SSL & TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
SSL and TLS are cryptographic protocols. They provide authentication, confidentiality and integrity for data exchanged between servers, machines, and applications operating over a network. SSL is the deprecated predecessor of TLS: all SSL versions and TLS 1.0 and 1.1 have been formally deprecated, and TLS 1.2 and 1.3 are the versions in current use.
High Level Benefits
Enables Secure Internet Connection
Safeguards Sensitive Data Between Systems
Prevent Eavesdroppers From Accessing Information in Transit
Ensure Data Transferred is Unreadable to Anyone but the Endpoints
Use Encryption Algorithms to Scramble Data
Protect Sensitive or Personal Data
Why is TLS important?
Without TLS, data transmitted over the internet travels in cleartext, so anyone on the network path (an ISP, a compromised router, another user on the same Wi-Fi network) can read or alter it.
This includes:
Login Details
Credit Card Details
Email Correspondence
Personal Details
Browsing Habits
Conference Calls
Enabling TLS, and requiring it, on both client and server applications ensures that data transmitted between them is encrypted with secure algorithms and cannot be read or silently modified by third parties.
Encryption alone is not complete security: the client must also verify that the system it is connecting to is the one it claims to be. This is done with a publicly trusted X.509 Public Key Infrastructure (PKI) or, for internal systems, a private CA that the clients have been explicitly configured to trust.
Evolution of SSL and TLS
How does it work?
TLS uses a combination of symmetric and asymmetric cryptography.
Symmetric cryptography: data is encrypted and decrypted with a secret key known to both sender and recipient. Symmetric cryptography is efficient in terms of computation, but having a common secret key means it needs to be shared in a secure manner.
Asymmetric cryptography: uses key pairs, a public key and a private key. The public key is mathematically related to the private key, but given sufficient key length it is computationally impractical to derive the private key from the public key. The sender can therefore encrypt data with the recipient's public key that only the recipient's private key can decrypt, and the holder of a private key can sign data that anyone with the public key can verify, which is how a TLS server proves its identity.
The advantage of asymmetric cryptography is that public keys do not have to be kept confidential, only authentic: a public key can be sent over an open channel, but the recipient must be sure whose key it is, which is the problem certificates solve. The cost is that asymmetric operations are far slower and need much larger keys than symmetric ones (for example 2048-bit RSA or 256-bit elliptic-curve keys against a 128- or 256-bit AES key).
TLS uses asymmetric cryptography during the handshake to authenticate the server and to agree on a shared secret. In TLS 1.3 the key agreement is always an ephemeral (elliptic-curve) Diffie-Hellman exchange; older versions also allowed RSA key transport, in which the client encrypted a secret to the server's public key. Symmetric session keys for encrypting and integrity-protecting the data in both directions are derived from that secret, used for the life of the connection, and discarded afterwards. With ephemeral key agreement, a later compromise of the server's long-term private key does not expose past sessions (forward secrecy).
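The following Go program is an added example written for this page, not code from the original text, showing the pattern described above in miniature: an ephemeral X25519 key agreement (the asymmetric step) yields a shared secret, a symmetric session key is derived from it, and that key protects a record with AES-256-GCM. The key derivation (HMAC-SHA256 with a fixed label) and the function names SessionKey, Seal, Open and Exchange are this example's simplifications; real TLS 1.3 derives several keys with HKDF bound to the handshake transcript, and authenticates the server's key share with a certificate, which this snippet omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SessionKey derives a 256-bit symmetric key from an X25519 shared secret; only public
// keys cross the wire. HMAC-SHA256 with a fixed label is this example's stand-in for
// HKDF (TLS 1.3 runs HKDF over the shared secret and the handshake transcript).
func SessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, []byte("example session key"))
	kdf.Write(shared)
	return kdf.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one record under the session key with AES-256-GCM.
// Output layout is nonce || ciphertext || tag, with a fresh random nonce per record.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if any bit of the record was altered in transit.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// Exchange runs the flow once: both sides generate ephemeral key pairs, swap public keys,
// derive the same session key, and the client sends one protected record; it returns what the server read.
func Exchange(msg string) (string, error) {
	clientPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	serverPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	// Each side combines its own private key with the other's public key.
	clientKey, err := SessionKey(clientPriv, serverPriv.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	serverKey, err := SessionKey(serverPriv, clientPriv.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	record, err := Seal(clientKey, []byte(msg))
	if err != nil {
		return "", err
	}
	plain, err := Open(serverKey, record)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	fmt.Println(Exchange("GET / HTTP/1.1"))
}
```

Because the key pairs are generated inside Exchange and discarded when it returns, nothing persists that could decrypt the record later, which is the forward-secrecy property mentioned above. Flipping a single byte of the record makes Open fail, which is the integrity guarantee the text refers to.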
With TLS the client must be able to verify that the public key it is handed really belongs to the server it intends to reach. This is normally done with an X.509 digital certificate issued by a trusted third party, a Certificate Authority (CA), which binds the public key to the server's name and vouches for that binding.
Disadvantages
A side effect of TLS is that encrypted connections set up by malicious software, such as those between malware and its command-and-control servers, can no longer be inspected on the wire.
This hampers network-based detection.
A related development is that bona fide encrypted services offered by reputable cloud providers are increasingly misused for malicious purposes, for example as command-and-control relays or exfiltration endpoints, which limits the effectiveness of blocking by IP address or URL alone.
TLS Interception
Transport Layer Security interception (TLS interception) intercepts encrypted connections to make them accessible for inspection.
TLS interception can be carried out for all types of TLS connections, including HTTPS for web traffic and SMTP with STARTTLS for e-mail.
Organisations usually use TLS interception to detect and block malicious content, such as malware, and data leakage inside encrypted connections.
How to Use
– TLS interception means that an organisation positions a TLS proxy between its own clients and the servers they connect to, in order to gain access to the content of the TLS connection.
– Organisations usually apply TLS interception to the Internet connection to block inbound malware and prevent the leakage of confidential organisational data.
– There are a number of important preconditions for implementing TLS interception in a secure and responsible manner, including a prior review of privacy aspects, correct configuration and the security of the TLS proxy and the controlled roll-out of certificates.
– TLS interception should not be implemented separately but as an integral and carefully considered component of a broader set of measures for the implementation of information security policy.
How Does TLS Interception Work?
- The TLS proxy intercepts the client's request to start an encrypted connection with the server and impersonates that server towards the client.
- Normally the client will refuse this, because it cannot authenticate the proxy's certificate as belonging to the server.
- To make the client trust the TLS proxy, the proxy's root certificate (root CA) must be installed in the client's trust store, typically through central management (group policy, MDM).
- The client will subsequently trust every certificate signed with this root certificate (root CA). The proxy's signing key must therefore be protected like any CA key: whoever holds it can impersonate any site to every managed client. Applications that pin certificates will still refuse the proxy's certificate and have to be exempted from interception.
- For every server and corresponding domain name with which a client wishes to make a connection, the TLS proxy creates a certificate whose subject (Subject Alternative Name) matches the requested domain, signed by the root certificate (root CA) of the TLS proxy.
- The client accepts the server certificate signed by the TLS proxy and sets up an encrypted connection with the TLS proxy. Next, the TLS proxy sets up an encrypted connection with the server and forwards the traffic between the client and the server.
- Since the TLS proxy is now located between the two encrypted connections, it can inspect and forward all traffic to the detection system. The detection system can be integrated in the TLS proxy or can be a separate appliance.
- Inspection is carried out only at transport level: the proxy removes the TLS layer, nothing more. If an application, such as malware, also applies its own encryption to its payload, the proxy sees only that inner ciphertext and will usually not be able to remove it.
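The steps above, as an added example written for this page in Go rather than taken from any proxy product: a proxy root CA is generated, a leaf certificate for the requested host is forged and signed by that root, and a client connects to the proxy over a loopback socket. A client whose trust store holds the proxy root completes the handshake and the proxy reads the plaintext; a client with an empty trust store rejects the certificate, exactly as described. The CA name "Example Corp TLS Proxy Root", the host www.example.com and the function names NewProxyCA, ForgeLeaf and Intercept are constructed for this example, and the proxy's second leg (its own TLS connection onward to the real server) is omitted to keep the program short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// NewProxyCA creates the proxy's self-signed root (subject name constructed for this example).
func NewProxyCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp TLS Proxy Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ForgeLeaf mints a server certificate for the requested host, signed by the proxy root.
func ForgeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN is what the client actually matches against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Intercept plays a client connecting to host through the proxy on a loopback socket and
// verifying the forged chain against roots: a pool holding the proxy root models a provisioned
// client, an empty pool one that was never provisioned. It returns the plaintext the proxy read.
func Intercept(host, msg string, leaf tls.Certificate, roots *x509.CertPool) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	seen := make(chan string, 1)
	go func() { // proxy side: terminate TLS with the forged certificate
		raw, err := ln.Accept()
		if err != nil {
			seen <- ""
			return
		}
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{leaf}})
		defer srv.Close()
		plain, _ := io.ReadAll(srv) // empty if the client refused the handshake
		seen <- string(plain)       // this is the inspection point
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: roots})
	if err != nil {
		return "", err // e.g. "x509: certificate signed by unknown authority"
	}
	_, werr := cli.Write([]byte(msg))
	cli.Close() // sends close_notify, so the proxy's ReadAll returns
	return <-seen, werr
}

func main() {
	ca, caKey, _ := NewProxyCA()
	leaf, _ := ForgeLeaf("www.example.com", ca, caKey)
	provisioned := x509.NewCertPool() // an empty pool trusts nothing until the root is added
	provisioned.AddCert(ca)
	fmt.Println(Intercept("www.example.com", "GET / HTTP/1.1", leaf, provisioned))
	fmt.Println(Intercept("www.example.com", "GET / HTTP/1.1", leaf, x509.NewCertPool()))
}
```

The first call prints the request the proxy decrypted; the second fails with a certificate verification error, because the forged leaf chains only to the proxy root. Passing an explicit empty pool rather than nil matters: in Go a nil RootCAs means the system trust store, which is exactly where a provisioned client would have the proxy root installed.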