What is a TLS Cipher Suite?

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] hey everybody John wagging down here with dev central and we are bringing you another light board lesson video and today we're gonna talk about TLS cipher Suites so what exactly is a TLS cipher suite we're going to go through all that before we get into the details of it I just wanted to kind of remind you that when you have a client out here in the Internet so you have a client this is a this is a browser you know it's Firefox or Chrome or Internet Explorer and whatever it is and you access a secure website so here's your here's your web web application or website and this is an HTTP web site then that is an encrypted experience so I'm gonna I'm gonna put you know there's this back and forth with a little padlock right here alright so when you again when you access the secure website it's all going to be encrypted the question becomes well how how does that happen and how does it all work kind of thing and the TLS cipher suite lays the foundation or defines as it were how all of that happens and as you can imagine it's it's a pretty complex thing so it's not just like you know hey you check a box and then all of a sudden everything's secure there's a lot of different parts and pieces that can move and it can be configured in whatever so the cipher suite specifically is established and configured on the web server so the server is the one that gets to decide you know what protocol is going to be used what you know algorithm for encryption and all that kind of stuff so that's all configured on the web server now the client also has a little bit of say in it because the client can say hey web server these are all the protocols I can support these are all the cipher suites that I can support as long as you server can support one of those then you decide which one and then we'll talk securely so as long as there's at least one you know that they can agree on the server makes the decision but again the client browser has a little bit input as well all right so when this TLS cipher suite is configured the question is what all is a part of that and the answer is again several several things one of the one of the first things that I'll put up here is the protocol so I'm gonna put protocol because whenever this HTTP secure communication happens this can be done via several different protocols and I'll list of kind of in descending order here and the first one I'll list is TLS 1.2 there is a TLS 1.3 that just got codified RFC all that stuff but it's very it's it's very very new at this point this is early 2019 one day TLS 1.3 will be pervasive but as of today not many people are using it yet so TLS 1.2 is kind of the main most current version of the TLS protocol but you also have TLS 1.1 I'm sorry that's should be a 1 right there sorry 1.1 and then you also have TLS 1.0 and then if you go really way back you have SSL v3 and SSL v2 SSL b1 actually wasn't even released that's how insecure it was as of today TLS 1.2 is the primary protocol that's used but nonetheless the protocol itself is part of what we're going to call this cipher suite and by the way the the term cipher suite is just that it's a suite of algorithms and protocols and and you know bit strength and all this stuff so it's it's like a suite of things that you're gonna offer up here and any one of those things could change as you as you want to configure you know your web your web server alright so nonetheless the protocol is one of the things that's going to be offered up in the cipher suite another thing is the key exchange so I'll put key exchange here and the key exchange primarily is going to be I'm going to put diffie-hellman or D H or it's going to be our s Rivest Shamir Adelman is what that is we've got videos that talk about diffie-hellman versus RSA RSA was used for many many years from like the mid 70s all the way up to today Frank that's still used pretty pervasively today however in the past several years the diffie-hellman key exchange has become the primary focus in fact going back to the TLS 1.3 discussion diffie-hellman key exchanges provide what's called forward secret ciphers or if you use ephemeral diffie-hellman then it provides a perfect forward secret and those things are required for the TLS 1.3 protocol so as TLS 1.3 comes on then RSA will probably phase itself out with respect to key exchange diffie-hellman will just continue to grow and grow and in its popularity a couple of things that I want to put around if you Helmut I just mentioned it there's this term called ephemeral so sometimes you'll see D H e which the D H is diffie-hellman ee stands for ephemeral ephemeral means very short-lived we have some other videos we can link to the talk about what that means and how the fee Hellman works another version or flavor as it were of the diffie-hellman key exchange protocol is what's called elliptic curve diffie-hellman so sometimes you'll see just if he Hellman sometimes you'll see actually there's another one called anonymous diffie-hellman it's not used very much but if you ever seen a ed8 that's what that stands for anonymous diffie-hellman but most of the time you're gonna see diffie-hellman so just D H or D H E which is Tiffany Hellman ephemeral or you'll see elliptic curve diffie-hellman EC DHE or you'll see EC DHE CDH E which is elliptic curve diffie-hellman ephemeral so the EC DHE is is is becoming the primary you know key exchange protocol or mechanism that people prefer today because the elliptic curve allows you much smaller key sizes to achieve the same level of security diffie-hellman gives you that forward secret capability and ephemeral gives you the perfect four word secret capability that that everyone's looking for like it would TLS what not three so nonetheless the key exchange is either going to be a diffi Hellman form or it's gonna be RSA the key exchange goes back to ultimately when the client and the server need to talk to each other they ultimately are going to talk and what's called asymmetric cryptography or symmetric encryption and in order to do that the way that symmetric cryptography works is that the data is encrypted and decrypted with the same key so it's that's why it's called symmetric cryptography well at some point the client and the server have to each get what that key is and that's what this whole key exchange is all about this is the protocol that exchanges that symmetric key between the client and the server and it's done again via either diffie-hellman or RSA but that is part of the TLS cipher suite that's going to be established here so key exchange is a big deal here the let's see the next one is authentication so I'll put auth right here and authentication is either going to be RSA or if you want to go and lift a curb sometimes you'll see elliptic curve digital signature algorithm that's DSA basically what this is is whenever this key exchange happens and whenever the communication happens between the client and the web server at some point you have to ask yourself not only do I want to encrypt the communication between the client and the server I actually want to know that the server that I'm talking to is the correct server okay so let's say you go to like amazon.com and you hit go and it's all secure and it's all encrypted well the question you know becomes hey is this is all encrypted now how do I know that I'm talking to amazon.com how do I know it's not some hacker bad guy out there that's that's you know form some malicious amazon.com site and has you know directed me over there that's what this authentication is all about and that's done in the form of certificates that get sent from the web server back to the client those certificates have public-key that can be used by the client to to decrypt some communication or some information that the server has encrypted with its private key in order to authenticate that hey yes ultimately the website that I'm going to is the website that I intended to go to so again just because you encrypt communication between you know one point and another point you still want to I mean that's all well and good but you still want to make sure that that end point out there is who it said it was all right so that's what this authentication is all about another part of it is the actual cipher which some people call this the block cipher or the bulk cipher and this is going to be things like AES the advanced encryption standard which by the way a EES can have a couple of modes like GCM which is the Galois counter mode or CBC which is the cipher block chaining so AES can stand on its own or it can be used with a with a couple of one of a couple of different modes again GCM or CBC so you may see some of those terms tied to a AES another cipher and again these are both these are the symmetric ciphers that we were talking about before where you use the same key to encrypt and decrypt AES is one Camellia so CA m e Li a this is one that's not used that much I was developed back in like 2000 published back in 2000 so several years ago Firefox and you know introduce that into its into its web browser to be used it kind of came and when a guy it was used for awhile and Firefox said no we're not going to use it other browsers or other clients have have said hey we'll support it and we're not going to this anyway it's not used that much but it is a block cipher or a bulk cipher for bulk encryption so anyway you may see it out there primarily you'll see a yes some of the older ones though that you may run into as well is des and then there's also rc4 and rc2 these are all symmetric encryption algorithms you know blocks bulks cipher you know the types that you can use to encrypt the data between your client and your web server the question is which one D of these do you use the answer would be if you're if you really want to go secure today you're gonna use AES these other one des are C for su 2 those are older ones those are known to be weak and so if you if you run into those you may want to get away from those because they're not quite as secure we'll get into another video by the way that follows this up that talks about which ones which which combinations and and all of that of all this are secure today and which one should we stay away from we'll get to that later but anyway but the cipher suite or I'm sorry the cipher encryption algorithm itself will be part of the cipher suites you know of this whole package that you offer up and then the last thing that you'll see is I'll put it I'll put it right over here is called a Mac ok message authentication code is what that stands for and this is gonna be things like sha the secure hash algorithm or you'll see things like md5 that's a five right there alright md5 is not secure sha is secure depending on the bit strength that you use there's sha-1 and then there's sha 256 this shell 384 there's different versions of sha that you could use anyway but the Mac is also part of this whole cipher suite the Mac by the way is if you remember a second ago I talked about the certificate that's sent back from the web server that's gonna tell the client hey this is actually Who I am who I say I am one way that that is verified is you have a you you have this Mac which which is a hash algorithm and basically what happens is you take the certificate the contents of the certificate itself which is just a digital file and you run what's called a hash function against that which basically takes it from this big file and it and it boils it down into a much smaller and that's what the hash algorithm does and then you can take that and you can do things like digitally sign that to make sure that you know hey the person that that you know that sent this file is who they say they are that's where the authentication comes in so all of these things start to work together but the ultimate goal of all of this is to establish a secure communication between the client and the web server but again you need to say hey there's more than one way to do all of this stuff so the question is you know again which protocol are we going to use because each one of these are different right which key exchange mechanism are we going to use these are totally different key exchanges what type of authentication these are totally different these ciphers are totally different I mean you get the point all of these are totally different so which which combination which you know how we're gonna mix and match this up so so that's again for you to decide but the point here is I wanted to tell you like what all of these things are like what what the options are when you come into a TLS cipher suite alright so when you go to your web server and you're gonna establish these things and you say hey you know I'm looking at a cipher suite what is it actually gonna look like you're gonna see something like this I'm just gonna write one out here and I'll put like eat I'm gonna say EC DHE all right so we're gonna lead off with that one that's the elliptic curve diffie-hellman ephemeral that is the key exchange mechanism that we're gonna use here and then we'll say - are s a alright well what does that mean well that one is gonna reference the authentication mechanism to authenticate that the certificate that this website is who it says it is alright so we've exchanged the keys via difficut the web server via RS a the next thing that we're gonna say is all right when we get to the bulk encryption then like the symmetric encryption once we really are just talking you know same key here we're gonna use AES and you may see something like a es 128 what that means is 128-bit AES encryption and then I'm not though the GCM on their galois counter mode remember it's you can have one of those modes associated with AES you don't have to have that but in this case we'll say that it is there and then I'll say sha and maybe sha-256 in this case alright so this right here may be one example of a cypher sweeter it is an example of a cipher suite in fact specifically this one and this is kind of cool regardless of you know whether you're doing this on a big IP or just your web server specifically or whatever these cipher suites have become standardized across the industry and there is a hexadecimal representation that has been assigned to each cipher suite that's just out there in the industry today so for this one specifically you may see a hexadecimal representation and I'll just put some parentheses here you may see that something like this zero acts which indicates a text a decimal and this one is co2 F alright so if you see co2 F then that is the hexadecimal representation for that specific cipher suite so regardless of again whether you're on a big IP or some other web server or whatever that is the representation for that cipher suite alright you may also run into things like a smaller version of this for example you may see one out there that's like aes-128 - sha and that's it and it's like okay well I know what aes-128 is that's 128-bit encryption for the AES you know block cipher protocol here or algorithm here there's no mode associated with with that AES version so it's just a tes by itself hundred twenty bit I know that sha is talking about the Mac the you know the the hashing algorithm that's used so we're talking straw there but what about authentication what about key exchange what about protocol if you don't see the any of the other things on there the key exchange and the authentication typically this may not be true 107 typically it defaults to RSA for key exchange and authentication so you can imply that RSA in this one specifically you can imply that RSA is used for key exchange and it's also used for server authentication so if you don't see that then then there you go a lot of times - you may or may not see the actual protocols listed on the cipher suite there may be like this cipher may support you know TLS 1.2 and TLS 1.1 I can link to some specific literature that talks about how the big IP specifically is set up and what protocols are supported per cipher suite but nonetheless I wanted to go over all of this today to let everybody know this is what you're going to start to see or this is what you will see when you look at a cipher suite specifically the other thing one of the other questions may be how many of these cipher suites are available out there on the big IP or can you like establish your own like can you say hey I like that one but I don't like the other one and the answer is the big IP depending on what version you're talking about for the FIB IP it is going to come pre-loaded with a certain number of these cipher suites already in its it's--when what's called it's a default cipher list alright so if you like all of them then you can keep them all enabled if you don't like some of them there are ways to say hey keep that one enabled but then this one down here that I don't like disable that one and that way it's never even offered up because remember what I talked about before the client is gonna say hey web server which ones of these do you support because the client is going to have its own list of the ones that it supports when you find a match the server is going to say hey I like that one the best I like that match the best and that's the one we're gonna use for you know all of these different things once it establishes that match and it says ok we're good to go now it knows which protocol to use now it knows how to exchange the keys now it those how to authenticate now it knows what bulk cipher it's going to use once you get to that symmetric encryption capability and it knows what kind of you know that Mac it's going to use what kind of hash algorithm it's going to use all right but again it doesn't know any of that until you tell it what to do and as you look at these random string of numbers and letters sometimes people are like man I have no idea what's going on well hopefully now after this little discussion you know what's going on so thanks for hanging in there today for this light board lesson video hey if you like this thing and click right up here on our DC ball and subscribe to our YouTube channel and we'll see you guys out there in the community you
Info
Channel: F5 DevCentral
Views: 101,250
Rating: undefined out of 5
Keywords: f5, devcentral, xls, cipher, suite, cryptography, encryption, authentication, hash, algorithm, web, application, security, https, http, web server, server, client, browser, google, chrome, firefox, microsoft, edge
Id: ZM3tXhPV8v0
Channel Id: undefined
Length: 20min 47sec (1247 seconds)
Published: Wed Jan 09 2019
Related Videos
Breaking Down the TLS Handshake
F5 DevCentral
229K
Strong vs. Weak TLS Ciphers
F5 DevCentral
19K
Digital Certificates: Chain of Trust
Dave Crabbe
243K
Explaining the Diffie-Hellman Key Exchange
F5 DevCentral
68K
Elliptic Curve Cryptography Overview
F5 DevCentral
392K
Perfect Forward Secrecy
F5 DevCentral
62K
What's in a Digital Certificate?
F5 DevCentral
41K
IPS vs WAF
F5 DevCentral
72K
How RSA Works
F5 DevCentral
39K
SAML Overview
F5 DevCentral
324K
TLS Handshake Explained - Computerphile
Computerphile
443K
What Are AEAD Ciphers?
F5 DevCentral
19K
What is a Proxy?
F5 DevCentral
290K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.