This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
definition_notes.txt
38 lines (34 loc) · 2.86 KB
/
definition_notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
- TLS Transport Layer Security - A protocol to provide communications
security over the Internet. It allows client/server applications to
communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery.
- SSL Secure Sockets Layer - See above. This was the protocol as originally
defined at Netscape and went through several revisions before being
replaced by TLS based on SSL 3.0.
- PKI Public Key Infrastructure - A set of hardware, software, people, policies,
and procedures needed to create, manage, distribute, use, store, and
revoke digital certificates
- CA Certificate Authority - An entity that issues digital certificates
- D-H Diffie-Hellman key exchange - A method for two parties that have no
prior knowledge of each other to jointly establish a shared secret key
over an insecure communication channel
- MitM Man-in-the-middle attack - A form of active eavesdropping where the
attacker makes independent connections with the victims and relays
messages between them. Victims believe that they are securely talking
directly to each other but the channel is controlled by the attacker.
- WoT Web of Trust - A means for systems to establish the authenticity of the
binding between a public key and its owner based on a series of trust
assertions. An alternative to the more hierarchical PKI/CA approach.
Algorithm breakdown:
- The key exchange algorithm is used to determine if and how the client and server will authenticate during the handshake.
= The bulk encryption algorithm is used to encrypt the message stream. It also includes the key size and the lengths of explicit and implicit initialization vectors (cryptographic nonces).
= The message authentication code (MAC) algorithm is used to create the message digest, a cryptographic hash of each block of the message stream.
= The pseudorandom function (PRF) is used to create the master secret, a 48-byte secret shared between the two peers in the connection. The master secret is used as a source of entropy when creating session keys, such as the one used to create the MAC.
- FTP: FTPS (explicit) over standard FTP via "AUTH TLS"
- This is not the same as SFTP (file transfer via SSH)
- SMTP: Using STARTTLS enabling a plain text connection to upgrade to an encrypted connection on the same port
- NNTP: Network News Transfer Protocol as NNTPS (port 563)
- XMPP: Used to encrypt the communication channel. Simple Authentication and Security Layer (SASL) is used for authentication
- VPN: OpenVPN uses TLS for key exchange
- SIP: Encrypted on port 5061
HSTS: HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTP connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.