LATEST INTELLIGENCE
TLS provides three key services:
• Confidentiality: ensuring that anyone intercepting the communications between the client and server cannot decipher that content.
• Authentication: ensuring that a client is in fact talking to the server that the client thinks it is talking to. Optionally, the server can authenticate the client, but this is rare.
• Integrity: ensuring that the messages and communication have not been corrupted or tampered with.
Confidentiality is ensured by symmetric cryptography, the keys for which are negotiated during the TLS handshake. Authenticity is established using certificates, again exchanged during the initial handshake, and maintained through the session using either HMAC (Hash-based Message Authentication Code) or AEAD (Authenticated Encryption with Associated Data), depending on the negotiated cipher suite. Integrity is ensured by a Message Authentication Code (MAC).
Changes in TLS 1.3 and their implications
TLS 1.2 provided cipher suites offering a choice of KEA (key exchange algorithm), which meant a non-PFS (perfect forward secrecy) cipher suite, typically static RSA key exchange, could be used to support passive interception: a party holding the server's private key can decrypt captured traffic after the fact. TLS 1.3 has removed the static RSA and Diffie-Hellman cipher suites and supports only KEAs that provide PFS.
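As an added example (not from the article), this Python script classifies IANA cipher-suite names by the properties discussed above: whether the key exchange is ephemeral and so offers PFS, whether record protection uses AEAD or an HMAC, and whether the suite is TLS 1.3-only, then lists the non-PFS suites an auditor would want to find. The list of offered suites is constructed, and the parsing assumes names follow the IANA registry convention (TLS_<KEA>_WITH_<cipher>_<hash> for TLS 1.2 and earlier).

```python
# Classify IANA TLS cipher-suite names by key exchange (PFS or static) and record
# protection (AEAD or HMAC), then flag the non-PFS suites an auditor wants to find.
from dataclasses import dataclass

EPHEMERAL_KEA = {"DHE", "ECDHE"}              # key exchanges that give forward secrecy
AEAD_MARKERS = ("_GCM_", "_CCM_", "_POLY1305_")

@dataclass(frozen=True)
class SuiteInfo:
    name: str
    tls13: bool   # TLS 1.3-only suite (no key exchange named in the suite)
    kea: str      # key exchange / authentication part of the name
    pfs: bool     # True when the key exchange is ephemeral (EC)DHE
    aead: bool    # True for AEAD record protection, False for HMAC (CBC suites)

def classify(name: str) -> SuiteInfo:
    """Parse one IANA name such as TLS_RSA_WITH_AES_128_GCM_SHA256."""
    n = name.strip().upper()
    if not n.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher-suite name: {name!r}")
    body = n[len("TLS_"):]
    if "_WITH_" not in body:
        # TLS 1.3 suites name only the AEAD and hash; the key exchange is always
        # ephemeral (EC)DHE negotiated separately, so they are all PFS and AEAD.
        return SuiteInfo(name, True, "(EC)DHE, negotiated separately", True, True)
    kea_part, cipher_part = body.split("_WITH_", 1)
    kx = kea_part.split("_")[0]               # RSA, DHE, ECDHE, DH, ECDH, PSK, ...
    aead = any(m in f"_{cipher_part}_" for m in AEAD_MARKERS)
    return SuiteInfo(name, False, kea_part, kx in EPHEMERAL_KEA, aead)

def non_pfs_suites(offered):
    """Suites whose recorded traffic can later be decrypted by anyone holding the
    server's long-term private key, which is what passive interception relies on."""
    return [s for s in map(classify, offered) if not s.pfs]

# Constructed sample: what a scanner might report as a server's offered suites.
SAMPLE_OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for s in map(classify, SAMPLE_OFFERED):
        print(f"{s.name:42} TLS1.3={s.tls13!s:5} PFS={s.pfs!s:5} AEAD={s.aead!s:5}")
    print("non-PFS:", [s.name for s in non_pfs_suites(SAMPLE_OFFERED)])
```

Running it against a real server's offered list shows at a glance which suites would still let a holder of the server's private key decrypt recorded sessions, and which rely on HMAC rather than AEAD for record protection.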
TLS 1.3 brings several changes that improve performance and security while removing complexity and simplifying the protocol stack. However, there are implications for enterprises that rely on network-based security solutions for compliance, risk management and threat hunting.
www.intelligentcio.com
INTELLIGENTCIO