Breaking Down the TLS Handshake

Captions
Hey everybody, John Wagnon here with DevCentral. We're coming to you with another Lightboard Lesson video, and today we're going to talk about the TLS handshake. We actually did this a while back as a Whiteboard Wednesday video, but we wanted to bring this experience to you on the lightboard, so we're going to go over kind of the same basic idea, but doing it on the lightboard.

So a lot of applications today use HTTPS encryption, you know, between client and server, and so it's important to know how that whole encryption begins and is established and all that stuff, and that's what the TLS handshake is all about. So to kind of take a step back really quick, the predominant idea behind this is that the client needs to talk to the server in a secure manner, and they need to encrypt that communication. Well, for encryption you have to have an encryption key that encrypts all the data, and, you know, if you go way back into way old-school, you would have an encryption key that would have to be passed around, you know, between... maybe you'd have a courier that would, like, drive it down the road or put it on a ship and, you know, ship it across the ocean or whatever. But nonetheless, both parties had to have the encryption key. This is for symmetric encryption, in order to encrypt and decrypt. And so today that's not very viable, so we needed a way to say, let's share keys back and forth so that the client and the server can both have a symmetric encryption key, because symmetric encryption is a lot more efficient, a lot faster than asymmetric encryption. But nonetheless we've got to be able to share that key; they both need to have the same key. So that's where this whole handshake comes in, and it establishes the encrypted communication between client and server.

So I'm going to draw kind of a waterfall effect here between a client, and then I'm going to put BIG-IP right here, so BIG-IP. Alrighty, so if you have a client, maybe this is your web browser, you know, Google Chrome or, you know, Safari or Firefox, whatever it is, you have a client that then wants to establish a connection with us, and in this case the BIG-IP, which by the way, on the BIG-IP this should be a client-side connection. You can also have a server-side connection TLS handshake from the BIG-IP to, like, a back-end server, but we'll just look at the front-end on this one.

So you've got a client that wants to establish secure communication with the BIG-IP, and the first thing that happens is the client sends what's called a hello message, so it's a client hello, and that includes several things, like maybe the version number of the protocol that you use, then, like TLS version 1.2 or maybe 1.3, whatever it is. Another thing that's going to be included in that is the cipher suites that this client can support, and so if you have a pretty modern browser that's up to date, whatever, maybe it can support some pretty sophisticated encryption, you know, types or cipher suites, and so it's going to let the server know, hey, these are all the different cipher suites that I can support. And then on the BIG-IP side, the BIG-IP is going to say, hey, these are all the cipher suites that I as a web server then am going to support as well. That's why it's really important to establish the order of precedence on the cipher suites on your BIG-IP, because if a client comes in and says, hey, I only want, like, this really low-level, really basic, maybe not very secure encryption, it comes in, and the BIG-IP, if you want to be able to support that, you've got to configure that on the BIG-IP. Or maybe there are certain cipher suites that are so outdated or so full of vulnerabilities that you don't want to support them; you've got to make sure that you exclude those on the BIG-IP. But nonetheless, the client sends the hello, it includes the cipher suites that are supported, the BIG-IP gets to choose the cipher suite that is going to be used in this whole communication, this whole handshake.

And so that gets sent, so once the BIG-IP gets that, they choose the cipher suite based on the available cipher suites from the client. Then the BIG-IP is then going to send a server hello, so that's a hello as well, back to the client, and then it's also, along with that, going to send the certificate that that web server is going to have, you know, attached to it, that this client is wanting to access. And so the certificate includes a lot of different things; in fact, we can link to this video, we've got some other content that tells you what's in a certificate on a secure web server, but one of the key things that's in the certificate is the public key for the server, and this goes back to that asymmetric encryption I was talking about that needs to happen in order to get you ultimately to the symmetric encryption that ultimately takes place for the bulk encryption. All right, but the certificate is sent from the server back to the client. The certificate includes, I'll put it right here, public key, and that's important because the client can then use that public key to encrypt things and send it back to the server, and then the server will be able to decrypt things using the private key that it has, in order to decrypt things that were encrypted with the public key. All right, so when it sends the certificate back, the client actually checks that certificate for validity and makes sure that the certificate is not revoked, that it's a good certificate, all those kinds of things, and once that's good, then it knows, hey, we're dealing with a good, valid certificate here. After the server sent that, it also sends a server, or, I'm sorry, a hello done message, so the hello portion of this whole communication is now done. And then at that point the client has the public key, and then it does what's called, I'm going to call it a pre-master secret; it generates that based on some of the values of the public key, and it generates that, what I'll call a premaster secret. It generates that and then it encrypts that with the public key, and it sends that back to the server, and it sends that back on what we'll call a key exchange, so I'll put key exchange right there.

And then on the key exchange, that includes this premaster secret that has been encrypted with the public key, and then the BIG-IP, or the server in this case, is obviously going to receive that premaster secret, so premaster secret over here, and because that was encrypted with the public key, remember the server has the private key, so it can decrypt that, and when it decrypts that, it also has the premaster secret. So now they're looking at that and they both have the same thing. Based on that premaster secret, they both go through a series of calculations and they generate what's now the symmetric encryption key that's going to be used to encrypt everything from that point forward. And so after the client sends that key exchange information with the premaster secret that's been encrypted with the public key, then it's going to send another message that says client finished, so I'll put client finished here. All right, so the client part is finished, and then the server then is also going to generate that symmetric key, and so it is going to send a message back, and it's called change cipher spec, it's a spec right there. So the BIG-IP sends that back, change cipher spec, which by the way, this is also, I'll put change cipher spec here as well, because essentially what is happening in this key exchange is that the client is saying, I have encrypted what I'm calling my premaster secret, I'm going to send it over to you, and as I'm doing that, I'm also going to generate now what is going to be, I'll put the symmetric key around here, symmetric key that it has now generated, and that's going to be the key that's used to encrypt all of the future bulk encryption information that goes on after all this stuff is done.

All right, so the key exchange information, change cipher spec, the BIG-IP also generates this, what would be the same symmetric key, because this symmetric key is based on the premaster secret that was generated before, so it creates the same symmetric key, so I'll just put that over here, and because it's a symmetric key and because that's based on that premaster secret, they can both calculate the exact same symmetric key. So now they've both calculated the same symmetric key, change cipher spec is sent back, and basically what the change cipher spec is, is that it's each of these two telling the other, hey, I am changing now from the asymmetric encryption over to the symmetric encryption; that way, when we do the bulk encryption, it's going to be more efficient, and we're going to use symmetric encryption for the bulk encryption. Alrighty, so now that they've both got the symmetric key calculated, change cipher spec, so now the server, the VIP, has told the client, I am now changing over to symmetric encryption as well, then it sends a finished message, a server finished message; it's not very good penmanship, I apologize. And then after that, I'll just put kind of a line right here, and this is the data that's encrypted, I'll draw, like, a little lock right here, it's encrypted, this is like the bulk encryption. Alrighty, so this is data encrypted with the symmetric key that now both of them have generated, you know, based on all this different stuff that we've talked about.

So essentially, again, what happens is the client sends a hello message to the server, the server sends back the public key information, the certificate, all that kind of stuff, and then ultimately they go through this asymmetric key exchange, you know, iterations of actions, in order to ultimately get down to symmetric bulk encryption. And it's interesting, because if you look at the actual cipher suite that would be offered up by the client, or offered up by the server, or ultimately, like I said, it's chosen at the server level, if you look at that, it's got a bunch of stuff, like maybe RSA, you know, SHA, which gets into, like, some secure hashing, like hashing algorithms; RSA or, like, elliptic curve Diffie-Hellman, so the RSA or elliptic curve Diffie-Hellman is dealing with this whole key exchange portion of the handshake. But then if you look beyond that in the cipher suite, you'll see stuff like AES, maybe like AES-GCM, which is a counter... it's a mode of AES, and it's got the key strength and all that. So the reason that you have all those different parts of the cipher suite is part of it deals with the key exchange portion, and then the other part deals with the bulk data symmetric encryption down here. So, like, this down here is going to be AES, for example, while all this stuff up here is maybe, like, you know, either RSA or maybe Diffie-Hellman elliptic curve, you know, something like that, and so that's why you have kind of two of those. So if you ever look at that cipher suite and you wonder what is all this stuff, that's what it is. We've got some other content that explains that in a little more detail as well; we can link to it. All right, so hopefully you've learned a couple of things about how the client establishes communication with the server in the context of a TLS handshake. This stuff happens all the time; it's extremely expensive computationally, and that's why the BIG-IP is such a good thing to have, because the F5 BIG-IP just excels in this stuff. It does a really, really great job making sure all this stuff happens really, really quickly. So anyway, thanks for joining us today, hopefully you've learned a couple things about TLS and handshakes, and we'll see you guys out there in the community.
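The two server-side steps the lesson walks through, the cipher suite choice (by the server's own order of precedence, with outdated suites excluded) and both sides deriving the same symmetric key from the premaster secret, as an added Python example that is not part of the video or of any F5 product. The cipher suite lists are constructed samples, the key derivation is the TLS 1.2 PRF from RFC 5246 with a random 48-byte premaster secret as that RFC specifies, and the RSA encryption of the premaster secret is left out, so the "secret" is simply shared between the two simulated sides.

```python
import hmac, hashlib, os, secrets

# Constructed sample lists: what a client offers, and what the server is
# configured to accept, listed in the server's own order of precedence.
CLIENT_OFFERED = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_256_CBC_SHA"]
SERVER_PREFERENCE = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                     "TLS_RSA_WITH_AES_256_CBC_SHA",
                     "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
EXCLUDED = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}  # outdated suite the server refuses

def choose_cipher_suite(offered, preference, excluded=frozenset()):
    """Server-side selection: the first suite in the server's order of precedence
    that the client also offered and that is not excluded; None if no overlap."""
    usable = set(offered) - set(excluded)
    for suite in preference:
        if suite in usable:
            return suite
    return None

def split_cipher_suite(suite):
    """Split a suite name into its key-exchange part and its bulk-encryption part,
    e.g. 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -> ('ECDHE_RSA', 'AES_128_GCM_SHA256')."""
    kx, bulk = suite[len("TLS_"):].split("_WITH_")
    return kx, bulk

def prf_sha256(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed), expanded
    with the A(i) = HMAC(secret, A(i-1)) chain until `length` bytes are produced."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(premaster, client_random, server_random):
    """The 48-byte master secret both sides compute from the premaster secret."""
    return prf_sha256(premaster, b"master secret", client_random + server_random, 48)

def simulate_key_agreement():
    """Client generates the premaster secret; both sides run the same calculation
    over it and the two hello randoms and must end up with the identical key."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = b"\x03\x03" + secrets.token_bytes(46)  # version bytes + 46 random
    client_key = master_secret(premaster, client_random, server_random)
    server_key = master_secret(premaster, client_random, server_random)
    return client_key == server_key and len(client_key) == 48
```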
Info
Channel: F5 DevCentral
Views: 166,980
Rating: 4.8743801 out of 5
Keywords: f5, devcentral
Id: cuR05y_2Gxc
Length: 12min 29sec (749 seconds)
Published: Wed Apr 05 2017