Chapter 3: Secure links

1. Introduction to TLS

• Runs on top of TCP
• Protects against man-in-the-middle attacks
• Provides encryption, authentication, integrity
• Used by protocols like HTTP for secure communication

2. Encryption in TLS

• Uses two types of encryption:

  a. Asymmetric: For initial handshake

  • Slower but secure
  • Uses private-public key pairs
  • Shared secret never transmitted

  b. Symmetric: For ongoing communication

  • Faster and efficient
  • Uses shared key
  • Key periodically renegotiated

• Modern processors have built-in crypto support

• Recommendation: Use TLS for all communications

3. Authentication Process

• Server authentication is essential
• Uses digital signatures with asymmetric cryptography
• Components:
  • Root CA (self-signed)
  • Intermediate CAs
  • Service certificates
• Certificate verification requires:
  • Checking expiration dates
  • Verifying digital signatures
  • Trusted root CA in client's store
• Important: Monitor certificate expiration to prevent service outages

4. Integrity Protection

• Prevents data tampering
• Uses HMAC (Hash-based Message Authentication Code)
• Verifies message authenticity
• Protects against:
  • Deliberate tampering
  • Data corruption
• TCP checksum limitations:
  • 1 error per 16M-10B packets
  • Can fail every 16GB-10TB

5. TLS Handshake

• Three main steps:
  1. Cipher suite negotiation
  2. Key exchange
  3. Certificate verification
• Performance considerations:
  • TLS 1.2: 2 round trips
  • TLS 1.3: 1 round trip
• Some good practices to follow:
  • Keep servers geographically close
  • Reuse connections when possible
  • Use connection pooling

All sensitive communications should use TLS unless there's a compelling reason not to.