms
● Main Examples
○ RSA (encryption + signing)
○ Diffie Hellman (encryption only)
● Signing only (we'll get to this later)
○ DSA
○ ECDSA
Symmetric vs asymmetric
Hashing algorithms
● Many examples
○ CRC32 (used in Ethernet)
● Not all hashes are meant to be secure!
Message digests
● Examples
○ MD5 (cracked in about 1 second on your phone)
○ SHA1 (First collision demonstrated 2017/02/23!)
○ SHA-256 (Pretty secure! For now.)
Digital signatures
● Back to asymmetric cryptography!
○ Private key can "sign" some information
○ Public key can verify that signature
Constructing TLS
Encryption
Key exchange
● Examples
○ RSA (good)
○ Diffie Hellman (better)
Key exchange + forward secrecy
● RSA: no forward secrecy
● (Ephemeral) Diffie Hellman: forward secrecy!
Authentication
● Asymmetric algorithms + TLS certificates
○ RSA
○ Other algorithms, but we're skipping them today
Certificate based authentication
● The important parts
a. An identity
■ email: [email protected]
■ dns: puppet.com
■ ip: 23.200.94.83
b. A public key
c. A signature
Authenticated key exchange
● Server certificate -> client
● Client verifies server certificate
● Client uses public key to authenticate key exchange
○ RSA: client and server encrypt session key with their RSA public keys
○ Diffie-Hellman + RSA: client and server sign their DH public keys with their RSA private keys
Preventing tampering
Message authentication
● Hash based message authentication
○ Hash(session secret + message)
○ MACs can't be forged!
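Added example (not from the original slides): the "Hash(session secret + message)" idea implemented with HMAC-SHA256, the standard keyed-hash construction, with a per-record sequence number in the MAC input so that replayed or reordered records fail verification as well as modified ones. The names `protect` and `verify`, the record layout and the sample key are assumptions made for illustration; this is a simplified model, not the TLS wire format.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to each record


def _tag(mac_key: bytes, seq: int, message: bytes) -> bytes:
    # HMAC instead of a bare hash(secret + message): the HMAC construction
    # is not affected by length extension on SHA-256.
    # The 64-bit big-endian sequence number binds the tag to the record's
    # position in the stream.
    data = struct.pack(">Q", seq) + message
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side: return message || tag (hypothetical record layout)."""
    return message + _tag(mac_key, seq, message)


def verify(mac_key: bytes, expected_seq: int, record: bytes) -> Optional[bytes]:
    """Receiver side: return the message if the tag is valid, else None."""
    if len(record) < TAG_LEN:
        return None  # too short to even contain a tag
    message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    # compare_digest runs in constant time, so the comparison does not
    # leak how many leading tag bytes were correct.
    if not hmac.compare_digest(tag, _tag(mac_key, expected_seq, message)):
        return None
    return message


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, stands in for the session secret
    record = protect(key, 0, b"GET / HTTP/1.1")
    tampered = bytearray(record)
    tampered[0] ^= 0x01  # one flipped bit in the message
    return {
        "intact": verify(key, 0, record),
        "tampered": verify(key, 0, bytes(tampered)),
        "replayed": verify(key, 1, record),  # same record, wrong position
        "wrong_key": verify(b"\x00" * 32, 0, record),
    }


if __name__ == "__main__":
    print(demo())
```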
Everything put together
● Secrecy
○ Key exchange
○ Session encryption
● Authentication
○ Asymmetric crypto (RSA)
○ Certificates (Contains identity + public key)
● Integrity
○ Message authentication
Further reading
● Cryptography Engineering
● Puppet HTTPS background reference
Thank you!