7.1.1 - Transport Layer Security (TLS)

Description and Tags

Flashcards about Transport Layer Security (TLS), its purpose, implementation, and versions.

14 Terms

1

Why was Transport Layer Security (TLS) developed?

To address the lack of security mechanisms in the original TCP/IP application protocols, which made services vulnerable to spoofing, eavesdropping, and unauthorized modification.

2

Where does TLS operate in the TCP/IP stack?

Between the Application and Transport layers of the TCP/IP stack, or at the Session layer in OSI terms.

3

What is TLS normally used for?

To authenticate and encrypt TCP connections.

4

When TLS is used with the HTTP application, what is it referred to as?

HTTP Secure (HTTPS).

5

Besides HTTP, what other TCP applications can TLS be used to secure?

DNS, NTP, FTP, POP3/IMAP, SMTP, and LDAP.

6

What is TLS referred to as when used with UDP, and where is it most often used?

Datagram Transport Layer Security (DTLS). It is most often used in virtual private networking (VPN) solutions.

7

To implement TLS, what is installed on the server?

A digital certificate issued by a trusted certificate authority (CA).

8

During a TLS handshake, what does the server provide to the client, and what does it contain?

The server provides its certificate to the client to prove its identity (assuming the client trusts the CA). The certificate contains the public key part of a public/private encryption key pair.

9

If authentication is successful, how do the server and client establish a secure communication channel?

The server and client use the key pair in the digital certificate and a chosen cryptographic cipher suite within the TLS protocol to set up an encrypted tunnel.

10

How does TLS protect communications from third parties?

Even if someone knows the public key, they cannot decrypt the contents of the tunnel without obtaining the server's private key, ensuring communications cannot be read or changed by a third party.

11

What mechanism can the latest versions of TLS use to prevent decryption of captured packets, even if the server's private key is obtained?

Perfect Forward Secrecy (PFS). When configured, not even obtaining the server's private key allows decryption of captured packets.

12

What is the current version of TLS at the time of writing, and why are older versions often disabled?

TLSv1.3. Servers are often configured to use only TLSv1.3 or TLSv1.2 due to weaknesses in older versions.

13

Besides a compatible version, what else must the client and server agree on when using TLS?

The client and server must be able to agree on a mutually supported cipher suite.

14

What older protocol was TLS developed from, and what is its current status?

Secure Sockets Layer (SSL). SSL is now completely obsolete.